Sunday, February 25, 2018

TAMUCTF: Bandaid

We are given a broken binary that claims it needs some fixin'!

We can go about this two ways: patch the assembly so it executes as it should, or force it to execute properly in GDB by setting EIP to the function it is supposed to run. I went with the latter method.



Setting EIP to the address of _Z2f2v, we continue the program and it spits out a ton of stuff.
The top portion is definitely some sort of encrypted message, and the two big chunks below it are a ton of base64. Wonder what that could be...


Ah--neat! So we get a private and public RSA key, which means the private key should be able to decrypt the message at the top.


Modifying an existing RSA decryption Python script, we can easily decrypt our message and get our flag!
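As an added example (not the script from the writeup), this is what such a decryption script does under the hood, using only the standard library: the base64 chunk the binary printed is a PEM-wrapped, DER-encoded PKCS#1 RSAPrivateKey, so we strip the armour, walk the DER SEQUENCE of INTEGERs to recover n, e and d, and compute m = c^d mod n. The key here is constructed from two small Mersenne primes so the numbers stay short, and the ciphertext is textbook RSA with no padding; the challenge's actual key size and padding scheme are not shown on the page, and padding is the part a library such as PyCryptodome handles for you.

```python
import base64
# Constructed demo key from two Mersenne primes: far too small for real use,
# chosen only to keep the numbers short. The CTF key was normal-sized.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537

def der_len(n):
    # DER length: one byte below 128, else 0x80|count then the big-endian count
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b

def der_int(v):
    # DER INTEGER for a non-negative value; the spare byte keeps the sign bit clear
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def make_pem_private_key(p, q, e):
    # PKCS#1 RSAPrivateKey (RFC 8017 A.1.2): version, n, e, d, p, q, dP, dQ, qInv
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    seq = b"".join(der_int(f) for f in fields)
    b64 = base64.b64encode(b"\x30" + der_len(len(seq)) + seq).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN RSA PRIVATE KEY-----", *lines, "-----END RSA PRIVATE KEY-----"])

def der_read(buf, pos):
    # Return (tag, contents, next_pos) for the TLV element starting at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the length
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def parse_pem_private_key(pem):
    # Strip the PEM armour, base64-decode, and pull n, e, d from the SEQUENCE
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = der_read(base64.b64decode(body), 0)
    assert tag == 0x30, "expected SEQUENCE"
    ints, pos = [], 0
    while pos < len(seq):
        tag, val, pos = der_read(seq, pos)
        assert tag == 0x02, "expected INTEGER"
        ints.append(int.from_bytes(val, "big"))
    _version, n, e, d = ints[:4]
    return n, e, d

def rsa_decrypt(c, n, d):
    # Textbook RSA (no padding): m = c^d mod n, then back to bytes
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")
```

Feeding a real key's PEM text to parse_pem_private_key works the same way; only the padding removal after rsa_decrypt would still be missing.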



TAMUCTF: Pwn 1 & 2

Pwn1:

Disassembling the binary we are given, we can see there is a print_flag function that is preceded by a cmp instruction.


We can perform a buffer overflow to manually enter the hex word "0xf007ba11" so that the comparison statement evaluates properly and the print_flag function is executed.

Looking at the assembly, we can determine that the padding for our exploit will be 23 bytes, followed by 4 more bytes holding our hex word. Remember though--this needs to be in little endian, so we end up with the following payload:



Testing this out in GDB we see that it works perfectly, and we are able to fulfill the check.



Now we can take our payload and send it to the server running the binary.


And we get the flag!


=============

Pwn 2:


Using objdump first, we can see that there is a hidden print_flag function that we can call after triggering a buffer overflow.



This time our buffer is a bit larger than last time: our padding will be 243 bytes followed by the 4-byte address of print_flag.


Sending this to the server, we are able to get the flag!



TAMUCTF: Enum

This was by far my favorite challenge of the CTF since it resembled a mini boot-to-root challenge (minus the actually-getting-root part...), which focused a lot (surprise, surprise) on enumeration.



When we initially SSH in, we are dropped into a restricted shell, so first things first, to make it easier on ourselves, call /bin/bash with echo 'os.system("/bin/bash")'.

It took quite a lot of prodding around to find anything interesting, but I eventually discovered the following:



Alright, so we know they are running a pyserver of some sort. Time to find out what's going on.



Cool, it is running as root over port 9000. Now it's just a matter of finding a way to interact with it. We can do this by port forwarding to our local host with the following command:


Now that that is set up, all we need to do is pull up our browser and navigate to localhost on the 8080 port we indicated.




Doing so, we get the flag!

Tuesday, February 20, 2018

Basic Pentesting: 1 Walkthrough


It's been quite a while since doing a VM (been busy moving, new job, etc...), and I saw that a bunch of new ones had been uploaded to Vulnhub, so I finally got a chance to sit down and have some fun.

Basic Pentesting: 1 was fun. Definitely geared towards beginners, but it made for an enjoyable night!

Naturally, start with an arp-scan to determine the machine's IP, and then use nmap to determine what services and ports are up.


Following up on this, running Sparta helps to see if there is anything else interesting.


Nikto discovers an interesting file on the HTTP server, so let's head over and find out what is there...
(Note: you will need to add the domain to your /etc/hosts file to properly browse.)


Mmmm, a WordPress blog. Surely this user locked it down real tight and it's perfectly up to date!


admin:admin... How secure! Arriving at the admin portal, we have free rein to do whatever we please with the plugins and site. So, I got my handy PHP reverse shell code and dropped it into the Akismet plugin, replacing the code that was there, and then activated the plugin.



Before hitting "Update File", have your listener active. After pressing the button, we get onto the box as the www-data user.


Now it's time to enumerate for privilege escalation. I first headed to the wp-config.php file out of habit, since creds are always lying around in there based on past VM experience, and sure enough we got root creds for the MySQL database.




Logging into MySQL with these creds didn't yield much at all. I attempted to get root from a sys.exec call, but it wasn't on the box. After a bit of exploring, I looked around for some other files of interest on the box.

Searching high and low I almost missed the critical issue with this box...


A beautiful invitation to change the passwd file! Don't mind if I do! First we just need to make a hash of whatever password we want. I chose 'derp'.



Since vim and nano were not on the box, I just paired this with the root info from /etc/passwd and echoed it into the file.



Yep... I used the double arrows because I was lazy, but then the machine forgot who I was :(
No issues--I just copied the www-data line and echoed that back in. Now that our password is set, we just call root, and the machine happily escalates us!
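Since the critical issue on this box was a writable /etc/passwd, here is the check a defender would run for exactly this tampering pattern. It is an added Python example, not from the writeup, that audits passwd entries for a hash sitting in the password field (where "x" should defer to /etc/shadow), extra UID 0 accounts and empty passwords, and flags the file mode that made the edit possible; the sample passwd text and its hash value are constructed.

```python
import os
import stat

# Constructed /etc/passwd contents modelling the tampering described above:
# a "toor" line with a hash in the password field and UID 0. The hash is a
# placeholder, not a real crypt(3) value.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
toor:$6$saltsalt$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""

LOCKED = {"x", "*", "!", "!!"}  # normal values: shadowed or locked account

def audit_passwd_lines(text):
    # Return (user, finding) pairs for every suspicious entry in passwd text
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry, expected 7 fields"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((user, "empty password field, login needs no password"))
        elif pw not in LOCKED:
            findings.append((user, "hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings

def world_writable(mode):
    # True when the permission bits allow group or other write access
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_passwd_mode(path):
    # Describe a group/other-writable passwd file; None when the mode looks fine
    mode = os.stat(path).st_mode
    if world_writable(mode):
        return f"{path} is writable by group/others ({stat.filemode(mode)})"
    return None

if __name__ == "__main__":
    for user, finding in audit_passwd_lines(SAMPLE_PASSWD):
        print(f"{user}: {finding}")
    print(audit_passwd_mode("/etc/passwd") or "/etc/passwd mode looks fine")
```

Running it against a live box reads the real /etc/passwd for the mode check; pass the file's contents to audit_passwd_lines to audit the entries themselves.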