DeathStar : VulnHub Walkthrough

Vinit Patil

DeathStar is a VM designed by . This machine is the latest addition on VulnHub. I have jotted down this walkthrough as I went along, using my normal approach with this machine, so that it is easily understandable for beginners. I would say this machine is more towards the advanced level: your knowledge of the usual recon is tested, along with your understanding of binaries and buffer overflows. It also helps if you are a Star Wars fan.

I used VMware Workstation version 15.0 on my Windows 10 system, and my attacker system is Kali Linux version 2020.1.

So first, to find the IP of the target system, I started with netdiscover.

netdiscover -r used to look up the IP (192.168.44.133)

Then let's go ahead with the next phase, which is port scanning. The basic thing for anyone to do here is Nmap... but as I said in the beginning, this is not a machine that falls to normal recon, so my regular approach mostly failed. :-(

Ports appeared filtered, suggesting a firewall on the machine.

Based on this failure I thought there might be something on the host blocking the Nmap probes. I tried random scans, fragmented packets and other techniques for getting past a firewall. What I actually got a result for was UDP... luckily!

What I did was run tcpdump with the command:

tcpdump -i eth0 host 192.168.44.133

What was strange here was that there was activity from random UDP ports.

Random UDP ports sending responses.

So, as the UDP ports are broadcasting something, let's have a further look.

tcpdump result exported to a pcap file

Checking this file further in Wireshark.

Intercepted traffic data in the stream

Access Code found.

On further observation of the pcap file, the UDP ports turned out to broadcast data every 60 seconds. So I tweaked a script available online to do the same thing, using the access code found above, and ran tcpdump alongside it.

Python script for intercepting via the access code

pcap exported from tcpdump, which logged the traffic generated by the Python script

I opened this pcap file in Wireshark, clicked on the Conversations tab, followed the UDP stream, selected only the response side of the stream and saved the ASCII data to a file. The data appeared to be base64.

UDP data stream captured and saved to ASCII

This file was named streamed.txt and was then decoded. The result turned out to be an image file.

File decoding

File type found: jpg
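Decoding the saved stream and checking its magic bytes is the same step as the base64 decode and `file` run shown in the screenshots. The script below is an added example, not the author's: it strips the line wrapping a Wireshark ASCII export leaves behind, decodes the base64 and labels the result from its leading bytes, and it keeps going when a stream is not base64 at all. The JPEG-shaped payload in it is constructed inline for the example and is not the StreamAct image.

```python
import base64
import binascii

# Magic-byte table for the carve step. This is an assumed, minimal list
# for the example; real carvers (or `file`) know many more signatures.
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
]


def decode_stream_text(text: str) -> bytes:
    """Turn the ASCII export of a UDP stream back into raw bytes.

    Line wrapping, CRLF endings and trailing blanks are normal in a saved
    stream, so all whitespace is dropped first. Missing '=' padding is
    tolerated by re-padding to a multiple of four; anything outside the
    base64 alphabet still raises, so junk is not silently decoded.
    """
    compact = "".join(text.split())
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact, validate=True)


def identify(data: bytes) -> str:
    """Label the payload from its leading magic bytes ('unknown' if none match)."""
    for signature, label in MAGIC:
        if data.startswith(signature):
            return label
    return "unknown"


def carve(text: str):
    """Decode one saved stream and return (label, size_in_bytes).

    A stream that is not valid base64 yields ('not-base64', 0) instead of
    raising, so a loop over many exported streams keeps going.
    """
    try:
        data = decode_stream_text(text)
    except (binascii.Error, ValueError):
        return ("not-base64", 0)
    return (identify(data), len(data))


# Constructed sample input: a minimal JFIF header, filler and the JPEG end
# marker, base64-encoded and wrapped at 76 columns with CRLF line endings,
# the shape an exported streamed.txt typically has. Not data from the VM.
SAMPLE_BYTES = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 100
    + b"\xff\xd9"
)
_encoded = base64.b64encode(SAMPLE_BYTES).decode()
SAMPLE_STREAM = "".join(_encoded[i:i + 76] + "\r\n" for i in range(0, len(_encoded), 76))

if __name__ == "__main__":
    label, size = carve(SAMPLE_STREAM)
    print(f"payload looks like: {label} ({size} bytes)")
    # Same effect as `base64 -d streamed.txt > streamed.bin`
    with open("streamed.bin", "wb") as out:
        out.write(decode_stream_text(SAMPLE_STREAM))
```

To use it on a real export, read streamed.txt into a string and pass it to `carve`; the magic check is only a first triage, so confirm the type with `file` on the written bytes before opening anything.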

StreamAct jpg file, with a code to unlock as a hint.

So I tried sending this code back to the target, including to a few random ports, but got no result. Then I had a hunch that steganography was being employed and tried a few things until I got the hidden message.

steghide used to extract the message

Code Hint

After this hint I sent the code, split into groups of three, to the ports used previously as well as to the mentioned port 10110, but didn't get a response and port 10110 remained filtered. Googling led me to port knocking, where you have to "knock" on a sequence of ports in order to unlock a port in the firewall. Splitting the unlock code into groups of three, the sequence of ports to knock on would be 197, 719, 801 and 983. Going forward with that, I found the port to be open.

knock installed and then used to knock on the ports of the target machine.

Port 10110 opened and found to be running SSH.
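Both things the capture gave away, the UDP beacon every 60 seconds and, later, the knock sequence that opens 10110, are visible to anyone reading the traffic, including the network's defenders. The script below is an added example and is neither the author's tweaked script nor `knock`: it parses tcpdump's default text output, measures the median interval of one host's UDP traffic (the beacon cadence) and tracks per-source SYN sequences against a configured knock list the way a knock daemon does, resetting on any out-of-order port so a linear port scan does not count. The capture lines are constructed for the example; only the port sequence 197, 719, 801, 983 comes from the page.

```python
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional

# tcpdump default line format (needs -n so addresses are numeric), e.g.
#   12:00:00.000000 IP 192.168.44.133.40211 > 192.168.44.128.9001: UDP, length 96
#   12:03:30.000000 IP 192.168.44.128.51000 > 192.168.44.133.197: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{1,6}) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$"
)

KNOCK_SEQUENCE = [197, 719, 801, 983]   # unlock code from the hint, split in threes
TARGET = "192.168.44.133"


@dataclass
class Packet:
    ts: float      # seconds since midnight, tcpdump's default timestamp
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "UDP", "TCP" or "OTHER"


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None   # ARP, IPv6, truncated lines etc. are skipped
    h, mi, s, frac, src, sport, dst, dport, rest = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac.ljust(6, "0")) / 1e6
    if rest.startswith("UDP"):
        proto = "UDP"
    elif rest.startswith("Flags"):
        proto = "TCP"
    else:
        proto = "OTHER"
    return Packet(ts, src, int(sport), dst, int(dport), proto)


def parse_log(lines) -> List[Packet]:
    return [p for p in map(parse_line, lines) if p is not None]


def beacon_period(packets, src, dst, proto="UDP") -> Optional[float]:
    """Median gap between src->dst packets, or None with fewer than three.

    Source ports are ignored on purpose: each beacon left a fresh ephemeral
    port, so keying on the port would hide the cadence.
    """
    times = sorted(p.ts for p in packets if p.src == src and p.dst == dst and p.proto == proto)
    if len(times) < 3:
        return None
    return statistics.median([b - a for a, b in zip(times, times[1:])])


def completed_knocks(packets, target, sequence, window=10.0) -> Dict[str, float]:
    """Return {source: time_of_last_knock} for sources that SYN'd `sequence` in order.

    `window` (assumed 10 s) is the maximum gap between consecutive knocks.
    Any SYN to a port outside the expected next one resets progress, which is
    what stops a sequential scan (196, 197, 198, ...) from completing it.
    """
    progress: Dict[str, tuple] = {}
    done: Dict[str, float] = {}
    for p in sorted(packets, key=lambda q: q.ts):
        if p.dst != target or p.proto != "TCP":
            continue
        idx, last_ts = progress.get(p.src, (0, None))
        if last_ts is not None and p.ts - last_ts > window:
            idx = 0                                      # too slow: start over
        if p.dport == sequence[idx]:
            idx += 1
        else:
            idx = 1 if p.dport == sequence[0] else 0     # wrong port resets
        if idx == len(sequence):
            done[p.src] = p.ts
            idx = 0
        progress[p.src] = (idx, p.ts)
    return done


# Constructed capture (not the author's pcap): four UDP beacons from the VM a
# minute apart, a linear scan from a third host, the knock and the SSH SYN.
SAMPLE_LOG = """\
12:00:00.000000 IP 192.168.44.133.40211 > 192.168.44.128.9001: UDP, length 96
12:00:30.000000 ARP, Request who-has 192.168.44.133 tell 192.168.44.128, length 28
12:01:00.000000 IP 192.168.44.133.53877 > 192.168.44.128.9001: UDP, length 96
12:02:00.000000 IP 192.168.44.133.47002 > 192.168.44.128.9001: UDP, length 96
12:03:00.000000 IP 192.168.44.133.59310 > 192.168.44.128.9001: UDP, length 96
12:03:10.000000 IP 192.168.44.150.60000 > 192.168.44.133.196: Flags [S], seq 1, win 1024, length 0
12:03:10.000100 IP 192.168.44.150.60001 > 192.168.44.133.197: Flags [S], seq 1, win 1024, length 0
12:03:10.000200 IP 192.168.44.150.60002 > 192.168.44.133.198: Flags [S], seq 1, win 1024, length 0
12:03:10.000300 IP 192.168.44.150.60003 > 192.168.44.133.199: Flags [S], seq 1, win 1024, length 0
12:03:30.000000 IP 192.168.44.128.51000 > 192.168.44.133.197: Flags [S], seq 1, win 64240, length 0
12:03:30.000100 IP 192.168.44.133.197 > 192.168.44.128.51000: Flags [R.], seq 0, ack 2, win 0, length 0
12:03:31.000000 IP 192.168.44.128.51001 > 192.168.44.133.719: Flags [S], seq 1, win 64240, length 0
12:03:32.000000 IP 192.168.44.128.51002 > 192.168.44.133.801: Flags [S], seq 1, win 64240, length 0
12:03:33.000000 IP 192.168.44.128.51003 > 192.168.44.133.983: Flags [S], seq 1, win 64240, length 0
12:03:35.000000 IP 192.168.44.128.51004 > 192.168.44.133.10110: Flags [S], seq 1, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print("beacon period:", beacon_period(pkts, TARGET, "192.168.44.128"), "s")
    print("completed knock sequences:", completed_knocks(pkts, TARGET, KNOCK_SEQUENCE))
```

Against a live interface, `tcpdump -n -l host <target>` piped into `parse_log` gives the same view; without `-n` tcpdump prints hostnames and the regex skips those lines. The knock being visible in plain text like this is the usual caveat about port knocking: it hides a service from casual scanning, but anyone on the path sees the sequence, so it is an obscurity layer on top of authentication, not a replacement for it.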

So we go further and try SSH. But the access we find is for a normal user named erso, so we have to disconnect and try that user. Here, the catch is that there is a hint for the password: "My wife's first name plus the year (BBY) she died."

So let's search for this guy: Galen Walton Erso, who turns out to be a Star Wars character. Let's go ahead and search for his wife, and voilà! Her name is Lyra and she died in 13 BBY. So I guess the password is: lyra13

So, going ahead with the SSH login.

Found warning.txt, which displays a challenge to go further with the exploitation.

To go further, let's use the find command to look for any SUID files.

ls -lart in initial attempts
find for SUID files
A suspicious entry: dartVader

Checking the file.

File access

Message found

Translating the message

It was a troll, but probably not completely useless.

It actually hinted that there might be something in this file. So we go ahead and download it via SCP to our local system with:

scp -P 10110 -q erso@192.168.44.133:/bin/dartVader /root

After downloading, we go ahead and examine this file.

The file is found to be an ELF binary, which has to be checked in gdb. After disassembling the file, I made the following observations:

It is a small application which checks for a command-line argument. If none is given it displays the message; otherwise it skips the message.

Then it does a strcpy with the command-line argument as input, pointing to a buffer overflow. But let's move ahead.

We go ahead and install the scanelf utility to check what protections the binary was built with.

Non-executable stack found.

This made things a bit grumpy. I was almost frustrated enough to stop, but somehow decided to keep going.

So I went on tinkering in my SSH session to find out if I could find something.

Checking kernel settings
Address space layout randomization enabled.
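The two checks made here, scanelf for the stack flag and then the kernel's randomize_va_space setting, can be reproduced without the screenshots. The script below is an added example and not the author's or the Reddit thread's code: it reads the PT_GNU_STACK program header straight from the ELF bytes (the marking that `scanelf -e` reports) for both 32- and 64-bit little-endian images, and translates the value of /proc/sys/kernel/randomize_va_space. The two images it builds (build_elf64 and build_elf32) are bare headers constructed for the test, not binaries from the VM.

```python
import struct
from typing import List, Optional, Tuple

PT_GNU_STACK = 0x6474E551          # program header that records the stack permission
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

# Meaning of /proc/sys/kernel/randomize_va_space, per the kernel documentation.
ASLR_LEVELS = {
    0: "off: no randomization",
    1: "stack, mmap base (shared libraries) and VDSO randomized; brk heap fixed",
    2: "full: level 1 plus brk heap randomization",
}


def program_headers(elf: bytes) -> List[Tuple[int, int]]:
    """Return (p_type, p_flags) for each program header of a little-endian ELF32/ELF64 image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    if ei_data != 1:
        raise ValueError("only little-endian images are handled in this example")
    if ei_class == 2:                                      # ELFCLASS64
        (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
        flags_offset = 4                                   # Elf64_Phdr: p_flags follows p_type
    elif ei_class == 1:                                    # ELFCLASS32
        (e_phoff,) = struct.unpack_from("<I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x2A)
        flags_offset = 24                                  # Elf32_Phdr: p_flags follows p_memsz
    else:
        raise ValueError("bad EI_CLASS")
    headers = []
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", elf, base)
        (p_flags,) = struct.unpack_from("<I", elf, base + flags_offset)
        headers.append((p_type, p_flags))
    return headers


def stack_is_executable(elf: bytes) -> Optional[bool]:
    """True/False from PT_GNU_STACK; None when the marker is absent.

    Without the marker the loader applies its per-architecture default,
    which on x86 has historically meant an executable stack.
    """
    for p_type, p_flags in program_headers(elf):
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def aslr_level(proc_text: str) -> str:
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    return ASLR_LEVELS.get(int(proc_text.strip()), "unknown value")


def build_elf64(stack_flags: int) -> bytes:
    """Constructed test image: ELF64 header plus one PT_GNU_STACK entry (headers only)."""
    ident = b"\x7fELF" + bytes([2, 1, 1])                  # 64-bit, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def build_elf32(stack_flags: int) -> bytes:
    """Same for ELF32, where p_flags sits at a different offset."""
    ident = b"\x7fELF" + bytes([1, 1, 1])
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0x8048000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_elf64(PF_R | PF_W)
    verdict = {True: "executable", False: "non-executable", None: "no PT_GNU_STACK marker"}
    print("stack:", verdict[stack_is_executable(image)])
    try:
        with open("/proc/sys/kernel/randomize_va_space") as fh:
            print("ASLR:", aslr_level(fh.read()))
    except OSError:
        print("ASLR: /proc not available on this host")
```

Run it with a path to a binary on a Linux host to see both answers for that file and system. Read together, the two results explain the rest of the page: a non-executable stack only blocks code placed on the stack, not a return into libc, and library addresses that repeat often enough to be retried are a sign of low-entropy randomization; the hardening that actually closes that gap is a PIE build on a 64-bit system, where the randomized range is far larger.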

So I came across the term ASLR. Luckily, on Reddit 0x1ceb00da1 provided worthwhile information on ASLR and binary exploitation.

References:

1. RET 2 ROP

2. return-to-libc

3. Scripts to exploit offset and address instructions.

So first, find the offset, that is, the number of bytes we have to fill before overwriting the instruction pointer. There are a lot of scripts for this in Metasploit.

Script for loading instructions and verification

Next is finding the memory address of the libc library. This can be done by running ldd on our application. We observe that the address changes, but not by much, and sometimes the same memory addresses are even reused, so brute force is possible. We also need the locations of exit, system and the /bin/sh string inside libc.

glibc private
libc start address

Offset values

Tail and match offset

Then I moved ahead with the script I got from Reddit.

Exploit for brute-forcing ASLR

So I copy this via SCP over to the machine.

Upload via SCP

And finally, root on the 208th attempt!!!

Conclusion:

This is a really tough machine compared to most of the conventional ones on VulnHub. It is wrongly marked as intermediate, when it is actually hard. But nonetheless, mission accomplished.