I’m starting my series on Vulnserver soon, so I wanted to give a brief introduction to it.
Vulnserver – Introduction
First of all, I know this post came out a little late. That said, I’ve been quite busy, plus I was celebrating my upgrade to level 30!
If you’ve followed my Twitter, or read that earlier post, then you know I’ve been working on the OSCE. My lab time is now over, and I’ve got my exam on 10 January!
That said, I’m hoping to go through at least some of the vulnserver challenges before the exam. This should give me some more practice, as well as actual exploits to blog about.
For more information, or to download the binary, visit the original post by Stephen Bradshaw.
You can also download the code from his GitHub repository.
If you want to check out more write-ups or tutorials in the meantime, definitely check out some of these.
Interacting with Vulnserver
Once you download the binary, you can run it by double-clicking on it. This will open up a command window displaying the current status. Note that it runs on port 9999 by default, but you can always change this if you want.
To interact with the “server”, you can just connect to the socket using a script or netcat. After connecting, you can send commands as plain text and interact with each individual “method”.
C:\netcat>nc.exe 127.0.0.1 9999
Welcome to Vulnerable Server! Enter HELP for help.
HELP
Valid Commands:
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT
EXIT
GOODBYE
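The same exchange done from a script rather than netcat, as an added example that is not part of the original post or of Stephen Bradshaw's project. The client connects, reads the greeting, sends one command, and parses the HELP reply into a command table. So that it runs without the Windows binary, a small stand-in server is started in a thread; its greeting and HELP text are copied from the transcript above, and its replies to other commands are constructed assumptions, not guaranteed to match the real Vulnserver.

```python
import socket
import threading

# Constructed stand-in for Vulnserver's greeting and HELP reply, taken from the
# netcat transcript in the post, so the client can be exercised offline.
BANNER = b"Welcome to Vulnerable Server! Enter HELP for help.\n"
HELP_REPLY = (
    b"Valid Commands:\n"
    b"HELP\n"
    b"STATS [stat_value]\n"
    b"RTIME [rtime_value]\n"
    b"LTIME [ltime_value]\n"
    b"SRUN [srun_value]\n"
    b"TRUN [trun_value]\n"
    b"GMON [gmon_value]\n"
    b"GDOG [gdog_value]\n"
    b"KSTET [kstet_value]\n"
    b"GTER [gter_value]\n"
    b"HTER [hter_value]\n"
    b"LTER [lter_value]\n"
    b"KSTAN [lstan_value]\n"
    b"EXIT\n"
)


def start_mock_server(port=0):
    """Start a constructed, single-connection stand-in for Vulnserver on 127.0.0.1.

    Returns the bound port. Port 0 lets the OS pick a free one; the real binary
    listens on 9999 by default. Replies to commands other than HELP/EXIT are an
    assumption made for this mock.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(BANNER)
            buf = b""
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                buf += data
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    cmd = line.strip().split(b" ", 1)[0].upper()
                    if cmd == b"HELP":
                        conn.sendall(HELP_REPLY)
                    elif cmd == b"EXIT":
                        conn.sendall(b"GOODBYE\n")
                        srv.close()
                        return
                    else:
                        conn.sendall(b"UNKNOWN COMMAND\n")  # assumed reply
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def recv_until_idle(sock, timeout=0.5):
    """Read everything the server sends until it pauses for `timeout` seconds."""
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except socket.timeout:
        pass
    return b"".join(chunks)


def send_command(host, port, command):
    """Connect, read the greeting, send one command, then EXIT cleanly.

    Returns (greeting, reply) as text. Each line sent is newline-terminated,
    matching what netcat sends when you press Enter.
    """
    with socket.create_connection((host, port), timeout=5) as s:
        greeting = recv_until_idle(s).decode(errors="replace")
        s.sendall(command.encode() + b"\n")
        reply = recv_until_idle(s).decode(errors="replace")
        s.sendall(b"EXIT\n")
    return greeting, reply


def parse_help(reply):
    """Turn the HELP text into {command: argument placeholder or None}."""
    commands = {}
    for line in reply.splitlines():
        line = line.strip()
        if not line or line.startswith("Valid Commands"):
            continue
        parts = line.split(None, 1)
        commands[parts[0]] = parts[1] if len(parts) > 1 else None
    return commands


if __name__ == "__main__":
    port = start_mock_server()
    greeting, reply = send_command("127.0.0.1", port, "HELP")
    print(greeting.strip())
    for name, arg in parse_help(reply).items():
        print(f"{name:6} {arg or ''}")
```

To talk to the real binary instead of the mock, drop the `start_mock_server()` call and pass the host it runs on with port 9999 (or whatever you changed it to). The idle-based read is used because the server does not frame its replies or send a prompt, so there is no delimiter to read up to.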
I won’t go too in-depth in this post, but each of the methods in the binary is vulnerable and exploitable.
For example, here is a quick screenshot of my interaction with the TRUN method.
As you can see, I have full control over EIP with my string of “A”s.
In this case, I’m sure it would be a fairly standard jump to my shellcode to obtain execution.
Vulnserver – Conclusion
I’m hoping to knock out most of the methods and exploits between now and my OSCE exam. That said, if I don’t, then I’ll likely finish it up over time.
If you have any specific methods or techniques that you’d like me to try, then please let me know!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.