Systems itineraries

Basic Linux exploits

  • Stack operations and function-calling procedures

  • Buffer overflows

  • Local buffer overflow exploits

  • Exploit development process

Advanced Linux exploits

  • Bypassing non-executable stack (NX) with return-oriented programming (ROP)

  • Defeating stack canaries

  • Address space layout randomization (ASLR) bypass with an information leak

  • Position Independent Executable (PIE) bypass with an information leak

Linux kernel exploits

  • Return-to-user (ret2usr)

  • Defeating stack canaries

  • Bypassing Supervisor Mode Execution Protection (SMEP) and Kernel Page-Table Isolation (KPTI)

  • Bypassing Supervisor Mode Access Prevention (SMAP)

  • Defeating kernel address space layout randomization (KASLR)

Basic Windows exploitation

  • Compiling and debugging Windows programs

  • Writing Windows exploits

  • Understanding Structured Exception Handling (SEH)

  • Understanding and bypassing basic exploit mitigations such as SafeSEH

  • Return-oriented programming (ROP)

Windows kernel exploitation

  • The Windows kernel

  • Kernel drivers

  • Kernel debugging

  • Kernel exploitation

  • Token stealing

PowerShell exploitation

  • Loading PowerShell scripts

  • Creating shells with PowerShell

  • PowerShell post-exploitation

Getting shells without exploits

  • Capturing password hashes

  • Using Winexe

  • Using WMI

  • Taking advantage of WinRM

Post-exploitation in modern Windows environments

  • User recon

  • System recon

  • Domain recon

  • Local privilege escalation

  • Active Directory privilege escalation

  • Active Directory persistence

Next-generation patch exploitation

  • Application and patch diffing

  • Binary diffing tools

  • Patch management process

  • Real-world diffing