Vulnhub — Netstart 1 Writeup

Netstart is a ‘vulnhub’ Linux machine running a wine program vulnerable to Buffer Overflow, escalating privileges through user’s sudo permissions to root. Let’s get right to it.

First and foremost we start with the nmap scan:

2 tcp ports open: 21(ftp) and port 2371(worldwire)

Looks like ‘ftp’ has anonymous login enabled. Let’s go and take a look:

I’ve seen 2 files in the ftp directory, login.exe and login_support.dll, I downloaded them to my machine so I can examine and debug the program.

I now nc to port 2371

Seems like we’ve got an input option. At this point I’m thinking BoF could be an option on this box.

Sending the downloaded files into CommandoVM to debug the program with Immunity Debugger, I setup an smbserver on my Kali and accessed it from Windows CommandoVM.

Setting up the server on my Kali machine.

WIN+R and type \\ip\sharename, logging in with the credentials I setup.

Successfully connected to the SMBServer, extracting the files to a folder called “login” I created.

Files on the local machine.

Launched Immunity Debugger and opened login.exe. It required login_support.dll because.. you’ll see. (;

opened ‘login.exe’ and ran the program.

As we can see the program runs and waiting for connections.

I tried to connect to the CommandoVM on port 2371 and it successfully connected and requested the exact same thing as the target on port 2371. If this is vulnerable to BoF we can exploit the target machine!

nc on the CommandoVM machine.

Now I’ve ran python scripts against the program located at CommandoVM on port 2371, every script will be documented here.

The fuzzing template.

Fuzzing crashed at %s bytes. (1900 at this case)

We can see it crashed at 1900 bytes. Let’s generate a pattern using msf-pattern_create.

Generated the following.

We run the next script against the program:

Step 2

The program crashed with the EIP — 65433765

We now see if we can find an offset using the EIP address.

Offset found!

We found an exact match at 1702. We set our offset to 1702 in the next scripts!

We run the next script against the program to see if we can control the EIP to be 4 Bs.

Step 3

We can control the EIP! We overwritten the EIP with 4 Bs.

EIP is 42424242 (4 times the letter B)

Now we need to find bad characters. We run the following script:

Step 4 — BadChar finding

I’ve removed \x00 (null byte) from the bytearray because it is an already known bad character.

Hmm, doesn’t seem like we have bad characters except for the null byte.

Now we use mona to identify vulnerable modules that has the least security.

Running !mona modules in the console.

Remember login_support.dll? We can see login_support.dll has no security at all! Let’s try to find a JMP ESP address using the module, with ‘mona’ again.

2 addresses found.

Great, we found 2 addresses, I’m going to use the address 0x625012b8 on my next scripts.

625012b8 is indeed JMP ESP. Now the next script is going to verify the address, I’m going to set a breakpoint at this address.

Now let’s check Immunity Debugger:

Great. The EIP is our target.

Now I’m going to generate a shellcode with msfvenom. I’ve added x0a and x0d as bad characters, because they are commonly bad characters as well.

Putting the generated shellcode on our attacking script:

Ignore the “try” comment.

Now we set up a nc listener listening to port 51337.

Reverse shell returned.

We got a reverse shell!

Use ‘fox’ can execute /usr/bin/systemctl as root. GTFObins have a page showing how to use that method.

Let’s try this:

We can see it is indeed invoking the `less` pager.

Now we type !sh in this ‘less’ pager.

Got root

We got root! Fun box — this machine is a great BoF practice.

proof.txt