# Hack The Box - Chainsaw

## Quick Summary

Hey guys, today Chainsaw retired and here’s my write-up about it. It was a great machine with vulnerable smart contracts and other fun stuff. I enjoyed it and I learned a lot while solving it. It’s a Linux box and its ip is 10.10.10.142, I added it to /etc/hosts as chainsaw.htb. Let’s jump right in !

## Nmap

As always we will start with nmap to scan for open ports and services:

We got ssh on port 22 and ftp on port 21.

## FTP

Anonymous authentication was allowed on the ftp server, so let’s check what’s in there:

WeaponizedPing.sol:

WeaponizedPing.json:

address.txt:

## WeaponizedPing: Analysis

WeaponizedPing is a smart contract. smart contracts are written in a language called solidity.

The contract has a variable called store which holds the value google.com by default:

There are two functions, getDomain() which returns the value of store:

And setDomain() which takes a string and changes the value of store from whatever it was to that string:

From the name of the contract (WeaponizedPing), I assumed that ping gets executed on store. We can control store by calling setDomain(), if the ping command doesn’t get filtered we’ll be able to inject commands and get RCE. However to do all of that we need to be able to interact with the contract in the first place.

## WeaponizedPing: Interaction

Assuming that the contract is deployed on a publicly exposed ethereum node, I ran a full nmap scan to find the port on which the server is running:

I found another open port (9810), I ran a service scan on that port:

It responded to HTTP requests which means that the JSON-RPC server is HTTP based.
There are a lot of ways to interact with ethereum smart contracts, I used web3 python library. (A great reference)
I imported Web3 and eth:

Then I created a new web3 connection to http://chainsaw.htb:9810 and saved it in a variable called w3:

To interact with the smart contract we need two things:

• The address of the contract: we got the address earlier from the ftp server (Note: that address changes everytime the box is reset).
• The ABI (Application Binary Interface) of the contract: We can get it from the contract source.

To get the ABI I used the solidity IDE to compile the contract then I clicked on “Details” and copied the ABI:

I saved it in a file (ABI.txt) then I executed echo -n on cat ABI.txt to make it a single line:

I saved the ABI and the address in variables:

Then I finally created the contract representation and saved it in the variable contract:

By using the functions property we can call any function that the contract has, let’s call the function getDomain():

Final test.py looks like this:

Let’s run it:

It’s working fine, let’s try to change the domain by using setDomain():

Note: When passing arguments to functions we have to use transact() instead of call(), to use transact() we need an account, that’s why I added this line:

test.py:

Great, now for the exploitation part.

## WeaponizedPing: Exploitation

Let’s try to inject commands in the domain name and see if it’ll work, I injected a curl command and I ran a python server on port 80:

test.py:

After a few seconds I got a request:

Based on these tests I wrote this small exploit:

I listened on port 1337 and ran the exploit:

And I got a shell immediately as a user called administrator:

## ipfs –> SSH as bobby –> User Flag

There were 2 users on the box, administrator and bobby:

administrator had no permission to access bobby‘s home directory:

In administrator‘s home directory I noticed a directory called .ipfs:

The InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data in a distributed file system. IPFS uses content-addressing to uniquely identify each file in a global namespace connecting all computing devices. -Wikipedia

Take a look at the cli documentation.
I used ip refs local to list the local references:

I used ipfs ls on every hash to list the contents, most of them were empty or useless except for this one which had some email messages:

We’re interested in bobby‘s file so I used ipfs get to get it:

The email had his encrypted ssh key as an attachment:

I copied it to my box:

I used ssh2john.py to get the hash of the key in john format then I used john with rockyou.txt to crack it:

Password: jackychain, let’s ssh into the box as bobby:

We owned user.

## ChainsawClub: Analysis

In bobby‘s home directory there was a directory called projects which had a project called ChainsawClub, Inside that directory there was another smart contract:

ChainsawClub.sol:

There was also a setuid elf executable called ChainsawClub:

Obviously we’ll use the smart contract to sign up, similar to what we did earlier we’ll write a python script to interact with the contract.
We’ll use:
setUsername() to set the username
setPassword() to set the password, it has to be md5 hashed as we saw:

setApprove() to change approve from false to true
transfer() to transfer coins to the user’s balance, it can’t transfer more than 1000 coins because that’s the value of totalSupply and we can’t transfer more than that:

Transferring coins is an important step because when I created a new user without transferring coins I could successfully login but it said that I didn’t have enough funds and exited.

## ChainsawClub: Exploitation

I used netstat to list the open ports, 63991 was open and listening on localhost only so I assumed that it’s the port on which the contract is deployed:

I got the ABI of the contract like I did before:

And we have the address of the contract in address.txt
I wrote the exploit and forwarded the port to my box:

The exploit is similar to the first one.
ChainsawClubExploit.py:

After authenticating I got a root shell:

However the root flag wasn’t there:

## Slack Space –> Root Flag

root.txt size is 52 bytes, the block size here is 4096 bytes which means that there are 4044 unused bytes (4096 - 52) which is called “slack space”. (Check this page, and this one).
Slack space can be used to hide data, which was the case here with the root flag. I used bmap:

And we owned root !
That’s it , Feedback is appreciated !