HSCTF 2021 | PWN Use After Freedom TL;DR Vulnerability: use after free
Leak glibc address by freeing a chunk into unsorted bins Perform partial unlink (unsorted bin attack) to overwrite global_max_fast Free a 0x3940 sized chunk to overwrite __free_hook with the address of 0x3940 sized chunk Use write after free to change the fd of 0x3940 sized chunk with system Allocate a 0x3940 sized chunk so _free_hook becomes system Call free(/bin/sh) Exploit #!
As usual we start with a nmap scan to find open ports and services on the server.
┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Worker] └─$ sudo nmap -sC -sV -oA nmap/tcp-initial -vv 10.10.10.203 ... PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.
Academy Walkthrough Enumeration running nmap scan we find two ports (22, 80) are open and the machine also leaks a hostname as academy.htb
# Nmap 7.91 scan initiated Sun Jan 10 12:56:59 2021 as: nmap -sC -sV -oA nmap/tcp-initial -vv 10.
Initial Recon Running a nmap scan on the server to look for open ports and services.
┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Time] └─$ sudo nmap -sC -sV -oA nmap/tcp-initial -vv 10.10.10.214 we find that port 22 (SSH) and port 80 (Apache) are open on the server.