When your machine is ready, let's try to scan it. Below you will find few results:
Ok, nice. We can see few TCP port. Let's start from the HTTP port - 80/tcp:
In the registration form you will see that the username/login field is only able to hold 16-characters. It reminds me the bug from Wordpress (described by Sucuri) when after posting 'long' comment you will add XSS...
Let's check what will happen when we will set login-name longer then that (note that I used %20 as a space-character and then 17th character will do the job):
Checking if we can register as an 'admin':
Too bad. Checking if we can register as 'admin %0a' (to do that, grab a request in Burp and change it like below ;))
Ok, checking:
I spent some time with Burp and this form to try if there is 'any kind of bug'... after a while I found that we can upload a PHP file (time for the backdoor.php?):
It should be probably game-over now, but I saw some 'other' message from the author:
Let's try harder.
Orly? ;] Verifying:
So now it should be easier to read (our uploaded) file(s). Let's check some more...
...so I'm doing something wrong... again:
Response in the file below:
Let's de-base64 the response (file) now:
Looks interesting. Let's go deeper... Checking the binary:
(During the gdb session we can see some nice call's, for example:
)
Let's run the binary:
:Z
Ok, again. Let's analyze that webapp, checking results from dirb:
This looks pretty ready to be our new input for php://filter ;]
:]
...just in case... ;)
I decided to get back to the binary again. I found something (I remember from the long past when I was learning C for the first time ;> ) - CGI:
Few minutes with Google, and you should be here (but the link is dead afaik, so try to google it or grab a copy from archive.org):
...and after you will 'read' the validateEmail function...
After reading some files from webroot, we can assume how the apps is working. Check this out:
(of course the screen with the source is already de-base64'd but I believe you will get to that point at home ;])
(we will need it to prepare the request to ('run') our upload-CGI binary) how ? should be also easy to google:
(First I though that this is the binary responsible for the 31337/tcp port... that's why the name is elite.bin - but it was not ;])
Again...
I created the directory in /var/www to 'prepare' environment similar to the one available on the target-machine:
So now, we need to get a proper request to the app (on original remote target). Let's do that (using Burp):
) Interesting. ;] Let's try to do the similar 'request' from the Kali-console:
What's next?
...but the real shellcode I used was grabbed from this >tutorial< ;]
Calling pizza...
So now we need to get the offset lenght:
...and fix our payload to check if the result will be similar to the one we want to achieve:
Checking
Illegal instruction - so good (let's say;)) , but I missed something ;] recheck...
Nope.
After a while I decided to take a break and start the VM again from the beginning.
The reason I wasn't able to exploit that program was probably wrong shellcode or some error in the whole payload. This time I tried to achieve 'the same' results using gdb-peda:
According to the previous research, we should be here:
To get the proper names of fields I used Burp proxy (I'm logged-in as the new 'admin+11chars' user):
As you can see, program crashed at 0x42424242. Now we will open the program in gdb (with gdb-peda) using -c to add generated core file:
When the program is ready in gdb, first I created breakpoint to the main() function. Then I used 'r' to run the program:
gdb will break, so I used gdb-peda to find JMP ESP instruction and to generate a reverse-shellcode to my Kali Linux (.1.183):
(First I used 'call esp' but It wasn't good idea :]) To prepare a new query I used query2.txt file and notepad.exe to copy/paste some notes/addresses, see below:
Since my 'call esp' did not worked as I believed it will be, I decided to use 'jmp esp' (to do 'jmp to esp' ;] ...yeah I know.) - anyway:
Checking:
Great! It's working (but still on Kali machine!), now we need to check if the same payload can be used to attach OwlVM:
Ok, looks stable. Checking:
'Unable to open file' :|
There was only 1 reason I wasn't able to reach the shell - wrong values of parameters. :]
So after I fixed filenames - this is what I found:
Great! :] Now we are here:
Checking $HOME of rmp user:
Next binary :]
This is the moment when you are trying to install strace on Kali ;)
[:
I wasn't able (403) to (move to /var/www and) download adminconsole binary, so I decided to pack it with tar and then download:
It was a good idea to create authorized_keys on remote host (to easier access to remote shell):
...and here we are:
After a while with the binary:
We are here:
Checking...
...comparing results with the strace (and strings) output...
we are here:
Nope, we should 'check the file' before we'll check the password ;) so...
:]
I think this is the time for reverse-shell:
...aaaaand - magic:
To be honest this was one of "my top 5 CTF's". Big thanks goes to the author as well as to the VulnHub Team for hosting all of those great VMs! :]
Brak komentarzy:
Prześlij komentarz