
PHP Reverse Shell execution with Privilege escalation

I am trying a new version of a Capture the Flag writeup

This will be a combination of a tutorial and a small penetration test report

This writeup will be separated into 5 categories

- Recon

- Weaponization

- Delivery

- Exploitation

- Risk assessment score along with how to fix it for our client

RECON

I started with basic recon.

> Nmap scan - network mapping

We have two ports in service, 22 and 80, along with their service versions as listed above. Port 80 also exposes a PHPSESSID cookie, which tells us the site runs PHP.

> Gobuster

> dirb

We have several directories that we can target and use

Significant findings with directories listed below

> Host Internet-facing IP

  • No information was exposed at the bare IP address

> /panel/

  • We have an upload page at /panel/
  • This can be used to upload malicious files, scripts, code, etc.

> /uploads/

WEAPONIZATION

Php-reverse-shell exploit found!

You can either download it from GitHub in a browser or pull it from GitHub using the Kali Linux terminal.

The malicious file is downloaded; let's configure it.

We now have a configured malicious file to upload

DELIVERY

The file was then uploaded to the target

And can be seen on the /uploads/ page

EXPLOITATION

Netcat was started on my attacking machine, listening on the same port I configured when I created the file for upload.

I then opened the file on the uploads page to trigger the exploitation and the reverse shell connection.

This gave me a direct connection to the target

We have low-level access! We are the www-data user.
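As an added example that is not part of the original writeup, the following Python script shows how a defender would spot the delivery and exploitation chain above in Apache access logs: a POST to /panel/ followed by a request for a PHP file under /uploads/. The log lines are constructed samples; the paths are the ones found during recon.

```python
import re

# Apache "combined"-style access log line (constructed samples below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_ENDPOINT = "/panel/"   # upload form found during recon
SERVED_DIR = "/uploads/"      # where uploaded files become reachable
# PHP-executable extensions; the trailing group also catches "shell.php.jpg"
# double extensions and "shell.php?cmd=" query strings.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|\?|$)", re.IGNORECASE)

# Constructed sample: one host uploads via /panel/ and then requests its file.
SAMPLE_LINES = [
    '10.0.0.5 - - [01/May/2023:12:00:01 +0000] "GET /panel/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2023:12:00:09 +0000] "POST /panel/ HTTP/1.1" 200 311',
    '10.0.0.5 - - [01/May/2023:12:00:15 +0000] "GET /uploads/ HTTP/1.1" 200 940',
    '10.0.0.5 - - [01/May/2023:12:00:20 +0000] "GET /uploads/shell.php HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/May/2023:12:01:00 +0000] "GET /uploads/logo.png HTTP/1.1" 200 4021',
    '10.0.0.7 - - [01/May/2023:12:02:00 +0000] "GET /uploads/test.phtml HTTP/1.1" 404 210',
]

def parse(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Return (ip, path, severity) alerts for script requests under /uploads/.
    Severity is "high" when the same IP previously POSTed to /panel/ (upload
    followed by execution), otherwise "medium" (a probe for a planted script)."""
    uploaders = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(UPLOAD_ENDPOINT) \
                and rec["status"].startswith("2"):
            uploaders.add(rec["ip"])
        elif rec["path"].startswith(SERVED_DIR) and SCRIPT_EXT.search(rec["path"]):
            severity = "high" if rec["ip"] in uploaders else "medium"
            alerts.append((rec["ip"], rec["path"], severity))
    return alerts

if __name__ == "__main__":
    for ip, path, severity in detect(SAMPLE_LINES):
        print(f"[{severity}] {ip} requested {path}")
```

Run it against a real access.log by replacing SAMPLE_LINES with the file's lines; any "high" alert is the exact sequence this writeup walks through.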

To find further means of exploitation I checked what tools were available on the host, and upon further exploration I saw that Python was present on this target. After running a shell script command, I had a cleaner terminal to navigate.

Still not the privilege I needed, so I ran a Python command to spawn a PTY (pty.spawn) with /bin/bash.

A bit more info I can gather now! Not the root information, but from this access I can still open and read specific files.

I searched for an exploit that uses a SUID binary for privilege escalation.

Next I used a website named GTFOBins; it has great command lines ready for use. I simply searched for what I needed.

This exploit allowed me to leverage the SUID binary for my own privilege escalation.

As the root user of the system, we have high-level access to all files.

With root-level privileges I can open and share anything I want, or even create a new user with high-level access if I were to set up a back door. Here you can see I opened a file in the root directory.
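The escalation above relied on a SUID binary that should not have been usable that way. As an added example that is not part of the original writeup, this Python script is the defender's counterpart: it walks the filesystem for set-uid files and compares them with a baseline, so a SUID bit that was added (or that never belonged) shows up as "unexpected". The BASELINE set is a constructed placeholder; build the real one from a known-good install.

```python
import os
import stat

# Constructed baseline of SUID binaries expected on this host. Build the real one
# from a known-good install and keep it off the box (or read-only), not under the web root.
BASELINE = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo"}
PSEUDO_FS = ("/proc", "/sys", "/dev")  # pseudo-filesystems not worth walking

def find_suid(root="/"):
    """Walk `root` and return every regular file with the set-uid bit, sorted."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune in place so os.walk does not descend into pseudo-filesystems
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)

def audit(found, baseline=BASELINE):
    """Compare a find_suid() result with the baseline.
    "unexpected" is the list to investigate: a SUID bit on a binary that does not need
    it (the class of misconfiguration GTFOBins catalogs), or a new file dropped under
    /uploads/ or /tmp, is what a www-data shell would use to become root.
    "missing" entries usually mean a package changed and the baseline needs review."""
    found = set(found)
    return {"unexpected": sorted(found - baseline), "missing": sorted(baseline - found)}

if __name__ == "__main__":
    report = audit(find_suid("/"))
    for kind in ("unexpected", "missing"):
        for path in report[kind]:
            print(f"{kind}: {path}")
```

Schedule it (cron or a config-management run) and alert on any non-empty "unexpected" list; it needs to run as root to stat every directory.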

REPORT

Non-official use: training purposes only

Target: 10.10.63.25

Time of engagement: 6 hours

Non-confidential information

IMPACT

Having out-of-date service versions of servers within a business or organization can have severe consequences, especially when combined with data leaks or unauthorized access by high-level users. Here are some potential impacts:

1. Security Breaches: Outdated service versions often contain known vulnerabilities and weaknesses that have been patched in newer versions. Hackers actively exploit these vulnerabilities to gain unauthorized access. In such cases, sensitive data can be compromised, leading to potential legal and financial consequences for the organization.

2. Data Loss: Outdated servers may lack important security features and safeguards, making them more susceptible to data loss or corruption. If an unauthorized user gains high-level access, they can tamper with or delete critical data, causing significant disruptions to business operations and potentially resulting in irrecoverable losses.

3. Reputation Damage: Data leaks or unauthorized access incidents can severely damage an organization's reputation. Customers, partners, and stakeholders may lose trust in the business's ability to protect sensitive information, leading to a loss of business opportunities and potential legal repercussions.

4. Legal and Regulatory Non-Compliance: Depending on the industry and location, organizations may be subject to specific data protection regulations and compliance requirements. Failure to maintain up-to-date service versions and protect data adequately can result in non-compliance, leading to fines, legal actions, and a damaged relationship with regulatory bodies.

5. Financial Impact: Dealing with security breaches, data leaks, and unauthorized access incidents can have significant financial implications. Remediation efforts, forensic investigations, legal fees, and potential lawsuits can result in substantial financial losses for the organization. Moreover, the cost of recovering lost or compromised data can be substantial, especially if proper backups were not in place.

6. Operational Disruptions: Security incidents can disrupt normal business operations. Organizations may need to allocate resources to investigate the breach, patch vulnerabilities, and mitigate further damage. This can result in downtime, decreased productivity, and potential disruptions in customer service, leading to dissatisfied clients and loss of business.

REMEDIATIONS

1. Update Apache Version: Upgrade the server's Apache version from 2.4.29 to the latest stable version, which as of May 2023 is Apache 2.4.46. The updated version includes security patches and bug fixes, ensuring better protection against known vulnerabilities.

2. Enable HTTPS: Configure the server to use HTTPS (HTTP Secure) instead of HTTP. HTTPS encrypts the data transmitted between the server and clients, providing an additional layer of security. Obtain an SSL/TLS certificate from a trusted certificate authority and configure Apache to use HTTPS for all connections.

3. Secure Apache Configuration: Review the server's Apache configuration files. Pay attention to settings related to authentication, access controls, and directory permissions. Disable or limit the use of unnecessary modules and features to reduce the attack surface.

4. Harden Server OS: Implement security measures at the operating system level. Keep the server's operating system and all installed software up to date with the latest security patches. Configure firewall rules to allow only necessary incoming and outgoing connections. Disable or remove unused services and applications to minimize potential vulnerabilities.

5. Remove Publicly Facing Pages: Identify publicly facing pages or services that may pose a security risk. This includes file upload pages and directories from which uploaded files can be executed. Either secure them appropriately or consider removing them if they are not essential to business operations. Regularly review and audit the server's directory structure to ensure there are no unnecessary publicly accessible files or directories.

6. User Authentication and Access Controls: Implement strong user authentication mechanisms, such as username/password combinations or multifactor authentication, to ensure that only authorized individuals can access the server. Enforce proper access controls to limit user privileges based on their roles and responsibilities.