Recently I noticed on an Ubuntu 22.04 based virtual machine I started to get a warning when attempting to update Metasploit.
$ msfupdate Switching to root user to update the package [sudo] password for anon: Adding metasploit-framework to your repository list..Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). OK Updating package cache..W: http://downloads.metasploit.com/data/releases/metasploit-framework/apt/dists/lucid/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
Every year I look forward to spending a little time around the holidays playing SANS Holiday Hack Challenge. I typically don’t finish all the levels, but I always learn a few things because it forces me into new areas to solve the challenges. This year it seemed like a bunch of the challenges were focused around defense, doing forensics and sifting through logs. I learned a fair amount about Powershell. The funnest challenge for me this year though was centered around physical security.
One topic of security that has perked my interest for a while is fuzzing. It’s certainly not a new topic and although I’ve been aware of it, I haven’t really done that much hands on work with it outside of web application fuzzing. In this post, I wanted to get the very basics of using fuzzing as a building block for exploit development.
Recently browsing the Twitterverse I came across a couple of great resources on fuzzing.
Sometime in the past few months the exploit-exercises.com domain expired and you can no longer download the VMs from there. Which had me wondering, what would it take to simulate the exploitation experience on a more modern version of Linux.
The original version used Debian 6.0 with kernel version 2.6.32. That is a while ago. Instead of installing an old version of Debian, we can start with Ubuntu 18.04 64-bit desktop and build up from there.
