fix references

This commit is contained in:
nihilist 2025-05-07 08:47:16 +02:00
parent fd1fec5663
commit 8e4e47a9d8
16 changed files with 19 additions and 27 deletions

View file

@ -49,7 +49,7 @@ Now, first things first, we are going to use pwntools' pwn tool to check the sec
So we are dealing with a 64bit binary, that scans the input of the user and then checks it, very much like the previous challenge we solved, [helithumper](heli.html). So we're going to import the file into ghidra, and take a look at the main function
So we are dealing with a 64bit binary, that scans the input of the user and then checks it, very much like the previous challenge we solved, [helithumper](heli.md). So we're going to import the file into ghidra, and take a look at the main function
![](6.png)
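Review bot: the link target changes from heli.html to heli.md, which only renders correctly if the site generator rewrites .md links to the built page; confirm heli.md exists next to this file, because a wrong relative target produces a dead link with no build error. The same check applies to every same-directory rename in this commit.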

View file

@ -420,7 +420,7 @@ Now we know that there is a 0x48 bytes offset between the pattern an the return
Now we know that we will need 18 integers, Now since the binary is statically linked and there is no PIE (as we saw earlier in the pwn checksec command output), We can build a rop chain using the binary for gadgets and without an infoleak. The ROP chain will make an execve syscall to **/bin/sh** just like in the previous tutorials except that now we need to take into account 4 registers that we need to control in order to make this syscall:
As we saw in our [previous](../asm/2.html) x86_64 assembly tutorials, we need rax to take in our syscall ID, rdi to take the first arguement, rsi to take the 2nd arguement and rdx to take the third arguement. We can use this list to know more about syscalls, and since we are in x86_64 we will use the syscall ID 59 (0x3b) to trigger execve:
As we saw in our [previous](../asm/2.md) x86_64 assembly tutorials, we need rax to take in our syscall ID, rdi to take the first arguement, rsi to take the 2nd arguement and rdx to take the third arguement. We can use this list to know more about syscalls, and since we are in x86_64 we will use the syscall ID 59 (0x3b) to trigger execve:
rax : 0x3b # syscall ID
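Review bot: the target ../asm/2.md crosses into a sibling directory, so this rename depends on the asm directory keeping the same layout after the migration; verify that ../asm/2.md is the new name and not, say, an index page. Separately, the edited line spells "argument" as "arguement" three times; since the line is already being touched it is cheap to fix here.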

View file

@ -410,7 +410,7 @@ So we can overwrite the stack canary one byte a a time, The byte we overwrite it
Now onto the ROP chain: Once we have the stack canary and nothing will be able to stop us from reaching the return function to get code execution as usual. Then what do we execute ? NX is turned on, so we cannot just jump to the shellcode we place on the stack. However the elf does have PIE set to enabled which randomizes the address of code, Therefore building a ROP chain without an infoleak is possible. For this ROP Chain, we will be making an execve() syscall to /bin/sh to give us a shell.
Now to build our ROP chain we need to look for ROP Gadgets as we saw in the previous 2 challenges. We will use ROPGadget for that, check out [simplecalc](calc.html) to check out how i installed it. now let's find the following gadgets:
Now to build our ROP chain we need to look for ROP Gadgets as we saw in the previous 2 challenges. We will use ROPGadget for that, check out [simplecalc](calc.md) to check out how i installed it. now let's find the following gadgets:
[ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/feed]
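Review bot: the unchanged context line just above the edited one states that the ELF has PIE enabled and that building a ROP chain without an infoleak is "therefore possible"; with PIE the code section is randomized, so gadget addresses taken from the binary are unknown until a leak gives the base, and the sentence reads as the inverse of what it means (the earlier hunk in this commit says it correctly: no PIE, so a chain from binary gadgets without an infoleak). Worth fixing while this file is open, independently of the calc.md rename.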

View file

@ -230,7 +230,7 @@ Now that we have the got entry address, we need a gadget that pops an arguement
After we get the libc infoleak, we can just subtract the offset of puts from it to get the libc base. The only part that remains is the onegadget, check out the previous babyboi writeup to know how to set it up [here](bboi.html):
After we get the libc infoleak, we can just subtract the offset of puts from it to get the libc base. The only part that remains is the onegadget, check out the previous babyboi writeup to know how to set it up [here](bboi.md):
[ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]

View file

@ -308,7 +308,7 @@ Here we see that our input address is at **0x7fffffffdad0** and the return addre
Now we know that have an offset of 0x408 bytes between our input text and the return function. Next step is to find the ROP Gadgets we will use. To do so we will use ROPGadgets.py you can check out how we installed it in the previous tutorial [here](calc.html). Now let's find the gadgets we need for the **rax, rdi, rsi and rdx** registers using the following template:
Now we know that have an offset of 0x408 bytes between our input text and the return function. Next step is to find the ROP Gadgets we will use. To do so we will use ROPGadgets.py you can check out how we installed it in the previous tutorial [here](calc.md). Now let's find the gadgets we need for the **rax, rdi, rsi and rdx** registers using the following template:
"pop register ; ret"
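Review bot: the edited line names the tool "ROPGadgets.py" in both the old and new version, while the earlier hunk in this commit calls it ROPGadget; the project is ROPgadget (invoked as ROPgadget), so align the name while the line is being changed. "Now we know that have an offset" is also missing "we".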

View file

@ -310,7 +310,7 @@ Now we know that there is a 0xb8 offset between our input text and the return ad
So let's summarize everything we got so far:
We have a buffer overflow bug that we can use because of a gets() call and we can get to the return address with it. However the first mitigation we will need to overcome is the stack canary. The stack canary is an eight byte random integer (we saw that it was 4 bytes for x86 systems in the previous challenge [feed](feed.html))
We have a buffer overflow bug that we can use because of a gets() call and we can get to the return address with it. However the first mitigation we will need to overcome is the stack canary. The stack canary is an eight byte random integer (we saw that it was 4 bytes for x86 systems in the previous challenge [feed](feed.md))
However, before the return address is executed, it checks to see if the stack canary has the same value. If it doesn't the program will end. To bypass this, we need to leak the stack canary. That way we can just overwrite the stack canary with itself, so it will pass the stack cnary to check and execute the return address, which we will overwrite with our buffer overflow
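Review bot: the edited line changes only the feed.html target, but it ends without a period before the next paragraph, and the following context line has "cnary" for "canary" and "pass the stack cnary to check"; since this paragraph is being touched, tidy those in the same change.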

View file

@ -6,14 +6,6 @@
**Lame** is an easy Linux box which was released back in March 2017. It features a common vulnerability which could be exploited using a metasploit module.
## **Requirerements :**
* [Linux commands](../../CS/LTerm.html)
* [Nmap](../../CS/nmap.html)
* [Searchsploit](../../CS/searchsploit.html)
* [Python](../../CS/python.html)
* [Netcat](../../CS/netcat.html)
## **Part 1 : Initial Enumeration**
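Review bot: this hunk deletes the whole "Requirerements" section with its five links instead of rewriting the .html targets to .md as every other hunk does, which is why the commit shows more deletions than additions. If the prerequisite pages (LTerm, nmap, searchsploit, python, netcat) still exist under ../../CS/, the section should be kept with updated links; if they were removed, the commit message "fix references" should say that the section was dropped.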

View file

@ -459,7 +459,7 @@ Weird, we don't have permissions to see what files are there in the wwwroot dire
}
Looking at the results, we see a few interesting information : admin@support.htb, and a hash sha256 91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040. So navigating over to [hashes.org](hashes.org/search.php) we paste our hash and see that sadly, hashes.org can't find it for us, so we navigate over to the attachments directory
Looking at the results, we see a few interesting information : admin@support.htb, and a hash sha256 91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040. So navigating over to [https://hashes.org](https://hashes.org/search.php) we paste our hash and see that sadly, hashes.org can't find it for us, so we navigate over to the attachments directory
*Evil-WinRM* PS C:\inetpub\wwwroot> cd attachments
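Review bot: making the hashes.org link absolute is the right fix, since the previous relative form hashes.org/search.php would have resolved to a path under the writeup directory; the link text now repeats the scheme, though, and plain "hashes.org" reads better. Note the same bare-domain problem appears in the beautifier.io hunk later in this commit, handled the same way.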

View file

@ -603,7 +603,7 @@ However there's a simpler method:
### Don't forget your "ninja" password
Click here to logout [Session](logout.php)
Click here to logout Session >> logout.php
And we have an encrypted ssh key! so let's crack it:
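Review bot: this hunk replaces the markdown link [Session](logout.php) with the plain text "Session >> logout.php", a different convention from the rest of the commit, which keeps markdown links and only changes the target. Dropping the link is reasonable because logout.php belongs to the target application rather than to this site, but render the file name as inline code (`logout.php`) or keep the link; the ">>" form looks like a shell redirection.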

View file

@ -96,7 +96,7 @@ And now we're onto something! This may be a Windows IOT machine, and the [presen
C:\windows\system32>
--------- <****HResultResult | type: 1, payload length: 4, HResult: 0x0> <****OutputStreamResult | type: 11, payload length: 125, payload peek: 'b'Microsoft Windows [Version 10.0.17763.107]\r\nCopyri''>
Very weird box, we can't even use the whoami command, but let's try to get nc.exe onto the box, we're going to get [xc.exe](../Tools/xc.html) instead:
Very weird box, we can't even use the whoami command, but let's try to get nc.exe onto the box, we're going to get [xc.exe](../Tools/xc/index.md) instead:
[ 10.10.14.13/23 ] [ /dev/pts/74 ] [HTB/Omni/SirepRAT]
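Review bot: the xc page moves to a directory index, ../Tools/xc/index.md, while the sshtunnels hunk later in this commit points at a flat ../Tools/sshtunnels.md; confirm that xc really lives in its own directory now and that other writeups linking to the xc tool page were updated to the same target, otherwise only this file will resolve.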

View file

@ -800,7 +800,7 @@ We can use both wget or curl to get it on the box, but for now we're going to us
![](prg/9/25.png)
Here, linpeas is going to find EVERYTHING for us, therefore i'm going to put the full results [here](prg/9/linpeas.html):
Here, linpeas is going to find EVERYTHING for us, therefore i'm going to put the full results [here](prg/9/linpeas.md):
Basically, linpeas found a few interesting things for us:

View file

@ -182,7 +182,7 @@ and in doc/error_codes.pdf we are hinted towards the error codes we saw on the L
![](prg/34_004.png)
So we know that the password to login as administrator on the platform is the serial number, which is why we need to enumerate our snmp service further and just like on the [ Sneaky](7.html) Box we'll use snmpwalk:
So we know that the password to login as administrator on the platform is the serial number, which is why we need to enumerate our snmp service further and just like on the [ Sneaky](7.md) Box we'll use snmpwalk:
{Ø} nothing [ 10.10.14.24/23 ] [~/_HTB/Carrier]
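Review bot: the link text "[ Sneaky](7.md)" keeps a leading space inside the brackets, which renders as " Sneaky" and breaks the spacing around "the"; since the line is being edited for the 7.md rename, drop the space in the same change.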

View file

@ -266,7 +266,7 @@ Here we see something interesting which is that the Gitlab Login link is in fact
javascript:(function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()
Which seems to be some javascript obfuscated code, so we can use some [javascript prettifier](beautifier.io) to make it readable, but we can do the same from inside our terminal using vim's :%s function
Which seems to be some javascript obfuscated code, so we can use some [javascript prettifier](https://beautifier.io) to make it readable, but we can do the same from inside our terminal using vim's :%s function
:%s/;/\r/g
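Review bot: the absolute https://beautifier.io is correct, as the bare beautifier.io would have been treated as a relative path; the link text is not tied to the URL, so no further change is needed here. The obfuscated bookmarklet in the preceding context line is page content and should stay as-is.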

View file

@ -217,7 +217,7 @@ Now scrolling down, we see that we have a hint towards a java command that's bei
![](prg/48_010.png)
In this giant java process being ran by root, we are hinted towards a **java debugging wire protocol** service, and it probably doesn't require any authentication. We also see that it listens on the local port **8000** , but probably only accepts localhost connections, so we're going to use a [SSH tunnel](../Tools/sshtunnels.html) to port forward the remote port 8000 to our local machine on port **8000** :
In this giant java process being ran by root, we are hinted towards a **java debugging wire protocol** service, and it probably doesn't require any authentication. We also see that it listens on the local port **8000** , but probably only accepts localhost connections, so we're going to use a [SSH tunnel](../Tools/sshtunnels.md) to port forward the remote port 8000 to our local machine on port **8000** :
alexa@AI:~$ netstat -tulpen

View file

@ -196,7 +196,7 @@ Back to our local host we see that we catched the incoming reverse shell connect
!ssh port
* starts sshd with the configured keys on the specified port
Now from here we can do things like sending a file to scan the system for privilege escalation paths like [linpeas.sh](peas.html) to do that, we simply put the script inside the directory where we started the xc listener, and we use the **!upload** function:
Now from here we can do things like sending a file to scan the system for privilege escalation paths like [linpeas.sh](https://linpeas.sh) to do that, we simply put the script inside the directory where we started the xc listener, and we use the **!upload** function:
[ 10.10.14.13/23 ] [ /dev/pts/77 ] [HTB/Servmon/xc]
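Review bot: this hunk replaces the internal page reference peas.html with the external https://linpeas.sh, while the earlier hunk in this commit kept the linpeas reference internal by renaming linpeas.html to linpeas.md. If a local peas.md page still exists, this loses the link to the site's own write-up of the tool; if the page was intentionally removed, the commit message should say so rather than only "fix references".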

View file

@ -6,7 +6,7 @@
##### Below you will find my personal writeups of the various boxes that can be found on hackthebox.eu, ranked by difficulty.
![](../assets/img/user.png) nihilist
##### Hack The Box - Easy Boxes
@ -158,7 +158,7 @@
![](../assets/img/user.png) nihilist
##### Hack The Box - Medium Boxes
@ -304,7 +304,7 @@
![](../assets/img/user.png) nihilist
##### Hack The Box - Hard Boxes
@ -336,7 +336,7 @@
![](../assets/img/user.png) nihilist
##### Recurrent Tricks
@ -349,7 +349,7 @@
![](../assets/img/user.png) nihilist
##### The Concept of Hacking
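Review bot: each of the five hunks in this last file (header "-6,7 +6,7" through "-349,7 +349,7") shows only its context lines, the user badge and the section heading, and none of the changed lines, so the reference fix in this file cannot be reviewed from what is visible; check that the actual edited line in each hunk follows the same .html to .md pattern as the other files.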