Buffer Overflow, CTF Walkthroughs, Guides, Stack Buffer Overflow, TryHackMe

TryHackMe – Buffer Overflow Prep Walkthrough

June 10, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This room is part of the TryHackMe Offensive Security path and it aims to teach or consolidate stack buffer overflow exploitation skills for students aspiring to take on the OSCP certification exam.

OVERFLOW1

Starting immunity Debugger:

Selecting the oscp executable:

Running the application with F9:

Testing the connection using Netcat:

Configuring Mona’s working folder

Creating a simple Python fuzzer script to cause the application crash:

Running the fuzzer, the script stopped at 2000 bytes:

The application crashed with an access violation error:

Creating the initial Python exploit:

Creating pattern of 2400 bytes to identify the offset:

Adding it to the script:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed, running Mona command to find EIP offset, it is 1978:

Updating the offset accordingly and retn with 4 B characters, to ensure EIP can be overwritten:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed and EIP was successfully overwritten with the B characters:

Generating a byte array with Mona to identify bad characters:

Creating a script to generate a list of possible characters to find the bad ones:

Running the script:

Updating the payload variable with bad characters:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed – ESP is overwritten with 0187FA30:

Running a command in Mona to do a memory comparison and find bad chars, they are 00,07,08,2e,2f,a0 and a1:

After trying each character this is what the bad characters look like, this is because often bad chars corrupt the next one too:

Generating a new byte array in Mona excluding the bad characters:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed – ESP is overwritten with 017dfa30:

No bad characters appeared this time – this means that 00,07,2e and a0 need to be removed

Finding valid JMP ESP instructions using Mona:

Searching for the first one to ensure it belongs to a JMP ESP instruction:

It appears this is the case:

Updating the script with the return address of the JMP ESP instruction:

The next step is to generate some shellcode using MSFvenom with the following flags:

  • -p to specify the payload type, in this case, the Windows Reverse TCP Shell
  • LHOST to specify the localhost IP address to connect to
  • LPORT to specify the local port to connect t
  • -f to specify the format
  • -b to specify the bad characters
  • -v to specify the name of the variable used for the shellcode

Updating the script with the shellcode, along with 10 NOP slides at the beginning of it to avoid errors during the decoding phase:

Starting the application again without the debugger:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Executing the script – received a callback on the Netcat listener and a reverse shell as the admin user:

From this point on, the walkthrough will onlyl include the offse and bad characters parts of the process, for brevity.

OVERFLOW2

Restarting Immunity and re-attaching the vulnerable app:

Updating the fuzzer to use the OVERFLOW2 command:

Running the fuzzer, the script stopped at 700 bytes:

The application crashed with an access violation error:

Creating pattern of 1100 bytes to identify the offset:

Adding it to the script:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed, running Mona command to find EIP offset, it is 634:

Running the script to generate a list of characters:

Updating offset and payload variable with bad characters:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed – ESP is overwritten with 019bfa30:

Generating a byte array with Mona to identify bad characters:

Running a command in Mona to do a memory comparison and find bad chars, they are 00,23,3c,83 and ba:

OVERFLOW3

Restarting Immunity and re-attaching the vulnerable app:

Updating the fuzzer to use the OVERFLOW3 command:

Running the fuzzer, the script stopped at 1300 bytes:

The application crashed with an access violation error:

Creating pattern of 1300 bytes to identify the offset:

Adding it to the script:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed, running Mona command to find EIP offset, it is 1274:

Running the script to generate a list of characters:

Updating offset and payload variable with bad characters:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed – ESP is overwritten with 0185fa30:

Running a command in Mona to do a memory comparison and find bad chars, they are 00,11,40,5f,b8 and ee:

OVERFLOW4

Restarting Immunity and re-attaching the vulnerable app:

Updating the fuzzer to use the OVERFLOW4 command:

Running the fuzzer, the script stopped at 2100bytes:

The application crashed with an access violation error:

Creating pattern of 2100 bytes to identify the offset:

Adding it to the script:

Executing the script:

The application crashed, running Mona command to find EIP offset, it is 2026:

Running the script to generate a list of characters:

Updating offset and payload variable with bad characters:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed – ESP is overwritten with 01bafa30:

Generating a byte array with Mona to identify bad characters:

Running a command in Mona to do a memory comparison and find bad chars, they are x00,xa9,xcd and xd4:

OVERFLOW5

Restarting Immunity and re-attaching the vulnerable app:

