Potato

Source: Proving Grounds
OS: Linux
Community Rating: Intermediate

Enumeration & Reconnaissance

  • I started, as usual, with autorecon, which revealed three open ports:

    • SSH (22)

    • HTTP (80)

    • FTP (2112)

Service Analysis

  • While I had background fuzzers running on HTTP, I started interacting with the FTP service since it allowed anonymous logins.

FTP Service

  • Upon connecting to the FTP service anonymously, I discovered two files:

    • welcome.msg

    • index.php.bak

FTP Loot
  • The presence of the backup file immediately caught my attention; it hinted at potential misconfigurations or hidden clues, or maybe a rabbit hole. We will see.

Web Application

  • Exploring the web server, I found an admin login page located at /admin/index.php.

  • I tried multiple password combinations and even launched a brute-force attack targeting the user admin in the background. However, nothing worked, and my attention kept returning to the suspicious index.php.bak file from the FTP server.

Vulnerability Discovery

  • After some online digging, I learned about an interesting behavior related to PHP’s strcmp function.

  • It turns out that if $_GET['password'] is set to an empty array, strcmp returns NULL instead of an integer. Because of PHP's loose type juggling, the comparison NULL == 0 evaluates to true, so the password check passes.

  • So I started Burp Suite, and it worked! I was able to bypass authentication and gain access to the admin panel.
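To make the quirk concrete, here is an added example (my own code, not the box's index.php) that puts the strcmp-style check beside a hardened version and feeds both the query strings PHP would parse into $_GET. The secret 'dragon' is a constructed sample, and the NULL-returning behaviour assumes PHP 7.x; PHP 8 throws a TypeError when strcmp receives an array.

```php
<?php
// Added example, not code from the Potato box. Reproduces the loose strcmp
// check described above and a hardened form. Assumes PHP 7.x, where strcmp()
// given an array emits a warning and returns NULL (PHP 8 throws TypeError).

const EXPECTED_PASSWORD = 'dragon'; // constructed sample secret

// Vulnerable: strcmp(array, string) yields NULL, and NULL == 0 is true under
// loose comparison, so a non-string $password passes the check.
function vulnerableCheck($password): bool
{
    return @strcmp($password, EXPECTED_PASSWORD) == 0;
}

// Hardened: reject anything that is not a string, then compare with a
// timing-safe, strictly typed comparison. Real code should store a
// password_hash() value and use password_verify() instead of a plaintext.
function hardenedCheck($password): bool
{
    if (!is_string($password)) {
        return false;
    }
    return hash_equals(EXPECTED_PASSWORD, $password);
}

// Query strings as a browser or proxy would send them; parse_str() turns
// 'password[]=' into an array, exactly as PHP does for $_GET.
$cases = [
    'password=dragon', // legitimate credential
    'password=wrong',  // wrong credential
    'password[]=',     // array instead of string
];

foreach ($cases as $qs) {
    parse_str($qs, $get);
    printf("%-16s vulnerable=%-5s hardened=%s\n",
        $qs,
        var_export(vulnerableCheck($get['password']), true),
        var_export(hardenedCheck($get['password']), true));
}
```

The third case passes vulnerableCheck but not hardenedCheck; the is_string guard (or a strict === comparison against an integer 0) is the fix, and a warning about "expects parameter 1 to be string, array given" in the PHP error log is the detection signal for this probe.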

Authentication Bypass

Gaining Initial Access

  • Inside the admin panel, I discovered a function that allowed retrieval of log files. This feature turned out to be vulnerable to Local File Inclusion (LFI).

Passwd file
  • Exploiting the LFI, I managed to pull the passwd file from the server. Once in possession of this file, cracking the password for the user webadmin was a breeze: the password was dragon.

Cracking the Password

Privilege Escalation

  • With user-level access secured, I ran linpeas.sh to see what else the system had to offer. The scan indicated that the target might be vulnerable to CVE-2021-3560. I tried several proof-of-concept exploits and even attempted a manual exploitation, but none of the approaches worked.

  • As I was about to give up, I checked the sudo privileges with sudo -l and found something neat: I could run /bin/nice on any file under /notes/*.

Privilege Escalation
  • I created a bash script and placed it in the /tmp directory. Running the following command:

/bin/nice /notes/../tmp/bash.sh

which granted me root access, proving to be a much simpler path than wrestling with the CVE exploit.

Lessons Learned

  • PHP Type Juggling: A subtle bug in PHP allowed an authentication bypass by exploiting the way strcmp handles an empty array input.

  • Sudo Misconfiguration: The ability to run /bin/nice on /notes/* without a password provided a straightforward path to privilege escalation.
