Friday, March 2, 2018

IrfanView 4.50 Email PlugIn - Buffer Overflow (SEH Unicode)


  02-07-18: emailed author
  02-12-18: response; requested poc
  02-13-18: provided poc 
  02-27-18: newer version of code released
  02-28-18: poc released

pop calc


IrfanView 4.44 Email PlugIn - Buffer Overflow (SEH)


  02-07-18: emailed author
  02-12-18: response, not concerned with previous versions of code
  02-13-18: provided poc anyway
  02-27-18: newer version of code released
  02-28-18: poc released

pop calc


Sunday, October 29, 2017

Vulnhub Walkthrough: BTRSys v2.1


uid=0(root) gid=0(root) groups=0(root)

Initial nmap reveals open ports on 21, 22, and 80

Nothing special on web page or in the source

robots.txt reveals a wordpress instance

A crude WordPress install, and nothing special turns up after some enumeration

Throwing it at wpscan reveals an older version with lots of vulns, but I suspect it's a ruse

Enumerating users we find btrisk and admin

Brute forcing admin using wpscan reveals that the password is admin as well

We're able to login to wordpress

First thing is to get our PHP reverse shell into footer.php, and haha! Someone already left one in the style.css page. Not sure if this was intentional or not...

After prepping netcat, we pull up the WordPress instance, get our reverse shell back, and confirm the username btrisk

Couldn't find much on enumeration, so I grab the MySQL root password from wp-config.php

Next we dump the WordPress database using mysql one-liners, revealing usernames and password hashes

We throw the hash for btrisk at findmyhash and a password is revealed
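The hash lookup above works because findmyhash can only match unsalted hashes that somebody has already uploaded to an online lookup service. As an added example (not code from the write-up or from the VM), here is the same check done offline for both formats a wp_users.user_pass column can hold: legacy 32-hex MD5, and the salted, iterated phpass "$P$" hash that current WordPress writes. The sample rows and wordlist are constructed; the phpass row is the phpass project's published test vector for "test12345", not a BTRSys value.

```python
"""Offline cracking of WordPress password hashes against a small wordlist.

Added example, not code from the original write-up. Handles the two formats
WordPress accepts:
  - 32 hex chars: legacy unsalted MD5 (WordPress still verifies these and
    rehashes them on the next successful login), and
  - "$P$" / "$H$": the salted, iterated phpass "portable" hash.
Sample rows and wordlist below are constructed.
"""
import hashlib
import re

# phpass's own base64-style alphabet (not the RFC one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64(): 3 bytes -> 4 chars, little-endian, no padding."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute a phpass portable hash from its 12-char prefix
    ($P$ + one char giving log2(iterations) + 8-char salt) and a candidate."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("truncated salt")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):          # WordPress uses 'B' = 2**13 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def identify(hash_value: str) -> str:
    """Classify a wp_users.user_pass value."""
    if hash_value.startswith(("$P$", "$H$")) and len(hash_value) == 34:
        return "phpass"
    if re.fullmatch(r"[0-9a-f]{32}", hash_value):
        return "md5"
    return "unknown"


def check(password: str, hash_value: str) -> bool:
    kind = identify(hash_value)
    if kind == "md5":
        return hashlib.md5(password.encode()).hexdigest() == hash_value
    if kind == "phpass":
        return phpass_hash(password, hash_value) == hash_value
    return False


def crack(hash_value: str, wordlist):
    """First wordlist entry that matches, or None."""
    for word in wordlist:
        if check(word, hash_value):
            return word
    return None


# Constructed rows, in the shape a one-liner like
#   mysql -u root -p -e "SELECT user_login, user_pass FROM wp_users" wordpress
# returns.
SAMPLE_USERS = {
    "admin": "21232f297a57a5a743894a0e4a801fc3",   # md5("admin"), legacy format
    "demo": "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0",  # phpass test vector, "test12345"
}
WORDLIST = ["123456", "password", "admin", "test12345", "letmein"]


def crack_all(users=SAMPLE_USERS, wordlist=WORDLIST):
    return {user: crack(h, wordlist) for user, h in users.items()}


if __name__ == "__main__":
    for user, found in crack_all().items():
        print(f"{user}: {found or '<not in wordlist>'}")
```

For a real phpass hash the 8192 MD5 rounds make this slow in pure Python; hashcat mode 400 does the same work on a GPU. The point here is what the format is and why a plain MD5 lookup service cannot touch it.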

We're able to ssh using the username btrisk and the found password

Simple sudo -i elevates us to root

Vulnhub Walkthrough: BTRSys v1


uid=0(root) gid=0(root) groups=0(root)

Initial nmap reveals open ports on 21, 22, and 80

ftp is a ruse

Looking at the web page, nothing is found on first inspection

nikto reveals a login.php page

Standard login page 

Looking at the source, the form posts to personel.php and has some input validation rules in the page itself

Testing the first rule shows they're working

Browsing directly to personel.php, there's a MySQL error

We know from the rules what we need to post, so we do and intercept the request using Burp

From there we throw it at sqlmap and we have a vulnerable parameter 'kullanici_adi' (username in Turkish)

We dump the database and get usernames and passwords

We then log in using this information and find a place to upload files

Looking at the source we can only upload .jpg or .png files

Let's test adding a .jpg extension to a .php file


Completely guessed the upload folder :)

Now to get a PHP file with a reverse shell uploaded, so we intercept using Burp...

and strip the .jpg extension


After prepping netcat, we browse to our uploaded PHP file...and we have a shell
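The upload trick works because the only extension check lives in the page source, where the attacker controls it; the server stores whatever filename arrives in the multipart request. As an added example (not code from the VM), the Python below models both sides: vulnerable_store() behaves like the BTRSys handler, burp_rename() is the intercept step, and hardened_store() is what the server should have done. Filenames, file bodies and the upload directory are constructed.

```python
"""Model of the BTRSys v1 upload bypass and a server-side fix.

Added example, not code from the VM. vulnerable_store() trusts the client
filename as the VM did; hardened_store() applies the checks that belong on
the server. All names, contents and directories are constructed.
"""
import os
import secrets
import tempfile

# Allow-listed extensions and the magic bytes a real file of that type starts with.
ALLOWED = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n"}
PLACEHOLDER_PHP = b"<?php /* stand-in for the reverse shell from the write-up */ ?>"


def burp_rename(multipart_filename: str) -> str:
    """The intercept step: drop the decoy .jpg suffix that only existed to
    satisfy the client-side check before the request reaches the server."""
    if multipart_filename.lower().endswith(".jpg"):
        return multipart_filename[:-4]
    return multipart_filename


def vulnerable_store(upload_dir: str, filename: str, data: bytes) -> str:
    """Trusts the client-supplied name, as BTRSys did. Nothing here looks at
    the extension or content; the only filter was JavaScript the attacker runs."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def hardened_store(upload_dir: str, filename: str, data: bytes) -> str:
    """Server-side checks: extension allow-list, content matching the extension,
    and a server-chosen name so no part of the client's filename is reused.
    Raises ValueError on rejection."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    if not data.startswith(magic):
        raise ValueError("content does not look like " + ext)
    path = os.path.join(upload_dir, secrets.token_hex(8) + ext)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo(upload_dir=None) -> dict:
    """Run the bypass against both handlers and report what each did."""
    upload_dir = upload_dir or tempfile.mkdtemp(prefix="uploads_")
    results = {"dir": upload_dir}
    # 1. browser sees 'shell.php.jpg' and the client-side check passes;
    # 2. attacker strips '.jpg' in the proxy;
    # 3. the vulnerable server writes shell.php into the served uploads dir.
    forwarded = burp_rename("shell.php.jpg")
    results["vulnerable"] = os.path.basename(
        vulnerable_store(upload_dir, forwarded, PLACEHOLDER_PHP))
    # The hardened handler against the same tricks, plus a legitimate image.
    attempts = {
        "shell.php": PLACEHOLDER_PHP,
        "shell.php.jpg": PLACEHOLDER_PHP,
        "shell.jpg": PLACEHOLDER_PHP,
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # JFIF-looking bytes
    }
    for name, body in attempts.items():
        try:
            stored = hardened_store(upload_dir, name, body)
            results[name] = "accepted as " + os.path.basename(stored)
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The magic-byte check is only a speed bump (a GIF/PHP polyglot passes it); what actually stops execution is the server-chosen name with a safe extension, and serving uploads from a directory where the web server will not run PHP.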

Looking in the home folder there is only a user named troll, which doesn't match anything in /etc/passwd

We start enumerating and find an interesting log file called cronlog

Turns out it's a cron job that runs every 2 minutes calling a python script, which removes all files from the tmp folder

Wasn't even about to attempt to edit this using the shell we have, so we copy it to the uploads folder in order to download and edit it properly

We edit the script to do a reverse shell back to our machine over a different port

Now to get this back on the victim machine.  First we delete the old script from the uploads folder and use the same upload trick we did for the initial PHP file

After that we copy it over the original script

We then set up netcat and wait for the cron job to run...and BOOM, we have root
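The escalation above comes down to one condition: a job cron runs as root executes a script that a low-privileged user can overwrite. As an added example (not code from the VM), the Python below scans /etc/crontab-style lines for the script each job runs and reports the ones the current user could replace, either because the file is writable or because its directory is (a writable directory lets you swap the file even when the file itself is read-only). The crontab text and scripts are constructed in a temp dir; on a real host you would feed it /etc/crontab and /etc/cron.d/*.

```python
"""Finding a root cron job whose script we can replace (BTRSys v1 privesc).

Added example, not code from the VM. Parses /etc/crontab-format lines,
extracts the script each command runs, and checks whether the current
user can write it or its directory. The fixture below is constructed.
"""
import os
import shlex
import tempfile

# For 'interpreter /path/script' commands the script is the target, not the binary.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "php"}


def parse_system_crontab(text: str):
    """Yield (schedule, user, command) from /etc/crontab-format lines
    (5 schedule fields, a user field, then the command)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment, or VAR=value line
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        yield " ".join(parts[:5]), parts[5], parts[6]


def script_from_command(command: str):
    """Return the script path a cron command runs, or None."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    for i, tok in enumerate(argv):
        if os.path.basename(tok) in INTERPRETERS and i + 1 < len(argv):
            return argv[i + 1]            # 'python /path/x.py' -> /path/x.py
    return next((tok for tok in argv if tok.startswith("/")), None)


def writable_targets(crontab_text: str):
    """[(user, schedule, script, reason)] for jobs whose script we can replace."""
    hits = []
    for schedule, user, command in parse_system_crontab(crontab_text):
        script = script_from_command(command)
        if script is None:
            continue
        if os.access(script, os.W_OK):
            hits.append((user, schedule, script, "script is writable"))
        elif os.access(os.path.dirname(script) or ".", os.W_OK):
            hits.append((user, schedule, script, "directory is writable"))
    return hits


def build_sample(base=None) -> str:
    """Constructed fixture modelled on the VM: a root job every 2 minutes running a
    world-writable python cleanup script, plus a read-only script in a writable dir."""
    base = base or tempfile.mkdtemp(prefix="cron_")
    cleanup = os.path.join(base, "clean_tmp.py")
    with open(cleanup, "w") as fh:
        fh.write("import glob\nfor f in glob.glob('/tmp/*'):\n    pass  # stand-in\n")
    os.chmod(cleanup, 0o777)
    backup = os.path.join(base, "backup.sh")
    with open(backup, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(backup, 0o555)
    return (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"*/2 * * * * root /usr/bin/python {cleanup}\n"
        f"0 3 * * * root {backup}\n"
    )


if __name__ == "__main__":
    for user, schedule, script, reason in writable_targets(build_sample()):
        print(f"{schedule:14} {user:6} {script}  <- {reason}")
```

Once a hit shows up, the rest is what the write-up did: copy the original off for safekeeping, add the connect-back to it, and wait out the schedule. Note that os.access answers for the user running the scan, so run it from the low-privileged shell, not from a root one where everything looks writable.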