Do you know what time it is??
It’s hacking time!!
Grab this ISO: https://www.vulnhub.com/entry/dpwwn-3,345/ and let’s get started.
Disclaimer
No walkthrough/solution was available as of 16 August 2019. No cheating intended.
Easy SSH access
After looking around, I was a little surprised that no TCP ports were open other than SSH. I tried to get something out of its SNMP service using snmpwalk.
When I tried SSH with the password john, it was successful!

john@dpwwn-03:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
Privilege Escalation
I went straight to sudo -l, and this is what I got:

john@dpwwn-03:~$ sudo -l
Matching Defaults entries for john on dpwwn-03:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User john may run the following commands on dpwwn-03:
    (root) NOPASSWD: /bin/sh /home/ss.sh
I opened that file: it launches a binary, which can therefore be run as root through sudo. I guess it’s time for the “smashing the stack” stuff.

john@dpwwn-03:~$ cat /home/ss.sh
#!/bin/sh
SHELL=/bin/bash
PATH='/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/home'
/home/./smashthestack &
john@dpwwn-03:~$ sudo /bin/sh /home/ss.sh
john@dpwwn-03:~$ Thank you for run this program
Welcome to Echo System
Check this system TCP port 3210

So if I pwn port 3210, the game is over.
OK, I don’t want to re-cover how buffer overflows work, but I’ll share some tips here:
- Get the PoC working on Kali Linux x86 first! I recommend using edb to debug the server
- You need to know that EIP could point to a JMP ESP, or directly to the stack
- On this machine, you have to brute-force the correct stack address.
But in any case, I know you might be lazy ;). This is my exploit script for that service: https://gist.github.com/habibiefaried/a7d4291fcd433a0ab6ff51611dcb4422
I even needed an additional 2 hours just to debug the correct ESP address on this machine.
[MUST READ] The spec of this script:
- Jumps directly into the stack, without any JMP ESP, etc.
- Adds a root user “habibie” with the password “handsome”
- If it doesn’t work on your machine, the stack address has probably changed. You need to research where the stack is….
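The tips above only work because the echo service was built with an executable stack and its stack address is predictable. As an added example from the defender’s side (my own code, not from the original post or the VM), this Python script reads an ELF binary’s PT_GNU_STACK program header to tell whether it was linked with an executable stack, and reads the host’s ASLR setting; the minimal ELF64 image it builds is constructed only so the parser can be tested offline.

```python
import struct

PT_GNU_STACK = 0x6474E551          # program header that records the requested stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits

def gnu_stack_executable(elf: bytes) -> bool:
    """True if the image asks for an executable stack (PT_GNU_STACK carrying PF_X)
    or has no PT_GNU_STACK header at all, which older toolchains treat as executable."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    found = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", elf, off)
        else:  # ELF32 stores p_flags after the size fields
            (p_type,) = struct.unpack_from(end + "I", elf, off)
            (p_flags,) = struct.unpack_from(end + "I", elf, off + 24)
        if p_type == PT_GNU_STACK:
            found = True
            if p_flags & PF_X:
                return True
    return not found

def aslr_enabled(path: str = "/proc/sys/kernel/randomize_va_space"):
    """Linux ASLR: 0 = off (stack addresses are predictable), 1 or 2 = on; None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip()) > 0
    except (OSError, ValueError):
        return None

def make_sample_elf64(stack_flags: int) -> bytes:
    """Constructed minimal ELF64 image (header plus one PT_GNU_STACK entry), for offline tests only."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)        # ELF64, little endian, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0)
    return hdr + phdr
```

To audit a real binary, call gnu_stack_executable(open(path, "rb").read()); a True result together with aslr_enabled() returning False is exactly the combination that makes a jump-to-stack payload reliable.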

And the flag

Thanks to the creator of this VM for this amazing experience!