|
Alright, I got it confirmed that the way to root is not by misconfiguration but rather exploiting existing unpatched software on the server. So that means: 1. Anything unpatched in SUID/SGID? 2. Anything unpatched or otherwise exploitable running as root? SUID/SGID output is here. I've been through the entire list and haven't found anything. code:
code:
* All beat-services, no exploits. * SSHd. Patched and secure. * Cron, no exploits. Nothing in crontab. * Google Cloud workers, out of scope. * polkitd (v0.103, not exploitable) * snapd, latest version. * networkd-dispatcher (nothing found) * accountsservice/accounts-daemon (nothing found) * systemd-* (systemd is v237, no known exploits) * agetty (no exploits) * lxcfs (not member of lxd group => no exploits) * lvmetad (no known exploits...) * in.telnetd - no known exploits we're left with code:
https://github.com/neex/phuip-fpizdam https://github.com/whotwagner/logrotten would work, but we dont fulfill the prerequistes. Regarding the PHP exploit then: code:
code:
I've ran the dpkg package list in tools which look at CVEs and exploitdb, but no joy. Alright... Any ideas? Might just be that I missed something in the enumeration part, it usually is. Hopefully someone old and grizzled can tell me that I forgot to look in some obvious place. Mopp fucked around with this message at 18:53 on Sep 9, 2020 |
# ? Sep 9, 2020 18:08 |
|
|
# ? Apr 18, 2024 00:39 |
|
i'm thinking it's php-dns-server specifically. can you see the entire install? see if you can figure out what version it is and check what the commits on github right after that might have fixed or changed. what does /etc/phpdns.json look like? can you actually query the DNS server? can you get it to act up if you try to query weird garbage?
|
# ? Sep 9, 2020 21:10 |
|
Why did I wait until I was old to start to do CTF stuff? I've been doing the overthewire basic stuff and it's puzzle fun that rewards decades of accumulated software trivia.
|
# ? Sep 9, 2020 21:22 |
|
yeah ctfs and boot2roots are great when you’re in the mood. there’s nothin like getting a flag before anyone else. i’ve been meaning to get back into it, it’s been a couple years
|
# ? Sep 9, 2020 22:07 |
|
Subjunctive posted:Why did I wait until I was old to start to do CTF stuff? I've been doing the overthewire basic stuff and it's puzzle fun that rewards decades of accumulated software trivia. Wait till this guy gets a load of Hack the Box
|
# ? Sep 9, 2020 23:01 |
|
I know this has been done before, but I feel like it's been a while. What 3 resources would you all recommend for IT generalists who want to stay up to speed on InfoSec stuff? I feel like I get enough through osmosis these days, but I want something that I can recommend to colleagues who aren't as plugged in.
|
# ? Sep 10, 2020 00:09 |
|
spankmeister posted:Wait till this guy gets a load of Hack the Box hack the box is cool especially when you root something a handfull of people get and there are some good people on there.
