Brainpan 1 is a room perfect for stack-based buffer overflow prep for OSCP. If you are new to buffer overflows, complete the "Buffer Overflow Prep" room on TryHackMe by Tib3rius first and refer to his walkthrough video as well.
NOTE: This writeup was made as part of my note-keeping and I will only cover the privilege escalation part. For the initial buffer overflow process, refer to my previous article, in which I explain it step by step.
Buffer Overflow Prep for OSCP-TryHackMe
Run the final exploit, and we finally get a shell. In this case, our payload is linux/x86/shell_reverse_tcp, since the target machine is actually Linux even though the vulnerable binary is a Windows executable.
We got a low-privileged shell... But first, we need to stabilize the shell and make it interactive.
Now that that's done, we can upload LinEnum.sh and look for a way to escalate our privs.
We find something interesting in the results. The same can be found by running the sudo -l command, which shows what we can run as sudo.
This means we can run /home/anansi/bin/anansi_util as sudo without any password. Using that command gives us this output:
After some experimenting, we figure out that “manual” brings up a man page for a command. According to gtfobins.github.io/gtfobins/man , man combined with sudo spawns a shell that maintains elevated privileges. We enter a man page, then exit with !/bin/sh and we’re root!
Alternatively, we can open the manual for the cat command (bash or vim also work):
sudo /home/anansi/bin/anansi_util manual cat
Running the command opens up the manual. Now, if we enter the following inside the man page, we should break out into a root shell:
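The root cause here is a sudo rule that hands out a program able to spawn a shell, wrapped in a helper so it does not look like one. The following audit script is an added example written for this writeup from the defender's side; it is not part of the Brainpan room or the original article. It parses sudoers-style rules, flags commands that GTFOBins documents as shell-capable, and looks inside wrapper scripts for calls to such programs. The sudoers text and the wrapper source are constructed stand-ins (the real anansi_util binary is not reproduced), and the NOEXEC rule is there to show how the tag shows up in the output, not as a claim about the room's configuration.

```python
"""Audit sudoers rules for commands that can be turned into a root shell.

Added example, not from the Brainpan room or the original writeup. The sudoers
text and wrapper-script source below are constructed to mirror the pattern the
writeup describes: a NOPASSWD rule on a helper that ends up calling man(1).
"""
import re
from pathlib import Path

# Programs GTFOBins documents as able to spawn a shell when run under sudo.
# Illustrative, not exhaustive.
SHELL_ESCAPE_CAPABLE = {
    "man", "vim", "vi", "less", "more", "nano", "find", "awk",
    "python", "python3", "perl", "bash", "sh", "env",
}

# user  host = (runas) TAG: cmd1, cmd2   (simplified sudoers rule grammar)
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per (user, command) pair found in sudoers-style text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(","):
            rules.append({
                "who": m["who"],
                "runas": (m["runas"] or "root").strip(),
                "command": cmd.strip(),
                "nopasswd": "NOPASSWD" in tags,
                "noexec": "NOEXEC" in tags,  # sudo blocks child exec for dynamic binaries
            })
    return rules


def programs_called(script_source):
    """Basenames of programs a shell wrapper references (shebang/comments dropped)."""
    names = set()
    for line in script_source.splitlines():
        line = line.split("#", 1)[0]
        for tok in re.findall(r"[\w./-]+", line):
            names.add(Path(tok).name)
    return names


def audit(rules, script_sources):
    """Flag non-root rules granting a shell-capable program, directly or via a wrapper."""
    findings = []
    for r in rules:
        if r["who"] == "root":
            continue
        cmd = r["command"]
        if cmd == "ALL":
            findings.append({**r, "reason": "unrestricted command"})
            continue
        exe = cmd.split()[0]
        name = Path(exe).name
        if name in SHELL_ESCAPE_CAPABLE:
            findings.append({**r, "reason": f"{name} can spawn a shell"})
            continue
        inside = programs_called(script_sources.get(exe, "")) & SHELL_ESCAPE_CAPABLE
        if inside:
            findings.append({**r, "reason": f"wrapper calls {', '.join(sorted(inside))}"})
    return findings


# Constructed sudoers sample: the weak rule from the writeup and a NOEXEC variant.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
# Weak: helper wraps man(1), which can escape to a shell, and asks for no password
anansi  ALL=(ALL) NOPASSWD: /home/anansi/bin/anansi_util
# NOEXEC stops man from exec'ing a pager or shell (dynamically linked binaries only)
anansi  ALL=(ALL) NOEXEC: /home/anansi/bin/anansi_util
"""

# Constructed stand-in for the helper; the real binary is not reproduced here.
SAMPLE_WRAPPERS = {
    "/home/anansi/bin/anansi_util": """\
#!/bin/sh
case "$1" in
  manual) shift; /usr/bin/man "$@" ;;
  *) echo "usage: anansi_util manual <command>" ;;
esac
""",
}


def run_sample():
    """Audit the constructed sample; returns the findings list."""
    return audit(parse_sudoers(SAMPLE_SUDOERS), SAMPLE_WRAPPERS)


if __name__ == "__main__":
    for f in run_sample():
        tag = "NOPASSWD " if f["nopasswd"] else ("NOEXEC " if f["noexec"] else "")
        print(f"{f['who']:8} {tag}{f['command']}: {f['reason']}")
```

Run against a real host, the same logic would read /etc/sudoers and /etc/sudoers.d/* and the wrapper scripts they name; the fix for a finding like the one above is to stop exposing a pager or editor through sudo at all, and the NOEXEC tag is only a partial backstop, since it cannot stop a statically linked binary from forking a shell.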
For practice, try out other rooms on TryHackMe like Brainstorm, Buffer Overflow Prep, Brainpan 1 and Gatekeeper. There are also executables vulnerable to buffer overflows, such as Vulnserver, WarFTP and SLMail, which you can download and use for further practice. - ZEUS