19 Nov 2016 ~6 minutes
Writeup by npny and nobe4.
Firstly, we run
nmap against the website, to discover that (among others), the ports 80 and 22 are open.
SSH doesn’t yield any results, and we try, without luck, a possible exploit against the used version.
HTTP is a lot more interesting:
An HTTP password is asked when trying to access the main page. After a few random try on the different
HTTP verbs we try to access the default
index.php file, which seems to have the same security. But, making a
POST request on the file returned a valid
HTML page. Nice!
We can see in this web page a some useful information:
- there is an image in the subdirectory
Both directories are not protected and can be accessed and listed.
Moreover, it seems that the file has a link that make a
POST request and display some information on painters. One crucial note is that the
PHP can unserialize. A copy of the script can be found here.
The information sent to the server is an object
images contains only the image of La trahison des images, a famous painting by René Magritte. Nothing more here.
scriptz folder contains the
php.js script as well as a
It seems that this file define a simple logging class in PHP. We are not sure what to do with yet…
But, we can combine this class and use it instead of the
Info one in the
POST request. Using the following script:
What will happen here is the following:
Logstring will be
unserialized by the PHP server script.
- During this step, the
datafields will be saved to a set of defined values.
- When the object is destroyed, the content of
datawill be written in the file
We had to figure out the directory to use. After some research, we figured out the default
Apache folder is used.
The payload is a simple web shell and will be placed in the folder
Now, we must find something to do with this shell, first of, the following script enhance the usage of the web shell:
This very simple script will get the web page, passing the command as a
GET argument and display the result.
We immediately check for the
/passwd file, which is, unfortunately, accessible only by the root user.
After some time looking around, we can see that the files in
/home/rene/backups are constantly updated. It seems that a backup file is created every minute, and every 5 minutes the 5 backups are compressed together.
/etc/crontab file confirm this, two scripts are running, both as root, this could be the way to leverage the
A detail that is interesting, is that both scripts are run as root, but one of them is readable:
The interesting part of the script is the line:
Indeed, there is a vulnerability concerning this
*. If a file or a directory is name like a flag, the command that use the
* will treat the filename as a flag.
As an example:
This issue is discussed in this paper.
Now the command that need to be exploited is
tar, its man page (and the previous paper) gives us the next step:
We now need to find the command we want to execute.
To make this step easier, we decided to use a script file on the server to that will be run by root, we thus need to create a file named:
Of course, the space in the filename has to be escaped, otherwise the execution will only run
The script.sh will contain the following code, which copy the content file into an accessible file, and will change the permission on it, so that anyone can read it:
Then we just need to check the file from the browser and we get the flag.