Next, I sent a message of 1,000 'A' which didn't crash the server but when I sent one with a length of 10,000 it did, which means we can probably trigger a Buffer Overflow with the message input. I repeated the procedure with a username consisting of 1000x 'A' but the result was the same.
Neither on the client-side nor the server-side the application seemed to crash and the username got cut after 20 characters which shows that this user input is probably sanitized in a way that prevents a Buffer Overflow. Using Python I created a string of A's with a length of 100 characters and used it for my username. Besides those two there do not appear to be any other user inputs. Looks like there are two attack vectors: The username input and the message input itself. I started ImmunityDebugger with admin privileges and opened the chatserver executable in it. I then transferred those files from my Linux VM onto my Windows VM. Time to download these two files onto our local machine with get.
On that server is a directory called "chatserver" that contains two files:Īs these files are for execution I changed into the binary mode with binary. We can access the FTP server using ftp 10.10.128.96, anonymous as the username and an empty password. Since the the THM Brainstorm machine is blocking ping probes you have to add the -Pn flag.Īfter we found the two open ports 21, 3389, and 9999 it's time to enumerate them further: Let's begin with a nmap scan to gather some information: Reverse engineer a chat program and write a script to exploit a Windows machine.THM Room: here
0 kommentar(er)
