Share
## https://sploitus.com/exploit?id=FB5B3ED6-F0DD-5AD2-BFFA-FCE7BDCBED3A
# Web & Binary Exploitation โ€” Security Assessment

Coursework from **FIT3173 โ€“ Software Security** at **Monash University**. This
repository contains two hands-on offensive-security assessments: a low-level
**binary exploitation** exercise and a full **web-application penetration test**
with threat modelling.

> **Academic note.** This was individual university coursework, carried out in
> isolated lab environments against intentionally vulnerable targets for
> educational purposes. It is published here for portfolio / public visibility.
> Both write-ups are included as PDF reports.

---

## ๐Ÿ“„ Reports

| Report | Focus |
| ------ | ----- |
| [Assignment 1 โ€” Buffer Overflow](FIT3173%20Assignment%201%20Buffer%20Overflow.pdf) | Stack buffer-overflow exploitation and modern memory-protection defenses |
| [Assignment 2 โ€” Web Security](FIT3173%20Assignment%202%20Web%20Security.pdf) | Network/web penetration test and threat modelling |

---

## ๐Ÿงจ Assignment 1 โ€” Binary Exploitation (Stack Buffer Overflow)

Exploited a deliberately vulnerable 32-bit C program (`stack.c`) and then
evaluated how successive OS/compiler protections hold up against the attack.

- **Working exploit** โ€” crafted a payload (NOP sled + `msfvenom` `linux/x86`
  reverse-TCP shellcode + overwritten saved return address) that overflows the
  buffer via `strcpy` and returns a **reverse shell** to a listener.
- **ASLR** โ€” demonstrated that enabling `kernel.randomize_va_space=2` breaks the
  hard-coded return address, making the injected-shellcode approach unreliable.
- **Stack Guard / stack canaries** โ€” recompiled with `-fstack-protector-all`,
  used **GDB** to locate the canary (`gs:0x14` โ†’ `[ebp-0xc]`) and showed how the
  overflow is caught by `__stack_chk_fail`; then constructed a payload that
  **preserves the correct canary value** to bypass the check.
- **Non-executable stack (NX / DEP)** โ€” compiled with `-z noexecstack`, confirmed
  the stack was `RW` (no execute) via `readelf`, and explained why injected
  shellcode faults while **return-to-libc / ROP** would remain viable.

**Tools & concepts:** GDB, `msfvenom`, `readelf`, `objdump`/disassembly,
NOP sleds, little-endian address encoding, ASLR, stack canaries, NX bit.

## ๐ŸŒ Assignment 2 โ€” Web Security (Penetration Test & Threat Modelling)

A black-box penetration test of the *Basic Pentesting 1* target VM from a **Kali
Linux** attacker machine on an isolated network, culminating in **full root
compromise**, followed by structured threat modelling. Each finding is documented
with reproduction steps, evidence, CVSS severity, risk, and remediation.

**Findings**

| # | Vulnerability | Severity |
| - | ------------- | -------- |
| 1 | **ProFTPD 1.3.3c backdoor** โ€” unauthenticated remote command execution as root, exploited via Metasploit (`exploit/unix/ftp/proftpd_133c_backdoor`) โ†’ root shell | Critical (CVSS 9.8) |
| 2 | **Weak/default WordPress admin credentials** (`admin`/`admin`) at `/secret/` โ†’ admin takeover and RCE through the theme/plugin editor | High (CVSS 8.8) |
| 3 | **Information disclosure** โ€” directory listing and version leakage aiding further attacks | Medium (CVSS 5.3) |

**Threat modelling** โ€” produced a **Data Flow Diagram** of the target system,
enumerated threats with mitigations, and presented a mitigated DFD.

**Tools & methodology:** Nmap (service/version enumeration), Metasploit, `dirb`
(content discovery), CVSS scoring, OWASP references, DFD-based threat modelling.

---

*FIT3173 โ€“ Software Security ยท Monash University ยท For educational use in isolated lab environments only.*