Hades: The Infernal

It has been a long time since I wrote anything here, but I’d been getting the itch again recently and I’d always planned on revisiting Hades to do a full writeup. Three years later, and here we are… Hades is a boot2root challenge created by Lok_Sigma with a heavy focus on binary exploitation and stack overflows.

Service discovery using netdiscover and nmap, you know the drill…

# netdiscover -i eth1 -p r 10.66.66.0/24
 Currently scanning: (passive)   |   Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.66.66.6      08:00:27:4a:6c:d9      1      60  PCS Systemtechnik GmbH

# echo 10.66.66.6 > ip
# nmap -A -p- -T5 $(cat ip) | tee nmap.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-12 14:22 EDT
Nmap scan report for 10.66.66.6
Host is up (0.00044s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 e1:47:74:6c:b5:9c:8b:76:fd:92:77:91:fa:e7:f4:ee (DSA)
|   2048 9c:a0:0b:f3:63:2e:8e:10:77:e9:a3:5a:dd:f1:6d:46 (RSA)
|_  256 0b:8d:d1:bf:6e:b8:cf:99:38:64:f0:58:bb:3c:45:77 (ECDSA)
65535/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, NULL, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq:
|     Welcome to the jungle.
|_    Enter up to two commands of less than 121 characters each.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port65535-TCP:V=7.70%I=7%D=6/12%Time=5D0142F9%P=x86_64-pc-linux-gnu%r(N
SF:ULL,55,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20
SF:two\x20commands\x20of\x20less\x20than\x20121\x20characters\x20each\.\n\
SF:0")%r(GenericLines,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\
SF:x20up\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20characte
SF:rs\x20each\.\n\0Got\x20it\n")%r(GetRequest,5C,"Welcome\x20to\x20the\x20
SF:jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x2
SF:0than\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(HTTPOptions,5C,
SF:"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20
SF:commands\x20of\x20less\x20than\x20121\x20characters\x20each\.\n\0Got\x2
SF:0it\n")%r(RTSPRequest,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnt
SF:er\x20up\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20chara
SF:cters\x20each\.\n\0Got\x20it\n")%r(RPCCheck,5C,"Welcome\x20to\x20the\x2
SF:0jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x
SF:20than\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(DNSVersionBind
SF:ReqTCP,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\
SF:x20two\x20commands\x20of\x20less\x20than\x20121\x20characters\x20each\.
SF:\n\0Got\x20it\n")%r(DNSStatusRequestTCP,5C,"Welcome\x20to\x20the\x20jun
SF:gle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x20th
SF:an\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(Help,5C,"Welcome\x
SF:20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x
SF:20of\x20less\x20than\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(
SF:SSLSessionReq,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up
SF:\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20characters\x2
SF:0each\.\n\0Got\x20it\n")%r(TLSSessionReq,5C,"Welcome\x20to\x20the\x20ju
SF:ngle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x20t
SF:han\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(Kerberos,5C,"Welc
SF:ome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20comma
SF:nds\x20of\x20less\x20than\x20121\x20characters\x20each\.\n\0Got\x20it\n
SF:")%r(SMBProgNeg,63,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20
SF:up\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20characters\
SF:x20each\.\n\0Got\x20it\nGot\x20it\n");
MAC Address: 08:00:27:4A:6C:D9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   0.44 ms  10.66.66.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.77 seconds

I actually remember this: the ssh banner is a base64-encoded copy of the binary running on port 65535. ...

June 12, 2019 · 8 min

Hades: The Infernal

Hades is a boot2root challenge created by Lok_Sigma with a heavy focus on reverse engineering.

Video

This really was a fantastic challenge, stand by for a full writeup!

June 21, 2016 · 1 min