Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It has been written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.

Contents:

##OSCP Syllabus: https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/

##Windows Privilege Escalation: http://www.fuzzysecurity.com/tutorials/16.html https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html https://toshellandback.com/2015/11/24/ms-priv-esc/

Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.

Discussion on reddit.

$ python -m SimpleHTTPServer 8000