[termit]

this is a hosting build?

[hijoxi6719]

I have been at it for hours at this point. I still can't understand why the fuck I am missing some file bytes at the end of LFI exploit.
Any thoughts?

---

can someone provide links to CVEs about this machine foothold?

There are two CVEs to be chained for foothold with this machine, the first one is CVE-2023–26326 (Writeup: https://medium.com/tenable-techblog/word...ecb5575ed8)
The second one is CVE-2024-2961, it even uses the previous one as a demonstration for the deserialization (Writeup: https://www.ambionics.io/blog/iconv-cve-2024-2961-p1, PoC: https://github.com/ambionics/cnext-exploits)

The exploit needs to be tweaked accordingly to work properly.

[local]

I'm in the docker, how do i get to escape

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching.

[QuackTheCode]

Quick question, how did you guys actually identify the command injection in the send_image function? Did you fuzz it or was there source code somewhere that you read?

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[breached_idn]

For those still stuck on the foothold
go check for iconv ambionics blogpost.
Don’t over complicate yourself. You need to retrieve 3 informations, /proc/self/maps (you should not have too much pain for this one) and the libc.so.6. But the headers of this one is broken so use the script mentionned before to fix the libc and the exploit will work perfectly fine

How about the zlib replacement? is there any workaround on it?

[QuackTheCode]

Quick question, how did you guys actually identify the command injection in the send_image function? Did you fuzz it or was there source code somewhere that you read?

WPScan

[i] Plugin(s) Identified:

[+] buddyforms
| Location: http://blog.bigbang.htb/wp-content/plugins/buddyforms/
| Last Updated: 2024-09-25T04:52:00.000Z
| [!] The version is out of date, the latest version is 2.8.13
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 2.7.7 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
|  - http://blog.bigbang.htb/wp-content/plugins/buddyforms/readme.txt

Which leads to https://medium.com/tenable-techblog/word...ecb5575ed8

Sorry, I meant in the last part regarding the app running on port 9090 with Smali files and all that stuff

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[fl00d777]

Hmm if i try with one of the libc.so.6 png files i am getting "ELFParseError: expected 8, found 5"
if i try with my own libc.so.6 it doesnt work (expected)...

I think you can try my way. Firstly, you need download libc.so.6 from box machine, then use my script to fix missing header, then use this libc to get shell.

import os
import shutil

def extract_libc(png_path, output_path, start_offset, total_size):
    """
    Extract libc.so.6 data from a PNG file.
    """
    with open(png_path, 'rb') as png_file:
        # Read the exact number of bytes for libc.so.6
        png_file.seek(start_offset)
        extracted_data = png_file.read(total_size)
   
    with open(output_path, 'wb') as output_file:
        output_file.write(extracted_data)
   
    print(f"Extracted libc.so.6 data to {output_path}")
    print(f"Extracted size: {len(extracted_data)} bytes")

def append_valid_section_headers(libc_path, reference_libc_path):
    """
    Append valid section headers from a reference libc.so.6 to the extracted file.
    """
    with open(reference_libc_path, 'rb') as ref_file:
        ref_file.seek(section_headers_offset)
        section_headers_data = ref_file.read(total_section_headers_size)
   
    with open(libc_path, 'ab') as libc_file:
        libc_file.write(section_headers_data)
   
    print(f"Appended section headers from reference libc.so.6.")

# Paths to files
png_file_path = '1-40.png'
reference_libc_path = 'libc.so.6'
output_libc_path = 'libc.so.7'

# Known offsets and sizes
elf_start_offset = 9  # ELF header start offset in 1-40.png
section_headers_offset = 0x1D7278  # Section headers offset in reference libc.so.6
total_section_headers_size = 60 * 64  # 60 section headers, each 64 bytes
total_size = section_headers_offset + total_section_headers_size - elf_start_offset  # Full size of libc.so.6

# Step 1: Extract the main ELF data from 1-40.png
extract_libc(
    png_path=png_file_path,
    output_path=output_libc_path,
    start_offset=elf_start_offset,
    total_size=total_size
)

# Step 2: Append section headers from the reference libc.so.6
append_valid_section_headers(
    libc_path=output_libc_path,
    reference_libc_path=reference_libc_path
)

print(f"Fixed libc.so.6 saved to: {output_libc_path}")

Thank you this was really very helpful! I was able to get the RCE to work with this!

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[robonick]

i just gained a foothold after suffering, how do i escape docker or laterally move to another host

---

i just gained a foothold after suffering, how do i escape docker or laterally move to another host

ah nvm, for tho who still struggle with how to get the user flag after getting a foothold, just read wp-config.php. there is credential for logging into the db and the host ip. so you need to port forward to that host, access the db, and crack the user hash in it, after that using the credential to logging into SSH.

[breached_idn]

Hmm if i try with one of the libc.so.6 png files i am getting "ELFParseError: expected 8, found 5"
if i try with my own libc.so.6 it doesnt work (expected)...

