xp_subdirs - MSSQL Extended Procedures For Fun and Profit
Most write-ups about xp_subdirs say the same thing: it leaks NTLM hashes if you point it at a UNC path, but have you ever asked why and how you get back that hash?
In our previous ASR introduction article, we explored Attack Surface Reduction (ASR) and learned how to configure rules to prevent potential threats. In this installment, we dive into techniques to bypass a specific ASR rule that professionals encounter in the field.
Windows Defender Exploit Guard, introduced with Windows 10, stands as a formidable defense mechanism against next-generation malware. Acknowledging the limitations of traditional antivirus technologies, Exploit Guard comprises four key components:
First off, a big thank you to the challenge authors, this one was genuinely well-crafted. It was packed with real-world attack techniques and clever misdirections that kept me on my toes for two solid days.
This was a genuinely fun challenge because it sat right at the intersection of web exploitation and binary reversing. It was actually my first time dealing with a challenge that combined both disciplines, and it was a good reminder that real-world web vulnerabilities don't always live purely in the application layer.
One of the things that makes calloc feel "safer" than malloc is that it zeros out the allocated memory before handing it back to you. But there is a little-known code path inside __libc_calloc that skips that zeroing step entirely, and it can be abused to leak both libc and heap addresses with a minimal set of primitives.