networked

FILE UPLOAD VULNERABILITY | PHP SOURCE CODE REVIEW | CRONTAB | "nohup" COMMAND INJECTION | "ifcfg" FILE EXPLOITATION

nmap

ports open :- 22, 80 ; port closed :- 443

gobuster

backup/ server-status/ uploads/ photos/ lib/

website (80)

homepage :- doesn't have any functionality, just a message saying "it works"

backup/ contains a backup.tar file; after untarring it we get 4 files :- upload.php, photos.php, index.php, lib.php. They are all PHP source code files of the target, and the matching paths also showed up as directories in the gobuster scan.

server-status/ no-response

uploads/ give us functionality to upload image file on the server

photos/ shows the uploaded files

lib/ no-response

file upload vulnerability

upload a PHP reverse shell & capture the request in Burp, and then :-

shell as apache

after uploading the shell, go to the "photos/" directory and open your file in a new tab (or just refresh the page) while running a nc listener on the terminal. BOOM....... we get the shell as apache

after getting the shell, I was unable to read user.txt, so we need to do privesc. Before that, I found 2 files in the "/home/guly" directory: 1. check_attack.php 2. crontab.guly. "crontab.guly" is running a cronjob that executes "check_attack.php" every 3 minutes

reading php source code

lib.php

this file checks and filters the input for both of the other files; it has 4 functions to sanitize the upload

getnameupload() and getnamecheck() both check the name and extension of the file: they remove "_" from the file name, then separate and rejoin the name and extension using the "explode" and "implode" functions. check_ip() checks whether the name is a correct IP or not; basically, if the name is not in IP format ("10.10.10.10") then it will not validate the file.

MIME() (forgot the real name of the function) first checks the type of file :- whether it's an image or text or whatever.... then this function checks the MIME type of the file which we are going to upload.

NOTE :- this is the main file because all the other files :- upload.php & check_attack.php require this file to do all their other functioning

upload.php

I already got the reverse shell, which means I already bypassed all the conditions required in this file

check_attack.php

Here's the summary :- require '/var/www/html/lib.php'; pulls in the variables and functions from lib.php so that it can perform all the other functioning. Basically it checks whether an attack happened or not, and if there is an attack then it removes the files and mails user guly about the attack. It checks the name and IP of the files present in '/var/www/html/uploads/', and if the file name is not an IP then it assumes there is an attack, deletes all such files and logs them in $logpath = '/tmp/attack.log';. To remove the content it executes exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$value\n";

privesc apache => guly

This passes the path of the file to the exec() function and deletes it. Of course, no validation is being done on the input of the exec() function and so we can abuse it to escalate privileges.

Change to the /var/www/html/uploads directory and create the following file.

The ";" will end the "rm" command in the exec() function and run the nc command. Set up the listener and BOOM.......... we get the shell as guly
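The root cause above is that a directory listing is concatenated into a shell command string. As an added example (not the target's check_attack.php), here is the same "delete anything whose name isn't an IP address" job written without any shell: the filename only ever reaches unlink() as a path argument, so a ";" in the name cannot start a second command. The variable names $path and $logpath follow the original script; the demo directory and file names are constructed.

```php
<?php
// Added example, not the target's check_attack.php: the same "delete anything
// whose name isn't an IP address" job, done without passing the filename to a
// shell. Variable names $path and $logpath follow the original script.

// Accept only "<dotted-quad>.<image extension>"; any other name is an "attack".
function isValidUploadName(string $name): bool {
    if (!preg_match('/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(jpe?g|png|gif)$/', $name, $m)) {
        return false;
    }
    for ($i = 1; $i <= 4; $i++) {
        if ((int)$m[$i] > 255) return false;
    }
    return true;
}

// VULNERABLE (original): exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
// $value comes straight from the directory listing, so metacharacters in the
// filename become part of the shell command line.

// HARDENED: unlink() takes a path, never a command string, so a filename can
// contain ';', '$', backticks or spaces and still only names a file.
function checkAttack(string $path, string $logpath): array {
    $removed = [];
    foreach (scandir($path) as $value) {
        if ($value === '.' || $value === '..' || isValidUploadName($value)) {
            continue;
        }
        $target = $path . basename($value);   // basename() also blocks '../'
        if (is_file($target) && unlink($target)) {
            $removed[] = $value;
        }
        // Escape control characters so the log file itself stays readable.
        file_put_contents($logpath, date('c') . " attack: " . addcslashes($value, "\0..\37") . "\n", FILE_APPEND);
    }
    return $removed;
}

// Constructed demo: a throwaway directory with one legitimate and two bad names.
$path    = sys_get_temp_dir() . '/uploads_demo_' . getmypid() . '/';
$logpath = sys_get_temp_dir() . '/attack_demo_' . getmypid() . '.log';
mkdir($path);
foreach (['10.10.10.10.jpg', '10.10.10.10.php', '10.10.10.10.jpg; x'] as $f) {
    touch($path . $f);
}
print_r(checkAttack($path, $logpath));   // lists the two non-conforming names
```

Run with `php check_attack_safe.php`; only 10.10.10.10.jpg survives in the demo directory, and the two rejected names appear in the log as plain text rather than as executed commands.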

privesc guly => root

After reading the shell script I got to know that when this script is executed, it does a regex check on input taken from the user and then writes an ifcfg script. See https://seclists.org/fulldisclosure/2019/Apr/24 for more details, but here is the short version :- after executing the file it takes input from the user and saves everything in an ifcfg file, but if you put a wrong command/input or give 2 inputs like this :- "vaibhav xxx" then it throws back the error "command not found". The problem starts here: this script is executing everything after a whitespace <space>. In order to do privesc, just execute a valid command after the input :- "vaibhav /bin/bash" and BOOM........ we got the shell as root
