Introduction

One of the best ways to learn and hone IT skills where you would otherwise need to have hands on experience, is by testing out or implementing cool technologies like these in a homelab.

Remember that old Catch-22?

• How can I get the job without any experience?
• How can I get any experience without the job?

A Homelab helps with that.

Requirements

You will need to have at least one of the following Virtual Machine providers:
Virtualbox, Hyper-V, ESXI, or VMWARE.

For the purposes of this lab deployment I will be utilizing the Vagrant plugin for the VMWare provider, however the same or similar steps can still be followed if you use different providers. If you would like to do the same, but for ESXI I recommend you check out this awesome walk through by Darthsidious on building a lab.

If you're interested in having a Virtual Network Customization feature, creating VM clones, or creating snapshots among other awesome features then a VMWare or ESXI provider should be the way to go.

Don't have the money for VMWare Workstation Pro?
You can try evaluation version for 30 days for VMWare Workstation Pro.

Final Lab Map - Sneak Preview

_{I made this diagram with with the Draw.io tool for Desktop}

Setup Steps

To get started we will need to prep an ISO to be ready for a deployment with Vagrant.

Packer helps us automate some of that tiresome process of preparing images into VMs ready for Vagrant installation.

1. Download Chocolatey

   Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))```
   

2. Install Git via Chocolatey (if you don't already have it)
   cinst git
3. Install Vagrant via Chocolatey
   cinst vagrant
4. Install packer via Chocolatey
   cinst packer -y
5. Create a directory for packer boxes
   cmd /k "mkdir C:\Packer && cd C:\Packer"

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

cinst git -y

cinst vagrant -y

cinst packer -y

cmd /k "mkdir C:\Packer && cd C:\Packer"

Packer by HashiCorp

The VMware Packer builder is able to create VMware virtual machines for usewith any VMware product.

Packer by HashiCorp

The VMware Packer builder by Hashicorp

The VMware Packer builder is able to create VMware virtual machines for use with any VMware product.

Packer supports the following VMware builders:

• vmware-iso - Starts from an ISO file, creates a brand new VMware VM, installs an OS, provisions software within the OS, then exports that machine to create an image. This is best for people who want to start from scratch.

• vmware-vmx - This builder imports an existing VMware machine (from a VMX file), runs provisioners on top of that VM, and exports that machine to create an image. This is best if you have an existing VMware VM you want to use as the source. As an additional benefit, you can feed the artifact of this builder back into Packer to iterate on a machine.

packer plugins install github.com/hashicorp/vmware

Preparing our VMDKs for Packer Builder

To prepare the VMDKs we will...

^{You can download a copy of the vmware-vdiskmanager for windows or linux to do this by command line. I also provide the required files (and the missing DLLs) on my Google Drive.}

1. Open the settings for the VM
2. Select Hard Disk
3. Click Defragment
4. Click Compact
5. Compress the VMDK directory with the command below

cd /path/to/my/vm.directory/
tar cvzf custom.box ./*

^{The files that are strictly required for a VMware machine to function are: nvram, vmsd, vmx, vmxf, and vmdk files.}

More details on preparing VMDKs for .BOX format can be found below...

Vagrant by HashiCorp

As with every Vagrant provider, the Vagrant VMware providers have a custom boxformat.

Vagrant by HashiCorp

Create a JSON in the packer directory for your VM

{
  "builders": [
    {
	  "type": "vmware-vmx",
	  "source_path": "C:/Users/Administrator/Documents/vm_storage/FlareVM/FlareVM.vmx",
	  "ssh_username": "user",
	  "ssh_password": "password",
	  "shutdown_command": "shutdown -s -t 0"
	}
  ]
}

Convert the JSON to a .PKR.HCL with the following commands and build it

packer hcl2_upgrade build_flarevm.pkr.json
packer build build_flarevm.pkr.json.pkr.hcl

Creating custom Discord selfbots when Discord's webhooks aren't enough.

My Inspiration

Like most of the small projects I get ideas for, this one came to me when I was bored and wanted to know if I could send a friend a message on Discord or Slack using a simple device like a Raspberry Pi.

My friends often have tech troubles and since we usually communicate over Discord or Slack. I figured it would make my life a little bit easier if I can just have them run a script and it will automatically send the results back to me through our DMs to help troubleshoot their issues.

Webhooks

This is generally the go to option if you are okay with performing smaller requests and tasks. Webhooks are quite easy to set up, but hamper the amount of control you have over your bot. Methods that use the API are favored and abide by the TOS, so if you like to live safely then this is the option for you.

