This box is quite similar to Brainstorm, which I did previously.

The initial scan shows 2 open TCP ports: 9999 and 10000.

I did a quick recon with gobuster, which showed a /bin directory from which I was able to download brainpan.exe.

I started this executable on my own Windows 10 VM using Immunity Debugger. I again sent a long pattern. Below you can see example usage of the program on port 9999. You can see that after sending 600 chars, the program crashed.

I took the EIP address, which indicates the offset. I used:

msf-pattern_create -l 600
msf-pattern_offset -l 600 -q 35724134

So I decided to write a short Python script which communicates with this program. The message being sent contains the character (“A”) multiplied by the offset number. After this sequence there is the “B” character four times. The rest of the payload is not important now.

The message from this script was sent to brainpan.exe (which was rerun). Usage of this script is:

python exploit.py rhost_ip rport

EIP has been overwritten with 424242, which is “B” in hex.

Now I modified the script again to send badchars after the EIP address. \x00 is excluded from the beginning, because it is always a badchar.

The program crashed again. Then I used mona.py, which is not included in Immunity Debugger (you have to add mona.py to the debugger).

After restarting Immunity Debugger you have to type:

!mona config -set workingfolder c:\mona\%p
!mona bytearray -b "\x00"

The first command changes the working folder and the second creates a bytearray without \x00.

Start exploit.py again and then check manually whether any bad chars occurred, or use:

!mona compare -f C:\mona\chatserver\bytearray.bin -a {ESP_address}

There are no bad chars. The status is unmodified, so the only bad char is \x00, which is always a bad char. If some bad chars are shown, you have to exclude them from your exploit and from mona: !mona bytearray -b "\x00\xFF" and search again for bad chars.

Now I am sure that every badchar is excluded. Use “!mona modules” and look for an entry with every position set to “false”. If there is such an entry, this file doesn’t contain memory protections.

Now we need to find a JMP ESP, which will be used to jump to the shellcode.

!mona jmp -r esp -cpb "\x00"

The output of this command shows the JMP address: 0x311712f3

With this information we can start modifying the Python script.

First of all, create a shell with the IP of your machine.

The JMP ESP address must be written backwards in the script: 0x311712f3. I left the badchars in for some tests, but you can remove them now.

Before running the script, remember to set up a listener on the port which was used in the msfvenom command:

So this script worked on my local Windows machine. Now I have to modify the script again, this time with the IP of the CTF box and my tun0 (VPN) IP. I have also changed the type of payload, because the CTF box is a Linux machine.

The final code of the exploit looks like this:

The final payload message contains:
“A” multiplied by the offset number
the retn value, which is the JMP ESP address written backwards
\x90 * x, which is padding between the buffer and the saved registers
the payload code
‘\r\n’, which is the Enter key
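
To show the root cause that this payload structure relies on, here is an added example (not brainpan.exe's code and not from the original post): a constructed C message handler with the unbounded copy that lets a long message overwrite the saved return address, beside a bounded version that rejects such a message. The buffer size, function names and the 600-byte test message are assumptions made for the example.

```c
/* Constructed illustration of the bug class behind this writeup. This is
 * NOT the real brainpan.exe code; MSG_BUF and the function names are
 * assumptions chosen for the example. */
#include <stdio.h>
#include <string.h>

#define MSG_BUF 512   /* assumed fixed-size stack buffer (constructed value) */

/* Vulnerable pattern: copies a client-controlled string into a fixed stack
 * buffer with no length check. An input longer than MSG_BUF runs past the
 * buffer into the saved frame pointer and return address, which is why a
 * long enough message ends up in EIP. Only ever called here with short
 * input, because an overlong input is undefined behaviour (a crash). */
int handle_message_vulnerable(const char *input)
{
    char buf[MSG_BUF];
    strcpy(buf, input);               /* unbounded copy: the defect */
    return (int)strlen(buf);
}

/* Hardened version: refuse anything that does not fit, then copy with an
 * explicit bound so the buffer cannot be overrun. Returns the number of
 * bytes accepted, or -1 when the message is too long. Build the binary
 * with stack protector, DEP and ASLR as well; those are the protections
 * the "!mona modules" check above looks for. */
int handle_message_safe(const char *input, size_t input_len)
{
    char buf[MSG_BUF];
    if (input_len >= MSG_BUF)         /* keep room for the terminator */
        return -1;
    memcpy(buf, input, input_len);
    buf[input_len] = '\0';
    return (int)input_len;
}

/* Mirrors the writeup's crash test: a 600-byte message of 'A' characters.
 * The safe handler rejects it instead of overwriting the return address. */
int check_long_message(void)
{
    char msg[601];
    memset(msg, 'A', 600);
    msg[600] = '\0';
    return handle_message_safe(msg, 600);   /* -1: rejected */
}

int main(void)
{
    printf("short message, vulnerable handler: %d\n", handle_message_vulnerable("hello"));
    printf("600-byte message, safe handler: %d\n", check_long_message());
    return 0;
}
```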

I decided to use Metasploit for receiving the reverse shell in case the shell was unstable. After gaining a shell I used Python to spawn a better shell.

After gaining a shell, remember to check “sudo -l” on the Linux box. In this case we received information that we can run a specific command:

With this information you can simply use the manual to run bash as root:

The box is rooted 🙂

By Marceli
