
Target Experience:

My observations while working this target:

Tools:

The recommended tools for this lab were:

Vulnerabilities:

The following vulnerabilities were found:

Information Gathering:

First things first, I used Nmap to perform a scan for service version detection, OS detection, script scanning, and traceroute.

[Figure: Nmap Scan]
[Figure: Nikto Scan]

Web Enumeration:

With the initial scans completed, I decided to open a web browser to further investigate the web site. Nothing interesting other than a default Apache2 page.

[Figure: Page Source]
[Figure: Binary Download]

Buffer Overflow:

Testing for Buffer Overflow:

This was the toughest part of the entire challenge for me. I had very little knowledge of registers and how things work. I had to watch many…many…many videos and read lots…lots…lots of articles to get the basics, which I barely comprehend.

[Figure: myapp]
[Figure: Python with Print]
[Figure: myapp with a Buffer Overflow]

Checking Binary Protections:

I decided to launch gdb with the peda extension pack. Before continuing any further investigation, I needed to understand the security implemented on the binary. So, I issued the checksec command within gdb.

[Figure: gdb: checksec]
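checksec in gdb-peda reports PIE, NX, RELRO and canary status for the loaded binary. To show where those answers come from, here is an added example (my own code, not from the original post, peda or the challenge) that reads the ELF64 header and program headers directly: PIE is the e_type == ET_DYN check, NX is the absence of the PF_X flag on the PT_GNU_STACK segment, and partial RELRO is the presence of a PT_GNU_RELRO segment. It does not detect full RELRO (that needs the DF_BIND_NOW flag in the dynamic segment) or stack canaries (that needs the symbol table). The build_minimal_elf helper constructs a synthetic, header-only image so the code runs offline; it is not the myapp binary.

```python
import struct
import sys

# ELF constants from the ELF and GNU ABI specifications
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1

EHDR_FMT = "<HHIQQQIHHHHHH"  # Elf64_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"       # Elf64_Phdr


def program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) for a 64-bit little-endian ELF image."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not a 64-bit ELF image")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR_FMT, data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, *_ = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def checksec(data):
    """Subset of what checksec reports: PIE, NX and partial RELRO.

    Full RELRO (DF_BIND_NOW in PT_DYNAMIC) and canaries (__stack_chk_fail in
    the symbol table) are deliberately not parsed here.
    """
    e_type, phdrs = program_headers(data)
    types = {p_type for p_type, _ in phdrs}
    stack_flags = [flags for p_type, flags in phdrs if p_type == PT_GNU_STACK]
    # Without a PT_GNU_STACK header the loader falls back to an executable stack.
    nx = bool(stack_flags) and not (stack_flags[0] & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        "relro": "partial" if PT_GNU_RELRO in types else "none",
    }


def build_minimal_elf(pie, nx, relro):
    """Constructed header-only ELF64 image for testing; not a runnable program."""
    phdrs = [struct.pack(PHDR_FMT, PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ident + ehdr + b"".join(phdrs)


if __name__ == "__main__":
    # With a path argument, inspect a real binary; otherwise use the constructed image.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(checksec(fh.read()))
    else:
        print(checksec(build_minimal_elf(pie=True, nx=True, relro=True)))
```

Run it against any local ELF64 binary to compare its output with what peda's checksec prints; the two should agree on PIE and NX, and on whether a RELRO segment exists at all.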

Obtaining the Offset:

Continuing with gdb, I added the set follow-fork-mode parent setting so that the debugger would continue to debug the parent process if a fork occurred within the binary.

[Figure: gdb-peda]
[Figure: Buffer Overflow]
[Figure: Cyclic Pattern]
[Figure: Buffer Overflow: Cyclic]
[Figure: RSP Memory]
[Figure: Pattern Offset]
[Figure: Binary Execution and Fault]
[Figure: Binary: Registers]
[Figure: Binary: Code]
[Figure: Binary: Stack and Stopped Reason]
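The cyclic pattern workflow shown above (create a pattern, crash the binary, read the word at RSP, look up its offset) rests on a de Bruijn sequence: every 4-byte window of the pattern occurs exactly once, so whatever lands in a register pinpoints its position in the input. As an added example (my own code, not from the original post, gdb-peda or pwntools), the block below generates such a pattern lazily and recovers the offset from the little-endian word a debugger would display. The crash value in the demo is constructed from the pattern itself rather than taken from the myapp binary.

```python
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"  # lowercase alphabet, 26**4 unique positions
SUBSEQ_LEN = 4                            # every 4-byte window is unique


def de_bruijn(alphabet=ALPHABET, n=SUBSEQ_LEN):
    """Lazily yield the de Bruijn sequence B(k, n) over `alphabet`, byte by byte.

    Generating on demand lets callers take only the prefix they need instead
    of materialising all k**n bytes.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length):
    """Return `length` bytes of pattern (the role of peda's `pattern create`)."""
    return bytes(islice(de_bruijn(), length))


def find_offset(pattern, value, width=8):
    """Offset in `pattern` of a crash artefact (the role of `pattern offset`).

    `value` may be the integer a debugger shows in a register (decoded as a
    `width`-byte little-endian word), a str as printed from memory, or raw
    bytes. Returns -1 when the value is not part of the pattern, which means
    the register was not overwritten by our input at all.
    """
    if isinstance(value, int):
        needle = value.to_bytes(width, "little")
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    return pattern.find(needle)


if __name__ == "__main__":
    pattern = cyclic(400)
    # Constructed stand-in for the word observed at RSP after the crash.
    crashed_rsp = int.from_bytes(pattern[72:80], "little")
    print("pattern prefix:", pattern[:16].decode())
    print("offset of crash word:", find_offset(pattern, crashed_rsp))
```

The same offset can also be checked with the string form, e.g. find_offset(pattern, "aaac"), when the debugger prints the stack as text rather than as a register value.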

Code Review:

Next, I wanted to review the binary code to gather more information. So, I launched radare2 with the aaaa command, followed by the afl command to analyse the flags, files, and directories.

[Figure: Analyze Binary Functions]
[Figure: Main Function]
[Figure: Test Function]
[Figure: Test Function: gdb]

ROP Chain:

In order to determine if I could use the test function as a ROP gadget, I needed to use ROPgadget to review the binary for listed mov, pop, and ret entries.

[Figure: ROPgadget]
[Figure: ROP Chain Entry]
[Figure: radare2: system]
[Figure: ROP Chain Entry]

RBP Offset:

At this point, I tried to build and test my exploit script, but a segmentation fault was still occurring. After inspecting the main function a little closer, I noticed that rsp had a sub instruction of 0x70. So, this needed to be calculated as part of the offset.

[Figure: main Disassembled]
[Figure: Registers]
[Figure: Calculated Offset]
[Figure: ROP Chain Entry]

Final Local Exploit:

Since I had a local copy of the binary, I decided to build my exploit to test against it. So, I gathered all of the data needed to build the exploit.

[Figure: Final Exploit Data]
[Figure: Final Local Exploit]
[Figure: Local Connectivity]

Final Remote Exploit:

With the local exploit complete, I modified it and connected to the remote target.

[Figure: Final Remote Exploit]
[Figure: Remote Connectivity]

User Flag:

With connectivity established, I was able to locate the user flag within the /home/user directory.

[Figure: User.txt]

Root Flag:

I tried the standard methods of exfiltrating the KeePass file found within the /home/user directory, but nothing was working. So, I converted the file to Base64 and then copied the text to my attacker system.

[Figure: Base64 Encode]
[Figure: Base64 Decode]
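Copying a Base64 blob through a terminal is where a transfer like this silently breaks: the terminal wraps lines, a paste can drop or duplicate a character, and the result still decodes into a .kdbx file that simply refuses to open. As an added example (my own code, not from the original post), the two functions below wrap the encode and decode steps with a SHA-256 digest line so the receiving side can prove the bytes are intact, and they tolerate the whitespace a paste inserts. The SAMPLE payload is constructed; it is not the MyPasswords.kdbx file.

```python
import base64
import hashlib
import re

# Constructed stand-in for any binary file (covers all byte values).
SAMPLE = bytes(range(256)) * 3


def encode_for_text_channel(data, line_len=76):
    """Base64-encode `data`, wrapped to `line_len`, with a SHA-256 header line.

    The digest travels with the text so the receiver can detect paste damage.
    """
    digest = hashlib.sha256(data).hexdigest()
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + line_len] for i in range(0, len(b64), line_len)]
    return "sha256:" + digest + "\n" + "\n".join(lines) + "\n"


def decode_from_text_channel(text):
    """Reverse of encode_for_text_channel.

    Strips any whitespace the terminal inserted, decodes strictly (non-Base64
    characters are an error rather than being skipped) and raises ValueError
    when the digest does not match, so a damaged paste never yields a file.
    """
    header, _, body = text.partition("\n")
    if not header.startswith("sha256:"):
        raise ValueError("missing sha256 header line")
    expected = header[len("sha256:"):].strip()
    cleaned = re.sub(r"\s+", "", body)
    data = base64.b64decode(cleaned, validate=True)  # binascii.Error is a ValueError
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        raise ValueError(f"digest mismatch: got {actual}, expected {expected}")
    return data


if __name__ == "__main__":
    text = encode_for_text_channel(SAMPLE)
    print(text.splitlines()[0])               # the digest line the receiver checks
    print(len(decode_from_text_channel(text)), "bytes verified")
```

On the receiving side, a verification failure is the signal to re-copy the blob rather than to start troubleshooting the decoded file.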
[Figure: rsa.pub]
[Figure: Target: Authorized_keys]
[Figure: SCP w/Identity Flag]
[Figure: keepass2john]
[Figure: Cracked Password]
[Figure: MyPasswords.kdbx Authentication]
[Figure: Root Credentials]
[Figure: SSH w/Identity Flag]
[Figure: Root.txt]

Resources:

http://docs.pwntools.com/en/stable/about.html

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.

Cyber Security Enthusiast