See the Userbots section for more info on Discords TOS.

For instructions on creating Webhooks you can find the docs below:

• https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks

Python

import requests
import json

if __name__ == '__main__':

    wekbook_url = 'https://discordapp.com/api/webhooks/.../'

    data = {
        'text': 'A message sent with the power of Python in Discord.'
    }

    response = requests.post(wekbook_url, data=json.dumps(
        data), headers={'Content-Type': 'application/json'})

    print('Response: ' + str(response.text))
    print('Response code: ' + str(response.status_code))

import requests
import json

if __name__ == '__main__':

    wekbook_url = 'https://hooks.slack.com/services/{API_GUID}'

    data = {
    	'icon_emoji' = ':ghost:',
        'text': 'A message sent with the power of Python in Slack.',
        'username': 'Python Bot',
        'icon_emoji': ':robot_face:'
    }

    response = requests.post(wekbook_url, data=json.dumps(
        data), headers={'Content-Type': 'application/json'})

    print('Response: ' + str(response.text))
    print('Response code: ' + str(response.status_code))

Userbots

This method is if you want more power over what your bot can do, for example with Slack you are unable to directly mention someone when using Webhooks. However a word of warning, you can be banned for using userbots as it is explicitly against the TOS (at least for Discord).

Terms of Service | Discord

Read about Discord’s Terms of Service.

Discord

API Reference

For Discord it is likely safer to strictly use the requests module, as Discord says you will be banned for logging in with your user account (through their module/api).

Which is why I will be using the selfbot repo Zenon.

Finding your Discord Auth token:

1. Open the Discord App
2. Press Ctrl+Shift+I (to open Chromium dev tools)
3. Navigate to the Application Tab -> Storage -> Local Storage -> Discord.com
4. In the filter bar type: "token" without quotes
5. Press Ctrl+R (refresh Discord for the token to appear)
6. Finally highlight to copy and retrieve your token.

Install dependencies

pip3 install requests, unidecode

Here we define a few functions allowing our bot to wait for a command in your chat channel of choice and respond with a custom message, that can optionally include their username (unicode formatted).

import requests
import random
import time
from unidecode import unidecode


token = "your-token-here"
discord = "https://discordapp.com/api/v6/"
chatid = 795743570995839018

def send_message(chatid, content, proxy=None): # it can also be use as a private message
    return requests.post(discord + "channels/" + str(chatid) + "/messages#", proxies=proxy, data={"content":str(content), "nonce":str(random.randint(10000000, 99999999))}, headers={"Authorization":token}).text
	
def get_message(chatid, proxy=None):
    res = requests.get(discord + "channels/" + str(chatid) + "/messages?limit=1", proxies=proxy, headers={"Authorization":token}).text
    try:
        content = res.split('"content": "')[1].split('"')[0]
    except IndexError as e:
        content = res.split('"message": "')[1].split('"')[0],res.split('"retry_after": ')[-1].split("\n")[0]
    return content

def get_author_id(chatid, proxy=None):
    res = requests.get(discord + "channels/" + str(chatid) + "/messages?limit=1", proxies=proxy, headers={"Authorization":token}).text
    return res.split('"author":')[1].split('"id": "')[1].split('"')[0]

if __name__ == "__main__":
    while True:
        time.sleep(0.05) # To not spam the server
        message = get_message(chatid)
        if message == "!yobot":
            send_message(chatid, f"How may I help you <@{get_author_id(chatid)}>?")
        elif message[0] == "You are being rate limited.":
            print(f"Waiting off the rate limit for {int(message[1])/1000}s")
            time.sleep(int(message[1])/1000)

Prebuilt request functions

If you prefer to use a repo that already has prebuilt functions the Zenon repo on GitHub has a decent amount of predefined function to get you started.

Please stay tuned for updates and part 2!

This is a bold claim considering how much Python is used for writing exploits, however as we compare the output of some shellcode produced from both Perl and Python, you will see why Perl can be the better choice in most scenarios, or at least more straightforward.

Two potential solutions in Python3

$ uname -sp
Linux x86_64

#!/usr/bin/env python3

# Equivalent to running: execve /bin/sh
shellcode =  "\x31\xc0\x50\x68\x2f\x2f\x73"
shellcode += "\x68\x68\x2f\x62\x69\x6e\x89"
shellcode += "\xe3\x89\xc1\x89\xc2\xb0\x0b"
shellcode += "\xcd\x80\x31\xc0\x40\xcd\x80"

print(shellcode)

Piping the Python shellcode output to a file works most of the time; however, when we attempt to write the shellcode straight to a file or binary, we run into some more issues (examples below).

