Potato
Last updated
Last updated
Source: Proving Grounds OS: Linux Community Rating: Intermediate
I started, as usual, with autorecon, which revealed three open ports:
SSH (22)
HTTP (80)
FTP (2112)
While I had background fuzzers running on HTTP, I started interacting with the FTP service since it allowed anonymous logins.
Upon connecting to the FTP service anonymously, I discovered two files:
welcome.msg
index.php.bak
The presence of the backup file immediately caught my attention, it hinted at potential misconfigurations or hidden clues or maybe a rabbit hole, we will see.
Exploring the web server, I found an admin login page located at /admin/index.php.
I tried multiple password combinations and even launched a brute-force attack targeting the user admin in the background. However, nothing worked, my attention kept returning to the suspicious index.php.bak file from the FTP server.
After some online digging, I learned about an interesting behavior related to PHP’s strcmp function.
It turns out that if $_GET['password'] is set to an empty array, strcmp returns NULL. Due to PHP’s quirky type juggling, the comparison NULL == 0 evaluates to true.
So I started Burp Suite, and it worked! I was able to bypass authentication and gain access to the admin panel.
Inside the admin panel, I discovered a function that allowed retrieval of log files. This feature turned out to be vulnerable to Local File Inclusion (LFI).
Exploiting the LFI, I managed to pull the passwd file from the server. Once in possession of this file, cracking the password for the user webadmin was a breeze, the password was dragon.
With user-level access secured, I ran linpeas.sh to see what else the system had to offer. The scan indicated that the target might be vulnerable to CVE-2021-3560. I tried several proof-of-concept exploits and even attempted a manual exploitation, but none of the approaches worked.
As I was about to give up, I checked the sudo privileges with sudo -l and found something neat: I could run /bin/nice on any file under /notes/*.
I created a bash script and placed it in the /tmp directory. Running the following command:
which granted me root access, proving to be a much simpler path than wrestling with the CVE exploit.
PHP Type Juggling: A subtle bug in PHP allowed an authentication bypass by exploiting the way strcmp handles an empty array input.
Sudo Misconfiguration: The ability to run /bin/nice on /notes/* without a password provided a straightforward path to privilege escalation.
