Welcome! This is my walkthrough of the IMF challenge hosted on vulnhub.com. The actual url to this exact machine is: https://www.vulnhub.com/entry/imf-1,162/
And now....onto the walkthrough....
After loading the image into VirtualBox, it showed up as 192.168.6.101 on my local network.
Now to base64 decode flag2...and we got 'imfadministrator' (no quotes). Again, I tried using the flag as a path and this time it got us to a login prompt.
After password guessing for a while (longer than I care to admit) I started googling for things along the lines of 'php password bypass'. Lots of SQLi pages came up, but another page came up that said something along the lines of 'PHP password bypass for CTF'. *strokes beard*. After reading about this, apparently PHP does not do well with type conversions when comparing to zero: we can alter the POST request to send an array instead of a string for the password field and, because of the type conversion issues, the PHP page will incorrectly allow us access.
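To make the type-conversion point concrete, here is an added example (my own, not the challenge's login code; the credential and field names are assumptions) that puts the loose `strcmp(...) == 0` check next to a hardened one and feeds both a string and an array:

```php
<?php
// Added example, not the IMF challenge's own login page. The stored
// credential and the submitted values below are constructed.

// Vulnerable pattern: strcmp() on untrusted input compared loosely to 0.
// On PHP 7, strcmp() given an array emits a warning and returns NULL, and
// NULL == 0 is true, so "pass[]=x" logs in without knowing the password.
// (PHP 8 throws a TypeError here instead of returning NULL.)
function login_vulnerable($submitted, string $stored): bool
{
    return strcmp($submitted, $stored) == 0;
}

// Hardened: refuse anything that is not a string, then verify against a
// password hash (constant-time comparison, no loose == involved).
function login_hardened($submitted, string $stored_hash): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return password_verify($submitted, $stored_hash);
}

$stored = 'correct-horse';                          // constructed secret
$hash   = password_hash($stored, PASSWORD_DEFAULT);

// Simulates the form field: pass=... (string) versus pass[]=... (array).
$attempts = [
    'right string' => 'correct-horse',
    'wrong string' => 'guess',
    'array input'  => ['guess'],
];

foreach ($attempts as $label => $input) {
    try {
        $v = @login_vulnerable($input, $stored) ? 'ALLOW' : 'deny';
    } catch (TypeError $e) {
        $v = 'deny (TypeError on PHP 8)';
    }
    $h = login_hardened($input, $hash) ? 'ALLOW' : 'deny';
    printf("%-12s vulnerable=%s hardened=%s\n", $label, $v, $h);
}
```

On PHP 7 the third line of output reads `array input  vulnerable=ALLOW hardened=deny`, which is exactly the bypass described above; the `is_string()` guard is what closes it.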
The dump showed a new page that we hadn't seen before 'tutorials-incomplete' (no quotes). This page has a picture with a QR code. After scanning it, I got the fourth flag. The flag was 'uploadr942.php' so I navigated to that page next.
First I tried to upload a text file and got an invalid file type error. After trying a couple different formats, I finally found that jpg was accepted as a valid filetype. There isn't any information on where the picture was uploaded to, so I thought I'd try the obvious options /images and /uploads. /images returned a blank page and /uploads was forbidden. So it exists? Going back to the result there is a comment in the source code that didn't exist before; unique hash? Possible filename? The /images/<hash>.jpg was not found. /uploads/<hash>.jpg worked! Holy crap! Ok, so now I needed something I could use to execute code with, so I grabbed a webshell included in Kali Linux and attempted to upload the webshell renamed with the .php.jpg extension. Unfortunately, this didn't work because 'CrappyWAF detected malware. Signature: fopen php function detected'. Well screw you too IMF.
The CrappyWAF also detected the 'system' function. ....seriously....and exec too....and shell_exec....and passthru...COME ON!
I found a stackoverflow page that listed out different ways to execute code via php and BACKTICKS seem to be working. I edited my php-webshell to use backticks instead of system/exec/whatever calls and I only got 'Error: Invalid file data' instead of CrappyWAF errors. Two steps forward, one step back. Now, how to make it look like valid data...
After trying for a couple hours I decide that jpg files are not going to work and I determine that png, bmp, and gifs are also acceptable formats. I used a technique I found online to write the magic number "FF D8 FF E0" to a fake gif file and then append straight php to the fake file. This FINALLY allows us to achieve code execution on the machine.
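For the defenders reading along: CrappyWAF fails because it blacklists function names in the file body and trusts a few magic bytes (FF D8 FF E0 is the JPEG signature). Here is an added example of an upload handler that would have stopped both the .php.jpg rename and the magic-bytes-plus-PHP trick; it is my code, not uploadr942.php, the paths and field names are assumptions, and it needs the GD extension:

```php
<?php
// Added example of a hardened upload handler; not the challenge's own
// uploadr942.php. UPLOAD_DIR is an assumed path outside the web root, so
// nothing stored there is ever served as a script.
const UPLOAD_DIR = '/var/app/uploads';
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function validate_and_store(string $orig_name, string $data): ?string
{
    // 1. Whitelist the final extension only, and refuse names that carry a
    //    script extension earlier (shell.php.jpg), since Apache's mod_mime
    //    can hand multi-extension files to the PHP handler.
    $parts = explode('.', strtolower($orig_name));
    $ext = array_pop($parts);
    if (!isset(ALLOWED[$ext]) || in_array('php', $parts, true) || in_array('phtml', $parts, true)) {
        return null;
    }
    // 2. Content check with libmagic, and it must agree with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // 3. Decode and re-encode. Only pixel data survives this step: a file
    //    that is just a signature plus appended PHP is not decodable, and a
    //    real image with a payload in its comment segment loses the payload.
    $img = @imagecreatefromstring($data);
    if ($img === false) {
        return null;
    }
    // 4. Server-chosen random name; the client's filename is never reused.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.png';
    imagepng($img, $dest);
    imagedestroy($img);
    return $dest;
}

// Constructed probe in the spirit of the post: JPEG magic bytes followed by
// a PHP tag. libmagic will typically call this image/jpeg, so step 2 alone
// (what CrappyWAF effectively does) is not enough; GD refuses to decode it.
$probe = "\xFF\xD8\xFF\xE0" . '<?php /* appended script */ ?>';
var_dump(validate_and_store('shell.php.jpg', $probe)); // NULL: double extension
var_dump(validate_and_store('photo.jpg', $probe));     // NULL: not a decodable image
```

Even with all four checks, keep uploads out of the document root (or disable the PHP engine for that directory) so a missed case is a broken image rather than a webshell.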
HAHAHAHA FINALLY! I can cat the fifth flag and move forward...
I am able to port knock the machine using nmap and then I can simply nc to the machine on port 7788 and the service is now available! So, from our php webshell I can 'cat' the contents of the 'agent' executable, but I need to find out what the Agent ID means.
First I copy the agent executable back to my local workstation and I run strings. Nothing jumps out about the Agent ID, but I can see there are menu options that include Extraction Points, Request Extractions and Submitting a report. In addition, there are numerous cities and places, which I'm assuming are there to request an extraction from.
After running into some issues and desiring a more robust prompt, I switched over to meterpreter and executed an msfvenom payload via the php backdoor shell and now have a meterpreter shell on the machine.
Finally, I am able to run ltrace on the agent executable and we can easily see the 'strncmp' call made with my provided value 'a' and the actual value needed '48093572'.
Ok now it looks like we have access to this executable and from our previous recon on the box we know this executable is running as root so, I think it's time to design a BUFFER OVERFLOW!!! *epic music*
So after a little fuzzing, I found that the Report (option 3) is able to be corrupted with a string length of 1024 "\x90"s so now, I need to find where the buffer overwrites EIP. To do this we can use pattern_create.rb. We found where EIP crashes and determined that the offset is 168 bytes into the buffer. To confirm this, we edit bytes 168-171 (inclusive) to be unique and when the program crashes, we should see our exact bytes that caused the application to crash.
Now that we've confirmed we can write to EIP, let's see which registers are also overwritten. It looks like eax is holding a pointer to an array of data that was overwritten by our pattern so let's investigate that more thoroughly.
So again, we used pattern_create.rb to create a pattern and put it into the application, and then we use pattern_offset.rb to calculate the offset of the buffer! Which is....
...offset 0? That seems awfully nice. Now, I need to find some way to get code execution to eax. Fortunately, there is a site called ropshell that you can upload a binary to and it will give you back some options including one for 'call eax' located at offset 0x00000563. You need a little more computer architecture knowledge to know that this will be located at 0x08048563 in memory (most Linux executables are loaded at base address 0x08048000). Lastly, we just need shellcode which is easily generated by msfvenom. Now we have the exploit!
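If you want to reproduce the offset-finding step above without Metasploit installed, here is an added example (my own, written in PHP like the rest of this post's examples, not the challenge's code) that builds the same cyclic pattern pattern_create.rb does and recovers the offset from a crashed EIP value; the EIP values below are constructed from the pattern itself:

```php
<?php
// Added example re-creating what pattern_create.rb / pattern_offset.rb do.
// Not the challenge's code; the EIP values used below are constructed.

// Non-repeating pattern of "Aa0Aa1...Zz9" triples, as Metasploit builds it.
function cyclic_pattern(int $length): string
{
    $out = '';
    foreach (range('A', 'Z') as $u) {
        foreach (range('a', 'z') as $l) {
            foreach (range('0', '9') as $d) {
                if (strlen($out) >= $length) {
                    return substr($out, 0, $length);
                }
                $out .= $u . $l . $d;
            }
        }
    }
    return substr($out, 0, $length);
}

// Given the 32-bit value the debugger shows in EIP after the crash, undo
// the little-endian byte order and locate those four bytes in the pattern.
// Returns null when the value did not come from the pattern at all.
function pattern_offset(string $pattern, int $eip)
{
    $needle = pack('V', $eip); // 'V' = unsigned 32-bit, little-endian
    $pos = strpos($pattern, $needle);
    return $pos === false ? null : $pos;
}

$pattern = cyclic_pattern(1024);   // same length used for the fuzz above

// Bytes 168..171 of the pattern are "Af6A"; read as a little-endian dword
// that is 0x41366641, which is what EIP shows when the offset is 168.
printf("bytes at 168: %s\n", substr($pattern, 168, 4));        // Af6A
printf("EIP offset:   %d\n", pattern_offset($pattern, 0x41366641)); // 168

// The first four bytes "Aa0A" (0x41306141) locate the start of the data
// eax pointed at, matching the "offset 0" result above.
printf("eax offset:   %d\n", pattern_offset($pattern, 0x41306141)); // 0
```

The same pattern_offset() call is how you confirm the 168-171 byte check in the text: whatever four bytes you place there come back as the dword in EIP, in reversed byte order.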
Let's try and see if it works! So, this specific script didn't work, but the format stayed the same. I had to add some time delays and I switched from meterpreter shellcode to regular shellcode. Here is the actual script that worked followed by my root privs.
Well, now all that remains is to see the final flag and wrap up this walkthrough! Drum roll please......................
This was an awesome exercise and I'd like to give credit to all the websites I used while researching how to exploit this box. I'd also like to say I did compare my walkthrough to the other walkthroughs already posted on Vulnhub.com and it was very fun to see alternate and similar techniques used. All thoughts and comments are the author's and do not represent the thoughts or comments of anyone else. I hope you enjoyed this walkthrough! -Hack Responsibly. Hack Professionally.