Attacking Common Applications - Attacking Thick Client Applications

I just clicked “Step Over” (toolbar button) somewhere between 513 and 4600 times while watching the Memory Map.

These lines here need much more clarification:
Then, we can select File -> Open and select the restart-service.exe to import it and start the debugging. Once imported, we right click inside the CPU view and Follow in Memory Map:

Checking the memory maps at this stage of the execution…

Grade of module: C-


My powershell is not working either.

What if I can’t find any MAP + RW? I’ve tried this so many times and keep ending up with the special MZ within this memory

I tried using strings on it but I get this

I stepped away from this “monster” for several months.
Did the other modules. By now I am 97% done with the pentester path.
I have the “Attacking Enterprise Modules” left to do and 4 more questions in other modules.
This question is one of the 4 that are left over to do.

No matter what I do when changing the access permissions on the Temp folder, it does not take it.

The below is the description from the module:
In order to capture the files, it is required to change the permissions of the Temp folder to disallow file deletions. To do this, we right-click the folder C:\Users\Matt\AppData\Local\Temp and under Properties -> Security -> Advanced -> cybervaca -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object -> Edit -> Show advanced permissions, we deselect the Delete subfolders and files, and Delete checkboxes.
Finally, we click OK -> Apply -> OK -> OK on the open windows

When I click apply I get the following responses.

Any help or suggestions are appreciated.

Thanks

continent

When I then click continue through all of the pop ups and look at the permission tab it looks like this.

Then I run the oracle application and also look at the content of Temp\2 it looks like below.
I never see the .bat file written into the Temp\2 directory.

Have rebooted the box many times and tried small variations of the described approach. Nothing works. Must be making some basic selection or sequence mistake.

Thanks for any help.
Continent

You are right.

When you run the “restart-oracleservice.exe” in the debugger make sure it’s the one stored in the ProgramData folder :wink:

I never found any menu “Dump to memory” in the window showing my MZ executable. It helped to mark all lines in this window and save the content via Binary->Save to a File.

I am wondering why nobody else ran into that problem but if you are stuck here, this might help.
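For anyone who saved the region the way described above (Binary->Save to a File) and is unsure whether the bytes they grabbed are the executable the module wants, the following added example (not from the module or from any poster here) scans such a saved region for every “MZ” that is backed by a real PE header, reports whether the image carries a CLR runtime header (i.e. is a .NET assembly dnSpy can open), and carves out SizeOfImage bytes. The region layout, offsets and sample bytes are constructed for the demonstration, not taken from the lab.

```python
import struct

def parse_pe_at(blob: bytes, base: int):
    """Validate an 'MZ' candidate at `base`; return a summary of its PE header, or None."""
    if base + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24                                  # optional header follows the 20-byte COFF header
    if opt_size < 96 or opt + opt_size > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)   # where the data directories start: PE32 / PE32+
    if dd_off is None:
        return None
    size_of_image = struct.unpack_from("<I", blob, opt + 56)[0]
    has_clr = (opt_size >= dd_off + 15 * 8         # directory 14 = CLR runtime header (.NET)
               and struct.unpack_from("<I", blob, opt + dd_off + 14 * 8)[0] != 0)
    return {"offset": base, "machine": machine, "sections": nsections,
            "size_of_image": size_of_image, "is_dotnet": has_clr}

def find_pe_images(blob: bytes) -> list:
    """Scan a saved memory region for every 'MZ' that is backed by a real PE header."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(blob, pos)
        if info:
            found.append(info)
        pos = blob.find(b"MZ", pos + 2)
    return found

def carve_image(blob: bytes, info: dict) -> bytes:
    """Cut SizeOfImage bytes from the dump (keeps the in-memory, section-mapped layout)."""
    return blob[info["offset"]:info["offset"] + info["size_of_image"]]

def build_sample_dump() -> bytes:
    """Constructed input: filler, a stray 'MZ' with no PE behind it, then one PE32 .NET-style image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40   # e_lfanew -> PE at +0x80
    opt_size = 96 + 16 * 8                                  # PE32 optional header, 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F000000, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 56, 0x6000)                 # SizeOfImage
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48) # CLR runtime header directory
    image = dos + b"PE\0\0" + coff + bytes(opt)
    return b"\x90" * 0x100 + b"MZ\x11\x22" + b"\0" * 0x40 + image + b"\0" * (0x6000 - len(image)) + b"\xCC" * 0x20
```

Run `find_pe_images(open("region.bin", "rb").read())` on your saved file; a hit with `is_dotnet` True is the one to hand to dnSpy. The carved bytes keep the mapped layout, so tools that insist on file layout may still need the section headers adjusted.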

You saved my life bro. I’m stuck here

I never saw restart-oracleservice.exe in the ProgramData folder. How did you get it there? I edited the tmp file and removed delete files.

Hello, I am having a hard time with this one…


I have restarted and changed the preferences but still can’t get the red arrow…

Now I get the red arrow but it never stops… I can’t click the right one… I can’t pause this…

Now I got to the dnSpy but I think I am not using the right file… I use a 3000 MAP R-W file but it does not end in the one you mentioned here… mine ends in B40000…

You need to navigate to the Main function: runas.exe->runas->Program->Main(string) to find the username and password

Have you used a PS and run the
C:\programdata\monta.ps1 to generate the restart-service.exe to the programdata folder?

I did run it but it did not generate the restart-service.exe.

Thanks man!!!

It should generate the restart-service.exe, if not try running the PS as Administrator

I’m unable to get PS to start even if I right click and click run as administrator.

Powershell did NOT work for me either after many hours of trial and error but you can do the same thing if you create a .bat file with:

@echo off
setlocal

:: Define file paths
set "input_file=C:\ProgramData\oracle.txt"
set "output_file=C:\ProgramData\restart-service.exe"

:: Decode the Base64 encoded file (certutil returns a non-zero exit code on failure)
certutil -decode "%input_file%" "%output_file%"
if errorlevel 1 (
    echo Decode failed: check that %input_file% exists and contains only Base64 text
    exit /b 1
)

echo Decoded and written to %output_file%

:: Clean up any leftover certutil output file, if one was created
if exist "%input_file%.bak" del /F /Q "%input_file%.bak"

endlocal