Covfefe


Information:
Name: covfefe: 1
Author: Tim Kent
Rating: 9.5/10
Recommend: Yes. Great experience cracking SSH private keys and learning simple buffer overflow exploits.

$ nmap 10.0.2.8 -p 0-65535 Nmap scan report for 10.0.2.8
Host is up (0.00044s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
31337/tcp open Elite
Lets visit the 31337 port. http://10.0.2.8:31337/robots.txt
User-agent: *
Disallow: /.bashrc
Disallow /.profile
Disallow /taxes
We find the first flag in the the /taxes directory.
It looks like were in someones home directory... what a bad place to put an Apache web root.
So after dirbing the directory with fuzzdb (https://github.com/fuzzdb-project/fuzzdb) raft-large-files.txt, we find out the .ssh directory exists. Copy the id_rsa private key and id_rsa.pub key. Put both of those files in your own ~/.ssh directory. This will help us SSH into the server. Use ssh2john to convert the id_rsa key into something john understands.
SSH as simon@10.0.2.8 and enter the passphrase "starwars". Congrats your in.

If you read the .bash_history file, you see simon summoned a "read_message" command. Do read_message and you get a nice little message.

read_message is executed by root. The program "message" located in /usr/local/sbin/message is a 700 permission only. I thought it would be smart to replace that message binary and make my own. But it looks like were stuck with message. This is a buffer overflow exploit. So what we have to do is enter Simon followed by 15 random characters, and then put /bin/sh after it. The /bin/sh or (anything that is 21st character and over, gets executed by execve().

I boxed in the vulnerable code. I tried /bin/bash first, but I was getting permission errors. /bin/sh will let you read root files.

Comments

Popular posts from this blog

Palo Alto for GNS3 CCDC Tutorial

Trace Labs Global Missing Persons CTF V

Release of CCDC ISE Manager Website