Hack The Box: (UpDown) Upload Phar File for RCE

Written by darknite -
on January 22, 2023
Testing

What is Phar Deserizalition to Remote Code Execution?

Phar file also known as PHP Archive will normally contain metadata that is written in a serialized format. As a result, the bad guys can abuse the vulnerability related to deserialized that wrote inside the PHP code.

For those who are not familiar with PHP functions that have been used in the deserialization which not eval the PHP code such as file_get_contents(), fopen(), file() or file_exists(), md5_file(), filemtime() or filesize().

Demonstration of uploading Phar File for Remote Code Execution Attack method

The demonstration is taken from my full walkthrough of the Updown Machine

Analyze the source code of the webpage

After a while, I managed to understand that we can upload a .phar file format so that the system will be able to check whether the website is up or down

We also found a special header that we can use in the later process.

After we whitelisted the subdomain, the page has given us a 403 error page.

Let’s try to inspect the request using the Burpsuite and add the special header.

Another way to proceed will be by using the curl command and inspecting with burpsuite

Inspecting the page with Burpsuite

The response looks like returned a 200 status which it’s a good thing to know

The subdomain will appear something such as shown in the screenshot above.

From my analysis of the checker.php file previously, let’s download the .phar file.

When we try to inspect via burpsuite, it will look exactly like shown in the screenshot above.

It seems like all the URLs are down and I was thinking that we might need to hang the website for it to work

As a result, let’s insert a bit more of the URL so that the website hangs and opens the file on the /uploads/ directory.

On the disable_functions, there are a lot of functions, but we didn’t manage to sight one function which is proc_open

Let’s create some basic PHP script so that we can call back by using the reverse shell connection.

Therefore, let’s start our listener using pwncat-cs

For us to retrieve the reverse shell connection, we need to click the file on the uploads

Finally, we managed to obtain the reverse shell connection back to us.

Categories:

Medium Machine

Tags:

ChallengesHackTheBoxPenetration TestingVulnerabilities

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *