Archangel
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
Detailed Nmap Scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 22,80
(-oN nmap): Saving the output to a file called nmap
Enumeration
Let's visit the webpage.
Looking at the page, we see a domain; let's add this to our /etc/hosts file.
Now let's go to the webpage.
We have the first flag
Let's look for a robots.txt file, since it often lists pages that are important.
And we found one, let's visit it.
The page has a button, let's press it.
It takes us to a different page. Looking at the URL, the view parameter is used to navigate through the directories, so let's try some LFI payloads to find vulnerabilities. I was searching on Google when I found this.
Exploitation
They say that we can use this command to bypass the filter and get an LFI vulnerability, so let's test it out.
Let's change this command to match our page and PHP file.
When we replace the current URL with this one, we get this:
It's a base64 encoded string. When we decode it, we get the message from earlier.
Now let's try to read other pages like test.php.
We get another base64 encoded string, let's decode it.
We have the second flag.
Let's now look at the code closely.
In line 17 we can see the conditions. The first one is that the parameter should not contain the substring ../../ and the second one is that the parameter must contain the string /var/www/html/development_testing. So for the first condition we can use ../../../.
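As an added example (not code from the room or from this writeup), here is the defender's side of the filter just described: instead of substring rules on the raw string, canonicalize the requested path and enforce that it stays inside the development_testing directory, refusing stream wrappers outright. The base directory is the one named on the page; the function names and sample inputs are my own.

```python
import os
from typing import Optional

# Directory the page says the filter requires in the view parameter.
BASE_DIR = "/var/www/html/development_testing"


def resolve_view(view: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the canonical path for a 'view' value, or None if it must be refused.

    Unlike the substring rules on the page (reject '../../', require the base
    directory string), this resolves '.', '..' and symlinks first and only then
    checks containment, so how the raw string is written does not matter.
    """
    # A file name never carries a scheme; refuse stream wrappers (php://, data://, ...)
    # and NUL bytes before touching the filesystem, since they are not paths at all.
    if "://" in view or "\x00" in view:
        return None
    base = os.path.realpath(base_dir)
    # Relative names are resolved against the allowed directory; absolute ones as given.
    candidate = view if os.path.isabs(view) else os.path.join(base, view)
    target = os.path.realpath(candidate)
    # Containment must be a path-component check, not a string-prefix check:
    # '/var/www/html/development_testing_old/x' starts with the base string
    # but is not inside the base directory.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo() -> dict:
    """Constructed inputs showing what the hardened check allows and refuses."""
    samples = [
        "mrrobot.php",                                   # legitimate page
        "/var/www/html/development_testing/test.php",    # absolute, inside base
        "../../../../etc/passwd",                        # plain traversal
        "/var/www/html/development_testing_old/x.php",   # sibling dir sharing the prefix
        "php://stdin",                                   # stream wrapper
    ]
    return {s: resolve_view(s) for s in samples}


if __name__ == "__main__":
    for view, result in demo().items():
        print(f"{view!r:50} -> {'refused' if result is None else result}")
```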
We know that this is running on an Apache web server, so there should be an access.log file; let's check if we can access it.
Now we can try log poisoning to get Remote Code Execution (RCE): we have to send this reverse shell in the request.
Make sure to set up a netcat listener.
First we have to intercept the request and pass this code in the User-Agent header.
And now if we send the request we get a reverse shell.
Now let's stabilize the shell.
We can read the user.txt file.
Privilege Escalation
In the home/myfiles directory of archangel you see a passwordbackup file; you can go check it out.
We have another directory which might be interesting, called secret; let's try to change directory into it.
And we are not allowed. We need to be the user archangel to access this. Let's look at other files that are owned by archangel.
We find these; the first one looks interesting, so let's check it out.
It's a bash script, let's look at the permissions to see if we can write to it.
Looks like we can, so let's echo a reverse shell into the file and execute it to get a reverse shell.
Also make sure to start a netcat listener.
Now let's echo the reverse shell into the file and execute the file.
We are archangel now. Let's stabilize the shell.
Let's go into the secret directory.
We can read the user2.txt file; let's read the other file called backup.
Looks like the output isn't something we can read, so let's see what type of file it is.
It's an LSB shared object. Let's use the strings command to get more information.
This command is interesting: the cp command is run without the full path, which means this is exploitable. Let's create an msfvenom payload called cp and adjust the PATH variable, and when the binary is executed we should get a reverse shell.
Now we have to transfer the file, so let's start an HTTP server.
Now use this command on the victim machine to download the file; make sure you are in the secret directory.
Now let's modify the PATH variable.
Now start a netcat listener and make the cp file executable.
Now run the backup file.
And you should get a reverse shell as root.