rop
www-data@frolic:/home/ayush/.binary$ ll
total 16K
4.0K drwxr-xr-x 3 ayush ayush 4.0K Sep 9 2022 ..
4.0K drwxrwxr-x 2 ayush ayush 4.0K Sep 9 2022 .
8.0K -rwsr-xr-x 1 root root 7.4K Sep 25 2018 rop
The presence of this unknown SUID binary was first noticed after gaining a foothold and was later confirmed by PEAS.
www-data@frolic:/home/ayush/.binary$ file ./rop
./rop: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=59da91c100d138c662b77627b65efbbc9f797394, not stripped
The rop file is a custom 32-bit setuid ELF binary, dynamically linked and not stripped, so its symbol names are still visible.
www-data@frolic:/home/ayush/.binary$ strings rop
strings rop
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setuid
strcpy
puts
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
UWVS
t$,U
[^_]
[*] usage: program <message>
[+] message sent:
;*2$"0
gcc: (Ubuntu 5.4.0-6ubuntu1~16.04.10) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7209
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
rop.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
printf@@GLIBC_2.0
vuln
_edata
strcpy@@GLIBC_2.0
__data_start
puts@@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
_fp_hw
__bss_start
main
setuid@@GLIBC_2.0
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment
The strings command reveals the usage message as well as some of the libc functions the binary imports (strcpy, puts, printf, setuid). In particular, there appears to be a function named vuln.
www-data@frolic:/home/ayush/.binary$ ./rop
[*] usage: program <message>
www-data@frolic:/home/ayush/.binary$ ./rop This is a message?
[+] message sent: This
Executing the SUID binary with some arbitrary text prints "[+] message sent:" followed by the message; only the first word is echoed, because the unquoted text is split into separate arguments and the program uses just the first one.
Next, I will test it for a buffer overflow by passing a long argument.
www-data@frolic:/home/ayush/.binary$ ./rop AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
Crashed. The segmentation fault on a long argument shows that the SUID binary is vulnerable to a buffer overflow, consistent with its use of strcpy, which copies without a length check.
Since the binary runs as root, this means I can escalate privileges to the root user by exploiting the buffer overflow vulnerability present in the SUID binary.
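The pattern behind that crash, as an added example that is not the binary's source or the author's code: a hypothetical reconstruction of a strcpy() into a fixed stack buffer, beside a bounds-checked version of the same routine. MSG_MAX, the function names and the buffer size are assumptions; rop's real source is not on the page.

```c
#include <stdio.h>
#include <string.h>

#define MSG_MAX 32   /* assumed buffer size; the real one in rop is unknown */

/* Unsafe pattern (assumed to match rop's vuln()): argv[1] is copied into
 * a fixed stack buffer with no bound, so a message longer than the buffer
 * overwrites the saved frame and return address, which is the segfault
 * observed above. Called only with short input here. */
int send_message_unsafe(const char *msg) {
    char buf[MSG_MAX];
    strcpy(buf, msg);                 /* no length check */
    printf("[+] message sent: %s\n", buf);
    return 0;
}

/* Hardened version: measure at most MSG_MAX bytes, reject anything that
 * does not fit with its terminator, copy with an explicit bound and always
 * NUL-terminate. Returns 0 on success, -1 if the message was rejected. */
int send_message_safe(const char *msg) {
    char buf[MSG_MAX];
    size_t len = 0;
    while (len < MSG_MAX && msg[len] != '\0')
        len++;
    if (len >= MSG_MAX)               /* too long: no room for the NUL */
        return -1;
    memcpy(buf, msg, len);
    buf[len] = '\0';
    printf("[+] message sent: %s\n", buf);
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        puts("[*] usage: program <message>");
        return 1;
    }
    if (send_message_safe(argv[1]) != 0) {
        fprintf(stderr, "[-] message too long (max %d bytes)\n", MSG_MAX - 1);
        return 1;
    }
    return 0;
}
```

With the hardened routine the 55-byte run of A's from the crash above is rejected with an error instead of corrupting the stack.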
Moving on to the Privilege Escalation phase