A hands-on lab reproducing real-world CVEs and binary reverse engineering challenges.
Educational purpose only. All exploits are run in isolated lab environments.
Context: A simulated internal network with multiple machines. Goal: pivot from an initial foothold to full network compromise.
```text
[Attacker .200]
│
├─ 1. Recon (nmap)
├─ 2. CVE-2020-7247 → RCE on SMTP server (.10)
├─ 3. SSH pivot into .10
├─ 4. DNS poisoning → redirect .57 traffic to attacker
├─ 5. CVE-2025-14942 → Capture wolfSSH credentials
└─ 6. SSH into .158 with stolen credentials
```

| Step | Flag |
|---|---|
| Find flag.txt on attacker machine | CongratsYouFoundMe |
| DNS TXT record | WhatsInAName? |
| OpenSMTPD RCE — flag.txt | YouPwnedOpenSMTPDAgain |
| wolfSSH credential leak — final flag | ThisIsTheEndAfterAll |

| CVE | Software | Type |
|---|---|---|
| CVE-2020-7247 | OpenSMTPD | Remote Code Execution |
| CVE-2025-14942 | wolfSSH v1.4.21 | Pre-auth Credential Leak |

Context: An obfuscated binary (11.bin) with anti-debugging protections and an encrypted payload. Goal: recover the correct password.
```text
11.bin (outer binary)
│
├─ 1. Static analysis (Ghidra) → find XOR decryption routine
├─ 2. Extract inner binary
│   ├─ Method A: Python XOR script (Ghidra export)
│   └─ Method B: GDB memory dump
│
└─ dumped_payload.bin (inner binary)
    │
    ├─ 3. Find main function → search "Wrong length"
    ├─ 4. Bypass anti-debug (ptrace timing checks)
    ├─ 5. Brute force seed (2^15 space)
    └─ 6. Recover password character by character
```

- Password length: 209 characters
- Seed found: 17822
- Format: COURSE{...}
- Protection: XOR encryption + ptrace timing-based anti-debug
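Method A above extracts the inner binary with a Python XOR script. The block below is an added example, not the lab's own script, showing how such an extraction can be done when the payload offset and key are not yet known: it uses the ELF identification bytes (`e_ident`) as known plaintext to derive a repeating XOR key of up to 8 bytes at every offset, verifies each candidate, and trims the decrypted image to the size recorded in the ELF64 header. The outer and inner sample binaries, the 3-byte key and the assumption that `EI_ABIVERSION` and the `e_ident` padding are zero are all constructed here and are not taken from `11.bin`.

```python
"""Locate and decrypt an XOR-obfuscated inner ELF embedded in an outer binary.

Added example, not the lab's own script. Assumptions (not stated on the page):
the inner payload is an ELF, the key is a repeating key of at most 8 bytes,
and EI_ABIVERSION plus the e_ident padding bytes are zero (true for common
toolchains). The ELF identification bytes serve as known plaintext (a crib).
"""
import struct
from typing import List, Optional, Tuple

# e_ident[0:16] as known plaintext. None = position that legitimately varies
# (EI_CLASS, EI_DATA, EI_OSABI); the trailing zeros are the assumption above.
EI_TEMPLATE = [0x7F, ord("E"), ord("L"), ord("F"), None, None, 1, None,
               0, 0, 0, 0, 0, 0, 0, 0]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _derive_key(blob: bytes, offset: int, key_len: int) -> Optional[bytes]:
    """Recover each key byte from the first crib position that uses it."""
    key = bytearray(key_len)
    for j in range(key_len):
        for p in range(16):
            if EI_TEMPLATE[p] is not None and p % key_len == j:
                key[j] = blob[offset + p] ^ EI_TEMPLATE[p]
                break
        else:
            return None  # unreachable for key_len <= 8; kept for safety
    return bytes(key)


def _looks_like_elf_ident(ident: bytes) -> bool:
    """Check decrypted bytes against the crib and the EI_CLASS/EI_DATA ranges."""
    if len(ident) < 16:
        return False
    for p, expected in enumerate(EI_TEMPLATE):
        if expected is not None and ident[p] != expected:
            return False
    return ident[4] in (1, 2) and ident[5] in (1, 2)


def find_xor_elf(blob: bytes, max_key_len: int = 8) -> List[Tuple[int, bytes]]:
    """Return (offset, key) pairs where decrypting yields a plausible ELF header.
    An unencrypted ELF (e.g. the outer binary itself) shows up with a zero key."""
    hits = []
    for offset in range(len(blob) - 15):  # every full 16-byte window
        for key_len in range(1, max_key_len + 1):
            key = _derive_key(blob, offset, key_len)
            if key and _looks_like_elf_ident(xor_bytes(blob[offset:offset + 16], key)):
                hits.append((offset, key))
                break  # shortest consistent key; longer ones would just repeat it
    return hits


def elf64_size(header: bytes) -> Optional[int]:
    """Image size for a 64-bit ELF: end of the section header table."""
    if len(header) < 64 or header[4] != 2:
        return None
    endian = "<" if header[5] == 1 else ">"
    (e_shoff,) = struct.unpack_from(endian + "Q", header, 0x28)
    e_shentsize, e_shnum = struct.unpack_from(endian + "HH", header, 0x3A)
    return e_shoff + e_shentsize * e_shnum


def extract_payload(blob: bytes, offset: int, key: bytes) -> bytes:
    """Decrypt from offset onward, trimmed to the ELF's own size when known."""
    plain = xor_bytes(blob[offset:], key)
    size = elf64_size(plain)
    return plain[:size] if size is not None and size <= len(plain) else plain


# --- constructed sample data (not the lab's 11.bin) -------------------------
def make_elf64_header(body_len: int, shnum: int = 2) -> bytes:
    """Minimal little-endian x86-64 ELF header; section table follows the body."""
    ident = bytes([0x7F, 0x45, 0x4C, 0x46, 2, 1, 1, 0, 0] + [0] * 7)
    fields = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64,
                         64 + body_len, 0, 64, 56, 1, 64, shnum, 1)
    return ident + fields


SAMPLE_KEY = b"\x5a\xc3\x3c"                       # constructed 3-byte key
_body = bytes((i * 7 + 3) & 0xFF for i in range(200))
SAMPLE_INNER = make_elf64_header(len(_body)) + _body + bytes(2 * 64)
_filler = b"\x90" * 37
SAMPLE_OFFSET = 64 + len(_filler)                  # where the inner ELF starts
SAMPLE_OUTER = (make_elf64_header(0) + _filler
                + xor_bytes(SAMPLE_INNER, SAMPLE_KEY) + b"\x00" * 20)

if __name__ == "__main__":
    for off, key in find_xor_elf(SAMPLE_OUTER):
        print(f"ELF header at offset {off:#x} with key {key.hex()}")
    recovered = extract_payload(SAMPLE_OUTER, SAMPLE_OFFSET, SAMPLE_KEY)
    print("inner recovered intact:", recovered == SAMPLE_INNER)
```

Against a real sample, read the outer file into `blob`, call `find_xor_elf`, and expect two hits: the outer ELF at offset 0 with a zero key, and the encrypted inner image with the real key. If the decryption routine found in Ghidra uses a longer or non-repeating key, raise `max_key_len` or replace `_derive_key` with the exact key schedule recovered from the disassembly; the crib-based verification still applies.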
```shell
# Network lab
apt install nmap netcat tcpdump openssh-client python3
# Reverse engineering
apt install gdb ghidra python3
pip install pandas
```

This repository is for educational and research purposes only.
All exploits were executed in isolated lab environments.
Do not use these techniques against systems you do not own or have explicit permission to test.
MESBAH Slimane