The second one was actually very hard to do. First off, the exploit must end in "}" for it to be triggered, making it rather interesting to find out where to locate your shellcode and how it would fit into the provided space. Second off, as noted in one of the forums, you had to use a DLL from the application itself and not from the OS to get the POP POP RET to work for the SEH. This caused much frustration and confusion for me... though in actuality it was pretty obvious that I should have done that, as it's standard to check application DLLs first, then OS DLLs, since this makes the exploit more reliable (the application DLLs load in the same place across OS versions, whereas many OS DLLs do not).
The third challenge was getting all of the bad characters sorted out. To do this I used generatecodes.pl and sent its output as the payload, then manually checked the results. This allowed me to find that an extra character was also causing problems, in addition to the standard ones I had already filtered out, and was thus making the application execute the standard SEH handler as normal.
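Automating the "manually checked the results" step described above, as an added example (not code from the original post or from generatecodes.pl): it builds the same 0x01-0xFF probe, then diffs the bytes observed in a debugger dump against what was sent and reports any byte that was dropped or mangled. The dump below is constructed sample data, and the KNOWN_BAD set is an assumption standing in for the "standard" bad characters the post filters out first.

```python
# Added example, not from the original post: automates the bad-character
# check. generate_codes() builds the 0x01..0xFF probe that generatecodes.pl
# produces, minus bytes already known to be bad; find_bad_chars() diffs what
# actually landed in memory (as pasted from a debugger dump) against what was
# sent. The dump used below is constructed sample data.

KNOWN_BAD = {0x00, 0x0A, 0x0D}  # assumed "standard" bad characters


def generate_codes(exclude=frozenset(KNOWN_BAD)):
    """Return the probe payload: every byte 0x01-0xFF except the excluded ones."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def find_bad_chars(sent, observed):
    """Compare the sent probe with the bytes found in memory.

    Returns a list of (offset, sent_byte, observed_byte) tuples. A dropped
    byte shifts everything after it, so the scan stops at the first mismatch
    when lengths differ; a mangled byte (same length) lets the scan continue
    and may report several offsets. observed_byte is None if the dump was
    truncated before the sent byte.
    """
    problems = []
    for i, b in enumerate(sent):
        if i >= len(observed):
            problems.append((i, b, None))
            break
        if observed[i] != b:
            problems.append((i, b, observed[i]))
            if len(observed) != len(sent):
                break  # dropped byte: later offsets no longer line up
    return problems


def next_exclusion_set(sent, observed, exclude=frozenset(KNOWN_BAD)):
    """Fold the first newly found bad byte into the set used for the next probe."""
    problems = find_bad_chars(sent, observed)
    if not problems:
        return frozenset(exclude)
    return frozenset(exclude | {problems[0][1]})


if __name__ == "__main__":
    probe = generate_codes()
    # Constructed dump: pretend the target dropped 0x3A (':') from the buffer.
    dump = probe.replace(b"\x3a", b"")
    print(find_bad_chars(probe, dump))  # [(55, 58, 59)]
    print(sorted(next_exclusion_set(probe, dump)))  # [0, 10, 13, 58]
```

Repeat with the returned exclusion set until find_bad_chars reports nothing; the remaining set is what the encoder has to avoid.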
The fourth and hardest challenge that faced me, though, was the limited space available for the shellcode. While I can't tell you what I did to go about it, I can say that Corelan's tutorials definitely helped here, and I was able to craft some shellcode that ultimately resulted in a bind shell on port 4444, created via a fairly standard msfpayload, encoded to remove all the bad characters.
The main thing I want to point out here is that all of this was possible because when you face the wall, you really do have to try harder. What I found works best is working at it in chunks. I worked till I felt like I was about to give up, tried a thing or two more, and, wait for the magic..., took a break. Yep. A break really does help, and it lets you calm down and think things through more. This last exploit took me literally a day to create (from 12 am to about 10 pm) on and off, so it was a lot of work, but the breaks helped to make things clearer.
Well, that's all I have for now. :)
-tekwizz123
Nice man, actually had a few posts to catch up on since I missed them ;).
You're making me jealous though, I really wanna do the OffSec courses, they sound awesome. What's your take on difficulty level compared to eCPPT? I decided to do eCPPT first since it was meant to be more of a challenge, but that's going by strangers, what do you think so far?
In my humble opinion, I honestly think eCPPT is good, but it lacks in many places, and I found myself a little disappointed by the exam, which, quite frankly, is s**t easy to pass. Furthermore, they don't really check your report that well; I wrote a very crappy one and I still managed to pass, even when I should have put more effort in (though I did try for the most part). While it teaches a lot about web security, there is no focus on network or OS hacking at all.
On the other hand, PWB is much harder and actually makes sure you know your stuff. Think of it like eCPPT, but for hacking into computers. Turn the difficulty up by about 5-8 notches, and leave the person pretty much on their own to learn. Provide help if applicable (aka this isn't working in the labs, can you please reset my revert counter, etc.) and let simmer. If all is good, you should develop a well-rounded hacker.
To give an example of the challenge, many of these hosts do not have straightforward exploits. While I will say that many of them can be exploited with Metasploit, the way that you go about that is not as simple as click n pwn for most hosts (a few easy ones are). For example, I just pwned a box recently, which required 3 steps: enumerating the web pages, then finding an exploit to give me the admin password for the webpage, and then using that to create a backdoor.
I would say if you're going to go for this course, then do the following:
1. Hack as many boot2roots as you can. When you get stuck, try harder, and if you still don't get it, then look at the answer. Even if you look at the answer you will still learn, though not as much. By looking at these exploits you will soon learn to recognize patterns and exploits that will help you in the labs (a lot of the exploits on these vulnerable systems are similar to the ones in the labs ;) )
2. Be prepared to put in time. And I mean time. I spent a good 4-6 hours a day for the first month or so going through the videos and lab guide, and I have just finished (well, minus one required one, because I have actually skipped a few days to try pwning the labs).
3. MOST IMPORTANT: WHEN YOU'RE LOST, IT'S BECAUSE YOU DIDN'T ENUMERATE ENOUGH!
3a. Check to see if you set up your exploits right, sometimes that localhost isn't what you think it is.
3b. Don't work at silly o'clock in the morning; it will cause you to make stupid mistakes even if the solution is right there.
4. Stay up to date with security news; it will help you develop the mentality needed.
There's more but I need to head to bed atm. (2:36 in the morning here)
Best of luck!
-tekwizz123