
Thursday, October 5, 2017

Remote Code Execution - From Recon to Root!

Greetings everyone! This is Shawar Khan and today I'm going to share one of my recent findings. I'll show you how proper recon can lead to code execution. Recon and information gathering are an important part of penetration testing, as knowing your target gives you more areas to attack.

So, a friend of mine gave me an IP address hosting an admin panel to test. After pentesting the panel, I knew that it was not bypassable and every layer was properly protected. There was no info available about the IP address, so I did a quick file enumeration!

Nothing interesting was found, except a '.git' directory!

Alright, so '.git' contains a 'config' file where we can find the repository the files were cloned from. Sometimes we can also find passwords for a password-protected repository in 'config'!

Unlucky... No credentials found. The next thing to check was whether the .git directory had directory listing enabled. If there is directory listing, we are able to clone all the files, including the objects.

And yes! Directory listing was enabled, which means we can download all the files and run git status to get the paths of all the files available on Apache. Using the following command, I cloned the files:

wget -m -I .git http://IP/.git/

I cloned the files and then ran 'git status'.

Found '3398' files!
Some 'xlsx' files had user data!


Accessed the files and got the data!

It was interesting that the git status command was showing the files as removed, but they were available. This was not the end; I found an interesting file:

Backup files! One file had the entire user data and the other, a tar file, had the backup of all files on the web. So now I had access to the source code!

Now it was time for a code review of those files, but I wasn't crazy enough to review all of them as I was excited to gather some more interesting stuff. I did a quick grep to see if I could find anything related to SSH:

grep /PATH/ -rnw -e 'ssh'


And I was amazed to see what I found in a PHP file:


Got SSH & Git Password! Time for SSH:

Server access with root privileges! That's the end ;)

Some more critical issues and another RCE were identified via code review, but I guess this is the most interesting one among them.

The vulnerability was reported and the fix is now deployed.
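
The chain above depended on three things sitting inside the document root: '.git' metadata, backup and export files, and a PHP file with a hardcoded password. The following is an added example, not code from the original write-up: a pre-deployment audit that walks a web root and reports all three. The extension lists, the secret-matching regex, and the sample tree built in demo() are assumptions made for illustration.

```python
import os
import re
import tempfile

BACKUP_EXT = (".tar", ".tar.gz", ".tgz", ".zip", ".sql", ".bak", ".xlsx")
CODE_EXT = (".php", ".inc", ".env", ".ini", ".conf")
# Assumed heuristic: a password/secret-like name assigned a quoted literal.
SECRET_RE = re.compile(
    r"(pass(word|wd)?|secret)\w*\W{0,4}(=>|=|:)\s*['\"][^'\"]{4,}['\"]", re.I)

def audit_webroot(root):
    """Return sorted (kind, path) findings for content the web server would expose."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if ".git" in dirnames:
            findings.append(("vcs-metadata", os.path.normpath(os.path.join(rel_dir, ".git"))))
            dirnames.remove(".git")  # report once, do not descend into the object store
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if name.lower().endswith(BACKUP_EXT):
                findings.append(("backup-or-export", rel))
            elif name.lower().endswith(CODE_EXT):
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if SECRET_RE.search(line):
                            findings.append(("hardcoded-secret", f"{rel}:{lineno}"))
    return sorted(findings)

def demo():
    """Audit a constructed tree that mirrors the chain in the write-up."""
    sample = {  # constructed sample files, not data from the original target
        ".git/config": "[core]\n\tbare = false\n",
        "backup.tar": "",
        "users.xlsx": "",
        "admin/deploy.php": "<?php\n$ssh_user = 'deploy';\n$ssh_password = 'EXAMPLE-ONLY';\n",
        "index.php": "<?php echo 'hello';\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return audit_webroot(root)

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:18} {path}")
```

Run as a deploy gate, any finding should fail the release; on the server side, '.git' should also be denied and directory listing disabled so a missed file is not browsable.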

Polish up Recon skills and you'll get what no one else could!
Good Luck and Thanks for watching. Please share if you love this write-up.
