Machine Synopsis
RainbowTwo is a Hard Windows machine centered around exploit development for a custom network file-sharing service. Initial enumeration reveals anonymous FTP access and an unknown service listening on TCP port `2121`. The FTP share exposes the vulnerable service binary, a developer README, and a copy of `SysWOW64\kernel32.dll`. The README confirms that the service was rebuilt with `ASLR`, `DEP`, and `GS` enabled. Static and dynamic analysis then shows that the service is still vulnerable to a format string issue and a stack-based overflow that overwrites the SEH chain. The format string leak provides a reliable ASLR bypass by disclosing a pointer inside `filesrv.exe`; the SEH overwrite provides control of the exception handler; and a ROP chain calls `VirtualAlloc` to bypass DEP. Privilege escalation is achieved by abusing `SeDebugPrivilege` to migrate into a SYSTEM process.
Machine Matrix