21 hours 43 minutes
Modifying the Code to Fit the Environment
Our learning objective is to demonstrate how to analyze and then modify code to fit the environment.
So I've spoken about this before: when we find exploit code on Exploit-DB or wherever it may be, whoever authored that code doesn't know the environment we're working in. They will leave the IP addresses from whatever exploit worked for them and assume that we know to change them to our environment. They leave ports like FTP 21, whereas in our environment it could be port 5000. Who knows?
But in some cases, in the exploit code, they actually tell us in the comments that it's a hard-coded IP address. Even in pentestmonkey's PHP reverse shell, he'll say change this, change this. Very nice of him to do that. But not everybody does that.
And it's the same with web requests. WordPress may be in a directory called wordpress, it may be in the root directory, or it may be in some other directory name like wp. So when you run your exploit, it may not work because you didn't have the correct directory structure. It's also the same with WPScan, right? If I use WPScan against a host, it will say it couldn't find WordPress. But if I specify the directory wordpress, then it will find it. You have to help these tools and these exploits and guide them to find the right directory. And there have been times where I've missed a hard-coded IP address, or I've missed a port, or I've missed the correct directory structure, and my exploit won't work. So with that in mind, let's go to a demo.
So I'm gonna do my nmap scan here, and I'm not going to do the full port scan because that will take a while. But I notice a few open ports, so it may not just be that there's one open port and that's our vulnerable service. There could be many open ports, and we have to kind of sift through that information and determine what's the lowest-hanging fruit, because we could try to do things like brute force or RDP. But I see here that FTP has anonymous login allowed, and that is Konica Minolta FTP Utility.
I want to, of course, manually verify that FTP is allowed with anonymous login. I can see that I logged in here.
But I can also, like I said, Google dork. So I would take the Konica Minolta FTP Utility information and you could go to something like exploit-db.com, and we see that we have three here, but let's choose the first one. I can either download this directly from the website, or I see it's 39205 and I could use searchsploit as well. So I could use searchsploit 39205, and that will download that to my desktop.
So if I analyze the code, I'll open it with Mousepad now, which is a little different than gedit. Like I said, it's very nice that we have the comments up here. And this is a buffer overflow, so we should be used to seeing this code. This buffer here may look like the pattern_create that we did in our module, but we don't have to go through that whole process, right? We already have a lot done for us by the author of this exploit.
We do see an msfvenom payload, and we'll have to change the LHOST to us. We can leave the LPORT as well, if we wanted to, at 4444. We already see that all the bad characters are picked out here.
If we keep reading the code, we see that we have a hard-coded IP, and the author was kind enough to tell us that. So we need to change this to our host. And we know it's on port 21, so we don't have to change that. And we also know anonymous login is allowed, so we can leave that as well.
So now what we need to do is msfvenom. So I will change this to us. You'll see the architecture x86. That might be different in our case, so pay attention to that as well. Sometimes it works, sometimes it won't work.
So I will change this code in here. Now I'll split this vertically and I'll do netcat.
And what we'll see here is: do we know if this is Python 2 or 3? I could try to execute this, and you'll see it's giving me all these errors. Also, maybe I didn't commit it correctly. It didn't seem odd. So that might be the problem. Again, I have an error. I have to figure out: is this Python 2 or 3? I could do python2 just because it looks like Python 2 to me, and we see it sent the buffer and now we've got our shell.
So that's how to find public exploit code, modify it to fit our environment, and ultimately get a shell, and also understand the version of Python, right, and why our system may or may not work, or debug why something is or isn't working.
So in summary, now we should be able to demonstrate how to analyze and then modify code to fit the environment.
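As an added example, not from the lecture or from the exploit's author: a small Python helper that does the first pass of the analysis described above on a downloaded script, listing the hard-coded IPs, ports and URL directories that must be checked against your environment, and testing whether the file parses as Python 3 before you run it. The sample script it inspects is constructed, not the Exploit-DB script from the demo.

```python
import ast
import re

# Constructed sample shaped like a public exploit script: hard-coded target IP,
# port, URL directory and a Python 2 print statement. Not the lecture's script.
SAMPLE_SCRIPT = '''import socket
# Change the IP address below to your target
target = "192.168.1.20"
port = 21
login_url = "http://192.168.1.20/wordpress/wp-login.php"
lhost = "10.10.14.5"
s = socket.socket()
s.connect((target, port))
print "sent buffer"
'''

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT_ASSIGN = re.compile(r"\b(?:port|lport|rport)\s*=\s*(\d{1,5})\b", re.I)
URL_PATH = re.compile(r"https?://[^\s\"'/]+(/[^\s\"']*)")

def python_major(src):
    """3 if it parses as Python 3, else 2 (bare print / except E, e syntax)."""
    try:
        ast.parse(src)
        return 3
    except SyntaxError:
        return 2

def find_hardcoded(src):
    """Every value to check against the target environment before running."""
    return {
        "ips": sorted(set(IPV4.findall(src))),
        "ports": sorted({int(p) for p in PORT_ASSIGN.findall(src)}),
        "paths": sorted(set(URL_PATH.findall(src))),
        "python": python_major(src),
    }

def checklist(src):
    """Review lines a tester reads before running the script."""
    f = find_hardcoded(src)
    out = ["IP %s: does it match your host/target?" % ip for ip in f["ips"]]
    out += ["port %d: does the service really listen there?" % p for p in f["ports"]]
    out += ["directory %s: is the app really at that path?" % p for p in f["paths"]]
    out.append("interpreter: run with python%d" % f["python"])
    return out

if __name__ == "__main__":
    print("\n".join(checklist(SAMPLE_SCRIPT)))
```

The Python 2/3 check is only a heuristic: a Python 2 script that happens to use only syntax valid in both versions will parse cleanly and still need to be run under the interpreter it was written for.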