HSCTF 2021 | PWN Use After Freedom TL;DR Vulnerability: use after free
Exploit steps:
Leak glibc address by freeing a chunk into unsorted bins Perform partial unlink (unsorted bin attack) to overwrite global_max_fast Free a 0x3940 sized chunk to overwrite __free_hook with the address of 0x3940 sized chunk Use write after free to change the fd of 0x3940 sized chunk with system Allocate a 0x3940 sized chunk so _free_hook becomes system Call free(/bin/sh) Exploit #!
As usual we start with a nmap scan to find open ports and services on the server.
┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Worker] └─$ sudo nmap -sC -sV -oA nmap/tcp-initial -vv 10.10.10.203 ... PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.
Academy Walkthrough Enumeration running nmap scan we find two ports (22, 80) are open and the machine also leaks a hostname as academy.htb
# Nmap 7.91 scan initiated Sun Jan 10 12:56:59 2021 as: nmap -sC -sV -oA nmap/tcp-initial -vv 10.
Initial Recon Running a nmap scan on the server to look for open ports and services.
┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Time] └─$ sudo nmap -sC -sV -oA nmap/tcp-initial -vv 10.10.10.214 we find that port 22 (SSH) and port 80 (Apache) are open on the server.
Recon we start with a nmap scan to look for open ports and services on the server.
# Nmap 7.91 scan initiated Wed Oct 14 21:14:03 2020 as: nmap -sC -sV -oA nmap/tcp-initial -vv 10.
We start with a nmap scan to look for open ports and services running on the server.
PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.
Initial Recon We start the initial recon with a nmap scan to look for open ports are services running on them.
PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.
Admirer Writeup we start the recon with a nmap scan to look for open ports and services running on them
PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 63 vsftpd 3.