|
# ? Sep 10, 2020 00:09 |
|
yeah I doubt I’ll ever be good enough to race or otherwise compete, but they’re fun puzzles to wake up in the middle of the night with an answer to
|
# ? Sep 10, 2020 00:13 |
|
Internet Explorer posted:I know this has been done before, but I feel like it's been a while. What 3 resources would you all recommend for IT generalists who want to stay up to speed on InfoSec stuff? I feel like I get enough through osmosis these days, but I want something that I can recommend to colleagues who aren't as plugged in. https://risky.biz/
|
# ? Sep 10, 2020 00:16 |
|
Check sudo version and sudoers (though you said it wasn't a misconfiguration so sudoers is prob fine) Also the thing I said re: the auto loaded composer file being world writeable. Sometimes the file will be writeable but not discoverable via eg find due to perms on its parent dir, but you can write to it if you know its path
|
# ? Sep 10, 2020 03:33 |
|
uniball posted:i'm thinking it's php-dns-server specifically. can you see the entire install? see if you can figure out what version it is and check what the commits on github right after that might have fixed or changed. I'll agree with uniball. Usually VM challenge machines demonstrate one or maybe a few handful of exploits but it's always out of the blue like something not found or installed in base server image which what php-dns is basically so that's why a lot of us are looking at it. Unless it's something like Metaspoitable or DVWA or a CTF, it's usually to demonstrate something really weird and fun to learn about. Another thing I like to look at is stuff that sticks out. I am looking at the services running and they mainly concentrate around images made ~2019-2020 but the one from 2016 that you can check right now. quote:-rwsr-xr-x 1 root root 75824 Aug 21 2019 /usr/bin/gpasswd quote:root 9269 1 0 14:52 ? 00:00:00 in.telnetd: ::ffff:10.0.0.2 Plus it looks like someone is logged in either directly or through agetty. Run a netscan on it and set the level to high to try to get an accurate fingerprint. I know you looked at it, but look at it harder. It looks freaking weird how it's there and how old the binary is. Agetty is usually used to manage VMs easily in CTFs, but maybe they forgot to turn it off though. Maybe telnet as well..
|
# ? Sep 10, 2020 06:58 |
|
What's the version of utempter on that box?Subjunctive posted:yeah I doubt I’ll ever be good enough to race or otherwise compete, but they’re fun puzzles to wake up in the middle of the night with an answer to evil_bunnY fucked around with this message at 08:11 on Sep 10, 2020 |
# ? Sep 10, 2020 08:08 |
|
Pablo Bluth posted:I don't know if it's what your after but I find the Risky Business podcast an interesting listen. Definitely! Thank you.
|
# ? Sep 10, 2020 15:53 |
|
well i can tell you that after hours and hours, it's the kernel that's exploitable. I used https://raw.githubusercontent.com/brl/grlh/master/get-rekt-linux-hardened.c. could swear that i've tried this exploit from edb with no success, but don't care anymore. got the flag. code:
|
# ? Sep 10, 2020 17:12 |
|
this was a fascinating and educational adventure to read along with, I learned a thing or two! thanks for posting about it
|
# ? Sep 10, 2020 18:16 |
|
Balsa posted:MS is a means to a end. It really depends on what you are doing. I find its better to understand the issue of why the exploit even works so you can tell blue team how to prevent a issue like this from being a issue in the first place! Its really useful as a tool to convince your non tech CEO that allocating some money to getting an external security audit is a smart move though. Disabusing the suits of a false sense of security "But the database server is behind the firewall!" is worth it 100% of the time.
|
# ? Sep 11, 2020 04:09 |
|
Subjunctive posted:yeah I doubt I’ll ever be good enough to race or otherwise compete, but they’re fun puzzles to wake up in the middle of the night with an answer to I had this happen with a pwnable the other day and it's hilarious when it does.
|
# ? Sep 11, 2020 08:36 |
|
https://twitter.com/alt_kia/status/1024786909199884288?s=20 Breaker breaker, I got an RC-135 tracking me, anybody got your ears on, I need a convoy...
|
# ? Sep 11, 2020 18:18 |
|
CommieGIR posted:https://twitter.com/alt_kia/status/1024786909199884288?s=20 I can't wait for the GPS spoofers to get cheap enough that for ~some reason~ your GPS seems to think it's in the middle of Kansas somewhere, no matter what you try to do to fix it!
|
# ? Sep 14, 2020 05:24 |
|
CommieGIR posted:https://twitter.com/alt_kia/status/1024786909199884288?s=20 I'm going to assume these are from the same people that brought us $500 usb cables with "quantum field stabilizers". Because christ almighty theres a market to be plundered in stupid paranoid boomers with no radar for scams.