#!/usr/bin/env python3

# Equivalent to running: execve /bin/sh
shellcode =  b"\x31\xc0\x50\x68\x2f\x2f\x73"
shellcode += b"\x68\x68\x2f\x62\x69\x6e\x89"
shellcode += b"\xe3\x89\xc1\x89\xc2\xb0\x0b"
shellcode += b"\xcd\x80\x31\xc0\x40\xcd\x80"

with open('python_shellcode2.bin', 'wb') as f:
	f.write(shellcode)

Let's compare the two

$ python3 execve_binsh_shellcode.py > python_shellcode1.bin
$ python3 execve_binsh_shellcode2.py
$ cat python_shellcode1.bin
1ÀPh//shh/bin‰ã‰Á‰Â°♂Í€1À@Í€
$
$ cat python_shellcode2.bin
1└Ph//shh/binëπë┴ë┬░♂═Ç1└@═Ç

Comparing the outputs, it's obvious that something is a little bit off...

However, it isn't immediately clear what went wrong until we compare the differences between the two using xxd.

$ xxd python_shellcode1.bin
00000000: 31c3 8050 682f 2f73 6868 2f62 696e c289  1..Ph//shh/bin..
00000010: c3a3 c289 c381 c289 c382 c2b0 0bc3 8dc2  ................
00000020: 8031 c380 40c3 8dc2 800a                 .1..@.....

$ xxd python_shellcode2.bin
00000000: 31c0 5068 2f2f 7368 682f 6269 6e89 e389  1.Ph//shh/bin...
00000010: c189 c2b0 0bcd 8031 c040 cd80            .......1.@..

It seems like Python is replacing \x80 and possibly some other bytes it doesn't like.

\x31\xc0\x50\x68\x2f\x2f\x73
\x68\x68\x2f\x62\x69\x6e\x89
\xe3\x89\xc1\x89\xc2\xb0\x0b
\xcd\x80\x31\xc0\x40\xcd\x80

Looking at the original shellcode we want, it is clear that we are getting some extra and undesired bytes in our output.

Okay...Well, how does Perl perform then?

A safer and more straightforward approach

perl -e 'print("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80")' | xxd

00000000: 31c0 5068 2f2f 7368 682f 6269 6e89 e389  1.Ph//shh/bin...
00000010: c189 c2b0 0bcd 8031 c040 cd80            .......1.@..

Awesome!!! Now we're ready to start writing some exploits. I will continue where we left off and demonstrate how we can drop some shells using Perl and a little bit of disassembly in a future post, subscribe to my blog so you don't miss it!

Happy hacking! -Kal

Breaking it down

These two functions take two IP addresses from a string and splits them into four octets, then it converts the octets to a packed IP/integer (octet value * 256^octet) and sums the values to return how many host addresses are available between the two.

def ips_between(start, end):
    end_octets = [ int(octet) for octet in end.split(".") ] # Making binary octets from the strings
    start_octets = [ int(octet) for octet in start.split(".") ]
    return ip_to_packed_int(end_octets) - ip_to_packed_int(start_octets)


def ip_to_packed_int(bin_octets: list)->int:
    packed_ip = []
    power = 3
    for i in bin_octets:
        packed_ip.append((int(i) * (256 ** power)))
        power -= 1
    return sum(packed_ip)

Here is an example of some Python code to convert IP addresses to their Packed (integer) form. Addresses in their packed form are useful when you need to calculate the first host, last host, or subnet addresses.

192.168.1.0
255.0.0.0
255.255.255.255
0.0.0.1
0.0.0.255

#!/usr/bin/env python3


with open("addresses.txt", "r") as f:
        addresses = filter(None, f.read().split("\n"))


def ip_to_int32(ip):
        packed_int = [int(ip.split(".")[0]) << 24, int(ip.split(".")[1]) \
        << 16, int(ip.split(".")[2]) << 8, int(ip.split(".")[3])]
        return sum(packed_int)


for address in addresses:
        packed_ip = ip_to_int32(ip=address)
        print(packed_ip)

chmod +x ip_to_int.py
python3 ip_to_int.py

This was done through Prism.js