Arbitrary File Upload
The web application on target port 8080 exposes a hidden endpoint, /dev/, built on PHP, which supports file upload restricted to GIF files only.
File Upload Filter Bypass
Uploading a sample JPG file fails.
This confirms the presence of a file upload filter.
Additionally, the file size appears to be capped at 100 KB.
Changing the extension to .gif still fails.
However, changing the Content-Type header to image/gif works.
It also reveals the upload directory: /uploads.
Changing the extension to .php with the Content-Type header set to image/gif still works.
This suggests that the file upload filter only checks the Content-Type header.
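The root cause observed above is a server-side check that trusts the client-supplied Content-Type of the multipart part. The following added example (not the target application's code) shows a minimal PHP handler with that flawed check beside a hardened version that validates the file bytes, allowlists the extension, and generates the stored filename server-side. The form field name, directory paths and size cap are assumptions chosen for illustration.

```php
<?php
// Added example, not the target application's code. Paths, the "file"
// form field and the 100 KB cap are assumptions for illustration.

// VULNERABLE: trusts the client-supplied Content-Type and reuses the
// original filename, so "shell.php" sent with "Content-Type: image/gif"
// passes the check and lands in a web-served directory.
function vulnerableUpload(array $file, string $uploadDir): bool
{
    // $_FILES[...]['type'] is copied verbatim from the multipart part header
    // sent by the client; it proves nothing about the file contents.
    if ($file['type'] !== 'image/gif') {
        return false;
    }
    return move_uploaded_file($file['tmp_name'], $uploadDir . '/' . basename($file['name']));
}

// HARDENED: validates the bytes, not the header; allowlists the extension;
// never lets the client filename reach the filesystem; caps the size.
function hardenedUpload(array $file, string $uploadDir, int $maxBytes = 100 * 1024): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > $maxBytes) {
        return null;
    }

    // 1. Sniff the real MIME type from the file contents via libmagic,
    //    never from $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/gif') {
        return null;
    }

    // 2. Independently confirm the GIF signature bytes ("GIF87a" / "GIF89a").
    $header = file_get_contents($file['tmp_name'], false, null, 0, 6);
    if ($header !== 'GIF87a' && $header !== 'GIF89a') {
        return null;
    }

    // 3. Allowlist the client-supplied extension. Double extensions such as
    //    "x.php.gif" are harmless here because the stored name is generated
    //    below and the client name is discarded.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'gif') {
        return null;
    }

    // 4. Server-generated random name with a fixed, non-executable extension.
    $stored = bin2hex(random_bytes(16)) . '.gif';
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }

    // 5. Defence in depth: no execute bit on disk. The directory itself
    //    should also be outside the web root or have PHP execution disabled.
    chmod($dest, 0644);
    return $stored;
}

// Example usage (assumed field name "file", assumed directory outside the web root).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $name = hardenedUpload($_FILES['file'], '/var/www/uploads-private');
    http_response_code($name === null ? 400 : 201);
    echo $name === null ? 'rejected' : 'stored as ' . $name;
}
```

The hardened handler still needs web-server support: storing uploads outside the document root (or disabling the PHP engine for the upload directory, for example with `php_admin_flag engine off` under Apache mod_php) ensures that even a file which slips past validation is served as static bytes rather than executed. For detection, requests for files with executable extensions under an upload path such as /uploads/ are a strong indicator of the web shell this writeup describes.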
Exploitation
Changing the Content-Type header value to image/gif.
Successfully uploaded the payload.
Triggering the payload.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.153] from (UNKNOWN) [192.168.122.113] 58286
SOCKET: Shell has connected! PID: 114
whoami
www-data
hostname
a7c367c2113d

Initial foothold established on the a7c367c2113d host as the www-data account by leveraging an arbitrary file upload vulnerability to achieve remote code execution (RCE).
ip a
bash: line 3: ip: command not found
ifconfig
bash: line 4: ifconfig: command not found
/sbin/ifconfig
bash: line 5: /sbin/ifconfig: No such file or directory
/sbin/ip a
bash: line 6: /sbin/ip: No such file or directory

Notably, standard network-related commands appear to be unavailable, which strongly suggests that the compromised environment may be operating within a containerized environment, imposing certain restrictions on system capabilities. Further enumeration is required to determine the exact nature of the host and assess potential breakout opportunities.