Response - HTB [Discussion]
(September 21, 2022, 03:57 AM)technic Wrote:
(September 21, 2022, 12:12 AM)onl1_f4ns Wrote:
(September 19, 2022, 03:25 AM)technic Wrote:
(September 18, 2022, 07:13 PM)pleasehelpme Wrote:
(July 18, 2022, 05:11 PM)yournamehere Wrote: Yup, there are only 2 packets with this type, and they can't be confused with other ones ;) Got all 5 files now.
BTW, I used a script to parse all the first packets, then did the zip recovery manually.
Now I have to exploit those 2 files. I think I can see something interesting and found some references.


I'm on scryh -> root.
I have the incident files.
I'm trying to decrypt packets.

How did you get the AES keys? Do you have to reverse engineer the coredump binary?


You can get the binary executable from the pcap and inspect the coredump in gdb: gdb binary coredump.
  • reverse the executable, search the API, and find the source code for the library used.
  • find in the source code where the AES key is stored, and the allocation sizes of each related structure.
  • you can inspect the stack area, dump up to the stack frame of main, and collect heap pointers (their addresses differ significantly from function pointers).
  • checking the chunk size of each heap pointer, find one that matches the top control structure. From there you can follow the structures and find the AES key storage.


I read all the docs about TLV packets that I was able to find and am still stuck on this part.
https://github.com/OJ/clr-meterpreter/blob/master/streams/2019-04-25-Part-2/tlv.md

We need to de-XOR all the packets first and then we need to extract an encryption key, right? How do we find and extract this encryption key for the packets? And how do we know whether packets are non-encrypted or encrypted?

And there's more.. some packets have 00 04 00 01 as a XOR key, but some 00 00 00 01:

0000  00 04 00 01 00 06 08 00 27 9d 84 9e 02 74 08 00
0010  45 00 00 3c 2d 8b 40 00 40 06 de ce 0a 0a 0d 25
0020  0a 0a 0d 2a a2 ba 11 5c c9 ef 8a d5 00 00 00 00
0030  a0 02 fa f0 2e 91 00 00 02 04 05 b4 04 02 08 0a
0040  5e 55 23 f4 00 00 00 00 01 03 03 07

another:
0000  00 00 00 01 00 06 08 00 27 2a be 42 36 4d 08 00
0010  45 00 00 3c 00 00 40 00 40 06 0c 5a 0a 0a 0d 2a
0020  0a 0a 0d 25 11 5c a2 ba d7 96 03 14 c9 ef 8a d6
0030  a0 12 fe 88 da d6 00 00 02 04 05 b4 04 02 08 0a
0040  a2 ec 37 70 5e 55 23 f4 01 03 03 07


I don't really get it.. is it supposed to change?
I have read a nice blog post https://www.bussink.net/meterpreter-reverse_http-how-does-it-communicate-between-device-and-the-msf/
where he's just de-XORing packets to at least see a key, but I don't see such a thing...

The XOR key changes for each packet.
Some corrections to the above link on the TLV packet:
    4 bytes         16 bytes           4 bytes       4 bytes   4 bytes
[    XOR KEY   ][ SESSION GUID ][ ENCRYPTION FLAG ][ length ][  type  ][ data ]
                [               THIS IS XORED                                 ]


The length field counts from the length field onwards (length + type + data).
ENCRYPTION FLAG = 1 indicates the data part is AES encrypted (16-byte IV + encrypted data).
ENCRYPTION FLAG = 0 indicates the data part is not encrypted (a series of TLVs).
Note that a TLV packet may span several TCP packets.

For the AES encryption key, you need to extract it from the coredump (follow the previous post).


Thanks for making it clearer to me. I got the `scryh` account a long time ago and am just badly stuck on the final steps for root...
I've never done anything like this... meterpreter session reversing... and it's incredibly baffling! This is exactly why this challenge is of insane level indeed!
I was very confused because there's not so much info on this topic, even after reading all of these posts. Especially where to find this AES key. For some reason I thought it's inside of this meterpreter session..
Will try to do this now.
Oh, and we also need to extract this binary from the pcap, which an attacker uploaded to the target... I think I got the logic now... thanks!
Reply
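Worked example, added here and not taken from any post in this thread or from the Metasploit project: a Python parser for the framing technic lays out above. It unmasks the 4-byte XOR key, reads the XORed GUID / encryption flag / length / type header, uses the length field (which counts itself, the type and the data, so a whole packet is 24 + length bytes) to cut packets out of a reassembled TCP stream, parses plain TLVs, and splits an encrypted body into its 16-byte IV and ciphertext. The AES-256-CBC decrypt assumes pycryptodome is installed and needs the 32-byte key recovered from the coredump; the sample stream, its GUID, XOR key, method string and random "ciphertext" are all constructed so the block runs offline. The TLV type constants and meta-type bits are the values Meterpreter uses. One caveat on the two hexdumps quoted earlier in the thread: they begin with a Linux cooked-capture (SLL) header (packet type, ARPHRD_ETHER = 00 01, address length 00 06, the hardware address, then 08 00 for IPv4), followed by an IPv4 header and a TCP SYN (flags a0 02) and SYN-ACK (a0 12) to port 4444 (11 5c) with no payload at all, so 00 04 00 01 and 00 00 00 01 are link-layer fields, not XOR keys; the XOR key is the first four bytes of the TCP payload.

```python
"""Parser for the Meterpreter TLV framing described above; sample input is constructed."""
import os
import struct

HEADER_LEN = 32          # 4 XOR key + 16 GUID + 4 enc flag + 4 length + 4 type
ENC_FLAG_NONE = 0        # data is a series of TLVs
ENC_FLAG_AES256 = 1      # data is 16-byte IV + AES-256-CBC ciphertext (PKCS#7 padded)
# Meta-type bits in the upper half of every TLV type value (Meterpreter's values)
TLV_META_STRING, TLV_META_UINT, TLV_META_QWORD = 1 << 16, 1 << 17, 1 << 20
TLV_TYPE_METHOD, TLV_TYPE_REQUEST_ID = TLV_META_STRING | 1, TLV_META_STRING | 2
PACKET_TYPE_REQUEST, PACKET_TYPE_RESPONSE = 0, 1

def xor_bytes(data, key):
    """Repeating XOR with the 4-byte key; the same call masks and unmasks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_tlvs(payload):
    """Decode [length][type][value] TLVs; each length includes its own 8-byte header."""
    tlvs, off = [], 0
    while off < len(payload):
        if off + 8 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % off)
        length, tlv_type = struct.unpack(">II", payload[off:off + 8])
        if length < 8 or off + length > len(payload):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        value = payload[off + 8:off + length]
        if tlv_type & TLV_META_STRING:
            value = value.rstrip(b"\x00").decode("utf-8", "replace")   # NUL-terminated
        elif tlv_type & TLV_META_UINT:
            value = struct.unpack(">I", value)[0]
        elif tlv_type & TLV_META_QWORD:
            value = struct.unpack(">Q", value)[0]
        tlvs.append((tlv_type, value))
        off += length
    return tlvs

def aes256_cbc_decrypt(key, iv, ciphertext):
    """Metasploit's aes-256-cbc with PKCS#7 padding. Assumes pycryptodome is installed."""
    from Crypto.Cipher import AES   # imported here so the plain path needs no extra package
    if len(key) != 32 or len(iv) != 16 or len(ciphertext) % 16:
        raise ValueError("bad key/IV/ciphertext length for AES-256-CBC")
    plain = AES.new(key, AES.MODE_CBC, iv).decrypt(ciphertext)
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or corrupted data")
    return plain[:-pad]

def unpack_packet(raw, aes_key=None):
    """De-XOR one packet at the start of raw and return its header fields and TLVs."""
    if len(raw) < HEADER_LEN:
        raise ValueError("need %d header bytes, have %d" % (HEADER_LEN, len(raw)))
    xor_key = raw[:4]
    hdr = xor_bytes(raw[4:HEADER_LEN], xor_key)      # 28 bytes: GUID, flag, length, type
    enc_flag, length, ptype = struct.unpack(">III", hdr[16:28])
    total = 24 + length                               # key, GUID and flag are outside length
    if length < 8 or len(raw) < total:
        raise ValueError("packet claims %d bytes, have %d" % (total, len(raw)))
    data = xor_bytes(raw[HEADER_LEN:total], xor_key)  # 28 % 4 == 0, so the key phase restarts cleanly
    pkt = {"xor_key": xor_key, "guid": hdr[:16], "enc_flag": enc_flag,
           "length": length, "type": ptype, "size": total}
    if enc_flag == ENC_FLAG_NONE:
        pkt["tlvs"] = parse_tlvs(data)
    elif enc_flag == ENC_FLAG_AES256:
        pkt["iv"], pkt["ciphertext"] = data[:16], data[16:]
        if aes_key is not None:
            pkt["tlvs"] = parse_tlvs(aes256_cbc_decrypt(aes_key, pkt["iv"], pkt["ciphertext"]))
    else:
        raise ValueError("unknown encryption flag %d" % enc_flag)
    return pkt

def split_stream(stream, aes_key=None):
    """Cut packets out of a reassembled TCP stream using only the de-XORed length field
    (a TLV packet may span several segments, and several packets may share one)."""
    packets, off = [], 0
    while off + HEADER_LEN <= len(stream):
        pkt = unpack_packet(stream[off:], aes_key)
        packets.append(pkt)
        off += pkt["size"]
    if off != len(stream):
        raise ValueError("%d trailing bytes: stream is incomplete" % (len(stream) - off))
    return packets

def build_tlv(tlv_type, value):
    """Encoder, used here only to construct sample input."""
    if tlv_type & TLV_META_STRING:
        value = value.encode() + b"\x00"
    elif tlv_type & TLV_META_UINT:
        value = struct.pack(">I", value)
    return struct.pack(">II", 8 + len(value), tlv_type) + value

def build_packet(ptype, data, guid, enc_flag=ENC_FLAG_NONE, xor_key=None):
    """Constructed packet in the same framing (Metasploit draws four non-zero random key bytes)."""
    xor_key = xor_key or bytes(b % 255 + 1 for b in os.urandom(4))
    body = guid + struct.pack(">III", enc_flag, 8 + len(data), ptype) + data
    return xor_key + xor_bytes(body, xor_key)

# Constructed sample stream (not captured traffic): a plain request followed by an
# encrypted response whose body is random bytes standing in for IV + ciphertext.
SAMPLE_GUID = bytes(range(16))
SAMPLE_STREAM = build_packet(
    PACKET_TYPE_REQUEST,
    build_tlv(TLV_TYPE_METHOD, "core_channel_open") + build_tlv(TLV_TYPE_REQUEST_ID, "12345678"),
    SAMPLE_GUID, xor_key=b"\x3a\x91\x07\xc4",
) + build_packet(PACKET_TYPE_RESPONSE, os.urandom(48), SAMPLE_GUID, ENC_FLAG_AES256)
```

On real traffic, feed split_stream the TCP payload of the session in each direction (Wireshark's Follow TCP Stream raw export works), and pass the key from the coredump as aes_key; a wrong key shows up as a padding error rather than garbage TLVs, which makes it a quick check on any 32-byte candidate pulled out of the heap.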
Anyone have an SSH key for root?
Reply
Yo, anyone know how to privesc to the scryh user? I'm really stuck.


I've tried modifying LDAP to point to my IP address, but it just throws this error:

modifying entry "ou=servers,dc=response,dc=htb"
ldap_modify: Object class violation (65)
additional info: attribute 'ipHostNumber' not allowed
Reply
(July 10, 2022, 02:36 PM)yournamehere Wrote: Finally escalated to scryh. Oh wow, I know why this box is called Response now!

Was fun though :P 

root part now. I think I got the logic already


Hello, could you give me a hint to become scryh, please?
Reply
(November 13, 2022, 03:03 PM)coder1777 Wrote:
(July 10, 2022, 02:36 PM)yournamehere Wrote: Finally escalated to scryh. Oh wow, I know why this box is called Response now!

Was fun though :P 

root part now. I think I got the logic already


Hello, could you give me a hint to become scryh, please?


It needs a fake SMTP server, HTTPS server and DNS server; the nmap script has an LFI issue.
Reply
(September 21, 2022, 03:57 AM)technic Wrote:
How to root? Please tell me step by step.
Reply