I created this machine to help others learn some basic CTF hacking strategies and tools. I aimed for it to be very similar in difficulty to the machines I was breaking during the OSCP. This is a walkthrough to guide those who get stuck through the challenge. It is a boot-to-root machine and does not require any guest interaction.
Note: there is one way in to the initial low-privilege shell and two different root privilege escalations.
The OVA can be found at: Vulnhub.
Upon booting up the machine I ran a full TCP port scan of the host, and only SSH is open.
Knock Friend? 1,2,3? That seems like port knocking to me...
After knocking, another full nmap scan reveals that a web server has opened!
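The knock sequence hinted at by the SSH banner is also something a defender can watch for: a host that opens a port after three SYNs in a fixed order is visible in firewall logs. The following is an added example (not code from the original walkthrough or the machine) that detects an in-order 1,2,3 knock from one source within a time window; the log layout, the `KNOCK:` prefix and the ten-second window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# The sequence hinted at by the SSH banner; the window is an assumption for this example.
KNOCK_SEQUENCE = (1, 2, 3)
WINDOW_SECONDS = 10

# Constructed sample lines in an iptables/syslog style (not captured from the machine).
# Assumes a LOG rule with prefix "KNOCK:" for SYNs to the knock ports.
SAMPLE_LOG = """\
Jan 10 12:00:01 lotr kernel: KNOCK: IN=eth0 SRC=192.168.56.20 DST=192.168.56.10 PROTO=TCP DPT=1 SYN
Jan 10 12:00:02 lotr kernel: KNOCK: IN=eth0 SRC=192.168.56.20 DST=192.168.56.10 PROTO=TCP DPT=2 SYN
Jan 10 12:00:03 lotr kernel: KNOCK: IN=eth0 SRC=192.168.56.20 DST=192.168.56.10 PROTO=TCP DPT=3 SYN
Jan 10 12:00:04 lotr kernel: KNOCK: IN=eth0 SRC=192.168.56.30 DST=192.168.56.10 PROTO=TCP DPT=1 SYN
Jan 10 12:00:05 lotr kernel: KNOCK: IN=eth0 SRC=192.168.56.30 DST=192.168.56.10 PROTO=TCP DPT=3 SYN
Jan 10 12:00:06 lotr kernel: KNOCK: IN=eth0 SRC=192.168.56.30 DST=192.168.56.10 PROTO=TCP DPT=2 SYN
"""

LINE_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2}) \S+ kernel: KNOCK: .*?SRC=(\S+) .*?DPT=(\d+)")


def parse_events(log_text):
    """Return [(seconds_since_midnight, src, dport)] for every KNOCK line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        h, mi, s, src, dpt = m.groups()
        events.append((int(h) * 3600 + int(mi) * 60 + int(s), src, int(dpt)))
    return events


def find_knock_sequences(log_text, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return [(src, time)] for each source that hit the ports in order within the window."""
    progress = defaultdict(lambda: (0, None))  # src -> (next index expected, time of first knock)
    hits = []
    for t, src, port in parse_events(log_text):
        idx, start = progress[src]
        if idx > 0 and t - start > window:
            idx, start = 0, None  # too slow: the partial sequence expires
        if port == sequence[idx]:
            if idx == 0:
                start = t
            idx += 1
        else:
            # Out-of-order knock: restart, counting this one if it is the first port.
            idx, start = (1, t) if port == sequence[0] else (0, None)
        if idx == len(sequence):
            hits.append((src, f"{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}"))
            idx, start = 0, None
        progress[src] = (idx, start)
    return hits


if __name__ == "__main__":
    for src, when in find_knock_sequences(SAMPLE_LOG):
        print(f"{src} completed the knock sequence at {when}")
```

In the sample, only the first source completes the sequence; the second hits the right ports in the wrong order and is ignored. A real deployment would feed this from the firewall's log rule for the knock ports and alert on any completion from an unexpected source.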
An examination of the web app with Nikto and Dirb turns up nothing of interest, but manual testing and inspection did find some things.
There is, however, a comment on the 404 page...
The comment looks like base64, so we decode it:
The decoded URL takes us to a PHP login page that is vulnerable to SQL injection!
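The login page is vulnerable because user input is spliced into the SQL text. The following added example (not the machine's PHP code, and not from the original walkthrough) reproduces that defect in Python against an in-memory SQLite table and places the parameterised fix beside it; the table, account and credentials are constructed for the demo.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account (plaintext only to keep the demo
    short; a real application stores a password hash, not the password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('frodo', 'example-pass')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text by string formatting, so a quote in the input rewrites the WHERE clause."""
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data and cannot change the query's structure."""
    query = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both versions with real credentials and with the classic tautology payload."""
    conn = make_db()
    bypass = "' OR '1'='1"
    return {
        "vulnerable_with_creds": login_vulnerable(conn, "frodo", "example-pass"),
        "vulnerable_with_injection": login_vulnerable(conn, "nobody", bypass),
        "safe_with_creds": login_safe(conn, "frodo", "example-pass"),
        "safe_with_injection": login_safe(conn, "nobody", bypass),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The vulnerable version accepts the tautology because the query becomes `... AND password='' OR '1'='1'`; the parameterised version compares the whole string against the stored password and rejects it. In PHP the same fix is a prepared statement via PDO or mysqli.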
The MySQL root password was also weak:
We have a low-privilege shell!
There are two privilege escalations, and both are described below.
Escalation A: Buffer overflow
We found a SUID binary vulnerable to a buffer overflow in the /SECRET directory. There are three files, and when you compare their sizes, one is smaller than the other two. The smaller one is the buffer overflow binary.
We copied the file we were developing the exploit against into /tmp, so we didn't have to deal with the files being switched, and verified the crash.
Next, we download GDB PEDA. This GDB extension is the absolute best for exploit development!
We verified the crash in PEDA using our exploit code. Notice that we have overwritten EIP with 0x41414141, the ASCII characters "AAAA".
We also check the binary for security mitigations, and there are none.
HOWEVER, ASLR is enabled on the system.
Using GDB PEDA, we find our EIP offset.
Next, we verify that we control the EIP register: the crash is now at 0x42424242, which is "BBBB".
Now that we know we have ASLR to circumvent, we need to modify our exploit code.
Because ASLR randomizes the address space and there are no usable jmp esp instructions, we do not have a predefined location in memory to return to. This means we need to brute-force the solution. I ran the program in GDB a handful of times to get a feeling for where the stack was landing on execution, since it is different every time. I noticed that the address always started with BF and only the last six hex digits changed, so I chose CC for the next byte because it was in the middle of my random sample of stack locations. The last four digits I used were arbitrary. Next we make a GIANT NOP sled: I used 20480 bytes, but it could potentially be larger.
Lastly, I wrote code to find the smallest of the buffer overflow files to run, in case the files get switched mid-run, and put the whole thing in a while loop so it runs indefinitely. If we get a segfault, the loop replays the request; if we land in our shellcode, it stops on the shell and gives us shell access.
This was our final code:
Note: you will notice a back-off in the os call. This is expected because os.system is a blocking call. You could make it non-blocking to improve the script, but I used os.system as a quick and dirty solution.
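The reasoning above (the address always starts with BF, only the low bytes move, so pick the middle of the observed range and cover as much of it as possible with a sled) can be quantified, which also shows why this only works because 32-bit stack ASLR leaves so little to guess. The following added example (not code from the walkthrough) models a fixed return-address guess against a stack start that is uniform over the observed range and computes how many attempts the sled buys; the sample addresses are constructed and illustrative, not values from the challenge binary.

```python
# Constructed sample of stack addresses seen across several runs under the debugger
# (illustrative values only, not taken from the challenge binary).
OBSERVED_ESP = [0xBFA1F3C0, 0xBFE27A10, 0xBFC9D2F0, 0xBFB4E8A0, 0xBFD7C130, 0xBFCC4F60]


def address_span(addresses):
    """Lowest and highest address seen, and the midpoint between them."""
    low, high = min(addresses), max(addresses)
    return low, high, (low + high) // 2


def sled_coverage(addresses, sled_len, guess=None):
    """Estimate how a fixed return-address guess fares against a stack that moves every run.

    Model: the payload (sled of sled_len bytes, then shellcode) starts at address S, which is
    uniform over [low, high]. Jumping to `guess` lands inside the sled only when
    guess - sled_len < S <= guess. Returns the number of S values that satisfy this, the
    per-attempt hit probability, and the expected number of attempts before a hit.
    """
    low, high, mid = address_span(addresses)
    if guess is None:
        guess = mid
    span = high - low + 1
    # Clip the acceptable window to the observed range so edge guesses are handled.
    first_ok = max(guess - sled_len + 1, low)
    last_ok = min(guess, high)
    hits = max(0, last_ok - first_ok + 1)
    probability = hits / span
    expected = span / hits if hits else float("inf")
    return {
        "span_bytes": span,
        "guess": guess,
        "hits": hits,
        "hit_probability": probability,
        "expected_attempts": expected,
    }


if __name__ == "__main__":
    low, high, mid = address_span(OBSERVED_ESP)
    print(f"observed stack range 0x{low:08X}-0x{high:08X}, midpoint 0x{mid:08X}")
    for sled in (256, 20480):
        r = sled_coverage(OBSERVED_ESP, sled)
        print(f"sled {sled:6d} bytes: expected attempts ~ {r['expected_attempts']:.0f}")
```

With the constructed sample the observed range is about four megabytes, so a 20480-byte sled is expected to hit in a few hundred attempts, which is why a retry loop finishes in minutes. A guess at the very edge of the range covers a single address and needs millions of tries, which is the author's reason for aiming at the middle. The same arithmetic is the defender's argument for 64-bit binaries, PIE and stack canaries: each adds bits the sled cannot cover or stops the overwrite before the return address is used.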
Escalation B: MySQL
Since we have the MySQL root password and MySQL is running as root, we can use UDFs to escalate.
Success! We are in!
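A UDF escalation leaves a recognisable chain in the MySQL general query log: a look at `@@plugin_dir`, a file written into it with `INTO DUMPFILE`, then `CREATE FUNCTION ... SONAME`. The following added example (not from the walkthrough or the machine) scans general-log lines for those three statements and flags a connection that matches more than one of them; the log lines, paths and function name are constructed.

```python
import re
from collections import defaultdict

# Each rule is (name, pattern) matched against the statement text of a general-log entry.
RULES = [
    ("udf_registration", re.compile(r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\b.*\bSONAME\b", re.I)),
    ("file_write", re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\b", re.I)),
    ("plugin_dir_recon", re.compile(r"@@(?:GLOBAL\.)?plugin_dir\b", re.I)),
]

# General-log line: <timestamp> <thread id> <command> <argument>.
LOG_RE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")

# Constructed sample in the layout of the MySQL general query log (not a real capture).
SAMPLE_GENERAL_LOG = """\
2019-01-10T12:00:01.000000Z\t   8 Query\tSELECT @@plugin_dir
2019-01-10T12:00:02.000000Z\t   8 Query\tSELECT @blob INTO DUMPFILE '/usr/lib/mysql/plugin/example_udf.so'
2019-01-10T12:00:03.000000Z\t   8 Query\tCREATE FUNCTION example_exec RETURNS INTEGER SONAME 'example_udf.so'
2019-01-10T12:00:04.000000Z\t   9 Query\tSELECT username FROM users WHERE id = 3
"""


def scan_general_log(text):
    """Return [(thread_id, rule_name)] for every Query entry that matches a rule, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        thread, statement = int(m.group(1)), m.group(2)
        for name, pattern in RULES:
            if pattern.search(statement):
                findings.append((thread, name))
    return findings


def suspicious_threads(findings, min_rules=2):
    """Threads that matched at least min_rules distinct rules.

    A single INTO OUTFILE can be a legitimate export; reading plugin_dir, writing into it
    and registering a function from the same connection is the escalation chain."""
    by_thread = defaultdict(set)
    for thread, name in findings:
        by_thread[thread].add(name)
    return sorted(t for t, names in by_thread.items() if len(names) >= min_rules)


if __name__ == "__main__":
    found = scan_general_log(SAMPLE_GENERAL_LOG)
    for thread, name in found:
        print(f"thread {thread}: {name}")
    print("suspicious threads:", suspicious_threads(found))
```

The general log has to be enabled for this to see anything, and the cheaper fix is to remove the preconditions the walkthrough relies on: run mysqld as an unprivileged user, keep `plugin_dir` unwritable by that user, set `secure_file_priv` so `INTO DUMPFILE` cannot target it, and do not leave a weak root password.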
I hope you enjoyed the Lord Of The Root!