Vulnhub virtual machine; OSCP prep box. Enumeration pivots through a separate web server to reach the target, and a buffer overflow in a local application yields root.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.
By continuing to read, you acknowledge the aforementioned user risk/responsibilities.
Discover the VM on the network with netdiscover -r 192.168.56.0/24
Target: 192.168.56.117, verified on the VM console:
Enumeration
Onetwopunch scan:
This script offers a bit of a change from nmap and uses unicornscan.
Added the IP to targets.txt.
(started freaking out on me; will have to revisit it later and work out why.)
Nmap scan:
looks as if we have two HTTP servers operating, on ports 8080 and 31337.
Nmap scan number 2:
A more aggressive scan, which also found the SSH server.
Navigating to the first port, 8080:
source:
looks to be forbidden.
Navigating to port 31337:
an error page that looks to be some kind of application leak from squid/3.5.23.
source:
OK, the page source shows the Stylesheet for Squid Error pages, so the application on this web server is the Squid proxy.
Let's move on to impersonating a local IP (127.0.0.1) to reach port 8080, which was refusing connections.
We have just fooled the web server into thinking the request came from the internal network.
Run gobuster through the proxy on port 31337:
/littlesecrets-main directory discovered.
Added the target IP + port as a browser proxy and navigated to the directory:
we have a login page.
gobuster enumeration of files:
discovered /login.php and /logs.php.
Let's try the login page with sqlmap:
After a bit of time we are able to dump the pinky_sec_db database.
The hashes look like MD5, and a quick lookup at https://www.md5online.org/md5-decrypt.html gives us credentials.
Since it looks like we have the mange hash, let's try to SSH to the box.
SSH
sudo -l:
Search for hidden files:
looks to be an ultrasecret file and a note.txt.
cat both files:
We have an RSA key (base64-encoded), and the note confirms it is an RSA key.
Decode the RSA key:
Priv-esc
With the decoded private key we can now place it on our local box at ~/.ssh/pinkyv1, chmod it to 600, and connect to pinky over SSH with the private key.
We are now operating as pinky.
From the home directory we discover the adminhelper binary.
When executed, this binary echoes its argument back and could be vulnerable to an overflow.
testing:
attempting to crash the binary:
segmentation fault - exactly what we were hoping to see.
Buffer Overflow
This binary also has the SUID bit set, which means it runs as root when executed.
- find where the application crashes
- find the offset
- insert our shellcode to take advantage of the overflow
Location of crash: use gdb to figure out what address the application crashes at.
break main
run the application
view registers
This is a 64-bit architecture, judging by the register layout.
rip is at main.
continue running:
We have reached the segmentation fault, the application crash. Our next step is to determine the location of the frame pointer.
This means the frame pointer has been overwritten with 0x61616161616161 (0x61 is the byte value of 'a').
Next, examine the stack pointer $rsp:
meaning the “A”s ran past the stack pointer by 55 bytes.
Take the number of “A”s sent initially and subtract 55:
The remaining number, our offset, is 72.
Re-run gdb with an argv of 72 “a”s plus additional text, to make sure we fill up to $rsp and take it over:
which is 72 “a”s followed by “bcdefghi”, which should land in $rsp.
break main
run the application
continue
crash:
Disassemble main:
We are exploiting this strcpy call, which is what makes the binary vulnerable to the buffer overflow.
inspect $rbp:
here are our “A”s.
inspect $rsp:
Here are the extra bytes we overwrote $rsp with. We need to place the shellcode at this $rsp location!
A shellcode payload for x64 systems that spawns a shell via push instructions. It is provided at http://shell-storm.org/shellcode/files/shellcode-806.php, with the matching exploit-db entry at https://www.exploit-db.com/exploits/36858
shellcode:
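To show why the strcpy call found in the disassembly is the root cause, here is the unbounded-copy pattern beside a bounded version that rejects over-long input. This is an added illustration in C, not adminhelper's source; the 64-byte buffer size is an assumption (with an 8-byte saved rbp above a 64-byte buffer, the return address would sit at offset 72, consistent with the offset found above, but the real layout is unknown).

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64   /* assumed buffer size for illustration only */

/* Vulnerable pattern (what the disassembly points at): strcpy copies the
 * argument with no length check, so anything longer than the buffer runs
 * over the saved frame pointer and return address stored above it. */
void vulnerable_echo(const char *input)
{
    char buf[BUF_LEN];
    strcpy(buf, input);   /* unbounded copy: stack buffer overflow */
    puts(buf);
}

/* Hardened version: measure the input with a bound first, reject anything
 * that does not fit, then copy exactly that many bytes. Returns 0 when the
 * input was echoed and -1 when it was rejected. */
int safe_echo(const char *input)
{
    char buf[BUF_LEN];
    size_t n = 0;
    while (n < BUF_LEN && input[n] != '\0')   /* never reads past BUF_LEN */
        n++;
    if (n >= BUF_LEN) {
        fprintf(stderr, "input too long: max %d bytes\n", BUF_LEN - 1);
        return -1;
    }
    memcpy(buf, input, n);
    buf[n] = '\0';
    puts(buf);
    return 0;
}

/* Helper: feed safe_echo a constructed input of n 'A' bytes (n < 256). */
int safe_echo_with_n_bytes(size_t n)
{
    char input[256];
    if (n >= sizeof input)
        n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return safe_echo(input);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <text>\n", argv[0]);
        return 2;
    }
    return safe_echo(argv[1]) == 0 ? 0 : 1;
}
```

A helper like this should additionally be built with stack protection and never installed SUID-root, since the SUID bit is what turned this overflow into a root shell.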
Leading us to getenv.c:
This places an environment variable in the program's environment and reports where it lands; use this script to find the address of the variable.
Create a variable via export containing the shellcode above. In the end this returns the address of the shellcode.
see the variable in env:
After compiling getenv.c into an executable, we run it against the variable name:
which gives the location of our shellcode as 0x7fffffffed68.
Root
Next, we run ./adminhelper with our initial “A” padding and append the return address of our shellcode in little-endian format.
Our shellcode executes and the successful buffer overflow drops us into a root shell, thanks to the SUID bit on ./adminhelper.
Upgrading to a full shell:
Flag: /root/root.txt
Bring me the root!
-exec