VulnHub Machines Walkthrough Series: Brainpan – Part 2

In this article, we’ll be carrying on with our walkthrough of an interesting VulnHub machine called Brainpan. In Part 1 of this article, we looked into how we got the user-level reverse shell from this machine. In this part, we will see two different methods of escalating to root.

Note: For all these machines, I have used VMware Workstation to provision VMs. A Kali Linux VM will be my attacking box. Also, the techniques used are solely for educational purposes. I am not responsible if the listed techniques are used against any other targets.

Let’s begin the process with the shell we obtained in Part 1.

Method 1

1. Below, we can see the shell obtained in Part 1. The shell is currently running as user puck.

<<nc -nlvp 1234>>

2. Another important thing to do is to escape out of the jail shell.

3. As in the previous articles in this series, one of the first commands that I execute is sudo -l. (Another useful check is to look for binaries with the SUID bit set.)

4. Below is the output from the sudo -l command. We can see that the user puck can run the binary /home/anansi/bin/anansi_util as root.

<<id>>
<<python -c 'import pty;pty.spawn("/bin/sh")'>>
<<sudo -l>>

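5. Below, we have run the abovementioned anansi_util, which accepts several parameters. An interesting one is manual [command]. We passed a sample command, “file”, to it and, once the manual page was displayed, typed !/bin/bash. Because anansi_util was started as root through sudo, the shell it spawns is a root shell, and we have escalated to root.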

<<sudo /home/anansi/bin/anansi_util manual file>>
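Seen from the defender's side, the finding in steps 4 and 5 is a sudo rule that an audit should have caught. The following is an added example, not code from the original article: it parses `sudo -l` output and flags rules like the one above. The sample output is constructed (only the user name and the anansi_util path come from the article; the NOPASSWD and NOEXEC tags, the second rule and the `USER_DIRS` policy are assumptions).

```python
import re

# Constructed sample of `sudo -l` output. Only the user name and the
# anansi_util path come from the article; everything else is assumed.
SAMPLE = """\
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
    (root) NOEXEC: /usr/bin/systemctl status ssh
"""

# "(runas) TAG: TAG: command[, command...]" as printed by `sudo -l`
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*"
                   r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")
# Locations an unprivileged account usually controls (assumed policy).
USER_DIRS = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def parse_sudo_l(text):
    """Yield (runas, tags, command) for every rule in `sudo -l` output."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(", "):
            yield m.group("runas"), tags, cmd.strip()

def audit(text):
    """Return (runas, command, reasons) for rules that deserve review."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary, reasons = cmd.split()[0], []
        if binary == "ALL":
            reasons.append("unrestricted command set")
        if binary.startswith(USER_DIRS):
            reasons.append("binary outside root-owned system paths")
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if "NOEXEC" not in tags:
            reasons.append("child processes allowed (pager or shell escape)")
        if reasons:
            findings.append((runas, cmd, reasons))
    return findings

if __name__ == "__main__":
    for runas, cmd, reasons in audit(SAMPLE):
        print(f"[{runas}] {cmd}: " + "; ".join(reasons))
```

The missing-NOEXEC check is deliberately broad and will flag most ordinary rules, so treat it as a prompt to review what the permitted program can launch rather than as a verdict.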

Method 2

1. There is another binary on the system named validate, as shown below. Notice that this binary is owned by user anansi, so we will almost get the shell under anansi. But we know from Method

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Security Ninja. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/mHTMPMUEnvo/