TryHackMe – Brainpan 1

This writeup is for the TryHackMe room “Brainpan 1” at https://tryhackme.com/room/brainpan. The goal for this room is to reverse engineer a Windows executable and craft a buffer overflow to gain access to the machine. There are three questions for this room with no flags to capture, so I’ll have to measure my progress by access level: none, user, and root.

Launching the machine, a quick nmap scan identifies two open ports: 9999 and 10000. Running a service scan on those two ports gives us some more details on what’s running there.

I ran a nc session to port 9999 and it looks like another text-based chat program that’s password-protected. That looks like a good candidate for a buffer overflow if we can find the executable.

Visiting the website on port 10000, it’s just a single page infographic with nothing interesting in the HTML. But we knew it wouldn’t be that simple!

With no other ports open on the machine, I knew I had to get the executable from the website somewhere. I ran gobuster to see if there were any directories, and it found the /bin directory.

And there’s the brainpan.exe file I’m looking for! Time to download the exe and get it loaded into Immunity Debugger for some fuzzing.

My fuzzer script crashed at sending 600 bytes, which means the overflow happened between 500 and 600 bytes.

I generated my cyclic pattern and used the msf Ruby script to find the offset at 524.
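To show what the Metasploit pattern_create / pattern_offset scripts are actually doing when they report an offset, here is an added Python reimplementation (not the author's fuzzer or the msf scripts themselves). It builds the same upper/lower/digit cyclic pattern, looks up the four bytes that landed in EIP, and checks that every 4-byte window in the pattern is unique so a lookup can never be ambiguous. The EIP value in the test is constructed from the generated pattern itself and is the one that resolves to the page's offset of 524.

```python
import string
import struct
from typing import Optional

# Full Metasploit-style cyclic pattern: every (upper, lower, digit) triplet in
# order, i.e. "Aa0Aa1Aa2...". 26 * 26 * 10 triplets * 3 chars = 20280 chars.
_FULL_PATTERN = "".join(
    u + l + d
    for u in string.ascii_uppercase
    for l in string.ascii_lowercase
    for d in string.digits
)


def pattern_create(length: int) -> str:
    """Return the first `length` characters of the cyclic pattern."""
    if length > len(_FULL_PATTERN):
        raise ValueError(f"pattern longer than {len(_FULL_PATTERN)} not supported")
    return _FULL_PATTERN[:length]


def pattern_offset(eip_value: int, length: int = len(_FULL_PATTERN)) -> Optional[int]:
    """Map the dword found in EIP after a crash back to its offset in the pattern.

    x86 is little-endian, so packing the register value with "<I" reproduces
    the bytes in the order they sat in the buffer (lowest address first).
    Returns None if the value did not come from the pattern.
    """
    needle = struct.pack("<I", eip_value).decode("ascii", errors="replace")
    idx = pattern_create(length).find(needle)
    return idx if idx != -1 else None


def pattern_is_unique(length: int = len(_FULL_PATTERN)) -> bool:
    """True if no 4-byte window repeats, i.e. every EIP value maps to one offset."""
    pat = pattern_create(length)
    windows = {pat[i:i + 4] for i in range(len(pat) - 3)}
    return len(windows) == len(pat) - 3


if __name__ == "__main__":
    # Constructed demo: the dword at offset 524 of the pattern, read as a
    # little-endian register value, is what a crash at that offset would show.
    sample = pattern_create(600)
    eip = struct.unpack("<I", sample[524:528].encode())[0]
    print(f"EIP=0x{eip:08x} -> offset {pattern_offset(eip)}")  # prints offset 524
```

The uniqueness check is what justifies trusting a single lookup: a 4-byte value that appeared twice in the send buffer could not tell you which copy overwrote the return address.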

A quick check for bad chars returned nothing in use by the executable:

Mona modules only showed one module in use by brainpan.exe without memory protections, and that’s the brainpan.exe itself. Searching for the JMP ESP code only returns one address to use.

Now I have everything I need to run the exploit! I used a meterpreter payload this time since I knew it was a Windows machine and wanted the extra functionality. After running the exploit, I caught a meterpreter shell on my Kali box.

Just for fun, I tried the getsystem command to see if it would work. I haven’t had much luck with getsystem in previous THM rooms but this time it actually worked and I got NT AUTHORITY\SYSTEM right away.