├── DESCRIPTION.md ├── dojo.yml ├── injection-and-hijacking ├── RDDriver.sys ├── alloc-for-what-2 │ ├── RD │ │ ├── RDDriver.sys │ │ ├── hook.dll │ │ ├── rd_rules.txt │ │ └── robdefender.exe │ ├── calc99.exe │ └── init.ps1 ├── alloc-for-what │ ├── RD │ │ ├── RDDriver.sys │ │ ├── hook.dll │ │ ├── rd_rules.txt │ │ └── robdefender.exe │ ├── calc99.exe │ └── init.ps1 ├── calc99.exe ├── hello-world │ └── hello_world.exe ├── hook.dll ├── how-to-open-a-file-2 │ ├── RD │ │ ├── RDDriver.sys │ │ ├── hook.dll │ │ ├── rd_rules.txt │ │ └── robdefender.exe │ ├── calc99.exe │ └── init.ps1 ├── how-to-open-a-file-3 │ ├── RD │ │ ├── RDDriver.sys │ │ ├── hook.dll │ │ ├── rd_rules.txt │ │ └── robdefender.exe │ ├── calc99.exe │ └── init.ps1 ├── how-to-open-a-file-4 │ ├── RD │ │ ├── RDDriver.sys │ │ ├── hook.dll │ │ ├── rd_rules.txt │ │ └── robdefender.exe │ ├── calc99.exe │ └── init.ps1 ├── how-to-open-a-file-5 │ ├── RD │ │ ├── RDDriver.sys │ │ ├── hook.dll │ │ ├── rd_rules.txt │ │ └── robdefender.exe │ ├── calc99.exe │ └── init.ps1 ├── how-to-open-a-file │ ├── RD │ │ ├── RDDriver.sys │ │ ├── hook.dll │ │ ├── rd_rules.txt │ │ └── robdefender.exe │ ├── calc99.exe │ └── init.ps1 ├── robdefender.exe └── the-humble-calculator │ └── calc99.exe └── windows-crash-course ├── .init ├── DESCRIPTION.md ├── babywin-cookiemonster-1 ├── BabyWinCookieMonster1.exe └── BabyWinCookieMonster1.pdb ├── level-1 ├── .init ├── babywinsmoketest.exe └── babywinsmoketest.pdb ├── level-2 ├── .init ├── BabyWinSimpleOverflowNoASLR.exe └── BabyWinSimpleOverflowNoASLR.pdb ├── level-3 ├── .init ├── BabyWinSimpleOverflow.exe └── BabyWinSimpleOverflow.pdb ├── level-4 ├── .init ├── BabyWinAslrWinInDll.exe ├── BabyWinAslrWinInDll.pdb └── win.dll ├── level-5 ├── .init ├── BabyWinSCCallWriteFile.exe └── BabyWinSCCallWriteFile.pdb ├── level-6 ├── .init ├── BabyWinSCCallWriteFileNoLeak.exe └── BabyWinSCCallWriteFileNoLeak.pdb ├── level-7 ├── .init ├── BabyWinSC.exe └── BabyWinSC.pdb └── module.yml /DESCRIPTION.md: 
-------------------------------------------------------------------------------- 1 | You have learned the Linux Lifestyle, but have you wondered what wonders wait for you in the world of Windows? 2 | Enter here, and wonder no more! 3 | -------------------------------------------------------------------------------- /dojo.yml: -------------------------------------------------------------------------------- 1 | id: windows-warzone 2 | name: "Windows Warzone" 3 | type: public 4 | award: 5 | emoji: 🪟 6 | modules: 7 | - id: windows-crash-course 8 | name: Windows Crash Course 9 | description: | 10 | Learning to work in a new operating system is like learning to walk for the first time again. Start your journey by revisiting early concepts in a new guise. 11 | 12 | Note: This dojo is *slowly* being developed, including iterating on infrastructure support. Functionality is subject to change! 13 | image: pwncollege/windows 14 | 15 | challenges: 16 | - id: level-1 17 | name: level1 18 | description: Smoke Test - start windows VM - Run the challenge in `C:\challenge\` 19 | - id: level-2 20 | name: level2 21 | description: Straightforward Buffer Overflow 22 | - id: level-3 23 | name: level3 24 | description: BOF with ASLR enabled 25 | - id: level-4 26 | name: level4 27 | description: What if win is in a DLL? 28 | - id: level-5 29 | name: level5 30 | description: Call a WriteFile in shellcode 31 | - id: level-6 32 | name: level6 33 | description: Find and call WriteFile 34 | - id: level-7 35 | name: level7 36 | description: Now get the flag yourself. 37 | - id: babywin-cookiemonster-1 38 | name: Cookie Monster 1 39 | description: The cookie monster is hungry for flags. Can you feed it? 
40 | resources: 41 | - name: "Applying Existing Knowledge" 42 | type: lecture 43 | slides: 1JVfle0cQaW0oJCVNWfssGgK1eexJjsHnDdCrgPsGtlQ 44 | video: Kvkz6lrxMn8 45 | playlist: PL-ymxv0nOtqptQV4CrmrtcZ6_jrnVGXi5 46 | - name: "Office Hours - Adam - 2024.03.11" 47 | type: lecture 48 | video: O3eZFriKXXk 49 | playlist: PL-ymxv0nOtqr7zM7ZBREoWa-eeSaKFJQd 50 | - name: "Office Hours - Robert - 2024.03.15" 51 | type: lecture 52 | video: wAUWkf4Xia4 53 | playlist: PL-ymxv0nOtqr7zM7ZBREoWa-eeSaKFJQd 54 | - name: "Class - Robert - 2024.03.19" 55 | type: lecture 56 | video: p91ddQbbNMo 57 | playlist: PL-ymxv0nOtqr7zM7ZBREoWa-eeSaKFJQd 58 | - name: "Windows on the Dojo - Getting Started Instructions" 59 | type: markdown 60 | content: | 61 | To get started: 62 | - Launch the challenge and enter the normal Linux environment. 63 | - Use the `windows` command in the Linux environment to `start`, `stop`, or `connect` to a Windows virtual machine. The VM may take a few moments to start. 64 | - The Windows desktop GUI is accessible over the web at [https://pwn.college/workspace/desktop-windows](https://pwn.college/workspace/desktop-windows). 65 | 66 | Obtaining the flag: 67 | - The challenge is located in `C:\challenge\` 68 | - The flag is located at `C:\flag`, but the hacker user cannot access it, even from the challenge binary! 69 | - The flag can be accessed by a "flag service" running on the Windows machine. 70 | - The "flag service" will communicate the flag over a pipe located at `\\.\pipe\LOCAL\FlagPipe`. 71 | - The "flag service" will only communicate the flag to the challenge binary located at `C:\challenge\`. 72 | 73 | Other details: 74 | - Starting the VM from a practice environment will grant you administrator privileges on the Windows machine. You may need to "log out" and "log in" again before the Windows environment acknowledges this. 75 | - Your Linux home directory is accessible via the Windows Z drive. 
It is recommended to use this to transfer files between the two environments rather than relying on the Z drive directly. 76 | - The challenge binary is located at `C:\challenge` in Windows and /challenge in Linux. 77 | - DO NOT RUN THE CHALLENGE FILE LOCATED AT `Y:`. This binary cannot obtain the flag and is an implementation detail. 78 | 79 | Use the Windows VM in practice mode to leverage the installed tools and develop your exploit. 80 | 81 | In order to obtain the flag, run your exploit **inside the Windows environment** targeting the challenge binary located in `C:\challenge\`. 82 | - id: injection-and-hijacking 83 | name: Injection and Hijacking 84 | description: | 85 | While Windows has many concepts familiar to those seen in Linux, the Win32 API and Windows security model are quite different and allow for scenarios uncommon in Linux. This module will explore some classic Windows injection and hijacking techniques that allow code to be executed in the context of another process, such as DLL injection, process hollowing, and thread hijacking. As an added twist, a rudimentary Endpoint Detection and Response (EDR) system will be used to detect and block these techniques. Can you bypass the EDR and execute your code in the context of another process? 86 | 87 | Note: This dojo is *slowly* being developed, including iterating on infrastructure support. Functionality is subject to change! 88 | image: pwncollege/windows 89 | 90 | challenges: 91 | - id: the-humble-calculator 92 | name: The Humble Calculator 93 | description: No tricks here, just a simple calculator. Can you obtain the flag? 94 | - id: hello-world 95 | name: Hello World 96 | description: A simple hello world program. Can you obtain the flag? 97 | - id: alloc-for-what 98 | name: Alloc For What? 99 | description: Some virtual allocations are suspect and will result in process termination by the EDR. Can you obtain the flag? 100 | - id: alloc-for-what-2 101 | name: Alloc For What? 
2 102 | description: Some virtual allocations are suspect and will result in process termination by the EDR. Can you obtain the flag? 103 | visibility: 104 | start: "2025-04-16T17:30:00-07:00" 105 | - id: how-to-open-a-file 106 | name: How to open a File 107 | description: Some file names are suspect and will result in process termination by the EDR. Can you obtain the flag? 108 | visibility: 109 | start: "2025-04-16T17:30:00-07:00" 110 | - id: how-to-open-a-file-2 111 | name: How to open a File 2 112 | description: Some file names are suspect and will result in process termination by the EDR. Can you obtain the flag? 113 | visibility: 114 | start: "2025-04-16T17:30:00-07:00" 115 | - id: how-to-open-a-file-3 116 | name: How to open a File 3 117 | description: Some file names are suspect and will result in process termination by the EDR. Can you obtain the flag? 118 | visibility: 119 | start: "2025-04-16T17:30:00-07:00" 120 | - id: how-to-open-a-file-4 121 | name: How to open a File 4 122 | description: Some file names are suspect and will result in process termination by the EDR. Can you obtain the flag? 123 | visibility: 124 | start: "2025-04-16T17:30:00-07:00" 125 | - id: how-to-open-a-file-5 126 | name: How to open a File 5 127 | description: Some file names are suspect and will result in process termination by the EDR. Can you obtain the flag? 
128 | visibility: 129 | start: "2025-04-16T00:00:00-07:00" 130 | 131 | resources: 132 | - name: "Class Livestream - Windows Security Model - 2025.03.26" 133 | type: lecture 134 | slides: 1hb5guHSmSIOohZ8nDvy7vckckYuAzZnDtKTesc2YzoU 135 | video: hmfYzdg0I9A 136 | playlist: PL-ymxv0nOtqoqSMi6euNpzHQkRT8HCgxE 137 | - name: "Class Livestream - Injection and Hooking - 2025.04.02" 138 | type: lecture 139 | slides: 1pXCKs4jwNzSKgf_KzDw1K1q_De4h3u9oxnd7T_O7PRQ 140 | video: oIvnaODvbwo 141 | playlist: PL-ymxv0nOtqoqSMi6euNpzHQkRT8HCgxE 142 | - name: "Class Livestream - More Windows - 2025.04.16" 143 | type: lecture 144 | video: bfyIiuMA4us 145 | playlist: PL-ymxv0nOtqoqSMi6euNpzHQkRT8HCgxE 146 | - name: "The Robdefender EDR" 147 | type: markdown 148 | content: | 149 | Shortly into this series of challenges, our custom EDR, "robdefender", will start up inside the Windows VM. Over the course of many challenges, robdefender will be updated to detect and block various techniques. The EDR is not perfect, and there are many ways to bypass it. The EDR implementation resides in `C:\challenge\RD` as an implementation detail. The "rd_rules.txt" file can provide some insight as to what hooks are enabled. 150 | 151 | ROBDEFENDER IS NOT THE INTENDED TARGET FOR THESE CHALLENGES! The running challenge process is where you should focus. 152 | 153 | Fair Warning: It is not recommended to spend time understanding the EDR implementation, and it is subject to change without notice. 
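The rd_rules.txt files reproduced further down this page all share one shape: five whitespace-separated fields per line, of which the first two are clearly an exported function name and the module it comes from (kernel32, kernelbase, ntdll), followed by a joke line that uses the same five-field layout. Reading the files side by side is the quickest way to see how the hooks move from the Win32 wrappers down toward the syscall stubs between levels. The script below is an added example, not code from the pwncollege/windows-dojo repository: it parses that format, groups hooks by module, and diffs consecutive levels. The rule text is copied from the page; the meaning of the three trailing columns is not documented anywhere on the page, so the parser keeps them as opaque fields and, as an assumption, treats any line whose second field is not a known module as a hint line rather than a hook.

```python
"""Parse robdefender's rd_rules.txt and report which API layer each hook lives in.

Added example; not code from the pwncollege/windows-dojo repository. Rule text is
copied from this page. Only the first two columns are interpreted; the trailing
three are undocumented and kept as opaque fields.
"""
from collections import defaultdict
from dataclasses import dataclass

# Modules named in the rule files, ordered from the Win32 wrapper layer down to
# the syscall stubs. A hook in a deeper module sees callers that skip the layers
# above it; a hook in kernel32 does not see a direct ntdll call.
API_LAYERS = {"kernel32": 0, "kernelbase": 1, "ntdll": 2}


@dataclass(frozen=True)
class HookRule:
    symbol: str  # hooked export, e.g. NtCreateFile
    module: str  # exporting module, lower-cased
    col3: int    # undocumented; assumed to be an integer
    col4: str    # undocumented
    col5: int    # undocumented; assumed to be an integer


def parse_rules(text):
    """Return (rules, notes): parsed hook rules plus the hint lines that are not hooks."""
    rules, notes = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}: {raw!r}")
        symbol, module, col3, col4, col5 = parts
        if module.lower() not in API_LAYERS:
            # Each file ends with a joke line such as "I miss 1 open 0".
            # Assumption: a line naming no known module is a hint, not a hook.
            notes.append(raw.strip())
            continue
        rules.append(HookRule(symbol, module.lower(), int(col3), col4, int(col5)))
    return rules, notes


def by_module(rules):
    """Hooked export names grouped by module, preserving file order."""
    grouped = defaultdict(list)
    for rule in rules:
        grouped[rule.module].append(rule.symbol)
    return dict(grouped)


def deepest_layer(rules):
    """API_LAYERS index of the lowest hooked module, or -1 when nothing is hooked."""
    return max((API_LAYERS[r.module] for r in rules), default=-1)


def diff_rules(old, new):
    """(added, removed) hooks as sorted (symbol, module) pairs between two levels."""
    before = {(r.symbol, r.module) for r in old}
    after = {(r.symbol, r.module) for r in new}
    return sorted(after - before), sorted(before - after)


# rd_rules.txt contents copied from this page, one per challenge level.
HOW_TO_OPEN_A_FILE = """\
CreateFileA kernel32 2 none 1
CreateFileW kernel32 2 none 2
CallNamedPipeA kernel32 2 none 1
CallNamedPipeW kernel32 2 none 2
CreateFile2 kernel32 2 none 1
CreateFileTransactedA kernel32 2 none 3
CreateFileTransactedW kernel32 2 none 3
OpenFile kernel32 2 none 3
I miss 1 open 0
"""
HOW_TO_OPEN_A_FILE_2 = """\
CreateFileA kernelbase 2 none 1
CreateFileW kernelbase 2 none 2
CallNamedPipeW kernelbase 2 none 2
CreateFile2 kernelbase 2 none 1
The hooks_go 1 deeper 0
"""
HOW_TO_OPEN_A_FILE_5 = """\
NtOpenFile ntdll 2 none 1
NtCreateFile ntdll 2 none 2
NtFsControlFile ntdll 2 none 3
NtCreateTransaction ntdll 2 none 4
NtCreateThreadEx ntdll 3 none 6
NtCreateThread ntdll 3 none 7
NtAllocateVirtualMemory ntdll 2 none 8
NtWriteVirtualMemory ntdll 2 none 11
NtProtectVirtualMemory ntdll 2 none 9
whats winnt.h 1 do 0
"""

if __name__ == "__main__":
    previous = []
    for name, text in [("how-to-open-a-file", HOW_TO_OPEN_A_FILE),
                       ("how-to-open-a-file-2", HOW_TO_OPEN_A_FILE_2),
                       ("how-to-open-a-file-5", HOW_TO_OPEN_A_FILE_5)]:
        rules, notes = parse_rules(text)
        added, removed = diff_rules(previous, rules)
        print(f"{name}: deepest hooked layer {deepest_layer(rules)}, hint {notes}")
        print("  hooks:", by_module(rules), "\n  added:", added, "\n  removed:", removed)
        previous = rules
```

The point the diff makes visible is the one the "hooks go deeper" hint alludes to: the Win32 CreateFile* exports in kernel32 are thin forwarders to kernelbase, which in turn reach the Nt* stubs in ntdll, so a user-mode hook only observes callers that enter at or above its own layer. That is general Windows knowledge, not a description of robdefender's internals, and it says nothing about the RDDriver.sys kernel component that also ships with the EDR; the page explicitly warns against spending time on the EDR implementation itself.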
154 | -------------------------------------------------------------------------------- /injection-and-hijacking/RDDriver.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/injection-and-hijacking/RDDriver.sys -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what-2/RD/RDDriver.sys: -------------------------------------------------------------------------------- 1 | ../../RDDriver.sys -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what-2/RD/hook.dll: -------------------------------------------------------------------------------- 1 | ../../hook.dll -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what-2/RD/rd_rules.txt: -------------------------------------------------------------------------------- 1 | VirtualAlloc kernel32 2 none 1 2 | VirtualAllocEx kernel32 2 none 2 3 | VirtualProtect2FromApp kernel32 2 none 3 4 | VirtualProtect2 kernel32 2 none 4 5 | VirtualProtectEx kernel32 2 none 4 6 | VirtualProtect kernel32 2 none 4 7 | Thats a_lot_of 1 allocs 0 8 | -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what-2/RD/robdefender.exe: -------------------------------------------------------------------------------- 1 | ../../robdefender.exe -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what-2/calc99.exe: -------------------------------------------------------------------------------- 1 | ../calc99.exe -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what-2/init.ps1: 
-------------------------------------------------------------------------------- 1 | sc.exe create Robdefender binPath="C:\challenge\RD\Robdefender.exe" displayname="Robdefender" start=auto 2 | start-service Robdefender 3 | -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what/RD/RDDriver.sys: -------------------------------------------------------------------------------- 1 | ../../RDDriver.sys -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what/RD/hook.dll: -------------------------------------------------------------------------------- 1 | ../../hook.dll -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what/RD/rd_rules.txt: -------------------------------------------------------------------------------- 1 | VirtualAlloc kernel32 2 none 1 2 | VirtualAllocEx kernel32 2 none 2 3 | VirtualProtectEx kernel32 2 none 4 4 | VirtualProtect kernel32 2 none 3 5 | What does_this 1 mean 0 6 | -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what/RD/robdefender.exe: -------------------------------------------------------------------------------- 1 | ../../robdefender.exe -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what/calc99.exe: -------------------------------------------------------------------------------- 1 | ../calc99.exe -------------------------------------------------------------------------------- /injection-and-hijacking/alloc-for-what/init.ps1: -------------------------------------------------------------------------------- 1 | sc.exe create Robdefender binPath="C:\challenge\RD\Robdefender.exe" displayname="Robdefender" start=auto 2 | start-service Robdefender 3 | 
-------------------------------------------------------------------------------- /injection-and-hijacking/calc99.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/injection-and-hijacking/calc99.exe -------------------------------------------------------------------------------- /injection-and-hijacking/hello-world/hello_world.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/injection-and-hijacking/hello-world/hello_world.exe -------------------------------------------------------------------------------- /injection-and-hijacking/hook.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/injection-and-hijacking/hook.dll -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-2/RD/RDDriver.sys: -------------------------------------------------------------------------------- 1 | ../../RDDriver.sys -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-2/RD/hook.dll: -------------------------------------------------------------------------------- 1 | ../../hook.dll -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-2/RD/rd_rules.txt: -------------------------------------------------------------------------------- 1 | CreateFileA kernelbase 2 none 1 2 | CreateFileW kernelbase 2 none 2 3 | CallNamedPipeW kernelbase 2 none 2 4 | CreateFile2 kernelbase 2 none 1 5 | The hooks_go 1 deeper 0 6 | 
-------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-2/RD/robdefender.exe: -------------------------------------------------------------------------------- 1 | ../../robdefender.exe -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-2/calc99.exe: -------------------------------------------------------------------------------- 1 | ../calc99.exe -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-2/init.ps1: -------------------------------------------------------------------------------- 1 | sc.exe create Robdefender binPath="C:\challenge\RD\Robdefender.exe" displayname="Robdefender" start=auto 2 | start-service Robdefender 3 | -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-3/RD/RDDriver.sys: -------------------------------------------------------------------------------- 1 | ../../RDDriver.sys -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-3/RD/hook.dll: -------------------------------------------------------------------------------- 1 | ../../hook.dll -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-3/RD/rd_rules.txt: -------------------------------------------------------------------------------- 1 | NtOpenFile ntdll 2 none 1 2 | NtCreateFile ntdll 2 none 2 3 | NtFsControlFile ntdll 2 none 2 4 | NtCreateTransaction ntdll 2 none 1 5 | No escaping_this 1 hacker 0 6 | -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-3/RD/robdefender.exe: -------------------------------------------------------------------------------- 1 | ../../robdefender.exe 
-------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-3/calc99.exe: -------------------------------------------------------------------------------- 1 | ../calc99.exe -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-3/init.ps1: -------------------------------------------------------------------------------- 1 | sc.exe create Robdefender binPath="C:\challenge\RD\Robdefender.exe" displayname="Robdefender" start=auto 2 | start-service Robdefender 3 | -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-4/RD/RDDriver.sys: -------------------------------------------------------------------------------- 1 | ../../RDDriver.sys -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-4/RD/hook.dll: -------------------------------------------------------------------------------- 1 | ../../hook.dll -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-4/RD/rd_rules.txt: -------------------------------------------------------------------------------- 1 | NtOpenFile ntdll 2 none 1 2 | NtCreateFile ntdll 2 none 2 3 | NtFsControlFile ntdll 2 none 2 4 | NtCreateTransaction ntdll 2 none 1 5 | NtCreateThread ntdll 3 nope 1 6 | NtCreateThreadEx ntdll 3 nope 1 7 | Stop those_pesky 1 threads 0 8 | -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-4/RD/robdefender.exe: -------------------------------------------------------------------------------- 1 | ../../robdefender.exe -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-4/calc99.exe: 
-------------------------------------------------------------------------------- 1 | ../calc99.exe -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-4/init.ps1: -------------------------------------------------------------------------------- 1 | sc.exe create Robdefender binPath="C:\challenge\RD\Robdefender.exe" displayname="Robdefender" start=auto 2 | start-service Robdefender 3 | -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-5/RD/RDDriver.sys: -------------------------------------------------------------------------------- 1 | ../../RDDriver.sys -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-5/RD/hook.dll: -------------------------------------------------------------------------------- 1 | ../../hook.dll -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-5/RD/rd_rules.txt: -------------------------------------------------------------------------------- 1 | NtOpenFile ntdll 2 none 1 2 | NtCreateFile ntdll 2 none 2 3 | NtFsControlFile ntdll 2 none 3 4 | NtCreateTransaction ntdll 2 none 4 5 | NtCreateThreadEx ntdll 3 none 6 6 | NtCreateThread ntdll 3 none 7 7 | NtAllocateVirtualMemory ntdll 2 none 8 8 | NtWriteVirtualMemory ntdll 2 none 11 9 | NtProtectVirtualMemory ntdll 2 none 9 10 | whats winnt.h 1 do 0 11 | -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-5/RD/robdefender.exe: -------------------------------------------------------------------------------- 1 | ../../robdefender.exe -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-5/calc99.exe: 
-------------------------------------------------------------------------------- 1 | ../calc99.exe -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file-5/init.ps1: -------------------------------------------------------------------------------- 1 | sc.exe create Robdefender binPath="C:\challenge\RD\Robdefender.exe" displayname="Robdefender" start=auto 2 | start-service Robdefender 3 | -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file/RD/RDDriver.sys: -------------------------------------------------------------------------------- 1 | ../../RDDriver.sys -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file/RD/hook.dll: -------------------------------------------------------------------------------- 1 | ../../hook.dll -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file/RD/rd_rules.txt: -------------------------------------------------------------------------------- 1 | CreateFileA kernel32 2 none 1 2 | CreateFileW kernel32 2 none 2 3 | CallNamedPipeA kernel32 2 none 1 4 | CallNamedPipeW kernel32 2 none 2 5 | CreateFile2 kernel32 2 none 1 6 | CreateFileTransactedA kernel32 2 none 3 7 | CreateFileTransactedW kernel32 2 none 3 8 | OpenFile kernel32 2 none 3 9 | I miss 1 open 0 10 | -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file/RD/robdefender.exe: -------------------------------------------------------------------------------- 1 | ../../robdefender.exe -------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file/calc99.exe: -------------------------------------------------------------------------------- 1 | ../calc99.exe 
-------------------------------------------------------------------------------- /injection-and-hijacking/how-to-open-a-file/init.ps1: -------------------------------------------------------------------------------- 1 | sc.exe create Robdefender binPath="C:\challenge\RD\Robdefender.exe" displayname="Robdefender" start=auto 2 | start-service Robdefender 3 | -------------------------------------------------------------------------------- /injection-and-hijacking/robdefender.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/injection-and-hijacking/robdefender.exe -------------------------------------------------------------------------------- /injection-and-hijacking/the-humble-calculator/calc99.exe: -------------------------------------------------------------------------------- 1 | ../calc99.exe -------------------------------------------------------------------------------- /windows-crash-course/.init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #runuser -u hacker windows start 3 | #/opt/pwn.college/docker-entrypoint.d/38_start_windows_gui.sh 4 | -------------------------------------------------------------------------------- /windows-crash-course/DESCRIPTION.md: -------------------------------------------------------------------------------- 1 | Learning to work in a new operating system is like learning to walk for the first time again. 2 | Start your journey by revisiting early concepts in a new guise. 
3 | 4 | -------------------------------------------------------------------------------- /windows-crash-course/babywin-cookiemonster-1/BabyWinCookieMonster1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/babywin-cookiemonster-1/BabyWinCookieMonster1.exe -------------------------------------------------------------------------------- /windows-crash-course/babywin-cookiemonster-1/BabyWinCookieMonster1.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/babywin-cookiemonster-1/BabyWinCookieMonster1.pdb -------------------------------------------------------------------------------- /windows-crash-course/level-1/.init: -------------------------------------------------------------------------------- 1 | ../.init -------------------------------------------------------------------------------- /windows-crash-course/level-1/babywinsmoketest.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-1/babywinsmoketest.exe -------------------------------------------------------------------------------- /windows-crash-course/level-1/babywinsmoketest.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-1/babywinsmoketest.pdb -------------------------------------------------------------------------------- /windows-crash-course/level-2/.init: -------------------------------------------------------------------------------- 1 | ../.init 
-------------------------------------------------------------------------------- /windows-crash-course/level-2/BabyWinSimpleOverflowNoASLR.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-2/BabyWinSimpleOverflowNoASLR.exe -------------------------------------------------------------------------------- /windows-crash-course/level-2/BabyWinSimpleOverflowNoASLR.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-2/BabyWinSimpleOverflowNoASLR.pdb -------------------------------------------------------------------------------- /windows-crash-course/level-3/.init: -------------------------------------------------------------------------------- 1 | ../.init -------------------------------------------------------------------------------- /windows-crash-course/level-3/BabyWinSimpleOverflow.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-3/BabyWinSimpleOverflow.exe -------------------------------------------------------------------------------- /windows-crash-course/level-3/BabyWinSimpleOverflow.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-3/BabyWinSimpleOverflow.pdb -------------------------------------------------------------------------------- /windows-crash-course/level-4/.init: -------------------------------------------------------------------------------- 1 | ../.init 
--------------------------------------------------------------------------------
/windows-crash-course/level-4/BabyWinAslrWinInDll.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-4/BabyWinAslrWinInDll.exe
--------------------------------------------------------------------------------
/windows-crash-course/level-4/BabyWinAslrWinInDll.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-4/BabyWinAslrWinInDll.pdb
--------------------------------------------------------------------------------
/windows-crash-course/level-4/win.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-4/win.dll
--------------------------------------------------------------------------------
/windows-crash-course/level-5/.init:
--------------------------------------------------------------------------------
../.init
--------------------------------------------------------------------------------
/windows-crash-course/level-5/BabyWinSCCallWriteFile.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-5/BabyWinSCCallWriteFile.exe
--------------------------------------------------------------------------------
/windows-crash-course/level-5/BabyWinSCCallWriteFile.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-5/BabyWinSCCallWriteFile.pdb
--------------------------------------------------------------------------------
/windows-crash-course/level-6/.init:
--------------------------------------------------------------------------------
../.init
--------------------------------------------------------------------------------
/windows-crash-course/level-6/BabyWinSCCallWriteFileNoLeak.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-6/BabyWinSCCallWriteFileNoLeak.exe
--------------------------------------------------------------------------------
/windows-crash-course/level-6/BabyWinSCCallWriteFileNoLeak.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-6/BabyWinSCCallWriteFileNoLeak.pdb
--------------------------------------------------------------------------------
/windows-crash-course/level-7/.init:
--------------------------------------------------------------------------------
../.init
--------------------------------------------------------------------------------
/windows-crash-course/level-7/BabyWinSC.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-7/BabyWinSC.exe
--------------------------------------------------------------------------------
/windows-crash-course/level-7/BabyWinSC.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pwncollege/windows-dojo/47dc1c4f1d4631024be94084626c117987560006/windows-crash-course/level-7/BabyWinSC.pdb
--------------------------------------------------------------------------------
/windows-crash-course/module.yml:
--------------------------------------------------------------------------------
name: Windows Crash Course
image: pwncollege/windows
challenges:
  - id: level-1
    name: level1
    description: "Smoke Test: start windows VM, Connect to port 4001"
  - id: level-2
    name: level2
    description: Straightforward Buffer Overflow
  - id: level-3
    name: level3
    description: BOF with ASLR enabled
  - id: level-4
    name: level4
    description: What if win is in a DLL?
  - id: level-5
    name: level5
    description: Call a WriteFile in shellcode
  - id: level-6
    name: level6
    description: Find and call WriteFile
  - id: level-7
    name: level7
    description: Now get the flag yourself.
resources:
  - name: "Applying Existing Knowledge"
    type: lecture
    slides: 1JVfle0cQaW0oJCVNWfssGgK1eexJjsHnDdCrgPsGtlQ
    video: Kvkz6lrxMn8
    playlist: PL-ymxv0nOtqptQV4CrmrtcZ6_jrnVGXi5
  - name: "Office Hours - Adam - 2024.03.11"
    type: lecture
    video: O3eZFriKXXk
    playlist: PL-ymxv0nOtqr7zM7ZBREoWa-eeSaKFJQd
  - name: "Office Hours - Robert - 2024.03.15"
    type: lecture
    video: wAUWkf4Xia4
    playlist: PL-ymxv0nOtqr7zM7ZBREoWa-eeSaKFJQd
  - name: "Class - Robert - 2024.03.19"
    type: lecture
    video: p91ddQbbNMo
    playlist: PL-ymxv0nOtqr7zM7ZBREoWa-eeSaKFJQd
  - name: "Windows on the Dojo - Getting Started Instructions"
    type: markdown
    content: |
      To get started:
      - Launch the challenge and enter the normal Linux environment.
      - Use the `windows` command in the Linux environment to `start`, `stop`, or `connect` to a Windows virtual machine. The VM may take a few moments to start.
      - The Windows desktop GUI is accessible over the web at [https://pwn.college/desktop-win](https://pwn.college/desktop-win).

      Other details:
      - Starting the VM from a practice environment will grant you administrator privileges on the Windows machine. You may need to "log out" and "log in" again before the Windows environment acknowledges this.
      - The flag is located at C:\flag.
      - Your Linux home directory is accessible via the Windows Z drive.
      - The challenge binary is located on the Y drive in Windows and at /challenge in Linux.

      Use the Windows VM in practice mode to leverage the installed tools and develop your exploit.

      In order to obtain the flag, run your exploit **FROM THE LINUX ENVIRONMENT** targeting TCP port 4001.
      There is a proxy service running inside the Windows VM with elevated permissions.
--------------------------------------------------------------------------------
