Thursday, October 12, 2017

SLAE64 Exam - Assignment 2 of 7 (Reverse Shell with Password)


This post is the second of the 7 exam assignments for Pentester Academy's x86/64 Assembly and Shellcoding on Linux course.

SLAE64 - 1501

Success in these 7 assignments results in the Pentester Academy's SLAE64 certification.

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html


  • Create a Shell_Reverse_TCP shellcode
    • Reverse connects to configured IP and Port
    • Needs a “Passcode”
    • If Passcode is correct then Execs Shell
  • Remove 0x00 from the Reverse TCP Shellcode discussed
I began with the nasm I wrote during the course. This nasm was a reverse shell with null bytes removed. That nasm is here.

I added a password read and compare section to this code after the dup section and before the execve section. This section compares the password entered during execution with the password hardcoded in the script ("AAAAAAAA"). If they match, the script continues to the execve section. If not, the script exits gracefully.

Here is an extract of the password read and compare section:


Here is an extract of the graceful exit section I added below the execve section:


I saved the changes.  The nasm with this change is here.

After compiling and linking, I checked the op code for null bytes.


I set up a netcat listener in another terminal (note: the extra-verbose switch was very helpful in confirming the connection). Then, I executed the binary.



My listener confirmed the connection.  Then I entered the correct password ("AAAAAAAA") which resulted in a remote shell.



After the successful test of the nasm, I extracted the op code from the binary with a modified objdump command.



Then, I pasted the op code into the shellcode.c template. The shellcode.c is here.
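The null-byte check, the objdump extraction and the paste into the shellcode.c template described above, as an added Python example (not the author's objdump one-liner or any course tooling): it parses `objdump -d` output, including the continuation lines objdump prints for instructions longer than seven bytes, reports the offset of every 0x00 byte, and formats the bytes as the `\x..` literal the template expects. The disassembly listing in the block is constructed for the example and is not the author's binary.

```python
import re

# Constructed sample of `objdump -d` output (not the author's binary). The
# movabs loading the "AAAAAAAA" passcode is 10 bytes, so objdump splits it
# over two lines; the mov $0x0 is there to show a null-byte hit.
SAMPLE_OBJDUMP = """
Disassembly of section .text:

0000000000400080 <_start>:
  400080:\t48 31 ff             \txor    %rdi,%rdi
  400083:\tb8 00 00 00 00       \tmov    $0x0,%eax
  400088:\t0f 05                \tsyscall
  40008a:\t48 b8 41 41 41 41 41 \tmovabs $0x4141414141414141,%rax
  400091:\t41 41 41
"""

INSN_LINE = re.compile(r"\s*[0-9a-f]+:")  # the "  400080:" address field


def extract_opcodes(objdump_text: str) -> bytes:
    """Return the instruction bytes of an `objdump -d` listing, in order.

    Continuation lines (bytes only, no mnemonic) are included, so the result
    is the exact .text image rather than the first seven bytes of each insn.
    """
    code = bytearray()
    for line in objdump_text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not INSN_LINE.fullmatch(parts[0]):
            continue  # section header, symbol label or blank line
        code += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(code)


def find_nulls(code: bytes) -> list:
    """Offsets of every 0x00 byte; an empty list means the check passed."""
    return [i for i, b in enumerate(code) if b == 0]


def to_c_string(code: bytes) -> str:
    """Format bytes as the \\x.. string literal used in the shellcode.c template."""
    return "".join(f"\\x{b:02x}" for b in code)


if __name__ == "__main__":
    code = extract_opcodes(SAMPLE_OBJDUMP)
    print(f"{len(code)} bytes, null bytes at offsets {find_nulls(code)}")
    print(to_c_string(code))
```

Run it against real output with `objdump -d ./shell | python3 this_script.py` after swapping the sample for `sys.stdin.read()`; any non-empty offset list means the assembly still needs reworking before the bytes go into the template.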


Compiling the shellcode.c with a modified gcc command was uneventful.

I executed the shellcode binary after setting up a netcat listener in another terminal.


After receiving a connection, I entered the correct password ("AAAAAAAA").  This resulted in a reverse shell.  I ran some basic linux OS commands to confirm.


I redid the above with an incorrect password, and the connection ended gracefully as intended.



It works.  Yay.


Files used in this assignment:
