BrainPan — Vulnhub Walkthrough


netdiscover to get the IP. #netdiscover -r

  • 9999
  • 10000


Running brainpan.exe

Before Running Script
After Running Script
Output of
pattern_create.rb metasploit-framework payload.
Registers overwritten
Exact match found at 524.
Inserting B’s at EIP.
EIP written with 42424242 = hex value of BBBB
No bad chars. Nothing replaced by original hex
Mona instead of Moana
!mona modules
I found return address: 0x311712f3
breakpoint hit at JMP ESP.
part 1
part 2
  1. Padding added “\x90”*16 bytes
  2. IP address changed to our real target machine, instead of testing windows machine


Ok so I enumerated Z: drive and it was whole like a linux drive , but how come seems to be windows? So I inspected , a program WINE was running.

  1. I thought we either need to intrude some information from files in linux in Z: drive
  2. (or) I shifted to C: drive and tried windows escalation.
  1. Files in linux held nothing.
  2. C: drive was just a drive which seemed to be of windows, it had not capability of windows commands except some basic cmd commands, but no sensitive files.
plugnplay running
  1. Changing home directories of users : denied
  2. Uname -a : linux kernel info
compile dirtycow for 32 bit linux kernel
access to /etc/shadow



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store