Saturday, 27 January 2018

Brainpan2 - CTF

After I finished playing Pegasus I started the next VM with a CTF called "Brainpan:2". The game was prepared by superkojiman. Thanks to VulnHub you can find it hosted here. Let's play...

When the VM started I used netdiscover with -r to try to find the IP of the target box. In my case (this time, because I restarted the machine so the IP changed a few times - you'll see later ;]) it ends with .55.

Let's scan the box now (log below):

At 10000/tcp you will find a small web server, so we will go directly to port 9999/tcp, where you will find a nice, old-school 'menu' ;]

After a while you should be able to spot the bug (when you're logged in as GUEST and use VIEW to check local files: unvalidated input results in RCE):

Cool. :]

Let's make it easier (with python and import pty) and get an overview of the current directory:

Then I decided to use the ssh-keys trick (from the last few CTFs) and prepare direct access via SSH:

Cool. But I forgot that SSH is not accessible (so far) from remote hosts. :<

Let's get back to our python shell (in case of future IP changes or shell drops I prepared another small 'backdoor'):

'Just in case' ;]

Ok. Now, to save some time I also prepared a small RCE PoC to get the shell a little bit faster:

The skeleton of the PoC used to do this you will find (somewhere on GitHub), or you can use the one I found (somewhere on GitHub ;]):

Ok. Quick overview:

What's this?



When I saw that the file is created with root perms I was wondering what I could do with that... A few steps I tried you will find below:

Hehe ;] Still no luck, so I'm doing something wrong. Again.

No no no no, wrong. I decided that maybe I won't do it like this. Maybe I'll need a C wrapper to get something more here. Just trying. So I started to prepare a small C program...

... and of course - no gcc ;] So: again.

Ok, we are here: maybe...

Then I suddenly realized that I had created the new file 'rap' (so it's correct), see below:

There is the SUID bit, but the owner is still the same user. I thought that if I'm able to set the SUID bit, maybe I'll be able to use msg_root to change /root perms and access that directory that way:

Yeah sure Neo.


This time we will use the other way:

Better. More.


Next I used the pattern_create script from Metasploit:


Not so long, but maybe we will handle it:

Ok, let's try this one:

No. So I went back to gdb and tried to study the asm code again.

;D cool. I updated the script (and restarted the VM) to try again:

We are here:

Start gdb and attach msg_root:

I decided that the offset (14) would be a good hint to check whether the msg_root app can be exploited using environment variables. I tried to do it this way:

- python print "A"*14
+ addr of ourENV
+ NOPs
+ shellcode
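As an added defensive check (my code, not from the post or the VM): a payload laid out like the one above only works when the SUID binary's stack is executable and the environment sits at a predictable address, so auditing root-owned SUID files for the NX and PIE flags in their ELF headers tells you whether that class of payload is even possible on a box. The ELF sample below is constructed and not loadable; the function names are mine.

```python
import os
import stat
import struct

PT_GNU_STACK = 0x6474E551  # program header that tells the loader whether the stack may be executable
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3


def elf_hardening(data: bytes) -> dict:
    """Report PIE and NX-stack status of a 64-bit little-endian ELF image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # No PT_GNU_STACK at all is treated as "executable": on x86 Linux that is the loader's default.
    nx_stack = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}


def find_suid_root(top: str):
    """Yield regular files under `top` that are root-owned and carry the SUID bit, like msg_root."""
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                yield path


def make_sample_elf(exec_stack: bool, pie: bool) -> bytes:
    """Constructed sample: a minimal ELF64 header plus one PT_GNU_STACK entry (not loadable)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               64, 0, 0, 64, 56, 1, 64, 0, 0)
    flags = 0x6 | (PF_X if exec_stack else 0)  # PF_R | PF_W, optionally PF_X
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr
```

On a real box, feed each path from `find_suid_root("/")` through `open(path, "rb").read()` into `elf_hardening()`; a result of `{"pie": False, "nx_stack": False}` is the combination that leaves a fixed-address, executable-stack payload feasible.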


Where is our envSH:

Still not good, so I decided to add some NOPs before our ESH payload:

Checking in gdb again:

Ok, we've got a shell, but where is the new priv? ;|

The point here was to run our exploit code outside gdb ;)



Nice trick ;] So it seems that we need to do something more here.

Nice ;]

Now, as you probably remember ;] you will find some hints on the menu. Below we will try to reconfigure the old version of the code:

Now after a while we should be somewhere here:


What's inside puck's directory?

Hm.. is it time to root now?

Ok, we can do a nice python trick I found online (thanks!), check it out:

Ok, so we are finally the 'puck' user. Next, checking puck's directory:

Ok, a non-empty .bash_history, checking:

Ok. Now it's time to get that "root" access. Let's copy the ssh-files to the old backup location (and back up the old .ssh files to the new place ;]). It should work like this:

So we are now ready to get the final words:

Let's check the flag.txt file again:


I must admit that this is one of my favourite CTFs so far. Big thanks go to superkojiman (the author) as well as to the VulnHub team for hosting such great CTF(s).

Once again big thanks for preparing this CTF VM.

In case of any comments/questions/feedback - you know how to find me.

