Vulnhub Netstart: 1 Walkthrough

by Vince
in Blog
Hits: 2215

The description states:  "This is a Linux box, running a WINE Application vulnerable to Buffer Overflow, escalation is pretty simple."

As stated, this is an easy buffer overflow problem assuming you understand the process.  If you want a more detailed walkthrough using a different box, my post on Brainpan, goes into greater detail for each step.

A brief overview of what we're doing:

We fuzz to get an approximate number of bytes.
We're using pattern_create.rb to generate a unique string which is slightly longer than the approximate number of bytes.
We're using pattern_offset.rb to determine the exact byte count once we identify the EIP value.
We determine which are the bad characters.
We find the appropriate module using Mona Modules.
We find the location of JMP ESP.
We generate our exploit shell code.
We get shellz!

We kick off with Nmap:



Given that we need the executable, FTP is going to be the obvious starting point.


After we download the files, we take a look to see what this executable does:



Moving the executable and dll over to our working machine, we fire up Immunity:



We create a simple fuzzing script:



We start our fuzzing script:



After what appears to be approximately 1800 bytes, we crash:



Using pattern_create, we get our unique string and add modify our script:



We execute and we find our EIP value:



With pattern_offset, we find that we're crashing at 1702 byes:



We go through the process of eliminating bad characters and we remove: 

x00, x2d, x2e, x46, x47, x59, x5e, x60

Modifying our script:



We run our script again and launch Mona Modules:


 
We find our module without protection:



We search for JMP ESP:



We get our value:



We generate our shell code removing the bad characters:



The output:



We modify our script:



With our handler setup:



We catch our shell.

Now we modify our shell script for the target which is Linux:



We get setup in Metasploit and we set an autorun script for auto-migrate:



We execute our script and we catch our shell:



After cleaning up the environment, we check our sudo privileges:



We learn that we can run systemctl as root with no password.  We execute the sudo command:



We break out into a shell and we're root.

One last thing to do:



I'm always a fan of a buffer overflow problem.  Good practice for anyone taking the OSCP course.