Vulnhub virtual machine: how bad do you want that OSCP box? Let's begin by saying this is not for the faint of heart. Enumeration, multiple pivots, reverse engineering and a buffer overflow, all wrapped into one VM. This box is guaranteed to teach you something new; grab a drink, you're going to need one.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Vulnhub Link: https://www.vulnhub.com/entry/pinkys-palace-v2,229/ File: Pinkys-Palace2.zip (Size: 1.1 GB)
Only use with VMware
Discover VM on network:
Pinky’s VM shows its IP address as well.
Target: 192.168.213.129
Enumeration
Nmap Scan
UDP scan with unicornscan:
The enumeration points to what appears to be a WordPress site, which makes wpscan the natural next step.
Download robots.txt
No robots.txt to look at.
Change host name in /etc/hosts
Navigating to web-server:
wpscan
wfuzz - directory scan
Navigating to /secret reveals bambam.txt.
cat bambam.txt
This could allude to port knocking of some sort…
Port Knocking Script:
Next we need to create the permutation list, which contains every ordering of the port numbers. A Python script will be used to generate the permutations.
Launch the knock.sh script with the target IP as an argument.
Port 7654 is now open and running a web server; navigate to it.
Click through to login.php.
Before we attempt to hydra this login page we need a wordlist. We can use cewl to build one from the site and john to sift the duplicates out of it.
Creating a wordlist from http://pinkydb:
Next, use john:
Now we have a wordlist.txt that we can use with hydra.
Create the usernames file from our wpscan username enumeration.
Hydra login page - w/ wordlist.txt
…
Discovered the following credentials:
Login webserver - pinky:Passione
Exploring Links:
Download the SSH key locally and cat the file:
Connecting to the SSH server with the private key - stefano@pinkydb
The key is passphrase-protected, so we need to crack the passphrase before we can use it.
Cracking the id_rsa with ssh2john. (For some reason my current version of ssh2john was not functioning, but I did find a Python version of the binary on GitHub that works the same way.
Link: https://github.com/koboi137/john/blob/master/ssh2john.py
The error I was seeing:
Run the conversion of the private key into a format john can crack:
Great, now just write it to a file with python ssh2john.py id_rsa > id_rsajohn
Crack the converted private SSH key with john:
Bingo, bango, we have the passphrase for Stefano: secretz101
Notes:
LFI Test
Based on the PHP, there looks to be an LFI.
Output:
We could also use this inclusion to obtain a reverse shell on the box.
SSH as Stefano
We are now *stefano*.
Permissions check:
Well, the low-hanging fruit has been removed.
Priv-esc
Looking around ~/, qsub has the SUID bit set, which will allow us to run commands with elevated privileges. The binary carries a message that it was left to communicate with Pinky. Just running the program, it asks for a password.
Let’s attempt to crash the program with an excessive number of “A”s:
“Bad hacker! Go away” - I think not!
Enter gdb:
gdb is not available on the box…
With continued enumeration, a quick check of the variable $TERM yielded “screen”.
Re-attempted the application with “screen” as the password.
A new message appears stating “Welcome to the Question Submit”. It might be the password or it might not, but something changed.
Attempt a reverse shell injection:
And we have a callback! We are now the user pinky!
Spawn proper shell with python:
Investigate pinky’s home directory: messages from qsub were being written to the messages directory.
Since there is no sudo, we can have a look at what pinky is able to touch with find.
A lot of “permission denied” and nothing of use.
backup.sh is discovered, which we should be able to take a look at.
Investigating the bash file, unfortunately we cannot open it. This is confusing because we are part of the pinky group. But remember: we got here through a SUID binary, so the group list of our process was never updated.
Updating the group list:
The gid has now been successfully updated.
The file is executable and writable by the group, and it is run by a cron job, so if we modify it to include another reverse shell we could gain access as the user that runs it.
Creating a reverse shell by appending to backup.sh - new listener set up on 5555:
backup.sh has been overwritten! Now we wait until the cron job executes.
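The pivot from pinky to demon works only because a script that cron runs as one user is writable by another user's group. The following is an added example, not code from the original post: a small audit that flags cron-executed scripts (and their parent directories) writable by group or world, the misconfiguration backup.sh had. The file names and the fixture in demo() are constructed; on a real host you would feed it the paths named in /etc/crontab, /etc/cron.d and the per-user crontabs.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_cron_script(path):
    """Return the findings for one script that a cron job executes.

    A script cron runs as some user must not be writable by any other
    user or group: whoever can write it runs code as that user on the
    next tick, which is exactly the backup.sh pivot.
    """
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    # A writable parent directory (without the sticky bit) lets anyone
    # replace the file outright, even if the file itself is read-only.
    parent = os.stat(os.path.dirname(path) or ".").st_mode
    if parent & (stat.S_IWGRP | stat.S_IWOTH) and not parent & stat.S_ISVTX:
        findings.append("parent-dir-writable")
    return findings


def audit_cron_scripts(paths):
    """Map each path to its findings, keeping only paths with a finding."""
    result = {}
    for p in paths:
        f = audit_cron_script(p)
        if f:
            result[p] = f
    return result


def demo():
    """Constructed fixture mirroring the box: a group-writable backup.sh
    next to a correctly permissioned sibling. Returns the audit result."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)                       # parent dir: not writable by others
    bad = os.path.join(d, "backup.sh")       # hypothetical path, constructed here
    good = os.path.join(d, "rotate.sh")
    for p in (bad, good):
        Path(p).write_text("#!/bin/bash\ntar -czf /tmp/backup.tgz /var/www\n")
    os.chmod(bad, 0o775)   # rwxrwxr-x: the group can append a payload
    os.chmod(good, 0o755)  # rwxr-xr-x: only the owner can modify it
    return audit_cron_scripts([bad, good])
```

The fix on the box is the same check read backwards: cron scripts owned by the user that runs them, mode 0755 or tighter, in a directory that is not group- or world-writable.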
Reverse connection received:
We are now operating as user *demon*.
Upgrade the shell again with python:
Investigate the home directory: nothing of immediate usefulness. Begin enumerating again with the find command.
Both the directory /daemon and /daemon/panel are worth investigating. panel seems to be an executable binary.
After running panel, I received the following:
This repeated over and over as if it were trying to connect to a port. Thinking back, our open port 31337 might have something to do with this. With no way to disassemble the binary on the remote box, we need to transfer the file to our local machine.
Base64-encode the file before sending it to the local machine:
Send the file from remote to local. Local Kali:
Remote system:
Decode the base64 file panelb64:
Make it executable with chmod:
Create an SSH foothold: add an SSH key to the box so we have an easy way back in if anything goes wrong.
Add our ssh-rsa public key to /home/demon/.ssh/authorized_keys && chmod 600 the file.
Run panel locally and check netstat:
We can indeed see panel bound to port 31337.
Connect to the local port with nc:
Buffer Overflow - gdb peda
Installing gdb-peda. This is going to allow us to create patterns and find offsets within gdb, along with some functionality to create shellcode. GitHub link: https://github.com/longld/peda
Launching gdb-peda against ./panel:
Run the binary with r, then connect to port 31337 with nc:
Create 200 “A”s with python:
Send the 200 “A”s to the binary through nc. As expected, we get a SIGSEGV.
We know this program has a handlecmd function, which is where the vulnerability lies and where we will take over the registers, so we can search for it and print a few lines of the function.
Search for handlecmd and print 50 lines of the function:
Catching/Understanding the crash:
Set a breakpoint at 0x4009aa (the ret):
Run the binary again with r, connect with nc and send the “A”s to hit the breakpoint on ret.
gdb:
We experience a crash because RBP and RSP have been filled with “A”s, and the program’s ret will send us directly into what RSP points at. Continue with si to watch the function push us to RSP, which creates a loop.
Next, we need to create a pattern:
Re-attempt sending to the binary on port 31337, this time with our created pattern.
- close gdb with q
- kill the panel process (x2) && run gdb:
Run the binary with r and connect to port 31337 with nc:
Send the created pattern string:
gdb - the binary crashes with our pattern filling the registers.
Finding the offset to RSP with pattern_offset:
(note: don’t add the \n)
At this point we know that at 120 bytes we overwrite the RSP (stack pointer).
Create a skeleton buffer overflow exploit. Requirement: pwntools, to install:
Create exploit.py with the editor of your choice:
q to quit gdb && pkill panel && re-launch gdb && r to run the binary.
Execute exploit.py:
gdb: the panel binary crashes and we now have control of RSP, which is where we are going to place our shellcode.
Check with jmpcall to see if there is a jmp rsp or call rsp.
Visualization:
Next, replace the “BBBB0000” in our exploit with the address of call rsp, 0x400cfb.
We now need shellcode; in our case we have 120 bytes to use.
Create shellcode with msfvenom:
- list the x64 reverse shell payloads with msfvenom -l
Syntax to create the shellcode:
We have exactly 120 bytes of space to use and the shellcode we generated is 119 bytes.
Add the shellcode to exploit.py.
Re-exploit the binary by closing and restarting the process and sending our new exploit.
Additional: if you require very small shellcode, between 77 and 84 bytes, that can be achieved with zerosum0x0’s script.
https://zerosum0x0.blogspot.com/2014/12/x64-linux-reverse-tcp-connect-shellcode.html
Script located on GitHub: https://github.com/zerosum0x0/SLAE64/blob/master/reverseshell/reverseshell.asm
Download the GitHub repository. Usage: edit reverseshell.asm and set the local IP hex address in little-endian format.
Navigate to the reverseshell directory - cd reverseshell:
Output:
And now we have 75 bytes of working shellcode!
Root&Loot
Re-run panel in gdb and execute our newly modified exploit.py with an active listener on 4444.
A callback is made as root.
Final stretch - attacking the binary on the remote box: change the “ip” in our script to “pinkydb”.
Set up the listener:
Execute from local Kali:
Listener:
Upgrade our shell && loot:
And in the end, the rollercoaster of emotions has ended with a victory!
Also, if you made it this far: I’m proud to say I am the new owner of rootandloot.com! Have any ideas for the site? Drop them in the comments or find me on Twitter @executeatwill
#HAILippSec
“bring me the root” -Exec