## https://sploitus.com/exploit?id=FB5B3ED6-F0DD-5AD2-BFFA-FCE7BDCBED3A
# Web & Binary Exploitation โ Security Assessment
Coursework from **FIT3173 โ Software Security** at **Monash University**. This
repository contains two hands-on offensive-security assessments: a low-level
**binary exploitation** exercise and a full **web-application penetration test**
with threat modelling.
> **Academic note.** This was individual university coursework, carried out in
> isolated lab environments against intentionally vulnerable targets for
> educational purposes. It is published here for portfolio / public visibility.
> Both write-ups are included as PDF reports.
---
## ๐ Reports
| Report | Focus |
| ------ | ----- |
| [Assignment 1 โ Buffer Overflow](FIT3173%20Assignment%201%20Buffer%20Overflow.pdf) | Stack buffer-overflow exploitation and modern memory-protection defenses |
| [Assignment 2 โ Web Security](FIT3173%20Assignment%202%20Web%20Security.pdf) | Network/web penetration test and threat modelling |
---
## ๐งจ Assignment 1 โ Binary Exploitation (Stack Buffer Overflow)
Exploited a deliberately vulnerable 32-bit C program (`stack.c`) and then
evaluated how successive OS/compiler protections hold up against the attack.
- **Working exploit** โ crafted a payload (NOP sled + `msfvenom` `linux/x86`
reverse-TCP shellcode + overwritten saved return address) that overflows the
buffer via `strcpy` and returns a **reverse shell** to a listener.
- **ASLR** โ demonstrated that enabling `kernel.randomize_va_space=2` breaks the
hard-coded return address, making the injected-shellcode approach unreliable.
- **Stack Guard / stack canaries** โ recompiled with `-fstack-protector-all`,
used **GDB** to locate the canary (`gs:0x14` โ `[ebp-0xc]`) and showed how the
overflow is caught by `__stack_chk_fail`; then constructed a payload that
**preserves the correct canary value** to bypass the check.
- **Non-executable stack (NX / DEP)** โ compiled with `-z noexecstack`, confirmed
the stack was `RW` (no execute) via `readelf`, and explained why injected
shellcode faults while **return-to-libc / ROP** would remain viable.
**Tools & concepts:** GDB, `msfvenom`, `readelf`, `objdump`/disassembly,
NOP sleds, little-endian address encoding, ASLR, stack canaries, NX bit.
## ๐ Assignment 2 โ Web Security (Penetration Test & Threat Modelling)
A black-box penetration test of the *Basic Pentesting 1* target VM from a **Kali
Linux** attacker machine on an isolated network, culminating in **full root
compromise**, followed by structured threat modelling. Each finding is documented
with reproduction steps, evidence, CVSS severity, risk, and remediation.
**Findings**
| # | Vulnerability | Severity |
| - | ------------- | -------- |
| 1 | **ProFTPD 1.3.3c backdoor** โ unauthenticated remote command execution as root, exploited via Metasploit (`exploit/unix/ftp/proftpd_133c_backdoor`) โ root shell | Critical (CVSS 9.8) |
| 2 | **Weak/default WordPress admin credentials** (`admin`/`admin`) at `/secret/` โ admin takeover and RCE through the theme/plugin editor | High (CVSS 8.8) |
| 3 | **Information disclosure** โ directory listing and version leakage aiding further attacks | Medium (CVSS 5.3) |
**Threat modelling** โ produced a **Data Flow Diagram** of the target system,
enumerated threats with mitigations, and presented a mitigated DFD.
**Tools & methodology:** Nmap (service/version enumeration), Metasploit, `dirb`
(content discovery), CVSS scoring, OWASP references, DFD-based threat modelling.
---
*FIT3173 โ Software Security ยท Monash University ยท For educational use in isolated lab environments only.*