- Description
- Enumeration
- Source Code Interrogation
- Burp Suite - POST Request
- Burp decode string
- Injecting Reverse Shell Code
- PHP Shell
- Reverse Shell
- Linux Local Privilege Escalation
- Tar Unix Wildcards Local Privilege Escalation
- Root Flag
## Description

Another short, but fun VM.

Author: @s4gi_

Download: /dev/random: Pipe via @VulnHub
## Enumeration

### Service Enumeration

| Port | Service | Version Detection |
|---|---|---|
| | SSH | OpenSSH 6.7p1 Debian 5 |
| | HTTP | Apache HTTPD |
| | rpcbind | n/a |

### HTTP Enumeration

Running OWASP DirBuster against port 80 exposed `/scriptz/`, containing JavaScript and PHP files.
## Source Code Interrogation

### php.js Interrogation

The js.php source revealed the function `serialize`; note the examples at the bottom.

### log.php.BAK Interrogation

Inspection of the source revealed it works with the JS file for serialization.
## Burp Suite - POST Request

Modifying the request from GET to POST rendered index.php. Burp confirmed the serialized object:

## Burp decode string

Right click the string and send it to Decoder. Click "Smart decode".

Using the example section of the previously discovered php.js file, it was possible to work out the serialization mechanism.

New modified string introduced with Burp:

Using Burp Decoder, URL-encode the above string and use Burp Repeater to inject it.

Refreshing the scriptz directory confirmed the creation of Meh.txt containing the text HighOnCoffee.
## Injecting Reverse Shell Code

Burp Decoder was leveraged to encode the following string (select Encode as URL):

Paste the encoded string into Burp Repeater:

## PHP Shell

## Reverse Shell

nc is installed on the target, so the PHP shell introduced at the previous step is leveraged to execute a netcat reverse shell.
## Linux Local Privilege Escalation

Spawn a tty:

Get the HighOn.Coffee Linux local enumeration script:

wget https://highon.coffee/downloads/linux-local-enum.sh

Inspection of `/etc/crontab` exposed the script `/usr/bin/compress.sh`, which is world readable.
## Tar Unix Wildcards Local Privilege Escalation

### Unix Wildcards

The previously discovered backup script uses `*` to perform a backup of all files within the directory `/home/rene/backup/`. Due to poorly configured file system permissions on the backup directory, it is possible to introduce files into the backup directory which tar will process when it backs up the files in that directory. Because the shell expands `*` before tar runs, a file whose name begins with `--` is passed to tar as an option rather than as a filename.

### Tar Arbitrary Command Execution

Tar's `--checkpoint-action` parameter can be abused to execute arbitrary code as the user running the tar binary. `--checkpoint-action` exists as a tar feature allowing execution of a command when the file prefixed with `--checkpoint-action=exec=COMMAND-HERE` is reached.

The above leverages the tar arbitrary command execution, resetting the root account password when the cronjob is processed (every 5 minutes).
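As an added example (not part of the original writeup, and not code from the VM), the following POSIX shell audit checks a cron-driven backup job for the two conditions that made this escalation possible: a backup directory writable by other users, and entries in it whose names start with a dash, which a `*` expansion would hand to tar as options. It also shows a hardened invocation that points tar at `.` inside the directory instead of globbing, so entry names never reach tar's argument list. The directory and script paths are parameters; `/home/rene/backup` and `/usr/bin/compress.sh` appear only as the usage hint and are taken from the writeup.

```shell
#!/bin/sh
# Added example for this writeup: audit a tar backup job for wildcard-injection
# preconditions and show a hardened alternative to "tar czf out.tgz *".
# Nothing below assumes the VM's layout; paths are passed in by the caller.

# Permission string ("drwxrwxrwx") from ls, trimmed to the 10 mode characters
# so an ACL marker ('+') or SELinux dot does not disturb the pattern match.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Returns 0 if the directory is safe for an unattended tar job, 1 on findings,
# 2 if it does not exist. Findings are printed one per line.
audit_backup_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    case "$(mode_of "$dir")" in
        ????????w?) echo "FINDING: $dir is world-writable"; rc=1 ;;
    esac
    case "$(mode_of "$dir")" in
        ?????w????) echo "FINDING: $dir is group-writable"; rc=1 ;;
    esac
    # Any entry whose name begins with '-' would be parsed as an option
    # once the cron job's '*' is expanded by the shell.
    for entry in "$dir"/-*; do
        [ -e "$entry" ] || continue
        echo "FINDING: option-like entry name: $(basename -- "$entry")"
        rc=1
    done
    return $rc
}

# A script referenced from /etc/crontab must not be writable by group or
# others, otherwise the cron user (here root) runs whatever is written into it.
audit_cron_script() {
    script=$1
    [ -f "$script" ] || { echo "no such file: $script"; return 2; }
    case "$(mode_of "$script")" in
        ????????w?|?????w????)
            echo "FINDING: $script is writable by group or others"; return 1 ;;
    esac
    return 0
}

# Hardened backup: no shell wildcard. tar archives '.' from inside the
# directory, so a file named "--anything" is just a member, never an option.
safe_backup() {
    dir=$1
    archive=$2
    tar -cf "$archive" -C "$dir" .
}

# Usage hint: sh audit.sh /home/rene/backup /usr/bin/compress.sh
if [ $# -ge 1 ]; then
    audit_backup_dir "$1"
    [ $# -ge 2 ] && audit_cron_script "$2"
fi
```

The audit is intentionally read-only; on a live host the remediation is to make the backup directory owned and writable only by the backup user, and to rewrite the cron script to use the `-C "$dir" .` form (or `find ... -print0 | tar --null -T -`) so that filenames can never be promoted to options.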
## Root Flag

After 5 minutes, escalate to root privileges by executing `su -` and entering the password `passwd`.

Thanks for the VM :)