Microcorruption - Part 3: Johannesburg, Santa Cruz, and Jakarta
From South Africa to Asia via Northern California, smashing stacks along the way, we progress through the next versions of the LockIT Pro.
A thrilling ride through icy Whitehorse to sultry Montevideo, as we unmask more flaws in Lockitall’s feeble attempts to keep us out… And learn a thing or two about stack overflows and shellcode injection along the way.
I’ve decided to take another crack at the microcorruption CTF and document my progress as some form of tutorial type thing. I also wanted to have a play around with Ghidra and this seemed like a good candidate.
It has been a long time since I wrote anything here, but I’d been getting the itch again recently and I’d always planned on re-visiting Hades to do a full writeup. Three years later, and here we are… Hades is a boot2root challenge created by Lok_Sigma with a heavy focus on binary exploitation and stack overflows.

Service discovery using netdiscover and nmap, you know the drill…

# netdiscover -i eth1 -p r 10.66.66.0/24
 Currently scanning: (passive)   |   Screen View: Unique Hosts
 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.66.66.6      08:00:27:4a:6c:d9      1      60  PCS Systemtechnik GmbH

# echo 10.66.66.6 > ip
# nmap -A -p- -T5 $(cat ip) | tee nmap.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-12 14:22 EDT
Nmap scan report for 10.66.66.6
Host is up (0.00044s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 e1:47:74:6c:b5:9c:8b:76:fd:92:77:91:fa:e7:f4:ee (DSA)
|   2048 9c:a0:0b:f3:63:2e:8e:10:77:e9:a3:5a:dd:f1:6d:46 (RSA)
|_  256 0b:8d:d1:bf:6e:b8:cf:99:38:64:f0:58:bb:3c:45:77 (ECDSA)
65535/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, NULL, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq:
|     Welcome to the jungle.
|_    Enter up to two commands of less than 121 characters each.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port65535-TCP:V=7.70%I=7%D=6/12%Time=5D0142F9%P=x86_64-pc-linux-gnu%r(N
SF:ULL,55,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20
SF:two\x20commands\x20of\x20less\x20than\x20121\x20characters\x20each\.\n\
SF:0")%r(GenericLines,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\
SF:x20up\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20characte
SF:rs\x20each\.\n\0Got\x20it\n")%r(GetRequest,5C,"Welcome\x20to\x20the\x20
SF:jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x2
SF:0than\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(HTTPOptions,5C,
SF:"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20
SF:commands\x20of\x20less\x20than\x20121\x20characters\x20each\.\n\0Got\x2
SF:0it\n")%r(RTSPRequest,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnt
SF:er\x20up\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20chara
SF:cters\x20each\.\n\0Got\x20it\n")%r(RPCCheck,5C,"Welcome\x20to\x20the\x2
SF:0jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x
SF:20than\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(DNSVersionBind
SF:ReqTCP,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\
SF:x20two\x20commands\x20of\x20less\x20than\x20121\x20characters\x20each\.
SF:\n\0Got\x20it\n")%r(DNSStatusRequestTCP,5C,"Welcome\x20to\x20the\x20jun
SF:gle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x20th
SF:an\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(Help,5C,"Welcome\x
SF:20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x
SF:20of\x20less\x20than\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(
SF:SSLSessionReq,5C,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up
SF:\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20characters\x2
SF:0each\.\n\0Got\x20it\n")%r(TLSSessionReq,5C,"Welcome\x20to\x20the\x20ju
SF:ngle\.\x20\x20\nEnter\x20up\x20to\x20two\x20commands\x20of\x20less\x20t
SF:han\x20121\x20characters\x20each\.\n\0Got\x20it\n")%r(Kerberos,5C,"Welc
SF:ome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20up\x20to\x20two\x20comma
SF:nds\x20of\x20less\x20than\x20121\x20characters\x20each\.\n\0Got\x20it\n
SF:")%r(SMBProgNeg,63,"Welcome\x20to\x20the\x20jungle\.\x20\x20\nEnter\x20
SF:up\x20to\x20two\x20commands\x20of\x20less\x20than\x20121\x20characters\
SF:x20each\.\n\0Got\x20it\nGot\x20it\n");
MAC Address: 08:00:27:4A:6C:D9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms 10.66.66.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.77 seconds

