suid

Kioptrix 4

25 minute read Feb 12, 2012 Comments

I know there are a few different methods to the new Kioptrix 4 boot2root. Unfortunately, I could not find the remote root exploit that is mentioned, but my method used several tools, and privilege escalation. Tools used: Backtrack 5 VM Nmap SqlMap To start out, I had to find the machine on the network. I booted up my Backtrack VM and Kioptrix VM both using a NAT connection in my VMWare.

Read more wargames linux kioptrix suid hacking

Exploit Exercises - Protostar Stack 7

5 minute read Jan 9, 2012 Comments

Welcome everyone to 2012! I took a bit of a break during these holidays, and am just starting to get back going. This challenge was very interesting to me. I figured it would build off of the previous one. However, it was its own standalone challenge. We are given the following code to the stack7 executable: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> char *getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xb0000000) == 0xb0000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); return strdup(buffer); } int main(int argc, char **argv) { getpath(); } From tinkering with the stack7 executable, I knew I was going to do a stack overflow, and somehow needed to execute code from the stack.

Read more ret2text wargames Protostar linux exploit-exercises suid hacking

Exploit Exercises - Protostar Stack 6

7 minute read Dec 22, 2011 Comments

The Stack6 challenge was definitely a learning experience for me. This actually went beyond my existing skills, and made me learn some new stuff. We are given the following code. #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); } int main(int argc, char **argv) { getpath(); } The first thing I tried to do, was to set it up just like I did on Stack 5.

Read more wargames Protostar linux exploit-exercises suid rop hacking ret2libc

Exploit Exercises - Protostar Stack 5

5 minute read Dec 17, 2011 Comments

Wow, this challenge was a tough one for me. I ran into some huge problems that I had to work out. Considering this is a “standard buffer overflow”, I figured it’d be as easy as some of the others I’ve done in the past. I’ll explain my frustrations inline. First, we’re given the following vulnerable program. #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char buffer[64]; gets(buffer); } The first task with this challenge was to find the offset of the EIP.

Read more wargames Protostar linux exploit-exercises suid hacking

Exploit Exercises - Nebula 09

4 minute read Dec 10, 2011 Comments

Challenge 09 gave me the most issues out of any other challenge so far. This may just be because I haven’t touched PHP since version 3 was just coming out. However, it is based on a dangerous function, known as preg_replace(). There are several more dangerous functions, some of which can be seen here. The challenge starts by giving us the source code of the program we will be exploiting.

Read more Nebula wargames linux exploit-exercises suid injection hacking

Exploit Exercises - Nebula 07

3 minute read Dec 8, 2011 Comments

This next challenge is a little bit more tricky than some of the previous ones. There’s a lot more code involved, but it’s not too bad. In the flag07 home directory, you’ll find the configuration for a simple http server, thttpd.conf. Inside, you’ll find that it’s running an HTTP server on port 7007 as the flag07 user. This is where the perl script that is provided comes in. #!/usr/bin/perl use CGI qw{param}; print "Content-type: text/html\n\n"; sub ping { $host = $_[0]; print("<html><head><title>Ping results</title></head><body><pre>"); @output = `ping -c 3 $host 2>&1`; foreach $line (@output) { print "$line"; } print("</pre></body></html>"); } # check if Host set.

Read more Nebula wargames linux exploit-exercises suid hacking

Exploit Exercises - Nebula 03

2 minute read Dec 4, 2011 Comments

In this challenge, we can see that there’s no code for us to exploit, it’s something in the system. I log in to the system, and look in the /home/flag03 folder, as all the other challenges have started. I see there’s a writable.sh script, which I was guessing was the script getting called on a crontab every couple minutes. It contained: #!/bin/sh for i in /home/flag03/writable.d/* ; do (ulimit -t 5; bash -x "$i") rm -f "$i" done So this script looks like it will execute anything in the writable.

Read more Nebula wargames linux exploit-exercises suid hacking

Exploit Exercises - Nebula 00

2 minute read Dec 1, 2011 Comments

Recently, I’ve been getting more and more back into computer security, one of my favorite topics. Part of this is research, and part is more practical, such as wargames or labs. One newer wargame that I’ve been playing is called “Nebula”, from the guys over at Exploit-Exercises. If you’re interested in security, please check out their site, as well as many other wargames. If this goes successfully, perhaps I’ll start going through my notes of otherwargames, publishing them as well.