Vulnhub virtual machine: a "how bad do you want OSCP" box. Let's begin with this: it is not for the faint of heart. Enumeration, multiple pivots, reverse engineering and a buffer overflow, all wrapped into one VM. This box will teach you something new, guaranteed. Grab a drink, you’re going to need one.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Vulnhub Link: https://www.vulnhub.com/entry/pinkys-palace-v2,229/ File: Pinkys-Palace2.zip (Size: 1.1 GB)
Only use with VMware
Discover VM on network:
Pinky’s VM shows IP address as well.
UDP Scan with unicorn:
Based on the enumeration, this looks to be a WordPress site, which could lead to a wpscan.
no robots.txt to look at
Change host name in
Navigating to web-server:
wfuzz - directory scan
/secret and discovered bambam.txt
This could allude to port knocking of some sort…
Port Knocking Script:
Next we need to create the permutation list, which will contain the port numbers in every order. To do this, a Python script will be used to iterate over the port numbers.
launch the knock.sh script with the target ip as an argument.
7654 running a web server and navigate to said server.
Before we attempt to hydra this login page, we need to create a wordlist. To do so we can use cewl, and john to sift through that list for duplicates.
creating word list from http://pinkydb
next use john
now we have a wordlist.txt that we can use with hydra
create usernames from our wpscan username enumeration
Hydra login page - w/
Discovered the following credentials:
Login webserver -
download the ssh key locally and cat the file:
connecting to ssh server with private key - [email protected]
The key is password-encrypted, and we need to perform some decryption before we can use it.
id_rsa with ssh2john. (For some reason my current version of ssh2john was not functioning, but I did find a Python version of the binary that functions the same off GitHub.)
error I was seeing:
run the conversion of private key to something we can use to crack:
great, now just append it to a file with
python ssh2john.py id_rsa > id_rsajohn
Crack converted private SSH key with
Bingo, bango we have the password for
based off the php - there looks to be LFI.
we can also send a reverse shell from this inclusion to gain access to the box.
SSH as Stefano
we are now
well, the low-hanging fruit has been removed.
qsub has a sticky bit which will allow us to run root commands. The binary has a message that i was left to communicate with Pinky. Just running the program it seems to ask for a password.
Let's attempt to crash the program with an excessive amount of “A”s
“Bad hacker! Go away” - I think not!
gdb is not local…
with continued enumeration, a quick check of the variable $TERM yielded “screen”
re-attempted the application with “screen” as the password.
A new message appears stating “Welcome to the Question Submit”. Might be the password might not be, but something changed.
Attempt a reverse shell injection
and we have a call back!
we are now the user pinky!
Spawn proper shell with python:
Investigate pinky home directory:
qsub were being sent to
Since there is no sudo we can have a look at what pinky is able to touch with
a lot of “permission denied” and nothing of use.
backup.sh discovered that we are able to take a look at.
investigating the bash file
Unfortunately we cannot open it, which is confusing because we are a part of the pinky group. But remember: after we upgraded through a SUID sticky bit, the group list was never updated.
updating the grouplist
the gid has now successfully updated.
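The group-permission surprise above, modelled as an added C example (not from the original walkthrough): a SUID binary changes only the effective UID, so the spawned shell keeps its old GID and supplementary groups. The numeric IDs, the file owner and the mode 0770 are constructed for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials the kernel consults for a file permission check. */
struct cred {
    uid_t euid;
    gid_t egid;
    const gid_t *groups;   /* supplementary groups */
    int ngroups;
};

/* Return the rwx bits (0-7) that apply. Exactly one class is chosen:
 * owner first, then group, then other (root/capability bypass ignored). */
unsigned perm_bits(const struct cred *c, uid_t f_uid, gid_t f_gid, mode_t mode) {
    int i;
    if (c->euid == f_uid)
        return (mode >> 6) & 7;
    if (c->egid == f_gid)
        return (mode >> 3) & 7;
    for (i = 0; i < c->ngroups; i++)
        if (c->groups[i] == f_gid)
            return (mode >> 3) & 7;
    return mode & 7;
}

/* Same check against the calling process's real credentials. */
unsigned my_perm_bits(uid_t f_uid, gid_t f_gid, mode_t mode) {
    gid_t g[256];
    int n = getgroups(256, g);
    struct cred me = { geteuid(), getegid(), g, n < 0 ? 0 : n };
    return perm_bits(&me, f_uid, f_gid, mode);
}

int main(void) {
    /* Constructed IDs: 1000 = pinky, 1002 = stefano, 1001 = file owner. */
    const gid_t old_groups[] = { 1002 };
    struct cred suid_shell = { 1000, 1002, old_groups, 1 }; /* only euid changed */
    struct cred after_fix  = { 1000, 1000, old_groups, 1 }; /* gid is now pinky */
    printf("before: %u  after: %u\n",
           perm_bits(&suid_shell, 1001, 1000, 0770),
           perm_bits(&after_fix, 1001, 1000, 0770));
    return 0;
}
```

When auditing SUID binaries, compare the uid, gid and groups fields of `id` output from a shell they spawn: a mismatch like this one shows which group-owned files become reachable once the group is switched.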
The file is executable and will execute at the group level so if we modify it to include another reverse shell we could achieve access of user.
Creating reverse shell via appending backup.sh - new listener setup on 5555
backup.sh has been overridden! - we now wait till the cronjob is executed.
Reverse connection received:
we are now operating as user
upgrade shell again with python:
Investigate the home directory:
Nothing of immediate usefulness. Begin enumerating again with the find command.
/daemon/panel worth investigating.
panel seems to be a binary with execute
panel I received a
this repeated over and over as if it's trying to connect to a port. Thinking back, our open port 31337 might have something to do with this. With no actual way to disassemble the binary remotely, we need to send the file locally.
Base64 encode file before sending to local:
Send file from Remote to Local: Local Kali:
Create SSH Foothold:
Add ssh key to box just to make sure we have an easy return if anything.
add ssh-rsa to /home/demon/.ssh/authorized_keys && chmod 600
panel locally and check netstat
we indeed have panel executing a command to port 31337.
connect to local port with nc:
Buffer Overflow - gdb peda
installing gdb-peda: this is going to allow us to create patterns and offsets within gdb, along with some functionality to create shellcode. GitHub link: https://github.com/longld/peda
Launching gdb-peda against
run binary with
connect to port 31337 with nc
create A’s x200 with python
send 200 “A”s to binary through the
as expected we get a SIGSEGV
we know this program has a handlecmd function, which is part of our vulnerability and what we will need in order to take over our registers; we can search for it and print a few lines of the function
print 50 lines of the function:
Catching/Understanding the crash:
set a breakpoint at
run binary again with
nc and send “A”s to hit breakpoint on ret
we experience a crash due to the fact that RBP and RSP have been filled with “A”s and the ret of the program will send us directly into the RSP.
si to see the function push us to the RSP which creates a loop.
Next, we need to create a pattern
Re-attempt sending the binary on port 31337 except with our created pattern.
-close gdb with
-kill handle process x2 && run gdb
run binary with
connect to port 31337 with nc:
send created pattern string:
gdb - binary crashes with our pattern filling the registers
Finding the location of the RSP with pattern_offset location:
(note: don’t add the \n)
at this point we know that at 120 bytes we overwrite the RSP (stack pointer)
Create Skeleton Buffer Overflow Exploit: requires pwntools; to install:
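Why a fixed-size stack buffer produces a fixed offset like the 120 bytes measured above, as an added C illustration (not the panel binary's source, which the walkthrough does not show). The 112-byte buffer and the names handlecmd_unsafe, handlecmd_checked and bytes_past_buffer are assumptions, with 112 chosen so that the buffer plus the 8-byte saved RBP equals 120.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF 112  /* assumed size: 112-byte buffer + 8-byte saved RBP = 120 */

/* Unsafe pattern (assumed shape of the bug): strcpy() stops only at a NUL,
 * so input of CMD_BUF bytes or more runs past buf into the saved RBP and
 * then the saved return address. Shown for contrast; never called here. */
size_t handlecmd_unsafe(const char *cmd) {
    char buf[CMD_BUF];
    strcpy(buf, cmd);
    return strlen(buf);
}

/* Hardened form: the caller passes the received byte count, and anything
 * that does not fit together with its terminating NUL is rejected. */
int handlecmd_checked(const char *cmd, size_t len, char *out, size_t outsz) {
    if (cmd == NULL || out == NULL || outsz == 0)
        return -1;
    if (len >= outsz)
        return -1;               /* would overflow: drop, do not truncate */
    memcpy(out, cmd, len);
    out[len] = '\0';
    return 0;
}

/* Bytes an unchecked copy of len bytes plus NUL would write beyond buf. */
size_t bytes_past_buffer(size_t len) {
    return (len + 1 > CMD_BUF) ? len + 1 - CMD_BUF : 0;
}

int main(void) {
    char input[200], buf[CMD_BUF];
    memset(input, 'A', sizeof input);   /* constructed input: 200 "A"s */
    printf("200 bytes: checked=%d, unchecked overrun=%zu\n",
           handlecmd_checked(input, sizeof input, buf, sizeof buf),
           bytes_past_buffer(sizeof input));
    printf("111 bytes: checked=%d\n",
           handlecmd_checked(input, 111, buf, sizeof buf));
    return 0;
}
```

The length check is the fix; stack protectors and a non-executable stack are a second layer that limits what a missed check can be turned into.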
create exploit.py with editor of choice
q gdb && pkill panel && re-launch gdb &&
r to run the binary
panel binary crashes and we now have control of the RSP, which is the location where we are going to insert our shellcode.
check for a
jmpcall to see if there is a
call rsp visualization:
Next, replace our exploit “BBBB0000” with the address to call rsp “0x400cfb”
we now need shellcode; in our case we have 120 bytes to use:
Create shellcode with msfvenom:
-types of x64 reverse shells with
syntax to create shellcode:
we have exactly 120 bytes of space to use and our shellcode we generated is 119 bytes.
adding + modifying exploit.py
Re-exploiting our binary by closing, restarting the process and sending our new exploit.
additional: if you require super small shellcode within 77 and 84 bytes, that can be achieved with the zerosum0x0 script.
script located at github: https://github.com/zerosum0x0/SLAE64/blob/master/reverseshell/reverseshell.asm
download github repository usage: edit the reverseshell.asm and localip hex address in little endian format
navigate to reverseshell -
and now we have 75 bytes of working shellcode!
Re-run gdb panel + execute our newly modified exploit.py with an active listener on 4444.
a callback is made as
Final Stretch - attacking our binary on the remote box: change the “ip” on our script to “pinkydb”
Execute local kali:
upgrade our shell && loot
and in the end the rollercoaster of emotions has ended with a victory!
also, if you made it this far. I’m proud to say I am the new owner of rootandloot.com! have any ideas for the site? drop them in the comments or find me on twitter @executeatwill
“bring me the root” -Exec