
Security Researcher | Independent Penetration Tester | CTF Player | Good Vibes ✌️

ROP Emporium - ret2win (x64)

Summary

ret2win was a simple challenge from ROP Emporium that required the pwner to jump to a flag function, effectively reusing code already present in the executable file at runtime. It introduced the basics of ROP chaining with minimal countermeasures, to simplify the process of attacking binaries with a non-executable stack. In this blog post, I break down how I solved this challenge.

Analyze the Countermeasures

Always analyze a binary's countermeasures first, because they determine the objective for exploiting the binary and what the limitations are. For all my binary exploit development walkthroughs, I will be using pwntools, which ships with checksec. This tool reports which countermeasures were enabled when the binary was compiled:

ROP Emporium - split (x64)

Summary

split was a simple challenge from ROP Emporium that required the pwner to build a ROP chain from two gadgets found within the ELF.

Analyze the Countermeasures

Always analyze a binary's countermeasures first, because they determine the objective for exploiting the binary and what the limitations are. For all my binary exploit development walkthroughs, I will be using pwntools, which ships with checksec. This tool reports which countermeasures were enabled when the binary was compiled:

HackTheBox - Cronos


Machine Release Date: March 22, 2017

Summary

Cronos was an older medium level machine that leaked its subdomains via a DNS zone transfer. From there, I found a subdomain with a login form where I was able to bypass authentication via basic MySQL injection. After logging into the web application, I was able to leverage OS command injection to get remote code execution on the machine. Once on the machine, I wrote a PHP reverse shell to the file the system's cronjob was executing to get remote code execution as root.

HackTheBox - Jarvis


Machine Release Date: June 22, 2019

Summary

Jarvis was a medium level machine that had an SQL injection vulnerability in its custom web application on port 80. Via SQL injection, I was able to write a web shell to the remote machine and leverage it to get remote code execution. I was also able to get the database user's hash and crack it. This allowed me to access the PhpMyAdmin web application and exploit an LFI vulnerability which also granted me remote code execution. From there, I was able to own the first user by running one of their scripts with restricted sudo privileges via OS command injection to generate an SSH key and use it to log in on their behalf. After owning the first user, I enumerated for SUID binaries on the system and was able to get remote code execution via /bin/systemctl with root privileges.

HackTheBox - Jerry


Machine Release Date: June 30, 2018

Summary

Jerry was a trivial machine where default Tomcat 7 credentials were used. Leveraging these credentials, I was able to access the Tomcat manager API to upload a malicious WAR file acting as a reverse shell. Leveraging the uploaded payload, I was able to get remote code execution on the machine with SYSTEM privileges.

Active Ports

sudo nmap -p8080 -sC -sV -oA nmap/full-tcp-version 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.033s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 24 14:35:36 2020 -- 1 IP address (1 host up) scanned in 9.90 seconds

User Own - (Tomcat 7 Default Credential Usage)

Navigating to the web service on port 8080, I was presented with a Tomcat 7 web application. It looked like the application had just been deployed. Also, with Tomcat applications, it is always a good idea to brute force for default credentials:

HackTheBox - Poison


Machine Release Date: March 24, 2018

Summary

Poison was a medium level machine that had a PHP LFI vulnerability in its web application. Exploiting this vulnerability, I was able to enumerate all users on the system and recover an SSH password. Additionally, I was also able to exploit the LFI vulnerability to get remote code execution on the server via PHP log poisoning. Leveraging the SSH password, I was able to own the charix user. Once on the machine, I found a tightvnc server running with root privileges which I was eventually able to log in to.