Posts

Showing posts from November, 2017

0wn!ng LazySysAdmin: 1

Hi, in this post I am going to write about how I owned the LazySysAdmin: 1 machine, which is hosted on Vulnhub. As usual, I start with an arp-scan and discover the target IP address. Next comes the port scan. I decided to first enumerate the web page. Enumeration reveals that WordPress and phpMyAdmin are running. It is clear that the name of the admin is "togie", which may come in useful at a later time. Next, I searched through the website; there are files with directory listing, etc., but I hit a roadblock on the web service. I decided to look over at the SMB ports, 139 and 445. Using smbclient, I checked whether null sessions are enabled, and my guess is correct. There are some interesting files here. After further digging I have two pieces of information: 1. In wp-config, we see that the DB username and password are present. 2. The file deets.txt has a clue: Now, with username " Admin " and password " TogieMYSQL12345^^ " I can logi...

Automating backdoor creation for PE files

Hello, in this post I shall write about my experiences and attempts at automating the process of backdoor creation for Windows PE (Portable Executable) files. Rather than a short and quick success, it has been many failures and frustrations, but I made some commendable progress by trying harder. I would like to point out that I am not publishing the entire code; I am giving you an outline of "how to do it" and will include short code snippets. The post highlights my journey, where I faced the most issues and spent the most time, and where I could have done better. The rough idea for a backdoor is that we need to redirect the code flow at the entry point of a PE file to a clean section within the PE file where the shellcode is located to do the evil deed, and it then hands control back to the original code execution of the file. But we need to talk about the above statement in a detailed manner. [+] Getting the entry point of a PE & making a clean section within the PE file. Wh...