# Hack The Box - Frolic

## Quick Summary

Hey guys, today Frolic retired and here is my write-up about it. This box was more of a CTF challenge than a real world scenario, especially the user part, but it was nice because for root we will exploit a buffer overflow vulnerability. It's a Linux box and its IP is 10.10.10.111; I added it to /etc/hosts as frolic.htb. Let's jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services (note that the default-scripts flag is the capital `-sC`; nmap rejects a lowercase `-sc`):

```
nmap -sV -sT -sC frolic.htb
```

We got SSH on port 22, SMB on ports 139 and 445 (which is not a usual thing to see on a Linux box) and HTTP on port 9999. We will take a look at HTTP first.

## HTTP Initial Enumeration

By visiting port 9999 we get the welcome page of nginx, so we will use gobuster to enumerate subdirectories:

We got /admin, /backup, /dev and /test.
/backup:

/dev:

We got a 403 on /dev, so let's run gobuster again against /dev:

We got /backup and /test.
/dev/backup:

It points to /playsms, let's check that:

It asks for authentication; we will get back to it later when we find any credentials. So that was it for /dev.
/test:

It's just the phpinfo() page.
/admin:

On /admin there's an authentication form, and the title is "c'mon i m hackable" :D

## Hacking the “Hackable” form

Let's take a look at the source code:

We notice a script called login.js; maybe authentication is handled by that script.
login.js:

We got the username and the password: admin : superduperlooperpassword_lol

And after we log in we find … this:

## Ook!

After searching on Google for a long time I found out that this is an esoteric language called Ook!.
Read about Ook! here.
I used an online interpreter for Ook! on a website called dcode.fr.

Output:

/asdiSIAJJ0QWE9JAS:

Obviously it's base64, so I copied it and saved it in a txt file to decode it:

We got a weird output, so let's redirect the output into a file and check what kind of file that is:

It's a zip archive, let's unzip it:

Password protected. There's a tool called fcrackzip we can use to bruteforce the password with a wordlist (`-u` verifies candidates with unzip, `-D -p` takes the dictionary file):

```
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt file.zip
```

After extraction we get a file called index.php:

Hex encoded, let's decode it. I will use a website called CyberChef:

Base64 encoded output, let's decode one more time:

Another esoteric language. But this time it's a famous one, brainfuck. We will use dcode.fr again:

Output:
idkwhatispass

Let's try to log in to playsms as admin with this password:

And it worked.

## Exploiting Authenticated RCE and getting user

There are some known vulnerabilities for playsms; one of them is an Authenticated CSV File Upload Code Execution (CVE-2017-9101). There's also a Metasploit module for it.

The exploit worked and we have a meterpreter session now:

We owned user!

## Buffer Overflow in rop

In the home directory of the user ayush there's a directory called .binary, which has a binary called rop. We can verify that rop is SUID by using find:

```
find /home/ayush/.binary/ -perm -4000
```

Let's see what it is doing:

So it takes our input and just outputs it. Let's try giving it a long string:

We got a segmentation fault, so we have a buffer overflow. I will go through the exploitation without explaining everything because I have already written some posts about buffer overflows. You can check them here.
We are going to do a ret2libc attack; if you are unfamiliar with it, you can read my post about it here.
First of all, gdb is not installed on the box:

So I downloaded a static version of gdb from GitHub and uploaded it to the box through the meterpreter session:

```
upload gdb
```

Let's find the length of the buffer:

So the buffer overflows after 52 chars. Now we need to know the address of /bin/sh. I won't do it like I did before by loading the string into an environment variable; there's a better way. First we need to find the offset of /bin/sh inside libc, and we can use strings to get it (`-t x` prints each string's offset in hex):

```
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
```

Offset: 0x0015ba0b
Then we need the base address of libc, and we can use ldd to get it:

```
ldd rop
```

Address: 0xb7e19000
Then we add the two together to get the address of /bin/sh:
Address of /bin/sh: 0x0015ba0b + 0xb7e19000 = 0xb7f74a0b
Now we need the addresses of system() and exit():

Address of system(): 0xb7e53da0
Address of exit(): 0xb7e479d0
Our final exploit will be:

Let's upload and run it:

And we owned root!

That's it, feedback is appreciated!
Don't forget to read the previous write-ups, tweet about the write-up if you liked it, and follow me on Twitter @Ahm3d_H3sham
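The write-up never shows rop's source, so as an added example (my own code, not the box's binary or the author's exploit) here is the C pattern that produces exactly this failure next to a bounded version of it. The 52-byte buffer is taken from the offset found above and is a simplification; the real stack layout of rop is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Taken from the offset found above; the real buffer size and stack
   layout of rop are not shown in the write-up (assumption). */
#define BUF_LEN 52

/* Unsafe pattern: strcpy() keeps copying until it finds a NUL, so an
   argument longer than BUF_LEN overwrites the saved frame pointer and
   return address. In a setuid-root binary that means any local user
   chooses where root-privileged code returns. Shown for contrast only;
   nothing below calls it with oversized input. */
void echo_unsafe(const char *input) {
    char buf[BUF_LEN];
    strcpy(buf, input);
    printf("[+] Message sent: %s\n", buf);
}

/* Hardened form: look for the terminator within the destination size
   first, reject anything that does not fit (instead of silently
   truncating), then copy exactly that many bytes. 0 = ok, -1 = reject. */
int copy_bounded(char *dst, size_t dst_len, const char *input) {
    const char *end = memchr(input, '\0', dst_len); /* never scans past dst_len */
    if (end == NULL)
        return -1;              /* no NUL within dst_len: too long for dst */
    size_t n = (size_t)(end - input);
    memcpy(dst, input, n + 1);  /* includes the terminator */
    return 0;
}

/* The program's accept path with the bounded copy in place. */
int accept_message(const char *input) {
    char buf[BUF_LEN];
    if (copy_bounded(buf, sizeof buf, input) != 0)
        return -1;
    printf("[+] Message sent: %s\n", buf);
    return 0;
}

int main(int argc, char **argv) {
    const char *msg = argc > 1 ? argv[1] : "hello";
    if (accept_message(msg) != 0) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", BUF_LEN - 1);
        return 1;
    }
    return 0;
}
```

Even with the copy fixed, a binary like this has no business being setuid root; the bounds check removes the overflow, removing the SUID bit removes the privilege escalation.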