HackTheBox - Rope

GTQxZlr5yvE/default.jpg

01:10 - Nmap the box, then play with the WebServer. 404 msg are interesting
05:15 - Discovering Directory Traversal and then grabbing the webserver by going to /proc/self/cwd/
09:25 - Opening the binary up in Ghidra and exploring the binary to understand what it does
18:35 - Discovering we have control over the first argument in log_access/printf
20:05 - Showing one of my most hated things about debugging forks. Be sure to always kill the process!
21:05 - Using GDB to help us analyze the log_access call, by breaking and examining the stack
24:00 - Begin of PrintF Exploitation, leak a bunch of memory addresses, then identify a spot in memory where we control
28:40 - Starting to write an exploit script
30:50 - Grabbing /proc/self/maps to obtain a memory map which helps bypass ASLR. Analyze the binary again and see it supports the "RANGE" HTTP Header which is required to grab these special files
34:30 - Back to Coding the exploit script, now that we can grab the process map
41:25 - Testing our leaking/rebasing code to verify we are leaking correctly then using fmtstr_payload to automate the exploit
47:00 - Running the exploit, seeing the output of "GET" on the Server's STDOUT... Lots of fighting with a debugger to show exactly what happened (explain it later, may want to skip to the next part)
01:01:30 - Replacing GET in our request with commands, to see it is running them. Placing a reverse shell here using IFS as space.
01:03:50 - Changing the exploit to use the target... For some reason we have the wrong libc version, once we figure that out it works.
01:08:25 - Going to /proc/self/maps again to leak the path of libc, redownloading it and then we instantly get a shell. Drop SSH Keys and SSH in
01:11:30 - Going back.. the issues with debugging the printf exploit, to explain it. The issues had was system() calls fork and we followed it
01:17:00 - John can sudo the readlogs binary, analyze it with ghidra/ldd to see it calls a printlog() option in a custom library that is chmod'd to 777
1:21:10 - Creating a custom library that replaces printlog() with a system("/bin/bash") call, uploading and getting our shell. Drop an SSH Key and go in via ssh
1:26:00 - Examining the contact bin in Ghidra, this one is stripped so it will be a bit more pain to navigate
1:31:20 - Explaining the buffer overflow in the recv() call -- Then lots of fighting with gdb to get to a part of the code to explain overwriting the canary
1:46:49 - Partially overwriting the canary and showing it in GDB, then explaining how its like a padding oracle attack due to it not changing.
1:50:10 - Begin the exploit script, start off with creating our threaded bruteforcer() class.
2:02:45 - Explaining what our code will do, then running it and fixing errors
2:11:30 - Testing our program to see we can leak the canary. Then leaking RBP and RIP
2:14:50 - Using VMMAP to aid us in rebase the binary to bypass ASLR.
2:18:22 - Using pwntools to create a write() gadget to leak a libc address, then rebase libc
2:23:35 - Since Canary/RBP/RIP are always the same, lets just hard code those variables for now to save time
2:25:30 - Going over the ROP Gadget, then verifying the libc address is correct and doing dup2,dup2,execve for code execution
2:35:40 - Found why the ExecVE wasn't working, didn't update the rop variable name, so ran libc leak twice
2:36:30 - Updating the code to work remotely. Use Chisel to forward port 1337 to our box
2:45:30 - Printing a few more debug things so we know the code is working, downgrading the # of workers, then running it remotely, to get a shell
2:48:50 - Showing we don't need the Pop RDI because RDI is already set as the FD
2:54:19 - Removing the first 16 bytes of our libc leak, to skip over RDI
2:56:40 - Removing the RDI's from our Dup2 calls
3:00:35 - Removing all the PwnTools magic from our binary, manually rebasing
3:02:30 - Manually specifying the addresses for everything, gadgets (ropper), objdump (PLT), ReadElf (GOT), Strings (binsh)
3:14:00 - Leaking libc gadget works. Repeating everything we did here with LibC and building the execve gadget
3:23:30 - Begin of manual PrintF, showing the liveoverflow videos I recommend watching.
3:35:15 - Creating the printf payload (have a typo, should be %4x)
3:38:35 - Going to the pritnf call in GDB, examining the GOT PUTS address before/after to see we screwed up
3:42:30 - Had the wrong address for PUTS in our printf payload, put the correct one in and examine the call in GDB to see PUTS@GOT is now 0xc
3:44:17 - Explaining why we want to break the SYSTEM() address into two 2 byte pieces instead of one 4 byte... Modifying our PrintF Payload to allow this. This piece should really show what the "n" variable does in printf
3:47:09 - Our memory address is close to what we want for SYSTEM, modifying the number slightly
3:49:20 - Address matches! Running the exploit with our reverse shell and hand crafted printf payload to show it works.

GTQxZlr5yvE/default.jpg
HackTheBox - Rope HackTheBox - Rope Reviewed by Anonymous on May 23, 2020 Rating: 5