I'm starting my series on Vulnserver soon, so I wanted to give a brief introduction to it.
Vulnserver - Introduction
First of all, I know this post came out a little late. That said, I've been quite busy, plus I was celebrating my upgrade to level 30!
If you've followed my Twitter, or read that earlier post, then you know I've been working on the OSCE. My lab time is now over, and I've got my exam on 10 January!
That said, I'm hoping to go through at least some of the vulnserver challenges before the exam. This should give me some more practice, as well as actual exploits to blog about.
For more information, or to download the binary, visit the original post by Stephen Bradshaw.
You can also download the code from his GitHub repository.
If you want to check out some more write-ups or tutorials in the meantime, then definitely check out some of these.
Interacting with Vulnserver
Once you download the binary, you can run it by double-clicking on it. This will open up a command window displaying the current status. Note that it runs on port 9999 by default, but you can always change this if you want.
To interact with the "server", you can just connect to the socket using a script or netcat. After connecting, you can send commands over text, and interact with each individual "method".
C:\netcat>nc.exe 127.0.0.1 9999
Welcome to Vulnerable Server! Enter HELP for help.
HELP
Valid Commands:
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT
EXIT
GOODBYE
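As an added example (not part of the original post or of Vulnserver's own code), the script below does the same thing as the netcat session: it reads the banner, sends HELP, and parses the reply into a map of commands and their arguments. It assumes the server is listening on 127.0.0.1:9999 and that the HELP reply ends with the EXIT line; the function names are illustrative.

```python
import socket

# Constructed sample: the HELP reply from the session above, one entry per line.
SAMPLE_HELP = "Valid Commands:\n" + "\n".join([
    "HELP", "STATS [stat_value]", "RTIME [rtime_value]", "LTIME [ltime_value]",
    "SRUN [srun_value]", "TRUN [trun_value]", "GMON [gmon_value]",
    "GDOG [gdog_value]", "KSTET [kstet_value]", "GTER [gter_value]",
    "HTER [hter_value]", "LTER [lter_value]", "KSTAN [lstan_value]", "EXIT",
]) + "\n"

def parse_help(text):
    """Map each command name to its argument placeholder (None if it takes none)."""
    commands = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue  # skip blank lines and the "Valid Commands:" header
        name, _, arg = line.partition(" ")
        commands[name] = arg.strip("[]") or None
    return commands

def recv_until(sock, marker, limit=4096):
    """Read until the data ends with `marker`, the peer closes, or `limit` is hit."""
    data = b""
    while not data.endswith(marker) and len(data) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", errors="replace")

def list_commands(host="127.0.0.1", port=9999, timeout=3.0):
    """Connect, read the banner, ask for HELP, then close the session with EXIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = recv_until(s, b"\n")
        s.sendall(b"HELP\n")
        reply = recv_until(s, b"EXIT\n")  # assumption: EXIT is the last help line
        s.sendall(b"EXIT\n")
    return banner.strip(), parse_help(reply)

if __name__ == "__main__":
    banner, cmds = list_commands()
    print(banner)
    for name, arg in cmds.items():
        print(f"{name:6} {arg or ''}")
```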
I won't go too in-depth in this post, but each of the methods in the binary is vulnerable and exploitable.
For example, here is a quick screenshot of my interaction with the TRUN method.
As you can see, I have full control over EIP with my string of "A"s.
In this case, I'm sure it would be a fairly standard jump to my shellcode to obtain execution.
Vulnserver - Conclusion
I'm hoping to knock out most of the methods and exploits between now and my OSCE exam. That said, if I don't, then I'll likely finish it up over time.
If you have any specific methods or techniques that you'd like me to try, then please let me know!