Target Experience:

My observations while working this target:

· Enumeration: Life-like

· Vulnerabilities: Life-like/CTF-like

· Exploitation: Life-like/CTF-like

· Difficulty: Easy/Medium

· Community Notes: Life-like/CTF-like

Tools:

The recommended tools for this machine were:

· Nmap

· Gobuster

· Nikto

· Browser

· Netcat

Vulnerabilities:

The following vulnerabilities were found:

· Evading White List

· Local Privilege Escalation (Code Abuse)

· Local Privilege Escalation (Script Flaw)

Information Gathering:

Using Nmap, I performed a SYN scan on all TCP ports for service version detection as well as default safe scripts.

Nmap Scan

After identifying that TCP Port 80 was open, I followed up with scans from Gobuster and Nikto.

Gobuster Scan
Nikto Scan

Web Enumeration:

Reviewing the findings from the scans, I performed a manual inspection of the TCP Port 80 web server.

Default Web Page
Default Web Page Source
/backup Directory
/uploads Directory

After finishing inspecting the web site, I decided to download the contents of the backup.tar file to my attacker server to further inspect the contents.

Reviewing the upload.php file, I noticed that only certain extensions could be uploaded to the /uploads directory. In addition, I noticed that there was what appeared to be a file type check prior to uploading of the file.

uploads.php

Foothold:

After exploring the other files, I decided to return to the website to further investigate the files found within the backup file.

photos.php
/uploads/ Directory
uploads.php

I tried a few different methods to upload files, but my many attempts failed. I then did some research and found that adding GIF89a; to a file would bypass the file inspection that I identified within the uploads.php file.

With that said, I used one of the default Kali PHP shells and added the GIF89a; as well as modifying the $ip and $port variables for my attacker system. I then saved the file with a .php.jpg file extension.

PHP Reverse Shell

I then returned to the /upload.php form and was able to successfully bypass the file inspection.

Successful Upload

Next, I returned to the photos.php site and was able to validate that my file uploaded. In addition, the script modified the name of the file to the IP Address of my attacker system.

Validated Upload

After I validated the upload, I started a NetCat listener and then added the URL of my uploaded file to the browser.

Executed PHP File

Note: Photos should trigger the reverse shell pending if on a Free of VIP server

I then returned to the shell and validated a connection as well as credentials.

Connected Shell

Privilege Escalation — User:

With the foothold established, I decided to upgrade the shell prior to completing any enumeration.

Upgraded Shell

I was able to find the following script and crontab located within the home directory for the user named guly.

check_attack.php
crontab.guly

Reviewing the crontab, it used PHP to execute the check_attack.php script every three minutes. Within the script, it scanned all files ignoring index.html as well as any file starting with “.” or “..”. However, the exec() command could be abused by injecting a payload as a file name; thus, causing the script to launch and execute the file.

After launching a Netcat listen on my attacking system, I used the touch command to create a Netcat payload as part of the file name.

Payload Creation

Within three minutes I had a new shell that was established with user credentials.

User Shell

After upgrading the shell with Python, I reviewed the contents of guly’s home directory and then displayed the contents of the user.txt file.

User Flag

Privilege Escalation — Root:

Having an established user shell, I reviewed the contents of the sudo list to determine if the user could launch privileged commands.

Sudo List

Next, I decided to explore the contents of the changename.sh script for any clues as to how this could be exploited.

changeme.sh

In doing research, it appeared that the script could be escaped by entering in any named, followed by a space, and then adding a command. According to the researcher, the /etc/sysconfig/network-scripts/ifcfg-xxx could be abused to gain root privileges.

Reviewing the changeme.sh script, the /etc/sysconfig/network-scripts/ifcfg-guly file had variables written to it.

Escaped Script: Root

After obtaining root privileges, all that was left was to view the contents of root.txt.

Root Flag

References:

https://xapax.gitbooks.io/security/content/bypass_image_upload.html

https://www.owasp.org/index.php/Command_Injection

https://seclists.org/fulldisclosure/2019/Apr/24

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.

Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.

Information within this article is “as is”, without warranty of any sort.

Cyber Security Enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store