Sunday, September 2, 2018



- Layout for this exercise:


- The goal of this exercise is the study of the hacking process for the vulnerable machine Brainpan 1.

- Brainpan 1 can be downloaded from here:,51/

- Once downloaded and imported with VMWare:


- netdiscover helps us to discover that Brainpan's IP is

- Nmap finds two open ports: 9999/tcp and 10000/tcp:

- Connecting with the browser to port 10000:

- dirb scans the web server and finds the folder /bin:

- Connecting to /bin with the browser there is an executable called brainpan.exe:

- Downloading brainpan.exe to Kali:

- Let's notice that it is a Windows executable file:

- Searching for strings inside brainpan.exe there are some functions prone to suffer from Buffer Overflow attacks:



- Connecting with the browser to the other open port 9999:

- Let's connect again to port 9999, now with netcat. Entering a random password, access is denied:



- In order to analyze the executable brainpan.exe in depth, let's move the file to a Windows environment, such as a Windows 10 machine:

3.1.1 - Finding the password

- Opening and running brainpan.exe with Immunity Debugger, it is pretty obvious that the string shitstorm is compared with another string using the function strcmp:

- This leads us to guess that shitstorm can be the password to enter the application:

- Our guess was correct: access is now granted.

3.1.2 - Buffer overflow 

- As we discovered at the Enumeration step, brainpan.exe contains some strings, like strcpy, that are prone to Buffer Overflow exploitation.

- First of all, let's create a Python script to cast a long list of "A"s over brainpan.exe:

- Giving execution permissions to

- Opening and running brainpan.exe with Immunity Debugger:

- Launching the exploit over the Windows 10 machine:

- The EIP and the stack are overwritten with "A"s:

- Creating a pattern with length 1000 and inserting it into the exploit:

- Restarting brainpan.exe with Immunity Debugger and launching the exploit:

- The EIP is overwritten with 35724134:

- Finding an offset of 524 for 35724134:

- Now, let's redo the script in this way:

- Restarting brainpan.exe with Immunity Debugger and launching the last version of the exploit:

- The result is that the EIP is overwritten with BBBB, as expected:

- Looking for a command JMP ESP, we find it at the address 311712F3:

- The address 311712F3 should replace the string BBBB at the point where the EIP is overwritten, entered in Little Endian format: \xF3\x12\x17\x31
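To make the two numbers above reproducible, here is a small added Python example (not one of the post's own scripts) that builds the same kind of cyclic pattern the post sends, looks up where the debugger's EIP value 35724134 lands in it (the offset of 524), and shows why a 32-bit address such as 311712F3 has to be byte-reversed before being placed in the buffer. The function names cyclic_pattern, pattern_offset and pack_address are my own; the pattern scheme is the standard "Aa0Aa1..." one, whose every 4-byte window is unique within the first 20280 bytes, which is exactly what makes the lookup unambiguous.

```python
import struct
from string import ascii_lowercase, ascii_uppercase, digits


def cyclic_pattern(length: int) -> bytes:
    """Build the classic 'Aa0Aa1Aa2...' pattern, truncated to `length` bytes.

    Triples are <uppercase><lowercase><digit>, so each 4-byte window is unique
    for the first 26*26*10*3 = 20280 bytes; a length of 1000 is well inside that.
    """
    out = bytearray()
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_hex: str, length: int = 1000) -> int:
    """Return the offset in the pattern of the 4 bytes that ended up in EIP.

    `eip_hex` is the value as the debugger prints it (e.g. '35724134'). x86 is
    little-endian, so the register shows the four bytes in reverse memory order;
    packing the integer with '<I' restores the order they had in the buffer.
    """
    value = int(eip_hex, 16)
    needle = struct.pack("<I", value)  # 0x35724134 -> b'4Ar5'
    idx = cyclic_pattern(length).find(needle)
    if idx < 0:
        raise ValueError(f"EIP value {eip_hex} not found in a {length}-byte pattern")
    return idx


def pack_address(addr: int) -> bytes:
    """Encode a 32-bit address in little-endian byte order.

    This is why the post writes 311712F3 as \\xF3\\x12\\x17\\x31.
    """
    return struct.pack("<I", addr)


if __name__ == "__main__":
    print(cyclic_pattern(12))                 # b'Aa0Aa1Aa2Aa3'
    print(pattern_offset("35724134"))         # 524
    print(pack_address(0x311712F3))           # b'\xf3\x12\x17\x31'
```

Why the arithmetic works out to 524: the bytes in EIP, read back in memory order, are "4Ar5", i.e. the last character of the triple "Ar4" followed by "Ar5". "Ar4" is triple number 0*260 + 17*10 + 4 = 174 (A is the 0th uppercase letter, r the 17th lowercase one), so it starts at byte 174*3 = 522 and its '4' sits at 524.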

- Creating a shellcode to achieve a reverse shell at Windows 10 machine on port 4444:

- Also, after the JMP ESP command a bunch of NOP instructions must be used to make the execution of the shellcode easier.

- Joining everything in the script:

- Setting a listening session with Netcat:

- Launching the exploit for last time:

- The exploit is successful and we have at Kali a remote shell from Windows 10:

- Output from Immunity Debugger:


- Now, let's replace the former Windows shellcode with another one for Linux:

- Inserting the shellcode for Linux into a new exploiting script (just changing the shellcode):

- Giving execution permissions:

- Setting a listening session with netcat on port 5555:

- Launching the exploit against Brainpan:

- The exploit is successful: a low-privilege shell is obtained:

- Improving the shellcode:


- So far we have a limited shell:

- Checking user puck's sudoer permissions, we discover that he is able to run the command anansi_util as root without a password:

- Let's run it:

- There are 3 options; the most interesting seems to be manual [command], which invites us to enter a command. Let's try, for instance, pwd:

- The result is the man page for the command pwd:

- However, because the command has been executed as root, and remembering that man allows additional inline commands to be executed by prefixing them with !, let's try !/bin/sh:

- Great, eventually we have a root shell:

- The purpose of executing inline commands from man with ! is just to test those commands without exiting the man page. 

- In our case it has been of great help for achieving a quick and easy Privilege Escalation, because man was executed with root privileges.

5 - CAPTURING THE FLAG

- We find the flag by reading b.txt: