Hey guys this is my write-up about Dummy from Wizard Labs. If you don’t know them , They are a new penetration testing lab, They have 16 boxes so far and Dummy is their first box to retire. This lab is nice I definitely recommend checking it out. Dummy is a windows box and it was an easy one (Difficulty: 2/10). It had an http service which was vulnerable to a buffer overflow , and metasploit had a module for it so this box can be done easily through metasploit . I will show that, then we will take a look at the exploit and how it’s happening. The ip of the box is 10.1.1.13 so let’s jump right in.
As we always do we will start by scanning the box with nmap , so :
nmap -sV -sT -sC 10.1.1.13
We see a lot of open ports , most of the http ports are running Microsoft HTTPAPI, we will ignore that and look at other things. We also see that the box has smb which is an interesting thing to look at so let’s try smbmap
smbmap -H 10.1.1.13
And we immediately get Access Denied so smb is not helpful here.
On port 8000 there’s an http server and it’s not running Microsoft HTTPAPI , it’s running Icecast streaming media server. Let’s check that port
If we go to that port we get a 404 response which is odd. We can try bruteforcing directories with dirbuster but that won’t help too much.
By searching online we will find that an old version of icecast had a buffer overflow vulnerability which allowed for a remote code execution (RCE). And we also find a metasploit module . So let’s open metasploit and search for icecast modules.
search icecast we will find the module , and it’s an exploit from 2004.
And we got a meterpreter session. we can drop a shell by typing
shell then if we type
whoami we will find that we are already Administrator so no need for privilege escalation
Then we can grab the flags
So now we did the box , but let’s understand the exploit. basically it’s a buffer overflow vulnerability, it happens because that version of icecast only accepted a maximum of 32 headers in the HTTP request , so if a request had 32 headers this caused the return address of the vulnerable function to be overwritten with a pointer to the begining of the header number 32. this means that anything we add as the 32nd header will be executed
So if we make a request with 31 headers and add shellcode as the 32nd header we can get a reverse shell and that’s what metasploit is doing. But if we look at the source of the module :
There’s not much detail because it’s based on metasploit so luckily I found this refrence which had a poc c code.
By looking at this part of the code :
We can see how the exploit is working. It’s doing a GET request , adding 31 “a”s as headers , then the 32nd header is the shellcode.
If you want to know more about bufferOverFlows check out my other articles
That’s it , Feedback is appreciated !
Don’t forget to read the previous write-ups , Tweet about the write-up if you liked it , follow on twitter @Ahm3d_H3sham
Thanks for reading.
Next Wizard Labs Write-up : Wizard Labs - Devlife