Archangel
Nmap
Looking at the immediate page on port 80 we see a hostname we can use of mafialive.thm.
I added this into /etc/hosts. Before checking the new hostname I scanned the IP further with dirsearch.py and only got one interesting hit on 'flags' which was a Rick Roll...
I then decided to browse tomafialive.thm and we immediately get the first flag.
Running dirsearch.py against this host reveals /robots.txt.
Browsing to and reading the contents of robots.txt the file contains the following:
Browsing to /test.php shows the below page.
Clicking the button runs the string 'Control is an illusion'. We can see from the URL bar test.php is 'viewing' /var/www/html/development_testing/mrrobot.php.
I tried running LFI parameters on 'test.php?view=' and was unable to discover any exploits. Searching through the following resource: https://book.hacktricks.xyz/pentesting-web/file-inclusion. We have several ways we can attempt to exploit the web application.
We can try a PHP filter on base64 to attempt to read a file. We can run the command below to read the contents of test.php to see what it is trying to do.
Running this with curl we are returned a base64 string.
Running the string against base64 returns a flag and the PHP code for test.php
The PHP code is shown below for easier reading.
Looking at the following line in the code:
if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
The exclamation mark stands for NOT so this line is saying if 'Does Not' contain '../..' and 'Does' contain /var/www/html/development_testing then perform the function.
We can use a list of filters in an attempt to fuzz and bypass the restrictions in order to read local files. Remembering from the code snippet above for the view parameter we need to include /var/www/html/development_testing.
Use this file for Fuzzing: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File%20Inclusion/Intruders/Traversal.txt.
The parameter --hl 15 was used to filter out invalid responses. Resulting in matches for the results below:
Running curl against the target with a confirmed filter from above.
We can attempt to perform log poisoning to gain RCE and shell on the target machine. Running curl again we can view the Apache access log files. We can also see the recent requests performed above by wfuzz.
I will switch over th Burpsuite for this as it is easier to work in than curl if we need to troubleshoot our requests. Reload the page for accessing the access.log and catch the request with Burpsuite. We can then alter the user-agent field to contain PHP code. In the example below we are executing netcat on the target machine to create a reverse shell to us.
Once the request has been sent this will exist in access.log Simply reload the LFI for http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..///var/log/apache2/access.log. This should then execute the PHP code and catch a shell on netcat on our attacking machine.
I then transferred over linpeas to the target machine. After exeucting linpeas identified a cronjob that is executed every minute by the user 'archangel'.
This cronjob is executing the file /opt/helloworld.sh. Viewing the permissions of the file we see we have the ability to edit the contents of the file. Currently every minute the file appends a new line to /opt/backupfiles/helloworld.txt
We can echo in a new line for a bash reverse shell and wait for it to execute.
Start a netcat listener on our attacking machine.
Then wait for the cronjob to execute. If performed correctly we will have shell as the user 'archangel'.
Again running linpeas on the target machine we find a custom binary with the SUID bit set.
Looking at the results above we can see the binary is trying to execute the command 'cp' or copy without a full path specified and as such is unable to locate the binary.
We can take advantage of this by exporting a new path where our home directory is searched in first and then get our own malicious binary executed with the SUID privileges (root privileges).
First set a new path where the users home directory is the first entry.
Then create a file containing a reverse shell in /home/archangel.
On the above commands we have created a file called 'cp' in the home directory of /home/archangel we have then set /bin/bash at the start of the script and then echo'd in on a new line a bash reverse shell. Finally we set the file to be executable with chmod.
Set up a netcat reverse shell on the attacking machine.
Then execute the backup binary:
We then receive a reverse shell as root.
Last updated
