Nmap scan report for 10.10.91.159
Host is up (0.046s latency).
Not shown: 65533 closed ports
9999/tcp open abyss?
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [________________________ WELCOME TO BRAINPAN _________________________]
|_ ENTER THE PASSWORD
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
SF-Port9999-TCP:V=7.80%I=7%D=7/18%Time=5F12C47C%P=x86_64-pc-linux-gnu%r(NU
SF:LL,298,"_\\|\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20
SF:\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20_\\|\\x20\\x20\\x20\\x20
SF:\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2
SF:0\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x
SF:20\\n_\\|_\\|_\\|\\x20\\x20\\x20\\x20_\\|\\x20\\x20_\\|_\\|\\x20\\x20\\x20\\x20_\\|_\\|_\\|
SF:\\x20\\x20\\x20\\x20\\x20\\x20_\\|_\\|_\\|\\x20\\x20\\x20\\x20_\\|_\\|_\\|\\x20\\x20\\x20\\
SF:x20\\x20\\x20_\\|_\\|_\\|\\x20\\x20_\\|_\\|_\\|\\x20\\x20\\n_\\|\\x20\\x20\\x20\\x20_\\|\\x
SF:20\\x20_\\|_\\|\\x20\\x20\\x20\\x20\\x20\\x20_\\|\\x20\\x20\\x20\\x20_\\|\\x20\\x20_\\|\\x
SF:20\\x20_\\|\\x20\\x20\\x20\\x20_\\|\\x20\\x20_\\|\\x20\\x20\\x20\\x20_\\|\\x20\\x20_\\|\\x
SF:20\\x20\\x20\\x20_\\|\\x20\\x20_\\|\\x20\\x20\\x20\\x20_\\|\\n_\\|\\x20\\x20\\x20\\x20_\\|
SF:\\x20\\x20_\\|\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20_\\|\\x20\\x20\\x20\\x20_\\|\\x20\\x
SF:20_\\|\\x20\\x20_\\|\\x20\\x20\\x20\\x20_\\|\\x20\\x20_\\|\\x20\\x20\\x20\\x20_\\|\\x20\\x
SF:20_\\|\\x20\\x20\\x20\\x20_\\|\\x20\\x20_\\|\\x20\\x20\\x20\\x20_\\|\\n_\\|_\\|_\\|\\x20\\x
SF:20\\x20\\x20_\\|\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20_\\|_\\|_\\|\\x20\\x20_
SF:\\|\\x20\\x20_\\|\\x20\\x20\\x20\\x20_\\|\\x20\\x20_\\|_\\|_\\|\\x20\\x20\\x20\\x20\\x20\\x
SF:20_\\|_\\|_\\|\\x20\\x20_\\|\\x20\\x20\\x20\\x20_\\|\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20
SF:\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2
When we connect to the 9999 via telnet we get an application called brainpan open up for us and it tells us to enter our password
I sent it 5000 A's to see if the application crashes or handles it well but lucky for us it crashes.
Now lets go to the HTTP Server using ip:10000 and we see this page which doesnt have anything intresting so lets do a gobuster and see if we find something.
gobuster dir -w=/usr/share/wordlists/dirb/common.txt -u <http://10.10.91.159:10000/>
and the first folder we find is bin
so lets traverse there and we find
sooo gg we found the binary lets export this and take it to our windows machine and exploit it and get the shell.
So now i have attached it to Immunity Debbuger and lets generate 5000 cyclic characters using msf-pattern_create and send it to this binary.