Linux Machine CTF! You’ll learn about enumeration, finding hidden password files and how to exploit PHP deserialization!
Medium rated. This is Debug from THM. Everything seems to have been kicking my ass lately (yes, I prefer the American spelling for that expression). I’ve also been a bit lacking in motivation. However, I am still doing something every day. I didn’t really get anywhere yet with SafeZone on THM. I did Spectra on HTB - did I mention that? Also I’ve got user on Armageddon and I think I know how to get root but I haven’t done it yet.
Am I getting off track? Back to Debug.
Ports
SSH and HTTP, but we already knew it was PHP deserialization, so we’re looking for some PHP code, I guess.
HTTP
We have index.html which is the Apache default page, plus index.php which isn’t. This has some fields in which we can submit some user input … maybe something that can be deserialized? Lol.
I hadn’t done this before and it took me some reading. Which I liked, so yay! Anyway, we need some more info.
Feroxbuster (my weapon of choice these days) points us to /backup/. What’s there? A directory listing!
What we want is the index.php.bak so we can examine the source code. Good reading material here, and I used this pdf.
Vulnerable Code
Okay, I removed a few spaces and whatnot. So we have a class FormSubmit that creates a file called message.txt and puts it in the webroot, and appends stuff to it. Here’s what I came up with for an exploit:
So I’m creating my own file called cmd.php and adding the classic PHP command-execution code into it. I run this from the command line via:
GET /index.php?debug=O%3a10%3a"FormSubmit"%3a2%3a{s%3a9%3a"form_file"%3bs%3a7%3a"cmd.php"%3bs%3a7%3a"message"%3bs%3a35%3a"<%3fphp+echo+system($_GET['cmd'])%3b+%3f>"%3b} HTTP/1.1
Creates the cmd.php file, and sending it a shell gets us on the box:
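For the record, here is the pattern behind that request next to a hardened handler. This is an added example, not the box's own index.php: the class and property names come from the payload above, while the method bodies and the `allowed_classes` fix are my own assumption of how such code looks and how it should be written.

```php
<?php
// Added example, not the original index.php: a reconstruction of the
// vulnerable pattern described in the write-up, followed by a hardened handler.
// Class and property names come from the payload above; the method bodies are
// an assumption.

class FormSubmit
{
    public $form_file = 'message.txt';
    public $message   = '';

    // Appends the message to a file in the webroot.
    public function SaveMessage(): void
    {
        file_put_contents(__DIR__ . '/' . $this->form_file,
                          $this->message . PHP_EOL, FILE_APPEND);
    }

    // Runs automatically when the object is destroyed, including objects that
    // were created by unserialize(), so the caller never has to invoke it.
    public function __destruct()
    {
        $this->SaveMessage();
    }
}

// Vulnerable: the client picks the class, the file name and the file contents.
function vulnerableHandler(string $debug): void
{
    unserialize($debug);
}

// Hardened: objects are refused (any O: token becomes __PHP_Incomplete_Class,
// whose magic methods never run), the file name is fixed server-side, and only
// the message string is taken from the client.
function hardenedHandler(string $debug): bool
{
    $data = @unserialize($debug, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['message']) || !is_string($data['message'])) {
        return false;
    }
    $fs = new FormSubmit();          // form_file stays 'message.txt'
    $fs->message = strip_tags($data['message']);
    return true;                     // __destruct appends the sanitised message
}
```

If the form never needs to send objects at all, json_decode() is the simpler transport, since JSON cannot name a class in the first place.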
james@osboxes:~$ cat Note-To-James.txt
Dear James,
As you may already know, we are soon planning to submit this machine to THM’s CyberSecurity Platform! Crazy… Isn’t it?
But there’s still one thing I’d like you to do, before the submission.
Could you please make our ssh welcome message a bit more pretty… you know… something beautiful :D
I gave you access to modify all these files :)
Oh and one last thing… You gotta hurry up! We don’t have much time left until the submission!
Best Regards,
root
SSH welcome message files eh? That’s in /etc/update-motd.d then?
So yes, we have access to these files. What is it for?
The basic design is rather simple. The update-motd package creates a directory, /etc/update-motd.d, and installs a cronjob, /etc/cron.d/update-motd, which calls /usr/sbin/update-motd every 10 minutes (by default).
/usr/sbin/update-motd uses run-parts to execute each script in /etc/update-motd.d in lexicographic order, concatenating the results with the message-of-the-day header, /etc/motd.tail.
In this way, users, or even other packages can drop scripts into /etc/update-motd.d to affect the MOTD.
So we can edit these files, and get ourselves root. Okey dokey. There are myriad choices here. I added this line:
chmod +s /bin/bash
To the end of 00-header. Did it work?
Before:
After:
And when I log in?
I enjoyed this one, learned some stuff and actually felt like I achieved something so three thumbs up to ustoun0.