Proteus writeup

*** Vulnhub Download ***

netdiscover and nmap


Submit binary file


Inject an XSS payload into the file


Getting the session cookie


Login as admin


RCE in the delete function and getting a reverse shell

The delete function takes the file name encoded in base64.

If we append a command after the file name and base64-encode the whole string, the application executes that command.
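For contrast, here is how such a delete handler should be written so that the decoded parameter can never reach a shell. This is an added example, not code from the Proteus application; the function names, the allow-list regex and the temporary upload directory used by `run_demo()` are my assumptions.

```python
import base64
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Allow only bare file names: no path separators, shell metacharacters or traversal.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def encode_param(name: str) -> str:
    """What a legitimate client sends: the file name, base64-encoded."""
    return base64.b64encode(name.encode()).decode()


def decode_filename(encoded: str) -> Optional[str]:
    """Decode the parameter and return a validated bare file name, or None."""
    try:
        name = base64.b64decode(encoded, validate=True).decode("ascii")
    except ValueError:  # invalid base64 alphabet/padding or non-ASCII bytes
        return None
    if not SAFE_NAME.fullmatch(name):
        return None
    return name


def delete_upload(encoded: str, upload_dir: Path) -> bool:
    """Remove one uploaded file; True if deleted, False if rejected or absent."""
    name = decode_filename(encoded)
    if name is None:
        return False
    target = (upload_dir / name).resolve()
    if target.parent != upload_dir.resolve():  # defence in depth: stay inside upload_dir
        return False
    try:
        os.remove(target)  # direct syscall, never a shell command line
    except FileNotFoundError:
        return False
    return True


def run_demo() -> dict:
    """Constructed end-to-end check inside a temporary upload directory (assumed)."""
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp)
        (upload_dir / "report.bin").write_bytes(b"constructed upload")
        return {
            "plain": delete_upload(encode_param("report.bin"), upload_dir),
            "injected": delete_upload(encode_param("report.bin;id"), upload_dir),
            "traversal": delete_upload(encode_param("../../etc/passwd"), upload_dir),
            "gone": delete_upload(encode_param("report.bin"), upload_dir),
        }
```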


Rooting

admin_login_logger has the SUID bit set.

Execute it:


Try with random input


OK, if we give a long string as input we can see that we change the output filename.


With a unique pattern we find that after 456 bytes we can overwrite the filename.

But what about the input? What input is written to the file?

We cannot read /var/log/proteus/log (where the binary originally writes), but we can download the binary and execute it locally to read what it writes.


HEY, this is our input!!

Well done!

Adding an arbitrary user with root uid to the /etc/passwd file

Generate a hash for the passwd file with (Python 2 one-liner):

python -c 'import crypt; print crypt.crypt("knx", "$6$saltsalt$")'

Then write the complete string into /etc/passwd, calculating the right length and offset:

darix:$6$saltsalt$T8n4VW3IjrcEMAoe/B6J8AggtIaT3./6bOcv0YSKpVdFZYzp74KbO3ZA.9.Rvuz6LI26TLtbn9Dku8KQzGGN9/:0:0:knx:/home/knx:/bin/bash


Finally the FLAG


ROOT alternative

  1. We could overwrite /etc/crontab and add a reverse shell job every minute, but this does not work because crontab is strict about its format and the binary adds non-printable characters at the beginning of the strings.
  2. We could try to write our public id_rsa into authorized_keys, but it fails because the length of the full path to authorized_keys exceeds the maximum length that the binary handles.