I actually remember this: the ssh banner is a base64 encoded copy of the binary running on port 65535. ...
Mr-Robot 1 is a boot2root challenge based on the Mr. Robot TV series; given I'd recently completed the Gibson challenge based on Hackers, it seemed only reasonable to have a go at another challenge based on hacker-culture entertainment.

root@kali:~# mkcd VulnHub/mrRobot
root@kali:~/VulnHub/mrRobot# netdiscover -pr 10.1.11.0/24
 Currently scanning: (passive)   |   Screen View: Unique Hosts
 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.11.101     08:00:27:95:a1:6b      1      60  Cadmus Computer Systems

root@kali:~/VulnHub/mrRobot# echo 10.1.11.101 > ip
root@kali:~/VulnHub/mrRobot# nmap -A -T5 $(cat ip)
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-30 20:46 BST
Nmap scan report for linux.vulnlab.fbcnt.in (10.1.11.101)
Host is up (0.00029s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:95:A1:6B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms linux.vulnlab.fbcnt.in (10.1.11.101)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.18 seconds

Not a lot to go off so far, let's throw nikto at the web service and see what it comes up with. ...
Stapler is a boot2root with multiple paths to shell and root, written by g0tmi1k. I found the simple brute force path the most obvious on the first play through but I think I will visit this one again.

Discovery & Enumeration

root@kali:~# mkcd VulnHub/Stapler
root@kali:~/VulnHub/Stapler# netdiscover -pr 10.1.11.0/24
 Currently scanning: (passive)   |   Screen View: Unique Hosts
 1 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.11.137     08:00:27:f2:ed:b4      1      60  Cadmus Computer Systems

root@kali:~/VulnHub/Stapler# echo 10.1.11.137 > ip
root@kali:~/VulnHub/Stapler# nmap -A -p- -T5 $(cat ip)
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-29 15:36 BST
Nmap scan report for red.initech.vulnlab.fbcnt.in (10.1.11.137)
Host is up (0.00022s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_  256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid:
|   id.server: patriot.fbcnt.in
|_  bind.version: dnsmasq-2.75
80/tcp    open   http
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X (workgroup: RED)
666/tcp   open   doom?
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 53
|   Version: .7.12-0ubuntu1
|   Thread ID: 27
|   Capabilities flags: 63487
|   Some Capabilities: LongPassword, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsTransactions, Support41Auth, FoundRows, Speaks41ProtocolOld, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, ODBCClient, SupportsCompression, IgnoreSigpipes, DontAllowDatabaseTableColumn, LongColumnFlag
|   Status: Autocommit
|_  Kv\x12\x19`"dx\s\x01ptM"
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech

Host script results:
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED
|   Domain name:
|   FQDN: red
|_  System time: 2016-06-29T16:38:10+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms red.initech.vulnlab.fbcnt.in (10.1.11.137)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.26 seconds

Anonymous FTP, etc

A lot running on this box; working top-to-bottom, anonymous ftp immediately caught my attention so I started there. ...
Gibson is a boot2root created by Knightmare with a heavy 1988 Hackers theme; one of my favourite movies!

Discovery & Enumeration

The usual netdiscover and nmap to get an idea of what we are dealing with…

root@kali:~# mkcd VulnHub/Gibson
root@kali:~/VulnHub/Gibson# netdiscover -pr 10.1.11.0/24
 Currently scanning: (passive)   |   Screen View: Unique Hosts
 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.11.143     08:00:27:2c:de:ec      1      60  Cadmus Computer Systems

root@kali:~/VulnHub/Gibson# echo 10.1.11.143 > ip
root@kali:~/VulnHub/Gibson# nmap -A -T5 $(cat ip)
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-28 20:53 BST
Nmap scan report for gibson.vulnlab.fbcnt.in (10.1.11.143)
Host is up (0.00030s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 fb:f6:d1:57:64:fa:38:66:2d:66:40:12:a4:2f:75:b4 (DSA)
|   2048 32:13:58:ae:32:b0:5d:b9:2a:9c:87:9c:ae:79:3b:2e (RSA)
|_  256 3f:dc:7d:94:2f:86:f1:83:41:db:8c:74:52:f0:49:43 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 273   2016-05-07 13:03  davinci.html
|_
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Index of /
MAC Address: 08:00:27:2C:DE:EC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: Host: gibson.example.co.uk; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms gibson.vulnlab.fbcnt.in (10.1.11.143)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds

SSH and a somewhat barren web server, not a lot but something to work with. ...