Hi guys, I am trying to pass the second task in the assembly language skill assessment, and I've hit a brick wall.
In the task, I need to take the already working assembly and make shellcode from it (remove all NULs, variables, and direct addresses), and make it smaller than 50 bytes, because the attacked server has a 50-byte buffer.
I removed all NULs from this shellcode, chose the smallest register size, and fixed one line that had an error, because it tried to push text longer than the maximum register size onto the stack via this register. I fixed that by separating the text into two chunks and making two pushes.
Also, I deleted the last syscall, as the task hint said. (Do we really care about a nice exit?!)
I made 49 bytes of hex code with no NULL bytes, and got to the point where I need to run it on the attacked machine.
I had no clue how to do it, so I opened a connection with netcat (nc ip.ip.ip.ip port) and just typed it into the terminal in the opened console.
And here I hit a brick wall: “Failed to run shellcode!”. I tried other shellcodes I could find on the internet, even 29-byte ones, but again and again got this message.
A week of trying has passed, and I am in the same place.
So my questions:
Is it a valid way to send shellcode as a netcat message? I did it because it worked in one of the previous tasks, but is it a realistic scenario? I mean, shellcode is a payload that we put into attacked software, and it could not be run by itself. So the case where I was able to execute shellcode remotely via the nc console means there is some service sitting on the target machine that executes all the text it gets as shellcode. I mean, it is quite far away from a real penetration test situation. Or it is not, and netcat can run shellcodes remotely, and it is me who is far away from understanding real penetration testing.
So if I am doing all of this the correct way, how can I get more info on why I am getting this “Failed to run shellcode!”?
If I am doing it wrong, what is the right way to run shellcode on the attacked machine?
I ran nmap on this machine and there are many open ports, such as SSH, Apache, and SMTP, so in theory maybe this machine could be attacked and I could get a reverse shell. But this means there is no need for the shellcode created by the HTB team, and it has nothing to do with the task assignment as it is stated.
So I will be super thankful for any hints or advice, because I have already run out of ideas.
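Added example, not from the original post or from HTB: a small checker for the two constraints the task states (no NUL bytes, at most 50 bytes), which also shows why a textual "\x.." encoding of a payload is much longer than the raw bytes it stands for. All sample bytes are constructed for illustration.

```python
"""Sanity checks for a raw shellcode blob: length limit and forbidden bytes.

Added example (not code from the original post). The sample bytes below are
constructed for illustration and are not the poster's shellcode.
"""
import re


def parse_escaped(text: str) -> bytes:
    """Turn a "\\x31\\xc0..." style string into the raw bytes it encodes."""
    hexpairs = re.findall(r"\\x([0-9a-fA-F]{2})", text)
    return bytes(int(h, 16) for h in hexpairs)


def check_shellcode(blob: bytes, max_len: int = 50, bad: bytes = b"\x00") -> dict:
    """Report the size and the offsets of any forbidden bytes in a raw payload."""
    bad_offsets = [i for i, b in enumerate(blob) if b in bad]
    return {
        "length": len(blob),
        "fits": len(blob) <= max_len,
        "bad_offsets": bad_offsets,
        "ok": len(blob) <= max_len and not bad_offsets,
    }


def text_vs_raw(text: str) -> tuple:
    """Bytes sent if the escaped text is typed as-is, versus the raw payload size."""
    return len(text.encode()), len(parse_escaped(text))


# Constructed sample: 'mov eax, 1' encodes as b8 01 00 00 00, so the full
# 32-bit immediate drags three NUL bytes into the payload. This is the kind
# of line the post describes fixing by choosing a smaller register.
SAMPLE_WITH_NULS = b"\xb8\x01\x00\x00\x00"

# Constructed sample: the same payload written out as escaped text.
SAMPLE_ESCAPED = "\\xb8\\x01\\x00\\x00\\x00"

if __name__ == "__main__":
    print(check_shellcode(SAMPLE_WITH_NULS))
    print("text bytes vs raw bytes:", text_vs_raw(SAMPLE_ESCAPED))
```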