Opacity is a Linux machine with a web app that features a vulnerable image upload form which can be used to upload a reverse shell to gain an initial foothold on the system. This leads to the discovery of a dataset.kdbx file in which the password of the sysadmin user can be cracked and used to login with SSH.
Further enumeration of the system reveals a cron job that runs a PHP script (script.php). Viewing the script shows that it calls another script named backup.inc.php, but both scripts are unwritable for the sysadmin user.
One workaround is to create a copy of backup.inc.php as a temporary file, delete the original, and rename the .tmp file to be the original name of backup.inc.php, which then allows the script to be writable by the sysadmin user. This can be leveraged to add a reverse shell script to backup.inc.php and when the cron job runs every minute, it will call backup.inc.php and return a shell as the root user.
Initial visit to the IP showed a login page. Tried some default creds, but none of them worked.
I ran rustscan to look for any open ports:
Ports open:
- 22 (SSH)
- 80 (HTTP)
- 139, 445 (SMB)
Since port 445 was open, I used smbclient to list shares, but there wasn't anything too interesting:
Next, I enumerated directories with gobuster:
gobuster found a /cloud directory so I visited that page:
The /cloud page features an image upload form, so next I started a python web server and attempted to upload a reverse shell.
The upload form only accepts image file formats, so in order to bypass the file restrictions and upload a reverse shell, I needed to have two files in my directory where the server was running: rev-shell.php#.png and rev-shell.php
I used rev-shell.php#.png as the file in the upload form, which will successfully upload since it ends with .png, but when the server actually tries to search for the specified file to upload that exists on the local python server, it will ignore the #.png and instead upload the file named rev-shell.php which will execute the reverse shell script.
The reverse shell script from pentestmonkey can be found here
Before uploading the script I started a listener with netcat:
Next, I uploaded the script:
200 response showing that the rev-shell.php file uploaded successfully:
Reverse shell as www-data:
Ran the following commands for a stable shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl + Z
stty raw -echo; fg
When I tried to read the local.txt file within the /home directory, I got permission denied.
After looking around the system some more, I found an interesting login.php file in the /var/www/html directory.
login.php showed passwords for a few admin accounts.
I went to the login page and used the admin username and oncloud9 password.
It successfully logged in and brought me to the home page, but there wasn't anything interesting there.
Running ls -la in the /home/sysadmin directory showed that sysadmin was the only user that could read local.txt
Exploring the system some more led to the discovery of a dataset.kdbx file within /opt:
A .kdbx file is a password-protected database file used by the KeePass password manager to store and manage passwords. So, I started a python server so that I could download the file locally.
Used wget to download locally:
Successful 200 response:
Next, I used keepass2john to extract the password hash:
Then, I used john to crack the hash:
Opened KeePass:
Entered the password: 741852963, which logged in and showed the sysadmin user:
Password for sysadmin:
I logged in using SSH as the sysadmin user with the password: Cl0udP4ss40p4city#8700
I was now able to view the local.txt flag.
I ran sudo -l and crontab -l to see if there were any interesting sudo permissions or cron jobs for the sysadmin user, but there was nothing there.
I viewed /etc/crontab, which didn't show anything useful to go off of yet.
I started up a python server so that I could download pspy to enumerate the system.
Used wget to download pspy:
200 response:
Ran pspy:
The output showed a cron job that calls script.php within /home/sysadmin/scripts
The script.php file is owned by the root user and is also part of the sysadmin group, but users of this group can only read the file and not write to it:
script.php calls another file named backup.inc.php within the /lib directory:
backup.inc.php is owned by root and the group is root, all other users can only read the file:
This file gets called once every minute. But as mentioned above, it's currently unwritable.
I needed to find a way to write to this file so that I could add a reverse shell script that would give me a root shell.
To do this, I copied the current backup.inc.php to another file named backup.inc.php.tmp. Next, I removed to original backup.inc.php, and then renamed backup.inc.php.tmp to be backup.inc.php which gave the sysadmin user write privileges on the file.
This gave the sysadmin read and write access to backup.inc.php.
To get a root shell, first I started a listener with netcat:
Then, I added a PHP reverse shell script from pentestmonkey to backup.inc.php which returns a socket handle: $sock by creating a TCP/IP connection pointing to a specified IP and port using the fsockopen() function. The exec() function executes the shell command /bin/sh -i to start a shell session, <&3 >&3 2>&3 is used to redirect the standard input, output, and error streams of the shell to the socket handle.
After saving the file, I waited for about a minute until backup.inc.php was called to establish a reverse shell connection as the root user.
