Jail is our fifth machine in the OSCP list provided by NetSec Focus! This machine was a great learning experience where buffer overflow, custom exploit development, and linux privilege escalation were crucial in order to obtain this machine. This machine show my weaknesses in buffer overflow, custom exploit development, and linux privilege escalation, so it was a great learning experience, and without Booj’s guide root this machine would’ve not been possible. This is the fifth blog before my third attempt to the OSCP exam, so let’s get to it!
So, we start with a nmap scan to check what ports are open and what services are running in this machine.
nmap -sC -sV -p- -oN scan.nmap 10.10.10.34
So, we see some HTTP, RCPBIND, NFS, and a “random” service running. Actually, good results will come from the “random” service and the HTTP, about NFS we’ll get that later.
Visiting Port 80 HTTP
The first thing we see getting in this port is a jail cell, which is relatable with the name of the machine.
Sounds like time to do some directory brute force!
Directory Brute Force
Running dirsearch in port 80 gave us a good result.
python3 dirsearch.py -u http://10.10.10.34 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -t 50
Yay! We got a good result with
http://10.10.10.34/jailuser/ let’s check what’s in there.
So, going to
http://10.10.10.34/jailuser/dev there are three files that can give us useful information.
Checking files from Jail
We start with
jail.c and looking at the code it looks like buffer overflow!
According the screenshot showed above, there are variables that are “overflowable” because they can handle certain amount of characters before they overwrite the memory. Also the “random” service that we talked in our Nmap scan seems to be related with this buffer overflow because in the code shares its connection with port 7411.
Besides this in this code we can see some credentials that are going to be useful for exploit development.
Also, there is another file called
compile.sh, after giving it permissions it compiles the file and we can run it and start working with the debugger and some other things!
telnet localhost 7411
Start Experimenting with buffer overflow and other things.
Time to run gdb!
After starting our debugger it’s time to crearte a pattern, you can use gdb or the packet from metasploit for this which is located at /usr/share/metasploit-framework/tools/exploit/
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 50
Now that we have the pattern it’s time to send it where we must overwrite the EIP which in this case is the password parameter.
And we have found the memory address where EIP overwrites.
That memory address will going to help us at the time to build the exploit. Now it’t time to find thr pattern offsert which is going to tell how many characters we need to send in order to write instructions to be executed.
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 62413961 -l 50
The result means that we’ll need 28 characters and after those characters we can execute instructions in memory. After having this it’s time start building the exploit. To keep in mind, we are going to need a new address memory from the vicitm machin which in this case is jail due to the address showed above is from the localhost. This is the memory address from Jail.
Time to show the exploit!
Exploit development & Obtaining Shell
In order to create the exploit we’ll need the library pwn and reusable shellcode for linux. Other information needed is showed above such as memory address, amount of characters need it and commands to execute. If you want to download the exploit you can find it here.
Once we make sure that the exploit is right and it’s aimed to the correct target, time to execute it.
We’re in user nobody which means time for privilege escalation!
Do you remember the nfs service that was open in our nmap scan? let’s check what’s in there!
showmount -e 10.10.10.34
So, looks like there are some folder sharing
/var/nfsshare/. Time to mount them and see whar we can find. Before mounting them remember to create a folder in
mkdir /tmp/nfsshare mount -t nfs 10.10.10.34:/var/nfsshare /tmp/nfsshare
We can access to the directory, and looks like onlu root user has read, write and execute permissions, but a user with GID 1000 can also read, write, and execute files inside the folder. So, sounds good to create a user in our localhost with GID 1000. This is the command to add a new user to the local system.
You might ask why the user created has to be frank. We,ll from our shellcode connected to Jail, if we list home there is a user called frank, so can be helpful.
Now let’s check if our user frank has a GID 1000 in order to execute privilege escalation successfully.
Good! now, we login as frank and we create a c-progran that inside the share folder that can set a real effective user ID to be 1000 of the calling process. So this is the code.
So, in this image shows all the process that it has to be made in order to execute the code. Where I mount the nfs shared folders, I go to frank user, create the c-program, compiled it, and execute it.
After doing these steps, it’s time to go to our shell connected to Jail where we’ll execute our code in the shared folder which is
/var/nfsshare/ in Jail machine.
And wolah we have user!
Getting User Flag
After getting our user frank, we can find the flag at
Root Privilege Escalation
Executing the command
sudo -l there is a good result that shows that frank can run logreader.sh as sudo! but that won’t work unfortunately. So, there is a good chance to execute rvim, and read, and write
So in order to perform privilege escalation we shall we execute the following command once in rvim. This vulnerability has been found here from a user in github explaining that you can obtain a shell with the following command.
:diffpatch $(sh <&2 >&2)
and we got a shell as adm!
After listing all hidden directories in
/.key there is a note encrypted in some kind of cypher text that might content valuable information.
So, after researching this puzzle in a website called quipqiip and looking for an answer, we found something interesting.
https://www.fbi.gov/history/famous-cases/alcatraz-escape Alcatraz? If you google it there is a interesting story about some guys who escaped from a prison located in aisland. Relatable to the name of the machine, right? Well, yes because that will help us to get some password craking with the name of the individuals who escaped from Alcatraz. By now there is key.rar file, there is no chance to transfer it through SCP ot HTTP method,let’s do it through base64!
After getting the base64 format in a file in our localhost, we can convert it to the normal format with the following command.
base64 -d key.rar.b64 > key.rar
Password craking with John
This time is a rar file so we can use rar2john in order to obtain this file. But before this it’s time to create a wordlist with the name of one of the individuals who escaped from Alcatraz, this time is Morris. To create this list we’ll use crunch.
crunch 11 11 -o jail-wlist -f /usr/share/crunch/charset.lst symbols-all -t Morris1962@
The hash has been cracked and a result we have some kind of ssh public key.
#### Obtaining Private Key
So, is there any chance to get a private key from this public key? There is! the tool called RsaCtfTool will help us with this activity!
./RsaCtfTool.py --publickey rootauthorizedsshkey.pub --private > id_rsa
and as a result we obtain a private key!
so it’s time to give permissions to this private key and log as root through ssh!
Obtaining Root Flag
After log in we can find the flag in
And we owned the machine!
There was so much to learn from this machine that at the same time was frustrating some terms that I didn’t understood well, although it was fun. Something new to me was how to transfer files through base64, and how you can get a private key from a public key! Also, the exploit development process was interesting and the usage of the library pwn and the reusable shellcode was interesting.