A thrilling ride through icy Whitehorse to sultry Montevideo, as we unmask more flaws in Lockitall’s feeble attempts to keep us out… And learn a thing or two about stack overflows and shellcode injection along the way.
Microcorruption - Part 1: New Orleans to Cusco
I’ve decided to take another crack at the Microcorruption CTF and document my progress as some form of tutorial-type thing. I also wanted to have a play around with Ghidra, and this seemed like a good candidate.
Hades: The Infernal
It has been a long time since I wrote anything here, but I’d been getting the itch again recently and I’d always planned on revisiting Hades to do a full writeup. Three years later, and here we are… Hades is a boot2root challenge created by Lok_Sigma with a heavy focus on binary exploitation and stack overflows.

Service discovery using netdiscover and nmap, you know the drill…

# netdiscover -i eth1 -p r 10.66.66.0/24

 Currently scanning: (passive)   |   Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.66.66.6      08:00:27:4a:6c:d9      1      60  PCS Systemtechnik GmbH

# echo 10.66.66.6 > ip
# nmap -A -p- -T5 $(cat ip) | tee nmap.txt

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-12 14:22 EDT
Nmap scan report for 10.66.66.6
Host is up (0.00044s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 e1:47:74:6c:b5:9c:8b:76:fd:92:77:91:fa:e7:f4:ee (DSA)
|   2048 9c:a0:0b:f3:63:2e:8e:10:77:e9:a3:5a:dd:f1:6d:46 (RSA)
|_  256 0b:8d:d1:bf:6e:b8:cf:99:38:64:f0:58:bb:3c:45:77 (ECDSA)
65535/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, NULL, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq:
|     Welcome to the jungle.
|_    Enter up to two commands of less than 121 characters each.
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:4A:6C:D9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms 10.66.66.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.77 seconds

I actually remember this: the SSH banner is a base64-encoded copy of the binary running on port 65535. ...
Mr-Robot 1
Mr-Robot 1 is a boot2root challenge based on the Mr. Robot TV series. Given I'd recently completed the Gibson challenge, based on Hackers, it seemed only reasonable to have a go at another challenge based on hacker-culture entertainment.

root@kali:~# mkcd VulnHub/mrRobot
root@kali:~/VulnHub/mrRobot# netdiscover -pr 10.1.11.0/24

 Currently scanning: (passive)   |   Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.11.101     08:00:27:95:a1:6b      1      60  Cadmus Computer Systems

root@kali:~/VulnHub/mrRobot# echo 10.1.11.101 > ip
root@kali:~/VulnHub/mrRobot# nmap -A -T5 $(cat ip)

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-30 20:46 BST
Nmap scan report for linux.vulnlab.fbcnt.in (10.1.11.101)
Host is up (0.00029s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:95:A1:6B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms linux.vulnlab.fbcnt.in (10.1.11.101)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.18 seconds

Not a lot to go off so far, let's throw nikto at the web service and see what it comes up with. ...
Stapler 1 (Brute Force)
Stapler is a boot2root with multiple paths to shell and root, written by g0tmi1k. I found the simple brute force path the most obvious on the first play-through, but I think I will visit this one again.

Discovery & Enumeration

root@kali:~# mkcd VulnHub/Stapler
root@kali:~/VulnHub/Stapler# netdiscover -pr 10.1.11.0/24

 Currently scanning: (passive)   |   Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.11.137     08:00:27:f2:ed:b4      1      60  Cadmus Computer Systems

root@kali:~/VulnHub/Stapler# echo 10.1.11.137 > ip
root@kali:~/VulnHub/Stapler# nmap -A -p- -T5 $(cat ip)

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-29 15:36 BST
Nmap scan report for red.initech.vulnlab.fbcnt.in (10.1.11.137)
Host is up (0.00022s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_  256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid:
|   id.server: patriot.fbcnt.in
|_  bind.version: dnsmasq-2.75
80/tcp    open   http
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X (workgroup: RED)
666/tcp   open   doom?
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 53
|   Version: .7.12-0ubuntu1
|   Thread ID: 27
|   Capabilities flags: 63487
|   Some Capabilities: LongPassword, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsTransactions, Support41Auth, FoundRows, Speaks41ProtocolOld, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, ODBCClient, SupportsCompression, IgnoreSigpipes, DontAllowDatabaseTableColumn, LongColumnFlag
|   Status: Autocommit Kv\x12\x19`"dx\s\x01ptM"
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech

Host script results:
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED
|   Domain name:
|   FQDN: red
|_  System time: 2016-06-29T16:38:10+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms red.initech.vulnlab.fbcnt.in (10.1.11.137)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.26 seconds

Anonymous FTP, etc

A lot is running on this box; working top-to-bottom, anonymous FTP immediately caught my attention, so I started there. ...
Gibson 0.2
Gibson is a boot2root created by Knightmare with a heavy 1988 Hackers theme; one of my favourite movies!

Discovery & Enumeration

The usual netdiscover and nmap to get an idea of what we are dealing with…

root@kali:~# mkcd VulnHub/Gibson
root@kali:~/VulnHub/Gibson# netdiscover -pr 10.1.11.0/24

 Currently scanning: (passive)   |   Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.11.143     08:00:27:2c:de:ec      1      60  Cadmus Computer Systems

root@kali:~/VulnHub/Gibson# echo 10.1.11.143 > ip
root@kali:~/VulnHub/Gibson# nmap -A -T5 $(cat ip)

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-28 20:53 BST
Nmap scan report for gibson.vulnlab.fbcnt.in (10.1.11.143)
Host is up (0.00030s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 fb:f6:d1:57:64:fa:38:66:2d:66:40:12:a4:2f:75:b4 (DSA)
|   2048 32:13:58:ae:32:b0:5d:b9:2a:9c:87:9c:ae:79:3b:2e (RSA)
|_  256 3f:dc:7d:94:2f:86:f1:83:41:db:8c:74:52:f0:49:43 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 273   2016-05-07 13:03  davinci.html
|_
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Index of /
MAC Address: 08:00:27:2C:DE:EC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: Host: gibson.example.co.uk; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms gibson.vulnlab.fbcnt.in (10.1.11.143)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds

SSH and a somewhat barren web server, not a lot but something to work with. ...
Hades: The Infernal
Hades is a boot2root challenge created by Lok_Sigma with a heavy focus on reverse engineering.

Video

This really was a fantastic challenge, stand by for a full writeup!