Showing posts with label buffer overflow. Show all posts
Showing posts with label buffer overflow. Show all posts

Tuesday, July 1, 2014

[WALKTHROUGH] Brainpan2

This is another challenge designed by superkojiman...

I would say this is really taking me some long time to break into it... :( frustrated all the time... However, it is a very rewarding challenge that myself learned really a lot...

So less words, more photos I wished... :)

Ping sweep the network for the target IP...


IP found: 192.168.17.145

Port scanning...


Same with previous challenge Brainpan1, only showing port 9999 and port 10000...

Checking out the web page at port 10000...


Good information indeed...

But no fishy stuff here...

Netcat to port 9999....

 Asked to login as 'GUEST'...


Done it and checked for available commands...

After tested every command, the 'VIEW' command seems like not sanitized and able to execute command...

Listening on port 443 to grab the shell from the target...


On the other hand, execute and throw a shell from the target back to our attacking machine...


Check on the attacking machine to see whether we got the shell from the target...


Yes! Everything seems good and smooth...

It's time to escalate to root privilege... finding the vulnerable target file...


Found out the file with 'root' permission and trying to see if able to break it...


Checking on the file usage...

So, what if we sending some unintended long strings of characters and see if it is breakable through buffer overflow...


My guessing is correct! Spamming 500 bytes of character "A" crashed the file...

Let's find out the real offset memory for crashing point...

Create a long unique strings of characters of 500 bytes...


Feeding in all the unique characters and see the crashing point...


Crashing point: 0x35614134

Check the offset with pattern_offset scripts...


Offset is match exact at 14. This means the file crashed after we feed in the 14 bytes as input...

Next, feed in a strings with 14 "A" following by 4 "B" and the rest with "C"...


Confirmed the EIP holding the "\x42\x42\x42\x42", which is translate into BBBB as input by us earlier...

Time to create our payload and reside our payload into the target machine environment variable...


Created our payload using msfvenom...

And export into variable "EVILCODE" created by us together with some NOP value for padding purpose...


Putting up a simple script to find the memory address of the variable "EVILCODE"...


 Since, target machine does not have 'gcc' compiler...

So, I compiled the script file and host at my web server...


 Download the compiled C file and output to 'tmp' folder... following by changing the file permission using command 'chmod 777 /tmp/getenvar'...


Execute the C file and looking for the variable memory address...


 Our payload is reside at the memory address: 0xbffffef3

[-] Left out a screen capture here...which is executing the command: ./msg_root `python -c 'print("A"*14 +  "\xf3\xfe\xff\xbf")'` a



Drop into another shell with "root" privilege... a fake-over taken here...

The real culprit we are after should be "root " with a space at the end...

Look further to see if we can find another vulnerable file with higher privilege... 


Found the exact same software running at port 9999 but with older version, which is version 1.8...

Amend the config file for the brainpan-1.8.exe...

command: echo "port=9333\nipaddr=0.0.0.0" > brainpan.cfg


Changed the ipaddr to 'ANY', which is 0.0.0.0... run the file...


Connect back to the target IP at port 9333....


Notice with the older version of same software... repeat the exact same step as previous and throw a reverse shell back to our attacking machine...


This time the user id is puck... so check out the puck folder...


Some content resides in the backup folder which I believe is an original copy of initial setting...


Found a weird listening socket...

It might be the SSH service with port changed...


Try SSH into the box but the private key seems different and unauthorized...

Second attempt with the SSH private key resides in the backup folder...


Immediately drop into the real "root " shell and display out the flag... Job's done!

Thanks to superkojiman again for this interesting and joyful challenge...

Posted by at No comments:
Labels: , , , , , , ,

Friday, June 20, 2014

[WALKTHROUGH] Brainpan 1

This is one joyful and also one full of frustration box as it took me quite some times to solve it... but it is very rewarding as well... really thanks to superkojiman on this great challenge that he designed... not sure why he named it as Brainpan, but I will definitely named it as Brainpain, which literally explained everything... :)

This challenge is designed solely based on buffer overflow exploitation and it is a good chance for noobie like me to start off and train on... :)

Kick start with finding the target IP...


Scan for the ports...

Returned only 2 open ports, which are 9999 and 10000...

Let's recon harder and see if we can find something better...


Nothing useful...

Check out their http website...


Scrapped the web page source code but nothing found again...

Let's poke on its 9999 port and see what is going to happen...


Obviously not some easy brute force or dictionary attack can break in...

 Leave it and move on again...

Check if any sub-directory found on the web hosting...


Found a "/bin" directory...

Let's check it out... :)


 Found a "brainpan.exe" file... seems like a Windows executable file...

Grab it down for further probing...


Checked and verified it is a Windows executable file...

Some forensics-fu with 'Strings' command and found the password for port 9999 is "shitstorm"...

Tried log in using the credential found successfully but nothing rewarding so far...

Move the 'brainpan.exe' file over to Windows environment and debug using Immunity Debugger...

At the same end, create a fuzzer script as shown below to fuzz with the "brainpan.exe" file...


Set the target IP address accordingly, here we will set the IP of the windows machine first before we move on back to our Brainpan box...

The script will try feed from 100 bytes and increment of 100 every time until the program crashed... and this is where we begin our buffer overflow exploitation...


Seems like the program crashed after intake of 600 bytes... hence we create a unique 600 bytes to identify the offset of EIP...

Next step is to find the exact offset of EIP using the pattern_offset script in Kali linux...


Since the leftover spaces for shell code is definitely not enough (600-524 = 76 bytes)... We tried to increase it further to 1000 bytes see if the crashed address remained the same...

Well, since the program behave the same if we push in 1000 bytes... so we make changes accordingly...

Push in 524 of  "A" + 4 of "B" to differentiate the memory address + the rest bytes will be filled with "C" temporary...


Tested and everything seems fine...

Next step is to find the memory address for "JMP ESP"...

Finding out the hexcode for instruction "JMP ESP" using the nasm_shell scripts...


Execute the mona scripts in Immunity Debugger...

!mona find -s "\xff\xe4" -m brainpan.exe

Replace the memory address found accordingly...


 At the other hand, create the payload...


 Put the shell code created earlier into our fuzzer scripts...

Padding the shell code with some NOP bytes...


Launch a handler to catch the reverse shell...


Run the exploit and check for the reverse shell...


The attack is successful...

Let's move this back to Linux payload...

Create another new payload using the msfpayload for linux...


Replace the code accordingly... 


Launch the exploit as previous attack and wait for reverse shell...


Now, we got a shell on the target box... apparently this user does not have much privilege on the box... let's see what can this user 'puck' do as sudo with "sudo -l" command...

Only one sudo command which does not require any password... "anansi_util"...
 
This command require at least one argument...

As far as I know, we can launch another shell within the "manual" command...

So here, I try with "manual vi"...


We see a regular manual page for "vi"...

To launch an command within "manual", we pre-pend an "!" in front of it...

Hence, "!/bin/bash" will launch another shell within the "manual"...



Check for the id and we got the root shell instantly... :)

A very nice challenge indeed... sorry as I do not have screenshots from windows machine as I accidentally reverted the machine... :(
Posted by at No comments:
Labels: , , , , , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)