I would say this is really taking me some long time to break into it... :( frustrated all the time... However, it is a very rewarding challenge that myself learned really a lot...
So less words, more photos I wished... :)
Ping sweep the network for the target IP...
IP found: 192.168.17.145
Port scanning...
Same with previous challenge Brainpan1, only showing port 9999 and port 10000...
Checking out the web page at port 10000...
Good information indeed...
But no fishy stuff here...
Netcat to port 9999....
Asked to login as 'GUEST'...
Done it and checked for available commands...
After tested every command, the 'VIEW' command seems like not sanitized and able to execute command...
Listening on port 443 to grab the shell from the target...
On the other hand, execute and throw a shell from the target back to our attacking machine...
Check on the attacking machine to see whether we got the shell from the target...
Yes! Everything seems good and smooth...
It's time to escalate to root privilege... finding the vulnerable target file...
Found out the file with 'root' permission and trying to see if able to break it...
Checking on the file usage...
So, what if we sending some unintended long strings of characters and see if it is breakable through buffer overflow...
My guessing is correct! Spamming 500 bytes of character "A" crashed the file...
Let's find out the real offset memory for crashing point...
Create a long unique strings of characters of 500 bytes...
Feeding in all the unique characters and see the crashing point...
Crashing point: 0x35614134
Check the offset with pattern_offset scripts...
Offset is match exact at 14. This means the file crashed after we feed in the 14 bytes as input...
Next, feed in a strings with 14 "A" following by 4 "B" and the rest with "C"...
Confirmed the EIP holding the "\x42\x42\x42\x42", which is translate into BBBB as input by us earlier...
Time to create our payload and reside our payload into the target machine environment variable...
Created our payload using msfvenom...
And export into variable "EVILCODE" created by us together with some NOP value for padding purpose...
Putting up a simple script to find the memory address of the variable "EVILCODE"...
Since, target machine does not have 'gcc' compiler...
So, I compiled the script file and host at my web server...
Download the compiled C file and output to 'tmp' folder... following by changing the file permission using command 'chmod 777 /tmp/getenvar'...
Execute the C file and looking for the variable memory address...
Our payload is reside at the memory address: 0xbffffef3
[-] Left out a screen capture here...which is executing the command: ./msg_root `python -c 'print("A"*14 + "\xf3\xfe\xff\xbf")'` a
Drop into another shell with "root" privilege... a fake-over taken here...
The real culprit we are after should be "root " with a space at the end...
Look further to see if we can find another vulnerable file with higher privilege...
Found the exact same software running at port 9999 but with older version, which is version 1.8...
Amend the config file for the brainpan-1.8.exe...
command: echo "port=9333\nipaddr=0.0.0.0" > brainpan.cfg
Changed the ipaddr to 'ANY', which is 0.0.0.0... run the file...
Connect back to the target IP at port 9333....
Notice with the older version of same software... repeat the exact same step as previous and throw a reverse shell back to our attacking machine...
This time the user id is puck... so check out the puck folder...
Some content resides in the backup folder which I believe is an original copy of initial setting...
Found a weird listening socket...
It might be the SSH service with port changed...
Try SSH into the box but the private key seems different and unauthorized...
Second attempt with the SSH private key resides in the backup folder...
Immediately drop into the real "root " shell and display out the flag... Job's done!
Thanks to superkojiman again for this interesting and joyful challenge...
No comments:
Post a Comment