Hack The Box / Jail

5 minute read

Jail is our fifth machine in the OSCP list provided by NetSec Focus! This machine was a great learning experience where buffer overflow, custom exploit development, and linux privilege escalation were crucial in order to obtain this machine. This machine show my weaknesses in buffer overflow, custom exploit development, and linux privilege escalation, so it was a great learning experience, and without Booj’s guide root this machine would’ve not been possible. This is the fifth blog before my third attempt to the OSCP exam, so let’s get to it!

Information Gathering

Nmap Scan

So, we start with a nmap scan to check what ports are open and what services are running in this machine.

nmap -sC -sV -p- -oN scan.nmap 10.10.10.34

nmap scan

So, we see some HTTP, RCPBIND, NFS, and a “random” service running. Actually, good results will come from the “random” service and the HTTP, about NFS we’ll get that later.

Visiting Port 80 HTTP

The first thing we see getting in this port is a jail cell, which is relatable with the name of the machine.

nmap scan

Sounds like time to do some directory brute force!

Directory Brute Force

Running dirsearch in port 80 gave us a good result.

python3 dirsearch.py -u http://10.10.10.34 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -t 50

nmap scan

Yay! We got a good result with http://10.10.10.34/jailuser/ let’s check what’s in there.

nmap scan

So, going to http://10.10.10.34/jailuser/dev there are three files that can give us useful information.

Checking files from Jail

We start with jail.c and looking at the code it looks like buffer overflow!

nmap scan

According the screenshot showed above, there are variables that are “overflowable” because they can handle certain amount of characters before they overwrite the memory. Also the “random” service that we talked in our Nmap scan seems to be related with this buffer overflow because in the code shares its connection with port 7411.

nmap scan

Besides this in this code we can see some credentials that are going to be useful for exploit development.

nmap scan

Also, there is another file called compile.sh, after giving it permissions it compiles the file and we can run it and start working with the debugger and some other things!

telnet localhost 7411

nmap scan

Start Experimenting with buffer overflow and other things.

Time to run gdb!

nmap scan

After starting our debugger it’s time to crearte a pattern, you can use gdb or the packet from metasploit for this which is located at /usr/share/metasploit-framework/tools/exploit/

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 50

nmap scan

Now that we have the pattern it’s time to send it where we must overwrite the EIP which in this case is the password parameter.

nmap scan

And we have found the memory address where EIP overwrites.

nmap scan

That memory address will going to help us at the time to build the exploit. Now it’t time to find thr pattern offsert which is going to tell how many characters we need to send in order to write instructions to be executed.

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 62413961 -l 50

nmap scan

The result means that we’ll need 28 characters and after those characters we can execute instructions in memory. After having this it’s time start building the exploit. To keep in mind, we are going to need a new address memory from the vicitm machin which in this case is jail due to the address showed above is from the localhost. This is the memory address from Jail.

nmap scan

Time to show the exploit!

Exploit development & Obtaining Shell

In order to create the exploit we’ll need the library pwn and reusable shellcode for linux. Other information needed is showed above such as memory address, amount of characters need it and commands to execute. If you want to download the exploit you can find it here.

nmap scan

Once we make sure that the exploit is right and it’s aimed to the correct target, time to execute it.

nmap scan

We’re in user nobody which means time for privilege escalation!

Privilege Escalation

Do you remember the nfs service that was open in our nmap scan? let’s check what’s in there!

showmount -e 10.10.10.34

nmap scan

So, looks like there are some folder sharing /opt and /var/nfsshare/. Time to mount them and see whar we can find. Before mounting them remember to create a folder in /tmp named nfsshare

mkdir /tmp/nfsshare
mount -t nfs 10.10.10.34:/var/nfsshare /tmp/nfsshare

nmap scan

We can access to the directory, and looks like onlu root user has read, write and execute permissions, but a user with GID 1000 can also read, write, and execute files inside the folder. So, sounds good to create a user in our localhost with GID 1000. This is the command to add a new user to the local system.

adduser frank

You might ask why the user created has to be frank. We,ll from our shellcode connected to Jail, if we list home there is a user called frank, so can be helpful.

nmap scan

Now let’s check if our user frank has a GID 1000 in order to execute privilege escalation successfully.

nmap scan

Good! now, we login as frank and we create a c-progran that inside the share folder that can set a real effective user ID to be 1000 of the calling process. So this is the code.

nmap scan

So, in this image shows all the process that it has to be made in order to execute the code. Where I mount the nfs shared folders, I go to frank user, create the c-program, compiled it, and execute it.

nmap scan

After doing these steps, it’s time to go to our shell connected to Jail where we’ll execute our code in the shared folder which is /var/nfsshare/ in Jail machine.

nmap scan

And wolah we have user!

Getting User Flag

After getting our user frank, we can find the flag at /home/frank as user.txt.

nmap scan

Root Privilege Escalation

Executing the command sudo -l there is a good result that shows that frank can run logreader.sh as sudo! but that won’t work unfortunately. So, there is a good chance to execute rvim, and read, and write jail.c.

nmap scan

So in order to perform privilege escalation we shall we execute the following command once in rvim. This vulnerability has been found here from a user in github explaining that you can obtain a shell with the following command.

:diffpatch $(sh <&2 >&2)

and we got a shell as adm!

nmap scan

After listing all hidden directories in /.key there is a note encrypted in some kind of cypher text that might content valuable information.

nmap scan

So, after researching this puzzle in a website called quipqiip and looking for an answer, we found something interesting.

https://www.fbi.gov/history/famous-cases/alcatraz-escape Alcatraz? If you google it there is a interesting story about some guys who escaped from a prison located in aisland. Relatable to the name of the machine, right? Well, yes because that will help us to get some password craking with the name of the individuals who escaped from Alcatraz. By now there is key.rar file, there is no chance to transfer it through SCP ot HTTP method,let’s do it through base64!

base64 key.rar

nmap scan

After getting the base64 format in a file in our localhost, we can convert it to the normal format with the following command.

base64 -d key.rar.b64 > key.rar

Password craking with John

This time is a rar file so we can use rar2john in order to obtain this file. But before this it’s time to create a wordlist with the name of one of the individuals who escaped from Alcatraz, this time is Morris. To create this list we’ll use crunch.

crunch 11 11 -o jail-wlist -f /usr/share/crunch/charset.lst symbols-all -t Morris1962@ 

nmap scan

The hash has been cracked and a result we have some kind of ssh public key.

nmap scan

#### Obtaining Private Key

So, is there any chance to get a private key from this public key? There is! the tool called RsaCtfTool will help us with this activity!

./RsaCtfTool.py --publickey rootauthorizedsshkey.pub --private > id_rsa

and as a result we obtain a private key!

nmap scan

so it’s time to give permissions to this private key and log as root through ssh!

Obtaining Root Flag

After log in we can find the flag in /root as root.txt

nmap scan

And we owned the machine!

To Conclude

There was so much to learn from this machine that at the same time was frustrating some terms that I didn’t understood well, although it was fun. Something new to me was how to transfer files through base64, and how you can get a private key from a public key! Also, the exploit development process was interesting and the usage of the library pwn and the reusable shellcode was interesting.

Leave a comment