Updating the fuzzer to use the OVERFLOW5 command:

Running the fuzzer, the script stopped at 400 bytes:

The application crashed with an access violation error:

Creating pattern of 400 bytes to identify the offset:

Adding it to the script:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed, running Mona command to find EIP offset, it is 314:

Running the script to generate a list of characters:

Updating offset and payload variable with bad characters:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed – ESP is overwritten with 019afa30:

Generating a byte array with Mona to identify bad characters:

Running a command in Mona to do a memory comparison and find bad chars, they are 00,16,2f,f4, and xfd:

OVERFLOW6

Restarting Immunity and re-attaching the vulnerable app:

Updating the fuzzer to use the OVERFLOW6 command:

Running the fuzzer, the script stopped at 1100 bytes:

The application crashed with an access violation error:

Creating pattern of 1200 bytes to identify the offset:

Adding it to the script:

Executing the script:

The application crashed, running Mona command to find EIP offset, it is 1034:

Restarting Immunity and re-attaching the vulnerable app:

Running the script to generate a list of characters:

Updating offset and payload variable with bad characters:

Executing the script:

The application crashed – ESP is overwritten with 0187fa30:

Generating a byte array with Mona to identify bad characters:

Running a command in Mona to do a memory comparison and find bad chars, they are 00,08,2c, and ad:

OVERFLOW7

Restarting Immunity and re-attaching the vulnerable app:

Updating the fuzzer to use the OVERFLOW7 command:

Running the fuzzer, the script stopped at 1300 bytes:

The application crashed with an access violation error:

Creating pattern of 1700 bytes to identify the offset:

Adding it to the script:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed, running Mona command to find EIP offset, it is 1306:

Restarting Immunity and re-attaching the vulnerable app:

Running the script to generate a list of characters:

Updating offset and payload variable with bad characters:

Executing the script:

The application crashed – ESP is overwritten with 01a6fa30:

Generating a byte array with Mona to identify bad characters:

Running a command in Mona to do a memory comparison and find bad chars, they are 00,8c,ae,be and fb:

OVERFLOW8

Restarting Immunity and re-attaching the vulnerable app:

Updating the fuzzer to use the OVERFLOW8 command:

Running the fuzzer, the script stopped at 1800 bytes:

The application crashed with an access violation error:

Creating pattern of 1800 bytes to identify the offset:

Adding it to the script:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed, running Mona command to find EIP offset, it is 1786:

Restarting Immunity and re-attaching the vulnerable app:

Running the script to generate a list of characters:

Updating offset and payload variable with bad characters:

Executing the script:

The application crashed – ESP is overwritten with 0199fa30:

Generating a byte array with Mona to identify bad characters:

Running a command in Mona to do a memory comparison and find bad chars, they are 00,1d,2e,c7 and ee:

OVERFLOW9

Restarting Immunity and re-attaching the vulnerable app:

Updating the fuzzer to use the OVERFLOW9 command:

Running the fuzzer, the script stopped at 1600 bytes:

The application crashed with an access violation error:

Creating pattern of 1600 bytes to identify the offset:

Adding it to the script:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed, running Mona command to find EIP offset, it is 1514:

Restarting Immunity and re-attaching the vulnerable app:

Running the script to generate a list of characters:

Updating offset and payload variable with bad characters:

Executing the script:

The application crashed – ESP is overwritten with 018bfa30:

Generating a byte array with Mona to identify bad characters:

OVERFLOW10

Restarting Immunity and re-attaching the vulnerable app:

Updating the fuzzer to use the OVERFLOW10 command:

Running the fuzzer, the script stopped at 600 bytes:

The application crashed with an access violation error:

Creating pattern of 600 bytes to identify the offset:

Adding it to the script:

Restarting Immunity and re-attaching the vulnerable app:

Executing the script:

The application crashed, running Mona command to find EIP offset, it is 537:

Restarting Immunity and re-attaching the vulnerable app:

Running the script to generate a list of characters:

Updating offset and payload variable with bad characters:

Executing the script:

The application crashed – ESP is overwritten with 019ffa30:

Generating a byte array with Mona to identify bad characters:

Running a command in Mona to do a memory comparison and find bad chars, they are 00,a0,ad,be,de and ef:

Conclusion

Although the techniques and commands used in this rooom are slightly different to what students would learn in the PwK course, it is definitelyl a great resource for learning stack buffer overflow exploiitation and it gives a lot of chance to hone this skill and ace the OSCP exam.