I think you can try my way. Firstly, you need download libc.so.6 from box machine, then use my script to fix missing header, then use this libc to get shell.

import os
import shutil

def extract_libc(png_path, output_path, start_offset, total_size):
    """
    Extract libc.so.6 data from a PNG file.
    """
    with open(png_path, 'rb') as png_file:
        # Read the exact number of bytes for libc.so.6
        png_file.seek(start_offset)
        extracted_data = png_file.read(total_size)
   
    with open(output_path, 'wb') as output_file:
        output_file.write(extracted_data)
   
    print(f"Extracted libc.so.6 data to {output_path}")
    print(f"Extracted size: {len(extracted_data)} bytes")

def append_valid_section_headers(libc_path, reference_libc_path):
    """
    Append valid section headers from a reference libc.so.6 to the extracted file.
    """
    with open(reference_libc_path, 'rb') as ref_file:
        ref_file.seek(section_headers_offset)
        section_headers_data = ref_file.read(total_section_headers_size)
   
    with open(libc_path, 'ab') as libc_file:
        libc_file.write(section_headers_data)
   
    print(f"Appended section headers from reference libc.so.6.")

# Paths to files
png_file_path = '1-40.png'
reference_libc_path = 'libc.so.6'
output_libc_path = 'libc.so.7'

# Known offsets and sizes
elf_start_offset = 9  # ELF header start offset in 1-40.png
section_headers_offset = 0x1D7278  # Section headers offset in reference libc.so.6
total_section_headers_size = 60 * 64  # 60 section headers, each 64 bytes
total_size = section_headers_offset + total_section_headers_size - elf_start_offset  # Full size of libc.so.6

# Step 1: Extract the main ELF data from 1-40.png
extract_libc(
    png_path=png_file_path,
    output_path=output_libc_path,
    start_offset=elf_start_offset,
    total_size=total_size
)

# Step 2: Append section headers from the reference libc.so.6
append_valid_section_headers(
    libc_path=output_libc_path,
    reference_libc_path=reference_libc_path
)

print(f"Fixed libc.so.6 saved to: {output_libc_path}")

Thank you this was really very helpful! I was able to get the RCE to work with this!

Did I understand this correctly?
we download the libc.so.6 (in form of .png) file from machine, located on : /lib/x86_64-linux-gnu/libc.so.6 using lfi for arbitrary read files

but the script also need reference_libc? what is this libc file?

[robonick]

Hmm if i try with one of the libc.so.6 png files i am getting "ELFParseError: expected 8, found 5"
if i try with my own libc.so.6 it doesnt work (expected)...

I think you can try my way. Firstly, you need download libc.so.6 from box machine, then use my script to fix missing header, then use this libc to get shell.

import os
import shutil

def extract_libc(png_path, output_path, start_offset, total_size):
    """
    Extract libc.so.6 data from a PNG file.
    """
    with open(png_path, 'rb') as png_file:
        # Read the exact number of bytes for libc.so.6
        png_file.seek(start_offset)
        extracted_data = png_file.read(total_size)
   
    with open(output_path, 'wb') as output_file:
        output_file.write(extracted_data)
   
    print(f"Extracted libc.so.6 data to {output_path}")
    print(f"Extracted size: {len(extracted_data)} bytes")

def append_valid_section_headers(libc_path, reference_libc_path):
    """
    Append valid section headers from a reference libc.so.6 to the extracted file.
    """
    with open(reference_libc_path, 'rb') as ref_file:
        ref_file.seek(section_headers_offset)
        section_headers_data = ref_file.read(total_section_headers_size)
   
    with open(libc_path, 'ab') as libc_file:
        libc_file.write(section_headers_data)
   
    print(f"Appended section headers from reference libc.so.6.")

# Paths to files
png_file_path = '1-40.png'
reference_libc_path = 'libc.so.6'
output_libc_path = 'libc.so.7'

# Known offsets and sizes
elf_start_offset = 9  # ELF header start offset in 1-40.png
section_headers_offset = 0x1D7278  # Section headers offset in reference libc.so.6
total_section_headers_size = 60 * 64  # 60 section headers, each 64 bytes
total_size = section_headers_offset + total_section_headers_size - elf_start_offset  # Full size of libc.so.6

# Step 1: Extract the main ELF data from 1-40.png
extract_libc(
    png_path=png_file_path,
    output_path=output_libc_path,
    start_offset=elf_start_offset,
    total_size=total_size
)

# Step 2: Append section headers from the reference libc.so.6
append_valid_section_headers(
    libc_path=output_libc_path,
    reference_libc_path=reference_libc_path
)

print(f"Fixed libc.so.6 saved to: {output_libc_path}")

Thank you this was really very helpful! I was able to get the RCE to work with this!

Did I understand this correctly?
we download the libc.so.6 (in form of .png) file from machine, located on : /lib/x86_64-linux-gnu/libc.so.6 using lfi for arbitrary read files

but the script also need reference_libc? what is this libc file?

yes the .png (which include libc.so.6 inside) is download via arbitrary file read and the reference_libc is actually the valid libc.so.6 on your own machine also locate at  /lib/x86_64-linux-gnu/libc.so.6, just copy it to your current working directory and then run the script where the .png file exist there too.