Sunday, September 2, 2018
Brainpan
BRAINPAN 1
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to study the process of compromising the vulnerable machine Brainpan 1.
- Brainpan 1 can be downloaded from here:
https://www.vulnhub.com/entry/brainpan-1,51/
- Once downloaded and imported with VMWare:
2 - ENUMERATION
- netdiscover helps us to discover that Brainpan's IP is 192.168.1.26:
- Nmap finds two open ports: 9999/tcp and 10000/tcp:
- Connecting with the browser to port 10000:
- dirb scans the web server and finds the folder /bin:
- Connecting to /bin with the browser, there is an executable called brainpan.exe:
- Downloading brainpan.exe to Kali:
- Let's notice that it is a Windows executable file:
- Searching for strings inside brainpan.exe reveals some functions prone to buffer overflow attacks:
- Connecting with the browser to the other open port 9999:
- Let's connect again to port 9999, now with netcat. Entering a random password, access is denied:
3 - EXPLOITATION
3.1 - ANALYZING BRAINPAN.EXE AT WINDOWS 10 WITH IMMUNITY DEBUGGER
- In order to analyze the executable brainpan.exe in depth, let's move the file to a Windows environment, for instance a Windows 10 machine:
3.1.1 - Finding the password
- Opening and running brainpan.exe with Immunity Debugger, it is pretty obvious that the string shitstorm is compared with another string using the function strcmp:
- This leads us to guess that shitstorm could be the password to enter the application:
- Our guess was correct, because now access is granted.
3.1.2 - Buffer overflow
- As discovered in the Enumeration step, brainpan.exe contains strings such as strcpy, a function prone to buffer overflow exploitation.
- First of all, let's create a Python script to send a long string of "A"s to brainpan.exe:
- Giving execution permissions to exploit_windows.py:
- Opening and running brainpan.exe with Immunity Debugger:
- Launching the exploit over the Windows 10 machine:
- The EIP and the stack are overwritten with "A"s:
- Creating a pattern of length 1000 and inserting it into the exploit:
- Restarting brainpan.exe with Immunity Debugger and launching the exploit:
- The EIP is overwritten with 35724134:
- Finding an offset of 524 for 35724134:
- Now, let's rewrite the script as follows:
- Restarting brainpan.exe with Immunity Debugger and launching the last version of the exploit:
- The result is that the EIP is overwritten with BBBB, as expected:
- Looking for a JMP ESP instruction, we find one at address 311712F3:
- The address 311712F3 should replace the string BBBB that overwrites EIP, entered in little-endian format: \xF3\x12\x17\x31
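To check the numbers in the previous steps, here is an added Python example (not the script from the original post) that reproduces the Metasploit pattern_create / pattern_offset logic and the little-endian packing of the JMP ESP address; the function names are my own.

```python
import string
import struct


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1...Zz9): every 4-byte window is unique
    up to 20280 bytes, so the value that lands in EIP identifies its offset."""
    triples = (u + l + d
               for u in string.ascii_uppercase
               for l in string.ascii_lowercase
               for d in string.digits)
    return "".join(triples)[:length]


def pattern_offset(eip_hex, length=1000):
    """eip_hex is the register value as Immunity Debugger shows it (e.g. '35724134').
    The four bytes sit in memory in little-endian order, so the pattern slice that
    overwrote EIP is struct.pack('<I', value). Returns -1 if EIP was not hit."""
    needle = struct.pack("<I", int(eip_hex, 16)).decode("ascii")
    return cyclic_pattern(length).find(needle)


def little_endian(addr_hex):
    """Pack a 32-bit address as the bytes that must be written into the buffer."""
    return struct.pack("<I", int(addr_hex, 16))


if __name__ == "__main__":
    # The EIP value 35724134 observed on the page corresponds to "4Ar5"
    # in the pattern, found at offset 524.
    print(pattern_offset("35724134"))      # 524
    print(little_endian("311712F3"))       # b'\xf3\x12\x17\x31'
```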
- Creating a shellcode to achieve a reverse shell at Windows 10 machine on port 4444:
- Also, after the JMP ESP a run of NOP instructions (a NOP sled) is placed before the shellcode to make its execution more reliable.
- Putting everything together in the script exploit_windows.py:
- Setting a listening session with Netcat:
- Launching the exploit one last time:
- The exploit is successful and we get a remote shell from Windows 10 on Kali:
- Output from Immunity Debugger:
3.2 - EXPLOITING BRAINPAN
- Now, let's replace the previous Windows shellcode with one for Linux:
- Inserting the Linux shellcode into a new exploit script (only the shellcode changes):
- Giving execution permissions:
- Setting a listening session with netcat on port 5555:
- Launching the exploit against Brainpan:
- The exploit is successful, as a low-privilege shell is obtained:
- Improving the shellcode:
4 - PRIVILEGE ESCALATION
- So far we have a limited shell:
- Checking user puck's sudo permissions, we discover that puck can run the command anansi_util as root without a password:
- Let's run it:
- There are 3 options; the most interesting seems to be manual [command], which invites us to enter a command. Let's try pwd, for instance:
- The result is the man page for the command pwd.
- However, because the command has been executed as root, and remembering that man allows executing inline shell commands prefixed with !, let's try !/bin/sh:
- Great, we finally have a root shell:
- The purpose of running inline commands from man with ! is simply to test commands without leaving the man page.
- In our case it has been of great help in achieving a quick and easy privilege escalation, because man was executed with root privileges.
5 - CAPTURING THE FLAG
- We find the flag by reading b.txt: