After I finished playing Pegasus I started next one VM with CTF called "Brainpan:2". The game was prepared by superkojiman. Thanks to VulnHub you can find it hosted here. Let's play...
When the VM started I used netdiscover with -r to try to find the IP of the target box. In my case (this time, because I restarted the machine so IP changed few times - you'll see later ;]) it ends with .55.
Let's scan the box now (log below):
At 10000/tcp you will find some small WWW, so we will go directly to the port 9999/tcp. You will find some nice, oldschool 'menu' ;]
After a while you should be able to spot the bug (when you're logged-in as GUEST and you will use VIEW to check local files: not validated input results as RCE):
Let's make it easier (with python and import pty) and let's get some overview of the current directory:
Then I decided to use the trick with ssh-keys (from few last CTFs) and prepare an access directly via SSH:
Cool. But I forgot that the SSH is not accessible (so far) via remote hosts. :<
Let's get back to our python-shell (in case of future IP changes or shelldrops I prepared another small 'backdoor'):
Ok. Now. To save some time I also prepared a small rce-poc to get the shell a little bit faster:
The skeleton of the poc used to do this you will find (somewhere at the github) or you can use the one I found (somewhere at the github ;]):
Ok. Quick overview:
No no no no wrong. I decided that maybe I will not do it like this. Maybe I'll need a C-wrapper to get something more here. Just trying, so. I started to prepare a small C code..
... an of course - no gcc ;] So: again.
Ok, we are here:
Then suddenly I realized that I created the new file 'rap' (so it's correct), see below:
This time we will use the other way:
Next I used create_pattern script from Metasploit:
No so long but maybe we will handle it:
Ok, let's try this one:
No. So I sit back to gdb and tried to study the asm code again.
We are here:
Start gdb and attach msg_root:
I decided that the offset (14) will be a good hint to check if the msg_root app can be exploited using environments variables. I tried to do it this way:
- python print "A"*14
+ addr of ourENV
Where is our envSH:
Checking in gdb again:
The case here was to run our exploit-code outside gdb ;)
Now as you probably remember ;] you will find some hints on menu. Below we will try to reconfigure old version of the code:
Now after a while we should be somewhere here:
What's inside puck's directory?
Hm.. it's time to root now?
Ok, we can do a nice python trick I found online (thanks!), check it out:
Ok, so we are finaly 'puck' user. Next, checking puck's directory:
Ok not-empty .bash_history, checking:
Ok. Now it's time to get that "root " access. Let's copy the ssh-files to the old stuff of backup (and backup to the new place the old .ssh-files ;]). Should work like this:
So we are ready now to get the final words:
Let's check the flag.txt file again:
I must admit that this is one of my favourite CTF so far. Big thanks goes to superkojiman (the author) as well as for the VulnHub Team for hosting such great CTF(s).
Once again big thanks for preparing this CTF VM.
In case of any comments/questions/feedback - you'll know how to find me.