DomDom: 1 Vulnhub Walkthrough

DomDom is another CTF challenge based on PHP mis-functionality, and credit goes to Avraham Cohen for designing this VM. Here you need to identify a bug to get a reverse shell connection to the machine and then try to gain a root shell. This VM can be downloaded from the link given below, and its level is set to easy for beginners.
Let’s start off with the scanning process. This target VM took the IP address 192.168.1.103 automatically from our local Wi-Fi network.
Then we used Nmap for port enumeration and found that port 80 is open, running an HTTP service.

Taking our manual penetration testing approach further, we open a web browser and enter the VM’s IP in the URL field. It welcomed us with a login form as shown below in the image.

So, we simply type the following and then click on the execute tab:
Your Name: admin
Your Username: admin
Password: admin

Since we didn’t find any clue to step ahead, we chose dirb for web directory enumeration. When I executed the command below, I found two URLs with a 200 OK response code.
When we explored /admin.php, it gave us a hint to dig deeper to identify the action being used here.

So again I explored http://192.168.1.102, intercepted its data within Burp Suite and then sent the intercepted request to Repeater to identify what action is being executed.

So, I forwarded the intercepted data to Repeater. At the initial phase it captures the POST request for /index.php, but inside Repeater we changed the POST request target from /index.php to /admin.php to identify the action.
Wow!! From its response we found a built-in script that executes commands.

To confirm the backend functionality, we sent a request to execute the “id” command and obtained the expected result, hence it is confirmed that it is vulnerable to Remote Code Execution.

Hence, I found the path through which one can execute malicious code or inject a malicious file into the host machine to get a reverse connection.
Therefore, I grabbed the “php-reverse-shell” file from /usr/share/webshells/php, modified the listening IP (i.e. our Kali Linux IP) and named it shell.php.

Further, I injected our shell.php file into the host machine and gave full permission to the malicious PHP file as shown in the image given below; then I launched a netcat listener in a new terminal to get the reverse connection.

Now, once the file is uploaded successfully, we need to execute the malicious file as highlighted below.

As soon as you execute the malicious file you get a reverse shell through netcat. As you can observe, we have a netcat session, so now we can step ahead to privilege escalation.
At this point, I was not sure what should be done to extract the hidden flag, therefore I decided to identify binaries with file capabilities with the help of getcap and saw a fruitful result.
getcap -r / 2>/dev/null
On exploring further we found README.md inside /home/domom/Desktop, which is owned by root.
As we have seen in the above image, “/bin/tar” has the capabilities to compress the file. It can manipulate its process UID and can be used on Linux as a backdoor to maintain elevated privileges with the CAP_SETUID capability set, therefore I triggered the following commands, which generate a .tar of README.md inside the /tmp directory:
cd /tmp
tar -cvf readme.tar /home/domom/Desktop/README.md
When you execute the above command, it generates a readme.tar file inside the /tmp directory, which can be extracted further to read the README.md file:
tar -xvf readme.tar
cat /tmp/home/domom/Desktop/README.md
Great!! From inside this file we obtained the password for user “root”, so we switch into the root account with the password found and access the root shell.
su root
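The getcap finding above is exactly what an administrator should be hunting for before an attacker does. The following is an added example (not part of the original walkthrough or the VM) that parses getcap output and flags binaries carrying capability sets such as CAP_SETUID or CAP_DAC_READ_SEARCH that let a process change its UID or bypass file permissions; the list of risky capabilities and the sample getcap lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit file capabilities: flag binaries whose capability set allows
# UID manipulation or DAC bypass (the class of finding getcap -r / gave us).
# Handles both getcap output styles:
#   "/bin/tar = cap_setuid+ep"   (older libcap)
#   "/bin/tar cap_setuid=ep"     (libcap >= 2.41)

# Capabilities that warrant review on any non-essential binary (assumed list).
RISKY_CAPS='cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner'

# flag_risky_caps: read getcap-style lines on stdin, print "<path> <caps>" for risky ones.
flag_risky_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}              # everything before the first space
        caps=${line#"$path"}          # remainder: " = caps" or " caps"
        caps=${caps#" = "}
        caps=${caps#" "}
        if printf '%s' "$caps" | grep -Eq "($RISKY_CAPS)"; then
            printf '%s %s\n' "$path" "$caps"
        fi
    done
}

# Constructed sample output (not captured from the VM).
SAMPLE='/usr/bin/ping = cap_net_raw+ep
/bin/tar = cap_setuid+ep
/usr/local/bin/backup cap_dac_read_search=ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep'

# count_risky: number of flagged entries in the sample (expected: 2).
count_risky() {
    printf '%s\n' "$SAMPLE" | flag_risky_caps | wc -l | tr -d ' '
}

# Live audit on a host (run as root for complete coverage):
#   getcap -r / 2>/dev/null | flag_risky_caps
```

Anything the audit flags that is not a known, documented requirement (for example ping needing cap_net_raw) should be stripped with setcap -r or justified in the host's baseline.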
