This challenge involves a web application designed for image hosting. The application has a few vulnerabilities; the goal is to exploit one of them and find the hidden message about a date arrangement that Bob sent to Alice.
Host the virtual machine and let’s start by identifying the target IP. We will run an Nmap ping scan to detect all live hosts.
As can be seen in the figure above, nmap detected three hosts: 192.168.0.1 is my router, 192.168.0.100 is my system’s IP, and 192.168.0.103 is our target. Try opening this IP in a browser.
There is an application that appears to be for image hosting. First, we will enumerate the whole application and try to find all of its URLs. For enumeration we will use Burp Suite’s spider option.
After spidering the application, we now have some internal URLs. We can see some PHP files there. The upload.php file handles the file upload functionality, but what is that myphp.php file? Let’s find out what is hidden in that page. Open the URL in the browser and add an id parameter with some integer value. For example, we added id=100, so the URL looks like this: http://192.168.0.103:8880/myphp?id=100
The application shows a message that hints we should dig more. Let’s try some more values for the id parameter; this time, we will pass 101.
The PHP version disclosed some sensitive information. Try another value, like 102:
No such information is shown, only a “PHP Credits” banner. Change the id value to 104:
This time we have some juicy information: the full PHP configuration is disclosed. We can see all the PHP functions that are disabled in the configuration file. Next we changed the id value to 108.
This time we get the Apache server details, such as the server version, installed modules, etc. That is enough for our enumeration phase; we now have plenty of information about our target. Now go back to the application home page and try out the application’s functionality to see how it works. We can see that there is a file upload feature, so let’s try to upload an image file.
For example, we will upload an image named fishy.jpg. After the upload succeeds, the application redirects to image.php, which displays our uploaded image.
Let’s check out the source code for the page from which the image comes. Right-click in the browser and select “View Source.”
As can be seen above, the uploaded image is served from the images directory and our uploaded image’s name has been changed to some kind of hash value. We identified this as an MD5 hash because it is 32 bytes long and contains only digits and the characters a-f. So let’s verify that this MD5 hash value matches our file name. First, we calculated the MD5 of “fishy”; the output was “29c3a60c13d1e0eda25d65f65a761b47”, which does not match the current value. Next, we used the full file name, “fishy.jpg”, and calculated its MD5 hash; the output was “e1a9d5f33b65b29243ca47bd3f5fd3af”, which is the correct value.
fishy = 29c3a60c13d1e0eda25d65f65a761b47
fishy.jpg = e1a9d5f33b65b29243ca47bd3f5fd3af
This means the application computes the MD5 hash over the full file name, including the extension.
Now we know where the application stores an uploaded file and the name it uses. Let’s try to upload a PHP file.
It does not allow us to upload a PHP file. We tried several techniques to bypass this restriction. Finally, we added a double file extension, “k.jpg.php”, and tried to upload it.
The file is uploaded successfully, but we can’t see any image.
We checked the source code and there is nothing:
But there is no need to worry. We know where our file is stored and how its name is derived. We can access our PHP file by converting the file name into an MD5 hash. First, calculate the MD5 for k.jpg.php:
Now we have the MD5 hash; let’s try to access our uploaded PHP file from the URL: http://192.168.0.103:8880/images/f6af844136a85c964355ae9578923323.php
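The naming scheme derived above (MD5 of the full name) and the “k.jpg.php” bypass both come down to the upload handler’s logic. The following Python is an added example, not the challenge’s upload.php (which this writeup never shows): it models the inferred naming, a hypothetical lax extension check that a double extension slips past, and a hardened validator that judges only the final extension, verifies magic bytes and stores under a random name. Assumed: the app appends the final extension to the digest; the allowlist and magic-byte table are mine.

```python
import hashlib
import os
import secrets

# Permitted final extensions and the magic bytes a file of that type must start with (my table).
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def final_extension(name: str) -> str:
    """Return the text after the LAST dot of the base name, lower-cased ('' if none)."""
    base = os.path.basename(name)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""

def challenge_stored_name(original: str) -> str:
    """Model of the challenge app's naming as inferred in the writeup (assumption, not its source):
    MD5 over the full user-supplied name, with the final extension kept. MD5 mirrors the app."""
    ext = final_extension(original)
    digest = hashlib.md5(original.encode()).hexdigest()
    return f"{digest}.{ext}" if ext else digest

def weak_extension_check(original: str) -> bool:
    """Hypothetical lax filter that 'k.jpg.php' slips past: it only asks whether an
    allowed extension appears somewhere in the name, not what the file will run as."""
    return any(f".{ext}" in original.lower() for ext in ALLOWED_TYPES)

def validate_upload(original: str, content: bytes) -> str:
    """Hardened check: decide by the final extension only, confirm the bytes match the
    declared type, and return an unpredictable stored name. Raises ValueError on rejection."""
    ext = final_extension(original)
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext!r} is not allowed")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match the declared image type")
    return f"{secrets.token_hex(16)}.{ext}"

def accepts(original: str, content: bytes) -> bool:
    """True if the hardened validator would store this upload."""
    try:
        validate_upload(original, content)
        return True
    except ValueError:
        return False
```

If the web server still executes .php from the images directory, the random name only limits guessing; the durable fix is to serve uploads from a location with no script handler.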
Yes, our PHP file is executed successfully: it shows “www-data” because, in the PHP file, we used the “whoami” command. Now it is confirmed that we are able to execute a PHP file on the server. So let’s upload another PHP file, but this time we will use it to execute any Unix command on the server; that’s why we have written this small piece of code:
Now upload this PHP file using the same technique. Locate the file and access it from the URL. Whatever command we want to execute on the server, we just pass it as the c parameter. For example, to check which directory we are currently in, we passed “c=pwd”.
It shows that the current directory is images. We want to see all the files in this directory along with their permissions, so we use this command: “ls -la ./ > dirlist.txt”:
After executing the command, the result is in the dirlist.txt file, so let’s open dirlist.txt from the images directory: http://192.168.0.103/images/dirlist.txt
We can see all the files in the images directory. There is nothing here that will help us find the hidden files, so we will now check the web root directory. Type in “ls -la /var/www > dirlist.txt”:
Open the dirlist.txt from the same location as we previously did.
We can see all the application files, but we are searching for a hidden file. What is the .proof file? Let’s see; type in “cat /var/www/.proof > proof.txt”:
Access the proof.txt file from the images directory.
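Each step of the command-execution phase above leaves an Apache access-log entry: a request for a script extension under the upload directory, then query parameters carrying shell commands. This Python detector is an added example (not part of the writeup) run over constructed log lines that mirror those requests; the log format, the upload directory, the command-word list and the timestamps are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines modelled on the writeup's requests (combined log format
# assumed; the hash and hosts are the ones in the writeup, the timestamps are made up).
SAMPLE_LOG = """\
192.168.0.100 - - [10/Mar/2015:10:01:02 +0000] "POST /upload.php HTTP/1.1" 302 -
192.168.0.100 - - [10/Mar/2015:10:01:05 +0000] "GET /images/e1a9d5f33b65b29243ca47bd3f5fd3af.jpg HTTP/1.1" 200 5120
192.168.0.100 - - [10/Mar/2015:10:02:11 +0000] "GET /images/f6af844136a85c964355ae9578923323.php HTTP/1.1" 200 9
192.168.0.100 - - [10/Mar/2015:10:03:40 +0000] "GET /images/f6af844136a85c964355ae9578923323.php?c=pwd HTTP/1.1" 200 22
192.168.0.100 - - [10/Mar/2015:10:04:12 +0000] "GET /images/f6af844136a85c964355ae9578923323.php?c=cat%20/var/www/.proof%20%3E%20proof.txt HTTP/1.1" 200 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
UPLOAD_DIRS = ("/images/",)                       # directories that must never serve scripts
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")
# Command words at the start or after a separator, or shell metacharacters anywhere (assumed list).
SHELL_HINTS = re.compile(r"(^|[\s;|&])(cat|ls|pwd|whoami|id|uname|nc|wget|curl)\b|[;|&>]")

def analyse(line):
    """Return a list of findings for one log line ([] if clean, None if it does not parse)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _src, _ts, _method, target, _status, _size = m.groups()
    parts = urlsplit(target)
    findings = []
    if parts.path.startswith(UPLOAD_DIRS) and parts.path.lower().endswith(SCRIPT_EXTS):
        findings.append("script executed from upload directory")
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            # parse_qs decodes once; unquote again so a double-encoded value is still inspected
            if SHELL_HINTS.search(unquote(value)):
                findings.append(f"shell-like value in parameter {key!r}")
    return findings

def scan(log_text):
    """Return (request line, findings) for every entry that raised at least one finding."""
    alerts = []
    for line in log_text.splitlines():
        findings = analyse(line)
        if findings:
            alerts.append((line.split('"')[1], findings))
    return alerts
```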
Yeah! We finally found something: a secret code, TGglMUxecjJDSDclN1Ej. This code looks like it is Base64 encoded, so we decoded it; the output is “Lh%1L^r2CH7%7Q#”. We can also see a short conversation between bob and an unknown person. Now who is bob? Is bob a user? Let’s check the home directory. Type in “ls -la -R /home > bob.txt”:
After executing the command, open the bob.txt file to check the home directory listing.
We can see that bob is a user on this server and we can see all his directories. There is a public_html folder, which means he has a web application. We tried to open his application by calling this URL: http://192.168.0.103/~bob/
The application asks for a secret. We already have that secret code, so we provided it: Lh%1L^r2CH7%7Q#
We can see there is a message; if we enter these numbers into Google Maps, we get the secret location:
Coast Tombazis 7, Chania Crete, Greece.