Tryhackme.com Brainpan 1 Walkthrough

dorian5
Sep 18, 2020


We are going to root the Brainpan 1 challenge on tryhackme.com. First, we scan with nmap. Our initial scan shows only ports tcp/9999 and tcp/10000 open, so we do a deeper scan on those two ports.

Port 10000 serves HTTP via Python's SimpleHTTPServer utility. We can pull that up in our browser, but all we get is a .png image file.

Next we use gobuster to brute force the website.

We quickly find the /bin folder. Navigating to this folder in our browser, we find that the file brainpan.exe can be downloaded. The description of the challenge tells us to “Reverse engineer a Windows executable, find a buffer overflow and exploit it on a Linux machine.” We now have the Windows executable, which we download to our Windows machine for further investigation.

We can also test connections to port 9999.

This is likely the application we will be exploiting. It asks for a password and responds with “ACCESS DENIED” if an incorrect password is entered.

Wireshark verifies that we submitted the password attempt:

We will do further attempts to abuse the executable on our Windows machine. After downloading the .exe to the Windows VM, I wrote a small script in Python to interact with it.

Here I’m opening a connection to the brainpan.exe that is running locally on my Windows 10 VM and then I send a password of ‘password’ to the program. The executable verifies that I sent the password, which it rejected.

Now that we can properly interact with the executable, let’s try to break it. In our Windows 10 VM, we launch Immunity Debugger as Administrator, select File → Attach and then select brainpan and click the Attach button. Click the run button in the button bar to get Immunity started. I modified my python script to send “A” characters to the program until it breaks.

Instead of just sending an 8-character password, now I’m sending a string of 600 “A”s. I could have made a loop in my script testing the number of characters in increments of 100, but it didn’t take too many tries to reach a number that broke the executable. Brainpan confirms that we sent 600 characters and Immunity shows an Access Violation, so it appears we have reached a buffer overflow condition.

Note also from Immunity that the “A” characters have overflowed into the ESP register and into the EIP register. 41 is the hex value of “A” in ASCII.

a shitstorm, indeed…

Moving on, we want to find the exact offset of the EIP register. Use metasploit’s pattern_create utility to create a unique 600-byte pattern to send to the executable.

Copy this pattern to our “password” variable in our Python script to send to brainpan.exe. You will have to close and relaunch Immunity and brainpan.exe. Make sure to run both as administrator. After running the script, note in Immunity that our pattern has been written to brainpan and that the value “35724134” is in the EIP register.

We can then use Metasploit to find the exact offset of the EIP register.

We now know that the bytes landing in the EIP register start at offset 524. Let’s verify this with our Python script. We will modify the password we are sending to 524 “A” characters followed by exactly 4 “B” characters and again watch in Immunity.

Here we see the string of “A’s” and then exactly 4 “B” characters (42 hex is “B”) in the EIP register.
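The offset step above (pattern_create, the EIP value 35724134, pattern_offset, then the 524 “A” + 4 “B” check) can be reproduced without Metasploit. This is an added example, not code from the walkthrough; it rebuilds the Metasploit cyclic pattern in plain Python and maps the register value back to an offset, including the little-endian reversal that is easy to get wrong by hand.

```python
import string


def cyclic_pattern(length):
    """Build the Metasploit pattern_create sequence (Aa0Aa1Aa2...) of the given length.
    The sequence does not repeat for 20280 bytes, so any 4-byte window inside it
    maps back to exactly one offset."""
    triplets = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triplets.append(upper + lower + digit)
                if len(triplets) * 3 >= length:
                    return "".join(triplets)[:length]
    return "".join(triplets)[:length]


def eip_to_text(eip_hex):
    """Undo x86 little-endian storage: the value Immunity shows in EIP ('35724134')
    was built from the 4 pattern bytes '4','A','r','5' stored lowest byte first."""
    return int(eip_hex, 16).to_bytes(4, "little").decode("ascii")


def pattern_offset(eip_hex, length=600):
    """Offset at which the 4 bytes now in EIP sat in the pattern we sent, or -1
    if the value did not come from the pattern at all (e.g. 41414141 from the A's)."""
    return cyclic_pattern(length).find(eip_to_text(eip_hex))


def eip_after_probe(offset, tail=b"BBBB", filler=b"A"):
    """Model the verification step: 'offset' filler bytes then a 4-byte tail.
    Returns the value EIP would show if the offset is right (0x42424242 for 'BBBB',
    since 42 hex is 'B')."""
    probe = filler * offset + tail
    return int.from_bytes(probe[offset:offset + 4], "little")


if __name__ == "__main__":
    print(pattern_offset("35724134"))   # the walkthrough's EIP value -> 524
    print(hex(eip_after_probe(524)))    # 0x42424242
```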

Before we can craft our exploit, we must test for bad characters that we can’t include in our payload. I found the list of badchars at: http://vulp3cula.gitbook.io/hackers-grimoire/exploitation/buffer-overflow

We can modify our script to send the badchars.

After running the script, go back to Immunity, right-click on the hex value of the ESP register and select “Follow in Dump.” The list of characters that we sent, from 01 to FF, is shown in the hex dump pane. Closely examine the entire list to see if any of the hex numbers are out of sequence, which would indicate a bad character. In this case we do not have any bad chars.
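Reading 255 bytes in the dump pane by eye is error-prone, so here is an added example (not part of the walkthrough) that does the comparison programmatically: it parses dump lines copied from the Immunity pane and reports the first byte that is out of sequence. The dump lines and their addresses are constructed for this example, with 0x0A deliberately replaced by 0x00 so the check has something to flag; the real brainpan run showed no bad characters.

```python
import re

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")

# The test string the script sends: every byte value except the null byte.
BADCHAR_TEST = bytes(range(0x01, 0x100))

# Constructed sample in the style of Immunity's "Follow in Dump" pane: a made-up
# address, the bytes at that address, then the ASCII column. 0x0A has been swapped
# for 0x00 on purpose; in the actual brainpan test the sequence was intact.
SAMPLE_DUMP = """\
0022FA30  01 02 03 04 05 06 07 08  09 00 0B 0C 0D 0E 0F 10  ................
0022FA40  11 12 13 14 15 16 17 18  19 1A 1B 1C 1D 1E 1F 20  ................
"""


def parse_dump(text):
    """Return the bytes shown in a dump: skip the address column, collect the
    two-digit hex tokens, and stop at the first token that is not one (the ASCII
    column), so pasted pane text can be fed in as-is."""
    data = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:]:
            if not HEX_PAIR.match(tok):
                break
            data.append(int(tok, 16))
    return bytes(data)


def check_sequence(received, sent=BADCHAR_TEST):
    """Compare what landed in memory with what was sent, byte by byte.
    Only the first mismatch is meaningful: a mangled or dropped byte shifts
    everything after it, which is why bad characters are removed one at a time
    and the test is re-run. 'checked' tells you how much of the test string the
    dump covered, so you know whether to page further down in Immunity."""
    n = min(len(received), len(sent))
    for i in range(n):
        if received[i] != sent[i]:
            return {"bad": sent[i], "index": i, "got": received[i], "checked": i}
    return {"bad": None, "index": None, "got": None, "checked": n}


if __name__ == "__main__":
    print(check_sequence(parse_dump(SAMPLE_DUMP)))  # flags 0x0A at index 9
```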

The next step will use the mona.py module, which is not installed by default. Google mona.py and download it from Github. Paste it into the “PyCommands” folder in the Immunity install folder and relaunch brainpan and Immunity. At the command line for Immunity at the very bottom of the window, type “!mona modules” and hit Enter. In the Log Data window that pops up, look for an entry related to brainpan. We are looking for an entry with everything set to “False”, which indicates no memory protections. Fortunately, our one option fits the description.

In Kali, find the hex opcodes of the JMP ESP instruction. We will use this instruction to jump to our shell code.

Back at the Immunity command line, enter !mona find -s "\xff\xe4" -m brainpan.exe and in the results note the address that we will put into EIP to jump to our shell code, in our case 0x311712f3.

We add the hex address to our Python code in little-endian format.

In Immunity, we need to add a breakpoint. Hit the button to Enter an expression to follow and add our memory address to put into EIP.

Select the FFE4 instruction and hit F2 to add a breakpoint so the code stops executing here.

Run the Python script that includes our jump code. Verify the jump address is now in the EIP register.

Now that we have verified our jump code, we can add the payload to get our shell using msfvenom. We will first test the exploit on our local Windows machine.

The -a indicates x86 architecture. The -b is for badchars to avoid. The null byte, \x00, should always be avoided. Copy the payload to our Python script, also padding with NOP instructions (\x90) prior to the payload.

Kill Immunity and relaunch Brainpan.exe. In Kali, launch a netcat listener and then run our Python script. We get a shell on our local machine, which proves our exploit will work.

Now that we can successfully perform the buffer overflow exploit on our Windows machine, we attempt the exploit on the actual application. We need to generate a new payload to execute on the Linux machine.

Add this payload to our Python script. Open a second terminal and launch a netcat listener. Then run our script.

We get a shell!

First step is to upgrade our shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Initial investigation of user ‘puck’ reveals sudo privileges.

User puck can run a script in the home folder of another user. Attempts to view or write to this script are unsuccessful. We attempt to run the script.

The script will allow us to run ‘man’ with sudo privileges. We are in luck because ‘man’ supports command execution, and since we are running it as root, we can get a root shell!

Thanks for reading.
