After c0ne build the vulnerable binary for the knock-knock challenge, he now made a complete boot2root VM with 5 levels: Pandora’s Box! I had the pleasure of being one of the testers for the vulnurable binaries, so I got a sneak peek for level 2 and 3 (after which level 2 changed quite a bit). I’l be splitting up the writeup per level and I’l only describe the final levels that ended up in the VM.
Writeups for Levels:
- Level1 –
- Level2 – http://jellevergeer.com/pandoras-box-level-2/
- Level3 – http://jellevergeer.com/pandoras-box-level-3/
- Level4 – http://jellevergeer.com/pandoras-box-level-4/
- Level5 – http://jellevergeer.com/pandoras-box-level-5/
Level1, Getting a shell
After mounting the VM and locating it with arp-scan we scan the VM with nmap to see what kind of services are running on the box. We find 2 ports: ssh(22) and some unknown port(54311). After we connect with netcat to the unknown port we can see it is a “secure remote shell”.
It requests a password and keeps on requesting a password if the password is incorrect. After checking for the classic vulnerabilities like stack overflow I started checking the response times for some kind of timing vulnerability. Right before doing this challenge I did Fusion level 4, which also contained a password timing attack so that gave me the idea to give it a try here.
So, I build a small python script to try all possibilities in the a-z, A-Z, 0-9 range and print the time it took to receive the response from the “secure remote shell”. These were the results:
root@kalipwn:~/Documents/pandoras_b0x# python pass.py
a 0.0062189102 Password: Invalid password!
b 0.0379989147 Password: Invalid password!
c 0.0055730343 Password: Invalid password!
P 0.0064117908 Password: Invalid password!
Q 0.0052409172 Password: Invalid password!
R 0.0001790524 Password: Invalid password!
S 0.0055990219 Password: Invalid password!
T 0.0058290958 Password: Invalid password!
U 0.0068531036 Password: Invalid password!
As you can see the character ‘R’ took considerable less time than all the others! I modified my script to keep iterating and append to the password when the response time was under a certain threshold and soon I had my password!
Awesome! We got in and have a basic shell! Here is my little python script I used to retrieve the password: