muwa00 MUWASEC

@Abyss-W4tcher
Abyss-W4tcher / AArch64_Android_emulation_and_kernel_cross-compilation.md
Last active August 10, 2025 23:26
AArch64 Android emulation and kernel cross-compilation

The following assumes you are using an AArch64 host.

Android SDK installation

Set up the SDK and emulator:

# https://developer.android.com/studio/index.html#command-line-tools-only
sudo apt-get install unzip openjdk-17-jdk gradle -y
@monoxgas
monoxgas / urbandoor.cs
Created April 10, 2023 22:58
Minimal PoC code for Kerberos Unlock LPE (CVE-2023-21817)
using NtApiDotNet;
using NtApiDotNet.Ndr.Marshal;
using NtApiDotNet.Win32;
using NtApiDotNet.Win32.Rpc.Transport;
using NtApiDotNet.Win32.Security.Authentication;
using NtApiDotNet.Win32.Security.Authentication.Kerberos;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
using NtApiDotNet.Win32.Security.Authentication.Logon;
using System;
@LuemmelSec
LuemmelSec / GBC.ps1
Last active July 9, 2025 06:07
Give Back Control over Windows functions script
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
function Show-Menu {
Clear-Host
Write-Host "======================================================"
Write-Host "================ Give Back Control ================"
Write-Host "======================================================"
if($elevated -eq $true){
Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green
Write-Host "We have superpowers. Ready to continue."
@Roarcannotprogramming
Roarcannotprogramming / banzi.c
Created November 9, 2022 16:35
EXP for NU1L CTF 2022 praymoon
#include "banzi.h"
/*
 * Occupy pages via sockets
 * https://www.willsroot.io/2022/08/reviving-exploits-against-cred-struct.html
 * Requires CONFIG_USER_NS=y to be enabled in the kernel (enabled by default)
*/
void unshare_setup(uid_t uid, gid_t gid) {
int temp;
@mpgn
mpgn / Scrambled vs NetExec .md
Last active July 12, 2025 01:40
Scrambled vs NetExec for fun and profit by @mpgn_x64

Scrambled vs NetExec

Let's pwn the box Scrambled from HackTheBox using only NetExec! For context, I was reading the Scrambled writeup from 0xdf_ when I read this:

smbclient won’t work, and I wasn’t able to get crackmapexec to work either.

To be fair, at the time of his writeup it was true, but not anymore and it's pretty simple with NXC, 5 minutes and you get root :)

Note: I will pass over the web part where we get one username: ksimpson

#!/bin/bash
# Decompress a .cpio.gz packed file system
rm -rf ./initramfs && mkdir initramfs
pushd . && pushd initramfs
cp ../initramfs.cpio.gz .
gzip -dc initramfs.cpio.gz | cpio -idm &>/dev/null && rm initramfs.cpio.gz
popd
@r00t-3xp10it
r00t-3xp10it / GetCounterMeasures.ps1
Last active July 20, 2024 23:05
List common security processes running!
<#
.SYNOPSIS
List common security processes running!
Author: @r00t-3xp10it (ssa redteam)
Tested Under: Windows 10 (19043) x64 bits
Required Dependencies: Get-WmiObject, Get-Process {native}
Optional Dependencies: Get-MpPreference, Get-ChildItem {native}
PS cmdlet Dev version: v2.3.18
@mate-h
mate-h / python-reverse-engineering.md
Last active January 1, 2025 21:22
Reverse Engineering Python executable

Reverse engineering

Obtained binaries from Discord server. The download link: https://drive.google.com/file/d/1xPP9R2VKmJ9jwNY_1xf1sVVHlxZIsLcg

Basic information about binaries. There are two main versions of the program in question: aimful-kucoin.exe and aimful-binance.exe. They are both Windows executables. From the FAQ section of the discord server, the following information is available:

In what language was this bot written?

  • Python.
@rqu1
rqu1 / aes.bf
Last active December 19, 2024 06:25
AES-128 in Brainfuck
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
@GitHub30
GitHub30 / decryptchromecookies.py
Last active May 24, 2025 11:19
Simple Decrypt Chrome/Firefox Cookies File (Python 3) - Windows
import sqlite3
def get_chrome_cookies(db=None):
    import json
    from base64 import b64decode
    from win32.win32crypt import CryptUnprotectData # pip install pywin32
    # should use Cryptodome in windows instead of Crypto
    # otherwise will raise an import error
    from Cryptodome.Cipher.AES import new, MODE_GCM # pip install pycryptodomex