|
# ? Sep 14, 2020 11:53 |
|
fun https://twitter.com/wdormann/status/1305564045282598912
|
# ? Sep 14, 2020 21:28 |
|
duck monster posted:I'm going to assume these are from the same people that brought us $500 usb cables with "quantum field stabilizers". I mean, when you grow up in an environment where scams are illegal and immediately get scammed into voting those protections away....
|
# ? Sep 15, 2020 07:52 |
|
Yeah it's a doozy. Here's a writeup by the person who discovered the bug: https://www.secura.com/pathtoimg.php?id=2055
|
# ? Sep 15, 2020 08:26 |
|
Did anyone post this story about "hacking" Tony Abbott, the former PM of Australia? https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram It's more funny for the lengths he goes to report the thing then the actual exploit.
|
# ? Sep 18, 2020 13:10 |
|
I'm doing a simple buffer overflow with a twist that's messing with me. I got the source code where the critical part is this: code:
I wrote a small script to create palindrome payloads, and I got control of RIP. The RIP offset is 152, so calling it with a payload of "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" will overflow the program as below. The trouble I'm having now is that I can't find an address to jump to, or don't know how to using these tools (first time using gdb/pwngdb). There is a JMP RSP instruction at 0x00000000004007fb, but I don't know how to input an address with \x00 (null byte) as they get ignored in bash and the address becomes corrupted. In order to create the payloads, I made a small script to put together the shellcode + eip + padding and output the string as python compatible palindrome payload. A non working example then looks like this: code:
|
# ? Sep 19, 2020 09:36 |
|
Given that the buffer overflow uses strcpy, having a null byte in your payload means that it'll stop copying at that point, so even if you were able to pass it your overflow wouldn't work the way you wanted anyway. Trying to do things without needing to embed nulls is part of the fun of this sort of puzzle. I assume the stack is executable, since you're already trying to jump to it. I notice the program prints out the memory address that it's writing the string to - is that consistent from run-to-run?
|
# ? Sep 19, 2020 09:56 |
|
yeah, figured as much. the address changes every time. edit: correction: the address does not change every time... I thought it did when trying my payload but apparently not. Mopp fucked around with this message at 11:51 on Sep 19, 2020 |
# ? Sep 19, 2020 11:02 |
|
Well, you can probably embed one null in your input. If the palindrome check function keeps the null bytes intact the strcpy after it will copy up to and including the null byte and discard the rest. So you'd just make an input that has your desired eip address at the end including the null byte, then just mirror everything and stick it behind to pass that check. Not sure if it'll help in this case but on 32 bit that would be enough to get into the 0040XXXX range and you'd be golden.
|
# ? Sep 19, 2020 11:50 |
|
If the address doesn't change then looking for a gadget to explicitly jump to the stack pointer is a bit overcomplicated...
|
# ? Sep 19, 2020 11:52 |
|
spankmeister posted:Well, you can probably embed one null in your input. If the palindrome check function keeps the null bytes intact the strcpy after it will copy up to and including the null byte and discard the rest. So you'd just make an input that has your desired eip address at the end including the null byte, then just mirror everything and stick it behind to pass that check. From what I've found it's not possible to input null bytes using bash, so I'm currently stuck on that. The problem is visible in the first post. The program output is that is has written the word into 0x7fffffffe2d0, which seems to contain the entire payload. So to get code execution, I would like to insert shellcode + padding to index 152 + 0x7fffffffe2d0. this gives me the palindrome payload: code:
The null bytes did not make execution, so the RIP address is corrupted. The shellcode payload is at the correct place, so the only thing is to get the correct address into memory. Again: I'll gladly take any ideas you got.
|
# ? Sep 19, 2020 12:14 |
|
The return address that's already there probably has the relevant nulls in it already, right? What if you make your payload shorter, so that you're not overwriting those nulls? That way you'd only need to write the lower six bytes of the address you want to return to.
|
# ? Sep 19, 2020 12:23 |
|
Jabor posted:The return address that's already there probably has the relevant nulls in it already, right? I don't think that will work. Even if I make the payload shorter, there is still a continuation after the RIP address due to the fact that it must be a palindrome. That part would then be copied into the RIP instead.
