HomeGitHubPortfolio Twitter/X Medium Cont@ct

Brainpain (BoF Lab)

https://www.vulnhub.com/entry/brainpan-1,51/

https://www.vulnhub.com/entry/brainpan-1,51/

🔗 Brainpain 1

readme.txt (Disclaimer and Setup)

Description

 _               _                         
| |__  _ __ __ _(_)_ __  _ __   __ _ _ __  
| '_ \| '__/ _` | | '_ \| '_ \ / _` | '_ \ 
| |_) | | | (_| | | | | | |_) | (_| | | | |
|_.__/|_|  \__,_|_|_| |_| .__/ \__,_|_| |_|
                        |_|                
                            by superkojiman  
                 http://www.techorganic.com

DISCLAIMER
----------
By using this virtual machine, you agree that in no event will I be liable 
for any loss or damage including without limitation, indirect or 
consequential loss or damage, or any loss or damage whatsoever arising 
from loss of data or profits arising out of or in connection with the use 
of this software.

TL;DR: If something bad happens, it's not my fault.



SETUP
-----
Brainpan has been tested and found to work on the following hypervisors:
-    VMware Player 5.0.1
-    VMWare Fusion 5.0
-    VirtualBox 4.2.8

Import Brainpan into your preferred hypervisor and configure the network 
settings to your needs. It will get an IP address via DHCP, but it's 
recommended you run it within a NAT or visible to the host OS only since it
is vulnerable to attacks.

Source: Brainpan.zip/readme.txt

MD5 (brainpan.ova) = fc0f163220b9884df5dcc9cdc45361e4

Source: Brainpan.zip/md5.txt

Exclusive to VulnHub!

How to install Wine and Ollydbg on Linux

https://computingforgeeks.com/how-to-install-wine-on-debian/

https://www.kali.org/tools/ollydbg/ or sudo apt install ollydbg

In alternative you can install others sw such as: Immunity Debugger and execute it using Wine on Linux OS or on Windows OS (in this case you should transfer the executable brainpain.exe).

How to install Mona modules (optional)

Task 1 - Deploy the machine

Deploy attacker machine (Kali) and Brainpain machine on VirtualBox, Vmware or on a compatible emulator:

and check relative IPs:

🐲 Attacker/Kali IP: 192.168.56.7 obtained using ip a

The Brainpain VM is on the same subnet, than we do host discovery with nmap or arp-scan only in our subnet: nmap 192.168.56.0/24

🎯 Target IP: 192.168.56.8

Create a directory for machine on the Desktop and a directory containing the scans with nmap.

Task 2 - Reconnaissance

I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.

Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix system, while Windows systems usually have a TTL of 128 secs.

2.1 Ports in listening and relative services

There're two open port, analyze them searching more info about services version and potential vulns:

command
result

sC

run default scripts

sV

enumerate versions

A

aggressive mode

Pn

no ping

oN

output to file with nmap formatting

We see that on port 1000 there's a web server, than we can try to open it on a browser.

and this is relative page source code:

We can see that it is a static page with only an image included.

While on port 9999 there's an hypotetic login form, but without possibility to insert input.

Now, we try to find potential hidden directory using gobuster:

and we find an interesting path: http://brainpain:10000/bin/

Going to it we find an interesting file exe, that we can download in locally:

Check more info about executable using command file:

that confirms exe windows file. Run it using windows emulator (wine):

Program was waiting a connection on port 9999, then we can use netcat on localhost and the same port:

now we can interact with login shell and insert psw (that we don't know).

Reading first tab page, after psw input we can see output that displays: [get_reply] copied 9 bytes to buffer. It means that program returns output of copied bytes to buffer and we can use it to test potential BoF vulnerability.

Task 3 - BoF Exploitation

3.1 Fuzzing

We can try to test sw using a fuzzer script in python:

add it into offset variable of our script:

program was crashed and we need to copy value of EIP register

EIP value in hexadecimal: 35724134

Now, we need to use pattern_offset ruby script with EIP value to calculate correct number of byte needed to crash app:

Output means that program cashes after 524 bytes.

3.2 Control EIP

Our scope is to overwrite EIP register and put into command to jump to ESP register (where we'll insert our payload/shellcode) and force execution, then we can try to put into EIP register 4 character of letter B (42 hex), using fuzzer below:

Now we've insert 524 letter A (41 hex) and 4 letter B (42 hex), infact we can see that EIP value is: 42424242.

Next goal is to overwrite EIP putting JMP ESP value, then find JMP ESP address

JMP ESP address is: 311712F3, to convert in little endian format: \xF3\x12\x17\x31

In the next fuzzer script we need to add this value to EIP and put 400 letter C to ESP (400 because payload usually is 350 bytes):

Badchars Check (Optional for this lab)

We already have control over the EIP, the next step will be to know the BADCHARS. Basically we need to know which characters are bad or invalid for the payload. These characters are those that could interfere with the execution of our payload or cause unexpected behavior.

There are several ways to create them, we can go to Badchars – GitHub and copy the badchars into our script.

LogoGitHub - cytopia/badchars: Bad char generator to instruct encoders such as shikata-ga-nai to transform those to other chars.GitHub

All right, ow we need to replace the 400 C's of the ESP with our shellcode:

3.3 Shellcode generation

in the below script to prevent i've add before shellcode a sequence of NOP chars to prevent the inexact memory addresses matter. NOP sleds help align the actual shellcode to a specific memory address. In some cases, the payload needs to be aligned to a particular memory boundary for successful execution. NOP sleds provide a flexible way to achieve this alignment. Of course NOP operations will be not executed and program will pass directly to our shell code inserted into buf variable.

First to execute it, we need to listening it on the same port of shellcode IP and PORT running a multi handler on msfconsole:

Then we can run our shellcode script to brainpain machine (192.168.56.8):

Connection was established on port 5555, and we've obtained a reverse shell

Task 4 - Privilege Escalation

We can execute /home/anansi/bin/anansi_util as root:

The program accepts manual option + command. Taking tentatives i can see that manual refers to linux man function. Then, i can use it to open a man page regarding a command (e.g. ls) and inserit into a !/bin/sh to became root.

save it, and we'll obtain root permissions!

PreviousBuffer Overflow (BoF)

Last updated