# Hack The Box - Safe

## Quick Summary

Hey guys, today Safe retired and here’s my write-up about it. It’s a relatively easy machine with a binary exploitation challenge to get an initial shell, then for privilege escalation you have to crack a KeePass database to get root’s password and read the flag. It’s a Linux box and its ip is 10.10.10.147, I added it to /etc/hosts as safe.htb. Let’s jump right in !

## Nmap

As always we will start with nmap to scan for open ports and services:

We got http on port 80 and ssh on port 22. Let’s check the web service.

## Web Enumeration

By going to http://safe.htb we see the default apache index page:

This is one of the most annoying parts about this box because at this point anyone would start enumerating sub directories, vhosts, other ports etc… and they won’t find anything, because the thing you’re looking for is in a comment in the default apache page:

It’s saying that a program called myapp can be downloaded from there, so I downloaded it:

Let’s start analyzing it.

## myapp: Analysis

The program simply asks for a string then it prints it back:

The comment said that the program is running on port 1337, let’s verify that:

Giving it a long string makes it crash so we have a buffer overflow:

checksec shows that NX is enabled so won’t be able to execute shellcode, we also won’t be able to do ret2libc because we don’t have libc so we need to find another way to exploit the binary:

## myapp: Exploitation

### Exploitation: Finding the Offset

I used a pattern to locate the offset:

Offset is 120 bytes which means that after 120 bytes we can overwrite rip.

### Exploitation: ROP Chain

By checking the functions we will notice a function called test:

From the disassembly we can easily figure out what test() is doing:

Simply what will happen when we call this function is that whatever is present in rbp will end up in rdi:

Then there’s a jump instruction that jumps to the address that the register r13 holds:

To be benefit from this function we need to be able to control r13 and rbp, by controlling r13 we can make the program jump to any function of our choice (in this case we need system()), and by controlling rbp we control the parameter (in this case /bin/sh) that will be passed to that function (because it will end up in rdi and the function will take its parameter from rdi)
rbp:
We found the offset which was 120 bytes, after that we can overwrite rip, but 8 bytes before that we can overwrite rbp,
r13:
By looking at the rop gadgets we’ll see a gadget that pops r13, r14, r15 then returns:

We can use that gadget to put the address of system() in r13 then we can put anything in r14 and r15
Now we have all the pieces, let’s write the exploit.
First thing is to load the binary in the script and load the rop gadgets:

We need the addresses for pop r13, r14, r15, ret gadget, test() and system() so let’s get them:

Then we can construct the payload which will be: 112 A’s to reach rbp + /bin/bash\x00 (will be put in rbp) + pop r13, r14, r15, ret + system() (will be put in r13) + 16 A’s (to fill r14 and r15) + test():

Finally we can connect and send the payload:

exploit.py:

We owned user.

## Cracking the KeePass Database –> Root Shell

After getting a shell we can echo our public key to /home/user/.ssh/authorized_keys and get ssh:

In the home directory of the user there was a keepass database and 6 images, one of them is the key:

I downloaded the database and the images using scp:

Similar to what we did in BigHead we’ll use an image as a key and use keepass2john then crack the database. The only difference is that we’ll need to try 6 images to find the right one.
After some attempts, the right image was IMG_0547.JPG and instead of using full rockyou.txt I used rockyou-70.txt and it had the password (bullshit):

Let’s open the database:

Root’s password was there so I copied it then I used it to su:

And we owned root !
That’s it , Feedback is appreciated !