Set up port forwarding on the debugged machine:
# Interactive hop onto the debugged host; the following line is presumably run there.
ssh student@atutor
# Append GatewayPorts so remote-forwarded ports may bind to non-loopback addresses
# (lab-only setting; revert it afterwards). tee -a appends on every run, so do it once.
printf '\nGatewayPorts yes \n\n' | sudo tee -a /etc/ssh/sshd_config && sudo service sshd restart
Set up the proxy server on the Kali VM/VPN machine:
# Connect
# NOTE(review): a plaintext password is embedded in source; treat it as compromised and rotate it,
# and prefer Get-Credential or a secret store so it never lands in a repo or in shell history.
$passwd = ConvertTo-SecureString "NewUserSSecret@Pass61" -AsPlainText -Force
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "AS-5945632460@oilcorptarsands.onmicrosoft.com", $passwd
Connect-AzAccount -Credential $creds
#Connect-AzureAD -Credential $creds
# NOTE(review): -ClientSecretCredential is documented as taking an app registration's client ID
# (as the user name) and client secret, while $creds holds a user UPN and password — confirm this
# call actually succeeds as intended.
$graphArgs = @{
  ClientSecretCredential = $creds
  TenantId               = 'bcdc6c96-4f80-4b10-8228-2e6477c71851'
}
Connect-MgGraph @graphArgs
## 1. Unauthenticated Recon: | |
#Get if Azure tenant is in use, tenant name and Federation | |
https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME@DOMAIN]&xml=1 |
const codeLines = `// Your decompiled C code here | |
HIWORD(v4) = HIWORD(memcpyDst0); | |
if (memcpyDst0[3] != 0x1090 && memcpyDst0[3] != 0x903 && memcpyDst0[3] != 0x508) { | |
... | |
}` | |
trackOpCode(codeLines,'memcpyDst0[3]') | |
/* output sample | |
Line 625: *(_DWORD *)(JavaClientInfo + 4 * *(_DWORD *)(JavaClientInfo + 1173160) + 1172360) = memcpyDst0[3]; | |
Line 683: if ( memcpyDst0[3] != 0x1090 && memcpyDst0[3] != 0x903 && memcpyDst0[3] != 0x508 ) | |
Line 686: if ( memcpyDst0[3] != 0x1070 && memcpyDst0[3] != 0x514 && memcpyDst0[3] != 0x521 ) |
//"use strict";
// Global list; judging by the name it holds return addresses, and it is filled in by code
// outside this fragment (nothing here appends to it).
var addrresses_we_return_to = [];
class CallTreeNode { | |
/**
 * Build a call-tree node.
 * @param name - label for the node
 * @param address - address the node stands for
 * @param [is_outside_exedll=false] - flag; presumably marks an address outside the executable/DLL under analysis (verify against callers)
 * children starts empty and is populated elsewhere.
 */
constructor(name, address, is_outside_exedll = false) {
  Object.assign(this, { name, address, is_outside_exedll, children: [] });
}
function find_cmp_use_shellcode(patternsArg) { | |
/* | |
.scriptrun c:\scripts\debug.js | |
bp 0056C4B6 | |
bp 0056c850 | |
g | |
dx .State.Scripts.debug.Contents.find_cmp_use_shellcode("4141,4242,4432") | |
*/ | |
var patterns = patternsArg.split(",") | |
if (patterns === null || patterns.length==0) { |
<!DOCTYPE html> | |
<html> | |
<head> | |
<!-- <script src="script.js"></script> --> | |
<!-- Crypto JS library --> | |
<script> | |
!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var h,r,e,l,i,n,o,t,s,a,f,c,d,H,u,p,_,y,v,g,B,m,x,b,z,A,C,w,k,S,D,R,E,M,F,P,W,O,U,I,K,et,rt,X,L,j,N,T,Z,q,G,J,$,Q,V,Y,tt,it,nt,ot,st,ct,at,ht,lt,ft=ft||(h=Math,r=Object.create||function(t){return dt.prototype=t,t=new dt,dt.prototype=null,t},ot=(st={}).lib={},e=ot.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},l=ot.WordArra |
<!DOCTYPE html> | |
<html> | |
<head> | |
<!-- <script src="script.js"></script> --> | |
</head> | |
<body> | |
<h1> GPO Pattern Searcher </h1> | |
<p> Choose the GPO path file and text pattern to search for </p> | |
<form name="myForm" onsubmit="return FindThePattern(true)"> |
/*
 * IMAGE_FIRST_SECTION: address of the first IMAGE_SECTION_HEADER, computed as the start of
 * OptionalHeader plus FileHeader.SizeOfOptionalHeader (same form as the winnt.h definition).
 * Robustness: the macro validates nothing. Before dereferencing the result, the caller must
 * check that ntheader and the SizeOfOptionalHeader-derived offset lie inside the mapped file,
 * otherwise a malformed PE header can point the section table outside the buffer.
 */
#define IMAGE_FIRST_SECTION(ntheader) \
((PIMAGE_SECTION_HEADER)(ULONG_PTR)((const BYTE *)&((const IMAGE_NT_HEADERS *)(ntheader))->OptionalHeader + \
((const IMAGE_NT_HEADERS *)(ntheader))->FileHeader.SizeOfOptionalHeader))
// IMAGE_FIRST_SECTION = pointer to the start of the optional header (cf. the OPTHDROFFSET macro) + SizeOfOptionalHeader, which lives in the image file header struct.
BOOL WINAPI GetSectionHdrByName ( | |
LPVOID lpFile, // pointer to the file | |
IMAGE_SECTION_HEADER *sh, // returned pointer to the section header | |
char *szSection // name of the section to find it. |
h1= title | |
p Welcome to #{3*3} | |
#{spawn_sync = this.process.binding('spawn_sync')} | |
#{ normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};}} | |
#{spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}conso |
spawn_sync = this.process.binding('spawn_sync') | |
normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};} | |
// Defines spawnSync, the function that will do the actual spawning | |
spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buff |
Set up port forwarding on the debugged machine:
# Interactive hop onto the debugged host; the following line is presumably run there.
ssh student@atutor
# Append GatewayPorts so remote-forwarded ports may bind to non-loopback addresses
# (lab-only setting; revert it afterwards). tee -a appends on every run, so do it once.
printf '\nGatewayPorts yes \n\n' | sudo tee -a /etc/ssh/sshd_config && sudo service sshd restart
Set up the proxy server on the Kali VM/VPN machine: