# Wizard Labs - Dummy

## Quick Summary

Hey guys this is my write-up about Dummy from Wizard Labs. If you don’t know them , They are a new penetration testing lab, They have 16 boxes so far and Dummy is their first box to retire. This lab is nice I definitely recommend checking it out. Dummy is a windows box and it was an easy one (Difficulty: 2/10). It had an http service which was vulnerable to a buffer overflow , and metasploit had a module for it so this box can be done easily through metasploit . I will show that, then we will take a look at the exploit and how it’s happening. The ip of the box is 10.1.1.13 so let’s jump right in.

## Nmap

As we always do we will start by scanning the box with nmap , so :
nmap -sV -sT -sC 10.1.1.13

We see a lot of open ports , most of the http ports are running Microsoft HTTPAPI, we will ignore that and look at other things. We also see that the box has smb which is an interesting thing to look at so let’s try smbmap
smbmap -H 10.1.1.13

On port 8000 there’s an http server and it’s not running Microsoft HTTPAPI , it’s running Icecast streaming media server. Let’s check that port

## Icecast

If we go to that port we get a 404 response which is odd. We can try bruteforcing directories with dirbuster but that won’t help too much.
By searching online we will find that an old version of icecast had a buffer overflow vulnerability which allowed for a remote code execution (RCE). And we also find a metasploit module . So let’s open metasploit and search for icecast modules.

## Metasploit

By doing search icecast we will find the module , and it’s an exploit from 2004.

And we got a meterpreter session. we can drop a shell by typing shell then if we type whoami we will find that we are already Administrator so no need for privilege escalation

Then we can grab the flags

So now we did the box , but let’s understand the exploit. basically it’s a buffer overflow vulnerability, it happens because that version of icecast only accepted a maximum of 32 headers in the HTTP request , so if a request had 32 headers this caused the return address of the vulnerable function to be overwritten with a pointer to the begining of the header number 32. this means that anything we add as the 32nd header will be executed
So if we make a request with 31 headers and add shellcode as the 32nd header we can get a reverse shell and that’s what metasploit is doing. But if we look at the source of the module :

There’s not much detail because it’s based on metasploit so luckily I found this refrence which had a poc c code.
By looking at this part of the code :

We can see how the exploit is working. It’s doing a GET request , adding 31 “a”s as headers , then the 32nd header is the shellcode.
If you want to know more about bufferOverFlows check out my other articles

That’s it , Feedback is appreciated !