You can find the machine here: Tomato
Summary
This one was a pretty good box, a bit “advanced”. We start by finding an LFI on the info.php page, which leads us to an SSH log poisoning attack. After gaining a low-privilege shell we can escalate to root by exploiting an old kernel version. Let’s pwn it!
Enumeration/Reconnaissance
Let’s start as always with nmap.
Lots of stuff to enumerate; let’s focus on port 80 first. I tried running gobuster on it, but it found nothing:
Then I had the idea to run dirb on it, and it worked: an interesting directory showed up.
It has a lot of stuff in it, but only info.php is useful.
A good practice is to always check the source code of a page, even if it is a PHP one; you never know. info.php has a really interesting comment!
include == LFI. Since the superglobal variable $_GET has the image parameter, the payload will go like this:
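As an added example (not code from the writeup or from the box), here is the hardened counterpart of handing $_GET['image'] straight to include(). It is written in Python rather than PHP so the check can be run stand-alone: the user-supplied image name is joined onto a fixed images directory, canonicalised, and refused if the resolved path leaves that directory or is not an image. IMAGE_DIR and ALLOWED_EXTENSIONS are assumptions, not values from the box.

```python
import os

# Assumed values (not from the writeup): the directory the page is allowed to
# include images from, and the file types it may serve.
IMAGE_DIR = "/var/www/html/images"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def resolve_image(requested: str, image_dir: str = IMAGE_DIR):
    """Return the absolute path to serve for a user-supplied image name, or
    None when the request must be refused.

    The value is joined onto a fixed base directory, the result is
    canonicalised (symlinks and '..' resolved) and must still lie inside that
    directory, and only image extensions are accepted.
    """
    # Embedded NUL bytes were a classic way to cut an appended suffix off a
    # path in older PHP builds; refuse them outright.
    if "\x00" in requested:
        return None
    base = os.path.realpath(image_dir)
    # An absolute 'requested' replaces 'base' inside os.path.join, so the
    # containment check below is what actually enforces the boundary.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None  # escaped the image directory (e.g. ../../var/log/auth.log)
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None  # not an image, even though it lives inside the directory
    return candidate


def is_safe_image_request(requested: str) -> bool:
    """Convenience wrapper: True only when the request would be served."""
    return resolve_image(requested) is not None


if __name__ == "__main__":
    for name in ("tomato.png", "../../../../var/log/auth.log",
                 "/var/log/auth.log", "notes.txt"):
        print(f"{name!r:40} -> {resolve_image(name)}")
```

The containment check is done on the canonical path, not on the raw string, so "../" sequences, absolute paths and symlinks that point outside the directory are all refused by the same comparison.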
Shell as www-data
I enumerated a lot, but found nothing. One thing is left: log poisoning, but for that we need to be able to read log files. We can do SSH log poisoning because we can read /var/log/auth.log!
First we have to log in with PHP code as the username:
Now we have command execution:
In the end we can see this:
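On the defensive side, this chain leaves traces in two places: sshd writes the attempted username verbatim into auth.log, so a PHP open tag in an "Invalid user" entry is a strong signal, and the web access log records the include parameter pointing at /var/log/auth.log. The following detection is an added example, not part of the writeup; the AUTH_LOG and ACCESS_LOG lines, IPs and timestamps are constructed, and the formats assumed are standard sshd syslog lines and Apache combined format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (not taken from the box). The "poisoned" username
# carries a harmless PHP echo; the access log is in Apache combined format.
AUTH_LOG = """\
Jun 12 10:01:02 tomato sshd[1234]: Invalid user alice from 10.0.0.5 port 51000
Jun 12 10:01:05 tomato sshd[1240]: Invalid user <?php echo 'poison'; ?> from 10.0.0.5 port 51002
Jun 12 10:01:09 tomato sshd[1240]: Failed password for invalid user <?php echo 'poison'; ?> from 10.0.0.5 port 51002 ssh2
Jun 12 10:02:00 tomato sshd[1250]: Accepted password for bob from 10.0.0.7 port 51010 ssh2
"""

ACCESS_LOG = """\
10.0.0.5 - - [12/Jun/2020:10:00:40 +0000] "GET /info.php?image=tomato.png HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [12/Jun/2020:10:01:20 +0000] "GET /info.php?image=../../../../var/log/auth.log HTTP/1.1" 200 8192 "-" "curl/7.68.0"
10.0.0.5 - - [12/Jun/2020:10:01:30 +0000] "GET /info.php?image=..%2F..%2F..%2F..%2Fvar%2Flog%2Fauth.log HTTP/1.1" 200 8192 "-" "curl/7.68.0"
"""

# sshd logs the attempted username as-is, which is how PHP ends up in the file.
SSHD_INVALID_USER = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) (.+?) from (\S+)"
)
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)?", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# Parameter values that step upward out of a directory or reach into /var/log.
LOG_REACH = re.compile(r"(?:^|/)\.\.(?:/|$)|/var/log/", re.IGNORECASE)


def find_poisoned_logins(lines):
    """Flag sshd 'invalid user' entries whose username contains a PHP open tag."""
    findings = []
    for line in lines:
        m = SSHD_INVALID_USER.search(line)
        if m and PHP_OPEN_TAG.search(m.group(1)):
            findings.append({"kind": "ssh-log-poisoning",
                             "user": m.group(1), "src": m.group(2)})
    return findings


def find_lfi_requests(lines):
    """Flag requests whose query parameters traverse upward or name a log file.
    parse_qsl percent-decodes the values, so %2F-encoded variants are caught too."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            if LOG_REACH.search(value):
                findings.append({"kind": "lfi-request", "param": param,
                                 "value": value, "src": line.split(" ", 1)[0]})
    return findings


def scan(auth_lines, access_lines):
    """Run both detections and report whether they corroborate each other:
    an include that reads auth.log plus PHP in a login name is the
    combination that yields code execution."""
    poison = find_poisoned_logins(auth_lines)
    lfi = find_lfi_requests(access_lines)
    auth_log_read = any("/var/log/auth.log" in f["value"] for f in lfi)
    return {"poisoned_logins": poison, "lfi_requests": lfi,
            "likely_rce": bool(poison) and auth_log_read}


if __name__ == "__main__":
    report = scan(AUTH_LOG.splitlines(), ACCESS_LOG.splitlines())
    for finding in report["poisoned_logins"] + report["lfi_requests"]:
        print(finding)
    print("likely RCE chain:", report["likely_rce"])
```

Either signal alone is worth an alert; the scan() result combines them because the poisoned entry only becomes dangerous once something on the web tier includes the log file. In practice the same two rules would run against auth.log and the web access log as they are shipped to the SIEM.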
Now let’s simply URL-encode our reverse shell and send it. You can use this awesome tool to URL encode/decode from the terminal:
We have shell!
Shell as root
I noticed that the kernel is pretty old:
Let’s fire up Linux Exploit Suggester:
This one seems good, but the system doesn’t have gcc installed, so let’s download and compile it on our box and then transfer it.
Let’s read the flag.
What an awesome box!!!