Target Experience:
My observations while working this target:
· Enumeration: Life-like
· Vulnerabilities: Life-like/CTF-like
· Exploitation: Life-like/CTF-like
· Difficulty: Easy/Medium
· Community Notes: Life-like/CTF-like
Tools:
The recommended tools for this machine were:
· Nmap
· Gobuster
· Nikto
· Browser
· Netcat
Vulnerabilities:
The following vulnerabilities were found:
· Evading white list (file upload filter bypass)
· Local Privilege Escalation (Code Abuse)
· Local Privilege Escalation (Script Flaw)
Information Gathering:
Using Nmap, I performed a SYN scan of all TCP ports with service version detection and the default (safe) script set.
After identifying that TCP port 80 was open, I followed up with directory brute-forcing in Gobuster and a vulnerability scan with Nikto.
Web Enumeration:
Reviewing the findings from the scans, I performed a manual inspection of the web server on TCP port 80.
After inspecting the web site, I downloaded the backup.tar file to my attacking system to inspect its contents.
Reviewing upload.php, I noticed that only certain extensions were accepted for files written to the /uploads directory. In addition, the script performed a file type check on the uploaded content before saving the file.
Foothold:
After exploring the other files, I returned to the website to investigate the pages found within the backup file.
I tried a few different methods of uploading files, but all of my attempts failed. After some research I found that prepending GIF89a; (the GIF magic header) to a file would bypass the content check I had identified in upload.php, since that check identifies the file type from its leading bytes only.
With that in mind, I took one of the PHP reverse shells shipped with Kali, added GIF89a; as the first line, set the $ip and $port variables to my attacking system, and saved the file with a double extension, .php.jpg.
I then returned to the /upload.php form and successfully bypassed the file inspection.
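To make the bypass concrete, here is an added example (my own code, not the target's upload.php, whose exact logic this page does not reproduce). It mimics the two checks described above, an extension whitelist plus a magic-byte content check, shows a GIF89a-prefixed PHP file passing both, and puts a stricter version of the same check beside it. The 1x1 GIF and the PHP payload are constructed inline, and the names vulnerable_check, hardened_check and detect_type are mine.

```python
"""Upload-filter bypass with a GIF89a prefix, and a stricter check.
Added example: mimics the checks described on this page, not the target's
upload.php. Sample inputs are constructed inline."""
import os
import re

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif"}

# Leading-byte signatures in the spirit of libmagic (what PHP's finfo and
# mime_content_type() consult); anything else counts as unknown binary.
SIGNATURES = (
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
)
# Extension(s) that legitimately go with each sniffed type.
MIME_TO_EXT = {
    "image/gif": {".gif"},
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
}

# Constructed inputs: a 1x1 GIF, and the page's trick (GIF header, then PHP).
MINIMAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
               b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
PHP_PAYLOAD = b"<?php echo 'php ran'; ?>\n"   # stand-in for the Kali reverse shell
POLYGLOT = b"GIF89a;\n" + PHP_PAYLOAD


def detect_type(data: bytes) -> str:
    """Content sniffing by leading bytes only: this is the weak point."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def vulnerable_check(filename: str, data: bytes) -> bool:
    """Shape of the check described on the page: last extension whitelisted,
    content sniffs as an image.  'shell.php.jpg' + GIF89a satisfies both."""
    ext = os.path.splitext(filename)[1].lower()   # 'shell.php.jpg' -> '.jpg'
    return ext in ALLOWED_EXT and detect_type(data) in ALLOWED_MIME


def hardened_check(filename: str, data: bytes) -> bool:
    """Stricter variant: exactly one extension, it must agree with the sniffed
    type, and no PHP open tag anywhere in the body.  Still only a filter; the
    robust fix is to re-encode the image and store it under a server-chosen
    name with a non-executable extension."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:          # rejects 'a.php.jpg', '.jpg', 'noext'
        return False
    mime = detect_type(data)
    if mime not in ALLOWED_MIME or "." + parts[1] not in MIME_TO_EXT[mime]:
        return False
    if re.search(rb"<\?", data):                 # crude; may false-positive on real images
        return False
    return True


if __name__ == "__main__":
    for name, blob in [("shell.php.jpg", POLYGLOT), ("shell.php", POLYGLOT),
                       ("pic.gif", MINIMAL_GIF)]:
        print(f"{name:14} sniffed={detect_type(blob):24} "
              f"vulnerable={vulnerable_check(name, blob)} "
              f"hardened={hardened_check(name, blob)}")
```

The double extension matters because the whitelist only looks at the last extension while the web server may still hand the file to PHP; the hardened variant refuses more than one dot for that reason. Scanning the body for "<?" is a stopgap, not a guarantee.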
Next, I returned to the photos.php page and confirmed that my file had been uploaded. Note that the script renames the uploaded file after the IP address of the system that uploaded it.
After validating the upload, I started a Netcat listener and then requested the URL of my uploaded file in the browser.
Note: Loading photos.php should itself trigger the reverse shell, depending on whether you are on a Free or a VIP server.
I then returned to the listener, confirmed the connection, and checked which user the shell was running as.
Privilege Escalation — User:
With the foothold established, I upgraded the shell before doing any enumeration.
In the home directory of the user guly I found a PHP script, check_attack.php, and a crontab entry that runs it.
Reviewing the crontab, it used PHP to execute check_attack.php every three minutes. The script scanned all files in the directory it monitored, ignoring index.html as well as the “.” and “..” entries, and passed each file name to exec() without sanitization. Because the file name is interpolated straight into a shell command, a name containing shell metacharacters injects a command that runs with the privileges of the cron job, i.e. as guly.
After starting a Netcat listener on my attacking system, I used the touch command to create a file whose name contained a Netcat reverse shell payload.
Within three minutes the cron job fired and I had a new shell running as guly.
After upgrading the shell with Python, I reviewed the contents of guly’s home directory and then displayed the contents of the user.txt file.
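As an added example (my code, not the target's check_attack.php, whose source this page does not reproduce), the following mimics the vulnerable pattern, a cleanup job that builds one shell command string from directory entries, beside the argv-list form that is immune to it. A harmless marker file stands in for the Netcat reverse shell; the scratch directory, the payload file name and the function names are my own.

```python
"""Command injection through a file name interpolated into a shell command,
the check_attack.php pattern, next to the argv form that is not affected.
Added example: a harmless marker stands in for the Netcat payload."""
import os
import subprocess
import tempfile

MARKER = "injected.txt"
# File name used as the payload; on the target the same idea carried an nc
# reverse shell and was created with a plain `touch`.
PAYLOAD_NAME = "x; echo pwned > " + MARKER


def list_candidates(directory):
    """Entries the cleanup acts on: everything except index.html and the
    '.'/'..' entries (os.listdir already leaves the latter out)."""
    return [n for n in os.listdir(directory) if n != "index.html"]


def cleanup_vulnerable(directory):
    """rm via a single shell string: the exec("... $path$value") shape.
    The name is attacker-controlled, so ';' ends the rm and starts a new command."""
    for name in list_candidates(directory):
        cmd = f"rm -f {directory}/{name}"
        subprocess.run(cmd, shell=True, cwd=directory,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def cleanup_safe(directory):
    """Same job without a shell: metacharacters are just bytes of one argument.
    (In PHP: escapeshellarg($value), or simply unlink() instead of exec().)"""
    for name in list_candidates(directory):
        subprocess.run(["rm", "-f", "--", os.path.join(directory, name)],
                       cwd=directory, stderr=subprocess.DEVNULL)


def run_demo(cleanup):
    """Create the payload-named file in a scratch 'uploads' directory, run one
    of the cleanups, and report whether the injected command ran and whether
    the file was actually removed."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "index.html"), "w").close()
        open(os.path.join(d, PAYLOAD_NAME), "w").close()
        cleanup(d)
        return {
            "payload_ran": os.path.exists(os.path.join(d, MARKER)),
            "file_removed": not os.path.exists(os.path.join(d, PAYLOAD_NAME)),
        }


if __name__ == "__main__":
    print("shell string:", run_demo(cleanup_vulnerable))  # payload runs, file stays
    print("argv list:   ", run_demo(cleanup_safe))        # file removed, nothing runs
```

Note the second effect in the vulnerable run: the injected file is never removed, because rm only ever sees the part of the name before the semicolon, so the payload fires again on every cron run.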
Privilege Escalation — Root:
With a user shell established, I reviewed the sudo rules (sudo -l) to determine whether the user could run any privileged commands.
Next, I examined the changename.sh script listed there for clues as to how it could be exploited.
Researching this, I found that the script could be abused by entering any name followed by a space and a command. According to the researcher (see the seclists reference below), the /etc/sysconfig/network-scripts/ifcfg-xxx files are sourced as shell scripts by the network scripts running as root, so an attribute value containing whitespace is executed as a command, which can be abused to gain root privileges.
Reviewing the changename.sh script confirmed that the entered values were written as variables into the /etc/sysconfig/network-scripts/ifcfg-guly file.
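The mechanism behind the ifcfg trick, as an added example (my own code; it mimics only what this page says changename.sh does, writing the entered value into an ifcfg file as NAME=value, and neither reproduces the script nor runs anything as root): the network scripts source ifcfg files with bash, so a line NAME=guly touch marker is not an assignment but the command touch marker run with NAME=guly in its environment. A marker file in a temporary directory stands in for the root shell, and the validator and parser are my suggested hardening, not anything from the target.

```python
"""Why a space in an ifcfg value becomes code: the file is sourced by bash.
Added example mimicking the NAME=value write described on the page; nothing
here touches /etc or runs as root.  A marker file stands in for the root shell."""
import os
import re
import subprocess
import tempfile

# The script's own filter (per the page) let spaces through; this one does not.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]+$")


def accept_value(value: str) -> bool:
    """Input validation the sudo script should have applied."""
    return bool(SAFE_VALUE.match(value))


def write_ifcfg(path: str, name: str) -> None:
    """Write the interface file the way the page describes: fixed header, then
    the user-supplied value as an unquoted NAME=... line."""
    with open(path, "w") as f:
        f.write("DEVICE=guly0\nONBOOT=no\n")
        f.write(f"NAME={name}\n")


def source_ifcfg(path: str, cwd: str) -> str:
    """What ifup effectively does with the file: source it in bash.  Returns
    the value bash ended up holding in NAME."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}   # no inherited NAME
    r = subprocess.run(["bash", "-c", '. "$1"; printf %s "$NAME"', "_", path],
                       cwd=cwd, env=env, capture_output=True, text=True)
    return r.stdout


def parse_ifcfg(path: str) -> dict:
    """Safe alternative: read KEY=VALUE lines as data, never evaluate them."""
    values = {}
    with open(path) as f:
        for line in f:
            m = re.fullmatch(r"([A-Z_][A-Z0-9_]*)=(.*)", line.rstrip("\n"))
            if m:
                values[m.group(1)] = m.group(2)
    return values


def demo(name: str) -> dict:
    """Write NAME=<name> into a scratch ifcfg file, source it, and report
    whether sourcing ran a command (marker appears next to the file)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ifcfg-guly")
        write_ifcfg(path, name)
        return {
            "sourced_NAME": source_ifcfg(path, d),
            "command_ran": os.path.exists(os.path.join(d, "marker")),
            "parsed_NAME": parse_ifcfg(path)["NAME"],
            "accepted": accept_value(name),
        }


if __name__ == "__main__":
    print(demo("guly"))               # plain assignment, nothing runs
    print(demo("guly touch marker"))  # bash runs `touch marker` with NAME=guly in env
```

The telling detail is that after sourcing the malicious line NAME is empty: bash treated NAME=guly as a temporary environment prefix for the command that followed. On the target that command ran as root because ifup was invoked through the sudo-allowed script.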
After obtaining root privileges, all that was left was to view the contents of root.txt.
References:
https://xapax.gitbooks.io/security/content/bypass_image_upload.html
https://www.owasp.org/index.php/Command_Injection
https://seclists.org/fulldisclosure/2019/Apr/24
Disclaimer:
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.