HackTheBox: Frolic Walkthrough

Matt Johnson
6 min readApr 7, 2020

--

It’s been a while since I’ve had the chance to do one of these, things have been pretty busy… But anyways, the box is Frolic. This is probably the most difficult box I’ve done to date. It involves going further and further down an exceedingly convoluted rabbit hole to get an initial foothold on the box, and once you’re on you have to use a ROP technique to exploit a buffer overflow and become root. Here’s how I did it.

Enumeration

As always, I began doing a staged nmap scan:

Upon discovering an open SMB server, I tried to enumerate it and see if there was anything of interest, but no dice. The Node-RED server proved equally unfruitful. That left me only with the seemingly untouched Nginx server on port 9999.

Despite the main page telling you to visit forlic.htb:1880, there was nothing worth seeing there. I ran a gobuster on 10.10.10.111:9999, and here’s what I discovered:

One folder of interest was /backup:

Appears to be a directory listing…

Visiting /backup/password.txt and /backup/user.txt gave me what seemed to be a set of credentials:

Another interesting folder was /dev. On its face there was nothing special about this folder, but running gobuster against it proved helpful:

From the /dev/backup directory, I was able to discover a new folder to search:

Confusingly, though, the credentials found in the /backup directory didn’t work. Moving on.

The /admin page was a login page that claimed it was “hackable”. Fortunately for me, they weren’t lying. There were credentials in one of the javascript files:

How not to program your web apps

Less fortunately for me was that successfully logging in to the admin panel only yielded this:

After a lot of googling to try to figure out what this was even supposed to be, I was introduced to Ook! Ook is an encoded language mean to give Orangutans the ability to program. No joke. Plugging this nonsense into a translator gave this output:

Visiting the mentioned link gave me what appeared to be base64:

Decoding the base64 and running ‘file’ against it showed me that it was a zip folder:

The password was ‘password’

The cryptic text within the index.php file was a cousin of Ook called Brainfuck. I ran it through an interpreter and got another possible password:

I tried plugging this password in everywhere and managed to get a hit on the PlaySMS application! Now on to exploitation.

The Initial Foothold

Searchsploit showed that there were a few possible exploits to run:

If you have excellent vision, you might be able to read this.

I’ve tended to avoid using Metasploit as of late, mostly because I want to try to understand how exploits actually work better. However, after the rabbit hole I’d gone down to get to this point, I used a Metasploit module. Gasp.

As usual, Metasploit reliably got me where I needed to be.

Time for privesc.

Internal Enumeration and Getting Root

As this writeup is already a long one, I’ll spare too much of the details. After a great deal of internal enumeration, I managed to find an suid binary called ‘rop’ in a hidden directory.

The program requires an argument, and seems to just repeat whatever you type back to you. A bit of code analysis reveals that it’s most likely using strcpy(), an old and dangerous function in C.

Given this and the file name, I knew what was required to get root. I had to craft a buffer overflow attack that would spawn /bin/sh and get me root.

There were a couple of things I would need to find in order to do this:

  1. The length of the buffer.
  2. The address in memory of the system() function
  3. The address in memory of the exit() function
  4. The disk address of the library used by the program.
  5. The disk address of /bin/sh inside the previously mentioned library.

Breaking this down, here’s how I did it.

The first bit was just a bit of guesswork on my part. There are more formulaic ways to do it (using pattern_create.rb, for example), but I didn’t do it. The length of the buffer was 52 bytes in this case.

The second and third parts must be done using gdb. Here’s how I did that:

For the fourth part, I used ldd:

And finally, to get the location of /bin/sh, I used strings:

So the formula now is simply combining all of the individual parts. I used NOP bytes (\x90) for the first 52 bytes. After converting the addresses into little endian (LE) and putting them in a perl script, here’s how the command looked:

./rop `perl -e ‘print “\x90”x52 . “\xa0\x3d\xe5\xb7” . “\xd0\x79\xe4\xb7” . “\x0b\x4a\xf7\xb7”’`

Let’s test and see…

Voila! This was definitely a difficult box, but it was a great learning experience. I want to thank Dillan Hildebrand for his excellent explanation of ROP exploits and Dr. Mike Pound at the University of Nottingham for his walkthrough of a buffer overflow attack. These were both tremendously helpful to me while doing this box.

That’s it for now.

--

--

Matt Johnson
Matt Johnson

Written by Matt Johnson

Freelance cybersecurity consultant based in Düsseldorf, Germany.