tommelo / lnk2pwn

Malicious Shortcut(.lnk) Generator
MIT License

not working with current wine #2

Closed r3k2 closed 5 years ago

r3k2 commented 5 years ago

Hello, I'm having this problem on BlackArch:

python2.7 ./lnk2pwn.py -c config.json -o ~/hackthebox/10.10.10.106/files/privscalation/lnk2pwn/

                 ,-*
                (_).lnk
           -----------------
               <lnk2pwn>

    Malicious Shortcut(.lnk) Generator

                             [tommelo]
                                v1.0.0

[+] Checking wine installation
[+] wine status: OK
[+] Setting up the workspace
[+] Creating the output folder
[+] Generating the shortcut
0025:err:ntoskrnl:IoCreateDriver failed to insert driver L"\\Driver\\WineHID" in tree
0025:err:ntoskrnl:IoCreateDriver failed to insert driver L"\\Driver\\WineHID" in tree
0025:err:ntoskrnl:IoCreateDriver failed to insert driver L"\\Driver\\WineHID" in tree
0025:err:ntoskrnl:IoCreateDriver failed to insert driver L"\\Driver\\WineHID" in tree
0025:err:ntoskrnl:IoCreateDriver failed to insert driver L"\\Driver\\WineHID" in tree
0025:err:ntoskrnl:IoCreateDriver failed to insert driver L"\\Driver\\WineHID" in tree
0038:fixme:ver:GetCurrentPackageId (0x33fe24 (nil)): stub
0038:fixme:msvcrt:__clean_type_info_names_internal (0x1e2709b0) stub
0009:fixme:ver:GetCurrentPackageId (0x33fe24 (nil)): stub
[+] Renaming .lnk to a fake extension: .txt
[+] Generating the UAC bypass VBScript
[+] Moving files to the output folder
Traceback (most recent call last):
  File "./lnk2pwn.py", line 126, in <module>
    main(cli_args)
  File "./lnk2pwn.py", line 101, in main
    executor.execute(args)
  File "/home/rek2/hackthebox/10.10.10.106/files/privscalation/lnk2pwn/cmd/generatecmd.py", line 240, in execute
    self.delegate(args, json_config=json_config)
  File "/home/rek2/hackthebox/10.10.10.106/files/privscalation/lnk2pwn/cmd/command.py", line 113, in delegate
    self.handler(args, kwargs)
  File "/home/rek2/hackthebox/10.10.10.106/files/privscalation/lnk2pwn/cmd/generatecmd.py", line 189, in __generate
    os.rename(tmp_lnk_rtlo, lnk_file)
OSError: [Errno 18] Invalid cross-device lin

I also tried with the Steam wine version, changing the env $PATH, but same result.

[ blackarch lnk2pwn ]$ wine --version
wine-3.19
[ blackarch lnk2pwn ]$ uname -a
Linux rek2system 4.18.16-arch1-1-ARCH #1 SMP PREEMPT Sat Oct 20 22:06:45 UTC 2018 x86_64 GNU/Linux

tommelo commented 5 years ago

Hey @ReK2Fernandez, thanks for reporting this issue! Yeah, depending on wine wasn't a good solution when I started developing this tool; I've seen some other users reporting issues with wine in different Linux distros.

I'm currently working on a C version of this tool to remove the wine dependency. Meanwhile, would you mind testing the script using a Kali Linux VM?

By the way, I'm not sure if this tool is going to help you privesc a hackthebox machine, though. Bypassing the UAC using the trusted binary "fodhelper" only works if the logged-in user is part of the admins group.

Let me know if you can get this to work using a Kali Linux VM and also if the privesc works using lnk2pwn.

r3k2 commented 5 years ago

Hello @tommelo, thanks. I ended up writing my own using golang, with win32/com libs etc., and that worked for what I needed. This was for a horizontal escalation, not vertical, so I really did not need that part, only the part to run something. If I had used yours I would probably have commented out that piece. Thanks for the response; maybe next time, if you have a C version with more options, I will add it to my go-to tools. Thanks.
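
The log in the first post shows the generated .lnk being renamed to a fake .txt extension, and the traceback names a variable `tmp_lnk_rtlo`. A defender-side check for such filenames follows, added here as an example that is not part of the thread or of lnk2pwn. It assumes `rtlo` refers to the Unicode right-to-left override (U+202E); the function names and sample filenames are constructed for illustration.

```python
import os
import unicodedata

# Bidirectional control characters that change how a filename is displayed
# without changing the stored name the OS acts on.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

def inspect_name(name):
    """Return a finding dict if `name` contains bidi controls, else None."""
    found = [ch for ch in name if ch in BIDI_CONTROLS]
    if not found:
        return None
    # The real extension is whatever follows the last dot in stored order,
    # regardless of how a bidi-aware file manager renders the name.
    _, dot, ext = name.rpartition(".")
    ext = ext.lower() if dot else ""
    return {
        "name_escaped": name.encode("unicode_escape").decode("ascii"),
        "controls": sorted({unicodedata.name(ch) for ch in found}),
        "real_extension": ext,
        "is_shortcut": ext == "lnk",
    }

def scan_names(names):
    """Inspect an iterable of filenames; shortcut findings are listed first."""
    findings = [f for f in map(inspect_name, names) if f]
    return sorted(findings, key=lambda f: not f["is_shortcut"])

def scan_tree(root):
    """Walk a directory tree and yield (directory, finding) pairs."""
    for dirpath, _dirs, files in os.walk(root):
        for finding in scan_names(files):
            yield dirpath, finding

# Constructed sample filenames (not taken from the thread).
CONSTRUCTED_NAMES = [
    "notes.txt",               # ordinary file, no finding
    "setup.lnk",               # ordinary shortcut, no bidi control, no finding
    "report\u202etxt.lnk",     # renders with a .txt-looking tail, really .lnk
    "notes\u202ecod.txt",      # bidi control present, but not a shortcut
]

if __name__ == "__main__":
    for f in scan_names(CONSTRUCTED_NAMES):
        print(f["name_escaped"], f["controls"], "real ext:", f["real_extension"])
```

`scan_tree` can be pointed at a download or mail-attachment directory; the escaped name in each finding shows the stored character order rather than the rendered one.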