Introduction

We covered how to bypass disabled functions in PHP and how to evade upload filters in this TryHackMe machine.

What is a file upload vulnerability?

This vulnerability occurs in web applications that accept uploaded files without validating them (type, content, name and storage location) in a way that blocks dangerous content.

It allows an attacker to upload files containing code (scripts such as .php, .aspx and more) and run them on the same server; there is more information in this room.

Why this room?

Among the typically applied measures is disabling dangerous functions that could execute operating system commands or start processes. Functions such as system() or shell_exec() are often disabled through PHP directives defined in the php.ini configuration file. Other, less well-known functions, such as dl() (which loads a PHP extension dynamically), can go unnoticed by the system administrator and remain enabled. The usual step in an intrusion test is to list which functions are enabled in case any have been forgotten.

One of the easiest techniques to implement, and one that is not very widespread, is to abuse the mail() and putenv() functions. This technique is not new; it was already reported to PHP in 2008 by gat3way, but it still works to this day. Through the putenv() function we can modify the environment variables, which allows us to assign any value we want to the variable LD_PRELOAD. Roughly, LD_PRELOAD makes the dynamic linker load a .so library before the rest of the libraries, so that if a program uses a function from a library (libc.so, for example), it will execute the one in our library instead of the one it should. In this way we can hijack or "hook" functions, modifying their behaviour at will.
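The paragraphs above make a defensive point in passing: a disable_functions list that only names the obvious command-execution functions leaves dl(), putenv() and mail() callable. The Python below is an added example (not part of the room or this write-up) that parses the disable_functions directive from a php.ini fragment, reports which dangerous functions are still enabled, and emits a hardened directive. The php.ini fragment is constructed for the example; the function sets are standard PHP functions, grouped by whether they run commands directly or only provide the indirect path the post describes.

```python
import re

# Functions that execute OS commands or spawn processes directly.
DIRECT_EXEC = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "pcntl_exec"}
# Less obvious functions the post discusses: dl() loads an arbitrary PHP extension,
# and putenv() combined with mail() lets LD_PRELOAD reach the sendmail child process.
INDIRECT_EXEC = {"dl", "putenv", "mail"}


def parse_disable_functions(ini_text):
    """Collect the function names listed in every disable_functions line of a php.ini fragment."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            disabled.update(f.strip().lower() for f in m.group(1).split(",") if f.strip())
    return disabled


def audit(ini_text):
    """Report which dangerous functions are still callable under the given configuration."""
    disabled = parse_disable_functions(ini_text)
    return {
        "direct_exec_enabled": sorted(DIRECT_EXEC - disabled),
        "indirect_exec_enabled": sorted(INDIRECT_EXEC - disabled),
    }


def hardened_directive(ini_text):
    """Rebuild the directive with the full block list merged into what the admin already had."""
    disabled = parse_disable_functions(ini_text)
    return "disable_functions = " + ",".join(sorted(disabled | DIRECT_EXEC | INDIRECT_EXEC))


# Constructed php.ini fragment: the typical "obvious functions only" configuration.
WEAK_INI = """
; constructed sample, not a real server's configuration
disable_functions = system,shell_exec,exec,passthru,popen,proc_open
"""

if __name__ == "__main__":
    print(audit(WEAK_INI))           # pcntl_exec, dl, mail and putenv are still enabled
    print(hardened_directive(WEAK_INI))
```

If the application genuinely needs mail(), disabling putenv() on its own already closes the LD_PRELOAD path, because the environment variable can no longer be set from PHP; dl() should be disabled regardless.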

The Challenge: Disabled Functions and Upload Filters

First, let’s talk about the problem. On many web servers, PHP functions that can execute system commands (like system, shell_exec, etc.) are disabled. This is a good security practice, but for a penetration tester, it’s a hurdle to overcome. The goal here is to find a way around these disabled functions.

To do this, I’ll be using a nifty tool called Chankro. Chankro is designed specifically to bypass these kinds of restrictions. It works by creating a special PHP file that, when uploaded and executed, uses some clever tricks with environment variables (putenv) and LD_PRELOAD to load a library and give me a reverse shell.

Getting a Foothold

My first step is always reconnaissance. I run an Nmap scan to see what’s running on the target machine and find an Apache web server. I also fire up Burp Suite to intercept the web traffic.

The website has a job application feature with a CV upload form. This is my way in! However, the server is picky and will only accept image files. When I try to upload a standard PHP reverse shell, it tells me to upload a “real image.”

To get around this, I use a classic trick: I modify the magic number of my PHP shell file. A magic number is a sequence of bytes at the beginning of a file that identifies the file type. I simply add the magic number for a GIF image (GIF87a) to the very beginning of my PHP code in Burp Suite. The server is fooled, and my file is uploaded!
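The filter described above checks only the leading magic bytes, which is why prefixing GIF87a is enough. The Python below is an added example (not from the write-up or the room) that puts that weak check next to a stricter one: the extension must be on an allowlist, the magic bytes must match the declared extension rather than any image type, the body must not contain a PHP open tag, and the stored name and extension are chosen by the server. The two sample files are constructed for the example; the 1x1 GIF is the usual minimal valid image.

```python
import os
import re
import secrets

# Allowed extensions and the magic bytes each one must start with.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# PHP open tags: "<?php", "<?=" and the short "<? " form.
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.IGNORECASE)


def weak_check(data):
    """Magic-number-only filter, like the one bypassed in the walkthrough."""
    return any(data.startswith(sig) for sigs in ALLOWED.values() for sig in sigs)


def hardened_check(filename, data):
    """Return (accepted, reason, server_chosen_name)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        return False, "extension not allowed", None
    # The content must match the type the client claims, not just "some image type".
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match declared type", None
    if PHP_TAG.search(data):
        return False, "embedded PHP open tag", None
    # The client never controls the stored name; the extension comes from the verified type.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


# Constructed samples.
POLYGLOT = b"GIF87a<?php echo 'not an image'; ?>"          # magic bytes glued onto PHP
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")  # 1x1 pixel GIF

if __name__ == "__main__":
    print("weak check accepts polyglot:", weak_check(POLYGLOT))            # True
    print("hardened, polyglot as cv.gif:", hardened_check("cv.gif", POLYGLOT))
    print("hardened, polyglot as cv.php:", hardened_check("cv.php", POLYGLOT))
    print("hardened, real gif:", hardened_check("photo.gif", REAL_GIF))
```

The tag scan is a heuristic (binary image data can in principle contain those bytes); the standard stronger step is to re-encode the upload through an image library so that only pixel data survives, and to store uploads where the web server has no PHP handler.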

Now I have to find where my file went. I use Gobuster to brute-force directories on the web server and quickly discover an /uploads directory.

Bypassing the Disabled Functions

I set up a Netcat listener on my machine and try to execute my uploaded shell by visiting its URL. As expected, nothing happens. This confirms that the dangerous PHP functions are disabled.

To be absolutely sure, I use a tool called ffuf to look for common PHP configuration files. I find a phpinfo.php file, which is a goldmine of information. It lists all the disabled functions, confirming my suspicions, and also tells me the exact document root of the web server, which is /var/www/html.

Now it’s time to bring in Chankro.

  1. I clone the Chankro repository from GitHub.
  2. I create a simple Netcat reverse shell script.
  3. I use the Chankro Python script to generate my final payload. I tell it the target architecture (64-bit), give it my reverse shell script, name the output file, and provide the document root I found earlier.
  4. Chankro spits out a new PHP file, config_v1.php. I upload this file to the server, again using the GIF magic number trick to bypass the filter.

Victory!

With my Chankro payload uploaded, I start my Netcat listener one last time. I navigate to the uploaded config_v1.php file in the /uploads directory, and this time… I get a shell! 🐚

I’m now in control of the server. I navigate to the user’s home directory, and there it is: the flag.

Technical Commands

Here’s a list of the commands I used in my terminal during this engagement:

  • Nmap scan: nmap -sC -sV <target_ip>
  • Gobuster for directory brute-forcing: gobuster dir -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  • Netcat listener: nc -lvnp 4545
  • ffuf for file fuzzing: ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -u http://<target_ip>/FUZZ -e .php
  • Cloning the Chankro repository: git clone https://github.com/TarlogicSecurity/Chankro.git
  • Creating the reverse shell file: nano rev.sh
  • Running Chankro to generate the payload: python chankro.py --arch 64 --input rev.sh --output config_v1.php --path /var/www/html
  • Basic navigation: ls, cd <directory_name>, id

Challenge Questions and Answers

Compromise the machine and locate the flag.txt

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.