hackmyvm: again walkthrough
2022-08-02 03:59:00 【xdeclearn】
1. Command execution to get a shell
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Visit the web server: get the username and a hint.
Download upload.bck.
<?php
if (!isset($_FILES["myFile"])) {
    die("There is no file to upload.");
}
$filepath = $_FILES['myFile']['tmp_name'];
$fileSize = filesize($filepath);
$fileinfo = finfo_open(FILEINFO_MIME_TYPE);
$filetype = finfo_file($fileinfo, $filepath);
if ($fileSize === 0) {
    die("The file is empty.");
}
$allowedTypes = [
    'image/jpeg' => 'jpg',
    'text/plain' => 'txt'
];
if (!in_array($filetype, array_keys($allowedTypes))) {
    echo $filetype;
    die("File not allowed.");
}
$filename = basename($filepath);
$extension = $allowedTypes[$filetype];
// The client-supplied file name becomes the destination path unchanged.
$newFilepath = $_FILES['myFile']['name'];
if (!copy($filepath, $newFilepath)) {
    die("Can't move file.");
}
// Blacklist on the name, checked only after the copy has already happened.
$blacklistchars = '"%\'*|$;^`{}~\\#=&';
if (preg_match('/[' . $blacklistchars . ']/', $newFilepath)) {
    echo ("No valid character detected");
    exit();
}
if ($filetype === "image/jpeg"){
    echo $newFilepath;
    $myfile = fopen("outputimage.php", "w") or die("Unable to open file!");
    // The file name is concatenated straight into a shell command.
    $command = "base64 ".$newFilepath;
    $output = shell_exec($command);
    unlink($newFilepath);
    echo "File uploaded";
    $lol = '<img src="data:image/png;base64,'.$output.'" alt="Happy" />';
    fwrite($myfile, $lol);
}
else{
    $myfile2 = fopen("outputtext.txt", "w") or die("Unable to open file!");
    // Same pattern for text uploads; the result is written to outputtext.txt.
    $command = "cat ".$newFilepath;
    $output = shell_exec($command);
    unlink($newFilepath);
    echo "File uploaded";
    fwrite($myfile2, $output);
}
?>
The exploitation process has two steps:
- Use the txt upload to upload a base64-encoded PHP reverse shell.
base64 phpreverseshell.php > tmp.txt
Upload it as a txt via the upload page.
- Upload a jpg, using the jpg branch to run base64 -d on the uploaded txt and write the decoded shell to disk, then access it.
Shell obtained.
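For contrast with upload.bck above, here is a hardened rewrite of the same handler. This is an added example, not the challenge's code: it assumes an upload directory outside the web root (the path at the bottom is a placeholder) and that the only processing needed is the base64/cat step the original did through shell_exec(). The type is decided by content sniffing, the stored name is generated on the server with an allowlisted extension, and no user-controlled byte ever reaches a shell.

```php
<?php
// Added example, not the challenge's upload.php: a hardened rewrite of the
// handler shown above. Assumptions: $uploadDir is a directory outside the web
// root, and the only processing needed is the base64/cat step that the
// original performed through shell_exec().
declare(strict_types=1);

// Allowlist keyed by the MIME type that finfo detects from the file content.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'text/plain' => 'txt',
];

function handle_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'There is no file to upload.';
    }
    $tmp = $file['tmp_name'];
    // is_uploaded_file() guarantees the path was created by this request's
    // multipart upload and was not supplied by the caller.
    if (!is_uploaded_file($tmp) || filesize($tmp) === 0) {
        return 'The file is empty.';
    }

    // Content sniffing decides the type. The client-supplied name and the
    // client-supplied Content-Type are never consulted.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $type  = finfo_file($finfo, $tmp);
    finfo_close($finfo);
    if (!is_string($type) || !isset(ALLOWED_TYPES[$type])) {
        return 'File not allowed.';   // do not echo the detected type back
    }

    // Server-generated name with an extension taken from the allowlist, so
    // no attacker-controlled byte reaches a filesystem path or a shell.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];
    if (!move_uploaded_file($tmp, $dest)) {
        return "Can't move file.";
    }

    $content = file_get_contents($dest);
    unlink($dest);
    if ($content === false) {
        return "Can't read file.";
    }

    if ($type === 'image/jpeg') {
        // Same result as `base64 <file>`, but in-process: no shell involved.
        // The base64 alphabet cannot break out of the src attribute.
        $tag = '<img src="data:image/jpeg;base64,' . base64_encode($content) . '" alt="Happy" />';
        file_put_contents('outputimage.html', $tag);
    } else {
        // Same result as `cat <file>` without spawning a process.
        file_put_contents('outputtext.txt', $content);
    }
    return 'File uploaded';
}

// If an external command really were unavoidable, every argument would be
// wrapped with escapeshellarg(): shell_exec('base64 ' . escapeshellarg($dest)).

if (!isset($_FILES['myFile'])) {
    die('There is no file to upload.');
}
echo handle_upload($_FILES['myFile'], '/var/lib/app/uploads'); // placeholder path
```

Two design choices matter most here. Doing the base64 and cat work in PHP removes the shell entirely, so the blacklist (which in the original could never enumerate every shell metacharacter) is no longer needed. And because the stored name and extension are chosen by the server and the file lives outside the web root, an upload that sneaks PHP past the MIME check still cannot be executed by requesting it.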
2. Privilege escalation
Run getcap to look for files with special capabilities: php7.4 turns out to have cap_fowner.
Change the permissions of /etc/passwd, change root:x:**** to root::****, and switch to root.

[email protected]:/tmp$ su - root
su - root
[email protected]:~# ls -all
ls -all
total 28
drwx------ 3 root root 4096 Oct 12 17:36 .
drwxr-xr-x 18 root root 4096 Oct 11 07:33 ..
-rw------- 1 root root 155 Oct 12 17:36 .bash_history
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwxr-xr-x 3 root root 4096 Oct 11 07:38 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw------- 1 root root 25 Oct 11 07:41 r00t.txt
[email protected]:~#
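The two conditions this step relies on (an interpreter carrying a dangerous file capability, and an /etc/passwd entry whose password field is empty) are both easy to check for. The following audit script is an added example, not part of the walkthrough; the getcap output and passwd lines at the bottom are constructed sample data that mirror the findings above, and on a real host you would feed it the actual getcap -r / output and /etc/passwd instead.

```php
<?php
// Added example, not part of the walkthrough: an audit of the two conditions
// behind the privilege-escalation step. It flags file capabilities that let a
// binary bypass ownership or permission checks, and accounts whose password
// field in /etc/passwd is empty (the "root::" state created above). The
// getcap output and passwd lines at the bottom are constructed sample data;
// on a real host pass shell_exec('getcap -r / 2>/dev/null') and
// file_get_contents('/etc/passwd') instead.
declare(strict_types=1);

// Capabilities that give an unprivileged user a path to root when attached to
// an interpreter or a general-purpose tool.
const DANGEROUS_CAPS = [
    'cap_fowner'          => 'bypasses file-owner checks (chmod on /etc/passwd)',
    'cap_dac_override'    => 'bypasses read/write/execute permission checks',
    'cap_dac_read_search' => 'can read any file (e.g. /etc/shadow)',
    'cap_chown'           => 'can change file ownership',
    'cap_setuid'          => 'can change its UID to 0',
    'cap_setgid'          => 'can change its GID',
    'cap_sys_admin'       => 'broad administrative control',
];

/** Parse `getcap -r /` output; return [path => [cap => reason]] for risky entries. */
function audit_getcap(string $output): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($output)) as $line) {
        // Modern libcap prints "path cap_a,cap_b=ep"; older releases print
        // "path = cap_a,cap_b+ep". Both forms are accepted.
        if (!preg_match('/^(\S+)\s+=?\s*(\S+)$/', $line, $m)) {
            continue;
        }
        $capset = preg_replace('/[=+][eip]+$/', '', strtolower($m[2]));
        foreach (explode(',', $capset) as $cap) {
            if (isset(DANGEROUS_CAPS[$cap])) {
                $findings[$m[1]][$cap] = DANGEROUS_CAPS[$cap];
            }
        }
    }
    return $findings;
}

/** Return usernames whose password field is empty: "user::uid:...". */
function audit_passwd(string $passwd): array
{
    $open = [];
    foreach (preg_split('/\R/', trim($passwd)) as $line) {
        $f = explode(':', $line);
        // Field 2 should be "x" (hash lives in /etc/shadow) or "*"/"!" (locked).
        if (count($f) === 7 && $f[1] === '') {
            $open[] = $f[0];
        }
    }
    return $open;
}

/** True if group or other can write the file (the 0022 bits), e.g. a chmod'ed /etc/passwd. */
function writable_by_others(string $path): bool
{
    $perms = fileperms($path);
    return $perms !== false && ($perms & 0022) !== 0;
}

// Constructed sample data mirroring the walkthrough's findings.
$sampleGetcap = "/usr/bin/ping cap_net_raw=ep\n/usr/bin/php7.4 cap_fowner=ep\n";
$samplePasswd = "root::0:0:root:/root:/bin/bash\n"
              . "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
              . "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n";

foreach (audit_getcap($sampleGetcap) as $path => $caps) {
    foreach ($caps as $cap => $why) {
        echo "[CAP] $path has $cap: $why\n";
    }
}
foreach (audit_passwd($samplePasswd) as $user) {
    echo "[PASSWD] account '$user' has an empty password field\n";
}
if (file_exists('/etc/passwd') && writable_by_others('/etc/passwd')) {
    echo "[PERMS] /etc/passwd is writable by group or other\n";
}
```

On the sample data the script reports php7.4 with cap_fowner and the root account with an empty password field; ping's cap_net_raw is ignored because it does not bypass ownership or permission checks. Remediation for this box is the reverse of the attack: setcap -r /usr/bin/php7.4 removes the capability, the password field is restored by setting a password again (passwd root), and chmod 644 /etc/passwd puts the file mode back.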