Safetech Blog - Security Tips and Tricks


by Oana Stoian

PwnLab:init Walkthrough

Thanks to Claor @Chronicoder and the VulnHub folks for the opportunity to write another walkthrough for a very challenging vulnerable machine.
First things first, I fired up nmap. That is my usual routine: run nmap, then nikto. 😀

[screenshot: nmap scan output]

As can be seen, only two ports are of interest: 80 (HTTP) and 3306 (MySQL).

Running nikto reveals the following information:

[screenshot: nikto scan output]

On port 80 there is a web application with an upload section, but uploading files requires authentication:

[screenshot: upload page requiring login]

The URL structure (a ?page= parameter naming a file) suggests that the application might be vulnerable to Local File Inclusion.

After some tests, I managed to read files from the server using the php://filter/convert.base64-encode/resource= wrapper, which seems to be the only way of getting file contents back (a plain include would execute the PHP instead of displaying it).

http://172.16.100.71/?page=php://filter/convert.base64-encode/resource=upload

The browser displays the source code of upload.php, base64-encoded:

[screenshot: LFI result, base64-encoded source of upload.php]

With the same technique I read the source code of all the available PHP files. In index.php, a piece of code caught my attention:

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
    include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>

This looks like another local file inclusion vector (the lang cookie is concatenated straight into include()), and a quick test confirms it works as expected:

[screenshot: LFI via the lang cookie]
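As an added example (not part of the original walkthrough or the PwnLab source), this is how the lang include above could be hardened: the cookie value is treated as a key into a fixed allowlist rather than as a path, which closes this vector and also the later trick of including an uploaded .gif through it. The lang/ directory and the en/fr file names are assumptions.

```php
<?php
// Added example, not code from the PwnLab machine: a hardened replacement
// for the index.php language include. The cookie value is only ever used
// as a key into a fixed allowlist, never concatenated into a path, so
// php:// wrappers, ../ traversal and uploaded files are unreachable.
// Assumed layout: lang/en.lang.php and lang/fr.lang.php next to this file.

const LANG_DIR = __DIR__ . '/lang';
const LANG_FILES = [
    'en' => 'en.lang.php',
    'fr' => 'fr.lang.php',
];

/** Return the absolute path of an allowed language file, or null to reject. */
function resolveLangFile($lang): ?string
{
    // Cookies can arrive as arrays (lang[]=x); only plain strings are keys.
    if (!is_string($lang) || !array_key_exists($lang, LANG_FILES)) {
        return null;
    }
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/' . LANG_FILES[$lang]);
    // realpath() is false for a missing file; the prefix check guards
    // against a symlink inside lang/ that points outside the directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_COOKIE['lang'] ?? 'en';
$file = resolveLangFile($requested);
if ($file === null) {
    // Log the rejected value hex-encoded (no log injection), then fall
    // back to the default language instead of including anything.
    $shown = is_string($requested) ? substr($requested, 0, 64) : 'array';
    error_log('rejected lang cookie: ' . bin2hex($shown));
    $file = resolveLangFile('en');
}
if ($file !== null) {
    include $file;
}
```

With this in place, a value such as the php://filter string used earlier, or the MD5-named file from /upload, is simply not a key in LANG_FILES and is logged and rejected.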


Recalling the nikto results, which revealed the existence of a config.php file, the same technique yields its source code:

<?php
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

Remember that the MySQL port is open; now that we have credentials for the database, we can connect to it.

[screenshot: MySQL connection with the recovered credentials]

In the database I found the users and base64-encoded passwords used to log in to the web application.

[screenshot: users table with base64-encoded passwords]

Now that we have the credentials, we can log into the application and look for a way to execute commands on the operating system.

The next step is to upload a file containing PHP code, but I soon realized this is not easy. From the source code of upload.php I could see that the application restricts the extension, checks that the Content-Type contains "image", and also checks the MIME type, so there is no way to upload a file with a .php extension.

What we can do is upload a text file with a .gif extension, put PHP code in it, and start the file content with a valid GIF header so the MIME check passes.

[screenshot: upload of the crafted .gif file]

The file is stored in the /upload folder, with the original file name replaced by its MD5 hash.

Now we can use the LFI in the lang cookie to execute our uploaded shell.

[screenshot: lang cookie pointing at the uploaded file]

[screenshot: netcat shell]

Now it is time to enumerate the system, including running the LinEnum script for a comprehensive picture, but no low-hanging fruit was found.

Reviewing the information gathered so far and trying to connect the dots, I realized that the users and passwords from the MySQL database correspond to users present on the system (/etc/passwd); maybe the passwords are reused for the operating system accounts as well.

[screenshot: su to kane with the database password]

In kane's home folder we find a file called msgmike, owned by user mike and with the setuid bit set.

Running it produces an error about a missing file in mike's home. Analyzing the msgmike binary with strings shows the full command it runs, and that cat is invoked by a relative name rather than an absolute path, which gives me an idea.

[screenshot: strings output of msgmike]

We can manipulate the PATH environment variable so that a different cat program is found first, one that spawns a shell for us 🙂

We modify PATH to begin with /tmp, the directory where we will create a file named cat.

[screenshot: export PATH=/tmp:$PATH]

# create the fake cat (single quotes keep the shell from expanding the !)
echo '#!/bin/sh' > /tmp/cat
echo '/bin/sh' >> /tmp/cat
# the PATH lookup only picks up executable files
chmod +x /tmp/cat

Now it's time to run msgmike again and get a shell as mike:

[screenshot: running msgmike, shell as mike]

In mike's home folder we find another binary, this time owned by root and with the setuid flag set. When run, it prompts for some input, echoes it back and exits.

[screenshot: mike's home folder]

Analyzing the binary with strings, we discover the command it uses.

[screenshot: strings output of msg2root]

Since our input ends up inside that command, command injection looks possible, and we give it a try.

[screenshot: root shell]

And now, by the power vested in me by the state of root, I present to you the contents of flag.txt:

[screenshot: flag.txt contents]
