Sneaky — HTB walkthrough

Difficulty: Medium
TCP scan
Nmap UDP Scan
SNMP (Simple Network Management Protocol), port 161
Output for the irrelevant ports is not included; UDP port 161 (SNMP) is the one that matters here.
Visiting the home page of the website
/dev directory found; confirmed with WFUZZ
Login option
Capturing the request in Burp and watching the response. Tried a little fuzzing of the user/pass fields
Reference strings
Tried name=admin pass=' or 1=1#
Information before we start SNMP enumeration and exploitation
We get a successful login for Public, so the Public community string is present there
onesixtyone, a tool for enumerating port 161, detects public and private community strings.
sysName value for sneaky
This IPv6 value is in decimal and we need it in hex.
cat snmp-v6 and locate the hex address
Note the way the hex IP is passed in the parameter.
Getting the user.txt flag
/usr/local/bin/chal is executable file with SUID set.
It uses the strcpy function, which is exploitable.
Trying A's, first 350 times and then 400 times
So, keeping length = 370, we will create a pattern using metasploit-framework
Sending this as input to chal in GDB, we get a segmentation fault at 0x316d4130
EIP holds the same value as the one where we got the segmentation fault, so this is where our pattern hit EIP
Exact match found at 362.
EIP overwritten by Bs
Calculating the exact address of 0x42424242 on the stack: it is 0xff8b8fdc
Ignore further errors; just see if the breakpoint hits
Make shellcode using msfvenom
Format: shell.py.
A's hit at address 0xbffff56c
Modifying our EIP to 0xbffff56c; running this again
First occurrence of 0x90s in EIP
Here we see the 0x90s resume after some gaps in ESP. Those gaps might be the bad chars
In GDB, choosing EIP: 0xbffff7a0
On our machine we see a reverse shell spawned
After getting this EIP, I came out of GDB and ran chal from the home directory of Thrasivoulos
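The root cause behind the chal overflow and its fix, as an added example that is not the walkthrough's code (chal's source is not shown on the page, so the strcpy call from argv[1] and the 370-byte buffer are assumptions): the unchecked copy, beside a bounded copy that rejects input longer than the buffer instead of letting it reach the saved return address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer size: the walkthrough found the return address
 * overwritten at offset 362 and used a 370-byte pattern. */
#define BUF_LEN 370

/* Vulnerable pattern (reconstructed; chal's real source is not on the page):
 *     char buf[BUF_LEN];
 *     strcpy(buf, argv[1]);   // copies until NUL, never checks sizeof buf
 * Anything longer than BUF_LEN-1 bytes runs past buf into the saved frame
 * pointer and return address, which is exactly what the pattern hit. */

/* Hardened replacement: refuse input that does not fit instead of silently
 * truncating. Returns true on success; on failure dst is an empty string. */
static bool safe_copy(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0) return false;
    const char *nul = memchr(src, '\0', dst_len); /* never reads past dst_len */
    if (nul == NULL) {                             /* no NUL within dst_len: too long */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);    /* includes the terminating NUL */
    return true;
}

/* Does src fit in a BUF_LEN-byte stack buffer? */
static bool fits_in_buffer(const char *src) {
    char buf[BUF_LEN];
    return safe_copy(buf, sizeof buf, src);
}

/* Builds a run of n 'A's, like the 350- and 400-byte probes in the walkthrough,
 * and reports whether the hardened copy accepts it. */
static bool accepts_run_of_a(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL) return false;
    memset(s, 'A', n);
    s[n] = '\0';
    bool ok = fits_in_buffer(s);
    free(s);
    return ok;
}
```

Alongside bounded copies, a SUID binary of this kind is normally built with a stack protector and a non-executable stack; shellcode running from a stack address in the walkthrough shows neither was in place here.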
