BrainPan — Vulnhub Walkthrough

ENUMERATION

Run netdiscover to get the IP:

# netdiscover -r 10.0.2.0/24

  • 9999
  • 10000

EXPLOITATION

Running brainpan.exe

Before Running Script
After Running Script
Output of Fuzzing.py
pattern_create.rb metasploit-framework payload.
Offset.py
Registers overwritten
Exact match found at 524.
Inserting B’s at EIP.
EIP written with 42424242 = hex value of BBBB
Badchars.py
No bad chars. Nothing replaced by original hex
Mona instead of Moana
!mona modules
I found return address: 0x311712f3
breakpoint.py
breakpoint hit at JMP ESP.
payload.
part 1 overflow.py
part 2 overflow.py
  1. Padding added “\x90”*16 bytes
  2. IP address changed to our real target machine, instead of testing windows machine

PRIVILEGE ESCALATION

OK, so I enumerated the Z: drive and it looked wholly like a Linux drive, but how come it seems to be Windows? So I inspected, and a program, WINE, was running.

  1. I thought we either needed to pull some information from files in Linux on the Z: drive
  2. (or) I shifted to the C: drive and tried Windows escalation.
  1. The files in Linux held nothing.
  2. The C: drive was just a drive which seemed to be Windows; it had no capability for Windows commands except some basic cmd commands, and held no sensitive files.
plugnplay running
  1. Changing home directories of users : denied
  2. uname -a : Linux kernel info
Compile dirtycow for 32-bit Linux kernel
access to /etc/shadow
