Share
## https://sploitus.com/exploit?id=8AF44B16-C29F-5474-A5D9-1A90F16C935B
# Systems Exploitation CTF

Five offensive-security challenges spanning web application logic flaws, Linux privilege/ACL abuse, and remote binary exploitation with hand-written shellcode.

## Skills demonstrated

| Area | Tools / Technologies | Project |
|---|---|---|
| Remote binary exploitation | x86-64 shellcoding, raw syscalls, `pwntools` | [`remote-shellcode-exploitation`](remote-shellcode-exploitation) |
| Web app logic flaws | Session cookie capture, hash-based auth bypass, directory bruteforcing (`gobuster`) | [`admin-panel-idor-cookie-hijack`](admin-panel-idor-cookie-hijack) |
| Linux privilege & access control | POSIX ACLs (`setfacl`/`getfacl`), permission enumeration | [`linux-acl-privilege-escalation`](linux-acl-privilege-escalation) |
| Insecure Direct Object Reference | Predictable identifier enumeration | [`predictable-pastebin-idor`](predictable-pastebin-idor) |
| SUID/binary enumeration | Hash identification, credential recovery | [`suid-hash-enumeration`](suid-hash-enumeration) |

## Projects

- **[remote-shellcode-exploitation](remote-shellcode-exploitation)** โ€” Wrote raw x86-64 shellcode from scratch (`push`/`pop` register loading to dodge a forbidden-byte filter blocking `/bin/sh`), assembled it with `pwntools`' `asm()`, and used it to read and exfiltrate a flag from a fixed memory offset on a remote challenge server via raw `syscall` instructions (`sys_write`, `sys_exit`).
- **[admin-panel-idor-cookie-hijack](admin-panel-idor-cookie-hijack)** โ€” Bruteforced hidden directories to find an admin portal, captured a low-privilege session cookie, then reverse-engineered the server's `id = md5(salt + username)` session-derivation scheme to forge a session for a target admin account.
- **[linux-acl-privilege-escalation](linux-acl-privilege-escalation)** โ€” Found a flag file with no read permissions over SSH, discovered `setfacl` was permitted, and used it to grant itself read access without needing root.
- **[predictable-pastebin-idor](predictable-pastebin-idor)** โ€” Identified that a pastebin service generated paste URLs as unsalted `MD5(id)` hashes, then enumerated the ID space to access another user's private paste and recover the flag.
- **[suid-hash-enumeration](suid-hash-enumeration)** โ€” Enumerated root-only-readable files, computed their MD5 hashes, and cross-referenced known hash lookup services to recover the underlying plaintext files and the flag.

Each project folder includes a README describing the exploitation chain; the shellcode exploit is real, complete, working code.

## Author

Omar Mahmoud โ€” SSP Assignment 1, University Politehnica of Bucharest.