DC5
Port 80 on the target machine take us to the following web page. Multiple sub pages include non-english text and after translating random paragraphs found this is mostly gibberish.
Clicking the home button takes us to the same page but we notice this time we are on /index.php. I then ran feroxbuster against the target site to identify more pages.
Checking out contact.php and it appears to be the only page to take some form of input.
After submitting some test information we are directed to /thankyou.php where the URL contains our input from the previous page.
At this point I decided to test thankyou.php? for command injection. I caught the request in Burpsuite
and sent it to intruder. I then set the payload variable as below.
I then added the command injection list as shown below as the payload.
Ensure URL encoding is turned off as this was causing incorrect results as it was encoding '?'
.
Viewing the results of the payload after show that the ?file=
parameter appears to be vulnerable due to the content length being greatly different form the other values.
Viewing this in the browser shows us valid results.
We can fuzz for further files using wfuzz
and the command below:
The LFI list can be downloaded from here
We have two interesting LFI paths found once wfuzz
completes:
Checking out access.log we can see requests we have made.
We can capture a request in Burpsuite
and inject a PHP reverse shell into the User-Agent field. When the code is injected into the log we are able to get a reverse shell.
Where the code snippet below is used for the RCE:
With a netcat listener listening we can then access the log files again at: http://192.168.211.26/thankyou.php?file=../../../../../../../var/log/nginx/access.log
When we attempt to load the log files the page should hang and we get a reverse shell.
Searching for SUID commands on the machine find the binary screen-4.5.0 has the SUID bit set.
Researching on Google shows a local privilege escalation exploit for this binary version.
We first need to create some files and break down the script to get this to work. Follow the instructions below to achieve shell.
Compile libhax.c
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
Compile rootshell.c
gcc -o /tmp/rootshell /tmp/rootshell.c
Create exploit bash script.
Upload compiled files to target machine.
Once uploaded make the bash script executable:
Execute exploit.sh then after run /tmp/rootshell
to gain shell as root.