|
# ? Sep 19, 2020 12:38 |
|
Mopp posted:From what I've found it's not possible to input null bytes using bash, so I'm currently stuck on that. The problem is visible in the first post. Ah yeah it's taking input from an argument, not stdin. I overlooked that part.
|
# ? Sep 19, 2020 12:54 |
|
Mopp posted:I don't think that will work. Even if I make the payload shorter, there is still a continuation after the RIP address due to the fact that it must be a palindrome. That part would then be copied into the RIP instead. What's stopping you making a palindrome with the return address at the end?
|
# ? Sep 19, 2020 12:58 |
|
spankmeister posted:Ah yeah it's taking input from an argument, not stdin. I overlooked that part. yeah, all info i've seen is that it's not possible to input null bytes as an argument... Jabor posted:What's stopping you making a palindrome with the return address at the end? Not sure if I understand what you mean. I'll try to simplify the problem: 1. I want to input the address 00BB into the RIP. The RIP overflows with the payload data at index 4. After changing the address to little endian, the payload would look like: code:
code:
code:
Putting the return address at the end wouldn't change the content of the RIP, or am I getting it wrong? edit: so from the real scenario: I want the address 0x7fffffffe2d0. The payload with the RIP address and its mirrored part look like this: code:
which again should be: 0x00007fffffffe2d0 second edit: just understood what you meant: make a payload of total length 152+8 for RIP which in turn is a valid palindrome. That is a nice idea. I'll try that. Mopp fucked around with this message at 13:32 on Sep 19, 2020 |
# ? Sep 19, 2020 13:10 |
|
alright, i've tried doing a shorter payload in the structure of: payload = rip + buf + shellcode + (palindrome part) with the total length of 152 + 8 bytes, so that the malicious address ends up at index 152-160 with the correct offset and the correct endian format. the payload then looks like this: code:
This is the result from running the payload: This is an obvious result with the correct address but trailing with the remainder of the payload, but I don't know how to solve it. I think I need to approach this from the beginning since this feels like a rabbit hole. Anyone got any ideas on how to buffer overflow the code posted earlier would be highly appreciated.
|
# ? Sep 19, 2020 16:10 |
|
well, turns out i needed to just read up on 64 bit buffer overflows. after going through this guide https://www.codeproject.com/Articles/5165534/Basic-x86-64bit-Buffer-Overflows-in-Linux and drawing the payload up on paper, it was pretty clear how to proceed. So the return address that gets loaded into RPI is stored directly after the base pointer. The buf variable is stored directly ahead of RBP and is 144 bytes. Filling the buffer with 144 A shows that we are directly at the RBP. So an overflow payload would have to be 144 + 8 (for the RBP) + 6 (for the return address) = 158 bytes large. To test this I made a simple palindrome payload with a new return address, NOPS and a cc interupt. you can see that the payload is mirrored around 0x7fffffffe3b0 and that the first bytes is the return address in big endian format. the return address is directly after 0x7fffffffe400 and should be loaded after execution, which will then run a bunch of nops. Success! After this, it was just a matter of creating a shellcode payload and inserting it to spawn a shell. Thanks for all the help! Mopp fucked around with this message at 11:39 on Sep 20, 2020 |
# ? Sep 20, 2020 11:36 |
|
https://twitter.com/Itmechr3/status/1308178096152023040
|
# ? Sep 22, 2020 01:09 |
|
They're about to do it all over the nation if the Breonna Taylor decision is as slap-on-the-wrist as Louisville's locking down is for it to be
|
# ? Sep 22, 2020 15:53 |
|
|
# ? Apr 18, 2024 00:39 |
|
Has anyone examined the salesforce outlook integration products and not immediately flag it all as high risk?
|
# ? Sep 22, 2020 19:04 |