Develop

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 192.168.160.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-13 11:38 +08
Nmap scan report for 192.168.160.135
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

I also ran a detailed scan (default scripts and version detection) on the two HTTP ports:

$ sudo nmap -p 80,8080 -sC -sV --min-rate 3000 192.168.160.135      
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-13 11:40 +08
Nmap scan report for 192.168.160.135
Host is up (0.17s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Jekyll v4.1.1
|_http-title: Develop Solutions
| http-git: 
|   192.168.160.135:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: added fix to do 
8080/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Admin Panel
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set

So there's a .git repository which we can download first.

Web + Git Enumeration

Port 80 hosts a corporate website:

If we click 'Get in touch', we are redirected to develop.site/getintouch.php. We can first add that to our /etc/hosts file and then enumerate further.

The page reveals a simple Contact Form:

Nothing much there. I ran a gobuster scan on the website and also downloaded the .git repository. While the gobuster scan ran, I enumerated the logs of the repository. Here's the interesting output:

Firstly, there is mention of a blacklist and whitelist intended to prevent RCE. Next, there are some usernames and password hashes, but the hashes don't crack.

Lastly, we have the login.php form, which compares the username concatenated with the MD5 of the password against the stored value. Because the comparison uses loose == rather than ===, this authentication mechanism is vulnerable to PHP type juggling, and magic hashes (MD5 digests of the form 0e followed only by digits, which PHP compares as the number 0) can be used to bypass the login.
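Modelled in Python as an added example (this is not the box's login.php): the loose-comparison pattern described above, the strict constant-time fix, and a defender-side audit that flags stored hashes which are themselves of the 0e<digits> form. The credential store, franz's password and the simplified model of PHP numeric-string comparison are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed credential store for this example (not the box's real data).
# The stored hash for lu191 is a "magic hash": 0e followed only by digits,
# which PHP's loose == reads as the number 0.
USERS = {
    "lu191": hashlib.md5(b"QNKCDZO").hexdigest(),  # 0e830400451993494058024219903391
    "franz": hashlib.md5(b"constructed-strong-passphrase").hexdigest(),
}

# PHP treats strings of this shape as numeric, including exponent forms
# like "0e123", and compares two such strings as numbers under ==.
PHP_NUMERIC = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")
MAGIC_HASH = re.compile(r"^0e\d+$")


def php_loose_equals(a: str, b: str) -> bool:
    """Simplified model of PHP's == on two strings (assumption: inputs are
    plain numeric strings or plain text, with no surrounding whitespace)."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def login_loose(username: str, password: str) -> bool:
    """The vulnerable pattern: stored_md5 == md5(password) in PHP."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.md5(password.encode()).hexdigest()
    return php_loose_equals(stored, candidate)


def login_strict(username: str, password: str) -> bool:
    """The fix: byte-for-byte, constant-time comparison (=== / hash_equals)."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def audit_magic_hashes(users: dict) -> list:
    """Defender check: which stored hashes would a loose compare accept for
    any password whose MD5 is also of the form 0e<digits>?"""
    return sorted(u for u, h in users.items() if MAGIC_HASH.match(h))
```

The password 240610708 from the writeup hashes to 0e462097431906509019562988736854, so login_loose accepts it for lu191 while login_strict rejects it.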

Magic Hashes -> LFI SSH

The .git repository seems to be for the service running on port 8080:

We can log in as lu191:240610708, abusing the type juggling, and view the dashboard:

The Resources tab of the dashboard shows potential for RCE:

So we know that this is probably still vulnerable to RCE, and it tells us when we are blocked.

I tested different commands and found that curl isn't blocked:

Commands like bash and sh are blocked, and so are space characters, so getting a reverse shell through curl is difficult. However, we can still use curl to read files on the system by sending their contents in POST requests to a listener on our port 80.

To overcome the space character block, we can use ${IFS} in place of spaces. With that, we can send POST requests carrying file contents via curl's -F flag:

Using this method, I found that the user was franz. We can then attempt to read their private SSH key:

We can then ssh in:

Privilege Escalation

Docker Group

As seen above, the user is a member of the docker group, which means we can escalate privileges easily. First, list the images present:

Just run this command from Hacktricks:
