This is one joyful and also one frustrating box, as it took me quite some time to solve it... but it is very rewarding as well... really, thanks to superkojiman for this great challenge that he designed... not sure why he named it Brainpan, but I would definitely name it Brainpain, which literally explains everything... :)
This challenge is designed solely around buffer overflow exploitation and it is a good chance for a noobie like me to start off and train on... :)
Kick start with finding the target IP...
Scan for the ports...
Returned only 2 open ports, which are 9999 and 10000...
Let's recon harder and see if we can find something better...
Nothing useful...
Check out their http website...
Scraped the web page source code but nothing found again...
Let's poke on its 9999 port and see what is going to happen...
Obviously not something an easy brute force or dictionary attack can break into...
Leave it and move on again...
Check if any sub-directory can be found on the web hosting...
Found a "/bin" directory...
Let's check it out... :)
Found a "brainpan.exe" file... seems like a Windows executable file...
Grab it down for further probing...
Checked and verified it is a Windows executable file...
Some forensics-fu with the 'strings' command and found the password for port 9999 is "shitstorm"...
Tried logging in with the credential found, successfully, but nothing rewarding so far...
Move the 'brainpan.exe' file over to Windows environment and debug using Immunity Debugger...
At the same time, create a fuzzer script as shown below to fuzz the "brainpan.exe" file...
Set the target IP address accordingly; here we will set the IP of the Windows machine first before we move back to our Brainpan box...
The script will try feeding from 100 bytes with an increment of 100 every time until the program crashes... and this is where we begin our buffer overflow exploitation...
Seems like the program crashed after taking in 600 bytes... hence we create a unique 600-byte pattern to identify the offset of EIP...
Next step is to find the exact offset of EIP using the pattern_offset script in Kali Linux...
Since the leftover space for shellcode is definitely not enough (600-524 = 76 bytes)... we tried to increase it further to 1000 bytes to see if the crash address remained the same...
Well, since the program behaves the same if we push in 1000 bytes... we make changes accordingly...
Push in 524 "A"s + 4 "B"s to differentiate the memory address + the rest of the bytes filled with "C" temporarily...
Tested and everything seems fine...
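What the crash and the fixed EIP offset look like at source level, as an added example that is not part of the original post and not Brainpan's actual source (which is not published here): a fixed-size stack buffer filled with strcpy() from an untrusted request, next to a length-checked version that refuses over-long input before copying. The buffer size, the password string and the make_filler() helper are constructed placeholders for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values for this example only; they are not the real binary's. */
#define BUF_SIZE 64
#define EXPECTED_PASSWORD "placeholder-password"

/* "Before": the bug class this challenge exercises. strcpy() copies until the
 * NUL terminator, so any request longer than BUF_SIZE - 1 writes past buf and
 * over the saved frame pointer and return address, which is exactly why a
 * long run of "A"s ends up in EIP. Kept here for study; calling it with input
 * longer than the buffer is undefined behaviour. */
int check_password_unsafe(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);                    /* no length check: overflow */
    return strcmp(buf, EXPECTED_PASSWORD) == 0;
}

/* "After": check the length against the buffer first and refuse anything that
 * does not fit, then copy with an explicit bound and terminate the string
 * ourselves. Returns 1 on match, 0 on mismatch, -1 when the input is rejected
 * as too long. */
int check_password_safe(const char *input, size_t input_len) {
    char buf[BUF_SIZE];
    if (input_len >= BUF_SIZE) {
        return -1;                         /* too long: refuse, never copy */
    }
    memcpy(buf, input, input_len);
    buf[input_len] = '\0';
    return strcmp(buf, EXPECTED_PASSWORD) == 0;
}

/* Helper for the demonstration: build a NUL-terminated string of n copies of
 * fill, like the "A" * 600 the fuzzer sends. Caller frees the result. */
char *make_filler(size_t n, char fill) {
    char *s = malloc(n + 1);
    if (s == NULL) {
        return NULL;
    }
    memset(s, fill, n);
    s[n] = '\0';
    return s;
}

int main(void) {
    char *filler = make_filler(600, 'A');
    if (filler == NULL) {
        return 1;
    }
    /* Only the bounded version is exercised with the long input. */
    printf("600 bytes, safe version   : %d (expect -1, rejected)\n",
           check_password_safe(filler, 600));
    printf("correct password, safe    : %d (expect 1)\n",
           check_password_safe(EXPECTED_PASSWORD, strlen(EXPECTED_PASSWORD)));
    printf("wrong password, unsafe    : %d (expect 0)\n",
           check_password_unsafe("wrong"));
    free(filler);
    return 0;
}
```

The two functions differ only in the length check and the bounded copy; compiling the safe version with a stack protector would additionally abort on the corruption the unsafe one permits, but the check is what prevents it.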
Next step is to find the memory address for "JMP ESP"...
Find out the hex code for the instruction "JMP ESP" using the nasm_shell script...
Execute the mona script in Immunity Debugger...
!mona find -s "\xff\xe4" -m brainpan.exe
Replace the memory address found accordingly...
On the other hand, create the payload...
Put the shellcode created earlier into our fuzzer script...
Pad the shellcode with some NOP bytes...
Launch a handler to catch the reverse shell...
Run the exploit and check for the reverse shell...
The attack is successful...
Let's move this back to Linux payload...
Create another new payload using msfpayload for Linux...
Replace the code accordingly...
Launch the exploit as in the previous attack and wait for the reverse shell...
Now we've got a shell on the target box... apparently this user does not have much privilege on the box... let's see what this user 'puck' can do as sudo with the "sudo -l" command...
Only one sudo command, which does not require any password... "anansi_util"...
This command requires at least one argument...
As far as I know, we can launch another shell within the "manual" command...
So here, I try with "manual vi"...
We see a regular manual page for "vi"...
To launch a command within "manual", we prepend an "!" in front of it...
Hence, "!/bin/bash" will launch another shell within the "manual"...
Check for the id and we got the root shell instantly... :)
A very nice challenge indeed... sorry that I do not have screenshots from the Windows machine, as I accidentally reverted the machine... :(