TryHackMe — Brainstorm

Let’s try crack this room with some disclaimer that I am writing this while hacking the room at the same time, so I might not explain everything in detail nor have time to check my grammar and spelling.

I stumbled upon this room because I was currently studying buffer overflows and read some good feedbacks on how I can test my BOF skills here. Our target can be found inside tryhackme site.

First, let’s spawn the machine and try to scan it using nmap.

1. Scanning all TCP ports open.

nmap -p- -Pn -T4 -oA nmap/allPorts 10.10.245.13

So, we got 3 ports open, let’s try to do a more detailed “version scanning” on it.

2. Version Scanning.

nmap -Pn -sV -sC -p 21,3389,9999 -T4 -oA nmap/versionScan 10.10.245.13

ENUMERATION

So, we got 3 ports open 21 for FTP, 3389 for RDP and abyss? application port 9999.

PORT 21

anonymous login on FTP port 21

Enumerating inside port 21 and downloading files inside.

So, on port 21, we have found that anonymous login is allowed and we are able to get all files inside the chatserver directory. Let’s leave it for now and proceed with other ports open.

PORT 3389

Since we don’t have any credentials yet that we can possibly use, we are not able to perform further enumeration on RDP port 3389

PORT 9999

nc 10.10.245.13 9999

So, we have a chat application? running on port 9999, and we got some .dll and .exe files from port 21. It seems to me that we got the source program and we can perform a buffer overflow against the files we got on port 21 to craft a script that we will ultimately use against port 9999.

Buffer Overflow

Let’s transfer the files we got from port 21 to Windows OS we built to test buffer overflow.

copying files out of kali machine.

Moving files to test machine.

So, if we’re going back to our enumeration of port 9999, we saw when we enter characters more than 20 on username fields, it cuts it back to 20 characters, however, the message part seems to be vulnerable to an bufferoverflow attack. We will figure it out.

FUZZING

Upon checking the behavior of the application, we need to write a script that will send a username and will fuzz the message input.

trying to send a lot of A’s in message input

After checking our test machine, the application crashed, strong indication that we can perform a buffer overflow attack against the machine.

I wrote a python script that sends username and will loop on the message input to fuzz until application crash, after which it will send us what or how many bytes was sent before the application crashed.

fuzzing script using python

So now, let’s run the script against our test machine running the target application. As we can see, we got different result but more or less it crashed around 1800 to 1900 bytes.

fuzzing the target application

Going back to our test machine, we ran Immunity Debugger and load the target, let’s pay attention to the EIP where it was filled for 41’s, 41 is hex of letter A, meaning we have successfully overwritten the EIP which is the crucial part of this buffer overflow.

EIP overwritten by hex of A

I actually made a checklist based on my study, a step by step guide in performing windows stack-based buffer overflow.

My checklist…

Since we fuzz around 1800 bytes, let’s create a unique pattern using the pattern_create.rb script from metasploit, copy the output and put it on our script.

creatinga unique patter with 2200 in length

We have tweaked our script a little bit, instead of looping, we will send the 2200 bytes of payload to our target all at once.

After we crashed the application again, we now go to our test machine to search for the exact point before we overwrite the EIP. In order to do this, we can using mona with the command of the screenshot below.

!mona findmsp -distance 2200

If we’re going to look closelym we can see the EIP offset was at 2012, meaning this is the start of offset before EIP was overwritten. So in order to prove that, we will going to send 2012 bytes of A, followed by ‘BBBB’ which translate to ‘42’ in hex.

tweaking the script a little bit.

After we ran the script again, we can see that the EIP was overwritten by 42s meaning that we now control the EIP, we just need to find bad chars, create payload and look for jump point. Let’s do that step by step.

FINDING BAD CHARS

Bad chars are characters that will make the application crash when executed, meaning before we could exploit the machine, the application will crash first making it difficult to exploit.

Let’s now generate characters in hex except for “\x00” which is a null byte, all programs avoids null byte.

!mona bytearray -b “\x00”

Let’s copy the generated characters to our script, we need to tweak our script a little bit again.

So after we send all the character’s to our target applicaiton, we now search for badchars, we will going to dump the ESP memory and check in which character the ESP acted up, however, we can execute a mona script that will compare our bytearray against ESP’s.

This step was included in my script in details, and how we need to repeat the process until we got all the exact bad chars.

Fortunately for us, we only got the null byte “\x00” as the bad chars, we expect the unmodified response of applicaiton, meaning the application executed all our test characters without any probelm.

After finding the bad char/s, we then now look for a jump point, a jump point that do not execute our listed bad chars. We are looking for ASLR = False on the result or much better if everything is false.

!mona jmp -r esp -cpb “\x00”

After we have chosen our jump point, we need to actually write it in hex format in reverse, this is called something like “little endian” formatting where the bytes were in order from higher to lower byte.

Meaning that if we chose 0x625014df, we will rewrite it on our script as “\xdf\14\x50\x62”, look closely and compare to see the difference and pattern.

GENERATING PAYLOAD

We will now generate our payload using msfvenom, the output of the command will be our payload in our script.

Note of the correct IP usage for LHOST.

We now copy the generated code and put it on our script

IP used was for my private network with my attack and test machine.

Let’s try to tweak again our script and should look like the screenshot below.

copying the jump point and payload to script

Creating a padding with NOP byte “\x90” and sending it all to our target machine.

So we now set up our listener according to the port we defined in msfvenom, then we execute our script against our target machine.

AND WE GOT A SHELL!

Checking our privilege, we are already system, meaning we have the highest level permission possible.

Collecting our prizes

Room was fairly easy after we have studied the buffer overflow and did some exercises, I would suggest to study BOFs by TCM and Tibsec first before diving into this kind of BOFs.

The challenge was to create a script for exploit and finding the EIP. It was a fun box and solidified my knowledge about windows buffer overflows.

P.S

My Kali is acting up on me, I freezes when I set my desktop to GNOME, I had unzip my kali several times and I wasted a lot of time setting up my kali again.

I got my image from offsec and running on VMWare. Who else got the same dilemma and what is your workaround? Let me know on your comment below.