Created by n0decaf
Software used: nmap, gdb, netcat
As always, nmap first.
One HTTP server running on the standard port, an NFS server and one weird unknown service running on port 7411. Let's take a look at the HTTP server first.
Running dirbuster against the HTTP server gave the folder “jailuser” and the subfolder “dev”. In this folder a binary, a shell script and some C source code were found. The shell script compiled the source code and ran it as a service. The source code was the following:
Looking at the code, line 21 seems vulnerable to a buffer overflow since there are no bounds checks.
Checking the file type showed that the binary was compiled for a 32-bit machine.
Connecting to the service showed the userpass buffer location at 0xffffd610. This information leak was enough to write the following exploit using pwntools.
The exploit in Python. A padding of 28 characters was chosen and the EIP address was set to 0xffffd638. A NOP sled of 100 bytes ensures a reasonably large margin to hit. I tested a lot of different shellcodes that didn’t work, but after some help I was provided with a working one, which was a reuse-socket shellcode.
Running the exploit gave me a shell as the user “nobody”. Browsing around showed that a user called “frank” had the only user directory in /home.
Browsing around some more I found two interesting folders with interesting permissions in /var: /var/adm owned by the user adm and /var/nfsshare owned by frank. The nfsshare folder I remembered from looking at the NFS service. NFS is an old technology that in some situations has massive security flaws. Since the user frank on Jail is uid 1000, I can create a user on my workstation with the same uid, mount the share and write to the folder as frank. This creates an opportunity to upload a binary to /var/nfsshare and give that file setuid rights for all users (including “nobody”). This can potentially give any user the same rights as frank.
First I mounted the nfsshare folder to a local folder.
To retrieve the user flag I created a small program in C which set its effective uid to 1000 (frank) and then read and printed the user-flag file. I then compiled it with gcc user.c -o user.
Afterwards I created the user frank, which was automatically given a uid of 1000. I could then copy my program (user) to the mounted folder as frank. Furthermore I set the setuid bit with execute rights for all users so the user “nobody” could run the program as the user frank.
Running it gave me the user flag! But to go further we need to escalate from “nobody” to frank. One way is to write my SSH public key to /home/frank/.ssh/authorized_keys.
I wrote the above program in C and again uploaded it to /var/nfsshare, set permissions and executed it as “nobody”.
And then there were no problems SSHing directly to Jail as frank.
Checking for sudo rights for the user frank I saw that he is allowed to run rvim (a restricted version of Vim) as the user adm. I then remembered that the folder /var/adm was owned by adm. It could be interesting to use vim/rvim’s file browser to view the files in that folder.
Running sudo -u adm /usr/bin/rvim /var/www/html/jailuser/dev/jail.c and then using the built-in file browser with :e /var/adm/ gave me access to the folder as the user “adm”. In the folder I found the file keys.rar (password protected; saved by opening it and typing :w /tmp/keys.rar), the text file note.txt, and in the folder “.local” another text file called “.frank”.
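As an added, defender-side check (not part of the original writeup), this shell script flags the two settings that made the /var/nfsshare step work: exports that trust the uid sent by the client (no all_squash) and NFS mounts that honour setuid bits (no nosuid). The /etc/exports and /proc/mounts contents are constructed samples, and server.example is a placeholder hostname.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit the two NFS conditions that
# made the /var/nfsshare trick work. All sample inputs below are constructed.

# Constructed /etc/exports content (not Jail's real configuration).
SAMPLE_EXPORTS='/var/nfsshare 10.10.10.0/24(rw,sync,no_subtree_check)
/srv/backup *(rw,sync,all_squash,anonuid=65534,anongid=65534)
# comment line
/srv/ro 10.0.0.5(ro,sync,all_squash)'

# Print "path clientspec" for every export that trusts the client-supplied uid
# (no all_squash): a matching uid on another host is then enough to write as frank.
# Usage: audit_exports < /etc/exports
audit_exports() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | while read -r path clients; do
        ( set -f   # disable globbing so a '*' client spec is not expanded to filenames
          for spec in $clients; do
              case "$spec" in
                  *all_squash*) ;;                       # uids mapped to anonuid: safe
                  *) printf '%s %s\n' "$path" "$spec" ;;
              esac
          done )
    done
}

# Constructed /proc/mounts lines as seen on a client host.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
server.example:/var/nfsshare /mnt/share nfs4 rw,relatime,vers=4.2 0 0
server.example:/srv/backup /mnt/backup nfs rw,nosuid,nodev,relatime 0 0'

# Print every NFS mount point where setuid bits are honoured (mounted without
# nosuid), which is what let a setuid binary dropped on the share run as frank.
# Usage: audit_mounts < /proc/mounts
audit_mounts() {
    while read -r _src mnt fstype opts _rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        case ",$opts," in
            *,nosuid,*) ;;
            *) printf '%s\n' "$mnt" ;;
        esac
    done
}

# Wrappers over the constructed samples so the checks can be run stand-alone.
weak_exports() { printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports; }
suid_mounts()  { printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts; }

weak_exports
suid_mounts
```

Against real hosts, pipe /etc/exports into audit_exports on the server and /proc/mounts into audit_mounts on each client; an empty result from both means uid spoofing and setuid-via-share are both blocked.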
“note.txt” contained a short description.
In /var/adm/.keys/.local/ the file “.frank” was found. It contained what looked like a simple substitution cipher, which could be solved using quipqiup.com. So I ended up with the following sentence: “Hahaha! Nobody will quess my new password! Only a few lucky souls have Escaped from Alcatraz alive like I did!!”
Since I visited Alcatraz a couple of months ago, the first part of the password, “Morris”, was easy to guess. I could have brute-forced the rest, but a single guess got “Morris1962!”. Using that with unrar extracted a public RSA key.
Looking at the public key showed that it was pretty short and therefore could maybe be cracked using RsaCtfTool. That turned out to be true. So with RsaCtfTool I was able to derive the private key and use it to log in as root and grab the root flag. Finally!