This Guy Hacks (thisguyhacks, http://www.blogger.com/profile/01558267097437201225)<br />
<br />
Trying Out Security Scenario Generator (SecGen)<br />
Posted 2017-08-23, updated 2018-06-20<br />
<br />
The <a href="https://www.reddit.com/r/netsec/comments/6u9l6o/random_vulnerable_vm_generator/">top post</a> on <a href="https://www.reddit.com/r/netsec/">reddit.com/r/netsec</a> this week is a pretty nifty idea: a <a href="https://github.com/cliffe/SecGen">vulnerable VM generator</a>. Since vulnerable VMs are my thing, I decided to check it out. Installation is straightforward on Ubuntu, and generating a VM is as simple as "ruby secgen.rb run".<br />
<br />
After everything is up and running, an nmap script scan shows an UnrealIRCd 3.2.8.1 server carrying the well-known <a href="https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor">backdoor</a> (CVE-2010-2075), for which a Metasploit module exists.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh24pWEQLDHBMrisaiEU17YKsYs6JLR73kr4xUALkIHnwXrHHhQrpL-HkLW5m47LT1H4Xc5gycpG2P2Pngp4qdXVlwFXpyCWs0SNto6MVHzBxH9a83kalwkXN_-CC15CVHm81ReDWibgwo/s1600/Screenshot+from+2017-08-23+23-22-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="217" data-original-width="736" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh24pWEQLDHBMrisaiEU17YKsYs6JLR73kr4xUALkIHnwXrHHhQrpL-HkLW5m47LT1H4Xc5gycpG2P2Pngp4qdXVlwFXpyCWs0SNto6MVHzBxH9a83kalwkXN_-CC15CVHm81ReDWibgwo/s640/Screenshot+from+2017-08-23+23-22-04.png" width="640" /></a></div>
<br />
I go to msfconsole, set the options appropriately and quickly have a low-privilege shell (I later upgraded it to a full Meterpreter session).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTONaQxaMLiy9peonUhmEMBagzaYr8f0cS5Dwm679MEULGSeEK8n3klUbv236IqWrdj9UVgn1WgGGlV4FGVkCt6dPVXNMTg6mLbFBJ6HbwBceda6qJn46vKuxBB3FzHjZIXiKr82RVI74/s1600/Screenshot+from+2017-08-23+23-04-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="358" data-original-width="736" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTONaQxaMLiy9peonUhmEMBagzaYr8f0cS5Dwm679MEULGSeEK8n3klUbv236IqWrdj9UVgn1WgGGlV4FGVkCt6dPVXNMTg6mLbFBJ6HbwBceda6qJn46vKuxBB3FzHjZIXiKr82RVI74/s640/Screenshot+from+2017-08-23+23-04-01.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij15ZKgX4DtHv30kPaayLVZupxY5St1sAQhPbdIoDaG7FqwDL7sfIEYd9AAbGiQ-zRAAt2wATmcJiXLuS7VraBbjYzP0V04uaEZz9GMiWk1DHnuI3PlAAzxA3qUG6zyiBP3yChQZni3Hk/s1600/Screenshot+from+2017-08-23+23-04-28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="311" data-original-width="736" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij15ZKgX4DtHv30kPaayLVZupxY5St1sAQhPbdIoDaG7FqwDL7sfIEYd9AAbGiQ-zRAAt2wATmcJiXLuS7VraBbjYzP0V04uaEZz9GMiWk1DHnuI3PlAAzxA3qUG6zyiBP3yChQZni3Hk/s640/Screenshot+from+2017-08-23+23-04-28.png" width="640" /></a></div>
<br />
After running "find / -perm -2000 -o -perm -4000" (setgid or setuid files; adding "-type f" and "2&gt;/dev/null" cuts the noise considerably) I see that nmap is setuid. It took me longer than I'd like to admit to find this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu1bokV74mmazD1UCSP-ySBXgauaejQyHui5ICZ5-BWkEMaJwQUjQKq67LQsIrBgWfIB5BdAa95dOxAy946lRIR9uQFoiAUIVZIrasTdg-si9m2G6STfnUVc9UkTAe-uUywgkHqb-9aZk/s1600/Screenshot+from+2017-08-24+00-13-57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="56" data-original-width="736" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu1bokV74mmazD1UCSP-ySBXgauaejQyHui5ICZ5-BWkEMaJwQUjQKq67LQsIrBgWfIB5BdAa95dOxAy946lRIR9uQFoiAUIVZIrasTdg-si9m2G6STfnUVc9UkTAe-uUywgkHqb-9aZk/s640/Screenshot+from+2017-08-24+00-13-57.png" width="640" /></a></div>
<br />
A Metasploit module exists to exploit this as well (exploit/unix/local/setuid_nmap, which drives nmap's old "--interactive" mode to spawn a shell that keeps the elevated privileges), so root is easy pickings.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ1aKPPuyyUW5O6LS_meNrYYc4ioNMimCZtcAb-JS_WLE9YYIbzjGUCdslespcaHySpjS1iwGfn1mcFsItzGp62KUIprdfSOUqkvSdHRAqG3GQSIRy7IHjW5M-DvwAOJ5jG6dWHwWB3eo/s1600/Screenshot+from+2017-08-24+00-17-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="343" data-original-width="736" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ1aKPPuyyUW5O6LS_meNrYYc4ioNMimCZtcAb-JS_WLE9YYIbzjGUCdslespcaHySpjS1iwGfn1mcFsItzGp62KUIprdfSOUqkvSdHRAqG3GQSIRy7IHjW5M-DvwAOJ5jG6dWHwWB3eo/s640/Screenshot+from+2017-08-24+00-17-10.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiayCmYoNfrSPwScwYfF9E42iVXKFERkNijfzM-j6Bt7b0najRZd6GBPGVt5bxc3i9P2wCOYxQs1HbDRoidjsQ8RU66dIPlTXlW21OVnrQbxZu5wUD4DFoxDVJPfwVNSaVNvsEY3a8jt6o/s1600/Screenshot+from+2017-08-24+00-18-19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="306" data-original-width="736" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiayCmYoNfrSPwScwYfF9E42iVXKFERkNijfzM-j6Bt7b0najRZd6GBPGVt5bxc3i9P2wCOYxQs1HbDRoidjsQ8RU66dIPlTXlW21OVnrQbxZu5wUD4DFoxDVJPfwVNSaVNvsEY3a8jt6o/s640/Screenshot+from+2017-08-24+00-18-19.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXNfPC61K10AXaVgPjxmDOXegysbtF5Pby-Rs-GT6n-icUyyGsbDp-QMioLZGDfxKWmL-TE0y30tYQB7Z2KrsCqlaTF0qjSneh2xGXLy7RhF_55nv90HbX3E1VttQFum6BlZcvFFXUW_I/s1600/Screenshot+from+2017-08-24+00-18-03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="112" data-original-width="736" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXNfPC61K10AXaVgPjxmDOXegysbtF5Pby-Rs-GT6n-icUyyGsbDp-QMioLZGDfxKWmL-TE0y30tYQB7Z2KrsCqlaTF0qjSneh2xGXLy7RhF_55nv90HbX3E1VttQFum6BlZcvFFXUW_I/s640/Screenshot+from+2017-08-24+00-18-03.png" width="640" /></a></div>
<br />
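The find one-liner above is what you type in a hurry; as an added example (not code from this post or from SecGen), here is the same setuid/setgid sweep in Python, extended with a baseline diff and a list of names that are known privilege-escalation vectors, so a privileged nmap stands out instead of hiding among the usual su/sudo/passwd entries. The KNOWN_SHELL_ESCAPES list and the one-path-per-line baseline format are this example's own.<br />

```python
#!/usr/bin/env python3
"""Added example, not code from the original post or from SecGen: walk a
directory tree, list setuid/setgid regular files (what the find command
above does), diff the list against a baseline, and flag names that are
known to hand out a shell when run with elevated privileges.  The
baseline format and the KNOWN_SHELL_ESCAPES list are this example's own."""
import os
import stat
import sys

# Programs that can spawn a shell or read/write arbitrary files when they
# run setuid (non-exhaustive).  nmap belongs here only for old releases
# that still have "--interactive", which is what the Metasploit module uses.
KNOWN_SHELL_ESCAPES = {
    "nmap", "vim", "vi", "find", "bash", "sh", "dash", "perl", "python",
    "python3", "less", "more", "awk", "env", "tar", "cp", "mv",
}


def find_privileged(root):
    """Sorted paths of regular files under root with the setuid or setgid bit.

    Equivalent to:  find ROOT -type f \\( -perm -4000 -o -perm -2000 \\)
    Symlinks are not followed and unreadable directories are skipped, which
    matches what a low-privilege shell sees.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def new_since_baseline(baseline, current):
    """Paths in current that were not in baseline (the ones to look at first)."""
    return sorted(set(current) - set(baseline))


def flag_known_escapes(paths):
    """Subset of paths whose file name is a known privilege-escalation vector."""
    return [p for p in paths if os.path.basename(p) in KNOWN_SHELL_ESCAPES]


def load_baseline(path):
    """Read one path per line from a baseline file written by an earlier run."""
    try:
        with open(path, encoding="utf-8") as fh:
            return [line.rstrip("\n") for line in fh if line.strip()]
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    # Usage: setuid_audit.py [ROOT] [BASELINE_FILE]
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    baseline = load_baseline(sys.argv[2]) if len(sys.argv) > 2 else []
    current = find_privileged(root)
    for p in current:
        marker = "!" if os.path.basename(p) in KNOWN_SHELL_ESCAPES else " "
        print(f"{marker} {p}")
    if baseline:
        for p in new_since_baseline(baseline, current):
            print(f"NEW since baseline: {p}")
```

Run it once on a clean build and save the output as the baseline; on a box you are attacking (or defending) the "NEW since baseline" and "!" lines are the short list to investigate.<br />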
So cool that a unique vulnerable VM was conjured in front of me from some Ruby code. Big thanks to <a href="https://github.com/cliffe">Cliffe from GitHub</a> for providing the community with a great resource for learning!<br />
<br />
[VulnHub] hackfest2016: Sedna<br />
Posted 2017-03-16<br />
<br />
An nmap scan shows a port list very similar to the first hackfest VM I did (Quaoar, further down this page). However, this time port 8080 is open.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-Wt1ZqnTDmU9pdmIzSt1GdaeW_YI4rP0B2Oykfbm5Mok1nsmpMYRws-62ZE6SyLTp1oMrodwbUd2-Ph6E7Ea-gdQz1WxgVTwTS6qwLNEalYMMayUOEBHX153uDmcuPzzcpYKEhPgKshI/s1600/Screenshot+from+2017-03-16+13-31-36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-Wt1ZqnTDmU9pdmIzSt1GdaeW_YI4rP0B2Oykfbm5Mok1nsmpMYRws-62ZE6SyLTp1oMrodwbUd2-Ph6E7Ea-gdQz1WxgVTwTS6qwLNEalYMMayUOEBHX153uDmcuPzzcpYKEhPgKshI/s640/Screenshot+from+2017-03-16+13-31-36.png" width="640" /></a></div>
<br />
I find a Tomcat 7 installation...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKy2TMSXLCKFpsr_BtzAwxt4s3akDl5PdpUI4xMjWU9XrftCyWM-Bq4jWF3nhkdZ5eMqrVIdLK_UCTsDErmmi-xiPzf7UTmq1Rg-P1XBfczz5apvxi581VUlLtulpMWXFKGxfJO93ozCM/s1600/Screenshot+from+2017-03-16+13-34-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKy2TMSXLCKFpsr_BtzAwxt4s3akDl5PdpUI4xMjWU9XrftCyWM-Bq4jWF3nhkdZ5eMqrVIdLK_UCTsDErmmi-xiPzf7UTmq1Rg-P1XBfczz5apvxi581VUlLtulpMWXFKGxfJO93ozCM/s640/Screenshot+from+2017-03-16+13-34-02.png" width="640" /></a></div>
<br />
...however I couldn't log in to the Manager application, so I gave up on this and moved on to enumerating port 80. Uniscan found a few interesting directories.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXBjAEqcq6_GoCbZUKzC5sE3BGdLbH8MaRqv-tq88c-zgoxs-FhyDo4j1K01ozYJm2I8UKGvW3wcJjo-t-Ca2NEeH2QIqgdzn-DIoq3U7C15P7_V2mhyphenhyphence9QBd7JVKYBTs2mlBWrHutO0/s1600/Screenshot+from+2017-03-16+13-33-49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXBjAEqcq6_GoCbZUKzC5sE3BGdLbH8MaRqv-tq88c-zgoxs-FhyDo4j1K01ozYJm2I8UKGvW3wcJjo-t-Ca2NEeH2QIqgdzn-DIoq3U7C15P7_V2mhyphenhyphence9QBd7JVKYBTs2mlBWrHutO0/s640/Screenshot+from+2017-03-16+13-33-49.png" width="640" /></a></div>
<br />
I couldn't do much with these on their own, however, until nikto pointed out something worth checking.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZvJjVkOe-tFz-OrttG-vJvZZcLp483MoyOrP1kCWiBwPLJ0L4hH8W3YgtvWIJgNzD6B8aUPp4lP4phDT5t8GvcdUMWST19YYzjFZw5HenJkgktQZ7h6BiMBNBn_Z2tm5yLi1199C05hM/s1600/Screenshot+from+2017-03-16+13-40-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZvJjVkOe-tFz-OrttG-vJvZZcLp483MoyOrP1kCWiBwPLJ0L4hH8W3YgtvWIJgNzD6B8aUPp4lP4phDT5t8GvcdUMWST19YYzjFZw5HenJkgktQZ7h6BiMBNBn_Z2tm5yLi1199C05hM/s640/Screenshot+from+2017-03-16+13-40-33.png" width="640" /></a></div>
<br />
I checked license.txt and found a useful piece of information.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPrUnWpI_261xQU4ugqlYdDz6svD4Ef6IvcBdaDKSfU98VEtpzumcGaqpTaarofpT0sHs3dyAwn0gPsq4UtUcJRo5WxlbsVr4qsQpgS34zXf9oPWUGdLmE69gkXQYoyGC8oj5R_nZdhMk/s1600/Screenshot+from+2017-03-16+13-14-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPrUnWpI_261xQU4ugqlYdDz6svD4Ef6IvcBdaDKSfU98VEtpzumcGaqpTaarofpT0sHs3dyAwn0gPsq4UtUcJRo5WxlbsVr4qsQpgS34zXf9oPWUGdLmE69gkXQYoyGC8oj5R_nZdhMk/s640/Screenshot+from+2017-03-16+13-14-13.png" width="640" /></a></div>
<br />
The license belongs to the "BuilderEngine" CMS. I went to the /builderengine/ directory and confirmed it was present. There is a public <a href="https://www.exploit-db.com/exploits/40390/">exploit</a> (exploit-db 40390: the bundled jQuery File Upload PHP handler accepts uploads without authentication or file-type checks) that allowed me to upload an arbitrary file, which the handler stores in the /files/ directory on the web server. First I went to the handler directory used in the exploit to confirm it exists.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp9PVZRX6SL9nhIwyAVJZOkcxFS8Nd7WvSQruLEPxJrwq9z5Or7zbdkhfQZG_quaGBQWUE0ejepeXGpE3KHIGq0jkfKQ89XFrKIB2oZ7YOJuvtEicmW3OVqSRPRQWf_xoJJKqWSHf-hns/s1600/Screenshot+from+2017-03-16+13-13-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp9PVZRX6SL9nhIwyAVJZOkcxFS8Nd7WvSQruLEPxJrwq9z5Or7zbdkhfQZG_quaGBQWUE0ejepeXGpE3KHIGq0jkfKQ89XFrKIB2oZ7YOJuvtEicmW3OVqSRPRQWf_xoJJKqWSHf-hns/s640/Screenshot+from+2017-03-16+13-13-18.png" width="640" /></a></div>
<br />
Then I copied the exploit code, pasted it into a file called "uploader.html" on my attacking machine and swapped out the form's action URL to match the one above.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg10MrbTfWX0s8zAfLsAZEJT63QVHfDJMdj9JpslwudJF617mXLCX_yC5PtfzqlBzU86e-Uh5ew_4mqpLIAxpwRt9TriP5ksvjrCigsEHP4qZsdqFnRehgUCXaS_GVuia2Waxq3qVaTfZ4/s1600/Screenshot+from+2017-03-16+13-51-09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg10MrbTfWX0s8zAfLsAZEJT63QVHfDJMdj9JpslwudJF617mXLCX_yC5PtfzqlBzU86e-Uh5ew_4mqpLIAxpwRt9TriP5ksvjrCigsEHP4qZsdqFnRehgUCXaS_GVuia2Waxq3qVaTfZ4/s640/Screenshot+from+2017-03-16+13-51-09.png" width="640" /></a></div>
<br />
Then I opened the file in Firefox and uploaded a PHP reverse shell, with a listener waiting on my attacking machine.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEq6kkNRVfeS7pW1_4gIDwsADuUBXbaRkAUQfFX0P1R5PqNukkU0yxw_TkadaBWk_ThhnEaa5ea9RjJwSOVmSqaOF_LTlPvUWqSoYtzU0Im2k3t4XaWVceBxkffKjMtGPR-_Ougx7HAb4/s1600/Screenshot+from+2017-03-16+13-16-42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEq6kkNRVfeS7pW1_4gIDwsADuUBXbaRkAUQfFX0P1R5PqNukkU0yxw_TkadaBWk_ThhnEaa5ea9RjJwSOVmSqaOF_LTlPvUWqSoYtzU0Im2k3t4XaWVceBxkffKjMtGPR-_Ougx7HAb4/s400/Screenshot+from+2017-03-16+13-16-42.png" width="400" /></a></div>
<br />
Then I navigated to the /files/ directory on the server, clicked on my shell.php file, and got a beautiful reverse shell back.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKiaifiXvRwB_m1RLVA-AI9a-eMiSOL9OmwH1mR5DZr6oMtBkO1s4H1r39_BjX6th3M-NOG9n6Z5cNBA1e5XEC89o8pNCcshP-SO7yB6W3-IeiumDyu2RfDRYwdPdt7hCJ3k3mAjid7MI/s1600/Screenshot+from+2017-03-16+13-17-29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="350" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKiaifiXvRwB_m1RLVA-AI9a-eMiSOL9OmwH1mR5DZr6oMtBkO1s4H1r39_BjX6th3M-NOG9n6Z5cNBA1e5XEC89o8pNCcshP-SO7yB6W3-IeiumDyu2RfDRYwdPdt7hCJ3k3mAjid7MI/s400/Screenshot+from+2017-03-16+13-17-29.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0tL2iL-X4qWszYzOlAaUlnoz62cQBh4oTrVCuVSjgBXaHgCz8szZp2yO0FAiWxxGPempDv9L9VWzJ8_xvI7sK_5Ij3oU-9n3zlRV1NZRGnBAploPVGHd49U66Smrj0hwvXcrCkl4GP5I/s1600/Screenshot+from+2017-03-16+12-44-28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0tL2iL-X4qWszYzOlAaUlnoz62cQBh4oTrVCuVSjgBXaHgCz8szZp2yO0FAiWxxGPempDv9L9VWzJ8_xvI7sK_5Ij3oU-9n3zlRV1NZRGnBAploPVGHd49U66Smrj0hwvXcrCkl4GP5I/s640/Screenshot+from+2017-03-16+12-44-28.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoNN3ce6oajbo1RbsmdLBawQpyAJM5zjjn5ktPhdXZuMxTQMZwDzhdJw6K8VeC74hWm6AEHp8HQdLHsTJp1MUWvwQU2fA5OTWyH2Q6QXzt7DS93ynrsWEtui3RhvXgRDIBNpCfVMBkuS8/s1600/Screenshot+from+2017-03-16+12-45-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoNN3ce6oajbo1RbsmdLBawQpyAJM5zjjn5ktPhdXZuMxTQMZwDzhdJw6K8VeC74hWm6AEHp8HQdLHsTJp1MUWvwQU2fA5OTWyH2Q6QXzt7DS93ynrsWEtui3RhvXgRDIBNpCfVMBkuS8/s640/Screenshot+from+2017-03-16+12-45-17.png" width="640" /></a></div>
<br />
Then I <a href="https://www.exploit-db.com/exploits/40839/">Dirty COW</a> (CVE-2016-5195, exploit-db 40839) my way to root. This variant of the exploit writes a new UID 0 user into /etc/passwd; it kills my shell, but I can just ssh in as the "firefart" user it created. (The exploit keeps a copy of the original file at /tmp/passwd.bak; restore it when you are done.)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidrV1GemPpBGDdD_8W0a2NC5xDJvkNomR_Kl-EzMmcPg0idjCtsTEUPqdt3YZZtYf3IxMFlcUk8SD8fnTAjHlcP1ofx_MYd7DDT1EvImnBCRJfSic57-cN-YH76iAhmjr1ctxCq78MZEI/s1600/Screenshot+from+2017-03-16+13-19-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidrV1GemPpBGDdD_8W0a2NC5xDJvkNomR_Kl-EzMmcPg0idjCtsTEUPqdt3YZZtYf3IxMFlcUk8SD8fnTAjHlcP1ofx_MYd7DDT1EvImnBCRJfSic57-cN-YH76iAhmjr1ctxCq78MZEI/s640/Screenshot+from+2017-03-16+13-19-33.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBGn2PceiYIPXdviawBjRTDKcIPFEeGodQOPoy8qIBBVtJYvjHKPgKznQHxlal2YXMX0lx9FhPcdjJPr10VaXlQIQ-9zCvKQ7_yQs3ySOzk910odMu6X1nRwijrzFLCQqm7BRY-p1OGwE/s1600/Screenshot+from+2017-03-16+13-19-27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBGn2PceiYIPXdviawBjRTDKcIPFEeGodQOPoy8qIBBVtJYvjHKPgKznQHxlal2YXMX0lx9FhPcdjJPr10VaXlQIQ-9zCvKQ7_yQs3ySOzk910odMu6X1nRwijrzFLCQqm7BRY-p1OGwE/s640/Screenshot+from+2017-03-16+13-19-27.png" width="640" /></a></div>
<br />
According to the VM details on VulnHub there are two post-exploitation flags. I'm fairly certain one of them is the Tomcat 7 password, which sits in the clear in /etc/tomcat7/tomcat-users.xml.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguw8fVd0fRRJxpANg_NFL3VNBZ0se6aiHWxmjar1BgERzou_sqbj9pKuz6lSYk70cusbLasW3_8V6jk8_3pw5tjX5sMQgs1qvFBukf-pjFm6Je6rtpFdDaKdsNa18gc_j8ub8Bo9USPyc/s1600/Screenshot+from+2017-03-16+13-20-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="66" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguw8fVd0fRRJxpANg_NFL3VNBZ0se6aiHWxmjar1BgERzou_sqbj9pKuz6lSYk70cusbLasW3_8V6jk8_3pw5tjX5sMQgs1qvFBukf-pjFm6Je6rtpFdDaKdsNa18gc_j8ub8Bo9USPyc/s640/Screenshot+from+2017-03-16+13-20-33.png" width="640" /></a></div>
<br />
These credentials allowed me to log in to the Tomcat Manager interface, which would have been another route to code execution via a deployed WAR file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJu58xs9TP9u7RkBWoYoUQ0TJGxnOsvGno6CeapVAXfHdhPWjtNOop9z4friz8ttjzlPU23SQmqkvTlXqOtPpgubXhLTS8dNNHxhBMlOi_jzCryqCjbvucjgND-B_auVKPsk0dsf56rDg/s1600/Screenshot+from+2017-03-16+13-23-12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJu58xs9TP9u7RkBWoYoUQ0TJGxnOsvGno6CeapVAXfHdhPWjtNOop9z4friz8ttjzlPU23SQmqkvTlXqOtPpgubXhLTS8dNNHxhBMlOi_jzCryqCjbvucjgND-B_auVKPsk0dsf56rDg/s640/Screenshot+from+2017-03-16+13-23-12.png" width="640" /></a></div>
<br />
I'm pretty sure the other flag is the password for the "crackmeforpoints" user...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjHxypmozNt1PKyn9_Q-v6bDasZdz3Ejrd8Gi22qwKD3pPaKkY6wpRwGm6EFDb6JRJ3elXwMRtG8RWqdotsL1wnR2Q8_MUEeRKJQvsP8hUzOLz5P5LxTehR0JYfq0iv912FQDa3r8MDOE/s1600/Screenshot+from+2017-03-16+14-06-15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjHxypmozNt1PKyn9_Q-v6bDasZdz3Ejrd8Gi22qwKD3pPaKkY6wpRwGm6EFDb6JRJ3elXwMRtG8RWqdotsL1wnR2Q8_MUEeRKJQvsP8hUzOLz5P5LxTehR0JYfq0iv912FQDa3r8MDOE/s640/Screenshot+from+2017-03-16+14-06-15.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
...but I'm going to go ahead and let someone else crack that due to my hardware limitations. Overall I really enjoyed this VM; I don't get to use exploit-db enough for web apps in VulnHub VMs so this was a pleasant surprise!</div>
[VulnHub] hackfest2016: Quaoar<br />
Posted 2017-03-16<br />
<br />
An nmap script scan of port 80 shows robots.txt is present. While other ports were open, the VM's description strongly suggested a web application was the intended path, so I investigated that first.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzhygEvYOfWvVJoOB6WJubMzfWgLYT8eIGS1xyi78wDhZHbtcloPdX_JUQAic1pgPLeYJDJqXEmyOI7qCdQ5AAYsDGPKvSWMERO5LValMXmuARLqqqFDQRXkq-nM-QmmSsDb6DCjDvXx4/s1600/Screenshot+from+2017-03-16+09-46-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzhygEvYOfWvVJoOB6WJubMzfWgLYT8eIGS1xyi78wDhZHbtcloPdX_JUQAic1pgPLeYJDJqXEmyOI7qCdQ5AAYsDGPKvSWMERO5LValMXmuARLqqqFDQRXkq-nM-QmmSsDb6DCjDvXx4/s640/Screenshot+from+2017-03-16+09-46-10.png" width="640" /></a></div>
<br />
I navigate to it in my browser and find a WordPress installation.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjptlLZc99k3rFZ3XgLoBZJCDKIkY1vJ0efT5WOr-ghhzMygAsyZHlcxYlb06q7SV7Y71_J46ywvX9zdG_DiFqUXlubmuNPfVCvd3597e-CDRgJ5FxD6paWGiQO0DJvgJ20LM_EQcmH58Q/s1600/Screenshot+from+2017-03-16+09-46-53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjptlLZc99k3rFZ3XgLoBZJCDKIkY1vJ0efT5WOr-ghhzMygAsyZHlcxYlb06q7SV7Y71_J46ywvX9zdG_DiFqUXlubmuNPfVCvd3597e-CDRgJ5FxD6paWGiQO0DJvgJ20LM_EQcmH58Q/s400/Screenshot+from+2017-03-16+09-46-53.png" width="400" /></a></div>
<br />
I immediately go to the admin login (wp-login.php) and get through with "admin/admin". The description <i>did</i> say this was a very easy VM, after all.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc64AXatQzgBQgDFMZbPS_6b5UnG0PBy6GTKO4yJ3Gs5vDMI8ttoeTplGs1MmW3c4xKba5wTu3ud4omi69XH-bIFYKu9xDDr_wDFD13Ojkc4ve1sC86N61Gp1RAIbLdc9F55OVA0UVsYg/s1600/Screenshot+from+2017-03-16+09-47-24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc64AXatQzgBQgDFMZbPS_6b5UnG0PBy6GTKO4yJ3Gs5vDMI8ttoeTplGs1MmW3c4xKba5wTu3ud4omi69XH-bIFYKu9xDDr_wDFD13Ojkc4ve1sC86N61Gp1RAIbLdc9F55OVA0UVsYg/s400/Screenshot+from+2017-03-16+09-47-24.png" width="400" /></a></div>
<br />
After logging in I navigated to "Plugins &gt; Editor", selected the "Mail Masta" plugin (since it was already active) and added a PHP reverse shell to one of its files. Because the plugin is active, its files load on the next page request, so simply clicking "Update File" gave me a shell.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid4TVykz4lhqXeiDcjvT6xKvcprAeRLIllkr7gg1QkPCR1N-TBQkpcUXw64XmNDpz500lu7mf_dW05vtl69i1m8aGhu8FaCQoFmQcTHtZISmItYWXkPMuwxGYs1IM4Yd3oZ0NOMhxZniQ/s1600/Screenshot+from+2017-03-16+09-50-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid4TVykz4lhqXeiDcjvT6xKvcprAeRLIllkr7gg1QkPCR1N-TBQkpcUXw64XmNDpz500lu7mf_dW05vtl69i1m8aGhu8FaCQoFmQcTHtZISmItYWXkPMuwxGYs1IM4Yd3oZ0NOMhxZniQ/s640/Screenshot+from+2017-03-16+09-50-10.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyyWKbvugXwRA9kiLnLNm1D8LRC52F92HEvtKLACMSRnYt_qdWkcumF6_2OrM2BBCEioXvb4v7p5X8nBSNcykuzeWPgGNhoAZqrHvOBY8tjul294BXUfjYd-iRRdFZ9T6UOpkZRtcSAa0/s1600/Screenshot+from+2017-03-15+09-12-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyyWKbvugXwRA9kiLnLNm1D8LRC52F92HEvtKLACMSRnYt_qdWkcumF6_2OrM2BBCEioXvb4v7p5X8nBSNcykuzeWPgGNhoAZqrHvOBY8tjul294BXUfjYd-iRRdFZ9T6UOpkZRtcSAa0/s640/Screenshot+from+2017-03-15+09-12-43.png" width="640" /></a></div>
<br />
I immediately noticed a "wpadmin" user in /etc/passwd and found its password to be "wpadmin" as well, so I decided to ssh in as that user for a more stable shell, and found the first flag.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9ZGUa8x2eoUxkt466i-l9fLUTlKHnWJoHnZ720anNgz8Cf2pybLkm7ZHOcvIeQxhMTCFdnsll7faORcD-SQrgbeeBoK3VTl9Soc0O34vqkGhBlkEl_4sa6msZELd4r_FuHZgoEpaFTMY/s1600/Screenshot+from+2017-03-16+09-51-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9ZGUa8x2eoUxkt466i-l9fLUTlKHnWJoHnZ720anNgz8Cf2pybLkm7ZHOcvIeQxhMTCFdnsll7faORcD-SQrgbeeBoK3VTl9Soc0O34vqkGhBlkEl_4sa6msZELd4r_FuHZgoEpaFTMY/s640/Screenshot+from+2017-03-16+09-51-23.png" width="640" /></a></div>
<br />
Going through the "/upload/" directory of the web root, I found a "config.php" file containing the root credentials for the MySQL server.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPKwPAfXWLYhxyugc3N5ZFhj_8uKy2SugXMHb3r9UVG4gp5Bt79U4uS0_FmFkHvIC7wIg7hkhr6YDe3wJxAo-hT6neI9gYnVDAx3eyzKQOyA6H8rh8bK9MtSeDS_xJAWd9nohz3TN-Pus/s1600/Screenshot+from+2017-03-16+10-23-14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPKwPAfXWLYhxyugc3N5ZFhj_8uKy2SugXMHb3r9UVG4gp5Bt79U4uS0_FmFkHvIC7wIg7hkhr6YDe3wJxAo-hT6neI9gYnVDAx3eyzKQOyA6H8rh8bK9MtSeDS_xJAWd9nohz3TN-Pus/s640/Screenshot+from+2017-03-16+10-23-14.png" width="640" /></a></div>
<br />
Going along with the "very easy" theme, I tried logging in as root with the same credentials and was successful: the MySQL root password was reused for the system root account!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFfvnZ4MA6CfsJ7ttFul7LeGvwWBs_Ctm1W_PvaSioDpU7M2ZEiC32NQQfjEeSvCuhilKR-Sd609xneJJfYAX0CGKCgjTLERvJRVHXA8AZ3GMc21Krq5zW5iroT6yMUi3n7EgRopGyCjE/s1600/Screenshot+from+2017-03-16+10-36-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFfvnZ4MA6CfsJ7ttFul7LeGvwWBs_Ctm1W_PvaSioDpU7M2ZEiC32NQQfjEeSvCuhilKR-Sd609xneJJfYAX0CGKCgjTLERvJRVHXA8AZ3GMc21Krq5zW5iroT6yMUi3n7EgRopGyCjE/s640/Screenshot+from+2017-03-16+10-36-43.png" width="640" /></a></div>
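Both this box and Sedna fell to credentials lying in files (config.php here, /etc/tomcat7/tomcat-users.xml on Sedna) that were then reused against another service. As an added example (not code from either post), the script below pulls credential-looking settings out of such files and pairs every user with every password so the reuse attempts are systematic rather than eyeballed. The regexes, the file-name filter, the key names under which Tomcat users are reported, and all sample inputs are this example's own.<br />

```python
#!/usr/bin/env python3
"""Added example, not code from the original posts: pull credential-looking
settings out of files on a compromised web server (config.php on Quaoar,
tomcat-users.xml on Sedna) and pair them up so they can be tried against
the other services on the box.  The regexes, the file-name filter and the
key names under which Tomcat users are reported are this example's own."""
import os
import re
import sys
import xml.etree.ElementTree as ET

# File names worth reading first inside a web root or /etc.
CONFIG_NAMES = re.compile(
    r"(config|settings|database|wp-config|tomcat-users).*\.(php|xml|ini|yml|yaml|env)$|^\.env$", re.I)

KEY = r"(?:pass|pwd|user|host|dbname|database)"
PATTERNS = [
    # PHP constants:  define('DB_PASSWORD', 'secret');
    re.compile(r"""define\(\s*['"](?P<key>\w*%s\w*)['"]\s*,\s*['"](?P<val>[^'"]*)['"]""" % KEY, re.I),
    # PHP variables:  $password = "secret";
    re.compile(r"""\$(?P<key>\w*%s\w*)\s*=\s*['"](?P<val>[^'"]*)['"]""" % KEY, re.I),
    # ini / .env style:  DB_PASSWORD=secret
    re.compile(r"""^\s*(?P<key>\w*%s\w*)\s*[=:]\s*['"]?(?P<val>[^'"\s]+)""" % KEY, re.I | re.M),
]


def extract_credentials(text):
    """{key: value} for every credential-looking setting; first hit per key wins."""
    found = {}
    for pat in PATTERNS:
        for m in pat.finditer(text):
            found.setdefault(m.group("key"), m.group("val"))
    return found


def extract_tomcat_users(xml_text):
    """(username, password, roles) for each <user> in tomcat-users.xml.

    Works with and without the xmlns that Tomcat 8.5+ adds, and with the
    "name" alias Tomcat accepts for "username".  Passwords are stored in
    the clear unless a CredentialHandler was configured.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    users = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "user":
            name = el.get("username") or el.get("name") or ""
            roles = tuple(r.strip() for r in el.get("roles", "").split(",") if r.strip())
            users.append((name, el.get("password", ""), roles))
    return users


def credential_pairs(found):
    """Every (user, password) combination implied by the harvested settings."""
    users = {v for k, v in found.items() if re.search(r"user", k, re.I)}
    passwords = {v for k, v in found.items() if re.search(r"pass|pwd", k, re.I)}
    return sorted((u, p) for u in users for p in passwords if u and p)


def harvest(root_dir):
    """{path: {key: value}} for every config-looking file below root_dir."""
    loot = {}
    for dirpath, _dirs, files in os.walk(root_dir, onerror=lambda err: None):
        for name in files:
            if not CONFIG_NAMES.search(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name.lower() == "tomcat-users.xml":
                found = {}
                for user, password, _roles in extract_tomcat_users(text):
                    found[f"tomcat_user:{user}"] = user
                    found[f"tomcat_pass:{user}"] = password
            else:
                found = extract_credentials(text)
            if found:
                loot[path] = found
    return loot


if __name__ == "__main__":
    # Usage: harvest_creds.py /var/www /etc/tomcat7
    merged = {}
    for base in sys.argv[1:] or ["/var/www"]:
        for path, found in harvest(base).items():
            print(path, found)
            merged.update(found)
    for user, password in credential_pairs(merged):
        print(f"try: {user} / {password}")
```

The pair list is deliberately the full cross product: on Quaoar the MySQL root password also opened the system root account, and that is exactly the combination a user-by-user view would miss.<br />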
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
According to the VM description on VulnHub there is a post-exploitation flag on the VM, however I have not been able to find it. I went through the MySQL database and searched the file system for anything resembling a flag, with no luck. Other than that, this was a very easy VM that was still somewhat satisfying in a weird way. I will be sure to make time for the other two, more difficult hackfest VMs.</div>
[VulnHub] pluck: 1<br />
Posted 2017-03-12, updated 2017-03-16<br />
<br />
An nmap scan shows SSH, HTTP, and MySQL open.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu__V3IFUmbrF53bgPAkW4xaTnwSjo_CNO0iSpfzhHmI4eBJaTdnYYWn01uaIFEcOkqZI12bLj44IUFGaR9AWUTacqrX1V8jqPvIhV36yzlqpemLUc04qvmCCr48ib4w40uSaY6a4u3OU/s1600/Screenshot+from+2017-03-12+05-30-52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu__V3IFUmbrF53bgPAkW4xaTnwSjo_CNO0iSpfzhHmI4eBJaTdnYYWn01uaIFEcOkqZI12bLj44IUFGaR9AWUTacqrX1V8jqPvIhV36yzlqpemLUc04qvmCCr48ib4w40uSaY6a4u3OU/s640/Screenshot+from+2017-03-12+05-30-52.png" width="640" /></a></div>
<br />
Using uniscan, I find a promising LFI link.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOAdwVng_8xgbHhpVc3Tyhe2cHPNY3W4LdhZtUX0a7LdDvrL-PP1DhB-JbHadaT3_iePL_ZiS6KNf7heTCrXxN-us-I2mLCbz2J6fmZ9wQKjBaGjVkSEcw3iZQv9YPiGKp8WPi10AT62k/s1600/Screenshot+from+2017-03-12+05-36-03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOAdwVng_8xgbHhpVc3Tyhe2cHPNY3W4LdhZtUX0a7LdDvrL-PP1DhB-JbHadaT3_iePL_ZiS6KNf7heTCrXxN-us-I2mLCbz2J6fmZ9wQKjBaGjVkSEcw3iZQv9YPiGKp8WPi10AT62k/s640/Screenshot+from+2017-03-12+05-36-03.png" width="640" /></a></div>
<br />
Visiting the link, I see some juicy information: the page includes the contents of /etc/passwd.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUFiXvoA8Y0Umf4oJxGNK1UDKArd-f5AYILZSk9wm29_K6IKVZSmNLCI-xBCgtIR6LeWtSq5fmMteB6fRypyhemOcR3MN8pz1-uGpIsqvmzxCyQiYKhpX7MrvbrI5vYxGqSL6H0BpT7c0/s1600/Screenshot+from+2017-03-12+05-38-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUFiXvoA8Y0Umf4oJxGNK1UDKArd-f5AYILZSk9wm29_K6IKVZSmNLCI-xBCgtIR6LeWtSq5fmMteB6fRypyhemOcR3MN8pz1-uGpIsqvmzxCyQiYKhpX7MrvbrI5vYxGqSL6H0BpT7c0/s640/Screenshot+from+2017-03-12+05-38-10.png" width="640" /></a></div>
<br />
Obviously this is a great start; however, I also navigated to "/admin.php" and, after trying basic injection techniques, got a very promising SQL error.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu4InOTiGUv1HDA1mn-T1rgmXRk-Mg92zq3KawgME67EDfVxAkLRMjcfO4u3PQ2WUyj0l9dt6IdGFfIfq-ZXQul4JAmsWxPYnqg9oEuL1Oq2xOa6O9rtGAhctPPMlBAkaBbjcoUK5gh1s/s1600/Screenshot+from+2017-03-12+06-12-12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu4InOTiGUv1HDA1mn-T1rgmXRk-Mg92zq3KawgME67EDfVxAkLRMjcfO4u3PQ2WUyj0l9dt6IdGFfIfq-ZXQul4JAmsWxPYnqg9oEuL1Oq2xOa6O9rtGAhctPPMlBAkaBbjcoUK5gh1s/s640/Screenshot+from+2017-03-12+06-12-12.png" width="640" /></a></div>
<br />
I wasted more time than I'd like to admit trying to leverage this. Trying everything I could think of in sqlmap, I couldn't find any way to exploit it (the reason becomes clear later on).<br />
<br />
Moving on with the /etc/passwd file, I see that the "backup-user" account has a script set as its login shell, which might lead to something.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEdsfIoOtBhtr11Y6l8mT_ValnuOt61mN2Mdrn8gtwJj-Eg9o6TiYnGfxYK500LbeP6Byi7TlhyphenhyphenPCVEB1i7_dd-vrph1YuarfYFq5dikMJOxlDRsQEFq695ZpaE_HTM71AQ2ELtFfO1-k/s1600/Screenshot+from+2017-03-12+06-16-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEdsfIoOtBhtr11Y6l8mT_ValnuOt61mN2Mdrn8gtwJj-Eg9o6TiYnGfxYK500LbeP6Byi7TlhyphenhyphenPCVEB1i7_dd-vrph1YuarfYFq5dikMJOxlDRsQEFq695ZpaE_HTM71AQ2ELtFfO1-k/s640/Screenshot+from+2017-03-12+06-16-59.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
I view the script using the same link I used for /etc/passwd. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw0wygqWeiIimgBNUcxXJUk39dNC7jNB4oc6LsCRYnZiIBBxTQAv3cKzfqqQLeM0brN1W_ZO8k20A74A2JMHYrNAb1lv-KaVPAS7AX6ReRNSTx0_EGEMz-27cE-rNU6o63_8p8yD658wM/s1600/Screenshot+from+2017-03-12+06-19-53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw0wygqWeiIimgBNUcxXJUk39dNC7jNB4oc6LsCRYnZiIBBxTQAv3cKzfqqQLeM0brN1W_ZO8k20A74A2JMHYrNAb1lv-KaVPAS7AX6ReRNSTx0_EGEMz-27cE-rNU6o63_8p8yD658wM/s640/Screenshot+from+2017-03-12+06-19-53.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It looks like this script creates a tar backup of the /home and web root directories and puts it in reach of a tftp server. I connect to the tftp server and download the tar file and extract it. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiGSWnLt-xWvgBI39_2v_CHbiU5RKnDq0Y0CD6BwmGKR88frL5f0biRyRE7H8OT0T2fmE3yK3VWyznGJ2xQOTOwwGYxYl7ZRCmeqGJlNC1pcRXLPVr177lNFvJDk2veNePWrlSGTA2hgU/s1600/Screenshot+from+2017-03-12+06-25-54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiGSWnLt-xWvgBI39_2v_CHbiU5RKnDq0Y0CD6BwmGKR88frL5f0biRyRE7H8OT0T2fmE3yK3VWyznGJ2xQOTOwwGYxYl7ZRCmeqGJlNC1pcRXLPVr177lNFvJDk2veNePWrlSGTA2hgU/s640/Screenshot+from+2017-03-12+06-25-54.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Looking in paul's directory, I see SSH public key files. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF3eZizNvGeVLiwBm4ftf8BkrhXI7lMENmj1T3A2PpHWxF-ie1g1fTZ7qoMWsZ_J3ht2JQiae-fPaXtAa8hSqz8dJbhI9WRU7QBjA36sdgvy2x2VoVqzCb5nEXBAdjwEyNZH1OrU_1k8Y/s1600/Screenshot+from+2017-03-12+06-33-44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF3eZizNvGeVLiwBm4ftf8BkrhXI7lMENmj1T3A2PpHWxF-ie1g1fTZ7qoMWsZ_J3ht2JQiae-fPaXtAa8hSqz8dJbhI9WRU7QBjA36sdgvy2x2VoVqzCb5nEXBAdjwEyNZH1OrU_1k8Y/s640/Screenshot+from+2017-03-12+06-33-44.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Logging in with id_key4 I get a "pdmenu" shell.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg7Vad7Zkl3kiPTqy0dfGrPIfdSShBapm0Bm3VMdKuZYXfg5txbo8iemT0al0q_mhIlxM28UsiQnvrMOlK3-vB9NlpSBq2Q6D_ItsFCaoWsKPZwp_SGVS6rhl_YP_IOOAH-PmB2xkhuu0/s1600/Screenshot+from+2017-03-12+07-31-57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="16" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg7Vad7Zkl3kiPTqy0dfGrPIfdSShBapm0Bm3VMdKuZYXfg5txbo8iemT0al0q_mhIlxM28UsiQnvrMOlK3-vB9NlpSBq2Q6D_ItsFCaoWsKPZwp_SGVS6rhl_YP_IOOAH-PmB2xkhuu0/s640/Screenshot+from+2017-03-12+07-31-57.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKMmrN7ZZAXWqr7McYMXuhUmtNqlhkK6lMQS1ixSh8F7zyGenPaqdIQ8TKtz2SWC2BsEXyVZDzY1286lU7lSlqo1I_aoCwdGY-sahhtssQSet0sV8uaXHldls3S9aptmGux4InpQpbM0U/s1600/Screenshot+from+2017-03-12+06-38-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKMmrN7ZZAXWqr7McYMXuhUmtNqlhkK6lMQS1ixSh8F7zyGenPaqdIQ8TKtz2SWC2BsEXyVZDzY1286lU7lSlqo1I_aoCwdGY-sahhtssQSet0sV8uaXHldls3S9aptmGux4InpQpbM0U/s640/Screenshot+from+2017-03-12+06-38-06.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
From here, I select "Edit file" and create a php reverse shell file and place it in paul's home directory.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW9CyRENKzoSKfq8o8f-YFogRJWpUb5ASOUmYOQjilQxU8vzMj1J0_jAbWtuqjm3Lus1H-JTbe9abH3iyB3SWCQx8BCv5n48DpD6sjuVK1hri_zTfM9YtyR81UAuuq1B0B0KhfB4qQXHk/s1600/Screenshot+from+2017-03-12+06-42-40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW9CyRENKzoSKfq8o8f-YFogRJWpUb5ASOUmYOQjilQxU8vzMj1J0_jAbWtuqjm3Lus1H-JTbe9abH3iyB3SWCQx8BCv5n48DpD6sjuVK1hri_zTfM9YtyR81UAuuq1B0B0KhfB4qQXHk/s640/Screenshot+from+2017-03-12+06-42-40.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaSBxrIggrsLkOU_9-QtPXhJnWGNhEElGbRJEFyFk_1SQxV_1mEJ-7ESKz8GC5HZrxfgMhWYkD2M2AyzVMhjLO6WhZTlV1Vuqx-eJbcBxGfUUovt-oeVbO5o1YsrF1mYsqZIG-lee9Dz8/s1600/Screenshot+from+2017-03-12+06-45-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaSBxrIggrsLkOU_9-QtPXhJnWGNhEElGbRJEFyFk_1SQxV_1mEJ-7ESKz8GC5HZrxfgMhWYkD2M2AyzVMhjLO6WhZTlV1Vuqx-eJbcBxGfUUovt-oeVbO5o1YsrF1mYsqZIG-lee9Dz8/s640/Screenshot+from+2017-03-12+06-45-30.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Then I once again use the LFI and execute the new php file and get a reverse shell.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJULKb9UmUG9lzD33zeOSUqODGY2e706D7V6sJEN9oldSNElek6pjWMU3lAJRyFU8U2nR-YahcYTJE3vccZN0L7sYKGOvfpBIIXgWIgCaRShwmEPghJ_CJRKxpUikAbvpojbxRx-tEtPI/s1600/Screenshot+from+2017-03-12+06-50-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="32" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJULKb9UmUG9lzD33zeOSUqODGY2e706D7V6sJEN9oldSNElek6pjWMU3lAJRyFU8U2nR-YahcYTJE3vccZN0L7sYKGOvfpBIIXgWIgCaRShwmEPghJ_CJRKxpUikAbvpojbxRx-tEtPI/s640/Screenshot+from+2017-03-12+06-50-59.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtbb1fjKG9DQrmATre4_G-ZYPJjGbUf57cyTzSjgbac7Tyd-3gyhPQLSQnfyIL-ox4lMUju0CXNtRZAvgaWLeifyDv_cgQTizLP1Vni1QzlhgKbmFCHez4xoujzfuOObL3OVy3hJV0Usg/s1600/Screenshot+from+2017-03-12+06-51-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtbb1fjKG9DQrmATre4_G-ZYPJjGbUf57cyTzSjgbac7Tyd-3gyhPQLSQnfyIL-ox4lMUju0CXNtRZAvgaWLeifyDv_cgQTizLP1Vni1QzlhgKbmFCHez4xoujzfuOObL3OVy3hJV0Usg/s640/Screenshot+from+2017-03-12+06-51-02.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
At this point, my number one concern was figuring out why my SQL injection efforts were futile. Viewing the "admin.php" source code, I can see I was duped. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikvjTu4wc7RWJc75fSckx6wtvxCqiJ48qPLWgzpJLQNNv_SZ0h_0DDs9a9g23O6TImasq3zR4HtI11TqCNGRWQTxAZie_1WA8RmGrIPMlV2W4_9okJIJgXojgScn5-u5tzcJi2zC6B5YQ/s1600/Screenshot+from+2017-03-12+07-02-27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikvjTu4wc7RWJc75fSckx6wtvxCqiJ48qPLWgzpJLQNNv_SZ0h_0DDs9a9g23O6TImasq3zR4HtI11TqCNGRWQTxAZie_1WA8RmGrIPMlV2W4_9okJIJgXojgScn5-u5tzcJi2zC6B5YQ/s640/Screenshot+from+2017-03-12+07-02-27.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Moving on, I <a href="https://www.exploit-db.com/exploits/40616/">Dirty COW</a> my way to root and find the flag.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWRK9urbnMIPJyGk-7wDrAYtCss4s2J-s1-DBXRY_O9tslZa6ZV0N2yAH3qFzmfA4h-seZxCTv1x3YDLF5EpAWbEGwas6DWA5Es61oAgICPX5PKDPt6wJZpdLIqvEqNt2bfH67JAdCypE/s1600/Screenshot+from+2017-03-12+07-08-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWRK9urbnMIPJyGk-7wDrAYtCss4s2J-s1-DBXRY_O9tslZa6ZV0N2yAH3qFzmfA4h-seZxCTv1x3YDLF5EpAWbEGwas6DWA5Es61oAgICPX5PKDPt6wJZpdLIqvEqNt2bfH67JAdCypE/s640/Screenshot+from+2017-03-12+07-08-17.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfpyndmwQYeYF4ue5RhqpSE32aX_wSL2uKO3HZpLtBCgQQXqtNYCWUD2ut9_CUg1Bjb-_A5FCYKkK7fA-R8zXfQ9U-cMbjqRk4atxa6LpZ6dPn6ciFxlYMaZcHAUsrT_7ONb1pcQcBRs0/s1600/Screenshot+from+2017-03-12+07-07-14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfpyndmwQYeYF4ue5RhqpSE32aX_wSL2uKO3HZpLtBCgQQXqtNYCWUD2ut9_CUg1Bjb-_A5FCYKkK7fA-R8zXfQ9U-cMbjqRk4atxa6LpZ6dPn6ciFxlYMaZcHAUsrT_7ONb1pcQcBRs0/s640/Screenshot+from+2017-03-12+07-07-14.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This was an enjoyable VM that gave me flashbacks to working in the OSCP labs, which is always something I'm looking for! </div>
thisguyhacks (http://www.blogger.com/profile/01558267097437201225, noreply@blogger.com)<br />
<br />
tag:blogger.com,1999:blog-7704159136346282066.post-4028560535201475913, published 2017-01-06T05:14:00.004-08:00, updated 2017-01-14T04:53:35.293-08:00<br />
[VulnHub] Tr0ll: 2 Privilege Escalation Walkthrough<br />
<br />
If you've made it to the low privilege shell in Tr0ll: 2 by exploiting the Bash Shellshock vulnerability, you've probably quickly found the "nothing_to_see_here" directory and the three doors that go along with it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7ydu9InE5-B0-cDaAjQEkjA-bVwBE39RX4ToMDO9Pm1MEznCweFL_4XSEOEdMvSoGjR6Z2_4wKngOgAVYlSw1RH5DyTIEvlGWSi7uWjaRbD1nnOnD89EIXGw0ezErLwxI_Ad0bKjsIxA/s1600/Screenshot+from+2017-01-06+11-29-15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7ydu9InE5-B0-cDaAjQEkjA-bVwBE39RX4ToMDO9Pm1MEznCweFL_4XSEOEdMvSoGjR6Z2_4wKngOgAVYlSw1RH5DyTIEvlGWSi7uWjaRbD1nnOnD89EIXGw0ezErLwxI_Ad0bKjsIxA/s640/Screenshot+from+2017-01-06+11-29-15.png" width="640" /></a></div>
<br />
Each "door" contains a binary owned by root with the SUID bit set. These files randomly switch directories every few minutes. The one that should be exploited is the largest binary (size 8401). When executed, it asks for user input, which strongly suggests I'll be buffer overflowing my way to root. I first open gdb and send a string of 1000 "A's" through the debugger to see if the program crashes. Simply entering 'r "AAAA..."' into the gdb console will do this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiteQkF1id2pKIjZVosY0DBHrlv3oMnnAOl3auAkjBQaIQTuddThS9ZLBVQ0o87JyBCNYOvgfRWfWxRmD2tykscnDHuw7Rs92_eV_OQzQYOjLNN2KhmBbxcb3OX4tfKOQdjFV9U_GtsmMo/s1600/Screenshot+from+2017-01-06+11-30-31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiteQkF1id2pKIjZVosY0DBHrlv3oMnnAOl3auAkjBQaIQTuddThS9ZLBVQ0o87JyBCNYOvgfRWfWxRmD2tykscnDHuw7Rs92_eV_OQzQYOjLNN2KhmBbxcb3OX4tfKOQdjFV9U_GtsmMo/s640/Screenshot+from+2017-01-06+11-30-31.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8FrJwgr1DOM4mMUI8mFioM0hZFXhCHY14qCLbYy1COviInk7NO_uPyIGQyQ5eDHBtDCYmW7slpC1lzOcjU1LJJe3rfRHlcdPKvD8jGtJT2NtTsO9XxDWCv9BAKpYADsqVJxGTys2yoO0/s1600/Screenshot+from+2017-01-06+11-30-46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8FrJwgr1DOM4mMUI8mFioM0hZFXhCHY14qCLbYy1COviInk7NO_uPyIGQyQ5eDHBtDCYmW7slpC1lzOcjU1LJJe3rfRHlcdPKvD8jGtJT2NtTsO9XxDWCv9BAKpYADsqVJxGTys2yoO0/s640/Screenshot+from+2017-01-06+11-30-46.png" width="640" /></a></div>
<br />
So after entering the A's, you'll see the program did indeed crash. Typing "i r" (short for "info registers") displays the registers and their contents. The main register to look at here is EIP, which contains the value "0x41414141" (41414141 is "AAAA" converted from ASCII to hex). EIP is the instruction pointer register: it holds the address of the next instruction to execute and so controls the execution flow of the program. By overwriting EIP, you can redirect execution to an address of your choosing.<br />
<br />
Also, after examining the memory ESP points to, at address 0xbffff8c0 (this may be different in your environment), by typing "x 0xbffff8c0" (short for "examine 0xbffff8c0") into the gdb console, I see my string landed there as well. This is the ideal place to point EIP.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEEyZs_lI0whmDKsgPInEOrmcGYLT9iInXdmqUIi-kWgcHXm7XzTEYixf1z-s8Tlu-34W0I0w3KWWoXm_6c2klgN0DdODLmT9i3W-QIJPPdmpojn91EK-WiOx4uCxv6m9Z_SN_Kux9ZbM/s1600/Screenshot+from+2017-01-06+11-31-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEEyZs_lI0whmDKsgPInEOrmcGYLT9iInXdmqUIi-kWgcHXm7XzTEYixf1z-s8Tlu-34W0I0w3KWWoXm_6c2klgN0DdODLmT9i3W-QIJPPdmpojn91EK-WiOx4uCxv6m9Z_SN_Kux9ZbM/s640/Screenshot+from+2017-01-06+11-31-33.png" width="640" /></a></div>
<br />
However, first I'll need to find the exact point at which the string overwrites EIP. To do this, I use pattern_create.rb, a Metasploit tool shipped with Kali Linux. It generates a non-repeating string, so the bytes that land in EIP identify exactly where in the input they came from. I ask for a string length of 1000 characters once again.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWE5wNsm7DxIYBQc-1MuLxXrG7im1svXLxSDjuJxPN9jiKQem73B29Rn8uyOZN03P6bQHTxem8Bo1lU_hcXs6Skbh2YPAByP6I5UOmOqM0U8TnowZAuJIApWzQphdgraFfW8ZJR7uIagU/s1600/Screenshot+from+2017-01-06+11-32-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWE5wNsm7DxIYBQc-1MuLxXrG7im1svXLxSDjuJxPN9jiKQem73B29Rn8uyOZN03P6bQHTxem8Bo1lU_hcXs6Skbh2YPAByP6I5UOmOqM0U8TnowZAuJIApWzQphdgraFfW8ZJR7uIagU/s640/Screenshot+from+2017-01-06+11-32-06.png" width="640" /></a></div>
<br />
Now that I have the string, I send it through the program which once again crashes.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLeWwdMauzgxLY5l4uSRDl5tnSJHVq7t5d4WF6MxYH0zfIlCxOLyG92uoAbgP4e2AdfxkfPSxJtl8H9AmP10-LTR3Ce68rPBqQ9aZDHyTnCCdFu-8nL-fqXfHkbqaYsMCz_UorBcBm8wk/s1600/Screenshot+from+2017-01-06+11-32-37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLeWwdMauzgxLY5l4uSRDl5tnSJHVq7t5d4WF6MxYH0zfIlCxOLyG92uoAbgP4e2AdfxkfPSxJtl8H9AmP10-LTR3Ce68rPBqQ9aZDHyTnCCdFu-8nL-fqXfHkbqaYsMCz_UorBcBm8wk/s640/Screenshot+from+2017-01-06+11-32-37.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkuQ5A2UPqYhBjQ0nLfwhnoFO3cxLexWtyK9w6H0zak7pRc6okF32iEOUGHL2XeGaEKkp6aCoREWzX7jW64Xt8Dep9tTc_uV87hrIW_b7tEo-4XAiGGPtMIWx11APC7L_o-EQtEUE5R8I/s1600/Screenshot+from+2017-01-06+11-33-12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkuQ5A2UPqYhBjQ0nLfwhnoFO3cxLexWtyK9w6H0zak7pRc6okF32iEOUGHL2XeGaEKkp6aCoREWzX7jW64Xt8Dep9tTc_uV87hrIW_b7tEo-4XAiGGPtMIWx11APC7L_o-EQtEUE5R8I/s640/Screenshot+from+2017-01-06+11-33-12.png" width="640" /></a></div>
<br />
Now I can copy the contents of EIP and plop it in another program (pattern_offset.rb) and find the exact spot in which EIP is overwritten.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0Ddz0obwChcDgXwBNuAUm5yXhqU9YTDgUvkWf-AaEsiIJA_txhPcv6-N8qVGy7HD9HLyUzrTlGVP9WumvU4pkmkNGU0NvYSjwmy6orA8uKXc7AFM37c68EtpbgNrlSDmEh4vQLzWKflY/s1600/Screenshot+from+2017-01-06+11-33-51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0Ddz0obwChcDgXwBNuAUm5yXhqU9YTDgUvkWf-AaEsiIJA_txhPcv6-N8qVGy7HD9HLyUzrTlGVP9WumvU4pkmkNGU0NvYSjwmy6orA8uKXc7AFM37c68EtpbgNrlSDmEh4vQLzWKflY/s640/Screenshot+from+2017-01-06+11-33-51.png" width="640" /></a></div>
<br />
Now that I know EIP is 268 bytes in, I modify my input a little. I use python to print 268 "A's" followed by 4 "B's" which should overwrite EIP.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsr3uaLxAjkbwuVT7eqTVjx4dzGfLJDEpDHhHZmG0Zk38kzIU5n7OuUSmmVTxXfkrB9O2W2Z8KNks7D0gCKIbzPYUVXIVkRHy9Opw8mWpcEGWcLa_Cu34WLFodb4WsRo0gZrf4TCs722c/s1600/Screenshot+from+2017-01-06+11-35-19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsr3uaLxAjkbwuVT7eqTVjx4dzGfLJDEpDHhHZmG0Zk38kzIU5n7OuUSmmVTxXfkrB9O2W2Z8KNks7D0gCKIbzPYUVXIVkRHy9Opw8mWpcEGWcLa_Cu34WLFodb4WsRo0gZrf4TCs722c/s640/Screenshot+from+2017-01-06+11-35-19.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIcO2j0Zv7UNvPQ2JliOWLKiWJ4IAVu2e0YW6xgEgbKSguYdoKVBmingIpQENfXetnD-4YRBCffrZPFL2P8zlz1Ga09xolRzb4kG4drMYlB1qB0fG7Bby5Jun4WBpFBXHNyAhOhDIPRjY/s1600/Screenshot+from+2017-01-06+11-35-25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIcO2j0Zv7UNvPQ2JliOWLKiWJ4IAVu2e0YW6xgEgbKSguYdoKVBmingIpQENfXetnD-4YRBCffrZPFL2P8zlz1Ga09xolRzb4kG4drMYlB1qB0fG7Bby5Jun4WBpFBXHNyAhOhDIPRjY/s640/Screenshot+from+2017-01-06+11-35-25.png" width="640" /></a></div>
<br />
Perfect! I see EBP still contains the "A's" and EIP now contains the "B's" (42 in hex), just as I'd planned. Next I check whether ASLR is enabled by reading "/proc/sys/kernel/randomize_va_space": a value of 2 means ASLR is enabled, and 0 means it has been disabled. I find it is disabled, which means ESP should contain a predictable address once our buffer length is set.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-ozz5jn6AqsqyLQVwF1IMZ3Yep4gbo87kvIKefW8AMxFGYHkbNpMacB3ZWmk2Wm3wePtnhavmnQ__QafjkD5-0eIY9VY-csLiBkb6aIusFqJ1XP_6LJu6zbxhY15Fsy0Zk7F9c_2G0d8/s1600/Screenshot+from+2017-01-06+11-39-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-ozz5jn6AqsqyLQVwF1IMZ3Yep4gbo87kvIKefW8AMxFGYHkbNpMacB3ZWmk2Wm3wePtnhavmnQ__QafjkD5-0eIY9VY-csLiBkb6aIusFqJ1XP_6LJu6zbxhY15Fsy0Zk7F9c_2G0d8/s640/Screenshot+from+2017-01-06+11-39-01.png" width="640" /></a></div>
<br />
Before I check the address at ESP, I add 16 no-operation or "NOP" ("\x90") instructions to the buffer. The NOP sled gives some slack: if execution lands anywhere in the NOPs it slides forward into the shellcode, so the jump to ESP does not have to be byte-exact. After I add the 16 NOPs, my pre-shellcode buffer length is set, so I can take note of the ESP register and overwrite EIP.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaEOMbi-7jsybPaYbwJDdi9qhGKAV9m_RTIOP2ZY3aV7ypL93YAaRCatawUj1y2izYdj0Hmdk3trA1Qguq8XiWPHFHbYDzq6gJU3vnoz-vhD1WyQQj0jKWSBgMgkJQh0u85iN1oGBjoVs/s1600/Screenshot+from+2017-01-06+11-40-24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaEOMbi-7jsybPaYbwJDdi9qhGKAV9m_RTIOP2ZY3aV7ypL93YAaRCatawUj1y2izYdj0Hmdk3trA1Qguq8XiWPHFHbYDzq6gJU3vnoz-vhD1WyQQj0jKWSBgMgkJQh0u85iN1oGBjoVs/s640/Screenshot+from+2017-01-06+11-40-24.png" width="640" /></a></div>
<br />
So from there, I see ESP is at the address 0xbffffb80 (again, note this may be different for you). I replace the "B's" in my buffer with the address in <a href="https://en.wikipedia.org/wiki/Endianness">little endian</a> format. My buffer now has 268 "A's" followed by the address of ESP in little endian format ("\x80\xfb\xff\xbf") followed by 16 NOP instructions ("\x90"). Now a shellcode of my choosing can be added to the buffer and will be executed within the SUID binary as the root user. I choose a simple <a href="http://shell-storm.org/shellcode/files/shellcode-827.php">23 byte "/bin/sh" shellcode</a>.<br />
<br />
Now that my final buffer is set, I run the program with my small python script appended and I get a beautiful root shell.<br />
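The overflow above works because the SUID binary copies its argument into a fixed-size stack buffer with no length check. What follows is an added example, not code from the Tr0ll: 2 VM or from this post: a C sketch of that bug shape beside a bounded version that rejects oversize input, plus a reader for the randomize_va_space sysctl checked above with the meaning of each value (the post mentions 0 and 2; 1 is the intermediate kernel setting). The 256-byte buffer size and all function names are assumptions; the real binary's source is not shown.<br />

```c
/* Added example (not from the Tr0ll: 2 walkthrough or its binary): the
 * stack-overflow bug shape the SUID binary is assumed to have, a bounded
 * version, and a reader for the ASLR sysctl checked above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INPUT_MAX 256   /* assumed buffer size; the real binary's is unknown */

/* 'Before': unbounded copy of a caller-controlled string into a fixed stack
 * buffer. Anything longer than INPUT_MAX-1 bytes runs past the buffer into
 * the saved EBP and the return address, which is what the walkthrough's
 * 268 A's + 4 B's demonstrate. Shown only for contrast; nothing here calls it. */
void vulnerable_handle(const char *input)
{
    char buf[INPUT_MAX];
    strcpy(buf, input);              /* no length check */
    printf("got: %s\n", buf);
}

/* 'After': bounded copy that refuses input that does not fit, rather than
 * truncating silently. Returns 0 on success, -1 if input would overflow. */
int hardened_handle(const char *input, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && input[n] != '\0')   /* never read past outsz bytes */
        n++;
    if (n == outsz)                          /* no room for the terminator */
        return -1;
    memcpy(out, input, n + 1);
    return 0;
}

/* Does hardened_handle accept a run of n 'A's into an INPUT_MAX buffer?
 * Returns 1 for accepted, 0 for rejected (or allocation failure). */
int hardened_accepts_len(size_t n)
{
    char out[INPUT_MAX];
    char *s = malloc(n + 1);
    int accepted;
    if (s == NULL)
        return 0;
    memset(s, 'A', n);
    s[n] = '\0';
    accepted = (hardened_handle(s, out, sizeof out) == 0);
    free(s);
    return accepted;
}

/* Meaning of the value in /proc/sys/kernel/randomize_va_space. */
const char *aslr_mode_description(int mode)
{
    switch (mode) {
    case 0:  return "disabled: stack, mmap and heap addresses are fixed";
    case 1:  return "conservative: stack and mmap randomized, brk heap not";
    case 2:  return "full: stack, mmap and brk heap randomized";
    default: return "unknown value";
    }
}

/* Reads the sysctl file at path; returns its integer, or -1 if unreadable. */
int read_aslr_mode(const char *path)
{
    FILE *f = fopen(path, "r");
    int mode = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &mode) != 1)
        mode = -1;
    fclose(f);
    return mode;
}

int main(void)
{
    int mode = read_aslr_mode("/proc/sys/kernel/randomize_va_space");
    printf("ASLR mode %d: %s\n", mode, aslr_mode_description(mode));
    printf("268-byte input accepted by hardened copy: %s\n",
           hardened_accepts_len(268) ? "yes" : "no");
    return 0;
}
```

Run it on the target and it reports the ASLR mode the post reads by hand; on a host with value 0, a fixed ESP address is exactly what makes the hard-coded "\x80\xfb\xff\xbf" return address work, and a 268-byte argument is rejected by the bounded copy instead of reaching the saved return address.<br />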
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaCXPHMuRwIoDkoOdkPsevraJ5FUR7-hNiZs9JJb92FBuhkANjD606CGqBVkClGfJycuIjYBusLjqsw6pOS5QJakxV3zNwEdBp0jx42ineLcjT451RHBUL7dPbU5UBrSJcMdsx4K9zHiE/s1600/Screenshot+from+2017-01-06+11-41-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaCXPHMuRwIoDkoOdkPsevraJ5FUR7-hNiZs9JJb92FBuhkANjD606CGqBVkClGfJycuIjYBusLjqsw6pOS5QJakxV3zNwEdBp0jx42ineLcjT451RHBUL7dPbU5UBrSJcMdsx4K9zHiE/s640/Screenshot+from+2017-01-06+11-41-39.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0B-zPnoGNCb8VZUfUf4kzFBFccTR0C_lXkdi8vfzfQT4bc7ZbnTkGRU6EoogaxSKaosmmUHCj7pbiRlfFHjaLlFfUOHjrPyAluQnOQTIY2Id9fgTRebh0zy3-6tx4qFlIu5lSWS5Cl88/s1600/Screenshot+from+2017-01-06+13-26-34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0B-zPnoGNCb8VZUfUf4kzFBFccTR0C_lXkdi8vfzfQT4bc7ZbnTkGRU6EoogaxSKaosmmUHCj7pbiRlfFHjaLlFfUOHjrPyAluQnOQTIY2Id9fgTRebh0zy3-6tx4qFlIu5lSWS5Cl88/s640/Screenshot+from+2017-01-06+13-26-34.png" width="640" /></a></div>
<br />
Boom. It's that easy. Of course, if you ignore everything you just read, you could just use <a href="https://www.exploit-db.com/exploits/40839/">Dirty COW</a> and pop a root shell that way.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPfDS7lv__LzBol2xoMP7MMNK8CyXJxzWcmDD_PFDgEMRQ0pgSuIYv3lDGraLlgchaMPskUAyZIGp834hIwLZyAhsP9JkyFfkpE4jdeijcwVLfDflsEsgf5BvZpkK9y0hem_VEETHpD94/s1600/Screenshot+from+2017-01-06+11-50-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPfDS7lv__LzBol2xoMP7MMNK8CyXJxzWcmDD_PFDgEMRQ0pgSuIYv3lDGraLlgchaMPskUAyZIGp834hIwLZyAhsP9JkyFfkpE4jdeijcwVLfDflsEsgf5BvZpkK9y0hem_VEETHpD94/s640/Screenshot+from+2017-01-06+11-50-17.png" width="640" /></a></div>
thisguyhacks (http://www.blogger.com/profile/01558267097437201225, noreply@blogger.com)<br />
<br />
tag:blogger.com,1999:blog-7704159136346282066.post-8097111815870437920, published 2016-12-23T14:37:00.000-08:00, updated 2016-12-24T02:57:57.116-08:00<br />
[VulnHub] Tr0ll: 1<br />
<br />
Starting off, an nmap script scan displays a few things of note. The FTP server allows anonymous access and shows an interesting packet capture file. Also, a "secret/" directory was found in robots.txt which, judging by the name of the VM, is surely not the right rabbit hole.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ2_gs9QB20m3ahWvmoFHnBzr_pwhHPgVDvXgV1B5lFQNSrhAVM-5RIJjBRz0pjxIfzJsSoxa-U4VJ7q2HicVRI1UOma9fTAsDMOjdNwKBXODzRTVswrFW1xkhPHIhA7UuO73EOwazqfM/s1600/Screenshot+from+2016-12-17+20-36-00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ2_gs9QB20m3ahWvmoFHnBzr_pwhHPgVDvXgV1B5lFQNSrhAVM-5RIJjBRz0pjxIfzJsSoxa-U4VJ7q2HicVRI1UOma9fTAsDMOjdNwKBXODzRTVswrFW1xkhPHIhA7UuO73EOwazqfM/s640/Screenshot+from+2016-12-17+20-36-00.png" width="640" /></a></div>
<br />
Sure enough, visiting the directory...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiISyKJ4tgxXW1Ma-86K4bpaLstJz-oMs9HdJwXYaV2QNEWEtiEIdGlhmRHLJawrQA34fGNBngl3WJ50ozO6oETcBlNtIkQyNt_-Bug-J-ZELjWQHYh-p458KLH0ZUwgZlwKJ_d3aLWp-g/s1600/Screenshot+from+2016-12-23+17-28-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiISyKJ4tgxXW1Ma-86K4bpaLstJz-oMs9HdJwXYaV2QNEWEtiEIdGlhmRHLJawrQA34fGNBngl3WJ50ozO6oETcBlNtIkQyNt_-Bug-J-ZELjWQHYh-p458KLH0ZUwgZlwKJ_d3aLWp-g/s640/Screenshot+from+2016-12-23+17-28-17.png" width="640" /></a></div>
<br />
Gr8 b8 m8. After logging in to the FTP server and downloading the "lol.pcap" file, I take a closer look in Wireshark. It looks like a capture of a useless FTP session. However, halfway down I found something of interest.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9nGCRyB8CKqTmVd4KiMgM56DRDATZ8Hu8URg9MIBaTgFksZcbNK1W-U7mc5AKs1c2vNJc8zv992UYdoRyGk_9pl3mK4kv-oIs3QF_6a00o_ygfIGP3HSTQME3PepOeWYKVACAfGLAlp4/s1600/Screenshot+from+2016-12-17+20-57-49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9nGCRyB8CKqTmVd4KiMgM56DRDATZ8Hu8URg9MIBaTgFksZcbNK1W-U7mc5AKs1c2vNJc8zv992UYdoRyGk_9pl3mK4kv-oIs3QF_6a00o_ygfIGP3HSTQME3PepOeWYKVACAfGLAlp4/s640/Screenshot+from+2016-12-17+20-57-49.png" width="640" /></a></div>
<br />
Visiting the newly found "sup3rs3cr3tdirlol/" in the webserver, I found a file called "roflmao."<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnaSwQfu_ZBMNsaXuPz5Z0VPJF6MrhNOCeN5yxeA-f-E8qnaKfRiE9DsLslBZtIAzHbmM4M4LgI2CIexo-gRUgMwhd88rQtHFA1moaQLL1LxgGC8MAI5NonBs9dkc8WExqscofbKxjiAQ/s1600/Screenshot+from+2016-12-23+18-25-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnaSwQfu_ZBMNsaXuPz5Z0VPJF6MrhNOCeN5yxeA-f-E8qnaKfRiE9DsLslBZtIAzHbmM4M4LgI2CIexo-gRUgMwhd88rQtHFA1moaQLL1LxgGC8MAI5NonBs9dkc8WExqscofbKxjiAQ/s640/Screenshot+from+2016-12-23+18-25-02.png" width="640" /></a></div>
<br />
Upon further inspection, it appears to be a binary, and after executing it, I see what appears to be a memory address of some sort.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUmGIh-7bTH0Jit-CSHZ5FsEUoDCtLyLh0LOx1e3Pc3Rm24umYqbZjKVkQ3Km7EMXnsFhmXqOdUpK1tTOWFaTeSTMrUKBC8GzjUP9Q0CXbBMhOJ7WsSdP-zcobtybrCqY69JKPyMPqv0c/s1600/Screenshot+from+2016-12-17+20-59-37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUmGIh-7bTH0Jit-CSHZ5FsEUoDCtLyLh0LOx1e3Pc3Rm24umYqbZjKVkQ3Km7EMXnsFhmXqOdUpK1tTOWFaTeSTMrUKBC8GzjUP9Q0CXbBMhOJ7WsSdP-zcobtybrCqY69JKPyMPqv0c/s640/Screenshot+from+2016-12-17+20-59-37.png" width="640" /></a></div>
<br />
My first instinct was to use edb-debugger to perhaps find something to do with the address mentioned in the executable. Fortunately, I didn't waste much time (20 minutes lol) because after pasting the address in to the web browser...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisY5a8rmtPu27E1ZLFK5MBaqZUHaNKw8SSfWBdGKk-VmXWO4v-XLJtKibvJzr_pJJQ_KWLylmX5fEtxxRcTEngdz0sG1bKB6U_fLH6F-tKqMenulNrePO964poiyU87OfJryXMyak72GY/s1600/Screenshot+from+2016-12-23+17-45-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisY5a8rmtPu27E1ZLFK5MBaqZUHaNKw8SSfWBdGKk-VmXWO4v-XLJtKibvJzr_pJJQ_KWLylmX5fEtxxRcTEngdz0sG1bKB6U_fLH6F-tKqMenulNrePO964poiyU87OfJryXMyak72GY/s640/Screenshot+from+2016-12-23+17-45-39.png" width="640" /></a></div>
<br />
Yeah... Anyway, I find what looks like a username list and a password list (Pass.txt) in the respective directories, so I decide to go ahead and start brute forcing SSH. It took me a while, but "Pass.txt" is literally the password for the "overflow" user.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ1w7T0nmTF_twSLGP6EFk4J2dTW4LL12-3jp9Zl1JWiZZLBn6QY7DLFNRn64iG3sZtt44SF96PPj2Ff5j3_rCODmYYMWXHkUzpzYoQiVBO-pBV3cXc4Ks96te5qxVuXAKFgvbJqB0Mtc/s1600/Screenshot+from+2016-12-17+21-11-38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ1w7T0nmTF_twSLGP6EFk4J2dTW4LL12-3jp9Zl1JWiZZLBn6QY7DLFNRn64iG3sZtt44SF96PPj2Ff5j3_rCODmYYMWXHkUzpzYoQiVBO-pBV3cXc4Ks96te5qxVuXAKFgvbJqB0Mtc/s640/Screenshot+from+2016-12-17+21-11-38.png" width="640" /></a></div>
<br />
Within minutes, I can tell escalation is going to be annoying because I'm getting kicked off seemingly randomly and my "/tmp/" files keep getting deleted. I figure this is the work of a cron job, so I take a look at "cron.log."<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCgtrBkKM4GpsGR8r8DxefgjahyphenhyphenlKd8YXfMG-0Vl79xVrvVFi9MypfalVObmPygBs82ZWbJlKhx3uIUlZQfNHwBs1xqUIGRxwZxQDmt3ZXI9Cady1gCuLyh-tqU1HzQL6BrFKmSJDIIpk/s1600/Screenshot+from+2016-12-23+17-58-58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="50" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCgtrBkKM4GpsGR8r8DxefgjahyphenhyphenlKd8YXfMG-0Vl79xVrvVFi9MypfalVObmPygBs82ZWbJlKhx3uIUlZQfNHwBs1xqUIGRxwZxQDmt3ZXI9Cady1gCuLyh-tqU1HzQL6BrFKmSJDIIpk/s640/Screenshot+from+2016-12-23+17-58-58.png" width="640" /></a></div>
<br />
Taking a look at the file, I see this is indeed what is removing my tmp files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDm4zJ7Z1BIvh-IAopibH2t4FQMyXTmyIS5Oy303XsdaLOtOr1mepIbadDiMHDklqo0kp9yDQhUo8838JrNBKK4CeoKDZe8l_-zNhUTsjIkYS12kw_WgXazXI7V_IbQ5li3IVUp7rJXF8/s1600/Screenshot+from+2016-12-23+18-08-05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDm4zJ7Z1BIvh-IAopibH2t4FQMyXTmyIS5Oy303XsdaLOtOr1mepIbadDiMHDklqo0kp9yDQhUo8838JrNBKK4CeoKDZe8l_-zNhUTsjIkYS12kw_WgXazXI7V_IbQ5li3IVUp7rJXF8/s640/Screenshot+from+2016-12-23+18-08-05.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
I also see this script, cleaner.py, is writable by my user, meaning I can simply create a setuid binary and have the cron job give it root ownership and the setuid bit, and I should be good. I create a simple setuid C program and compile it in the tmp directory.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWJg4kDIA2xkp24WGSy_l9Q6qOS7ivrSMayWxpByVirnA9a4uhcVeHje1Q03ORxvR2Rtpx5fhyuMNfwjpaulMz0v3uk8gTKd52i9XyZXAUgZpHskMeG_HApOjNxvBjl1h_XjcutQfIxMM/s1600/Screenshot+from+2016-12-18+20-18-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWJg4kDIA2xkp24WGSy_l9Q6qOS7ivrSMayWxpByVirnA9a4uhcVeHje1Q03ORxvR2Rtpx5fhyuMNfwjpaulMz0v3uk8gTKd52i9XyZXAUgZpHskMeG_HApOjNxvBjl1h_XjcutQfIxMM/s640/Screenshot+from+2016-12-18+20-18-21.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji5JawZqM8YD0xqOVSNkogOx7L0kKu6MbHUUxJIdEd2EcN5Y7W5j9gmCqdi8A2CHWzl-j4f7iQRoruSFdCXTiMWYP7QRR6DNseqxoQDwq8Np48QpgkIT_xnGFVGWysO58K732w4c0J4SE/s1600/Screenshot+from+2016-12-23+18-12-11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="50" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji5JawZqM8YD0xqOVSNkogOx7L0kKu6MbHUUxJIdEd2EcN5Y7W5j9gmCqdi8A2CHWzl-j4f7iQRoruSFdCXTiMWYP7QRR6DNseqxoQDwq8Np48QpgkIT_xnGFVGWysO58K732w4c0J4SE/s640/Screenshot+from+2016-12-23+18-12-11.png" width="640" /></a></div>
<br />
Then I modify the cleaner.py script to give the file root permissions and set the setuid bit.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBG8pjJKbBQHDfVBbc6W4QDnnPjmkuQ-TL6-823kJNWPZgFY40i1f0BWcu09RM_0Mcl_1SWbNhv4XJ7iMupZyTOunVRgd-adkq8i8F140jVgPAFYb4cuVx-80C4qypSokA3ekGltyOD3g/s1600/Screenshot+from+2016-12-23+18-12-46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBG8pjJKbBQHDfVBbc6W4QDnnPjmkuQ-TL6-823kJNWPZgFY40i1f0BWcu09RM_0Mcl_1SWbNhv4XJ7iMupZyTOunVRgd-adkq8i8F140jVgPAFYb4cuVx-80C4qypSokA3ekGltyOD3g/s640/Screenshot+from+2016-12-23+18-12-46.png" width="640" /></a></div>
<br />
After "ls -al"-ing a few times, I see the file permissions change and I'm able to execute the program and become root!<br />
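The root cron job here is worth auditing for on hosts you defend: a script that root runs on a schedule but that a lower-privileged account can edit hands out root to whoever touches it. The following check is an added example written for this write-up, not code from the original post or from the VM; it parses a crontab-format file, picks out the absolute paths it mentions, and reports the regular files among them that are group- or world-writable. It assumes the `ls -ld` column layout shared by GNU and BSD userlands, and the cron locations listed in audit_system_cron are the usual Debian ones.

```shell
#!/bin/sh
# Added example: flag cron targets that a non-root user could modify.
# Works on any crontab-format file (/etc/crontab, files in /etc/cron.d).

# Return 0 if the group or "other" write bit is set on the given path.
# Columns 6 and 9 of `ls -ld` are the group and other write flags, which
# keeps this portable across GNU and BSD userlands.
is_loosely_writable() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print every absolute path referenced by non-comment lines of the
# crontab-format file "$1" that is an existing regular file and is
# group/other writable: the state cleaner.py was found in above.
# Only regular files are considered, so /dev/null in a redirection
# does not produce a false positive.
writable_cron_targets() {
    grep -v '^[[:space:]]*#' "$1" | grep -o '/[^[:space:]]*' | sort -u |
    while IFS= read -r path; do
        if [ -f "$path" ] && is_loosely_writable "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Walk the common Debian system cron locations and report findings
# as "<crontab file>: <writable target>".
audit_system_cron() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        writable_cron_targets "$f" | sed "s|^|$f: |"
    done
}

# Typical use on a live host: audit_system_cron
```

A silent run means no root cron target on the host can be rewritten by group or world; a line of output is exactly the foothold this write-up used.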
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh90vb60BJMtEt9Ng3mPseYdmR7ffkBKOZ15PBj5sps_ofcNzyTxDCYcE0RTRRmMgAPO6mxeSnuIdID6WkJAcni4r0C3wf8_1YLv2fKr_29cqns2bMNWz575c5BbiBv3jVs-YpC2aW7YII/s1600/Screenshot+from+2016-12-17+21-40-14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh90vb60BJMtEt9Ng3mPseYdmR7ffkBKOZ15PBj5sps_ofcNzyTxDCYcE0RTRRmMgAPO6mxeSnuIdID6WkJAcni4r0C3wf8_1YLv2fKr_29cqns2bMNWz575c5BbiBv3jVs-YpC2aW7YII/s640/Screenshot+from+2016-12-17+21-40-14.png" width="640" /></a></div>
<br />
This was a very fun VM and it did actually remind me of working in the OSCP labs. I look forward to making time for Tr0ll 2.<br />
<br />
[VulnHub] HackDay: Albania (posted 2016-12-09)<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">A good old nmap script scan grabs robots.txt from the HTTP server and displays its contents for us.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDpgEVjH0y2Vlozi6WAluydtJC0K04ynhuz1qyipmea0eGqniriNF286Ag8P1oOj8uLbLP2VKUART6AwjwliQqBb0XCMwolh5wiixX2wmKHZNQOjm-wrvpykgaq2Yj-7LoFOCmf6w3Wxc/s1600/Screenshot+from+2016-12-09+08-53-50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDpgEVjH0y2Vlozi6WAluydtJC0K04ynhuz1qyipmea0eGqniriNF286Ag8P1oOj8uLbLP2VKUART6AwjwliQqBb0XCMwolh5wiixX2wmKHZNQOjm-wrvpykgaq2Yj-7LoFOCmf6w3Wxc/s640/Screenshot+from+2016-12-09+08-53-50.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">The first few directories I visited gave me an interesting little philosoraptor meme in Albanian. Google Translate tells me this says "Is this a proper directory, or are jerk." Interesting.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2eHPvT1IkWLDqhJ7qLlBjzq6PvSJSbYkjLh-PNZVJZUiiFARHRG3dOH-Cmo4-81zY-yx9oBdV0Sci2G39lDA6b2aQeHyDBc-J3arZaljG5hyphenhyphenRWFEIpnSLnBHlAXMBzpmE3ef7pleEIRw/s1600/Screenshot+from+2016-12-08+13-35-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2eHPvT1IkWLDqhJ7qLlBjzq6PvSJSbYkjLh-PNZVJZUiiFARHRG3dOH-Cmo4-81zY-yx9oBdV0Sci2G39lDA6b2aQeHyDBc-J3arZaljG5hyphenhyphenRWFEIpnSLnBHlAXMBzpmE3ef7pleEIRw/s400/Screenshot+from+2016-12-08+13-35-30.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">Looking at the directories in list form, two things become clear:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">1. The creator of the VM is a fan of the Billy Madison VM (/exschmenuating/).</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">2. All the directories are in alphabetical order with the exception of /unisxcudkqjydw/.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFdZupzVwC-pXjSST5CzcAkZXp4fsR1tkwCqRguUmyQx0-KBFJSJ8Y55DO-BFWifNpEeIs8PVTmEr5Kc36xZlIfApNeIC9P5HDdYylyUzv1nQ5SoRpLGPse_OcbbFiS8_5EUDQ-_VHt2o/s1600/Screenshot+from+2016-12-08+13-02-27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFdZupzVwC-pXjSST5CzcAkZXp4fsR1tkwCqRguUmyQx0-KBFJSJ8Y55DO-BFWifNpEeIs8PVTmEr5Kc36xZlIfApNeIC9P5HDdYylyUzv1nQ5SoRpLGPse_OcbbFiS8_5EUDQ-_VHt2o/s640/Screenshot+from+2016-12-08+13-02-27.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">Going to the directory in Firefox...</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdyux5DKLqvsdx4waw1GLFNF7bVVLyTqmqr7OM_7EGlbYF2_U0Wt-r0YXiaJk67q35kUv8xBT6eNXJT0rxw3QYAhJmDkrwxYSkU7SnOkcJGZjgNf_1vi9V6MggUcECaOZqT8o3NSpLa2Y/s1600/Screenshot+from+2016-12-08+13-06-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdyux5DKLqvsdx4waw1GLFNF7bVVLyTqmqr7OM_7EGlbYF2_U0Wt-r0YXiaJk67q35kUv8xBT6eNXJT0rxw3QYAhJmDkrwxYSkU7SnOkcJGZjgNf_1vi9V6MggUcECaOZqT8o3NSpLa2Y/s400/Screenshot+from+2016-12-08+13-06-10.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">Yep. I eventually ended up at "/unisxcudkqjydw/vulnbank/client/login.php" and was greeted with a login page.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7p7PBTjvbxG9CWw6Eveuk3CEAe-EeDMskwQT4WBRP4WQdHh-FixqpdUu969oQLZZBpPX5QCR1nMO0mPdUA_3zFRlFGXrhjUbaeZUMB5QUOJL1XkOWwPKyd7mdN4o4eD99dfA9dxgc8dc/s1600/Screenshot+from+2016-12-08+13-39-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7p7PBTjvbxG9CWw6Eveuk3CEAe-EeDMskwQT4WBRP4WQdHh-FixqpdUu969oQLZZBpPX5QCR1nMO0mPdUA_3zFRlFGXrhjUbaeZUMB5QUOJL1XkOWwPKyd7mdN4o4eD99dfA9dxgc8dc/s640/Screenshot+from+2016-12-08+13-39-33.png" width="640" /></a></span></div>
<br />
Trying some basic SQL injection techniques, I got a promising error message.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiue6LTvSfpj9TET_g2XknrfYCeVl4mLvOOLyDFM4y8x2KbAGegGaGR74rxx4K8W4ZXNeAli0Me2dhp1ZEq-8ePR3icGF6X-FNLkYVUEFxmhdwJvrYkkbBhjDVfFjEfELGCzeaAjrQy0Eo/s1600/Screenshot+from+2016-12-08+13-46-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiue6LTvSfpj9TET_g2XknrfYCeVl4mLvOOLyDFM4y8x2KbAGegGaGR74rxx4K8W4ZXNeAli0Me2dhp1ZEq-8ePR3icGF6X-FNLkYVUEFxmhdwJvrYkkbBhjDVfFjEfELGCzeaAjrQy0Eo/s640/Screenshot+from+2016-12-08+13-46-13.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I decided to play around with some basic payloads and quickly had success using a username of "test' || 1=1;#". Not only did I get in, but I also became €25,000 richer! Somewhere, a Nigerian prince is proud!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQZb79SGK8mDOLdFqZo0w_uRXP18rg4HPIaRboBibwVQk6ZeKetQ8Rva83lRALTfxKhmmlKzesQ4duW1iSKy2hCw3eOOf_p1QXXmOWghUrfQ5lp_LiFPMp71VJlDyycYEaVMv9szv3AbY/s1600/Screenshot+from+2016-12-08+14-21-56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="269" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQZb79SGK8mDOLdFqZo0w_uRXP18rg4HPIaRboBibwVQk6ZeKetQ8Rva83lRALTfxKhmmlKzesQ4duW1iSKy2hCw3eOOf_p1QXXmOWghUrfQ5lp_LiFPMp71VJlDyycYEaVMv9szv3AbY/s640/Screenshot+from+2016-12-08+14-21-56.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Uploading the plain old "php-reverse-shell.php" file didn't work. However, simply adding the extension ".jpg" allowed me to upload the file. Once uploaded, I simply clicked "View Ticket" and I get a beautiful reverse shell.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwTPevrw1f4Msj0yMuJDXjuxaxirfPgM4S10Uu73veWooDg8HJ7hGKyyjQ0QCrOZaQTE4TD0iORzc-fberkZ2jayMF8L9NF7L_Aacy_zlsT5Q36FzIViWC3Hnv8NaIdKxlVv0-H7F90zI/s1600/Screenshot+from+2016-12-09+07-28-24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwTPevrw1f4Msj0yMuJDXjuxaxirfPgM4S10Uu73veWooDg8HJ7hGKyyjQ0QCrOZaQTE4TD0iORzc-fberkZ2jayMF8L9NF7L_Aacy_zlsT5Q36FzIViWC3Hnv8NaIdKxlVv0-H7F90zI/s640/Screenshot+from+2016-12-09+07-28-24.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I immediately notice a user "taviso" in the home directory, but I couldn't find an easy password. It also soon became clear there weren't going to be any kernel exploits either. After an hour or two of searching, I eventually go ahead and reference <a href="https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/">g0tm1lk's privilege escalation guide</a>, which led me to check file permissions in the /etc/ directory. I found /etc/passwd to be writable.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge6qGDayF_glG6k__FvkJnao8bxqvY1rDhoLhgUqaHMn4kQcDUr-5omwpZ2i4E9D7KlD54VP1Uvjb30OlWP7Og8mLcxSuCTpQbBsZJuDxqWE_vrBuzWEyfigQ1_1ZLNLcqoQCZ2CN7knY/s640/Screenshot+from+2016-12-09+07-43-28.png" width="640" /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now that I knew I could edit /etc/passwd, I decided to simply edit the password of the "taviso" user, since this user was in the sudo group. First, I copied and pasted the contents of the /etc/passwd file into a file in my attacking machine's web server root. I then created a password hash using openssl.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY7g6uXB6Y9zkDdXgGwSqBx5OafA08Mk5YGvW-w7WtLHoqbEYSckspcB_74EXCTvkwdhwniO2NGz_gxQfZYKrFPUB4uKHd3Z-swKb_TmzjPEL-baaykfUNiByiA658Aw8EjaXGG8YgLMY/s1600/Screenshot+from+2016-12-09+07-53-14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="56" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY7g6uXB6Y9zkDdXgGwSqBx5OafA08Mk5YGvW-w7WtLHoqbEYSckspcB_74EXCTvkwdhwniO2NGz_gxQfZYKrFPUB4uKHd3Z-swKb_TmzjPEL-baaykfUNiByiA658Aw8EjaXGG8YgLMY/s640/Screenshot+from+2016-12-09+07-53-14.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Then I simply placed the new password hash where the "x" is located in the /etc/passwd file next to the user "taviso."</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYc6MNux-I_YHgNT6uHSQwIn3HtXenMs7jT_kh0fKgfai-fW7L7ZMU9RES6BDqGU67da3HvPHE32mirGT9eEfgsKplodTEOTIoHOmgbuc7NHNMWobTUD9_s_CAiNbd5mwQAAscGNAave8/s1600/Screenshot+from+2016-12-09+07-59-30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYc6MNux-I_YHgNT6uHSQwIn3HtXenMs7jT_kh0fKgfai-fW7L7ZMU9RES6BDqGU67da3HvPHE32mirGT9eEfgsKplodTEOTIoHOmgbuc7NHNMWobTUD9_s_CAiNbd5mwQAAscGNAave8/s640/Screenshot+from+2016-12-09+07-59-30.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I then used wget to download the newly created passwd file onto the target machine and replaced the old passwd file. Logging in as taviso worked and I was able to become root!</div>
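The trick above works because the login path honours a hash placed directly in the second field of /etc/passwd instead of the usual "x" that defers to /etc/shadow, so two things are worth checking on a host you defend: that /etc/passwd is not writable by anyone but root, and that no entry carries a real hash or an empty password field. The following audit is an added example written for this write-up, not the VM's or the author's code; it assumes the `ls -ld` column layout shared by GNU and BSD userlands, and the passwd files in the test are constructed.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the two conditions abused
# above (a writable file, and an entry that bypasses /etc/shadow).
# Takes the file as "$1" so it can be pointed at a copy for testing.

# Return 0 if the group or "other" write bit is set on the given path
# (columns 6 and 9 of `ls -ld` are the group and other write flags).
is_loosely_writable() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the user names whose password field is not a shadow placeholder.
# "x" defers to /etc/shadow; "*", "!" and "!!" lock the account. Anything
# else is either a hash the system will accept at login (the taviso edit
# above) or an empty field, which means no password at all.
unshadowed_passwd_entries() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!+$/ { print $1 }' "$1"
}

# Full report for one passwd-format file; returns 1 if anything was found
# so it can gate a configuration check.
audit_passwd_file() {
    findings=0
    if is_loosely_writable "$1"; then
        printf '%s is writable by group or others\n' "$1"
        findings=1
    fi
    for user in $(unshadowed_passwd_entries "$1"); do
        printf '%s: password field of %s is not a shadow placeholder\n' "$1" "$user"
        findings=1
    done
    return "$findings"
}

# Typical use on a live host: audit_passwd_file /etc/passwd
```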
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCsK6NHlEL_JIAU88A1bdeewicLHVEE-40hMe6dqYwUAdF_yUFitBx-ZWlfSXS7lW77-817nzzUx2uO9cBP41rHYQiCgg2vSxZMxkPZOkgA-jQOo6n8-1c18PaxtvVlWyj0bEcYZgt1GE/s1600/Screenshot+from+2016-12-09+08-01-12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCsK6NHlEL_JIAU88A1bdeewicLHVEE-40hMe6dqYwUAdF_yUFitBx-ZWlfSXS7lW77-817nzzUx2uO9cBP41rHYQiCgg2vSxZMxkPZOkgA-jQOo6n8-1c18PaxtvVlWyj0bEcYZgt1GE/s640/Screenshot+from+2016-12-09+08-01-12.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Overall, I quite enjoyed the VM, specifically the privilege escalation part, and I definitely enjoyed the humor sprinkled throughout. I would definitely recommend this VM to you if you hadn't just read the spoilers.</div>