- Source Code Interrogation
- Burp Suite - POST Request
- Burp decode string
- Injecting Reverse Shell Code
- PHP Shell
- Reverse Shell
- Linux Local Privilege Escalation
- Tar Unix Wildcards Local Privilege Escalation
- Root Flag
Another short, but fun VM.
OpenSSH 6.7p1 Debian 5
Running OWASP dirbuster against port 80 exposed
Source Code Interrogation
js.php source revealed function
Note the examples at the bottom.
Inspection of the source revealed it works with the js file for serialization.
Burp Suite - POST Request
Modifying the request from GET to POST rendered the index.php
Burp confirmed the Serialized object:
Burp decode string
Right click the string, send to Decoder.
Click “Smart decode”
Using the example section of the previously discovered php.js file, it was possible to work out the serialization mechanism.
New modified string introduced with burp:
URL-encode the above string with Burp Decoder and inject it using Burp Repeater.
Refreshing the scriptz directory confirmed the creation of Meh.txt containing
Injecting Reverse Shell Code
Burp Decoder was leveraged to encode the following string:
Select Encode as URL.
Paste encoded string into Burp Repeater:
nc is installed on the target, so the PHP shell introduced in the previous step is leveraged to execute a netcat reverse shell.
Linux Local Privilege Escalation
Get HighOn.Coffee linux local enumeration script:
/etc/crontab exposed the script /usr/bin/compress.sh, which is world readable.
Tar Unix Wildcards Local Privilege Escalation
The previously discovered backup script uses * to perform a backup of all files within the directory /home/rene/backup/. Due to poorly configured file system permissions on the backup directory, it is possible to introduce files into the backup directory which tar will process when it backs up the files in that directory.
Tar Arbitrary Command Execution
The --checkpoint-action parameter can be abused to execute arbitrary code as the user running the tar binary. --checkpoint-action is a tar feature that allows execution of a command when a file whose name is prefixed with --checkpoint-action=exec=COMMAND-HERE is reached, because the shell expands the wildcard and tar parses the resulting name as an option.
The above leverages the tar arbitrary command execution, resetting the root account password when the cron job is processed (every 5 minutes).
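The root cause here is a cron-run backup script that hands a shell wildcard to tar, so an attacker-controlled filename becomes a tar option. Below is an added example (not code from the original writeup or from the VM's /usr/bin/compress.sh) of how a defender would fix and audit such a script: `check_backup_dir` flags any entry in the backup directory whose name starts with `-`, and `safe_backup` archives the directory by feeding tar an explicit NUL-separated file list from `find` instead of a wildcard, so no filename can ever be parsed as an option. The directory and archive paths are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Hardened stand-in for a
# cron-driven backup script of the "tar cf backup.tar *" kind.
# Assumptions: POSIX sh, GNU tar and find; paths are caller-supplied placeholders.

# Audit a backup directory for entries whose names begin with '-'.
# With "tar cf out.tar *" the shell expands such names in place and tar
# parses them as options (the --checkpoint-action case described above).
# Prints each suspicious name to stderr; returns 0 when the directory is
# clean and 1 when at least one suspicious entry exists.
check_backup_dir() {
    dir="$1"
    found=0
    for entry in "$dir"/* "$dir"/.*; do
        name=$(basename "$entry")
        case "$name" in
            .|..) continue ;;                     # skip the directory links
            -*) echo "suspicious entry name: $name" >&2; found=1 ;;
        esac
    done
    return "$found"
}

# Archive a directory without ever expanding a wildcard on the tar command
# line. find emits "./name" entries separated by NUL, and tar reads them with
# --null -T -, which also makes tar take dash-prefixed names verbatim rather
# than as options. The archive path should be absolute. Returns tar's status.
safe_backup() {
    dir="$1"
    archive="$2"
    ( cd "$dir" && find . -mindepth 1 -print0 | tar --null -T - -cf "$archive" )
}

# Usage from a cron job (placeholder paths):
#   check_backup_dir /home/rene/backup || logger "backup dir has option-like names"
#   safe_backup /home/rene/backup /var/backups/backup.tar
```

Running the audit before the archive step turns the wildcard abuse into a logged finding instead of a silent code execution, and the `find | tar -T -` form removes the vulnerability class regardless of how the directory permissions are set.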
After 5 minutes, escalate root privileges by executing
and entering the password
Thanks for the VM :)