3/23/2023 0 Comments Abyss web server reverse shellNext, I used smbmap and smbclient to gather some information on any shares available through the Samba service. I tried FTP first to check for anonymous logins being allowed, but no luck there. The results show 6 services listening: FTP, SSH, NetBios, SMB, HTTP-proxy, and regular HTTP. I followed up with a scan of all ports, but it didn’t come back with any additional ones that what is listed below. I started out with a basic nmap scan to run default scripts, enumerate versions of detected services, and log the output to a file for later reference. I should point out that I generally prefer the open-ended format of Hack the Box, so tried to avoid looking at the tasks as much as possible (until the end) and just figuring out what needed to be done.įirst up, once I was connected to the VPN, a quick ping shows the VM is up and running. When you open up the room it gives you a list of tasks to perform and enter answers for, but the first is always to deploy the machine, which activates the VM you’re going to be targeting.Īfter deploying, we get the IP we’ll attack once we’re connected with the OpenVPN config file provided through the site. The site itself seems pretty cool and has a large number of “Rooms” that serve as the challenges.Īnyway, the room I tried was called Vulnversity and describes itself as “Learn about active recon, web app attacks and privilege escalation”. This site is similar to Hack the Box, but seems a little more beginner friendly as it has questions you’re supposed to answer about each challenge that serve as a way to guide you in the right direction, whereas a lot of the HTB machines are ambiguous and you just have to figure out what to do. Today I tried out one of the easier challenges on. However, I’m back now and ready to go, plus I know Rose and Jordan have been sorely lacking good reading material. Prior to taking (and passing!) my OSCP exam back in February, I was doing as many CTF machines as I could for practice and burned myself out a bit. Since it has been a while and I have some free time at home, I figured I should get back to doing some write-ups. As the application would likely be running as the current user, this should provide a Net-NTLMv2 hash that can either be cracked or passed to another machine.(Credentials) Have the application try to connect to the attacker’s SMB server that is running Responder.This would avoid needing to write the log file to disk.(Exfiltration) Have the application perform an HTTP request with the submitted password to the attacker’s external server.I haven’t tested either of these personally, but they should work in theory: I’m not going to detail anymore in this post, but I will list two potential ideas that could be done with this specific app and there are countless others for other applications depending on their functionality and purpose. C:\Program Files, but it’s not abnormal to compromise a machine and find more interesting things to do with it during post-exploitation. In many cases this would require administrative rights to access the original’s location on disk, i.e. NET binary with a modified one, there are a variety of other useful things that could be added. If we have access to overwrite an existing. It will not be exactly the same as the original, but will usually be close enough that you won’t notice much of a difference.Īs an example of what this looks like, I created a simple C# Windows Forms application in Visual Studio that displays a login prompt and prints a message on submission for whether or not the password was correct.Ĭontents of the log file created by application Closing and other potential ideas The useful part about this in our case is that a decompiler can reconstruct what it thinks the original code looked like much easier from IL code. This IL code is a higher level machine language than the usual assembly language used by the CPU, such as instructions like jmp, push eax, pop ebx, etc. Given how popular C#/.NET is in the world today, this seems like a good topic.Īs a quick overview, when a developer creates an application written in C#/.NET and compiles it, the compiler generates a file that contains what’s known as Intermediate Level code (IL code). I haven’t written anything in a while because I’ve been going through various trainings/courses, but I want to start getting back into the habit of it, so today I’m going to talk about the process of adding a backdoor to a.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |