Intro

Around beginning of this year, I wanted to start studying for OSWE (WEB-300) from Offensive Security to boost my web application security skills. I took the updated OSWE course that was revamped in 2020. The whole experience of taking the course and the exam were amazing. It was the most valuable Offensive Security training that I have ever done. I highly recommend this course to anyone who wants to ramp-up their web application exploitation and source code review skills.

Since there are already plethora of the review about this OSWE exam about how it’s structured, what you will be learning…

What is Crypter?

A crypter is a software that can encrypt, obfuscate and manipulate malware or a RAT (Remote Access Tool) tool to potentially bypass security products such as anti-viruses.

Encryption Process

For creating a simple crpyter, I will be using the following process:

• Generate a key with random characters & seed (32 characters hard-coded as of now)
• AES Encrypt #1 — Initialize the state array with the block data using the key
• AES Encrypt #2 — Generate IV (Initialization Vector) using block size + length of shellcode
• AES Encrypt #3 — Run the encryption process using the block and IV
• Base64 encode the results

Decryption Process

• …

What is Polymorphism?

The polymorphism means the ability of an object to take on many forms. In computer science, the term polymorphism also means the ability of different objects/codes to respond in a unique way to the same functionality.

Shellcode Selection

I will use the following shellcode from the Shell-Storm to demonstrate the polymorphic shellcode:

• sys_exit(0) — http://shell-storm.org/shellcode/files/shellcode-623.php
• /bin/sh — http://shell-storm.org/shellcode/files/shellcode-752.php
• /bin/cat /etc/passwd — http://shell-storm.org/shellcode/files/shellcode-571.php

1) sys_exit(0)

The original shellcode from the Shell-Storm is as following:

/*
Name   : 8 bytes sys_exit(0) x86 linux shellcode
Date   : may, 31 2010
Author : gunslinger_
Web    : devilzc0de.com
blog   : gunslinger.devilzc0de.com
tested on : linux debian
*/char *bye=…

Msfvenom Shellcode Analysis

Today I will analyze the following shellcode generated by the msfvenom, specifically in linux/x86:

• linux/x86/exec — Execute an arbitrary command
• linux/x86/shell_bind_tcp — Listen for a connection and spawn a command shell
• linux/x86/shell_reverse_tcp — Connect back to attacker and spawn a command shell

1) linux/x86/exec

This msfvenom will execute an arbitrary command that you add while creating a payload. Let’s create the payload with the linux command id.

# msfvenom -p linux/x86/exec CMD=id -f c
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 38 bytes
Final size of…

What is Encoder?

In computer systems, an encoder can be used for various purposes. For example, Base64 encodes binary data into an ASCII characters which are known to pretty much every computer system. Or one may use an encoder to mangle their own code to potentially bypass a security product such as AV. Today, I will demonstrate a simple custom encoding scheme for a x86 shellcode.

Encoding Scheme

Help was an easy difficulty Linux box. Good learning path for:

• GraphQL Query Enumeration
• Unauthenticated PHP File Upload (HelpDeskZ)
• Linux Kernel Exploit

Initial Recon

Nmap

# nmap -Pn --open -T4 -sV -sC -p- 10.10.10.121Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-13 00:14 EDT
Nmap scan report for 10.10.10.121
Host is up (0.081s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http…

Json was a medium difficulty Windows box. Good learning path for:

• JSON-based deserialization (Bearer: header)
• JuicyPotato Exploit (SeImpersonatePrivilege)

Initial Recon

Nmap

# nmap -Pn --open -sC -sV -p- -T4 10.10.10.158PORT     STATE  SERVICE      VERSION
21/tcp   open   ftp          FileZilla ftpd
| ftp-syst:
|_  SYST: UNIX emulated by FileZilla
80/tcp   open   http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Json HTB
135/tcp  open   msrpc…

Unattended was a medium difficulty Linux box. Good learning path for:

• Nginx off-by-slash Attack
• SQLi (boolean-based Blind)
• SQLi → LFI (Abusing Existing <?php include(); ?>)
• LFI → PHP Session Poisoning → RCE
• Socket TTY Shell
• Linux initrd Exploit

Initial Recon

Nmap

#  nmap -Pn --open -T4 -sV -sC -p- 10.10.10.126Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-12 12:33 EDT
Nmap scan report for 10.10.10.126
Host is up (0.078s latency).
Not shown: 65533 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE  VERSION
80/tcp  open  http     nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Site doesn't have…