I started as usual with an nmap scan, which revealed an HTTP server running on port 80 and SSH running on port 22.
I ran dirb against port 80, which revealed a few interesting pages, including backup and upload.php.
I navigated to backup, where I could download a zip file containing what appeared to be the source code for several pages.
A block of code in upload.php shows that only .jpg, .png, .gif and .jpeg files can be uploaded. A block in lib.php suggests that the files are also checked by MIME type, meaning the file contents are checked as well as the extension. Alongside this, the file name is changed to match the IP address of the user that uploaded it.
To get around this I downloaded one of the images that had already been accepted by the upload filter on the photos.php page. I then added a line of PHP code to spawn a reverse shell using bash and changed the extension to .php.png, hoping that it would accept a double extension. Whilst doing this I made sure that the file would still be parsed as a .png file.
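The filter described above fails because it treats a double extension and a valid image header as sufficient. The following is an added example, written for this write-up and not code from the box or its source files, of what a stricter upload check looks like: only the final extension is considered, a second extension is refused outright, the magic bytes must match the claimed type, and a PHP open tag anywhere in the body is rejected. The naming convention (IP with dots replaced by underscores) and the sample byte strings are assumptions constructed for the example.

```python
import os
import re

# Allow-listed extensions and the magic bytes each one must start with.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Heuristic: PHP open tags have no business inside an image file.
PHP_TAGS = (b"<?php", b"<?=")


def validate_upload(filename, data):
    """Return (accepted, reason). Only the final extension counts, the
    magic bytes must match it, and embedded PHP tags are rejected."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    if len(parts) > 2:
        # e.g. shell.php.png: a double extension is never legitimate here
        return False, "double extension"
    ext = parts[-1]
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if any(tag in data for tag in PHP_TAGS):
        return False, "embedded PHP tag"
    return True, ext


def stored_name(client_ip, ext):
    """Server-chosen file name derived from the uploader's IP (assumed
    convention: dots replaced by underscores) plus the validated extension."""
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", client_ip):
        raise ValueError("not an IPv4 address")
    return client_ip.replace(".", "_") + "." + ext


# Constructed samples: a minimal PNG header, and the same with a PHP tag appended.
CLEAN_PNG = MAGIC["png"] + b"\x00" * 16
TAINTED_PNG = CLEAN_PNG + b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    for name, data in [("cat.png", CLEAN_PNG),
                       ("shell.php.png", CLEAN_PNG),
                       ("cat.png", TAINTED_PNG)]:
        print(name, validate_upload(name, data))
```

Content checks like this are only one layer: the reason a .php.png file gets executed at all is that Apache's mod_mime applies handlers to every extension segment of a name, so `AddHandler ... .php` matches `shell.php.png`. The upload directory should additionally be configured so that nothing in it is ever passed to the PHP interpreter.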
I uploaded the file, successfully bypassing the upload filter.
After this I set up a listener using nc and refreshed the page, successfully spawning a reverse shell as the apache user.
I tried to grab the user flag but hadn’t got the permissions to read it.
I took a look at the other files in guly's home directory; crontab.guly revealed that check_attack.php was run every 3 minutes.
check_attack.php basically checked the web server's uploads directory for any files that didn't match the naming syntax applied by the filter from earlier, then removed each one by building an rm command from the file name. This looked vulnerable to command injection.
I checked whether nc was available on the box using compgen, since including slashes in the file name stopped the injection from working properly.
With nc available I simply created a file with a name that wouldn't match the syntax created by the upload filter (an IP address) and appended ; nc <nc stuff> to spawn another reverse shell; this would try to delete the file called test and then execute the nc command. I set up a listener and waited, eventually gaining access as guly.
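The cron job is exploitable only because it hands an attacker-controlled file name to a shell. The following is an added example, not the box's check_attack.php, of the same cleanup done without a shell: names that do not fit the expected convention are removed with a direct `os.remove` call, so metacharacters in the name are inert, and anything that could point outside the upload directory is refused. The naming pattern, the directory layout and the two sample files in `demo()` are constructed assumptions.

```python
import os
import re
import tempfile

# Assumed naming convention from the upload handler: IPv4 with underscores + image extension.
EXPECTED_NAME = re.compile(r"\d{1,3}_\d{1,3}_\d{1,3}_\d{1,3}\.(jpg|jpeg|png|gif)")


def is_expected(name):
    """True if the name matches the convention the upload handler produces."""
    return EXPECTED_NAME.fullmatch(name) is not None


def safe_remove(upload_dir, name):
    """Delete one entry by direct syscall; no shell ever sees the name, so
    ';', '|' or backticks in it have no effect. Refuses symlinks and any
    entry whose resolved path is not directly inside upload_dir."""
    if name in (".", "..") or "/" in name or "\x00" in name:
        return False
    path = os.path.join(upload_dir, name)
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(upload_dir):
        return False
    os.remove(path)
    return True


def clean_uploads(upload_dir):
    """Sweep the directory; return (removed, kept) name lists."""
    removed, kept = [], []
    for name in sorted(os.listdir(upload_dir)):
        if not is_expected(name) and safe_remove(upload_dir, name):
            removed.append(name)
        else:
            kept.append(name)
    return removed, kept


def demo():
    """Constructed sample directory: one legitimate upload and one file whose
    name carries shell metacharacters, as in the write-up's scenario."""
    d = tempfile.mkdtemp()
    for n in ("10_10_14_5.png", "test; echo injected"):
        with open(os.path.join(d, n), "wb") as f:
            f.write(b"\x89PNG")
    removed, kept = clean_uploads(d)
    return removed, kept, sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```

From a detection standpoint, the same regex is the thing to alert on: a file appearing in the upload directory whose name does not match the convention is either a filter bypass or an injection attempt, and is worth logging before it is deleted.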
After grabbing user.txt I used sudo -l to determine what guly could run with sudo; there is one file, changename.sh, that they could run.
changename.sh looks like a script to update variables in a network device config file.
I ran the file with sudo to get an idea of how it worked; this didn't give away too much, only that the device isn't present.
A little research led me to this page: https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f
According to this the name parameter is vulnerable: simply leaving a space in the input will execute any command that precedes it. Using that information I arrived at the conclusion that aaaa bash should spawn a bash shell as the root account, and it does.
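The root cause here is a sudo-permitted script that writes user input into a config file which is later sourced by a shell, without restricting what the value may contain. The following is an added example, not changename.sh itself, of the validation step such a script is missing: values are checked against a conservative allow-list that admits no whitespace or shell metacharacters before anything is written, and are quoted on output as a second layer. The key names other than NAME, and the 64-character limit, are assumptions for the example.

```python
import re

# Conservative allow-list for values destined for a shell-sourced config file:
# letters, digits and a few punctuation characters, never whitespace.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")
# Keys the hypothetical rename script is allowed to set (NAME is the one
# the write-up discusses; the others are assumed for illustration).
ALLOWED_KEYS = {"NAME", "DEVICE", "BOOTPROTO"}


def check_value(value):
    """True only if the value is safe to write unescaped into an ifcfg-style file."""
    return SAFE_VALUE.fullmatch(value) is not None


def render_ifcfg(settings):
    """Produce ifcfg-style lines, refusing any key outside the allow-list and
    any value that fails check_value(). Quoting alone is not the defence;
    the allow-list is what keeps 'aaaa bash' out of the file."""
    lines = []
    for key, value in settings.items():
        if key not in ALLOWED_KEYS:
            raise ValueError(f"unsupported key: {key}")
        if not check_value(value):
            raise ValueError(f"rejected value for {key}: {value!r}")
        lines.append(f"{key}='{value}'")
    return "\n".join(lines) + "\n"


def try_render(settings):
    """Wrapper returning (ok, text_or_error) so callers can see why input was refused."""
    try:
        return True, render_ifcfg(settings)
    except ValueError as e:
        return False, str(e)


if __name__ == "__main__":
    # Constructed inputs: a normal interface name and the write-up's injection string.
    print(try_render({"NAME": "eth0", "BOOTPROTO": "dhcp"}))
    print(try_render({"NAME": "aaaa bash"}))
```

The wider lesson for sudoers entries is that a script run as root must treat every argument and prompt answer as hostile; if a value is going into a file that `ifup` or similar will source, it needs the same scrutiny as an argument to `eval`.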