Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

Europa

Starting with a port scan.

So there is a SSH server running and a webserver on port 80 and 443. There is a certificate available and when looking at that certificate I noticed DNS information.
Because there is only one IP address, but 2 hostnames it looks like there is some virtual host routing (explanation).
Grabbing the HTTP header with Burp.

And changing the host.

And as a response I get a redirect to a login page.

When I follow the redirect burp doesn’t know where to go and that’s because of the hostname which it doesn’t know. Altering the /etc/hosts file will change that.

Now I can access the admin portal.

When checking the source page there is a CSS file which tells me that the framework used is a CMS called Bootstrap.
Let’s try to log in……..nope.
I capture the HTTP header with burp and feed it to sqlmap. Sqlmap tries to go to port 80 and doesn’t find the URL. So I add ‘:443’ to the host in the header file. Another possibile optinos is use the –forse-ssl flag in sqlmap.

After a while I get some result.

After a quick search on some MD5 crackers online I get the result.


Almost everything is inactive, except for the ‘Tools’ section.
Within the Tools section there is an OpenVPN Config Generator with an input field.

What does it do?

It replaces ‘ip_address’ with my given value (in this case 10.10.14.3). Can I misuse this? Let’s run it through Burp again.

Mostly URL encoded. Decoding in Burp is easy.

So the php function replaces a value with another value that was given by the user. When searching Google I found this was the preg_replace function (link).
It looks like this function searches the subject for pattern matching and replaces them with given replacement. With this PCRE there are a bunch of modifiers available and one of them stands out from the rest. It looks like the /e modifier is deprecated because of some security issues (link). The preferred function nowadays should be preg_replace_callback().
But why is this modifier so bad? On this site there is an excellent explanation why using preg_replace is such a bad idea. In a nutshell if this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, evaluates it as PHP code, and uses the result for replacing the search string. Single quotes, double quotes, backslashes (\) and NULL chars will be escaped by backslashes in substituted backreferences. As /e evaluates arbitrary PHP code it can easily be exploited if user input is not carefully validated or sanitized.
Let’s see if commands will be executed.

Looks like the commands are executed just nicely.
Now let’s get a shell. For this I use one of my favorites: pentestmonkey. The script is altered to point back to my ip + port.
Setting up listener.

Entering in same repeater window of Burp.

Response on my machine.

And I have a working shell.

Because this is a temporary shell I wanted to upload a more permanent one which I could execute from the /var/www/admin folder, but it was write restricted.
After exiting the /admin/ folder I noticed a /var/www/cmd and /var/www/cronjobs folder. The /cmd was empty but inside the /cronjobs folder there was a file named clearlogs

For the enumeration part I uploaded the LinEnum script and run it from /tmp.

Here is the cronjob from earlier. Looks like it runs every minute.
From earlier in the LinEnum output it looked like the /home/john folder is open for anyone….so let’s have a look for a flag.

Now for the elevated rights and the final flag.

Looks like that worked. Now for some better content.

That went well.

And done.
 
An easier and quicker way to get the flag was to change the password of root and ssh in as root or even just cat the /root/root.txt into a readable file.
But hey…..there are always other ways to get things done.
 
 
 
 
 
 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.